Hello and welcome to Cybrary's CompTIA Certified Advanced Security Practitioner (CASP+) certification preparation course.
This is module number 10, and the title of this module is Identity Management.
Here are the objectives covered by module 10: implement authentication mechanisms, operate in a network trust architecture, participate in the identity management lifecycle, and implement access control. We will then close with a key takeaway titled Identity Management.
Now let's take a look at the learning objectives and the order in which they will be covered during this presentation. We begin by discussing single-factor and multifactor authentication, then single sign-on, and lastly device authentication.
Perhaps the best place to begin this presentation is with a pre-assessment quiz, and the question is as follows.
Which of the following factors is not used for network and infrastructure authentication? Is it A, something you have; B, something you are; C, something you know; or D, something you need?
If you selected D, you are absolutely correct: "something you need" is not an authentication factor.
So let's now turn our attention toward the topic of what exactly access control is.
Access control is basically granting or denying approval to use specific resources.
Physical access control consists of fencing, hardware door locks and mantraps to limit contact with devices.
Technical access control, on the other hand, consists of technology restrictions that limit users on computers from accessing data. There are four standard access control models, which we will be discussing during this presentation.
Access control enables an authorized person to control access to areas and resources in a given physical facility or computer-based information system.
A key part of access control is the identification and authentication of individuals. If you can't identify individuals, everyone is anonymous, and if everyone is anonymous there is no way to control access to different resources: either everyone has access or no one does.
The overall process is identification, authentication and authorization. The user professes an identity with a username and validates that identity by providing authentication information. An authentication system verifies the credentials, and then access controls such as permissions authorize the user to access resources such as files stored on a server. If these three steps do not come together, the user is not able to access resources protected by access control.
Now let's discuss what we call access control terminology.
Remember, we have identification, we have authentication and we have authorization. Let's take a look at one of these items listed here on this chart. Identification, in terms of the description, is a review of your credentials.
Consider this scenario: a delivery person shows an employee badge. For the computer process, the user enters their username. So again, these are some examples of the different access control terms.
Now it's time to take a look at the steps of access control.
Access control requires identification, as we mentioned earlier, authentication, and authorization.
Identification involves the process of presenting some type of credential; for example, a delivery driver presenting an employee badge.
Authentication is the process of checking those credentials; for example, examining the delivery driver's badge. Authorization involves granting permission to take action, and an excellent example would be allowing the delivery driver to pick up the package.
In the access control process you have a subject. For identification, the subject presents credentials to the system. For authentication, the system verifies and validates that the credentials are authentic. For authorization, permission to the allowed resource is granted.
When you present your identity to a system, the system wants you to prove that it is indeed you and not someone else. Authentication is the process of ascertaining that somebody really is who he or she claims to be. In other words, authentication verifies who you are. For example, you can log on to your Unix server using an SSH client, or access your email server using a POP3 or SMTP client. Usually you have what we call PAM, which stands for Pluggable Authentication Modules: PAM integrates low-level authentication schemes into a high-level application programming interface (API), which allows programs that rely on authentication to be written independently of the underlying authentication scheme.
Now let's take a look at exploring authentication. There are three factors of authentication that you need to be aware of, and they are as follows: something you know, something you have, and something you are.
Something you know (Type 1) includes knowledge such as passwords, a personal identification number (PIN), your mother's maiden name, or even personal information such as the name of your first pet.
Something you have (Type 2) includes items such as smart cards, hardware and software tokens, and proximity cards.
Something you are (Type 3) includes the use of biometrics such as fingerprints and retina scans.
Let's continue the discussion of exploring authentication with something you know. We are going to discuss this in a little more detail. Remember, something you know includes knowledge such as passwords, personal identification numbers, your mother's maiden name, or even personal information such as the name of your first pet.
The different password types are cognitive, dynamic, one-time, passphrase, and static. A cognitive password is data the user knows, such as a mother's maiden name or favorite color. A dynamic password changes upon each consecutive logon. A one-time password is only valid for a single use and is thereafter useless. A passphrase is a password based on a group of words or a phrase. A static password is a normal password, which is only changed on request.
One of the things you want to do from a proactive standpoint is to always use strong passwords, because with more of our private communication, financial transactions and healthcare information being stored online, the sensitivity of this information to users comes with serious security risks. A strong password policy is a front line of defense for confidential information. Administrators today play a more critical role than ever in educating users and ensuring they are aware of the security risks they face and that they need to use strong passwords as a first line of defense against scammers and hackers, and in enforcing this with password policies as well.
Continuing on with something you have: this includes items such as your smart cards, your hardware and software tokens, and your proximity cards.
A user typically authenticates to a website by entering a username, a password, and the number displayed on the token, which is sent to the authentication server. If the user enters the correct number, it proves that the user has the token; as long as the user also enters the correct username and password, this provides authentication.
As with smart cards, hardware tokens are typically used with another factor of authentication; in this example the user enters a password and the number displayed on the token.
Continuing on with software tokens and one-time passwords, first let's take a look at HOTP, the HMAC-based one-time password algorithm, which can be used to authenticate a user to a system and an authentication server.
Then we have TOTP, which stands for the time-based one-time password algorithm. This is an algorithm that computes a one-time password from a shared secret key and the current time. We also have One-time Passwords In Everything, or OPIE, which is another type of one-time password used in networks. And S/KEY is a one-time password system developed for authentication to Unix-like operating systems, especially from dumb terminals or untrusted public computers on which one does not want to type a long-term password. The user's real password is combined in an offline device with a short set of characters and a decrementing counter to form what we call a single-use password.
Then we come to something you are.
This includes the use of biometrics such as fingerprints and retina scans. Since people forget things and lose things, one might contemplate basing an authentication scheme for humans on something that the person is. After all, we recognize the people we interact with not because of some password protocol but because of how they look or how they sound: something they are.
Authentication based on something you are employs behavioral and physiological characteristics of the principal. These characteristics must be easily and accurately measurable, and preferably they should be things that are difficult to spoof. For example, we might use a retina scan, a fingerprint reader, a handprint reader, a voice print, keystroke timing, or a signature.
Now, for something you are, we have terms called the false acceptance rate and the false rejection rate. The false acceptance rate (FAR), also called a Type II error, refers to the percentage of times a biometric system falsely identifies an unknown user; instead of rejecting them, the system indicates that the user is a known user.
The false rejection rate (FRR), also called a Type I error, refers to the percentage of times a biometric system falsely rejects a known user; instead of accepting them, the system indicates that the user is unknown.
Then we have the crossover error rate (CER), also called the equal error rate (EER). The crossover error rate identifies the point where the false acceptance rate and the false rejection rate of a biometric system are equal, or cross over each other on the chart.
A lower crossover error rate indicates a better-performing biometric device.
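To make the FAR, FRR and crossover definitions concrete, here is an added Python example that is not from the lecture. It uses two small constructed lists of matcher similarity scores, one from genuine users and one from impostors, sweeps the acceptance threshold, and reports FAR (Type II) and FRR (Type I) at each threshold, the crossover (equal error) rate, and the threshold a high-security deployment would choose to hold FAR under a ceiling, along with the FRR cost that choice imposes.

```python
from typing import List, Tuple

# Constructed sample data: similarity scores (0..1, higher = closer match) from a
# hypothetical biometric matcher.  GENUINE are enrolled users presenting their own
# trait, IMPOSTOR are unknown people presenting theirs.  Not real measurements.
GENUINE = [0.95, 0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60, 0.40, 0.30]
IMPOSTOR = [0.05, 0.10, 0.15, 0.20, 0.25, 0.35, 0.45, 0.50, 0.55, 0.65]


def far(impostor: List[float], threshold: float) -> float:
    """False acceptance rate (Type II error): impostors at/above the threshold who get in."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine: List[float], threshold: float) -> float:
    """False rejection rate (Type I error): genuine users below the threshold who are turned away."""
    return sum(s < threshold for s in genuine) / len(genuine)


def error_curve(genuine: List[float], impostor: List[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) at every threshold where a decision can change."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def crossover_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Threshold where FAR and FRR are closest, and the CER/EER at that point.

    As the threshold rises FAR falls and FRR climbs, so the point where the two
    curves meet summarises the device in one number; lower is better.
    """
    t, a, r = min(error_curve(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


def threshold_for_max_far(genuine: List[float], impostor: List[float],
                          max_far: float) -> Tuple[float, float]:
    """Lowest threshold keeping FAR <= max_far, and the FRR (usability cost) paid for it."""
    for t, a, r in error_curve(genuine, impostor):
        if a <= max_far:
            return t, r
    raise ValueError("no threshold meets the FAR ceiling")


if __name__ == "__main__":
    for t, a, r in error_curve(GENUINE, IMPOSTOR):
        print(f"threshold {t:.2f}  FAR {a:.2f}  FRR {r:.2f}")
    print("CER at threshold %.2f: %.2f" % crossover_error_rate(GENUINE, IMPOSTOR))
    print("FAR<=0.10 -> threshold %.2f, FRR %.2f"
          % threshold_for_max_far(GENUINE, IMPOSTOR, 0.10))
```

Tightening the FAR ceiling to zero on this data pushes the threshold to 0.70 and the FRR to 0.40, which is the usability trade-off a high-security biometric deployment accepts.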
Then we come to multifactor authentication. You may ask, what in the world is multifactor authentication? Multifactor authentication is a security mechanism in which individuals are authenticated through more than one required security and validation procedure.
Multifactor authentication may be built from a combination of physical, logical and biometric validation techniques used to secure a facility, a product or a service. An example using two different types of factors might be typing a password and providing a thumbprint.
With multifactor authentication, you can also employ a smart card (something you have) and a PIN (something you know). You can also employ a fingerprint (something you are) and a password (something you know).
With hardware, you can also employ a hardware token, which is something you have, with a username and password, something you know.
This brings us to the term single-factor authentication.
Single-factor authentication is the simplest form of authentication mechanism or method. With single-factor authentication, a person matches one credential to verify himself or herself online. The most popular example of this would be a password credential for a username.
Most verification today uses this type of authentication.
Then we come to a term called Kerberos.
This protocol gets its name from the three-headed dog that guarded the gates of Hades in Greek mythology.
Kerberos is a network protocol that uses secret key cryptography to authenticate client-server applications.
Kerberos works with credentials: the client presents an encrypted ticket and an authenticator to the server, in sequence, to use the service. If the key and its timestamp are valid, the client-server communication continues. The ticket-granting server ticket is timestamped, which allows concurrent requests within an allotted time frame.
This protocol was developed by the Massachusetts Institute of Technology.
In this case, passwords are never sent across the network. It also provides single sign-on capabilities.
Some key points to remember: the primary way an attacker will attempt to compromise a Kerberos infrastructure is to attack the Kerberos server. An attacker may exploit outdated software in the infrastructure. Other methods of attacking a Kerberos infrastructure include replay attacks and password guessing attacks.
This brings us to single sign-on authentication.
The first thing we have is federated access. Federated access allows users in different networks to log on only once, even if they are accessing multiple systems. The systems can be different operating systems owned and managed by different organizations. For example, a company may have an intranet website used by employees that also includes links to outside websites.
The outside websites can be for employee financial services, such as 401(k) information, or insurance websites used to provide information on the employee health plan.
Then we have SAML, the Security Assertion Markup Language, which is an Extensible Markup Language (XML) based data format used for single sign-on on the internet. As an example, consider two websites hosted by two separate organizations.
Normally, a user would have to log on to each site separately. However, the organizations can use SAML as a federated identity management system. Users authenticate once with the first website and are not required to authenticate again when they access the second website. Many online banking sites utilize this process.
For example, a bank's site might have one service for accessing checking and savings accounts, another service for online bill paying, and another service for handling mortgages. With single sign-on, the user is able to log on to the primary bank site one time and then access all the services without logging on again.
Another thing we need to discuss here is SESAME, the Secure European System for Applications in a Multi-vendor Environment. This was created as an alternative to Kerberos in the European countries. However, with the improvements made to Kerberos, SESAME is rarely, if ever, used today.
We also have KryptoKnight, which was created by IBM. KryptoKnight is also considered an alternative to Kerberos, and it does not have as much network overhead as Kerberos. However, like SESAME, KryptoKnight is rarely used today.
Now when you look at exploring authentication, we have the terms centralized and decentralized authentication. Centralization of authority means that the power of planning and decision making is exclusively in the hands of top management; it alludes to the concentration of all power at the apex level.
For the pros, you have simplified user administration and standardized configuration across devices. For the cons, you have a single point of failure. Decentralization, on the other hand, refers to the dissemination of power by top management to the middle and lower levels of management; it is the delegation of authority at all levels of management.
A centralized access control system is based on the concept of all access control requests being directed to a central point of authentication. The central authentication system performs the authentication and then forwards the authorization data to the requesting system. This type of system allows for a single point of administration for the entire access control system.
This decreases administrative effort but also raises costs, as each computer system using centralized access control must be able to communicate with the central administration point at all times.
With decentralization, on the other hand, it is not always possible or desirable to have a single reference point for all access control requests. When the access control system is configured so that multiple authentication systems are responsible for access control requests for small groups of computer systems, it is considered to be a decentralized access control system.
This basically means that access control is not centralized to a single computer system or group of systems.
Some examples of this are a Windows workgroup, where every member of the workgroup handles access control, or a database system that handles its own authentication. These systems do not rely on other systems to perform access control for them.
Then we come to token-based access control. This is an authentication method that offers additional security.
Using this method, each user has a smart card or token that either displays a constantly changing password or passkey, or has a button that calculates a new password based on a challenge phrase.
Without this card or token, it is impossible to authenticate yourself to the system. This two-factor authentication provides additional security by requiring an attacker to both obtain the user's password and steal the smart card or token that is used to access the system.
Let us now turn our attention toward the discussion of exploring authentication for device authentication. Device authentication methods focus on hardware instead of a user. The goal is to prevent unauthorized devices from accessing your network. This has become increasingly important for organizations as users try to connect their mobile devices, such as smartphones and tablets, to the network.
Some organizations embrace bring-your-own-device (BYOD) policies, while other organizations attempt to block this activity due to the risks that it poses. There are seven steps to establishing a successful bring-your-own-device policy. Number one, specify what devices are permitted. Number two, establish a stringent security policy for all devices.
Number three, define a clear service policy for devices under the bring-your-own-device criteria. Number four, make it clear who owns what applications and data. Number five, decide what applications will be allowed or banned. Number six, integrate your bring-your-own-device policy plan with your acceptable use policy. And lastly, number seven, set up an employee exit strategy.
Let's now turn our attention toward the post-assessment question, and the question is as follows. Which of the following specifies what a subject is allowed to do after being identified and authenticated? Is it A, proofing; C, something you know; or D, authorization?
The correct response for this question is authorization.
During this presentation we briefly highlighted the topics of single-factor and multifactor authentication, as well as discussing single sign-on and, lastly, device authentication. In the upcoming presentation we will be discussing operating in a network trust architecture.
I look forward to seeing you in the very next video.