
Domain 5: Identity & Access Management CISSP Cheat Sheet Series

Three-factor Authentication (3FA)

Knowledge factor: Something that is known by the user.
Ownership factor: Something that the user possesses, like a key or a token.
Characteristic factor: A user characteristic, such as biometrics: fingerprints, face scan, signature.

Knowledge – Type/category 1 – something you know

Password authentication, secret questions such as mother's maiden name, favorite food, date of birth, key combination / PIN.

Terminology and concepts
Salted hash: Random data added to a password before hashing and storing in a database on a server. Used instead of plaintext storage; the stored value can be verified without revealing the password.
Complex password: Alphanumeric, more than 10 characters. Includes a combination of upper and lower case letters, numbers and symbols.
One-time password (OTP): Dynamically generated to be used for one session or transaction.
Static password: Password does not change. To be avoided.
Cognitive password: Something used to identify a person, e.g. pet's name, favorite color, mother's maiden name, place of birth etc.
Password hacking: Unauthorized access of a password file.
Brute force attack: Multiple attempts using all possible password or PIN combinations to guess the password.
Dictionary attack: Type of brute force attack that uses all the words from the dictionary.
Social engineering attack: Gain access by impersonating a user, establishing legitimate user credentials through social manipulation of trusted parties or authorities.
Rainbow tables: Precomputed table for reversing cryptographic hash functions and cracking passwords.

Ownership – Type/category 2 – Something you have

Synchronous token: Creates a password at regular time intervals.
Asynchronous token: Generates a password based on the challenge-response technique.
Memory card: A swipe card containing user information.
Smart cards or Integrated Circuit Card (ICC): A card or dongle that includes a chip and memory, like bank cards or credit cards.
Contact cards: Swiped against a hardware device.
Contactless cards or proximity cards: Simply need to be within proximity of the reader device.
Hybrid cards: Allow a card to be used in both contact and contactless systems.
USB drive: Bespoke USB with access credentials.
Static password token: Simplest type of security token, where the password is stored within the token.
Challenge/response token: A challenge has to be met by the correct user response.

Characteristic – Type/category 3 – Something you do / are

Biometric technology allows the user to be authenticated based on physiological or behavioral characteristics.
• Physiological, i.e. iris, retina, and fingerprints.
• Behavioral, i.e. voice pattern.

Physiological Characteristics
Fingerprint: Scans the thumb or edge of the finger.
Hand geometry: Size, shape, bone length, finger length, or other layout attributes of a user's hand are taken.
Hand topography: Hand peaks and valleys pattern.
Palm or hand scan: Fingerprint and geometry combination of the palm.
Facial scan: Facial features such as bone, eye length, nose, chin shape etc.
Retina scan: Retina blood vessel scan.
Retina blood vessel scan: Scans the colored part of the eye around the pupil.
Vascular scans: Scans the pattern of the veins in the user's hand or face.
Voice print: Verifies speech sound patterns.

Scanning Behaviors
Signature dynamics: Pen pressure and acceleration are measured.
Keystroke dynamics: Scans the typing pattern.
Voice pattern / print: Measures the sound pattern of a user reading a particular word.

Biometric Considerations
Does not change throughout human life and is unique. High accuracy rate.
Enrollment time: Sample processing for use by the biometric system.
Feature extraction: The process of obtaining the information from a collected sample.
Accuracy: Scan the most important elements for correctness.
Throughput rate: The rate at which the system can scan and analyze.
False Rejection Rate (FRR): The percentage of valid users that will be falsely rejected. Type 1 error.
False Acceptance Rate (FAR): The percentage of invalid users that will be falsely accepted. Type 2 error.
Crossover Error Rate (CER): The point at which FRR equals FAR. Expressed as a percentage; a lower CER is better.
Biometric scans, order of effectiveness and accuracy: Iris scan • Retina scan • Fingerprint • Hand geometry • Voice pattern • Keystroke pattern • Signature dynamics.

Terminology

Access: Action required to allow information flow between objects.
Control: Security measures taken to restrict or allow access to systems.
Subject: An entity which requires access to an object or objects.
Object: Entity which contains information.

Access Control Requirements

CIA Triad: Confidentiality - Integrity - Availability (see the Domain 1 cheat sheet).

Identity Management

IAAA – Identification - Authentication - Authorization - Accountability.
• Registration: Verification of user identity; adds an identifier to the system and assigns the user the proper controls.
• Identification: Commonly uses a user ID or username.
• Authentication: User verification process. Commonly uses passwords.
• Authorization: Defining resources for user access.
• Accountability: Person responsible for the controls; uses logs.

Levels of Access & Control

Centralized administration: Only one component can control access. Highly restricted level where control is done centrally.
Decentralized administration: Access is controlled by information owners. Can be less consistent.
Hybrid: Combination of centralized and decentralized.
Access stances: allow-by-default or deny-by-default.

Single Sign-On (SSO)
• A.K.A. federated ID management.
• Pros – Complex passwords, easy administration, faster authentication.
• Cons – Risk of all systems being compromised by unauthorized access of a key or keys.

SESAME (Secure European System for Applications in a Multi-vendor Environment)
Public key cryptology only authenticates the initial segment without authenticating the full message. Two separate tickets are in use: one for authentication, and the other defines the access privileges for the user. Both symmetric and asymmetric encryption are used.

SAML (SOAP/XML)
Exchanges authentication and authorization information between security domains and systems.
• Components: Principal (user) • Identity provider • Service provider.
• Used in directory federation SSO.

Access control policies: Level of access and controls granted for a user.
Separation of duties: Assigning different users different levels of access to protect privacy and security.
Dual controls: Access to perform specific functions is granted to two or more users.
Split knowledge: No single user can have full information to perform a task.
Principle of least privilege: User is given the minimum access level needed to perform a task.
Need-to-know: Minimum knowledge level to perform a task.
No access: User is not assigned any access for any object.
Directory service, i.e. LDAP: Centrally managed database for user object management.

Kerberos

Client/server model authentication protocol.
• Symmetric key cryptography.
• Key Distribution Center (KDC).
• Confidentiality, integrity and authentication, using symmetric key cryptography.
Authentication realm: Administrative domain. Uses symmetric-key cryptography.
KDC (Key Distribution Center): Issues tickets to the client for server authentication.
• Stores the secret keys of all clients and servers in the network.
• AS (Authentication Server).
• TGS (Ticket Granting Server).
The Kerberos logon process:
• User inputs username/password in the client PC/device.
• Client system encrypts the credentials using AES to submit them to the KDC.
• KDC matches the input credentials against its database.
• KDC creates a symmetric key and a time-stamped TGT to be used by the client and the Kerberos server.
• Key and TGT are encrypted using the client password hash.
• Client installs the TGT and decrypts the symmetric key using the hash.

Authorization Concepts

Security domain: Set of resources having the same security policies.
Federated identity: Organizations having a common set of policies and standards within the federation.

Federation Models

Cross-certification model: Every organization is certified and trusted by the other organizations within the standards defined internally by said organizations.
Trusted third-party / bridge model: Every organization adheres to the standards set by a third party.
IDaaS (Identity as a Service): Identity and access management is provided by a third party organization.
SSO (Single sign-on): Access management for multiple similar, yet independent systems. Primarily used for cloud and SaaS based system access.
Cloud identity: User account management (Office 365).
Directory synchronization: On-premises identity provider (Microsoft Active Directory).
Federated identity: On-premises identity provider for managing login requests (MS AD).

Access Control Models

Implicit deny: By default, access to an object is denied unless explicitly granted.
Access control matrix: Table which includes subjects, objects, and access controls / privileges.
Capability tables: List the access controls and privileges assigned to a subject. ACLs focus on objects whereas capability lists focus on subjects.
Permissions: Access granted for an object.
Rights: Ability/access to perform an action on an object.
Privileges: Combination of rights and permissions.

Authorization Methods

Discretionary Access Control (DAC) • Mandatory Access Control (MAC) • Role-based Access Control (role-BAC) • Rule-based Access Control (Rule-BAC).
Discretionary Access Control (DAC): Uses access control lists (ACLs). Used by owners to grant or deny access to other users. The ACL defines the level of access granted or denied to subjects.
Mandatory Access Control (MAC): Subjects are authorized according to security labels.
Role-BAC (RBAC): Task-based access controls; subjects acquire access to an object based on their role or assigned tasks.
Rule-BAC: Uses a set of rules or filters to define what can or cannot be done on a system.
Hybrid RBAC: Limited RBAC.
Lattice based / label: Objects are classified based on control level using a label.
Non-discretionary access / mandatory access control: Based on policies defined by a central authority. Role based or task based.

Authorization Methods / Concepts

Constrained interface applications: Restrict the actions which can be performed with given privileges.
Content-dependent: Restricts access to data depending on the content of an object.
Context-dependent: Grants users access after a specific condition, e.g. after a specific date/time.
Work hours: Context-dependent control.
Least privilege: Subjects are given access to objects only to perform what they need to. No more, no less!
Separation of duties and responsibilities: Tasks are split to be performed by two or more people.

User Accountability

Auditing and Reporting • Vulnerability Assessment • Penetration Testing • Threat Modeling
Users are responsible for the actions they have performed.
Auditing and reporting: Events to be monitored for reporting: Network events • Application events • System events • User events • Keystroke activity.

Access Control Types (type: scope / purpose; example)

Administrative controls: Administration of organization assets and personnel. Example: data classification, data labeling, security awareness training.
Logical / technical controls: Restrict access. Example: firewalls, IDSs/IPSs, encryption, biometrics, smart cards, and passwords.
Physical controls: Protect the organization's infrastructure and personnel. Example: perimeter security, biometrics and cabling.

Access Control Categories (category: scope / purpose; example)

Compensative: Risk mitigation action. Example: two keys, or a key and a combination, to open a safety locker.
Corrective: Reduce attack impact. Example: having fire extinguishers, having offsite data backups.
Detective: Detect an attack before it happens. Example: CCTV, intrusion detection systems (IDS).
Deterrent: Discourages an attacker. Example: user identification and authentication, fences.
Directive: Define and document acceptable practices within an organization. Example: Acceptable Use Policy (AUP).
Preventative: Stop an attack. Example: locks, biometric systems, encryption, IPS, passwords.
Recovery: Recovery of a system after an attack. Example: disaster recovery plans, data backups etc.

Vulnerability Assessment

Personnel testing • Physical testing • System and network testing

Penetration Testing and Threat Modeling

Simulate an attack to determine the probability of an attack against the application systems.
Steps:
1. Record information about the system.
2. Collect information about attacks against the system.
3. Discover known system vulnerabilities.
4. Perform attacks against the system, attempting to gain access.
5. Document the outcome of the penetration test.

Penetration Test Types

Blind test: Organization knows about a possible attack but has very limited knowledge.
Double-blind test: Organization doesn't know about the incoming attack, except for very few people in the organization who do not exchange information.
Target test: Organization has prior knowledge of the attack, including key details.

Penetration Strategies

Zero-knowledge test: Test team doesn't know any information about the target network. A.K.A. black box testing.
Partial knowledge test: The testing team knows public knowledge about the organization's network.
Full knowledge test: The testing team knows all available information regarding the organization's network.

Password types

Simple passwords: Single word, usually a mixture of upper and lowercase letters.
Combination / composition passwords: Combination of two unmatching dictionary words.
Passphrase passwords: Require that a long phrase be used.
One-time or dynamic passwords: Passwords that are valid for a single session login.
Graphical passwords (CAPTCHA): Use of character images or graphics as a part of the authentication.
Numeric passwords: A password that only uses numbers.

Procedure for user account management

Regular user account review and password changes, track access authorization using a procedure, regularly verify the accounts for active status.
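The Access Control Models entries state that an access control matrix holds subjects, objects and privileges, that ACLs focus on objects whereas capability lists focus on subjects, and that access is implicitly denied unless granted. This added example (not from the cheat sheet) builds both views from one constructed matrix, applies implicit deny, and adds a least-privilege audit that the sheet's Principle of least privilege entry calls for; the subject and object names are made up.

```python
from typing import Dict, Set

# Constructed access control matrix (sample data, not from the cheat sheet):
# rows are subjects, columns are objects, cells are the granted privileges.
ACCESS_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll.db": {"read", "write"}, "hr_policy.pdf": {"read"}},
    "bob":   {"hr_policy.pdf": {"read"}, "backup.tar": {"read", "write", "execute"}},
    "carol": {},   # registered subject under the "No access" policy
}

def capability_table(matrix, subject):
    """Subject-centred view (one row of the matrix): what may this subject do?"""
    return {obj: set(privs) for obj, privs in matrix.get(subject, {}).items()}

def access_control_list(matrix, obj):
    """Object-centred view (one column of the matrix): who may touch this object?"""
    return {subj: set(row[obj]) for subj, row in matrix.items()
            if obj in row and row[obj]}

def is_allowed(matrix, subject, obj, action):
    """Implicit deny: anything not explicitly in the matrix is refused,
    including unknown subjects, unknown objects and unlisted actions."""
    return action in matrix.get(subject, {}).get(obj, set())

def overprivileged(matrix, required):
    """Least-privilege audit: privileges held beyond what each task requires.
    `required` has the same shape as the matrix and lists the needed privileges."""
    extra = {}
    for subj, row in matrix.items():
        for obj, privs in row.items():
            surplus = privs - required.get(subj, {}).get(obj, set())
            if surplus:
                extra.setdefault(subj, {})[obj] = surplus
    return extra

if __name__ == "__main__":
    print(capability_table(ACCESS_MATRIX, "alice"))
    print(access_control_list(ACCESS_MATRIX, "hr_policy.pdf"))
    print(is_allowed(ACCESS_MATRIX, "mallory", "payroll.db", "read"))  # False
```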
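The Biometric Considerations entries define FRR (Type 1 error), FAR (Type 2 error) and the CER as the point where the two are equal. This added example (not from the cheat sheet) computes all three from constructed matcher scores on an assumed 0..100 similarity scale, sweeping the acceptance threshold to find the crossover and showing how moving the threshold trades one error rate for the other.

```python
from typing import List, Tuple

# Constructed matcher scores on a 0..100 similarity scale (sample data, not
# from the cheat sheet). A higher score means the live sample looks more like
# the enrolled template; a sample is accepted when score >= threshold.
GENUINE_SCORES = [92, 88, 95, 77, 85, 90, 81, 97, 70, 89]    # valid users
IMPOSTOR_SCORES = [40, 55, 62, 71, 48, 35, 80, 66, 58, 50]   # invalid users

def false_rejection_rate(genuine: List[int], threshold: int) -> float:
    """FRR (Type 1 error): % of valid users whose score falls below the threshold."""
    rejected = sum(1 for s in genuine if s < threshold)
    return 100.0 * rejected / len(genuine)

def false_acceptance_rate(impostor: List[int], threshold: int) -> float:
    """FAR (Type 2 error): % of invalid users whose score reaches the threshold."""
    accepted = sum(1 for s in impostor if s >= threshold)
    return 100.0 * accepted / len(impostor)

def crossover_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Sweep the threshold and return (threshold, CER) where FRR and FAR are
    closest to equal; on ties the lowest such threshold is kept. Lower is better."""
    best = None
    for t in range(0, 101):
        frr = false_rejection_rate(genuine, t)
        far = false_acceptance_rate(impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]

def tradeoff(genuine: List[int], impostor: List[int], thresholds: List[int]):
    """Rows of (threshold, FRR %, FAR %): raising the threshold lowers FAR but
    raises FRR, which is why the CER is used as a single comparison figure."""
    return [(t, false_rejection_rate(genuine, t), false_acceptance_rate(impostor, t))
            for t in thresholds]

if __name__ == "__main__":
    print(crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))   # (72, 10.0)
    for row in tradeoff(GENUINE_SCORES, IMPOSTOR_SCORES, [60, 72, 90]):
        print(row)
```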
