# Implement Identity and Account Types
## Identity Management Controls
- Certificates and smart cards
- Public key cryptography
- Subject is identified by a public key, wrapped in a digital certificate
- Private key must be kept secure
- Tokens
- Authorizations issued under single sign-on (SSO)
- Avoids the need for the user to authenticate to each service separately
- Identity Provider (IDP)
- provisions and manages accounts
- processes authentication
- Federated identity management
## Background Check and Onboarding Policies
- HR and personnel policies
- Recruitment
- Operation
- Termination/separation
- Background check
- Onboarding
- Welcome new people
- Account provisioning
- Issue credentials
- Asset allocation
- Training/policies
- NDAs
## Personnel Policies for Privilege Management
- Mitigate insider threat
- Separation of duties
- Standard operating procedures (SOPs)
- Share authority so that no single person can complete a sensitive task alone
- Least privilege
- Assign sufficient permissions only
- Reduce risk from compromised accounts
- Job rotation
- Distributes institutional knowledge and expertise
- Reduces critical dependencies
- Mandatory vacations
## Offboarding Policies
- Disable accounts
- Retrieve company assets
- Return personal assets
## Security Account Types and Credential Management
- Standard users
- Limited privileges
- Should not be able to change system config
- Restricted account profile
- Credential management policies for personnel
- Password policy
- Protect access to the account and prevent compromise
- Educate users on the risks of reusing credentials and of social engineering
- Guest accounts
- Account with no credentials (anonymous logon)
- Unauthenticated access to hosts and websites
- Must have very limited privileges or be disabled
## Security Group-Based Privileges
- User-assigned privileges
- Assigned directly to user accounts
- Unmanageable if the number of users is large
- Group-based
- Assign permissions to security groups and add users to those groups
- Issue: a user in several groups inherits the permissions of all of them, which can grant more than intended and is hard to audit
## Administrator/Root Accounts
- Privileged administrative accounts
- Change sys config
- Generic admin/root/superuser
- Key target for attackers
- Often disabled or usage restricted
![[Pasted image 20230630084410.png]]
## Shared/Generic/Device Accounts and Credentials
- Shared account
- Credentials are known to more than one person
- Generic account
- Accounts created by default on OS install
- Often the only account available to manage a device
- May still use the default password
- Risks from shared and generic accounts
- Breaks the principle of non-repudiation (actions cannot be tied to one person)
- Difficult to keep the credential secure (cannot be rotated every time one holder leaves)
- Credential policies for devices
- Privileged access management (PAM) software
## Secure Shell Keys and 3rd Party Credentials
- SSH used for remote access
- Host key identifies the server
- user key pair used to authenticate to server
- Server holds a copy of each valid user's public key (`~/.ssh/authorized_keys`)
- Keys must be actively managed (inventory, owner, rotation, removal at offboarding)
- 3rd party credentials
- Passwords and keys (API keys, access tokens) used to manage cloud services
- Highly vulnerable to accidental disclosure (e.g., committed to a source repository)
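Key management starts with knowing what is in `authorized_keys`. The script below is an added example (not from the original notes): it parses an authorized_keys file into type, size, options, comment and SHA256 fingerprint, then applies a few review checks. The sample file, the policy thresholds (`MIN_RSA_BITS`, the `from=` requirement) and the key blobs are constructed; the blobs are synthesised wire-format structures, not real keys.

```python
"""Inventory an OpenSSH authorized_keys file and flag entries a key-management
review would question. Added example: sample data and thresholds are constructed."""

import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 3072  # assumed policy threshold


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _read_string(blob, off):
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n


def synth_blob(key_type, *fields):
    """Wire-format public-key blob from raw fields (sample data only, not a real key)."""
    return b"".join(_ssh_string(f) for f in (key_type.encode(),) + fields)


def fingerprint(blob):
    """SHA256 fingerprint as printed by `ssh-keygen -lf` (base64, no padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).rstrip(b"=").decode("ascii")


def key_bits(key_type, blob):
    """RSA: bit length of modulus n (blob = type, mpint e, mpint n). Ed25519: 256."""
    if key_type == "ssh-rsa":
        _, off = _read_string(blob, 0)
        _, off = _read_string(blob, off)   # public exponent e
        n, _ = _read_string(blob, off)     # modulus n, may carry a leading 0x00
        return int.from_bytes(n, "big").bit_length()
    return 256 if key_type == "ssh-ed25519" else None


def _split_first_field(line):
    """Split off the first field; double quotes keep an options field together."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_authorized_keys(text):
    """Parse '[options] type base64 [comment]' lines into dicts."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first, rest = _split_first_field(line)
        if first in KEY_TYPES:
            options, key_type = "", first
        else:
            options = first
            key_type, rest = _split_first_field(rest)
        b64, comment = _split_first_field(rest)
        blob = base64.b64decode(b64)
        if _read_string(blob, 0)[0].decode("ascii", "replace") != key_type:
            raise ValueError(f"line {lineno}: key type does not match blob")
        entries.append({"line": lineno, "options": options, "type": key_type,
                        "bits": key_bits(key_type, blob), "comment": comment,
                        "fingerprint": fingerprint(blob)})
    return entries


def policy_findings(entry):
    """Checks a key-management review would apply (thresholds are assumptions)."""
    findings = []
    if entry["type"] == "ssh-dss":
        findings.append("ssh-dss (DSA) is deprecated; OpenSSH disables it by default")
    if entry["type"] == "ssh-rsa" and entry["bits"] < MIN_RSA_BITS:
        findings.append(f"ssh-rsa key is {entry['bits']} bits, below {MIN_RSA_BITS}")
    if not entry["comment"]:
        findings.append("no comment identifying the key's owner")
    if "from=" not in entry["options"]:
        findings.append("no from= source restriction")
    return findings


# Constructed sample file; blobs are synthesised above and are not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# managed by config-management",
    'from="10.0.0.0/8",no-agent-forwarding ssh-ed25519 '
    + base64.b64encode(synth_blob("ssh-ed25519", b"\x01" * 32)).decode() + " deploy@ci",
    "ssh-rsa " + base64.b64encode(synth_blob("ssh-rsa", b"\x01\x00\x01",
                                             b"\x00" + b"\xff" * 128)).decode() + " alice@laptop",
    "ssh-dss " + base64.b64encode(synth_blob("ssh-dss", b"\x00" * 4)).decode(),
    "",
])

if __name__ == "__main__":
    for e in parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(e["type"], e["bits"], e["fingerprint"], e["comment"] or "(no comment)")
        for finding in policy_findings(e):
            print("   !", finding)
```

The fingerprint matches what `ssh-keygen -lf` prints, so the inventory can be reconciled against a central key register; the `from=` check is the kind of restriction that turns a bare key into a managed credential.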
# Implement Account Policies
![[Pasted image 20230630084910.png]]
![[Pasted image 20230630084923.png]]
## Account Restrictions
- Network Location
- Connecting from a VLAN or IP subnet/remote IP
- Connecting to a machine type or group
- Interactive vs remote logon
- Geolocation
- By IP address
- By location services
- Geofencing
- Geotagging
- Time-based restrictions
- Logon hours
- Logon duration
- Impossible travel time/risky login
- e.g. a logon from Texas followed 10 minutes later by a logon from California
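The impossible-travel check is simple to implement once each logon is tagged with a location: compute the great-circle distance between consecutive logons of the same user and compare the implied speed against what a traveller could plausibly manage. The block below is an added example (not from the original notes); the coordinates, timestamps, source IPs and the 900 km/h threshold are constructed, and in practice the coordinates would come from a GeoIP lookup of the source address.

```python
"""Impossible-travel detection over a constructed sequence of logon events.
Added example; events and the speed threshold are assumptions."""

from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed; assumed policy threshold


@dataclass
class Logon:
    user: str
    when: datetime
    lat: float
    lon: float
    source_ip: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, earlier, later, implied_kmh) for every consecutive pair of
    logons by the same user whose implied speed exceeds max_kmh."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_user.setdefault(ev.user, []).append(ev)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < 1.0:          # same city / same ISP egress: ignore jitter
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600
            if hours <= 0:          # two places at the same instant
                findings.append((user, prev, cur, float("inf")))
                continue
            speed = dist / hours
            if speed > max_kmh:
                findings.append((user, prev, cur, speed))
    return findings


# Constructed events; coordinates are approximate city centres.
SAMPLE_LOGONS = [
    Logon("alice", datetime(2023, 6, 30, 9, 0), 30.267, -97.743, "198.51.100.7"),    # Austin, TX
    Logon("alice", datetime(2023, 6, 30, 9, 10), 34.052, -118.244, "203.0.113.9"),   # Los Angeles, CA
    Logon("bob", datetime(2023, 6, 30, 9, 0), 30.267, -97.743, "198.51.100.7"),      # Austin, TX
    Logon("bob", datetime(2023, 6, 30, 12, 0), 32.776, -96.797, "198.51.100.22"),    # Dallas, TX
]

if __name__ == "__main__":
    for user, a, b, kmh in impossible_travel(SAMPLE_LOGONS):
        print(f"{user}: {a.source_ip} -> {b.source_ip} in "
              f"{(b.when - a.when).total_seconds() / 60:.0f} min implies {kmh:.0f} km/h")
```

Alice's Austin-to-Los Angeles pair (about 1,970 km in 10 minutes) is flagged; Bob's Austin-to-Dallas drive three hours later is not. Expect false positives from VPN egress points and mobile carrier NAT, which is why such a hit is usually treated as a risky sign-in requiring step-up authentication rather than an automatic lockout.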
## Account Audits
- Looking at security logs for accounts
- Event Viewer (Windows)
- Recertification
- Monitoring use of privileges
- Granting/revoking privileges
- Communication between IT and HR
## Account Permissions
- Impact of improperly configured accounts
- Insufficient Permissions
- Unnecessary permissions
- Escalating and revoking privileges
- Permission auditing tools
## Usage Audits
- Account logon and management events
- Process creation
- Object access (file system / file shares)
- Changes to audit policy
- Changes to system security and integrity (anti-virus, host firewall, and so on)
## Account Lockout and Disablement
- Lockout
- Logon is prevented for a set duration, after which the account automatically re-enables
- Typically triggered by too many failed logon attempts (lockout threshold)
- Disablement
- Does not automatically re-enable
- An administrator must manually re-enable the account
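The difference between the two states is easiest to see as a state machine. The block below is an added example (not from the original notes) that models a lockout policy of 5 failures within 15 minutes causing a 30-minute lockout, alongside an administrative disable; those numbers are assumptions and correspond to the Windows "Account lockout threshold", "Reset account lockout counter after" and "Account lockout duration" settings.

```python
"""Account lockout versus disablement as a small state machine driven by
constructed logon attempts. Added example; policy values are assumptions."""

from datetime import datetime, timedelta

T0 = datetime(2023, 6, 30, 8, 0)   # constructed reference time for the scenarios


class Account:
    def __init__(self, threshold=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=30)):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = []         # timestamps of recent failed attempts
        self.locked_until = None   # lockout: expires on its own
        self.disabled = False      # disablement: cleared only by an administrator

    def disable(self):
        self.disabled = True

    def enable(self):
        """Administrative re-enable; also clears any lockout and failure history."""
        self.disabled = False
        self.locked_until = None
        self.failures.clear()

    def attempt(self, when, password_ok):
        """Process one logon attempt at time `when` and return the outcome."""
        if self.disabled:
            return "disabled"                 # never recovers by itself
        if self.locked_until is not None:
            if when < self.locked_until:
                return "locked"               # even a correct password is refused
            self.locked_until = None          # duration elapsed: auto re-enabled
            self.failures.clear()
        if password_ok:
            self.failures.clear()
            return "success"
        # keep only failures inside the observation window, then count this one
        self.failures = [t for t in self.failures if when - t <= self.window]
        self.failures.append(when)
        if len(self.failures) >= self.threshold:
            self.locked_until = when + self.lockout
            return "locked_out_now"
        return "failure"


def run_scenario(steps, **policy):
    """steps: ('attempt', minutes_after_T0, password_ok), ('disable',), ('enable',).
    Returns the outcome of each attempt in order."""
    acct = Account(**policy)
    outcomes = []
    for step in steps:
        if step[0] == "attempt":
            outcomes.append(acct.attempt(T0 + timedelta(minutes=step[1]), step[2]))
        elif step[0] == "disable":
            acct.disable()
        elif step[0] == "enable":
            acct.enable()
    return outcomes


if __name__ == "__main__":
    brute_force = [("attempt", m, False) for m in range(5)]
    print(run_scenario(brute_force + [("attempt", 10, True), ("attempt", 41, True)]))
```

Note the trade-off the lockout branch creates: an attacker who knows a username can lock the legitimate user out by deliberately failing, so lockout thresholds are paired with monitoring and, for high-value accounts, with MFA rather than ever-stricter counters.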
# Implement Authorization Solutions
## File System Security
- **ACL (Access Control List)**: the list of permissions attached to a resource
- **ACE (Access Control Entry)**: one entry in an ACL (a subject plus the permissions it is allowed or denied)
- File system support
- Linux permissions and `chmod`
- Symbolic: `[ugoa][+-=][rwx]`, e.g. `# chmod o-rwx /etc/nixos` (remove all world access)
- rwx (read / write / execute)
- USER / GROUP / WORLD (owner / owning group / everyone else)
- Octal
- r=4
- w=2
- x=1
- e.g. `750` = `rwxr-x---` (owner 4+2+1, group 4+1, world 0)
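Converting between the symbolic and octal forms, and applying `chmod`-style operations, is a good way to check your reading of a mode. The block below is an added example (not from the original notes) covering the `[ugoa][+-=][rwx]` subset; it deliberately leaves out setuid/setgid/sticky bits and the umask handling that real `chmod` applies when no `who` is given.

```python
"""Symbolic <-> octal Linux permission modes and chmod-style symbolic operations.
Added example covering the [ugoa][+-=][rwx] subset only."""

BITS = {"r": 4, "w": 2, "x": 1}
WHO_SHIFT = {"u": 6, "g": 3, "o": 0}   # owner, group, world triads


def symbolic_to_octal(sym):
    """'rwxr-x---' -> 0o750; a leading file-type character ('-', 'd') is accepted."""
    if len(sym) == 10:
        sym = sym[1:]
    if len(sym) != 9:
        raise ValueError("expected 9 permission characters")
    mode = 0
    for i, ch in enumerate(sym):
        expected = "rwx"[i % 3]
        if ch == expected:
            mode |= BITS[ch] << (6 - 3 * (i // 3))
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return mode


def octal_to_symbolic(mode):
    """0o640 -> 'rw-r-----'."""
    triads = []
    for shift in (6, 3, 0):
        triad = (mode >> shift) & 7
        triads.append("".join(ch if triad & BITS[ch] else "-" for ch in "rwx"))
    return "".join(triads)


def apply_symbolic(mode, spec):
    """Apply a chmod spec such as 'u+x,go-w' or 'o=' to an octal mode."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who = clause[:i] or "a"              # no who given: apply to all
        if i >= len(clause) or clause[i] not in "+-=":
            raise ValueError(f"bad clause {clause!r}")
        op, perms = clause[i], clause[i + 1:]
        if any(p not in BITS for p in perms):
            raise ValueError(f"bad permission letters in {clause!r}")
        bits = sum(BITS[p] for p in perms)
        for w in ("ugo" if "a" in who else who):
            shift = WHO_SHIFT[w]
            if op == "+":
                mode |= bits << shift
            elif op == "-":
                mode &= ~(bits << shift)
            else:                             # '=' replaces the whole triad
                mode = (mode & ~(7 << shift)) | (bits << shift)
    return mode & 0o777


if __name__ == "__main__":
    start = symbolic_to_octal("rw-r--r--")
    hardened = apply_symbolic(start, "o-rwx")
    print(oct(start), "->", oct(hardened), octal_to_symbolic(hardened))
```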
## Discretionary and Role-Based Access Control
- **Discretionary Access Control (DAC)**
- Based on resource ownership
- ACLs
- Vulnerable to compromised owner/privileged accounts, since the owner can change the ACL
- Owner sets the permissions
- **Role-Based Access Control (RBAC)**
- Access based on role
- more centralized control
## Rule-Based Access Control
- Non-discretionary
- System determines rules, not users
- Conditional access
- Continual authentication
- User account control (UAC)
- Privileged access management
- Policies, procedures, and technical controls to prevent the malicious abuse of privileged accounts
![[Pasted image 20230630090023.png]]
## Mandatory and Attribute-Based Access Control
- Users cannot set permissions themselves; the system enforces a fixed policy
- **Mandatory Access Control (MAC)**
- Labels and clearance
- System policies to restrict access
- **Attribute-Based Access Control (ABAC)**
- Access decisions based on a combination of subject and object attributes plus context-sensitive or system-wide attributes
- Conditional access
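The access-control models above, and the group-inheritance issue from the Security Group-Based Privileges section, can be shown together in one small policy engine: group/role membership decides which permissions a subject holds (and a user in several groups accumulates all of them), while rule- and attribute-based conditions on the request context are applied on top and cannot be waived by any subject, administrators included. The block below is an added example (not from the original notes); the roles, users, corporate network range and conditions are constructed.

```python
"""Group/role-based grants with attribute/rule-based conditions layered on top.
Added example; roles, users, networks and conditions are constructed."""

import ipaddress
from datetime import datetime

# Group/role-based: permissions attach to roles, users are members of roles.
ROLE_PERMISSIONS = {
    "helpdesk":      {"ticket:read", "ticket:write", "user:reset_password"},
    "finance":       {"ledger:read"},
    "finance-admin": {"ledger:read", "ledger:write"},
    "domain-admin":  {"*"},
}
USER_ROLES = {
    "alice": {"helpdesk", "finance"},
    "bob":   {"finance-admin"},
    "carol": {"domain-admin"},
}
CORPORATE_NETWORK = ipaddress.ip_network("10.0.0.0/8")

# Constructed request times (30 June 2023 is a Friday).
BUSINESS_HOURS = datetime(2023, 6, 30, 10, 0)
AFTER_HOURS = datetime(2023, 6, 30, 22, 0)


def effective_permissions(user):
    """Union of the permissions of every role the user belongs to. This union is
    the multiple-inheritance problem: alice holds ledger:read via 'finance' on
    top of her helpdesk rights, and an audit of either role alone misses it."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def role_allows(user, permission):
    perms = effective_permissions(user)
    return "*" in perms or permission in perms


# Rule-based / attribute-based conditions evaluated against the request context.
def within_business_hours(ctx):
    t = ctx["time"]
    return t.weekday() < 5 and 8 <= t.hour < 18


def from_corporate_network(ctx):
    return ipaddress.ip_address(ctx["source_ip"]) in CORPORATE_NETWORK


def device_compliant(ctx):
    return bool(ctx.get("device_compliant"))


# ABAC policy: permission -> conditions that must all hold. Non-discretionary:
# it applies to every subject, and no subject can change or waive it.
ABAC_RULES = {
    "ledger:write":        [within_business_hours, from_corporate_network, device_compliant],
    "ledger:read":         [device_compliant],
    "user:reset_password": [from_corporate_network],
}


def authorize(user, permission, ctx):
    """Return (allowed, reason). The role grant is necessary but not sufficient."""
    if not role_allows(user, permission):
        return False, "no role grants this permission"
    for cond in ABAC_RULES.get(permission, []):
        if not cond(ctx):
            return False, f"condition failed: {cond.__name__}"
    return True, "allowed"


if __name__ == "__main__":
    ctx = {"time": AFTER_HOURS, "source_ip": "203.0.113.5", "device_compliant": True}
    for user in USER_ROLES:
        print(user, sorted(effective_permissions(user)), authorize(user, "ledger:write", ctx))
```

Even `carol`, who holds the wildcard through `domain-admin`, is refused `ledger:write` from outside the corporate network: that is the difference between a discretionary grant and a system-enforced condition.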
## Directory Services
- Database of subjects
- Users, computers, security groups/roles, and services
- ACLs (authorizations)
- X.500 and LDAP
- LDAP is the protocol used to query and modify a directory such as Active Directory
- **Port 389 (LDAP)**; plaintext unless StartTLS is negotiated
- **Port 636 (LDAPS, LDAP over TLS)**
- Distinguished names (DNs)
- Comma-separated Attribute=Value pairs, e.g. `CN=Alice,OU=Users,DC=example,DC=com`
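DNs look trivial to split on commas until a value contains one (`CN=Smith\, Alice`), which is exactly the case that bites tooling that feeds DNs into filters or audit scripts. The block below is an added example (not from the original notes) of a parser for the RFC 4514 string form; the sample DNs are constructed.

```python
"""Parse an LDAP distinguished name (RFC 4514 string form) into attribute=value
pairs. Added example; sample DNs are constructed."""

HEX = "0123456789abcdefABCDEF"


def parse_dn(dn):
    """Return a list of RDNs in written order (leaf first), each a list of
    (attribute type, value) tuples. Handles backslash escapes of special
    characters (\\,), hex-pair escapes (\\2C, and UTF-8 sequences such as
    \\C3\\A9), multi-valued RDNs joined with '+', and spaces after separators.
    Values are returned exactly as written apart from unescaping."""
    rdns, rdn = [], []
    attr_type, buf, in_value = None, bytearray(), False
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
                buf.append(int(pair, 16))        # raw byte; decoded as UTF-8 later
                i += 3
                continue
            if i + 1 >= n:
                raise ValueError("dangling backslash")
            buf += dn[i + 1].encode("utf-8")     # \, \+ \" \\ and friends
            i += 2
            continue
        if not in_value:
            if ch == "=":
                attr_type = buf.decode("utf-8").strip()
                if not attr_type:
                    raise ValueError(f"empty attribute type at offset {i}")
                buf, in_value = bytearray(), True
            elif ch in ",;+":
                raise ValueError(f"separator before '=' at offset {i}")
            else:
                buf += ch.encode("utf-8")
        elif ch in ",;+":                        # ';' is the legacy RFC 2253 separator
            rdn.append((attr_type, buf.decode("utf-8")))
            buf, in_value = bytearray(), False
            if ch != "+":
                rdns.append(rdn)
                rdn = []
        else:
            buf += ch.encode("utf-8")
        i += 1
    if not in_value:
        raise ValueError("DN must end with an attribute value")
    rdn.append((attr_type, buf.decode("utf-8")))
    rdns.append(rdn)
    return rdns


def values_for(rdns, attr_type):
    """All values of one attribute type; types compare case-insensitively."""
    return [v for rdn in rdns for t, v in rdn if t.lower() == attr_type.lower()]


def domain_from_dn(dn):
    """Join the DC components into a DNS name, e.g. 'example.com'."""
    return ".".join(values_for(parse_dn(dn), "dc"))


if __name__ == "__main__":
    sample = r"CN=Smith\, Alice,OU=Sales+L=Austin,DC=example,DC=com"
    print(parse_dn(sample))
    print(domain_from_dn(sample))
```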
## Federation and Attestation
- Federated identity management
- networks under separate administrative control share users
- Identity providers and attestation
- Cloud vs on-prem requirements
## Security Assertion Markup Language (SAML)
- Open standard for implementing identity and service provider communications
- Attestations/assertions
- XML format
- Signed using XML signature specification
- Communications protocols
- HTTPS
- Simple Object Access Protocol (SOAP)
![[Pasted image 20230630090727.png]]
## OAuth and OpenID Connect
- User centric federated services better for consumer websites
- REST APIs (RESTful APIs)
- OAuth is an authorization framework, not an authentication protocol
- OAuth
- Designed to communicate authorizations (scoped access to resources) rather than to explicitly authenticate a subject
- Client sites and apps interact with OAuth IdPs and resource servers that hold the principal's account/data
- Different flow (grant) types for server-to-server or mobile app-to-server
- Tokens are commonly JSON Web Tokens (JWT): base64url-encoded header, claims and signature
- OpenID Connect (OIDC)
- Adds functions and flows to OAuth to support explicit authentication
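A relying party that accepts OAuth access tokens or OIDC ID tokens has to do more than check the signature: pin the algorithm, and verify issuer, audience and validity window. The block below is an added example (not from the original notes) that mints and verifies an HS256 JWT with the standard library only; the secret, issuer, audience and claims are constructed, and HS256 is used so the block runs offline, whereas production OIDC ID tokens are usually RS256/ES256-signed with keys fetched from the IdP's published JWKS document.

```python
"""Mint and verify an HS256-signed JWT with the standard library, with the claim
checks a relying party must make. Added example; secret and claims are constructed."""

import base64
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    pass


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    data = text.encode("ascii")
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def mint_jwt(claims, secret):
    """header.payload.signature, signature = HMAC-SHA256(secret, header.payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token, secret, issuer, audience, now=None, leeway=60):
    """Return the claims if the token is acceptable for this relying party."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm the verifier expects; never let header['alg'] choose it
    # (defeats alg=none and HMAC/RSA key-confusion attacks).
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise InvalidToken("bad signature")
    claims = json.loads(b64url_decode(p_b64))   # parsed only after the signature holds
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("token not meant for this audience")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise InvalidToken("expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise InvalidToken("not yet valid")
    return claims


def rejection_reason(token, secret, issuer, audience, now=None):
    """None if the token verifies, otherwise why it was rejected."""
    try:
        verify_jwt(token, secret, issuer, audience, now=now)
    except InvalidToken as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    secret = b"constructed-test-secret"
    tok = mint_jwt({"iss": "https://idp.example", "aud": "myapp", "sub": "alice",
                    "iat": 1699999000, "exp": 1700000000}, secret)
    print(tok)
    print(rejection_reason(tok, secret, "https://idp.example", "myapp", now=1699999500))
    print(rejection_reason(tok, secret, "https://idp.example", "otherapp", now=1699999500))
```

The audience check is the one most often skipped: a token legitimately issued for one application must not be accepted by another, or a compromised low-value app becomes a credential for every other relying party of the same IdP.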
# Importance of Personnel Policies
## Conduct Policies
- Acceptable use policy (AUP)
- Employee use of employer’s hardware and software assets
- Rules of behavior and social media analysis
- General requirements for professional standards
- Covers personal communications and social media accounts
- Additional clauses for privileged users
- Use of personally owned devices
- Bring your own device
- Shadow IT
- Unsanctioned devices and apps outside IT's control; prohibit them or bring them under management
- Clean desk
## User and Role-Based Training
- Impacts and risks from untrained users
- Topics for security awareness
- Overview of security policies
- Incident response procedures
- Site security procedures
- Data handling
- Password and account management
- Awareness of social engineering and malware threats
- Secure use of software such as browsers and email clients
- Role-based training
- Appropriate language
- Level of technical content
## Diversity of Training Techniques
- Engagement and retention
- Training delivery methods
- Phishing campaigns
- Simulating phishing messages to test employee awareness
- Capture the flag
- Computer-based training (CBT)
- Simulations
- Branching scenarios
- Gamification elements