Skip to content

Latest commit

 

History

History
79 lines (60 loc) · 2.56 KB

D4.md

File metadata and controls

79 lines (60 loc) · 2.56 KB

Authentication Factors

  • Something you know: Password, PIN, birth date
  • Something you are: Iris, retina, fingerprint, palm, voice
  • Something you do: Swipe, gait, signature
  • Somewhere you are: Location, London, Poland
  • Single factor: All from the same group
  • Dual factor: From more than one group

Federation Services

  • Third-party to third-party authentication
  • Uses extended attributes
  • SAML: XML-based
  • Shibboleth: Open source using cookies
  • RADIUS federation: Federation services connecting via wireless

AAA

  • RADIUS: UDP port 1812
  • RADIUS accounting port 1813
  • DIAMETER: Upgrade of RADIUS using EAP
  • TACACS+ - Cisco AAA: TCP port 49
  • RADIUS accounting: Logs and tracks users

Authentication Types

  • Kerberos: Uses tickets, prevents replay and pass-the-hash attacks
  • OAuth: Uses tokens
  • Federation services: Uses cookies
  • Open ID Connect: Uses a Facebook or Google account and needs OAuth
  • Context-aware: Based on location

Account Types

  • User: For employees
  • Service: For applications
  • Privileged: For service technicians and administrators
  • Generic/default: Change immediately
  • Identity: Smart card or username
  • Authentication: Password or PIN
  • Authorization: Access levels

Account Policy Enforcement

  • Password history: Prevents reuse of a password
  • Password length: The longer the better; increases the compute time for brute-force attacks
  • Complexity: Three from uppercase, lowercase, numbers, and special characters not used in programming
  • Account lockout: With low value prevents brute-force attacks
  • Account expiry: Required for the length of the employee's contract

Access Control Models

  • MAC: Based on classification, the owner gives classification and the administrator gives access
  • DAC: NTFS permissions
  • ABAC: Based on a user's attributes
  • Role-based access control: Subset of the department, a subset of duties
  • Rule-based access control: Applies to the whole organization

Physical Access Control

  • Smart cards
  • Proximity cards
  • Tokens
  • TOTP: Needs a device to display code

Biometrics

  • FAR: Allows unauthorized access
  • FRR: Prevents authorized access
  • CER: Where FAR and FRR are equal; low value shows working well

General Concepts

  • Least privilege: Allocates only the rights for the job role
  • Off-boarding: Claims back company equipment
  • Exit interview: Carried out by HR to determine the reason for leaving
  • Standard naming convention: Structure for new accounts, printers, and computers
  • Permission auditing and reviews: Ensures employees have the correct level of permissions