Time
48 minutes
Difficulty
Beginner

Video Description

Authentication and Account Management

Video Transcription

00:21
Hi. Welcome back to the all in one certification video. Siris on Mike Redmond, master trainer here to guide you through your successful journey of becoming a security plus certified professional. We're gonna walk through a variety of subjects like access control and encryption
00:37
all the way down to network security and hardening. The OS is
00:48
in this section will describe three types of authentication credentials. Explain what single sign on conduce. Oh, list the account management procedures for securing passwords and defined the trusted operating system.
01:07
The types of authenticating credentials Also known as what you know what you have or what you are or the factors of authenticating credentials. What you know, for instance, a combination to your health club locker. What you have a key fob or a lock to your car
01:26
and what you are. Facial characteristics. Rec time by the health club attendant.
01:41
What you know, passwords. User logging into a system as to identify themselves, uses it, entered the user name and then is asked to authenticate using a password.
01:53
Passwords air, the most common type of authentication today and passwords provide only weak protection in its total to the operating system and
02:04
network itself.
02:10
What makes passwords so weak are they're linked to human memory. Humans can only memorize a limited number of items long, complex passwords all the most effective. However, they are the hardest for humans to memorize.
02:27
Couple this with the fact that users have to remember passwords for many different accounts. It makes it more likely that the users will write down their passwords, ultimately rendering those passwords useless. Once discovered,
02:51
other weaknesses that humans often will take to help them remember passwords is they'll use common words or short passwords or even personal information. Often they will re use the same password for multiple accounts.
03:07
This makes it easier for an attacker who compromises one account
03:12
to gain access to many others.
03:16
When we look at the attacks on passwords, we start talking through social engineering, like fishing and and shoulder surfing, capturing using key loggers or protocol analyzers, Reset attacks. The attacker gains physical access to the computer and just simply resets the password and then
03:36
online guessing, or per often the known as brute force
03:44
Offline. Cracking of path words is a method used by most password attacks. Today, Attackers is steal a file with encrypted passwords and compare the encrypted passwords that they have created. This is using a subset of software called a Rainbow Table.
04:02
Offline cracking types are brute force. Every possible combination of letters, numbers and characters were used to create
04:11
encrypted passwords and then match them against the stolen file. This is extremely slow in somewhat cumbersome, But
04:18
with modern computers getting faster,
04:21
it does take a lot less time today than it did just a few short years ago.
04:30
Some of the parameters set for some of these automated brute force attack programs are password length of character sets, languages, different patterns and win to skip
04:44
dictionary attacks. On the other hand, or somewhat similar, but only a little bit different theater, Acker creates encrypted versions of
04:53
common dictionary words and then compares those common dictionary words against the stolen password file.
05:15
Next, you have the hybrid attack that's slightly altered from dictionary words adding numbers to the end of passwords, for instance, or spelling words backwards or slightly Miss Feld words, including special characters or special character substitution
05:30
that again brings us to rainbow tables. Large
05:34
pre generated data sets of encrypted passwords,
05:41
the basic steps for using a Rainbow Table is first to create the table. It's a chain of plain tax passwords. Encrypt the initial password and feed it into a function that produces different plane tax passwords and repeat for a set number of rounds.
06:01
Next, you'll just repeat, starting with its initial password until the original encryption is found. The password used at length federation is the cracked password. The rainbow table advantage over the other attack methods is
06:17
it can be used repeatedly. It's a much faster than the dictionary attacks in
06:21
uses less machine memory because it's a lot shorter key space.
06:30
So how do we defend against these? Well, first, it starts by creating strong passwords. Insight into how to create a strong password is gained by examining thes attack methods. Most passwords consist of root in the attachment prefix or subjects.
06:48
The attack program methods test passwords against 1000 common passwords, so the key is is to not use a common password, but a variable of such
07:06
since these common passwords, with comments suffixes are widely known and used. It uses 5000 common dictionary words 10,000 names 100,000 comprehensive dictionary words
07:20
using upper lower initial case in all uppercase and final character. Uppercase makes the comment substitution. CZ for letters in the dictionary words. For example, dollar signs for S and Thea Amber sign for a.
07:42
So that brings us to just the general observations to create a strong passwords. First, don't use dictionary words or phonic words. Don't use birthdays or family members or pet names, addresses or any personal information. Do not repeat characters or use sequences and
08:01
do not use short
08:03
passwords. There are many methods for managing all of these passwords. One important defense is to prevent attacker from obtaining the encrypted password file itself.
08:20
To do this, obviously, you should never leave your computer unlocked in unattended screensavers should be set to resume with a password and a password to protect the wrong BIOS is often recommended. Good password management practices include changing passwords frequency
08:39
and do not re use old
08:41
passwords that, at least not after it least a few it orations of expiration.
08:50
You should never write your password down, use unique passwords for each account and set up temporary passwords for another users access, for instance, and gassed at your house that needs to use your computer while they're visiting.
09:07
Do not allow computer animated sign on into your account. Do not
09:11
in her passwords on public access computers. And, of course, you should never enter a password while connected to an unencrypted wireless network.
09:26
Another method starting to catch on is to use non keyboard characters, these air generally created by holding down the altar key while typing a number on a numeric keypad. There are some passwords supplements, Of course. The problem is managing numerous strong passwords is extremely burdensome.
09:46
One solution is to rely
09:48
on technology to store and manage passwords for us
09:54
Internet Explorer and Firefox. Web browsers contain such supplement. It's a function that allows users to save passwords inside the browser. They will often auto complete a password, for instance, in Internet Explorer and encrypted and stored in the Windows Registry.
10:13
Now the disadvantage of passwords supplements is the password. Information specific to one computer
10:18
in the passwords are vulnerable. Live Another user is allowed access to that computer.
10:28
There are password management applications where users create in store passwords in a single user bolt, if you will. The file is then protected by one strong master password, password management application figures often include dragon drop capability, enhanced encryption and
10:48
in memory protection that prevents the OS cash from being exposed.
11:03
Next would be something that you have, like tokens or cart.
11:07
A token is a small device with the little window led display. It's sink with another authentication servers recall this a synchronous method synchronizing your clock. You press a button and a code is generated from a preset algorithm.
11:24
That code will change every 30 to 60 seconds. If you do not
11:30
enter the code at the long on, prompt to this system or the network within those 30 or 60 seconds, you will have to generate a new code.
11:45
These have marketed advantages over passwords. The token code changes frequently, and there is no reliance on the human to memorize the code it will be given toe. It's time the user presses the button on the TOKER. Attackers would have to crack the code within
12:05
the time limit
12:05
30 or 60 seconds. Or it all completely depends on the administrator and how they have set that numeric value.
12:22
Some additional advantages to tokens over passwords is
12:26
users may not know if their passwords have been stolen. If a token it's stolen. It's somewhat obvious there's something that they should have or have. Possession of that is missing some. Some of the token variations or some some some systems use token code on Lee, and users
12:43
use code in conjunction with the password rules. Call that multi factor authentication
12:50
and then some. Combined a pin with a token
12:58
Cards, like smart cards contain integrated circuit trips that hold information. Contact PAD allows the electronic access to the chips content. There are contact and contact lists cards. Contactless cards required. No physical access to the card.
13:16
Most federal and Deal D and organizations use what's called the CAC or the Comment access card.
13:24
It's a ball code. Magnetic strip has the barriers the bears picture on it as well as that Contact chip.
13:41
Next, what you are. Biometrics standard Biometrics uses person's unique physical characteristics for authentication. Fingerprint scanners is the most common type. They're also face hand and I characteristics that could be used.
14:00
Some of the fingerprint scanner types are static fingerprint scanner. It takes a picture and compares
14:05
with an image on file and dynamic fingerprint scanner uses a small slit or an opening on the device.
14:22
However, it's not without its disadvantages. Some of them the cost of hardware scanning devices and readers have some amount of error. We call those rejected authorized users or accepted unauthorized users.
14:39
There are also behavioral biometrics. These authenticate by normal actions. The user's perform, like he struck dynamics and voice recognition as well as computer footprint
14:52
with keystroke dynamics, attempts to recognizing users typing rhythm all users the type at a different pace. These often provide up to about 98% accuracy uses two types of typing variables. Dwell time and flight time.
15:11
The dwell time is the time it takes to
15:13
press and release a key. The flight time is the time between each keystroke itself.
15:28
Voice recognition. There are several characteristics that make up each person's voice and makes it unique. Ah, voice template that can be created. It's difficult for an attacker to authenticate using a recording of a user's voice, because the phonic cadences of putting words together is part of
15:48
rials
15:48
speech patterns
15:54
with computer foot printing. It relies on typical access patterns and geographic locations, or time of day access. Cognitive biometric relates to the perception through process and understanding of the users
16:12
with cognitive biometrics, it's easier for user to remember because it's based on a user's life experience. It's difficult for an attacker to imitate, for example, identifying specific faces or a user selects a memorable lifetime event and has asked for details about them,
16:33
the
16:33
addicted to become a key element off authentication in the future.
16:41
Next, we have single sign on a form of identity management
16:45
using a single authentication credential shared across multiple networks, also called a Federated Identity Management. When networks are owned by different organizations, you can think of this, for instance, as Expedia or Travelocity.
17:02
Single sign on holds promise to reduce the burden of user names and passwords to just one. We call it either a single point of failure or a single point of success, depending on your point of view.
17:22
One type of single sign on is the Windows Live I D, introduced in 1999 is dot net password. The name changed from Microsoft Password Network and then adopted as Windows Live ideas designed as a single sign on for Web calmer
17:41
the authentication process. This user simply enters a user name and password.
17:45
The user is given a time limited global cookie stored on the computer with an encrypted i d tag that I. D tag is then sent to the website.
18:00
Next, the website uses the I D tag for authentication. The website stores Encrypted Time limited local cookies on the user's computer Windows Live I D was not widely supported at its introduction, is currently used for authentication on
18:18
Windows Live office Live Xbox Live M s in other Microsoft Online service is
18:30
next. You have open idea. It's a decentralized, open source. Federated Information Management System does not require specific software to be installed on the desktop.
18:41
It is a girl based identity system. Open I D provides a means to provide the user's own with the Earl authentication process. For open I D. The user goes to a free side and given open idea account for me, not open i d dot com, for instance.
19:03
Next the user visits Web commerce or other site and signs in using his open i d. Their sight restricts users to open i d dot com, where he enters password toe authenticate than my open i d dot com sends him back to the website now fully authenticated
19:23
some of the security weaknesses, however, relies on D. N s, which may have as we've discussed, its own weaknesses, and it's not considered strong enough for most banking and e commerce websites.
19:41
Next, we have open authorization. This promise users to share resource is stored on one side with a second sight without affording authentication credentials. It allows seamless data sharing among sites it relies on. Token credentials replaces the need for the
20:00
transfer of users username and passwords. Tokens
20:03
are four specific resource is on that specific site and only good for a limited time period.
20:18
Managing user account passwords can be done by setting a password rules too cumbersome to manage on a user by user basis. The security risk of one user setting is often overlook the preferred approaches to assign privileges by group
20:37
Microsoft Windows Group password settings, for instance, are to set password policy settings and account lockout policies.
20:45
They include enforced password history, maximum password, age minimum password, age minimum password length passwords must meet complex requirements and store passwords. Using reversible encryption,
21:03
you can also select the account lockout durations, the account lockout threshold, for instance, three or 30 invalid attempts and reset account lockout counter after, for instance, 15 minutes.
21:22
Next, the trusted operating systems operating systems. Basic flaws are first size. Millions of lines of code make vulnerabilities difficult to recognize. One compromised application can impact an entire system.
21:40
Applications cannot authenticate themselves to each other.
21:42
They need the operating system to help do that. No trusted path between users and the applications and operating systems do not use the principle of Lise privilege. Once you have center circle access, you are God on that system.
22:06
The trusted computing system are trusted OS. The OSS is designed to be secure from the ground up.
22:14
It's designed to keep Attackers from accessing critical parts of the system and can prevent administrators from inadvertently making harmful changes. Vendors developing trusted operating systems focus on securing operating system components and other platform elements.
22:33
One of these approaches is a compartmentalized approach. Compartmentalize service's
22:40
within the trusted operating system for individual customers.
22:47
There you have it
22:48
pretty simple, right?
22:49
I told you. Itwas
22:52
I know it seems like a lot of information all at once. But remember, study hard
23:00
lots of practice questions,
23:02
and you will succeed.
23:04
You will become a security plus certified professional.
23:10
I'll see you next time

Access Control and Identity Management

In the Access Control and Identity Management Course taught by Michael Redman, students will get a thorough deep dive into authentication and access control fundamentals, focusing on Security+ exam objectives, which will help them pass the exam.

Instructed By

Instructor Profile Image
Michael Redman
Sr. ISSM at deciBel Research, Inc.
Instructor