CySA+ domain #14: Identity and access management security
The area of Identity and Access Management (IAM) is now firmly established as an important area within the discipline of information security. The IAM space is a massive area that covers everything from logging into an application or portal to full-blown complex citizen identity platforms with connectivity to myriad applications and services. In doing so, it covers a whole gamut of cybersecurity areas from network security to cloud access control to social engineering and beyond.
The CompTIA Cybersecurity Analyst (CySA+) certification is an intermediate-level exam for security professionals looking for a career as a security analyst. It offers a number of subdomains within the certification. This article will look at one specific area covered within the CySA+ exam: identity and access management security.
About the CySA+ exam
The CySA+ exam consists of multiple choice and performance-based questions — that is, the exam will ask for “scenario examples” as well as offer multiple-choice answers. The certification is approved by the U.S. Department of Defense to fulfill Directive 8570.01-M requirements.
The exam itself lasts for 165 minutes. It is ideally placed to build on the CompTIA Security+ certification.
There are four main domains the exam covers (the percentage in brackets shows the weighting of each):
- 1.0: Threat Management (27%)
- 2.0: Vulnerability Management (26%)
- 3.0: Cyber Incident Response (23%)
- 4.0: Security Architecture and Tool Sets (24%)
Identity and access management security is dealt with under domain 4, subdomain 4.2.
What is covered in the identity and access management security CySA+ domain?
This sentence is taken from the exam and gives you an idea of the expected scope of the exam answers:
“Given a scenario, use data to recommend remediation of security issues related to identity and access management.”
To prepare for the exam, you must have a knowledge of the following areas:
Security issues associated with context-based authentication
Context-based authentication goes beyond traditional login credentials. It uses rules to apply additional factors or even suppress existing factors. For example, you could set time of login as a rule to control access to resources (e.g., you can only access it from 9 AM to 5 PM). You can add in other context areas too, such as geo-location. This would restrict access based on the place of login (e.g., you can only log in from a corporate IP address).
Frequency of login is also a useful way to manage access; a burst of attempts against one account is a recognizable attack pattern, and a frequency rule can block it before the account is compromised. The ultimate tool in context-based authentication is the use of behavioral patterns, including patterns of account use — these can be tracked over time and compared against each new login.
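The rules described above (working hours, corporate address space, login frequency) as a small rule engine; this is an added example, not part of the original article, and the network ranges, time window, attempt threshold and the choice of which rule denies versus which one requires an extra factor are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed policy values (assumptions for this example, not from the article).
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
WORK_HOURS = (9, 17)           # 9 AM to 5 PM, the time-of-login rule from the text
MAX_ATTEMPTS = 5               # attempts allowed per user inside WINDOW
WINDOW = timedelta(minutes=10)


@dataclass
class LoginAttempt:
    user: str
    source_ip: str
    when: datetime             # supplied explicitly so evaluation is deterministic


class ContextPolicy:
    """Evaluate a login's context and return ALLOW, STEP_UP or DENY."""

    def __init__(self):
        self._history = {}     # user -> deque of recent attempt timestamps

    def _too_frequent(self, attempt):
        # Keep only attempts inside the sliding window, then compare to the cap.
        recent = self._history.setdefault(attempt.user, deque())
        recent.append(attempt.when)
        while recent and attempt.when - recent[0] > WINDOW:
            recent.popleft()
        return len(recent) > MAX_ATTEMPTS

    def evaluate(self, attempt):
        ip = ip_address(attempt.source_ip)
        in_corp = any(ip in net for net in CORPORATE_NETWORKS)
        in_hours = WORK_HOURS[0] <= attempt.when.hour < WORK_HOURS[1]
        if self._too_frequent(attempt):
            return "DENY"      # frequency rule: burst of logins looks like guessing
        if not in_corp:
            return "DENY"      # location rule: only corporate address space may log in
        if not in_hours:
            return "STEP_UP"   # time rule: outside 9-5, apply an additional factor
        return "ALLOW"


if __name__ == "__main__":
    policy = ContextPolicy()
    t = datetime(2024, 3, 4, 10, 0)  # constructed timestamp, a Monday at 10 AM
    for ip in ("10.1.2.3", "198.51.100.7"):
        print(ip, policy.evaluate(LoginAttempt("alice", ip, t)))
```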
Security issues associated with identities
Not all digital identities reflect a human being. Computers, servers and even an Internet of Things device can have an identity. This section covers typical issues associated with each type of identity.
Personnel identities have a number of areas with associated security issues. These include:
- Social engineering, including spearphishing
- Credential management. This is a wide-scope area and includes the implementation of password security (along the lines of NIST advisories on creating strong passwords) and password hygiene issues such as privileged users sharing passwords
- Secure account recovery
- Dormant accounts (including digital death)
- Secure delegation within an account
- Audit, including security audit checks
- Account takeover/theft
Within both an enterprise and a consumer setting, there are considerations around how to verify the user to a reasonable level of assurance. This includes, in the enterprise, internal employee checks. For the consumer, these checks may involve the use of third-party APIs.
Endpoints also have to be identified and secured. Endpoints have a number of specific security considerations. In particular, malware infection of endpoints can be used to gain control of resources. Unknown endpoints within a network can hide security gaps that open up new entry points for cybercriminals. Provisioning and deprovisioning of endpoint access is another area that needs to be hardened against attack.
Servers have to be protected against DDoS attacks, and backdoor accounts can be used to take over server control, so knowledge needs to be shown of hardening against both.
Services that run on machines have authentication needs similar to those of their human counterparts.
Role-based access control (RBAC) is a key principle of privileged access management (PAM). Policies and procedures must reflect an organization’s principles of PAM and RBAC.
Finally, application access control is a key area of IAM security that needs to be demonstrated. This includes identity federation, which is a tool used to allow access to multiple applications using a single identifier/set of credentials. Within the scope of federation is Single Sign-On (SSO), used to allow access to multiple applications from a single login event. SSO should always be moderated using context-based authentication rules, to provide a more secure model of operation.
Security issues associated with identity repositories
This section focuses on security issues associated with identity directories, including Active Directory (AD), LDAP, RADIUS and TACACS+. Directory services have a number of areas of consideration in IAM security. For example, port security is an issue in hardening these directories against external attack.
AD has a number of security considerations you should be aware of. These include: the use of the Kerberos protocol; client-server authentication; session key compromise issues of Kerberos; time synchronization issues; and password guessing hacks.
TACACS+ and RADIUS considerations include: Single Sign-On (SSO) and identity federation security considerations; identity propagation across tiers; and legal agreements across a vendor ecosystem to cover access control.
General issues in identity directory security include password reset. Self-service password management is often used to reduce help desk calls, but it needs to be performed under certain rules. Out-of-band verification, such as email or challenge questions, should be used as part of the reset procedure. Exploits such as Man-in-the-Middle (MitM) require consideration, and provisioning and deprovisioning of identities and roles are pivotal in the management of secure access.
Security issues associated with federation and single sign-on
Federation and SSO have become a useful way to reduce friction when employees have to log in to a number of apps in the working day. However, this usability can have consequences for security. Exploits include:
- Impersonation (account taken over by a malicious entity) achieved via social engineering or credential hijacking
- Man-in-the-Middle (MitM) attacks which intercept network/internet traffic
- Session hijack which intercepts a session identifier for an authenticated user
- Cross-site scripting (XSS) where malicious scripts are injected into a trusted website which then accesses session tokens of an authenticated user
- Privilege escalation
Privileged Access Management (PAM) is a key security area of IAM. Compromised privileged accounts have been behind many massive data breaches, including the Uber breach. The principle of least privilege is used to control access on a need-to-know basis.
Privilege escalation uses mechanisms to escalate privileges of a user to gain access to otherwise unauthorized areas. There are two types:
- Vertical: Based on exploits to upgrade their privileges and access resources
- Horizontal: Based on using another individual’s credentials/identity account
Finally, never forget rootkit attacks. These are used to escalate user privileges to administration level. Various methods exist, including backdoor installation, trojan infection and malicious changes to the kernel.
As you can see, the identity and access management security domain of the CySA+ exam is very detailed. You need to have a broad understanding of the areas of IAM that are exploitable and that require hardening. Many of these areas overlap and impact on one another. The list above is not exhaustive and should be supplemented with knowledge of the OWASP Top Ten web application security project.