CompTIA CySA+ Objective 4.2

Given a scenario, use data to recommend remediation of security issues related to identity and access management.

CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives Version 3.0

Identity and access management are crucial to the security of an enterprise. There are specific security concerns with identity and access management.

Security Issues Associated with Context-Based Authentication

Context-Based authentication takes multiple factors before authenticating and authorizing a user. Some of the advantages of context-based authentication include:

  • Prevents account takeovers from password attacks.
  • Prevents many attacks made possible by use of personal mobile devices.
  • Prevents attacks made possible by the user’s location.

Context-based authentication uses many factors when authenticating a user.

Time

Time can be used to restrict logons to a certain time of day. It can also be used to limit access to certain resources or require additional authentication to resources depending on the time of day.

Location

Because of today’s anywhere anytime access, location becomes an important factor. For example, a company may allow a user to access a certain resource from the office, but not from home. Companies may also want to restrict access from certain countries or when the same user logs in from two different locations in a short amount of time.

Frequency

Context-based authentication can take the number and frequency of logins into account. Automated processes or malware could trip this and cause authentication to be rejected.

Behavioral

Authentication systems can track the behavior of an account over time and use that information to determine what is anomalous.

Combined, the attributes can be used to make complex rules. The drawback is that these rules can end up being less secure if incorrectly configured.

Security Issues Associated with Identities

Identities are not always people. The subject could be a person, a server, an application, or a service. Each type of identity has its own security challenges.

Personnel

  • Dormant accounts remaining active
  • Easily guessed passwords
  • Poor credential management by privileged users
  • Shared accounts

Employment candidate screening is one control to help protect against the dangers of personnel. This can include many items.

  • Background checks
  • Criminal history checks
  • Work history
  • Credit history (especially for personnel involved in financial transactions)
  • substance abuse testing
  • reference checks
  • SSN validation

Proper credential management is an important control and should include the following:

  • strong passwords
  • automatic generation of complex passwords
  • implement password history checks
  • use contextual mechanisms including the who, what, how and when of access
  • auditing
  • backup and restore processes for integrity
  • Implement HA to ensure 24/7/365 access.
  • Implement group policies for credential management.

Creating accountability for a user’s action is important. Each user should have a unique account. User actions should be monitored and logs should be audited.

Endpoints

Endpoints are subject to a number of security issues.

Social engineering threats are often used by attackers to exploit endpoints.

  • Phishing/pharming: Phishing is where attackers try to learn personal information about a person. This is usually implemented through a fake website that resembles a legitimate website. Users are then tricked into putting their information into the site. Spear phishing is a targeted phishing attack. Pharming is similar, but it is accomplished by poisoning the computer’s DNS cache to make requests to a legitimate site route to the phishing site. INFOSEC Awareness training for users is the best way to prevent phishing.
  • Shoulder surfing: An attacker watches a users enter login or other confidential data. Encouraging users to be aware of who is observing them and adding privacy screens can help mitigate this.
  • Identity theft: ID theft can allow attackers to gain access to the user’s accounts by being able to answer security questions.
  • Malicious Software: Malware can be used to gain control of endpoints.
    • Virus: Malware that attaches to another application to replicate or distribute itself.
    • Worm: Malware that replicates itself
    • Trojan Horse: Malware disguises itself as a needed application
    • Spyware: Malware that collects private data
  • Rogue Endpoints: Devices on the network that are not under enterprise control. They could be malicious or benign.
  • Rogue Access Points: APs not controlled and managed by the enterprise. They could either be stand alone or attached to the enterprise wired network. Either could be used to gain access to enterprise resources.

Servers

Although less in numbers compared to endpoints, servers often have much more critical data and purposes. There are several issues that could impact devices, but are usually directed at servers:

  • DoS/DDoS: A denial of service attack floods a device with enough traffic requests to degrade the performance of the server. A distributed DoS uses multiple attack locations. These are often zombie computers infected with malware coordinated in a bot net.
  • Buffer overflow: Buffer overflows occur when inputted data exceeds what the application buffer can handle. This is normally due to poorly written code and can allow malicious code to be loaded. Patching OS and ensuring input validation for applications.
  • Mobile code: Examples include Java, JavaScript and ActiveX. Malicious mobile code can be used to bypass access controls.
  • Emanations: EM signals emitted by an electric device. Attackers can target these emanations to get information without having access to the device or medium. The TEMPEST program has been researching ways to limit emanations.
  • Backdoor/trapdoor: Known backdoor accounts can be attack vectors.

Services

Services run on both servers and workstations. They have identities just like users and should be held to the same least privilege policy to restrict them to just what they need. Just like users, the passwords must be changed for these service accounts.

Roles

Role-based access control (RBAC) is a common way to assign new users the permissions for their job. Policies and procedures must support a RBAC scheme to assure that the roles are correctly setup.

Applications

Managing access to applications requires a complicated mix of software, especially with Software as a Service (SaaS/Cloud) applications. Identity and Access Management (IAM) software can help to federate identity between organizations. IAM can have some security issues including:

  • over provisioned rights can lead to unauthorized access
  • DDoS attacks against IAM
  • common identity attacks like brute-force attacks and spoofing

Applications can also be used as identities by delegation. Kerberos is an example of an application that authenticates on behalf on a user.

Security Issues Associated with Identity Repositories

Identity Repositories such as Active Directory, LDAP, RADIUS and TACACS+ are prime targets as they contain all of the information for identities.

Directory Services

Directory Services serve to store all of the identity information for an organization. Examples of directory services include LDAP Active Directory and DNS.

LDAP

The Lightweight Directory Access Protocol (LDAP) is structured using distinguished name (DN), common name (CN), domain component (DC), organizational unit (OU) and other attributes. TCP port 389 is the default port for LDAP, but it can be secured using SSL on TCP port 636.

Active Directory (AD)

Microsoft’s implementation of LDAP is known as Active Directory. AD is an example of a single sign-on (SSO) system. It uses Kerberos as the authentication mechanism. Some advantages of Kerberos include:

  • Passwords don’t have to be sent over the network.
  • Both the client and server authenticate each other.
  • Tickets passed are timestamped and include lifetime information. (anti-replay)
  • The Kerberos protocol is an open Internet standard.

Some disadvantages include:

  • Key Distribution Center (KDC) is required for fault tolerance.
  • KDC must be scalable
  • Session keys on the client can be compromised
  • Kerberos traffic must be encrypted.
  • All systems participating must have time synchronized.
  • Kerberos is susceptible to password-guessing attacks.

SESAME

The Secure European System for Applications in a Multi-vendor Environment (SESAME) project extends Kerberos to fix its weakness. SESAME uses asymmetric and symmetric encryption. Privileged Attribute Certificates (PAC) are used instead of tickets. The KDC is replced with the Privileged Attribute Server (PAS)

DNS

The Domain Name System (DNS) provides a hierarchical naming system. Domain Name System Security Extensions (DNSSEC) should be enabled to ensure that the server is authenticated. DNS transfers need to be kept secure to prevent data leakage.

TACACS+ and RADIUS

802.1x is a standard for port based authentication for both wired and wireless networks. 802.1x has three components:

  • Supplicant: The user or device asking for network access. Usually a software application on the device.
  • Authenticator: The device through which network access is being requested like a switch or wireless network.
  • Authentication Server: The central server that does the authentication, could be RADIUS or TACACS+.
RADIUSTACACS+
Transport
Protocol
UDP (1812, 1813)TCP (49)
ConfidentialityEncrypts the passwordEncrypts the entire payload
Authentication
and
Authorization
CombinedSeparate
L3 ProtocolsNo Support for Apple Remote Access, NetBIOS Frame Protocol Control, or X.25 PADSupports all protocols
DevicesNo support for commands on routers and switchesSecures available commands
TrafficCreates less trafficCreates more traffic
StandardOpenProprietary

RADIUS security issues include:

  • Access-Request messages are not authenticated
  • Shared secret can be weak
  • RADIUS’ encryption is not secure
  • Request Authenticators are not sufficiently random and can be predicted or repeated if not properly configured

Security issues with TACACS+:

  • No integrity checking of packets
  • Vulnerable to replay attacks
  • Session ID collisions can cause weakness
  • Session IDs may repeat
  • No padding to obscure data fields.

Security issues associated with federation and single sign-on

SSO allows users to access resources without having to authenticate for multiple organizations. Federations allow for this to happen.

Identity Propagation

Identity Propagation is the passing of an authenticated identity from one tier to another in a. multitier systems.

Federations

Federated identity is a portable ID that can be used between businesses or domains. There are two federation models:

  • Cross-certification model: Each organization certifies that the other organizations are trusted.
  • Trusted third-party (or bridge) model: A third party verifies the participants.

Security issues for federations include:

  • Inconsistent security among partners: Partners must establish minimum standards and practices both agree on.
  • Insufficient legal agreements among partners

Some of the methods to secure authentication between partners include:

  • Extensible Access Control Markup Language (XACML): a standard for access control policy using XML.
  • Service Provisioning Markup Language (SPML): XML based framework developed by OASIS.
  • Security Assertion Markup Language (SAML): Model built on XML and SOAP.

Manual vs. Automatic Provisioning/Deprovisioning

Manual provisioning is more secure, but slower as both members of the federation must do the provisioning. Automatic provisioning is preferred for user experience. The amount of trust between federation members often dictates which way to go.

Self-Service Password Reset

To reduce the work load for IT, many organizations provide self-service options for password resets. This introduces security issues of making sure that the password is being reset by the user. Mitigation can be done through password challenge questions that were created by the user in the past. Another way is through a 2FA scheme through e-mail or text message.

Exploits

Defeating identity and access management is the goal of many types of exploit

Impersonation

Occurs when a user assumes the identity of another by acquiring their credentials. This is usually done through social engineering or intercepting unencrypted credentials.

Man-in-the-Middle

Man-in-the-Middle attacks occur when the attacker is able to intercept traffic between two parties. ARP cache poisoning is one implementation.

Session Hijack

Session hijacking is when an attacker is able to identify the unique session ID for an authenticated user.

Privilege Escalation

Privilege escalation exploits a bug or weakness to allow privileges above that which the user should have.

  • Vertical privilege escalation: Lower privilege user accesses higher-privileges.
  • Horizontal privilege escalation: Normal user accesses content reserved for other normal users.

Prevention of privilege escalation through these measures:

  • Ensure services and applications are running with minimum privileges needed to function.
  • Verify users have least privileged access.
  • Ensure databases do not run with root privileges if possible.

Rootkit

Rootkits are sets of tools used on a computer after gaining access to elevate privileges to administrator. Rootkits can do some of the following:

  • Install a backdoor
  • Log scrubbing
  • Trojan infected programs
  • Make malicious changes to the kernel.

Best defense is not to get a rootkit installed, other steps include:

  • Monitor for ingress points for a process that may be redirected
  • Use Windows Rootkit Revealer
  • Consider standalone rootkit detection tools
  • Keep the firewall updated
  • Harden all workstations