2022 FRSecure CISSP Mentor Program - 2022 - Class Eight - Updated 5-12-2022

#MissionBeforeMoney

CISSP® MENTOR PROGRAM – SESSION EIGHT

INTRODUCTION

2022
Class #8 – Domain 5
Ron Woerner
Cyber-AAA Founder & CEO & vCISO
Bellevue University CyberSecurity Studies Professor

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 1
WELCOME BACK!
• How ya doing?
• By now, you should have made (at least) your first pass
through chapters 1-4.
• If you have questions about any of the content so far,
check out the Slack study group or reach out!

Only 138 slides tonight, and we’ll finish Chapter / Domain 6, all in one night!


FRSECURE CISSP MENTOR PROGRAM LIVE STREAM
THANK YOU!
Quick housekeeping reminder.
• The online/live chat that’s provided while live streaming on YouTube
is for constructive, respectful, and relevant (about course content)
discussion ONLY.
• At NO TIME is the online chat permitted to be used for disrespectful,
offensive, obscene, indecent, or profane remarks or content.
• Please do not comment about controversial subjects, and please NO
DISCUSSION OF POLITICS OR RELIGION.
• Failure to abide by the rules may result in disabling chat for you.
• DO NOT share or post copyrighted materials (e.g. a PDF of the book).


WHOAMI
Ron Woerner, CISSP, CISM
• Chief Security Officer, Cyber-AAA
• Cybersecurity Professor, Bellevue University
https://linktr.ee/cyberron
TEDx Omaha talk: Hackers Wanted
https://www.linkedin.com/in/ronwoerner/
@ronw123

GETTING GOING…
Managing Risk!

We’re through Chapters 1, 2, 3, and part way into Chapter 4!
• Check-in: how many have read Chapters 1, 2 & 3? Questions?

Study Tips:
• Study in small amounts frequently (20-30 min)
• Flash card and practice test apps help
• Take naps after heavy topics (aka Security Models)
• Write things down, say them out loud
• Use the Slack Channels
• Exercise or get fresh air in between study sessions

Let’s get going!

INTRODUCTION
Before we get too deep into this: it’s been too long since we did a “dad joke”. Is that possible?

What do you call someone with no body and no nose?

Nobody knows.

WHAT IS A CISSP?
The Certified Information Systems Security Professional (or “CISSP”)
Get your Ultimate Guide to the CISSP at https://www.isc2.org/Certifications/Ultimate-Guides/CISSP

CISSP CERTIFICATION EXAM OUTLINE & CLASS SCHEDULE

Quick Review
Class 6: May 2nd – Instructor: Chris
Class 7: May 9th – Instructor: Evan


Monday Review (in 1 slide)


QUIZ…
Will the real test be this easy too?!
1. What is the most secure type of firewall?
A.Packet Filter
B.Stateful Firewall
C.Circuit-level Proxy Firewall
D.Application-layer Proxy Firewall

Why?

2. What WAN Protocol has no error recovery, relying on
higher-level protocols to provide reliability?
A. ATM
B. Frame Relay
C. SMDS
D. X.25

At what OSI model layer does Frame Relay operate?

3. Which endpoint security technique is the most likely to
prevent a previously unknown attack from being
successful?
A. Signature-based antivirus
B. Host Intrusion Detection Systems (HIDS)
C. Application Whitelisting
D. Perimeter firewall


4. Restricting Bluetooth device discovery relies on the
secrecy of what?
A. MAC Address
B. Symmetric key
C. Private Key
D. Public Key


New Topic!

Book pp. 377 – 418 (or 514-581 pdf)

Book (pdf) pp. 184-261

WHAT ARE WE GOING TO COVER?


Agenda – Domain 5: Identity and Access Management
• Authentication Methods
• Access Control Technologies
• Access Control Models

Identity & Access Management (IAM or IdAM)

Starting on page 377 this evening

Not a challenging domain, but don’t let your guard down.

DOMAIN 5: IAM
pp. 377 – 418 (or 514-581 pdf)
Topics:
• CONTROL PHYSICAL AND LOGICAL ACCESS TO ASSETS
• MANAGE IDENTIFICATION AND AUTHENTICATION OF
PEOPLE, DEVICES, AND SERVICES
• FEDERATED IDENTITY WITH A THIRD-PARTY SERVICE
• IMPLEMENT AND MANAGE AUTHORIZATION
MECHANISMS
• MANAGE THE IDENTITY AND ACCESS PROVISIONING
LIFECYCLE
• IMPLEMENT AUTHENTICATION SYSTEMS

CONTROL PHYSICAL AND LOGICAL ACCESS TO ASSETS
Definitions
• Objects are assets that require access control.
• Files, datasets, resources, networks
• Facilities, paper
• Subjects are an active entity, generally in the form of a
person, process, or device, that causes information to
flow among objects or changes the system state. (NIST)
• Human or non-human
• Access is anything a subject is permitted to do with or to
an object.


Properties that access control protects: Confidentiality, Integrity, Availability, plus Authenticity and Non-repudiation.

Definitions
• Centralized IAM uses a dedicated access control
function or system, to manage all access control.
• Easier management
• Single point of failure
• Decentralized IAM assigns access control decisions
to system or information owners. (Greater freedom)

• Provisioning = Granting access
• Deprovisioning = Removing access


Access Control Layers (outermost to innermost): Network, Device, System, Application, Data / Information

Identifying the needs for information access control is a fundamental requirement for the security practitioner.

Devices
• Anything with an IP Address
• Devices can be both objects and subjects in an
access control model
• Endpoint detection and response (EDR)
• Mobile device management (MDM)

Device Security

• Device Protection - enforces security policies on each device, including password complexity, software updates, and restricting apps
• Device Restrictions - identifies hardware that is not supported or systems that have been jailbroken / rooted
• Remote lock or wipe - lets the organization deny access to a lost or stolen device before an unauthorized user gets into it
• Containerization - separates corporate apps and data from personal ones on BYOD devices

Access Control Layers – Physical Security sits beneath all of them (network, device, system, application, data / information): with physical access to the hardware, the logical controls above can be bypassed.

Physical Access Control Systems (PACS)
• Traditional Physical Security – 3 G’s – Guards, Guns & Gates
• Access Controls – Badges, Keys, Visitor management

• Answers: who, where, when, why, how
• The complexity of the controls chosen must reflect the
value of the assets being protected.

See Chapter 7

• User identification: ID, badge, sticker; RFID, QR code, barcode
• Device identification: non-human assets

Physical Access Control – Delay, Deter, Deny:
• Fences & gates
• Secured doors
• Locks & keys

Physical Access Control – Detect:
• Guards
• Turnstile / Mantrap
• Intrusion Detection Sensors
• CCTV Surveillance

Homework: Sentry AI – Smart Surveillance System, https://www.youtube.com/watch?v=k_Y6I4igjIY
Homework: Google Data Center Security: 6 Layers Deep, https://www.youtube.com/watch?v=kd33UVZhnAA
Application Access (objects)
• Access to applications – Role-based access control (RBAC); more on this later
• Access to data in applications
  • Data flows between applications – data maps
  • BYOD & MDM – isolating / containerizing apps
• Access within applications
  • Multiple levels – general vs admin
  • Granularity – controlling access based on level
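The three bullets above (RBAC for application access, general vs admin levels, granularity within the application) as a working check. This is an added example, not code from the slides or from FRSecure; the role names, permissions and users are hypothetical. Two design points a reviewer should look for are shown: permissions are inherited through the role graph, and any request that does not match an explicit grant is denied.

```python
# Added example (not from the slides): role-based access control (RBAC) for an
# application with two levels (general vs admin) and deny-by-default decisions.
# Role, permission and user names are hypothetical.

# A role inherits every permission of its parent roles: "admin" can do all a
# "general" user can, plus its own permissions.
ROLE_PARENTS = {
    "general": [],
    "admin": ["general"],
}

# Permissions are (resource, action) pairs; this is the "granularity" level.
ROLE_PERMISSIONS = {
    "general": {("invoice", "read"), ("invoice", "create")},
    "admin": {("invoice", "approve"), ("user", "manage")},
}

# Constructed user-to-role assignment (what provisioning produces).
USER_ROLES = {
    "alice": ["general"],
    "bob": ["admin"],
}


def effective_permissions(role, _seen=None):
    """Permissions of a role plus everything inherited from its parents.
    Each role is visited once, so a mis-configured cycle cannot loop forever."""
    seen = _seen if _seen is not None else set()
    if role in seen:
        return set()
    seen.add(role)
    perms = set(ROLE_PERMISSIONS.get(role, set()))
    for parent in ROLE_PARENTS.get(role, []):
        perms |= effective_permissions(parent, seen)
    return perms


def is_allowed(user, resource, action):
    """Deny by default: unknown users, unknown roles and unlisted
    (resource, action) pairs all evaluate to False."""
    for role in USER_ROLES.get(user, []):
        if (resource, action) in effective_permissions(role):
            return True
    return False


def check_access(user, resource, action, audit_log):
    """Make the decision and record it; the record is what an access review
    (the auditing 'A' in IAAA) works from."""
    allowed = is_allowed(user, resource, action)
    audit_log.append({"user": user, "resource": resource, "action": action,
                      "decision": "allow" if allowed else "deny"})
    return allowed


if __name__ == "__main__":
    log = []
    for who, res, act in [("alice", "invoice", "read"), ("alice", "invoice", "approve"),
                          ("bob", "invoice", "read"), ("mallory", "invoice", "read")]:
        print(who, res, act, "->", "allow" if check_access(who, res, act, log) else "deny")
```

Granting by role rather than by user is what keeps the access review tractable: reviewing two roles is feasible, reviewing thousands of per-user grants is not.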

Domain 5: Identity and Access Management


New Topic! Manage Identification and Authentication of People, Devices, and Services
Identification, Authentication, Authorization, Auditing (IAAA)
• Identification
• Process of a subject asserting an identity.
• Begins before a subject attempts to access an object.
• Authentication - the process of proving the asserted identity.
• Identity Management (IdM)

Identity Management Implementation
• Provisioning
• Requesting identity creation &
approval process(es)
• Begins before a subject attempts
to access an object
• Deprovisioning
• Temporary suspension
• Disabling
• Deleting

• Authorization Management
• After identity creation
• Sets permissions (more later)
• Identity (& Access) Review

Registration, Proofing, and Establishment of Identity (WARNING! Jumping ahead in the book)
NIST SP 800-63-3, “Digital Identity Guidelines” (the IALs are defined in the SP 800-63A volume)
Credential Service Provider (CSP)
Identity Assurance Levels (IALs)
• IAL1: User self-asserts identity (“Trust me”); no link to a real-world identity is required
• IAL2: Submission of identity documentation – links the user to a real-world identity; proofing may be remote or in person
• IAL3: Reliable evidence of identity + verification; in-person (or supervised remote) proofing by a trained CSP representative

Credential Management System (CMS) (WARNING! Jumping ahead in the book)
Tools to manage the identity lifecycle. Examples: password managers, PKI (CAs & RAs), AD/LDAP, etc.
• Sponsorship: an authorized entity sponsors the subject
• Enrollment: initial provisioning
• Credential production: by the service provider
• Issuance: provided to the user

Authentication Methods
• A subject first identifies himself or herself; this identification alone cannot be trusted.
• The subject then authenticates by providing an assurance that the claimed identity is valid.
• A credential set is the term used for the combination of both the identification and authentication of a user.
• Three basic authentication methods (which is the oldest?):
  • Type 1 (something you know)
  • Type 2 (something you have)
  • Type 3 (something you are)
• A fourth type is sometimes cited: somewhere you are (sort of: location is easy to spoof, so it is usually treated as a supporting signal rather than a full factor).

Something you know: password, passphrase, PIN
Something you have: smartcard, token, device, application
Something you are: fingerprints, face, eyes, other biometrics
Where you are: geolocation

Type 1 Authentication: Something You Know – Passwords
• Memorized Secrets (Passwords, Passphrases, PINs)
• Long static passwords, comprised of words in a phrase or sentence
• An example of a passphrase is: “I will pass the CISSP® in 2 months!”
• Usually have less randomness per character compared to shorter complex
passwords (such as “B$%Jiu⁎!”), but make up for the lack of randomness with length
• One-time passwords
  • Used for a single authentication; once used (or expired) the value is no longer valid, so a captured one cannot be replayed
  • Very secure but difficult to manage (generation, distribution and synchronization of the values)

Long is Strong
Type 1 Authentication: Something You Know – Passwords
Rules a password-strength checker can apply:
Rule 1 - Password length <16 chars
Rule 2 - Only numbers: char weight for passwords <16 chars
Rule 3 - Only lower case letters: char weight for passwords <16 chars
Rule 4 - Only upper case letters: char weight for passwords <16 chars
Rule 5 - Only letters: char weight for passwords <16 chars
Rule 6 - Mix of letters and numbers: char weight for passwords <16 chars
Rule 7 - Number of times this password was compromised in a breach
Rule 8 - The password is a word that exists in a dictionary
Rule 9 - The password is a word that exists in a dictionary with simple obfuscation
Rule 10 - 80%+ of the password is a word that exists in a dictionary
Rule 11 - 80%+ of the password is a word that exists in a dictionary with simple obfuscation
Rule 12 - 60%+ of the password is a word that exists in a dictionary
Rule 13 - 60%+ of the password is a word that exists in a dictionary with simple obfuscation
Rule 14 - The password is a double word (stopstop, crabcrab)
Rule 15 - Contains common sequences from a keyboard row (qwerty, etc.)
Rule 16 - Contains numeric sequences based on well-known numbers such as 911
Rule 17 - Word with numbers appended
Rule 18 - Contains anything personally related (phone, zip, birthday, email username)

Long is Strong
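A checker that implements the dictionary, obfuscation, 80% / 60%, doubled-word, keyboard-row, well-known-number, word-plus-digits and personal-data rules from the list above, on top of the NIST SP 800-63B length bounds. This is an added example, not code from the slides or FRSecure. The blocklist, keyboard rows, "well-known numbers" and leet map are constructed stand-ins: in a real checker the blocklist is a breached-password corpus and a full dictionary.

```python
import re

# Constructed, illustrative blocklist. A production check uses a real
# dictionary plus a breached-password corpus, as NIST SP 800-63B 5.1.1.2 asks.
BLOCKLIST = {"password", "welcome", "letmein", "dragon", "summer",
             "football", "stop", "crab", "qwerty", "monkey"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
KNOWN_NUMBERS = ("911", "1234", "2022", "1111", "0000")   # constructed sample
# Simple obfuscation (leet) map used to undo "p@ssw0rd"-style substitutions.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def deobfuscate(pw):
    """Lower-case the password and undo simple character substitutions."""
    return pw.lower().translate(LEET)


def dictionary_fraction(pw):
    """Largest fraction of the (deobfuscated) password covered by one
    blocklisted word, e.g. 'summer99' -> 6/8 = 0.75."""
    text = deobfuscate(pw)
    best = 0.0
    for word in BLOCKLIST:
        if word in text:
            best = max(best, len(word) / len(text))
    return best


def has_keyboard_run(pw, n=4):
    """True if n adjacent keys from one keyboard row appear, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            seg = row[i:i + n]
            if seg in low or seg[::-1] in low:
                return True
    return False


def check_password(pw, personal=()):
    """Return a list of findings; an empty list means the password passed.
    `personal` is the user's known data (phone, zip, birthday, mail name)."""
    findings = []
    low = pw.lower()
    if len(pw) < 8:
        findings.append("shorter than 8 characters (SP 800-63B minimum)")
    if len(pw) > 64:
        findings.append("longer than 64 characters (verifier should accept up to 64)")
    frac = dictionary_fraction(pw)
    if frac == 1.0:
        findings.append("is a dictionary word (possibly obfuscated)")
    elif frac >= 0.8:
        findings.append("80%+ of the password is a dictionary word")
    elif frac >= 0.6:
        findings.append("60%+ of the password is a dictionary word")
    half = len(low) // 2
    if len(low) >= 6 and len(low) % 2 == 0 and low[:half] == low[half:]:
        findings.append("doubled word (stopstop, crabcrab)")
    if has_keyboard_run(pw):
        findings.append("contains a keyboard-row sequence (qwerty, etc.)")
    if any(num in pw for num in KNOWN_NUMBERS):
        findings.append("contains a well-known numeric sequence")
    stripped = re.sub(r"\d+$", "", pw)          # word with numbers appended
    if stripped != pw and deobfuscate(stripped) in BLOCKLIST:
        findings.append("dictionary word with numbers appended")
    for item in personal:
        if item and item.lower() in low:
            findings.append(f"contains personal data ({item})")
    return findings


if __name__ == "__main__":
    for candidate in ("Summer2022", "stopstop", "I will pass the CISSP in 2 months!"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

Note what the checker does not do: it imposes no composition rules (must contain a digit, a symbol, ...), because SP 800-63B advises against them; length and a blocklist do more work than character classes, which is the "Long is Strong" point above.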
Type 1 Authentication: Something You Know – Passwords
• Dynamic passwords
  • Change at regular intervals
  • RSA Security makes a synchronous token called SecurID that generates a new token code every 60 seconds. The user combines their static PIN with the dynamic token code to form one passcode that changes every time it is used.
  • One drawback of dynamic passwords is the expense of the tokens themselves (software authenticator apps remove most of that cost, at the price of depending on the phone’s security)
• Strong authentication (also called multifactor authentication) requires that the user present more than one authentication factor; PIN + token is the classic example (something you know plus something you have)

Source: NIST SP800-63B

A pretty good read: https://docs.microsoft.com/en-us/windows-server/security/kerberos/passwords-technical-overview
Type 1 Authentication: Something You Know – Passwords
Password Hashes and Password Cracking
• In most cases, clear-text passwords are not stored within an IT system; only the hashed outputs are
• Hashing is a one-way function with no key (it is not encryption: there is nothing to decrypt)
• When a user attempts to log in, the password they type is hashed, and that hash is compared against the hash stored on the system
• A hash function cannot be run backwards: there is no way to take a hash and compute the password from it
• An attacker can, however, run the hash function forward many times, hashing candidate passwords and comparing each output to the target hash, hoping to find a match (and so recover the original password). This is called password cracking.

• Password hashes for modern UNIX/Linux systems are stored in /etc/shadow (which is typically readable only by root)
• Windows stores local account hashes in the Security Account Manager (SAM) database; domain account hashes live on the domain controller (DC) in the Active Directory database, NTDS.dit
• Password hashes may be sniffed on networks or read from memory
• The SAM file is locked while the Windows operating system is running, but tools such as fgdump by foofus.net (http://www.foofus.net/fizzgig/fgdump/) can dump the hashes from memory

See the 2021 slides and video for password hacking tools.
Type 1 Authentication: Something You Know – Passwords

Password Managers
• A software application that can manage authentication
material like passwords, passphrases, and answers to secret
questions
• Support across desktop and mobile operating systems
• Can serve to offload the work of creating, remembering, and
filling in passwords.
What password manager do you use?
Investopedia – Best Password Managers – https://www.investopedia.com/best-password-managers-5080381

Type 1 Authentication: Something You Know – Passwords
Password Salting (review: crypto / hashing)
• Without a salt, if two users have the same password, their stored hashes are identical
• A salt allows one password to hash multiple ways
• Some systems (like modern UNIX/Linux systems) combine a salt with a password before hashing: “The designers of the UNIX operating system improved on this method by using a random value called a “salt.” A salt value ensures that the same password will encrypt differently when used by different users. This method offers the advantage that an attacker must encrypt the same word multiple times (once for each salt or user) in order to mount a successful password-guessing attack.”
• Makes rainbow tables far less effective (if not completely ineffective)
• The salt is stored next to the hash and does not need to be secret; pair it with a slow, iterated hash (bcrypt, scrypt, Argon2, PBKDF2) so that every guess costs the attacker real work
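The cracking and salting points above in code, as an added example (not from the slides or FRSecure): unsalted hashes of identical passwords collide and fall to a single amortised dictionary pass, while salted, iterated PBKDF2 records do not collide and force the attacker to redo the work per user. The user list and wordlist are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample users (username, plaintext). The plaintext exists here
# only to build the stored records; a real system never keeps it.
SAMPLE_USERS = [("alice", "summer2022"), ("bob", "summer2022"), ("carol", "Tr0ub4dor&3")]
# Constructed candidate list standing in for a cracking wordlist.
WORDLIST = ["password", "letmein", "summer2022", "welcome1"]


def unsalted_record(password):
    """Legacy style: hash(password) only. Identical passwords collide, and one
    precomputed table (rainbow table) serves every user and every system."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None, iterations=600_000):
    """Salted, iterated record 'iterations$salt$hash' (hex) using
    PBKDF2-HMAC-SHA256. The salt is random per record and stored in clear."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password, record):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_unsalted(targets, wordlist):
    """Dictionary attack on unsalted hashes: hash each candidate ONCE and look it
    up against every target hash. Work = len(wordlist), independent of users."""
    by_hash = {}
    for user, h in targets.items():
        by_hash.setdefault(h, []).append(user)
    found = {}
    for word in wordlist:
        for user in by_hash.get(unsalted_record(word), []):
            found[user] = word
    return found


def crack_salted(targets, wordlist):
    """Same attack on salted records: every candidate must be re-derived per
    user with that user's salt. Work = users x wordlist x iterations."""
    found = {}
    for user, rec in targets.items():
        for word in wordlist:
            if verify_salted(word, rec):
                found[user] = word
                break
    return found


if __name__ == "__main__":
    unsalted = {u: unsalted_record(p) for u, p in SAMPLE_USERS}
    print("alice and bob collide:", unsalted["alice"] == unsalted["bob"])
    print("cracked (unsalted):", crack_unsalted(unsalted, WORDLIST))
    salted = {u: salted_record(p, iterations=10_000) for u, p in SAMPLE_USERS}
    print("alice and bob collide:", salted["alice"] == salted["bob"])
    print("cracked (salted):", crack_salted(salted, WORDLIST))
```

Both attacks still recover "summer2022", which is the other half of the lesson: salting and stretching raise the cost per guess, they do not rescue a password that is in the attacker's wordlist.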

How long is a standard “good” password?
NIST SP 800-63B: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-63b.pdf
• Memorized secrets chosen by the user: at least 8 characters; verifiers should accept at least 64, and should screen new passwords against a blocklist of breached, dictionary and context-specific values rather than impose composition rules or periodic rotation

Microsoft Password Guidance: https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf

NIST SP 800-63B – Authenticator Assurance Levels (AAL) (further confuses things… 😐)
• AAL1: single-factor or multi-factor authentication
• AAL2: two distinct factors required (something you know plus something you have or are), using approved cryptography
• AAL3: a hardware-based cryptographic authenticator plus verifier-impersonation resistance
Same source: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-63b.pdf
Apparently, you can’t use Beefstew as a password… It’s not Stroganoff.

Type 2 Authentication: Something You Have
• Something you have requires that the user possess an object, and possession of that object is what proves the identity claim
• A token is an object that helps prove an identity claim
• Examples: car keys, credit cards, bank ATM cards, smartcards, hardware tokens, and paper documents
• Safeguarding the confidentiality and availability of the physical devices matters: a lost or stolen token locks its owner out and may let the thief in, which is why tokens are normally paired with a PIN

Homework: https://venturebeat.com/2022/05/05/passwordless-authentication/
Type 2 Authentication: Something You Have

Synchronous Dynamic Token


• Time or counters are synchronized with an authentication server.
• Implemented in hardware (RSA SecurID) and software
  (Google / Microsoft Authenticator).
• The authentication server computes the value it expects for the current time
  or count and compares it with the value the user submits.

Type 2 Authentication: Something You Have

Asynchronous Dynamic Token


• Not synchronized with a central server: nothing has to stay in step between the
  token and the server
• Most common variety is challenge-response tokens
• The system produces a challenge (a random value) as input for the token device
• The user manually enters the challenge into the device along with their PIN, and the
  device produces an output (a response computed from the challenge and the token’s secret)
• The response is then sent to the system, which computes the same value and compares
• Combining authentication factor types is recommended
• Using more than one factor type is referred to as strong authentication or
  multifactor authentication

Type 2 Authentication: Something You Have

Conditional MFA
• Dynamic, trusted-device authentication can both increase security and improve
  usability: a registered device on a known network may skip a step-up prompt, while
  an unknown device or location triggers one
• A key element of attribute-based access control (ABAC)
• Conditions are typically time- or location-based

Type 2 Authentication: Something You Have

SMS Authentication – Is it safe?

Homework: https://www.knowbe4.com/hubfs/KB4-11WaystoDefeat2FA-RogerGrimes.pdf and
https://blog.knowbe4.com/author/roger-grimes
Type 3 Authentication: Something You Are
• Something you are - biometrics, which uses physical characteristics as a
means of identification or authentication
• Biometrics may be used to establish an identity, or to authenticate
(prove an identity claim)
• Associated with the physical traits of an individual, it is more difficult for that
individual to forget, misplace, or otherwise lose control of the access capability
• Care should be given to ensure appropriate accuracy and to address any
privacy issues that may arise
• Should be reliable, and resistant to counterfeiting (e.g., liveness detection against a
  lifted fingerprint or a photograph)
• The stored representation of the biometric (the template) should be relatively small:
  1000 bytes or less is typical
Type 3 Authentication: Something You Are

Biometric Fairness, Psychological Comfort, & Safety


• Biometrics should not cause undue psychological stress to subjects, and
should not introduce unwarranted privacy issues
• Biometric controls must be usable by all staff, or compensating controls
must exist
• Potential exchange of bodily fluid is a serious negative for any biometric
control: this includes retina scans (where a user typically presses their eye
against an eyecup), and even fingerprint scanning (where many subjects
touch the same scanner)
• Fully passive controls, such as iris scans, may be preferable (there is no
exchange of bodily fluid)
Type 3 Authentication: Something You Are

Biometric Controls
• Fingerprints
• Hand Geometry
• Retina Scan
• Iris Scan
• Keyboard Dynamics
• Dynamic Signature
• Voice
• Facial Scan

Not really covered in the book. Still know them… (see last year’s slides)

Type 3 Authentication: Something You Are

Biometric Enrollment and Throughput


• Enrollment describes the process of registering with a biometric system:
creating an account for the first time
• Enrollment is a one-time process that should take 2 minutes or less.
• Challenge with remote workers
• Throughput describes the process of authenticating to a biometric system
• Also called the biometric system response time
• A typical throughput is 6-10 seconds

Type 3 Authentication: Something You Are

Biometric Accuracy
• Should be considered before implementing a biometric control program
• Three metrics are used to judge biometric accuracy:
• False Reject Rate (FRR),
• False Accept Rate (FAR),
• Crossover Error Rate (CER).

Type 3 Authentication: Something You Are

Biometric Accuracy / Access Control Errors


• False Reject Rate (FRR)
• An authorized subject is rejected by the biometric system as unauthorized
• Also called a Type I error
• Causes frustration for authorized users, lost work while access is denied, and the
  cost of revalidating or re-enrolling legitimate users
• False Accept Rate (FAR)
• An unauthorized subject is accepted as valid
• Risks an unauthorized user gaining access
• Also called a Type II error

Type 3 Authentication: Something You Are

Biometric Accuracy / Access Control Errors


Note: A false accept is worse than a false reject: most organizations would rather
reject an authentic subject than accept an impostor, so FARs (Type II errors) are
worse than FRRs (Type I errors). Two is greater than one, which will help you remember
that FAR is Type II, and that Type II is worse than Type I (FRR).
Over 40 minutiae points are usually collected and compared in a typical fingerprint scan.
Collecting fewer (ten or so) loosens the match: it lowers the FRR but raises the FAR, and
makes a counterfeit fingerprint more likely to pass.

Type 3 Authentication: Something You Are

Biometric Accuracy / Access Control Errors


Crossover Error Rate (CER)
• The point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal
• Also known as the Equal Error Rate (EER)
• The single number used to compare the overall accuracy of biometric systems:
  the lower the CER, the more accurate the system
• FRR and FAR trade off against each other through the matching threshold (sensitivity):
  tightening the threshold, so a closer match is required, raises the FRR and lowers
  the FAR; loosening it lowers the FRR and raises the FAR
• The CER is the threshold setting at which the two error curves cross
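Added example, not from the slides or the book: a small Python model of what the three metrics on the last few slides measure. The match scores are constructed sample data, not output from any real biometric system; the functions sweep the decision threshold, report FRR and FAR at each setting, and locate the CER.

```python
# Added example (not from the slides): what FRR, FAR and CER measure, on constructed
# match scores. A real system reports a similarity score per attempt and accepts when
# the score reaches a threshold; these two lists stand in for such a system's output.
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.80, 0.76, 0.72, 0.65, 0.60, 0.55, 0.45]   # 10 legitimate users
IMPOSTOR_SCORES = [0.10, 0.20, 0.30, 0.35, 0.42, 0.50, 0.58, 0.62, 0.70, 0.78]  # 10 impostors


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) at a threshold.
    FRR (Type I):  genuine users scored below the threshold and were rejected.
    FAR (Type II): impostors scored at or above it and were accepted."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return round(frr, 4), round(far, 4)


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every candidate threshold; return (threshold, CER) where FRR and FAR are
    closest to equal. Comparing systems by CER works because a lower CER means the two
    error curves cross lower, i.e. the system is more accurate overall."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, cer = best
    return threshold, round(cer, 4)


def tradeoff_table(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """FRR/FAR at a loose, a balanced and a tight threshold: raising the threshold pushes
    FRR up and FAR down; lowering it does the reverse. Neither direction is 'more accurate'."""
    return {t: error_rates(t, genuine, impostor) for t in (0.40, 0.62, 0.80)}


if __name__ == "__main__":
    for t, (frr, far) in tradeoff_table().items():
        print(f"threshold {t:.2f}: FRR={frr:.0%}  FAR={far:.0%}")
    threshold, cer = crossover_error_rate()
    print(f"CER = {cer:.0%} at threshold {threshold:.2f}")
```

With this data the loose threshold (0.40) rejects no genuine user but admits 60% of impostors, the tight one (0.80) admits no impostor but rejects 60% of genuine users, and the curves cross at 0.62 with a CER of 30%. That crossover, not either endpoint, is the number to quote when comparing two products.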

Manage Identification and Authentication of
People, Devices, and Services
Session Management
• A session is an exchange between communicating devices, such as a client and server
  exchanging information; after authentication, access is granted for the life of the
  session, so the session identifier is as sensitive as the credential itself
• Session security vulnerabilities
• Session hijacking – an attacker obtains a valid session ID (via MITM, XSS, or a
  predictable ID) and uses it as the victim
• Session sidejacking – capturing the session cookie on a shared network when it is
  sent in cleartext (a hijacking variant that never touches the server directly)
• Session fixation – the attacker plants a session ID that the victim then
  authenticates with; the defence is to issue a new ID on login
• Controls: long random IDs, Secure/HttpOnly cookies, ID regeneration on any privilege
  change, idle and absolute timeouts, server-side invalidation on logout
OWASP Session Management Best Practices -
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
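Added example (not from the slides or from OWASP): a server-side session store, in Python, that applies the controls the OWASP cheat sheet recommends against the three attacks above. SessionStore, session_cookie() and the timeout values are choices made for this example, not a framework’s API.

```python
# Added example (not from the slides or OWASP): a server-side session store applying the
# controls the OWASP cheat sheet recommends against the three attacks above. The class
# and function names and the timeout values are choices made here, not a framework's API.
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds without activity before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap on session age, even if it stays active


class SessionStore:
    def __init__(self):
        self._sessions = {}  # sid -> {"user", "created", "last_seen"}

    def create(self, now=None) -> str:
        """Anonymous (pre-login) session with a 256-bit random ID from the CSPRNG,
        so hijacking by guessing or predicting an ID is not feasible."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def login(self, sid: str, user: str, now=None) -> str:
        """On successful authentication issue a NEW ID and drop the old one. An attacker
        who planted the old ID (session fixation) is now holding a dead session."""
        now = time.time() if now is None else now
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "created": now, "last_seen": now}
        return new_sid

    def user_for(self, sid: str, now=None):
        """Resolve a session cookie to a user, enforcing both timeouts server-side."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            self._sessions.pop(sid)  # expired: a stolen ID stops working on its own
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # invalidate server-side, not just by clearing the cookie


def session_cookie(sid: str) -> str:
    """Set-Cookie value. Secure keeps the ID off plaintext HTTP (sidejacking), HttpOnly keeps
    it away from script (XSS-based hijacking), SameSite limits cross-site sending, and the
    __Host- prefix makes browsers require Secure and Path=/ with no Domain attribute."""
    return f"__Host-session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def fixation_scenario():
    """Attacker obtains a pre-login ID and tricks the victim into logging in with it.
    Returns (attacker_can_use_planted_id, victim_logged_in)."""
    store = SessionStore()
    planted = store.create(now=1000)                       # attacker fetched this ID first
    victim_sid = store.login(planted, "alice", now=1001)   # victim authenticates with it
    attacker_ok = store.user_for(planted, now=1002) is not None
    victim_ok = store.user_for(victim_sid, now=1002) == "alice"
    return attacker_ok, victim_ok
```

fixation_scenario() returns (False, True): the planted ID is dead after login, and only the fresh ID the server issued resolves to alice. The same rotation should run on any privilege change (role switch, password change), not only on login.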
Manage Identification and Authentication of
People, Devices, and Services

Access Control (new topic!)
And finally… we’re on to Access Control.

Review Chapter 3 – Fundamental Concepts of Security Models

Manage Identification and Authentication of
People, Devices, and Services
Centralized Access Control
• Concentrates access control in one logical point for a system or organization
• Can be used to provide Single Sign-On (SSO), where a subject authenticates once
  and then accesses multiple systems
• Can centrally provide the three “A’s” of access control:
  Authentication, Authorization, and Accountability
  • Authentication: proving an identity claim
  • Authorization: the actions an authenticated subject is allowed to take on a system
  • Accountability: the ability to audit a system and demonstrate the actions of subjects

Manage Identification and Authentication of
People, Devices, and Services
Decentralized Access Control
• Allows IT administration to occur closer to the mission and operations of the
organization
• Also called distributed access control
• Provides more local power: each site has control over its data
• The U.S. military uses decentralized access control in battlefield situations

Exam Warning - Do not get confused on the CISSP exam if asked about DAC
compared to decentralized access control. DAC stands for discretionary access
control. Decentralized access control will always be spelled out on the exam.
Manage Identification and Authentication of
People, Devices, and Services
Federated Identity Management (FIdM)

Question: Is it centralized or decentralized? Look at the context of the question.

Exam Warning – FIdM may also be called FIM.
Manage Identification and Authentication of
People, Devices, and Services
Registration, Proofing, and Establishment of Identity with Identity Management
(covered earlier)

Credential Management System (CMS)

Manage Identification and Authentication of
People, Devices, and Services

Single Sign-On (SSO)


• Allows multiple systems to use a central
Authentication Server (AS)
• Allows users to authenticate once, and then access
multiple, different systems
• Allows security administrators to add, change, or
revoke user privileges on one central system

Manage Identification and Authentication of
People, Devices, and Services

Single Sign-On (SSO)


As outlined in the IBM article, “Build and Implement a Single Sign-On Solution” by
Chris Dunne, September 30, 2003, SSO is an important access control and can offer
the following benefits:
• “Improved user productivity. Users are no longer bogged down by multiple logins, and they are
not required to remember multiple IDs and passwords. Also, support personnel answer fewer
requests to reset forgotten passwords.”
• “Improved developer productivity. SSO provides developers with a common authentication
framework. In fact, if the SSO mechanism is independent, then developers do not have to
worry about authentication at all. They can assume that once a request for an application is
accompanied by a username, then authentication has already taken place.”
• “Simplified administration. When applications participate in a single sign-on protocol, the
administration burden of managing user accounts is simplified. The degree of simplification
depends on the applications since SSO only deals with authentication. So, applications may
still require user-specific attributes (such as access privileges) to be set up.”

CONTROL PHYSICAL AND LOGICAL ACCESS TO ASSETS

Federated Identity with a Third-Party Service (new topic!)
Federated Identity Management (FIdM)
• A process that allows for the conveyance of identity and
authentication information across a set of networked systems.
(NIST Glossary)
• The establishment of a trusted relationship between separate
organizations and third parties, such as application vendors or
partners, allowing them to share identities and authenticate
users across domains. (Ping Identity)

Federated Identity with a Third-Party Service
Federated Identity Management (FIdM)
• Applies SSO on a wider scale: across organizations and domains
• A trusted identity provider vouches for digital identities to multiple
  organizations
• Microsoft Account, Google Account, Facebook, Twitter, etc.
• Protocols: SAML, OAuth, OpenID Connect, etc.
• SAML is an XML-based framework for exchanging security information, including
  authentication data. [More later]

FIdM and SSO are not synonymous: SSO is one authentication reused across systems, which
can happen entirely inside one organization; federation is trust between organizations.

Manage Identification and Authentication of
People, Devices, and Services

Practice Question
Which of the following statements about single sign -on
(SSO) is not true?
A. A user can sign on a system once and access other systems
without re-authentication
B. An SSO user account causes more serious impact then non -SSO
if breached
C. Systems require federation protocols to support SSO
D. A user can create multiple user accounts across systems that
support SSO

Federated Identity with a Third-Party Service
Identity as a Service (IDaaS)
• A cloud-based subscription model for IAM, where identity and access services are
  delivered over the internet by a third-party provider rather than deployed
  on-premises. (Ping Identity)
• Gartner divides IDaaS services into two categories:
  • Web access software for cloud-based applications such as software as a service
    (SaaS) and web-architected applications
  • Cloud-delivered legacy identity management services

Federated Identity with a Third-Party Service
Identity as a Service (IDaaS)
Risks
• Single point of failure
• Loss of control

Types
• On-prem – LDAP, Microsoft AD
• Cloud (cloud-native)
  • IAM broker
  • Just in time (JIT) provisioning
• Hybrid
  • Dual IAM implementation
  • Microsoft AD & Azure AD

Federated Identity
with a Third-Party
Service
• IdP = Identity Provider
• SP = Service Provider

Image Source:
https://www.pingidentity.com/en/resources/blog/posts/2021/sso-vs-federated-identity-management.html

Implement and Manage Authorization Mechanisms (new topic!)
(aka Access Control Models)
• Role-Based Access Control (RBAC)
• Rule-Based Access Control (RuBAC)
• Mandatory Access Control (MAC)
• Discretionary Access Control (DAC)
• Attribute-Based Access Control (ABAC)
• Risk-Based Access Control
• Do not think of one model being better than another.
• Each model is used for a specific information security purpose.
Implement and Manage Authorization Mechanisms
Role-Based Access Control (RBAC)
• Defines how information is accessed on a system based on the role of
the subject
• Subjects are grouped into roles and each defined role has access
permissions based upon the role, not the individual
• Keeps each role separate on the system and reduces the exposure of
more sensitive accounts
• RBAC is a type of non-discretionary access control because users do
not have discretion regarding the groups of objects they are allowed to
access, and are unable to transfer objects to other subjects
• See NIST: http://csrc.nist.gov/rbac and
  https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
Implement and Manage Authorization Mechanisms
Rule-Based Access Control (RuBAC)
• Based on a list of predefined rules to determine authorization
• Information systems often implement RuBAC via an access
control list (ACL)
• Implement the concepts of implicit and explicit permissions
• Content and Context-Dependent Access Controls

Implement and Manage Authorization Mechanisms
Mandatory Access Control (MAC) Models (see Chapter 3)
• System-enforced access control based on the subject’s clearance and the object’s label
• Subjects have clearances and objects have labels, such as confidential, secret, and
  top secret
• A subject may read an object only if the subject’s clearance is equal to or greater
  than the object’s label (no “read up”)
• Subjects cannot share objects with other subjects who lack the proper clearance, or
  “write down” objects to a lower classification level (such as from top secret to secret)
• Usually focused on preserving the confidentiality of data
• Expensive and difficult to implement: clearing users is an expensive process

Implement and Manage Authorization Mechanisms
Discretionary Access Control (DAC)
• Gives subjects full control of objects they have been given access
to, including sharing the objects with other subjects
• Subjects are empowered and control their data
• Standard UNIX and Windows operating systems use DAC for
filesystems
• If a subject makes a mistake, such as attaching the wrong file to an
email sent to a public mailing list, loss of confidentiality can result
• Mistakes and malicious acts can also lead to a loss of integrity or
availability of data

Implement and Manage Authorization Mechanisms
Attribute-Based Access Control (ABAC)
• Policy-based access control
• Combines attributes about the subject and evaluates them
against a policy to make an access control decision
• Examples: Time of day, Location
• Cyber example: Firewall rules
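Added example (not from the slides): the four models from the MAC, DAC, RBAC and ABAC slides above, each deciding requests in a few lines of Python so that the differences between them are visible side by side. The classification levels, roles, users and the ABAC policy are constructed for illustration and are not from any product.

```python
# Added example (not from the slides): the four models from the MAC, DAC, RBAC and ABAC
# slides deciding requests side by side. Levels, roles, users and the ABAC policy are
# constructed for illustration; the MAC rules are the slide's (no read up, no write down).
from datetime import datetime

# ---- MAC: the system enforces clearance vs. label; subjects cannot override it ----------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_allows(clearance: str, label: str, action: str) -> bool:
    s, o = LEVELS[clearance], LEVELS[label]
    if action == "read":
        return s >= o  # may read at or below own clearance (no read up)
    if action == "write":
        return s <= o  # may write at or above own clearance (no write down)
    raise ValueError(action)


# ---- DAC: the owner decides and may share, so a careless owner can leak data ------------
class DacObject:
    def __init__(self, owner: str):
        self.acl = {owner: {"read", "write", "share"}}

    def share(self, by: str, to: str, perms: set) -> None:
        if "share" not in self.acl.get(by, set()):
            raise PermissionError(f"{by} may not share this object")
        self.acl.setdefault(to, set()).update(perms)

    def allows(self, subject: str, action: str) -> bool:
        return action in self.acl.get(subject, set())


# ---- RBAC: permissions attach to roles; users are given roles, never permissions --------
ROLE_PERMISSIONS = {
    "clerk": {"ledger:read", "ledger:write"},
    "auditor": {"ledger:read", "audit-log:read"},
    "admin": {"user:create", "user:disable"},
}
USER_ROLES = {"alice": {"clerk"}, "bob": {"auditor"}, "carol": {"admin"}}


def rbac_allows(user: str, permission: str) -> bool:
    return any(permission in ROLE_PERMISSIONS[r] for r in USER_ROLES.get(user, set()))


# ---- ABAC: a policy evaluates attributes of subject, resource and environment -----------
def abac_allows(subject: dict, resource: dict, env: dict, action: str) -> bool:
    """Policy: staff may read records of their own department from an allowed country
    during business hours; writes additionally require the 'manager' attribute."""
    when = env["time"]
    in_hours = when.weekday() < 5 and 8 <= when.hour < 18
    same_dept = subject["department"] == resource["department"]
    trusted_place = env["country"] in resource["allowed_countries"]
    if not (same_dept and trusted_place and in_hours):
        return False
    return action == "read" or bool(subject.get("manager"))
```

Note who decides in each case: in MAC the comparison is fixed by the system and no subject can change it; in DAC the owner’s share() call is the whole policy, which is exactly how the wrong-attachment leak on the DAC slide happens; in RBAC changing what a clerk may do touches the role, not the user; in ABAC the same user is allowed at 10:00 and denied at 22:00 without any change to roles or ACLs.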

Implement and Manage Authorization Mechanisms
Risk-Based Access Control (sometimes also abbreviated RBAC; do not confuse it with
Role-Based Access Control)
• Dynamic access control using a variety of parameters to
determine authorization.
• Utilize a number of factors to dynamically define authentication
requirements.
• Integrate threat intelligence data and make dynamic
authentication decisions.
• Cyber example: IDS/IPS

Managing the Identity and Access Provisioning Lifecycle (new topic, continued from earlier)
Identity & Access Lifecycle (review from earlier)
• Provisioning
  • Requesting identity creation & approval process(es)
  • Begins before a subject attempts to access an object
• Deprovisioning
  • Temporary suspension
  • Disabling
  • Deleting

Identity & Access Lifecycle (review from earlier)
Account Access Review
• Include identifying what systems, data, and permissions a user is granted
• Cadence – How often
  • General user
  • Admins
  • System accounts
• Permission Creep
• Automate! (SOAR, SIRM)

• SOAR = Security Orchestration, Automation, and Response


Identity & Access Lifecycle
Deprovisioning Risks
• Hostile or involuntary circumstances include a staff member being let go at the
  company’s decision; access should be removed before or at the moment of notification.
• Friendly or voluntary circumstances include a staff member resigning or retiring and
  generally carry less risk.
• Job changes are treated by some high-security organizations the same as a hostile
  deprovisioning as an extra precaution: all old access is removed and the new role’s
  access is provisioned from scratch, which prevents permission creep.

• Beware of self-provisioning / deprovisioning…

Identity & Access Lifecycle
Privilege Escalation
• Temporary access
• Allows end-users to install / update approved software
as administrator
• Production Control - Break-the-glass process – Specific
users given access to production systems to update or
fix issues. Part of change control.
• Examples:
• Linux/Unix: sudo
• Windows: UAC

Implement Authentication Systems (new topic!)
Federated Identity Management (FIdM) &
Identity as a Service (IDaaS)
• Open Authorization (OAuth) / OpenID Connect
• Security Assertion Markup Language (SAML)
• Kerberos
• RADIUS / TACACS+

See 2021 Video for more information: https://youtu.be/G5YSeFYqKB8

Implement Authentication Systems
Open Authorization (OAuth)
An open protocol to allow secure authorization in a simple and standard method from
web, mobile and desktop applications. OAuth is a delegated-authorization framework, not
an authentication protocol: it tells an application what it may access, not who the user
is. OpenID Connect adds the authentication layer on top.

IETF RFC 6749 (https://datatracker.ietf.org/doc/html/rfc6749)
OAuth Community Site (https://oauth.net/)
OAuth 2.0 Simplified (https://www.oauth.com/)

Implement Authentication Systems
Open Authorization (OAuth)
Four key roles that systems in an OAuth deployment implement to exchange
authorization information:
• Resource owner: The entity that grants access to a protected resource, typically
  the end user whose data it is.
• Resource server: The server hosting the protected resource, which accepts and
  responds to requests that carry an access token.
• Client: The application making requests for access to protected resources on the
  resource owner’s behalf.
• Authorization server: The server that authenticates the resource owner, obtains its
  consent, and issues access tokens to clients; those tokens are what the resource
  server checks.

Implement Authentication Systems
OpenID Connect (OIDC)
• An authentication layer built on top of OAuth 2.0: the ID token (a signed JWT) tells
  the application who authenticated, which OAuth alone does not.
• Federates identity management and delivers an SSO-like experience
• Common on web applications that offer a choice of Identity Providers (Google,
  Facebook, Microsoft, etc.)

Key steps of OIDC authentication:
https://developer.okta.com/blog/2019/10/21/illustrated-guide-to-oauth-and-oidc
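Added example (not from the slides, from Okta, or from any provider): the OAuth 2.0 authorization-code flow with PKCE and the OpenID Connect ID token on top of it, in Python, with each of the four roles from the OAuth slide played by a small in-process class. Two assumptions are made for the demo: the ID token is HS256-signed with the client secret (OIDC permits this, though most providers use RS256 keys published at a JWKS URL), and the browser redirects are modelled as direct calls. The issuer and redirect URLs are hypothetical.

```python
# Added example (not from the slides, Okta or any provider): the OAuth 2.0 authorization-
# code flow with PKCE and the OpenID Connect ID token on top of it, each OAuth role played
# by a small in-process class. Assumed for the demo: the ID token is HS256-signed with the
# client secret (OIDC allows this; most providers use RS256 keys fetched from a JWKS URL).
import base64, hashlib, hmac, json, secrets

ISSUER = "https://idp.example"  # hypothetical issuer

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_sign(claims: dict, key: bytes) -> str:
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def jwt_verify(token: str, key: bytes) -> dict:
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))

class AuthorizationServer:
    """Authenticates the resource owner, issues single-use codes bound to client, redirect
    URI and PKCE challenge, then trades them for an access token and an ID token."""
    def __init__(self):
        self.clients, self.codes, self.access_tokens = {}, {}, {}

    def register(self, client_id, redirect_uri, client_secret):
        self.clients[client_id] = (redirect_uri, client_secret)

    def authorize(self, client_id, redirect_uri, code_challenge, nonce, user, now):
        # The resource owner has just logged in here (password, MFA, ...).
        if self.clients.get(client_id, (None,))[0] != redirect_uri:
            raise ValueError("unknown client or redirect_uri")  # blocks code theft via redirect
        code = secrets.token_urlsafe(32)
        self.codes[code] = dict(client=client_id, uri=redirect_uri, challenge=code_challenge,
                                nonce=nonce, sub=user, exp=now + 60)
        return code

    def token(self, client_id, code, redirect_uri, verifier, now):
        ctx = self.codes.pop(code, None)  # single use: a replayed code fails
        if ctx is None or (ctx["client"], ctx["uri"]) != (client_id, redirect_uri) or now > ctx["exp"]:
            raise ValueError("invalid code")
        if b64url(hashlib.sha256(verifier.encode()).digest()) != ctx["challenge"]:
            raise ValueError("PKCE check failed")  # redeemer did not start this flow
        access = secrets.token_urlsafe(32)
        self.access_tokens[access] = ctx["sub"]
        id_token = jwt_sign({"iss": ISSUER, "sub": ctx["sub"], "aud": client_id, "iat": now,
                             "exp": now + 300, "nonce": ctx["nonce"]}, self.clients[client_id][1])
        return {"access_token": access, "token_type": "Bearer", "id_token": id_token}

def resource_server_userinfo(auth_server, bearer):
    """Resource server role: serve the protected resource only for a token the AS issued."""
    sub = auth_server.access_tokens.get(bearer)
    if sub is None:
        raise PermissionError("invalid access token")
    return {"sub": sub}

class Client:
    """The relying party: keeps state (CSRF binding for the callback), the PKCE verifier
    and the OIDC nonce per login, and validates the ID token before trusting it."""
    def __init__(self, client_id, redirect_uri, client_secret, auth_server):
        self.client_id, self.redirect_uri, self.secret, self.as_ = client_id, redirect_uri, client_secret, auth_server

    def start_login(self):
        self.state, self.nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.verifier = secrets.token_urlsafe(32)  # 43+ characters, as PKCE requires
        challenge = b64url(hashlib.sha256(self.verifier.encode()).digest())
        return {"state": self.state, "code_challenge": challenge, "nonce": self.nonce}

    def callback(self, state, code, now):
        if not hmac.compare_digest(state, self.state):
            raise ValueError("state mismatch")  # response not tied to a flow we started
        tokens = self.as_.token(self.client_id, code, self.redirect_uri, self.verifier, now)
        claims = jwt_verify(tokens["id_token"], self.secret)
        if (claims["iss"], claims["aud"], claims["nonce"]) != (ISSUER, self.client_id, self.nonce) \
                or now >= claims["exp"]:
            raise ValueError("ID token rejected")
        return claims["sub"], tokens["access_token"]

def run_flow(user="alice", now=1_650_000_000):
    """Whole exchange: returns who the client learned logged in and what the API says."""
    idp, secret, uri = AuthorizationServer(), b"client-secret-constructed", "https://app.example/cb"
    idp.register("webapp", uri, secret)
    app = Client("webapp", uri, secret, idp)
    req = app.start_login()                                       # browser -> IdP /authorize
    code = idp.authorize("webapp", uri, req["code_challenge"], req["nonce"], user, now)
    sub, access = app.callback(req["state"], code, now + 1)      # browser -> app /cb -> IdP /token
    return sub, resource_server_userinfo(idp, access)["sub"]
```

The points the Okta guide makes are each a concrete check here: the code is bound to the registered redirect URI and is single-use, PKCE proves that whoever redeems it started the flow, state ties the callback to a login the client began, and the client validates iss, aud, nonce, exp and the signature before believing the ID token says who the user is.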
Implement Authentication Systems
Security Assertion Markup Language (SAML)
• An eXtensible Markup Language (XML)-based framework to format messages regarding
  identities, resources, and access information like authentication and authorization
• Current version: 2.0 (OASIS Standard)
• Three Roles:
  • User Agent (UA)
  • Service Provider (SP)
  • Identity Provider (IdP)

Implement Authentication Systems
Security Assertion Markup Language (SAML)
Four components:
• Assertions are the statements an IdP makes about a subject: authentication
  statements (who logged in, how, and when), attribute statements (name, e-mail,
  group membership), and authorization-decision statements.
• Protocols define the request-response message pairs the roles exchange, such as
  the Authentication Request protocol.
• Bindings map those protocol messages onto transports such as HTTP Redirect,
  HTTP POST, and simple object access protocol (SOAP), which carry the messages
  between roles.
• Profiles are the combination of assertions, protocols, and bindings in use for a
  specific use case, such as the Web Browser SSO Profile.
OASIS SAML v2.0 Standard (https://wiki.oasis-open.org/security/FrontPage)
Implement Authentication Systems
Kerberos
• A third-party authentication service that may be used to support
Single Sign-On
• Kerberos (https://web.mit.edu/kerberos/ ) was the name of the
three-headed dog that guarded the entrance to Hades (also
called Cerberus) in Greek mythology (and Harry Potter)
• The three heads of the mythical Kerberos were meant to signify
the three “A”s of AAA systems:
• authentication,
• authorization, and
• accountability
(Highly Testable)

Implement Authentication Systems
Kerberos
Kerberos FAQ (http://www.faqs.org/faqs/kerberos-faq/user/)
• Kerberos is a network authentication system for use on physically
insecure networks
• Based on the key distribution model presented by Needham and
Schroeder
• Allows entities communicating over networks to prove their identity
to each other while preventing eavesdropping or replay attacks
• Provides for data stream integrity (detection of modification) and
secrecy (preventing unauthorized reading) using cryptography systems
such as DES (Data Encryption Standard)


Implement Authentication Systems
Kerberos
• Uses secret key encryption
• Provides mutual authentication of both clients and servers
• Protects against network sniffing and replay attacks
• Current version of Kerberos is version 5, described by RFC 4120
(http://www.ietf.org/rfc/rfc4120.txt)
• Latest release: krb5-1.19.3, 14 Mar 2022 (as of this recording)


Implement Authentication Systems
Kerberos Components
• Principal: Client (user) or service
• Realm: A logical Kerberos network
• Authentication Server (AS): Authenticates principals
• Ticket: Data that authenticates a principal’s identity
• Credentials: a ticket and a service key
• KDC: Key Distribution Center, which authenticates principals
• TGS: Ticket Granting Service
• TGT: Ticket Granting Ticket
• C/S: Client Server, regarding communications between the two


Implement Authentication Systems
Kerberos
Strengths
• Provides mutual authentication of client and server
• If a rogue KDC pretended to be a real KDC, it would not have
access to keys
• Mitigates replay attacks (where attackers sniff Kerberos
credentials and replay them on the network) via the use of
timestamps

Weaknesses
• A compromise of the KDC (physical or electronic) can lead to the
compromise of every key in the Kerberos realm
• KDC and TGS are single points of failure: if they go down, no new
credentials can be issued
• Replay attacks
• Any user may request a session key for another user
• Kerberos does not mitigate a malicious local host: plaintext keys
may exist in memory or cache


Implement Authentication Systems
Remote Authentication Dial In User Service (RADIUS)
• Originally designed in the 1990s
• A third-party authentication system
• Uses the User Datagram Protocol (UDP) ports:
• 1812 (authentication) and
• 1813 (accounting)
• Specified in IETF RFC 2865,
https://datatracker.ietf.org/doc/html/rfc2865
(Evan talked about this last session, sooooooo….)


Implement Authentication Systems
Remote Authentication Dial In User Service (RADIUS)
• Request and response data is carried in Attribute Value Pairs (AVPs)
• According to RFC 2865 (http://tools.ietf.org/html/rfc2865),
RADIUS supports the following codes:
• Access-Request
• Access-Accept
• Access-Reject
• Accounting-Request
• Accounting-Response
• Access-Challenge
• Status-Server (experimental)
• Status-Client (experimental)


Implement Authentication Systems
Terminal Access Controller Access Control System
(TACACS+)
• Centralized access control system that requires users to send an ID and static
(reusable) password for authentication
• TACACS uses UDP port 49 (and may also use TCP)
• Reusable passwords are a security vulnerability: the improved TACACS+ provides
better password protection by allowing two-factor strong authentication
• TACACS+ is not backwards compatible with TACACS
• TACACS+ uses TCP port 49 for authentication with the TACACS+ server
• The actual function of authentication is similar to RADIUS
• RADIUS only encrypts the password (leaving other data, such as username,
unencrypted); TACACS+ encrypts all data below the TACACS+ header
• Specified in IETF RFC 8907 at datatracker.ietf.org/doc/html/rfc8907.
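An added example (not from the slides, RFC 2865 or any RADIUS implementation) that ties the RADIUS packet codes and AVPs listed on the earlier slide to the RADIUS vs TACACS+ point above: it builds an Access-Request in which User-Name travels in the clear and only User-Password is hidden with the RFC 2865 section 5.2 MD5/XOR scheme, then parses the packet back. The shared secret, username, password and authenticator values are constructed for the example.

```python
import hashlib
import os
import struct

# Packet codes from RFC 2865 (Status-Server/Status-Client are experimental).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 4: "Accounting-Request",
         5: "Accounting-Response", 11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client"}
USER_NAME, USER_PASSWORD = 1, 2  # attribute types, RFC 2865 section 5


def password_xor(data: bytes, secret: bytes, authenticator: bytes, hide: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block chains off the authenticator."""
    if hide:
        data += b"\x00" * (-len(data) % 16)  # pad plaintext to a multiple of 16
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = block if hide else data[i:i + 16]  # chain on the ciphertext block either way
        out += block
    return out if hide else out.rstrip(b"\x00")


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         identifier: int = 0, authenticator: bytes = b"") -> bytes:
    """Access-Request with User-Name sent in the clear and User-Password hidden."""
    authenticator = authenticator or os.urandom(16)  # 16-byte Request Authenticator
    avps = b""
    for attr_type, value in ((USER_NAME, username),
                             (USER_PASSWORD, password_xor(password, secret, authenticator, True))):
        avps += struct.pack("!BB", attr_type, 2 + len(value)) + value  # Type, Length, Value
    return struct.pack("!BBH", 1, identifier, 20 + len(avps)) + authenticator + avps


def parse_packet(packet: bytes) -> dict:
    """Decode the header and AVPs of a raw RADIUS packet, checking its length fields."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, offset = {}, 20
    while offset < length:
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError("malformed AVP")
        attrs[attr_type] = packet[offset + 2:offset + attr_len]
        offset += attr_len
    return {"code": CODES.get(code, f"Unknown({code})"), "id": identifier,
            "authenticator": packet[4:20], "attrs": attrs}
```

Parsing the packet without the shared secret still yields the username, which is exactly the exposure the slide contrasts with TACACS+ encrypting everything below its header.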


Implement Authentication Systems
Federated Identity Management (FIdM) &
Identity as a Service (IDaaS)
• Open Authorization (OAuth) / OpenID Connect
• Security Assertion Markup Language (SAML)
• Kerberos
• RADIUS / TACACS+

See 2021 Video for more information:
https://youtu.be/G5YSeFYqKB8


Bringing it home

https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-overview

DOMAIN 5: Identity and Access Management


YAY! 👍🏻 Another Domain done!

Topics:
• Control Physical and Logical Access to Assets
• Manage Identification and Authentication of People,
Devices, and Services
• Federated Identity
• Implement and Manage Authorization Mechanisms
• Manage the Identity and Access Lifecycle
• Implement Authentication Systems
pp. 377-418

Questions on Domain 5?

SESSION 8 - FIN
We made it!
Next Session (Monday, 16 May 2022) -
Domain 6 (Security Assessment & Testing)
• Design and Validate Assessment, Test, and Audit
Strategies
• Conduct Security Control Testing
• Collect Security Process Data
• Analyze Test Output and Generate Report
• Conduct or Facilitate Security Audits


Homework:
Review Domains 1-5.
Take practice tests.
Review at least two of the references we provided in this
class (download for later use).
Post at least one question/answer in the Slack Channel.

See you Monday!

WHOAMI
Ron Woerner, CISSP, CISM
• Chief Security Officer, Cyber-AAA
• Cybersecurity Professor, Bellevue University
https://linktr.ee/cyberron
https://www.linkedin.com/in/ronwoerner/
@ronw123
Hackers Wanted (TEDx Omaha)
