CompTIA Security+ 501 Summary Part 2

This is a summary of my notes on Chapter 2 of the CompTIA Security+ Get Certified Get Ahead by Darril Gibson, 5th Edition

Things to keep in mind:


  • CompTIA is releasing an updated version of the Security+ Exam in November 2020 so this edition will soon be outdated. 90% of the book will remain the same in accordance with the updated exam. New threats and cloud-computing technology will probably make up the majority of that new 10% of content.

  • Synthesizing paragraphs with a huge list of facts sometimes results in dreadful sentences. It also results in some streams of thought that end abruptly. Some notes cannot be digested any further and remain identical in this summary. In any case, these are just notes and not an essay.

  • Rights, Permissions, and Privileges are interchangeable. There are subtle differences depending on very specific context. Permissions can be what an action requires and a privilege can be whether an account can do that action.

  • Some things are repeated but this is simply to reinforce.


1. Authentication Management

You identify yourself with a username or email address and prove that identity through authentication, for example with a password. Authentication (username and password), authorization (access permissions), and accounting (logging) together form AAA, the basis of an access management system. Authentication can be broken down into factors. Something you know is one factor, such as a password or PIN. A 6-character password using only lowercase letters has about 308 million possibilities; a 10-character lowercase password has about 141 trillion. That sounds like a lot, but with today's techniques and computing power, password-cracking tools can try more than 20 billion passwords per second, so that lowercase 10-character password can be cracked in as little as two hours. Allow uppercase letters, numbers, and symbols in the same 10 characters and the possibilities rise to about 53 quintillion, which makes exhaustive cracking infeasible.
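As an added illustration (not from the book), the Python below computes the keyspace, entropy and worst-case exhaustion time for each password shape the paragraph describes, at the quoted 20 billion guesses per second; the 94-character mixed set (26 lowercase, 26 uppercase, 10 digits, 32 printable symbols) is my assumption for "uppercase, numbers, and symbols".

```python
import math
import string

# Character sets the chapter reasons about: lowercase only, or the full printable
# set of lower, upper, digits and symbols (26 + 26 + 10 + 32 = 94, an assumption).
LOWER = string.ascii_lowercase
FULL = string.ascii_lowercase + string.ascii_uppercase + string.digits + string.punctuation

# Cracking rate quoted in the chapter: more than 20 billion guesses per second.
GUESSES_PER_SECOND = 20_000_000_000


def keyspace(length, charset):
    """Number of distinct passwords of exactly `length` drawn from `charset`."""
    return len(set(charset)) ** length


def worst_case_seconds(length, charset, rate=GUESSES_PER_SECOND):
    """Seconds to exhaust the whole keyspace at `rate` guesses per second."""
    return keyspace(length, charset) / rate


def entropy_bits(length, charset):
    """Entropy of a uniformly random password: length times log2 of the set size."""
    return length * math.log2(len(set(charset)))


def human_time(seconds):
    """Render a duration in the largest convenient unit for a quick comparison."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for length, charset, label in [(6, LOWER, "6 lowercase"),
                                   (10, LOWER, "10 lowercase"),
                                   (10, FULL, "10 mixed")]:
        print(f"{label:>12}: {keyspace(length, charset):,} candidates, "
              f"{entropy_bits(length, charset):.1f} bits, "
              f"exhausted in {human_time(worst_case_seconds(length, charset))}")
```

Note that the mixed 10-character case works out to roughly 85 years of non-stop guessing at that rate, which is why the chapter calls it infeasible, while the lowercase case falls in under two hours.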

Passwords are best when they are easily remembered phrases rather than a chaotic mix of symbols and characters, because users remember phrases and forget the mixes. Resets caused by forgotten passwords lead to lower-quality passwords and therefore reduce security. An example of a good password would be something like usegooDP@ssw0rds. Users should reset their passwords often, at least every month. Automation helps keep this password-reset policy in place by letting users complete the reset through a self-service process. Another hardening technique is to keep a password history and block the last ten passwords used, forcing users to create a new, unique password every time. Account disablement policies define what to do with the accounts of employees who have left the company; disabling the account instead of deleting it ensures the data associated with it remains available. Time-of-day restrictions limit workers to their usual eight hours and prevent someone from logging in on a weekend, with nobody around, and possibly stealing data. Account expiration dates are useful for temporary contractors.
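The account policies in this paragraph (ten-password history, monthly reset, disablement, time-of-day restriction, expiration) as one added Python model; this is my own example, not the book's, and the work window, the timestamps and the PBKDF2 round count are constructed for the demo.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

HISTORY_DEPTH = 10                      # block reuse of the last ten passwords
MAX_PASSWORD_AGE = timedelta(days=30)   # reset at least every month
WORK_HOURS = range(9, 17)               # time-of-day restriction: 09:00 to 16:59
WORK_DAYS = range(0, 5)                 # Monday..Friday in weekday() numbering
PBKDF2_ROUNDS = 20_000                  # low for a quick demo; use far more in production
# Constructed timestamps for the demo (1 June 2020 is a Monday)
MONDAY_10 = datetime(2020, 6, 1, 10, 0)
TUESDAY_20 = datetime(2020, 6, 2, 20, 0)
SATURDAY_10 = datetime(2020, 6, 6, 10, 0)
MONTH_LATER = datetime(2020, 7, 2, 10, 0)   # a Thursday, 31 days on

def hash_password(password, salt):
    """Salted, slow hash so stored history entries cannot be reused directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class Account:
    def __init__(self, password, now, expires=None):
        self.expires = expires      # set for temporary contractors
        self.disabled = False       # disabled, not deleted, when an employee leaves
        self.history = []           # (salt, hash) of every password ever set
        self.set_password(password, now)

    def set_password(self, password, now):
        """Return False if the password matches one of the last HISTORY_DEPTH."""
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            if hmac.compare_digest(hash_password(password, salt), digest):
                return False
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))
        self.last_changed = now
        return True

    def login_allowed(self, now):
        """Apply the chapter's account policies; returns (allowed, reason)."""
        if self.disabled:
            return False, "account disabled"
        if self.expires is not None and now >= self.expires:
            return False, "account expired"
        if now.weekday() not in WORK_DAYS or now.hour not in WORK_HOURS:
            return False, "outside permitted hours"
        if now - self.last_changed > MAX_PASSWORD_AGE:
            return False, "password older than 30 days, reset required"
        return True, "ok"
```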

Account types include end-user accounts, privileged accounts, guest accounts, and service accounts. A common practice is for admins to use two accounts: one with the privileges required for administration and another for regular use.

Group Policy helps manage multiple users in a Windows domain. Administrators can set up Group Policy Objects (GPOs) and apply settings to a whole set of users at once instead of configuring each one individually; for example, they can set password policies and configure host-based firewalls. Active Directory Domain Services (AD DS) is what Windows admins use to manage domain networks. Group Policy is set up on a domain controller.

A Common Access Card (CAC) carries a picture of the user along with other information. Personal Identity Verification (PIV) cards are smart cards used by U.S. federal agencies. Both types provide confidentiality, integrity, authentication, and non-repudiation. Smart cards have embedded certificates used to produce encrypted digital signatures, and they provide dual-factor authentication. HMAC-based One-Time Password (HOTP) is the standard for creating one-time passwords, similar to the passwords produced by token generators such as RSA's; the password becomes invalid once used. A Time-based One-Time Password (TOTP) expires after a short period, giving the user a timed window in which to use the generated code. These are popular with game accounts, where a phone application shows the current password and a countdown timer. Both HOTP and TOTP are open source and therefore significantly cheaper than proprietary algorithms.

Where you are, your location, is another factor of authentication. Sometimes IP-range bans are put in place to block addresses that originate from specific countries. Something you are, your biometrics, is another factor, and the strongest of all, because your DNA, iris, fingerprint, face, and so on are unique to you. Facial recognition is more flexible when viewing through infrared. The crossover error rate (CER) measures the accuracy of a biometric system; lower CER values are better. Something you do is another factor, such as a hand gesture or drawing a picture.

All of these factors can be used in multi-factor authentication. The factors must be different to be considered multi-factor. Some common authentication issues include: terrible passwords, memory lapses, sweaty fingers that cause biometric errors, and a problem with the authentication service itself.

The acronym RBAC is used by CompTIA for both Rule-Based Access Control and Role-Based Access Control. Role-BAC manages user permissions using roles based on job function. A matrix is a document that matches job roles with the required privileges. Admins implement roles as groups or security groups: if you, as a user, are a member of a specific security group, you have all the rights assigned to that group. Rule-BAC is typified by an access control list. AWS S3 buckets use ACLs and policies in which rules are set for specific actions; an example would be a rule for data in transit that requires the data to be encrypted at all times or the action is denied. The rule triggers in response to an event.

A DAC or discretionary access control model is used in Windows to link objects with owners, or files with users. This is easily seen on a Linux-based system, where the permission rights on a single file are shown in a format such as rw (read and write). A SID or security identifier is a long string of characters represented by your typical username, similar to how a domain name represents an underlying IP address. Every object, file or folder, includes a discretionary access control list (DACL) that identifies who can access it. A DACL is a list of Access Control Entries (ACEs), each composed of a SID and the permissions granted to that SID.
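The DACL of ACEs just described, together with the earlier point that a security-group member inherits the group's rights, as one added Python access check (my example, not the book's): the caller's token carries its user SID plus its group SIDs, and the DACL is walked in order with deny entries taking precedence. The permission bits and the domain portion of the SIDs are constructed; only RID 513 (Domain Users) is a real well-known value.

```python
from dataclasses import dataclass, field

# Permission bits, loosely modelled on NTFS generic rights (constructed values)
READ, WRITE, EXECUTE = 1, 2, 4


@dataclass
class Ace:
    """One Access Control Entry: a SID plus the rights it allows or denies."""
    sid: str
    mask: int
    allow: bool


@dataclass
class Token:
    """Who is asking: the user's own SID plus every security group SID it holds."""
    user_sid: str
    group_sids: set = field(default_factory=set)

    def sids(self):
        return {self.user_sid} | self.group_sids


def access_check(dacl, token, requested):
    """Walk the DACL in order, Windows-style: a deny ACE matching any of the
    caller's SIDs on a right not yet granted wins outright; allow ACEs for the
    user or any of its groups accumulate until every requested bit is covered."""
    granted = 0
    for ace in dacl:
        if ace.sid not in token.sids():
            continue
        if not ace.allow and ace.mask & requested & ~granted:
            return False
        if ace.allow:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested   # unmatched bits (or an empty DACL) mean deny


# Constructed sample: the domain part of the SIDs is made up; RID 513 is Domain Users
DOMAIN = "S-1-5-21-1000-2000-3000"
SAMPLE_DACL = [
    Ace(f"{DOMAIN}-1104", WRITE, allow=False),          # explicit deny for one user
    Ace(f"{DOMAIN}-513", READ | EXECUTE, allow=True),   # Domain Users: read/execute
    Ace(f"{DOMAIN}-1107", READ | WRITE, allow=True),    # Editors group: read/write
]
ALICE = Token(f"{DOMAIN}-1103", {f"{DOMAIN}-513", f"{DOMAIN}-1107"})
BOB = Token(f"{DOMAIN}-1104", {f"{DOMAIN}-513", f"{DOMAIN}-1107"})
```

Bob is in the same Editors group as Alice, yet the deny ACE on his own SID still blocks his write, which is the behaviour to expect when troubleshooting a "member of the group but still denied" ticket.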

NTFS or New Technology File System is a common example of a DAC model in which admins restrict access to files. SELinux or Security-Enhanced Linux uses a Mandatory Access Control (MAC) model, as opposed to Windows and popular Linux systems, which use DAC. MAC makes use of sensitivity labels that classify levels of data and the clearances granted to individuals. ABAC or Attribute-Based Access Control models evaluate attributes and grant access based on the values of those attributes. The ABAC model is common in Software Defined Networks (SDN).

2. Authorization Management Systems

Windows Active Directory uses Kerberos, a network authentication mechanism. RFC is the acronym for Request for Comments. Kerberos uses symmetric key cryptography and requires a ticket-issuing method, time synchronization, and a database, Active Directory, that stores user information. A Key Distribution Center (KDC) issues Ticket-Granting Tickets (TGTs) and other tickets. It places user credentials in a ticket that is then used for accessing files on a file server: Kerberos looks up the user's credentials in its database and then uses the KDC to grant tickets to whoever is requesting access to specific files. Kerberos version 5 tightened its time-sync requirements by requiring all systems to be synchronized within five minutes of each other. Side note: this may or may not involve the NTP port. Each ticket is time-stamped before being issued, which negates replay attacks in which actors try to impersonate a client after intercepting a ticket, for example. The timestamp gives the actor the smallest possible time window to do any dirty deed and then denies them access after the ticket expires.
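A toy model of the ticket flow above, added here and not taken from the book or from any Kerberos implementation: the KDC seals a service ticket under the service's symmetric key, the client proves possession of the session key with a time-stamped authenticator, and the file server enforces the five-minute skew window, ticket expiry and a replay cache. HMAC over JSON stands in for Kerberos encryption, and the keys, names and clock values are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=5)        # Kerberos v5 clock tolerance from the chapter
TICKET_LIFETIME = timedelta(hours=8)
T0 = datetime(2020, 6, 1, 10, 0)       # constructed reference clock for the demo

def minutes_after(n):
    return T0 + timedelta(minutes=n)

def seal(key, fields):
    """Stand-in for Kerberos encryption: JSON body plus an HMAC under the shared key."""
    body = json.dumps(fields, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def unseal(key, blob):
    """Return the fields, or None if the tag fails (forged timestamp or client)."""
    body, _, tag = blob.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return json.loads(body) if hmac.compare_digest(tag, expected) else None

def kdc_issue(service_key, client, session_key, now):
    """KDC side: a service ticket only the service (holder of service_key) can open."""
    return seal(service_key, {"client": client, "session_key": session_key.hex(),
                              "expires": (now + TICKET_LIFETIME).isoformat()})

def client_authenticator(session_key, client, now):
    """Client side: proves possession of the session key with a fresh timestamp."""
    return seal(session_key, {"client": client, "time": now.isoformat()})

class FileServer:
    def __init__(self, service_key):
        self.key = service_key
        self.seen = set()   # (client, authenticator time) pairs already accepted

    def accept(self, ticket, authenticator, now):
        # Returns (True, client) or (False, reason) for one service request
        t = unseal(self.key, ticket)
        a = t and unseal(bytes.fromhex(t["session_key"]), authenticator)
        if not a:
            return False, "integrity check failed"
        if now > datetime.fromisoformat(t["expires"]):
            return False, "ticket expired"
        if abs(now - datetime.fromisoformat(a["time"])) > MAX_SKEW:
            return False, "clock skew beyond five minutes"
        if (a["client"], a["time"]) in self.seen:
            return False, "replayed authenticator"
        self.seen.add((a["client"], a["time"]))
        return True, t["client"]
```

The replay cache is what turns the timestamp into a real defence: within the five-minute window the timestamp alone would still let an intercepted authenticator be presented twice.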

New Technology LAN Manager (NTLM) is a suite of protocols that provides authentication, integrity, and confidentiality within Windows systems. It used MD4 to hash users' passwords, but since that has been cracked, both NTLM and MD4 are no longer used, and NTLMv2 comes into play. As a user attempts to log in, NTLMv2 creates an HMAC-MD5 hash composed of several pieces of information, including the user's password, which is first encrypted, and the computer's name. NTLM2 Session, an enhancement of NTLMv2, forces the client and the server to authenticate to each other.

LDAP or Lightweight Directory Access Protocol is the standard for talking to directories such as Active Directory and is based on an earlier standard called X.500. Think of LDAP as what HTTP is to a web server or SQL to a SQL database. Objects are identified with queries such as "UserAccount=User" and "DC=domainName". LDAP is encrypted using TLS.

SSO or Single Sign-On is the ability for a user to access multiple services and systems by logging in once. A great example of SSO is Okta, which provides a federated platform where users sign in once and are granted tokens for all the applications and services integrated into their account. So, for example, your Okta account might include your Microsoft account and Spotify account; when you log in to Okta, it automatically authenticates your logins to Microsoft and Spotify, so all you do is click on the application and you are granted access. Instead of logging in to each account separately, you only do it once. Okta can be considered an entity that applies the principle of least privilege because it only grants access to what you NEED and nothing else. Both Kerberos and LDAP make use of SSO.

Domains, logical groups of computers, within an LDAP-based network use transitive trust for SSO. Domains are placed in trees with a root domain, or parent, at the top and children below. Transitive trust is the direct relationship between parent and child, and trust flows upward. Two children become indirectly related through their connection to a single parent. For example, the root domain theotherpath.io might have two subdomains, or child domains, test.theotherpath.io and email.theotherpath.io. These two child domains share the resources of the root domain and are indirectly related to each other by each being directly related to theotherpath.io. If you are authenticated for theotherpath.io, you are also authenticated for the two child domains because of that upward flow of trust: if you are trusted by the root domain, all subdomains end up trusting you, and this enables SSO for that particular tree.

SAML or Security Assertion Markup Language is an Extensible Markup Language (XML) based data format used for SSO in web browsers. SAML is used by federated identity management systems; it is what the Okta example given earlier uses. Shibboleth is a popular open source SSO architecture that also uses SAML. OAuth is an open source framework used for authorization. Again, Okta is an OAuth 2.0 compliant federated identity management system that provides SSO through the use of SAML. An example of an OAuth 2.0 compliant transaction would be using PayPal to pay for an order on a clothing website: the website never truly interacts with your PayPal information and therefore cannot become a point of failure when it comes to credential security. OpenID Connect is a SAML re-write that is OAuth 2.0 compliant and allows clients to verify the identity of users without managing their credentials; the PayPal example illustrates this. More examples would include signing in to applications using your Facebook account.