Chapter 7 begins with a horror story, as usual, making the point that if thieves are not kept from resources, they will help themselves. Surprised? I didn't think so.
Page 227 continues with one of the author's metaphors that seems to fall apart. A baby sitter is instructed to allow a package service to pick up a package from the home where she is watching a child. She follows four steps to accomplish this, and the author is oblivious that she messes up one of them. Read the story, then come back here.
Did you see which step she got wrong?
In our example from the book there is no part five. It is not a monster movie or a thriller. The point is that it could have been. Could the babysitter have called FedEx to check on the identity of the supposed driver? Yes, and in most circumstances she would have been thought paranoid. If you are not protecting important assets, you are not expected to take precautions. When you are protecting a network, you must take precautions. (And if you are protecting a child in a monster movie, grab a baseball bat and tell the killer to come back next week.)
The book points out that there is a distinction between authorization and access. Authorization is permission, and access is means. Other than that, page 228 brings up more vocabulary words without elaborating on any but the last three:
The text turns specifically to the topic of access control. In a previous chapter, this phrase meant making sure devices were "clean" before they were allowed to connect to the network. This chapter uses the more familiar meaning, allowing, restricting, and denying access to resources. Page 229 introduces four access control methods. You should know something about each of them for the exam objectives:
The book points out that two of the acronyms above are the same. This is dumb, and it may explain why most Internet resources seem to present only three of the four methods. Note the other names given for rule based access control: rule-based role-based access control, and automated provisioning. Remember to breathe in, then out.
The text continues with a set of best practices that might be used along with the models above:
Logical Access Control
This set of methods is more related to software than hardware.
Access Control Lists
You can think of an ACL (Access Control List) as a property of an object that lists what users have what permissions regarding that object. The example on page 234 shows a UNIX file that has various read, write, and execute permissions set for various entities on the system. The example on page 235 shows a text file in a Windows environment. Three entities have been given explicit permissions to the file. Selecting each entity in turn would display the assigned permissions on the Security tab of the object's properties. Setting permissions in an access control list allows granular control, but it is labor intensive for administrators.
Group Policies are a feature of Windows Active Directory, the database system used to manage users and assets in a Windows based network. As the text explains, Group Policies can affect users when they log in, and devices when they boot up. Systems check for updates at intervals controlled by network administrators. A Group Policy can have an effect on multiple domains.
The text describes Local Group Policies as having fewer options, having smaller scope, and being associated with older systems that are not using Active Directory.
Page 237 shows an example of time restrictions applied to a user. In this case the example is of Parental Controls, but user accounts can be restricted the same way in an enterprise environment by user account or by Group Policy.
The text describes an orphan account, an account that belonged to someone who left the organization, as being a waste of resources and a security vulnerability. It proposes that this vulnerability can be reduced by using preset expiration dates for user accounts, or setting an account to expire once the associated password has been expired for a specific number of days.Passwords
The text discusses some myths about passwords. Its main point is that passwords should be longer, should be memorable to the user, and should be changed frequently. The text describes some password attack methods:
Microsoft uses a newer version of the hash algorithm, NTLM hash, that eliminates some of the shortcomings of the LM hash algorithm. The problem with this, discussed on page 241, is that the LM hash algorithm is still used in many versions of Windows (along with NTLM hash) unless the password is longer than 14 characters.
The text mentions the use of salt in creating hashes, and that LM and NTLM hashes do not include these random bits to enhance the encryption of a password.
The author moves on to discuss passwords themselves again, advocating a strong password policy: mixture of character types, no actual words, longer when possible, and so on. He adds the idea of using characters that are not on the keyboard but are available in Windows through holding down an Alt key and entering a four character code on the numeric keypad. The main problem with this idea is this method is not available on all systems, and the codes are not memorable unless you use them frequently.Domain Password Policy
Most users who log in to a Windows domain use passwords that must meet the restrictions set in the Domain Password Policy. Page 243 lists six attributes that can be set for domain passwords. The maximum settings given were true at the time the text was printed
Physical Access Control (or, Lock the Door!)
The text discusses some aspects of physical security:
Chapter 8 begins with a definition that is sort of two. Authentication was defined in the last chapter as the second phase of access control: when the requester's credentials are checked and confirmed.
The second meaning offered here for authentication is more of a second context. A new slant on security is presented on page 267, telling us that authentication is one of three key elements to security:
As he has done before, the author expands a bullet into three more. Three reasons to gather accounting information are listed:
The author uses a story problem to illustrate a simple principle. Most security is based on one or more of three types of things: something you have (like a key or an ID card), something you know (like a PIN or a password), or something you are (like a fingerprint). When a person logs in from a standard workstation in a normal environment, one level of protection, like a password may be secure enough. For a situation that is more vulnerable, like logging in from a remote location through a public data network, two levels may be required, such as a user name-password pair along with a one-time password from a security device (that may require a PIN as well).
This category includes the passwords that a vendor sends you in an email when you need access to your account to set a new password. Such one-time passwords are time-synchronized because they expire after a stated time limit, or one use, whichever comes first.
The example in the text describes the use of a token that generates a new numeric password at a set rate, like once a minute. Each password is good only once, and must match the same password that is generated by receiving software on the system end. An example of such a device is the RSA SecurID. This device works on two factors, requiring you to know a Personal ID number for their system, and to have the current OTP from the device you have been issued.
Some devices support the use of challenges. A challenge would be a code that the login interface would give to you. You would input the challenge into an interface on the token, which would generate a response that would be used as the password.
Biometric devices measure something about a living being, such a fingerprint, face shape, hand print, iris pattern, and retina pattern. The text discusses two kinds of fingerprint scanners. Static fingerprint scanners read a print from a finger that is placed on a scanner. This technology has some known spoofs, such as using gummy bears. Dynamic fingerprint scanners require a finger to be passed across a reader that uses electrical resistance to create the image of the fingerprint.
Measuring how a person performs a task is the concept behind behavioral biometrics. Several possibilities are listed, each with their own faults and virtues:
This method asks the user for particular facts about specific life events. This seems to be a faulty idea. If I were to respond to a series of questions about a wedding, wouldn't most other people who had attended the same event share the same knowledge about it? As an indicator of the possible failure rate for this type of metric, I note that a search on the Internet for the company mentioned as an example in the text came up empty.
As noted above, it is much more secure to rely on two or three factors for identification rather than one.
The ability to access multiple resources with one login is desirable to many users. Within a given company, logging in to one interface and then being authorized to access multiple resources is an example of single sign-on. Presently, when you log in to the Baker Solar system you use the same ID and password that you use to log in to the Baker email system. This is not an example of single sign-on because you are still required to log in to each service separately.
Accessing the resources of multiple companies with a single log in is an example of federated identity management (FIM). The text offers some examples of this kind of service:
The drawback to this concept seems to be that not every service is accepted by every vendor, so you still have to manage multiple IDs and recall how to sign in with each one.
The text discusses four kinds of authentication servers, which may perform authentication only, or may perform authorization and accounting functions as well.
Remote Authentication User Dial-In Service has some specific and non-intuitive terminology.
The text says that Kerberos is an authentication system. It is also proper to call it a protocol. It is noteworthy because it can be used on Windows, Linux, and Mac OS X networks. As the text explains, a network user requests access to services, Kerberos issues an identifying ticket, and the ticket is examined by the entity that grants access to the service. This is a standard part of logging in to an Active Directory network.
Terminal Access Control Access Control System (TACACS+)
TACACS+ must have been created by someone with a love for redundancy. It performs authentication, authorization, and accounting functions, and is meant to support a large number of connections.
Lightweight Directory Access Protocol (LDAP)
The text waits until this discussion to mention that Directory Service is a database service on a network. (It is one of the classic services of a network.) LDAP is a protocol that is used to access such databases. The text contrasts it to DAP (its big brother):
Extended Authentication Protocols
The chapter lists three legacy protocols that are no longer used, two protocols that are not recommended, then finally two protocols that are recommended:
Not used much any more
Remote Authentication and Security
This is the last major topic of the chapter. It concerns connections from staff who work remotely.
Remote Access Services
The book gives a vague definition of this service, as any combination of hardware and software that enables a remote user to access network resources. This could include dedicated data lines, modems, public networks, and the equipment that must be set up to accept connection from these sources.
Virtual Private Networks (VPNs)
A VPN is one type of remote access. The use of an RSA SecurID device is a common method of creating a secure data channel across a public network, like the Internet. This is an example of the first type of VPN described in the text, a remote access VPN that connects a user to a LAN through a VPN server. The connection can be made by IP address or by dial up connection. Dial up connections are typically used when there is no Internet access.
The second type of VPN described in the text is a connection between sites, called a site-to-site VPN.
Remote Access Policies
The text briefly discusses the need for consistent policies and consistent application of them to minimize risks that VPN connections can create.