reflection 2
Implementing Identity and Account Management Controls
Lesson 8
1
Implement Identity and Account Types
Topic 8A
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
2
2
3.7 Given a scenario, implement identity and account management controls
5.3 Explain the importance of policies to organizational security
Syllabus Objectives Covered
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
3
Identity Management Controls
Certificates and smart cards
Public key cryptography
Subject identified by a public key, wrapped in digital certificate
Private key must be kept secure
Tokens
Authorizations issued under single sign-on
Avoids need for user to authenticate to each service
Identity provider
Provisions and manages accounts
Processes authentication
Federated identity management
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
4
Background Check and Onboarding Policies
Human resources (HR) and personnel policies
Recruitment (hiring)
Operation (working)
Termination/separation (firing or retiring)
Background check
Onboarding
Welcoming a new employees or contractors to the organization
Account provisioning
Issuing credentials
Asset allocation
Training/policies
Non-disclosure Agreement (NDA)
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
5
Personnel Policies for Privilege Management
Mitigate insider threat
Separation of duties
Standard operating procedures (SOPs)
Shared authority
Least privilege
Assign sufficient permissions only
Reduce risk from compromised accounts
Job rotation
Distributes institutional knowledge and expertise
Reduces critical dependencies
Mandatory vacations
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
6
Offboarding Policies
Identity and access management checks
Disable the user account and privileges
Ensure integrity and availability of information assets managed by the employee
Retrieving company assets
Returning personal assets
Consider shared/generic accounts, security procedures that must be changed
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
7
7
Security Account Types and Credential Management
Standard users
Limited privileges
Should not be able to change the system configuration
Restricted to account profile
Credential management policies for personnel
Password policy
Protect access to the account and prevent compromise
Educate risks from reusing credentials and social engineering
Guest accounts
Account with no credentials (anonymous logon)
Unauthenticated access to hosts and websites
Must have very limited privileges or be disabled
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
8
Security Group-Based Privileges
User-assigned privileges
Assign privileges directly to user accounts
Unmanageable if number of users is large
Group-based privileges
Assign permissions to security groups and assign user accounts to relevant groups
Issues with users inheriting multiple permissions
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
9
Images © 123RF.com.
9
Administrator/Root Accounts
Privileged/administrative accounts
Can change system configuration
Generic administrator/root/superuser
User account with full control over system
Key target for attackers
Often disabled or usage restricted after install
Administrator credential policies
Create specific accounts with least privileges (generic account prohibition)
Enforce multifactor authentication
Default security groups
Administrators/sudoers
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
10
Service Accounts
Windows service accounts
System
Local Service
Network Service
Linux accounts to run services (daemons)
Deny shell access
Managing shared service account credentials
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
11
Screenshot used with permission from Microsoft.
Shared/Generic/Device Accounts and Credentials
Shared accounts
Accounts whose credentials are known to more than one person
Generic accounts
Accounts created by default on OS install
Only account available to manage a device
Might use a default password
Risks from shared and generic accounts
Breaks principle of non-repudiation
Difficult to keep credential secure
Credential policies for devices
Privilege access management software
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
12
Secure Shell Keys and Third-party Credentials
Secure Shell (SSH) used for remote access
Host key identifies the server
User key pair used to authenticate to server
Server holds copy of valid users’ public keys
Keys must be actively managed
Third-party credentials
Passwords and keys to manage cloud services
Highly vulnerable to accidental disclosure
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
13
Screenshot used with permission from Amazon.com.
Identity and Account Types
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
14
Review Activity
Implement Account Policies
Topic 8B
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
15
15
3.7 Given a scenario, implement identity and account management controls
Syllabus Objectives Covered
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
16
Account Attributes and Access Policies
Account attributes
Security ID, account name, credential
Extended profile attributes
Per-app settings and files
Access policies
File permissions
Access rights
Active Directory Group Policy Objects (GPOs)
Screenshot used with permission from Microsoft.
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
17
Account Password Policy Settings
Length
Complexity
Character combinations
Aging
History and reuse
NIST guidance
Password hints
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
18
Account Restrictions
Network location
Connecting from a VLAN or IP subnet/remote IP
Connecting to a machine type or group (clients versus servers)
Interactive versus remote logon
Geolocation
By IP address
By Location Services
Geofencing
Geotagging
Time-based restrictions
Logon hours
Logon duration
Impossible travel time/risky login
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
19
19
Account Audits
Accounting and auditing to detect account misuse
Use of file permissions to read and modify data
Failed login or resource access attempts
Recertification
Monitoring use of privileges
Granting/revoking privileges
Communication between IT and HR
Screenshot used with permission from Microsoft.
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
20
Account Permissions
Impact of improperly configured accounts
Insufficient permissions
Unnecessary permissions
Escalating and revoking privileges
Permission auditing tools
Screenshot used with permission from Microsoft.
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
21
Usage Audits
Account logon and management events
Process creation
Object access (file system / file shares)
Changes to audit policy
Changes to system security and integrity (anti-virus, host firewall, and so on)
Screenshot used with permission from Microsoft.
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
22
Account Lockout and Disablement
Disablement
Login is disabled until manually re-enabled
Combine with remote logoff
Lockout
Login is prevented for a period and then re-enabled
Policies to enforce automatic lockout
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
23
Screenshot used with permission from Microsoft.
Account Policies
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
24
Review Activity
Assisted Labs
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
Managing Access Controls in Windows Server
Configuring a System for Auditing Policies
25
Lab Activity
Implement Authorization Solutions
Topic 8C
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
26
26
2.4 Summarize authentication and authorization design concepts
3.8 Given a scenario, implement authentication and authorization solutions
4.1 Given a scenario, use the appropriate tool to assess organizational security (chmod only)
Syllabus Objectives Covered
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
27
Discretionary and Role-Based Access Control
Access control model determines how users receive permissions/rights
Discretionary Access Control (DAC)
Based on resource ownership
Access Control Lists (ACLs)
Vulnerable to compromised privileged user accounts
Role-Based Access Control (RBAC)
Non-discretionary and more centralized control
Based on defining roles then allocating users to roles
Users should only inherit role permissions to perform particular tasks
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
28
File System Security
Access Control List (ACL)
Access Control Entry (ACE)
File system support
Linux permissions and chmod
Symbolic (rwx)
User, group, world
Octal
r=4
w=2
x=1
Screenshot used with permission from Microsoft.
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
29
29
Mandatory and Attribute-Based Access Control
Mandatory Access Control (MAC)
Labels and clearance
System policies to restrict access
Attribute-Based Access Control (ABAC)
Access decisions based on a combination of subject and object attributes plus any context-sensitive or system-wide attributes
Conditional access
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
30
Rule-Based Access Control
Non-discretionary
System determines rules, not users
Conditional access
Continual authentication
User account control (UAC)
Privileged access management
Policies, procedures, and technical controls to prevent the malicious abuse of privileged accounts
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
31
Directory Services
Database of subjects
Users, computers, security groups/roles, and services
Access Control Lists (authorizations)
X.500 and Lightweight Directory Access Protocol (LDAP)
Distinguished names
Attribute=Value pairs
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
32
CN=WIDGETWEB, OU=Marketing, O=Widget, C=UK, DC=widget, DC=foo
Federation and Attestation
Federated identity management
Networks under separate administrative control share users
Identity providers and attestation
Cloud versus on-premises requirements
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
33
Images © 123rf.com.
Security Assertions Markup Language
Open standard for implementing identity and service provider communications
Attestations/assertions
XML format
Signed using XML signature specification
Communications protocols
HTTPS
Simple Object Access Protocol (SOAP)
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
34
OAuth and OpenID Connect
“User-centric” federated services better suited to consumer websites
Representational State Transfer (REST) Application Programming Interfaces (APIs) (RESTful APIs)
Framework for implementation not a protocol
OAuth
Designed to communicate authorizations rather than explicitly authenticate a subject
Client sites and apps interact with OAuth IdPs and resource servers that hold the principal’s account/data
Different flow types for server to server or mobile app to server
JavaScript object notation (JSON) web token (JWT)
OpenID Connect (OIDC)
Adds functions and flows to OAuth to support explicit authentication
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
35
Authorization Solutions
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
36
Review Activity
Assisted Lab
Managing Access Controls in Linux
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
37
Lab Activity
Explain the Importance of Personnel Policies
Topic 8D
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
38
38
5.3 Explain the importance of policies to organizational security
Syllabus Objectives Covered
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
39
Conduct Policies
Acceptable use policy (AUP)
Employee use of employer’s hardware and software assets
Rules of behavior and social media analysis
General requirements for professional standards
Covers personal communications and social media accounts
Additional clauses for privileged users
Use of personally owned devices
Bring your own device
Shadow IT
Clean desk
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
40
User and Role-based Training
Impacts and risks from untrained users
Topics for security awareness
Overview of security policies
Incident response procedures
Site security procedures
Data handling
Password and account management
Awareness of social engineering and malware threats
Secure use of software such as browsers and email clients
Role-based training
Appropriate language
Level of technical content
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
41
Engagement and retention
Training delivery methods
Phishing campaigns
Simulating phishing messages to test employee awareness
Capture the flag
Computer-based training (CBT)
Simulations
Branching scenarios
Gamification elements
Diversity of Training Techniques
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
42
Importance of Personnel Policies
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
43
Review Activity
Applied Lab
Configuring Identity and Access Management Controls
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
44
Lab Activity
Summary
Lesson 8
CompTIA Security+ Lesson 8 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
45
45
<samlp:Response xmlns:samlp="urn:oasi s:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="200"
Version="2.0"
IssueInstant="2020-01-01T20:00:10Z "
Destination="https://sp.foo/saml/acs" InResponseTo="100".
<saml:Issuer>https://idp.foo/sso</saml:Issuer>
<ds:Signature>...</ds:Signature>
<samlp:Status>...(success)...</samlp:Status.
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema -instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="2000" Version="2.0"
IssueInstant="2020-01-01T20:00:09Z">
<saml:Issuer>https://idp.foo/sso</saml:Issuer>
<ds:Signature>...</ds:Signature>
<saml:Subject>...
<saml:Conditions>...
<saml:AudienceRestriction>...
<saml:AuthnStatement>...
<saml:AttributeStatement>
<saml:Attribute>...
<saml:Attribute>...
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>