CompTIA CYSA+ CS0-002 – Identity and Access Management Solutions Part 1

1. Identity and Access Management (OBJ 2.1)

Identity and access management. In this lesson, we’re going to start to examine the idea of identity and access management. When I talk about identity and access management, this is also called IAM. This is a security process that provides the identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications. Essentially, when you log onto your computer, you’re taking place inside of the IAM process because you’re presenting a username and a password and that’s going to authenticate you and that gives you authorization to certain things within your network. Now, every unique subject in the organization is identified and associated with an account.

Now, when I talk about the term a unique subject, what does that really mean? Well, a unique subject could be personnel. It could be endpoints, it could be servers, it could be softwares, or it could be roles. When I’m talking about personnel, this is the most common type of IAM that’s defined. This is people and employees, those who have user accounts and log onto the system to do stuff with them. Now this is really important because most computers aren’t there just to be a computer. They’re there to get some kind of value from it. And to get that value from the computer, you need people to use it. When my computer is just sitting here, it’s a paperweight. But when I log on to my computer and I access the Internet to answer your questions, I’m providing value. And that’s why personnel are so important in terms of IAM.

Now, another thing you have to think about when you’re talking about personnel with IAM is that personnel is also a huge risk area because people write down their usernames and passwords and that’s a risk. People log into places carelessly and let their credentials get out, and that’s a risk. So these are things you have to think about. The next area we want to talk about for IAM is endpoints. Now, we talk about endpoints. These are desktops and laptops and tablets and cell phones. And all of these things are endpoints. They’re devices that people use to gain access to a network and be able to do their job. So the personnel is going to have credentials to log onto the computer and that computer is going to have credentials to log on to the network. And sometimes those are the same credentials.

But it’s still different from an IAM perspective because the computer has its own set because it is a unique subject in the case of IAM. Now, the next area we’re going to talk about is servers. Now, servers are a little bit different than endpoints. Endpoints are devices that users are going to log on to, but servers are sitting in the back. And a lot of times servers are there for machine to machine communication. So each server also is going to have its own IAM credentials. These servers might have missioncritical systems and encryption schemes and other things that are all going on. And all of that trust and identity that happens behind the scenes happens on these servers. So servers are another big part of IAM. Another area we have to think about with IAM is software.

Just like servers, there are different applications that can take and feed requests to and from users, and that’s going to require IAM. And so software can also be a subject that has its own unique way. And usually this is going to be done using certificates, like digital certificates, to be able to allow or disallow a client from doing certain things with a certain piece of software. And finally, we have roles. This is the fifth type of unique subject. Roles are going to support the identities of various assets by defining the resources an asset has permission to access based on the function that the asset is going to fulfill. So when we talk about roles, these roles can actually be assigned to servers or to people or to endpoints. And based on those roles, they’re going to have different permission sets.

Now the great thing here with roles is that they’re not limited to just people or just servers, or just endpoints or just software. All of those can be roles. So while we have those other four categories, they can all be rolled down into roles as well if we configure ourselves that way. Now when you’re dealing with roles, so a lot of times we’re going to do this inside of Windows by assigning people to different groups and then give those groups permissions. That’s what you probably learned in A plus or Security plus. So just keep that in mind when we talk about roles. That’s usually the way things are going to be done. Now when we talk about IAM tasks, there’s lots of different tasks that the system is going to do.

Your IAM system is going to contain technical components like directory services and repositories access management tools and systems that are going to do auditing and reporting on ID management capabilities. All of these things contain tasks that need to be done for an IAM system to function properly. Now in addition to that, a lot of different things that might happen as part of the IAM system is things like creating and deprovisioning accounts. So if I’m going to create a new user, that’s a creation or provisioning of an account. If I’m going to disable or delete a user, that’s deeprovisioning. When I talk about managing accounts, this includes things like resetting somebody’s passwords, updating their digital certificates, managing their permissions and their authorizations, and other things of that nature.

When I talk about auditing accounts, this is when I start looking at the activity that that account has done through the different logs and figure out was that legitimate or not. This is a big function inside the cybersecurity analyst role. You’re going to do a lot of account auditing as you go through those systems, and this is going to be a big part of your IAM management. Another thing we’re going to do is evaluate identity based threats. Now, what this means is we’re going to do a lot of different things to identify any threats as a cybersecurity analysis to our IAM systems. For instance, you might run password checks across your network to see if there’s any weak passwords that is evaluating the security of your identity based threats.

You want to make sure those passwords are strong and so an attacker can’t break into them. And the last thing we do is we want to maintain compliance. And to maintain compliance, we’re going to go through checks and balances, we’re going to go through audits, and we’re going to make sure that we’re meeting the requirements that we have set up for our system to run securely. And in the final part of this lesson, I want to talk about risk. What risks exist within IAM? Well, the biggest risk is really the risk caused by our accounts. And there are three main types of accounts that we’re going to cover. There are user accounts, and these are your standard accounts that all your users are going to have. Now, these are the least risky for us because they just have basic user permissions, but they are still a risk.

The second type of account we have are privileged accounts, and this is even more risky. The reason it’s more risky is because this type of account has more permissions as a privileged account. This is an administrator, a root user, or a super user. And so they have permission to install software and an uninstall software, and they can change passwords on other users, and they can create new accounts and do all sorts of things, making it a much more risky area. So it’s an area you want to have additional auditing and additional compliance checks to make sure those accounts are safe. And finally, we have shared accounts. Now, shared accounts are typically used in small office home office environments.

You may have one account that everybody uses to log in to do some certain function. Now, this is a really dangerous practice because everybody has that shared password, and so you lose the ability to audit who actually did something because everybody is logging in as that user. I can’t just go to the logs and say the shared account was on the system at this time. They must have done it well. Who was the shared account? It could have been any of ten different employees. We don’t know. And so this is another area that’s very risky. So it’s not recommended to use shared accounts. Instead, you should have people using user accounts and put them into a role based permissions group to allow them to do the functions they need.

2. Password Policies (OBJ 5.3)

Password policies. In this lesson, we’re going to examine password policies and how they affect your IAM systems. Now, first, let’s define a password policy. A password policy is simply a policy document that promotes strong passwords by specifying a minimum password length, requiring complex passwords, requiring periodic password changes, and placing limits on the reuse of passwords. Now, I know you’re probably thinking, Jason, I already know all this. I’m Security Plus certified, I don’t need to talk about password policies. But wait, you really do, because there’s some things in this lesson that are going to go against what you learned in your Security Plus, especially if you learned from the 501 version. So please pay attention. This is important and it will show up on the exam.

Now, when we talk about password protection policies, these are used to mitigate against the risk of attackers being able to compromise an account. Again, if you have a strong password, the chance is people aren’t going to be able to break into your system. That’s the goal here. Now, why did I say we have to pay attention to this lesson? Well, because there’s been some big changes in the world of password policies. Now, if you go and look at the source documentation, which is the NIST special publication 863 B, this is the Digital Identity Guidelines. It talks about IAM and passwords. And they actually went and deprecated some of the old traditional elements of password policy. For instance, you might be familiar with the concept of using a long, strong, complex password.

Well, now, complexity rules should not be enforced according to this document. Why is that? Well, they found that when you have really long, strong passwords that are very complex, people tend to write them down because they can’t remember them. And so if they write them down, what happens? You now have password credentials that are out in the open and could be retrieved by other people. So the complexity rules should not be enforced. Instead, you should have something between eight and 64 ASCII characters that’s really nice and long, and this can have uppercase, lowercase and special characters if you want. But again, if you just have a really long string that doesn’t have anything that’s repetitive like 1234-5678, it’s just as secure. And so this is a reason why they now have complexity rules should not be enforced.

Another thing that might shock you is that aging policies should not be enforced. Now, in Security Plus, you probably learned that you should have people change their passwords every 60 days, and that’s one of the settings that they had you memorized inside of Security Plus. But now, under this new guidance, aging policies don’t need to be enforced. Why? Because, again, if you’re using a really long, strong password and you end up having those complexity rules that aren’t enforced, but you’re using something like a password manager, you wouldn’t want to have to change those passwords every 60 days. The more you change them, the more people start doing password reuse, or those passwords could become compromised.

Now, the third one is that password hints should not be used. Now, this isn’t to say there shouldn’t be a way to reset a password, but you shouldn’t have a password hint. For instance, if my password was password and I hit the little hint button, it says, reminder your password is pass or p. That might be something that gives me a hint, and then I could jog my memory. Well, that also can jog the memory or help the attacker guess your password. So password hint shouldn’t be used. Instead, there should be another way to reset that password if you forgot it, using things like logical information responding to personal information, such as your first school or your first pet’s name or things like that.

And then you just reset the password and choose a new one. Now, another area inside your password policy that you want to consider is password reuse, because this is a big issue, too. Password reuse across multiple sites becomes a huge vulnerability, because if somebody is able to break into a database, for instance, the Yahoo. Breach, and they get your password from that because you had a Yahoo. Account, and they take that password. Now try it on Gmail and Facebook and Ebay and everywhere else. Maybe if you use the same password across all those sites. Now all your passwords have been compromised. That’s the idea of why you don’t want to use password reuse. Every password should be unique for every site you go to.

So how do you do all of that? Well, the best way is to use a password manager. A password manager should be implemented and enforced as part of your given password policy. Now, a password manager is a piece of software that’s used to generate a pseudo random passphrase for each website that a user needs to log on to. And so if I use something as a password manager, for instance, LastPass, it will create something between eight and 64 characters that’s a random password. Now, I won’t even know what that password is, but that’s okay. I have one master password that I use to get into LastPass, and then LastPass logs into all those websites. For me, this is much more secure than you trying to memorize passwords for every single website out there.

If you’re like most people, you simply can’t remember all the passwords for every website. So you either write them down or use the same password across multiple websites, both of which are bad. By using a password manager, you solve both of these problems. Now, if you forget your password, what should you do? Well, you should reset your password, right? And when we reset our passwords, we’re going to do it using one of two methods. We can either use challenge questions, or we can use two step verification. Now, a challenge question is going to ask the user for information that only they should know.

For instance, what was the first school you attended? What was the first model of car you had? What was the name of your first pet? What was your first girlfriend’s name? Where was your first kiss? Where did you meet your spouse? Things like this. These are questions that only you should know or maybe you and your spouse or you and your significant other. And so this is a way to be able to validate somebody’s identity. When you create a new account, you create a username and a password and you add in some of these challenge questions. Then if you need to look up your password or reset your password, you could do that by using these challenge questions.

Now, the other way of doing it is by using two step verification. Now two step verification is going to allow users to provide a secondary communication channel, like another email address or a cell phone number to receive a one time code to verify their identity when resetting a password. Now, this is a great way of doing things because when you set up the account, you said, you can trust me. I am Jason, and my phone number is. Now, anytime I try to log in or reset that password and I need that second step of verification to reset it, it will send that one time use code to me. If I have that phone, it now knows I am Jason because I have my phone and I know my username. That is two factor authentication and it becomes two step verification in this case.

3. SSO and MFA (OBJ 2.1)

Single signon and multifactor authentication. In this lesson we’re going to talk about SSO and MFA. First. Let’s start with SSO. This is single sign on. Single signon is an authentication technology that enables a user to authenticate once and then receive authorizations for multiple services. Now, there’s both advantages and disadvantages to using something like single sign on. When you use single sign on, the user user doesn’t have to have multiple usernames and passwords. This is a good thing. One password to rule them all. It’s one nice hard, challenging password that you can memorize and then use to get on to everything. Because you log on once and have access to all the systems, that’s a great advantage. But the disadvantage is you only have one password.

So if your user account is compromised, that attacker now has access to everything. For example, I talked about before, you can use something like LastPass which is a password manager. Now this isn’t necessarily single sign on but it’s the same concept. If your master password is compromised, they now have access to all of your sites. Well, with single sign on it’s essentially the same thing because you log in once and get access to all of the sites. And so if that one password gets compromised, they get everything.

So this is a bad thing about single sign on. Now, when you’re using single sign on, for instance, on a Windows domain, you log on to your Windows domain, you have access to all the files and email and everything else that is single sign on. That’s using Kerberos as a single sign on tool. Now, the next one we’re going to talk about is MFA, which is multifactor authentication. This is the buzzword these days everybody needs to have MFA. This is an authentication scheme that requires the user to present at least two different factors of credentials. This can come from something you know, such as a username and password. Something you have like a token or a fob, something you are like a fingerprint or an eyeball scan.

Something you do such as the way you sign your name or somewhere you are, such as your location and your GPS coordinates.If you have at least two of these five categories, you have multifactor authentication. Now another buzzword go here is twoFA and that’s for two factor authentication. This is when only two of those factors are used. And that’s the most common form of multifactor authentication because most systems aren’t going to require you to have three or four or five factors, just two. Now, what makes multifactor authentication better than just using a username and password? Well, it’s because you have two factors of authentication and you can even secure this even further by using things like two step verification, biometrics certificate based authentication or location based authentication.

Let’s talk a little bit about each of these. Two step authentication is when you go to log into a website and then once you put in your username and password, it sends a text message to your phone or an email to you, and then you have to get that code and enter it into the website. This now gives you two factors something you know, your username and password and something you have your cell phone receiving that text message. That’s the idea of a two step verification. Now, this is a really good way of doing things, and one of the reasons it’s very widely implemented is because almost everybody now has a cell phone. And so you don’t have to have special hardware, you just have to have any smartphone. And you can then get this two factor authentication.

Now, another way you can use multifactor authentication is by using biometrics. And most of our smartphones use biometrics. Now you have a fingerprint scanner or a Face ID, like on my iPhone. This is the idea of using biometrics as a login mechanism. Now is face ID, multifactor authentication. No, because when you pull up that phone and you use your face, you’re only using your face. Yes, it’s more secure than using a password, but it’s not requiring two factors, it’s only requiring your face. So this would not be multifactor by itself. But if I had to put in a Pin and my face or a password and my face, that would then be multifactor authentication. Another factor you can use is certificate based. And this is often done using digital certificates.

For instance, on my iPhone I have some digital certificates installed that identify me as the person holding that phone. So when I go to certain websites, it uses that digital certificate to log me in between that and my username and password, I now have multifactor authentication. In my case, it’s a digital certificate and a Pin number. And that would let me get into the website I need to get into. And the final one is location based. This can be done based on your IP address location, although that’s easily spoofed through VPNs or your actual GPS coordinates, which is a much better way of doing it. This again is another factor you can use as part of your multifactor. But if you’re just using login by itself based on your GPS location, that is a single factor.

So for example, if I wanted to log into my corporate file share, I can pull up my iPhone, it can detect where I am in the world based on my GPS, and if I am within the United States and I have the right username and password, it would let me log in. That could be a form of multifactor authentication because in my authentication scheme, you must be in the United States and you must have the username and password. That’s a pretty generic range of locations, but you could make it even more specific and say you must be in the city, or within this 50ft, you must be within our office building or something like that. But again, location base can be done as a way to identify fraud and figure out if your employees really are where they say they are.

If I have an employee who’s trying to log in from Russia or China and they’re sitting in the office, well, that’s obviously fraud, and we can then go ahead and turn that account off and figure out how that account has been compromised and get it fixed. So this, again, is one of those additional factors you can use. Usually it won’t be your primary factor, but it could be a factor that you use as a third degree to make sure the person has their username and password and has their security token and they’re actually in the state you think they should be in when they’re logging into that service. That’s why it’s a good third or fourth factor that you might want to use. But in general, you’re going to use mostly two factor authentication or a biometrics in addition with the username and password to be able to create good multifactor authentication.

• Category: Uncategorized