CySA+ domain #2 Software and Systems Security – for identity and access management (IAM) [updated 2021]
The area of identity and access management (IAM) is now firmly established as an important discipline within information security. The IAM space is a massive area that covers everything from logging into an application or portal to full-blown complex citizen identity platforms with connectivity to myriad applications and services. This means IAM covers a whole gamut of cybersecurity areas from network security to cloud access control to social engineering and beyond.
The CompTIA Cybersecurity Analyst (CySA+) certification is an intermediate-level exam for security professionals looking for a career as a security analyst. It offers many subdomains within the certification. This article will look at one specific area covered within the CySA+ exam: identity and access management security.
About the CySA+ exam
The CySA+ exam consists of multiple-choice and performance-based questions — that is, the exam will ask for “scenario examples” as well as offer multiple-choice answers. The certification is approved by the U.S. Department of Defense to fulfill Directive 8570.01-M requirements.
Candidates need a Network+ and Security+ certification or equivalent knowledge and a minimum of four years of experience.
The exam itself lasts for 165 minutes. It is ideally placed to build on the CompTIA Security+ certification.
There are five main domains the exam covers (the percentage in brackets shows the weight of each):
- 1.0 Threat and vulnerability management (22%)
- 2.0 Software and systems security (18%)
- 3.0 Security operations and monitoring (25%)
- 4.0 Incident response (22%)
- 5.0 Compliance and assessment (13%)
Identity as a topic is covered under Domain 2, software and systems security. The new CySA+ certification was launched on April 21, 2020 (exam number: CS0-002). The English version of CS0-001 was retired on October 21, 2020.
What is covered in the identity and access management security CySA+ domain?
Version CS0-002 of the CySA+ exam reflects the use of identity as a security layer across an extended network that incorporates myriad endpoints. In this version of the exam, the identity domain falls under software and systems security, reflecting the wider role identity plays in a world of many connected devices, people and processes.
Section 2.1 of the exam, “Given a scenario, apply security solutions for infrastructure management,” covers several key areas of IAM, and CySA+ questions are framed around scenarios of exactly this kind.
Understanding how the various aspects of IAM are applied in practice therefore helps in composing an answer. The areas of IAM covered by CySA+ are:
Privilege management: how to control and administer digital identities and apply the correct rights controls to those identities so that they can access only specified resources. The candidate should understand role-based access control (RBAC) and the principle of least privilege, as well as enterprise-scale privilege management and how attribute-based access control (ABAC) and policy-based access control (PBAC) are used to achieve rights management.
Multi-factor authentication (MFA): what MFA is and which types of MFA are available for a given use case. How can MFA be adjusted to improve the user experience, and how can authentication be ramped up using rules that decide whether additional factors are needed during login?
Single sign-on (SSO): how this authentication scheme is used to allow users to sign into multiple parties using a single login credential.
Federation: the use of federation schemes to link digital identity accounts across multiple identity management systems. What protocols are used to support federation and how is it different from SSO?
Role-based: the use of roles in a directory system or other identity management service to control access to resources.
Attribute-based: the use of identity attributes like email address, name and more to control access to resources.
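The role-based and attribute-based models above, as an added example that is not part of the original article: a single access decision that first requires a role grant (RBAC), then applies attribute rules (ABAC), and denies by default so the subject holds no more than the least privilege the policy states. The roles, clearance levels, departments and sample subjects are constructed assumptions.

```python
"""Added example, not from the article: one access decision combining a role grant
(RBAC) with attribute rules (ABAC) under default deny. All roles, attributes and
sample subjects are constructed assumptions."""
from dataclasses import dataclass, field

# Constructed role table: role -> set of (resource kind, action) it grants.
ROLE_PERMISSIONS = {
    "analyst": {("ticket", "read"), ("ticket", "comment")},
    "responder": {("ticket", "read"), ("ticket", "comment"), ("ticket", "close")},
}
# Ordering used by the clearance rule; a higher rank may read lower classifications.
CLEARANCE_RANK = {"public": 0, "internal": 1, "confidential": 2}

@dataclass
class Subject:
    name: str
    roles: set
    attributes: dict = field(default_factory=dict)  # department, clearance

@dataclass
class Resource:
    kind: str
    attributes: dict = field(default_factory=dict)  # owner_dept, classification

def rbac_allows(subject, resource, action):
    """Role check: some role held by the subject must grant (kind, action)."""
    return any((resource.kind, action) in ROLE_PERMISSIONS.get(r, set())
               for r in subject.roles)

def abac_check(subject, resource, action):
    """Attribute rules layered on the role grant; returns a denial reason or None."""
    # Unknown classification is treated as most restrictive, unknown clearance as lowest.
    needed = CLEARANCE_RANK.get(resource.attributes.get("classification", "internal"), 99)
    held = CLEARANCE_RANK.get(subject.attributes.get("clearance", "public"), 0)
    if held < needed:
        return "clearance below classification"
    if action == "close" and \
            subject.attributes.get("department") != resource.attributes.get("owner_dept"):
        return "closing is limited to the owning department"
    return None

def decide(subject, resource, action):
    """Default deny: returns (allowed, reason). Both layers must pass."""
    if not rbac_allows(subject, resource, action):
        return False, "no role grants %s on %s" % (action, resource.kind)
    reason = abac_check(subject, resource, action)
    if reason:
        return False, reason
    return True, "allow"
```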
Other IAM security concepts
Section 2 and other sections of the exam weave in the use of IAM throughout. Section 3 of the CySA+ exam, “security operations and monitoring” has many areas where IAM is a key component. To give full and knowledgeable answers in the CySA+ exam a candidate must understand the application of IAM principles across many concepts:
- Social engineering, including spear phishing
- Credential management. This is a wide-scope area and includes the implementation of password security (along the lines of NIST advisories on creating strong passwords) and password hygiene issues such as privileged users sharing passwords
- Secure account recovery
- Dormant accounts (including digital death)
- Secure delegation within an account
- Audit, including security audit checks
- Account takeover/theft
Within both an enterprise and a consumer setting, there are considerations around how to verify the user to a reasonable level of assurance. This includes, in the enterprise, internal employee checks. For the consumer, these checks may involve the use of third-party APIs.
Endpoints also have to be identified and secured. Endpoints have several specific security considerations. In particular, malware infection of endpoints can be used to gain control of resources. Unknown endpoints within a network can be behind security gaps that open up new entry points for cybercriminals. Provisioning and de-provisioning of endpoint access is another area that needs to be hardened against attack.
Servers have to be protected against DDoS attacks, and backdoor accounts can be used to take over control of a server, so candidates need to show knowledge of hardening against both.
Services that run on machines have similar security needs in terms of authentication to their human counterparts.
Role-based access control (RBAC) is a key principle of privileged access management (PAM). Policies and procedures must reflect an organization’s principles of PAM and RBAC.
Finally, application access control is a key area of IAM security that candidates need to understand. This includes identity federation, which is used to allow access to multiple applications using a single identifier or set of credentials. Within the scope of a federation is single sign-on (SSO), used to allow access to multiple applications from a single login event. SSO should always be moderated by context-based authentication rules to provide a more secure model of operation.
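The context-based rules that moderate SSO and ramp up MFA, as an added example that is not part of the original article: each login context is scored against a small rule set, and at or above a threshold the login must present a second factor. The signals, weights, threshold and sample contexts are constructed assumptions.

```python
"""Added example, not from the article: rule-based step-up authentication for an
SSO login. Context signals are scored; at or above a threshold the login must
present a second factor. Rules, weights and the sample contexts are assumptions."""
from dataclasses import dataclass

@dataclass
class LoginContext:
    user: str
    known_device: bool      # device fingerprint previously seen for this user
    country: str            # geolocated from the source address
    home_country: str       # user's usual country from the directory
    failed_attempts: int    # recent failed logins on this account
    privileged_app: bool    # SSO target is an admin console or similar

# Constructed risk rules: (name, predicate over the context, weight).
RULES = [
    ("unknown device", lambda c: not c.known_device, 40),
    ("foreign country", lambda c: c.country != c.home_country, 30),
    ("recent failures", lambda c: c.failed_attempts >= 3, 20),
    ("privileged app", lambda c: c.privileged_app, 50),
]
STEP_UP_THRESHOLD = 50  # a privileged target alone is enough to require MFA

def assess(ctx):
    """Return (risk score, names of the rules that fired)."""
    score, fired = 0, []
    for name, predicate, weight in RULES:
        if predicate(ctx):
            score += weight
            fired.append(name)
    return score, fired

def required_factors(ctx):
    """Password only for low-risk logins; otherwise password plus a second factor."""
    score, fired = assess(ctx)
    factors = ["password"]
    if score >= STEP_UP_THRESHOLD:
        factors.append("second_factor")  # e.g. TOTP or FIDO2, per tenant policy
    return factors, fired
```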
Federation and single sign-on security issues
Federation and SSO have become a useful way to reduce friction when employees have to log in to several apps during work. However, this usability can have consequences for security. Exploits include:
- Impersonation (account taken over by a malicious entity) achieved via social engineering or credential hijacking
- Man-in-the-middle (MitM) attacks which intercept network/internet traffic
- Session hijacking, which intercepts the session identifier of an authenticated user
- Cross-site scripting (XSS) where malicious scripts are injected into a trusted website which then accesses session tokens of an authenticated user
- Privilege escalation
Privileged access management (PAM) is a key security area of IAM. Compromised privileged accounts have been behind many massive data breaches, including the Uber breach. The principle of least privilege is used to control access on a need-to-know basis.
Privilege escalation uses mechanisms to escalate the privileges of a user to gain access to otherwise unauthorized areas. There are two types:
- Vertical: exploiting a vulnerability or misconfiguration to upgrade a user’s own privileges and access restricted resources
- Horizontal: using another individual’s credentials or identity account
Finally, never forget rootkit attacks. These are used to escalate user privileges to the administrator level. Various methods exist, including installing a backdoor, trojan infection or malicious changes to the kernel.
Data privacy and protection
The CySA+ exam has a section that specifically tackles data privacy and protection. Candidates should understand the difference between security and privacy. This section covers the regulatory nuances of data protection and looks at various standards.
Non-technical controls
Classification: classification of data assets is crucial in understanding what measures should be used to protect these data.
Retention: regulations set retention periods for data, after which all data should be deleted.
Data types: the type of data, along with its class helps to define security and privacy policies.
Data sovereignty: data is subject to the laws and governance structures of the originating nation. Data sovereignty is linked with data security, cloud computing and technological sovereignty, and informs cloud hosting choices. Data sovereignty can impact regulation requirements such as adequacy and appropriate safeguards.
Data minimization: reducing the amount of data collected can help reduce the risk of data exposure. This is also a key requirement of privacy by design (PbD) and falls under regulations such as the GDPR.
Technical controls
Candidates must understand the type of measures and their appropriate use for the protection of data, both from a privacy and security perspective.
- Encryption
- Data loss prevention (DLP)
- Data masking
- De-identification
- Tokenization
- Digital rights management (DRM)
- Watermarking
- Geographic access requirements
- Access controls
Identity and access management covers many aspects of the CySA+ exam. This makes sense, as IAM is an intrinsic security layer. To pass the CySA+ exam, you should have a broad understanding of the areas of IAM that are exploitable and require hardening. Many of these areas overlap and impact one another. The list above is not exhaustive and should be supplemented with knowledge of the OWASP Top 10 web application security project.
Sources:
NIST Special Publication 800-63: Digital Identity Guidelines, NIST
Top Ten Project, OWASP