Identity and Access Management (IAM) - Paiet/Tech-Journal-for-Everything GitHub Wiki
Security issues associated with context-based authentication

- Time
  - Attacks often occur at night, outside normal working hours
  - Windows: restrict the hours an account may log on
    - `net user <username> /times:<days>,<hours>`
    - `net user dlowrie /times:M-F,8am-6pm`
- Location
  - Attacks can come from anywhere
- Frequency
  - Attacks can arrive in rapid bursts, like a machine gun
    - Brute-force login
    - DDoS
- Behavioral
  - Behaviors must be learned FIRST (a baseline has to exist before deviations can be spotted)
  - Until then, unknown behaviors are allowed
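The three context signals above (time, location, frequency) are straightforward to check in code. The following is an added example, not from the wiki: it evaluates a few constructed login log lines against a policy modelled on the `net user /times:M-F,8am-6pm` restriction and flags off-hours logins, logins from outside an allowed country, and bursts of failed logins from a single source. The log format, the field names, the allowed-country set, the thresholds and the sample lines are all assumptions made for the example.

```python
"""Context-based login checks: allowed hours, expected location, failure frequency."""
from collections import defaultdict, deque
from datetime import datetime, time

# Constructed policy, mirroring a "net user /times:M-F,8am-6pm" style restriction.
ALLOWED_DAYS = {0, 1, 2, 3, 4}                 # Monday..Friday (datetime.weekday())
ALLOWED_START, ALLOWED_END = time(8, 0), time(18, 0)
ALLOWED_COUNTRIES = {"US"}                     # hypothetical location policy
MAX_FAILURES = 5                               # failures per source per window
WINDOW_SECONDS = 60


def time_allowed(ts: datetime) -> bool:
    """True if the (naive, local-time) timestamp falls inside the logon window."""
    return ts.weekday() in ALLOWED_DAYS and ALLOWED_START <= ts.time() < ALLOWED_END


class FrequencyTracker:
    """Sliding-window count of failed logins per source address."""

    def __init__(self, max_failures: int = MAX_FAILURES, window: int = WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)

    def record_failure(self, src: str, ts: datetime) -> bool:
        """Record one failure; return True once the source exceeds the threshold."""
        q = self.failures[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.window:   # drop old entries
            q.popleft()
        return len(q) > self.max_failures


def parse(line: str) -> dict:
    """Parse 'ISO-timestamp key=value key=value ...' into a dict (constructed format)."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def evaluate(lines):
    """Return (timestamp, user, src, reasons) for every line that violates the policy."""
    tracker = FrequencyTracker()
    findings = []
    for line in lines:
        ev = parse(line)
        reasons = []
        if not time_allowed(ev["ts"]):
            reasons.append("outside-allowed-hours")
        if ev["country"] not in ALLOWED_COUNTRIES:
            reasons.append("unexpected-location")
        if ev["result"] == "fail" and tracker.record_failure(ev["src"], ev["ts"]):
            reasons.append("burst-of-failures")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["user"], ev["src"], reasons))
    return findings


# Constructed sample log (not real data): one normal logon, one off-hours logon from
# an unexpected country, then six failed attempts from one source within a minute.
SAMPLE_LOG = [
    "2024-03-12T10:00:00 user=dlowrie src=198.51.100.7 country=US result=success",
    "2024-03-12T02:30:00 user=dlowrie src=203.0.113.5 country=RO result=success",
] + [
    f"2024-03-12T11:00:{s:02d} user=dlowrie src=203.0.113.9 country=US result=fail"
    for s in range(0, 60, 10)
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_LOG):
        print(finding)
```

The frequency check fires only on the sixth failure inside the window, so a user who mistypes a password a couple of times is not flagged; the time check uses naive local timestamps, so logs from other time zones need normalising before they are fed in.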
Security issues associated with identities
- Personnel
  - Insider threat
  - Social engineering
    - Phishing/spear-phishing
  - Security awareness training (mitigation)
- Endpoints
  - Capture attacks
    - Keystroke logger
    - Screen capture
    - Credential stealing
- Servers
- Services
- Roles
- Applications
Security issues associated with identity repositories
- Directory services
  - LDAP is common
    - Like a phonebook for digital identities
      - Contact info
      - Org hierarchy
    - DoS/DDoS
      - Use replication to mitigate
    - Allows anonymous and unauthenticated access by default
      - Disallow it
        - Enable authenticated access only
        - Require password auth
        - Require the use of TLS
    - LDAP injection attack
      - Passing LDAP queries through unnatural means
        - Unnatural = a web app that supports LDAP queries (user input ends up inside the search filter)
    - Pass the hash
      - Passwords can be secured by hashing/salting
        - CRYPT, MD5, SHA, SASL, SSHA
      - One doesn't actually have to crack the password to authenticate
        - You just need the hash string
    - ACLs
      - Directory object ACCESS can be limited
      - MODIFICATION of directory objects can be limited
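Two of the items above, LDAP injection and password hashing/salting, come down to a few lines of application code. The following added example is not from the wiki and is not tied to any particular LDAP server: it shows the injectable way of building a search filter beside one that escapes user input per RFC 4515, and it generates and verifies OpenLDAP-style `{SSHA}` (salted) and `{SHA}` (unsalted) `userPassword` values. The attribute names, the sample username, the sample passwords and the constructed salt are assumptions.

```python
"""LDAP hardening helpers: RFC 4515 filter escaping and {SSHA}/{SHA} userPassword handling."""
import base64
import hashlib
import hmac
import os

# RFC 4515 section 3: these characters must appear as \XX inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user-supplied text before placing it in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def uid_filter_unsafe(username: str) -> str:
    """The injectable pattern: raw input concatenated into the filter."""
    return f"(&(objectClass=person)(uid={username}))"


def uid_filter_safe(username: str) -> str:
    """Same filter, with the input escaped so it can only ever match a literal uid."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """OpenLDAP-style {SSHA}: base64(sha1(password + salt) + salt). Random salt if none given."""
    if not salt:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password: str) -> str:
    """Unsalted {SHA}: base64(sha1(password)); identical passwords give identical values."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Verify a candidate *password* (never a hash) against a {SSHA} or {SHA} value."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]                   # SHA-1 digest is 20 bytes
        computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(computed, digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(candidate.encode("utf-8")).digest(), raw)
    raise ValueError("unsupported userPassword scheme")


if __name__ == "__main__":
    # Constructed injection-shaped input: shows why escaping matters.
    odd_input = "*)(uid=*"
    print(uid_filter_unsafe(odd_input))   # filter now matches every person object
    print(uid_filter_safe(odd_input))     # literal uid that matches nothing
    stored = ssha_hash("Correct-Horse", b"saltsalt")
    print(stored, verify_userpassword(stored, "Correct-Horse"))
```

Two things worth noticing: the salted form makes the same password hash to different strings in different entries, and the verifier only ever accepts the password itself, so the stored string is a verifier rather than a credential. The page's pass-the-hash point applies where an authentication protocol accepts the hash value in place of the password; a check written like `verify_userpassword` does not.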
Security issues related to identity repositories

- TACACS+ (Terminal Access Controller Access-Control System)
  - Lack of integrity checks
    - Only one check: the sum of the component lengths must match the total size of the packet
    - An attacker who can sniff the wire can
      - Make data modifications
      - Perform replay/relay attacks (MITM)
  - Weak encryption
  - Mitigations
    - Network isolation/segmentation
    - Choose a strong encryption key
    - Stronger password requirements will make password cracking more difficult
    - Don't run as an administrative user if possible
- RADIUS (Remote Authentication Dial-In User Service)
  - Session replay
    - Attacker sniffs traffic
    - Learns what legitimate requests and responses look like
    - Sees a request and responds as if it were the intended device
  - Shared secret brute force
  - DoS
  - Protection
    - End-to-end encryption (TLS)
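The replay scenario above is what the RADIUS Response Authenticator is meant to catch. The following is an added example, not from the wiki and not a RADIUS implementation: it builds a minimal Access-Request/Access-Accept pair per RFC 2865 section 3, then shows the client-side check accepting the genuine response, rejecting that same response replayed against a later request (whose Request Authenticator is different), and rejecting a response computed with the wrong shared secret. The shared secret and packet contents are constructed, and no attributes are included.

```python
"""RADIUS Response Authenticator check (RFC 2865 section 3), as a replay illustration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
HEADER = struct.Struct("!BBH")      # Code (1 byte), Identifier (1), Length (2), big-endian
AUTH_LEN = 16                       # Authenticator field length


def build_request(identifier: int, attributes: bytes = b"", request_auth: bytes = None) -> bytes:
    """Client side: each request carries a fresh, unpredictable 16-byte Request Authenticator."""
    if request_auth is None:
        request_auth = os.urandom(AUTH_LEN)
    length = HEADER.size + AUTH_LEN + len(attributes)
    return HEADER.pack(ACCESS_REQUEST, identifier, length) + request_auth + attributes


def build_response(code: int, request: bytes, secret: bytes, attributes: bytes = b"") -> bytes:
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, identifier, _ = HEADER.unpack_from(request)
    request_auth = request[HEADER.size:HEADER.size + AUTH_LEN]
    header = HEADER.pack(code, identifier, HEADER.size + AUTH_LEN + len(attributes))
    response_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + response_auth + attributes


def response_is_authentic(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: recompute the authenticator; a response not bound to *this* request fails."""
    if len(response) < HEADER.size + AUTH_LEN:
        return False
    _, identifier, length = HEADER.unpack_from(response)
    if length != len(response) or identifier != request[1]:
        return False
    request_auth = request[HEADER.size:HEADER.size + AUTH_LEN]
    header, received_auth, attributes = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attributes + secret).digest()
    return hmac.compare_digest(expected, received_auth)


def replay_demo(secret: bytes = b"constructed-shared-secret") -> dict:
    """Genuine response passes; a captured response replayed to a new request fails."""
    req1 = build_request(identifier=7)
    resp1 = build_response(ACCESS_ACCEPT, req1, secret)
    captured = resp1                              # what a sniffer on the wire would record
    req2 = build_request(identifier=7)            # same ID, fresh Request Authenticator
    forged = build_response(ACCESS_ACCEPT, req2, b"not-the-real-secret")
    return {
        "genuine": response_is_authentic(req1, resp1, secret),
        "replayed": response_is_authentic(req2, captured, secret),
        "forged": response_is_authentic(req2, forged, secret),
    }


if __name__ == "__main__":
    print(replay_demo())
```

The check holds only as long as the Request Authenticator is unpredictable and the shared secret is strong; RFC 2865 hides just the User-Password attribute and relies on MD5 with the shared secret for everything else, which is why the page's protection item (RADIUS over TLS, known as RadSec) matters for the rest of the exchange.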
Security issues associated with federation and single sign-on
- Manual vs. automatic provisioning/deprovisioning
  - Account life cycle
    - Create and set password
    - Provision account
      - Services
      - Rights
      - Roles
    - Maintenance
      - Make necessary modifications as needed
    - Disable
    - Deprovision/delete
  - Social engineering the account creation process
    - Manipulate someone into manually creating/deleting an account
- Self-service password reset
  - Usually employs some easily bypassed authentication mechanism
    - Security questions
Exploits
- Impersonation
  - Pretending to be a trusted entity
    - Carefully crafted email
    - Email address aesthetics (look-alike sender addresses)
    - Open redirects
- Man-in-the-middle
- Session hijack
- Cross-site scripting
- Privilege escalation
- Rootkit