WEBVTT

00:00.000 --> 00:02.895
>> Authorization controls.

00:02.895 --> 00:05.490
The learning objectives
for this lesson are to

00:05.490 --> 00:08.325
describe the different types
of access control methods,

00:08.325 --> 00:11.190
to evaluate
authentication protocols,

00:11.190 --> 00:14.210
and to describe identity
proofing mechanisms.

00:14.210 --> 00:17.910
Let's get started.
The first type of

00:17.910 --> 00:20.220
access control method
we will discuss is

00:20.220 --> 00:22.965
discretionary access
control or DAC.

00:22.965 --> 00:25.350
With DAC, the resource owner

00:25.350 --> 00:28.095
determines who has
access to everything.

00:28.095 --> 00:31.190
DAC is very flexible
and it's used by

00:31.190 --> 00:34.280
default in Unix/Linux
and Windows systems.

00:34.280 --> 00:37.340
It's the weakest model
because it requires

00:37.340 --> 00:39.410
centralized
administration and this

00:39.410 --> 00:41.015
is difficult to enforce.

00:41.015 --> 00:42.380
It's also vulnerable to

00:42.380 --> 00:46.290
insider threats and
compromised account abuse.

00:47.180 --> 00:51.765
The next method is mandatory
access control or MAC.

00:51.765 --> 00:53.405
MAC is very different.

00:53.405 --> 00:56.585
It's based on security
clearance levels.

00:56.585 --> 00:59.540
Labels are applied
to objects and

00:59.540 --> 01:02.765
subjects and each of these is
granted a clearance level.

01:02.765 --> 01:06.380
Labeling is performed using
pre-established rules.

01:06.380 --> 01:09.935
These rules cannot be
changed by subject accounts.

01:09.935 --> 01:13.480
MAC is also considered
to be non-discretionary.

01:13.480 --> 01:15.710
When you see a question on

01:15.710 --> 01:18.485
the test and it mentions
labels, it's MAC.

01:18.485 --> 01:22.160
Also, a key point again is
that it's non-discretionary.

01:22.160 --> 01:25.115
A quick breakdown of how
this would work is that

01:25.115 --> 01:29.370
all data users would be
given specific labels

01:29.370 --> 01:32.705
and then those labels have
their own rules as to

01:32.705 --> 01:37.580
what they're allowed to
access with those labels.

01:37.580 --> 01:39.800
Everything is built
on this system.

01:39.800 --> 01:41.300
It's cumbersome to set up,

01:41.300 --> 01:44.765
but it's very secure
because it enforces,

01:44.765 --> 01:46.310
hence the mandatory,

01:46.310 --> 01:50.520
access on the data
based on those labels.

01:51.350 --> 01:55.770
Next, we have role-based
access control or RBAC.

01:55.770 --> 01:58.010
This is adding an
additional element to

01:58.010 --> 02:00.710
DAC based on the
subject's roles.

02:00.710 --> 02:03.650
Users can gain rights
based on their roles.

02:03.650 --> 02:05.750
For example, in a corporation,

02:05.750 --> 02:09.335
the HR department may have
additional access to data,

02:09.335 --> 02:11.060
so all users that are in

02:11.060 --> 02:14.740
that HR department role
would have access to that.

02:14.740 --> 02:18.760
We also have attribute-based
access control, ABAC.

02:18.760 --> 02:21.500
This is a more fine-grained
approach as it

02:21.500 --> 02:24.455
utilizes a combination
of any attributes.

02:24.455 --> 02:26.385
It also uses the eXtensible

02:26.385 --> 02:28.470
Access Control Markup Language,

02:28.470 --> 02:30.270
XACML.

02:30.270 --> 02:33.170
If you see a question
talking about XACML,

02:33.170 --> 02:34.690
then you know that
it's attribute-based

02:34.690 --> 02:36.545
access control, ABAC.

02:36.545 --> 02:39.765
Finally, we have
rule-based access control.

02:39.765 --> 02:43.130
This is where we have policies
that are determined by

02:43.130 --> 02:47.180
system-enforced rules
rather than by system users.

02:49.430 --> 02:52.365
Authentication protocols.

02:52.365 --> 02:55.565
First, we have single
sign-on or SSO.

02:55.565 --> 02:57.650
This allows a user
to authenticate

02:57.650 --> 03:00.170
once to a local server and

03:00.170 --> 03:02.300
then be authenticated
to other servers

03:02.300 --> 03:05.530
without having to enter in
their credentials again.

03:05.530 --> 03:08.190
Then we have Remote
Authentication

03:08.190 --> 03:10.730
Dial-In User Service or RADIUS.

03:10.730 --> 03:12.925
This uses the UDP protocol

03:12.925 --> 03:15.860
and it authenticates
with a shared secret.

03:15.860 --> 03:17.725
Next, we have Diameter.

03:17.725 --> 03:20.170
This is considered an
improved version of RADIUS.

03:20.170 --> 03:22.315
It's TCP based and it requires

03:22.315 --> 03:26.200
IPSec and TLS for the
confidentiality of the data.

03:26.200 --> 03:28.630
It gets its name
Diameter because

03:28.630 --> 03:31.580
it's considered to be
twice as good as RADIUS.

03:33.030 --> 03:35.590
We also have Terminal Access

03:35.590 --> 03:40.000
Controller Access-Control
System Plus or TACACS+.

03:40.000 --> 03:42.555
This is a Cisco
developed protocol.

03:42.555 --> 03:46.245
It runs on TCP and port 49.

03:46.245 --> 03:51.000
The data is encrypted and all
AAA functions are discrete.

03:51.000 --> 03:53.560
Next, we have
Lightweight Directory

03:53.560 --> 03:56.660
Access Protocol or LDAP.

03:56.660 --> 03:58.675
This is a directory
service protocol

03:58.675 --> 04:00.565
that runs over TCP/IP.

04:00.565 --> 04:03.640
LDAP service uses a
directory database to

04:03.640 --> 04:06.895
determine who can and
cannot access data,

04:06.895 --> 04:08.845
or in some cases,

04:08.845 --> 04:11.480
if you're allowed to
authenticate to a network.

04:11.480 --> 04:14.880
Finally, we have
Secure LDAP or LDAPS.

04:14.880 --> 04:19.000
This is simply LDAP that
runs over SSL or TLS.

04:20.610 --> 04:24.789
Next, we have the granddaddy
of them all, Kerberos.

04:24.789 --> 04:28.630
This is a single sign-on network
authentication protocol.

04:28.630 --> 04:30.700
It's used in Active Directory.

04:30.700 --> 04:34.330
First, a client requests
services from a server.

04:34.330 --> 04:36.880
Clients and servers both rely on

04:36.880 --> 04:39.985
the Key Distribution Center or
KDC for authentication.

04:39.985 --> 04:41.890
The KDC has two parts.

04:41.890 --> 04:43.945
The first is the
Authentication Service

04:43.945 --> 04:46.240
and the second is the
Ticket Granting Service.

04:46.240 --> 04:48.850
The KDC will issue what
is known as a ticket

04:48.850 --> 04:51.485
granting ticket for
authentication.

04:51.485 --> 04:56.770
The KDC runs on
port 88 TCP or UDP.

04:57.030 --> 05:01.180
Here's a simplified breakdown
of Kerberos in action.

05:01.180 --> 05:04.105
First, the client asks
for authentication to

05:04.105 --> 05:08.335
the Kerberos Key Distribution
Center or the KDC.

05:08.335 --> 05:09.790
This is composed of

05:09.790 --> 05:11.320
the Authentication Server and

05:11.320 --> 05:12.665
the Ticket Granting Server.

05:12.665 --> 05:15.795
It's asking for the
Ticket Granting Ticket.

05:15.795 --> 05:17.780
Authorization is given and

05:17.780 --> 05:20.840
the TGT is then
passed to the client.

05:20.840 --> 05:22.670
The client uses the TGT,

05:22.670 --> 05:26.295
the Ticket Granting Ticket
to access the server;

05:26.295 --> 05:28.775
that is what establishes
authentication,

05:28.775 --> 05:31.440
and then the server
allows access.

05:33.050 --> 05:36.860
Next, we have Open
Authorization or OAuth.

05:36.860 --> 05:38.840
This is often used for
authentication and

05:38.840 --> 05:41.570
authorization for a RESTful API.

05:41.570 --> 05:45.445
A user account is hosted by
one or more resource servers.

05:45.445 --> 05:47.180
Authorization requests are

05:47.180 --> 05:49.910
processed by
authorization servers.

05:49.910 --> 05:52.460
It uses JavaScript
Object Notation or

05:52.460 --> 05:55.710
JSON Web Token, JWT, format.

05:55.710 --> 05:57.985
It can be passed in URLs and

05:57.985 --> 05:59.830
HTTP headers and can be

05:59.830 --> 06:03.620
digitally signed to ensure
authentication and integrity.

06:07.700 --> 06:11.710
Extensible Authentication
Protocol or EAP.

06:11.710 --> 06:14.200
This provides a
framework for deploying

06:14.200 --> 06:17.035
different authentication
protocols and systems.

06:17.035 --> 06:19.300
It mostly uses
digital certificates

06:19.300 --> 06:22.640
rather than passwords to
help establish the trust.

06:25.340 --> 06:29.020
802.1X, this uses EAP for

06:29.020 --> 06:31.840
wireless Ethernet
or VPN gateways

06:31.840 --> 06:33.145
to provide authentication.

06:33.145 --> 06:36.010
It has three parts. The
first is the supplicant.

06:36.010 --> 06:38.715
This is the device
requesting access.

06:38.715 --> 06:41.470
Then we have the network
access server or NAS.

06:41.470 --> 06:44.360
Don't confuse this with
network attached storage.

06:44.360 --> 06:47.975
This is edge equipment such
as switches or access points.

06:47.975 --> 06:50.820
Then finally, we have
the Authentication,

06:50.820 --> 06:53.420
Authorization and
Accounting, or AAA server.

06:53.420 --> 06:56.760
This is the server that
authenticates the requests.

06:57.950 --> 07:01.080
Identity Proofing Mechanisms.

07:01.080 --> 07:03.200
Identity Proofing is verifying

07:03.200 --> 07:05.135
that a user's various
characteristics

07:05.135 --> 07:06.740
and credentials are accurate

07:06.740 --> 07:09.520
and unique to that individual.

07:09.520 --> 07:12.740
Multi-factor
Authentication uses one

07:12.740 --> 07:14.375
or more of the following.

07:14.375 --> 07:17.299
Something you know, which
is usually a password,

07:17.299 --> 07:20.645
something you have: a
token or similar device,

07:20.645 --> 07:22.940
something you are: biometrics.

07:22.940 --> 07:24.230
We're all familiar with

07:24.230 --> 07:26.780
Multi-factor Authentication
in one form or another.

07:26.780 --> 07:28.370
Oftentimes when you're accessing

07:28.370 --> 07:29.615
your online bank accounts,

07:29.615 --> 07:31.070
you may receive a text.

07:31.070 --> 07:33.260
This would be
something you have,

07:33.260 --> 07:35.930
something that is sent to you.

07:35.930 --> 07:39.910
That is an example of
two-factor authentication.

07:39.910 --> 07:42.560
Multi-factor is adding
in even more than that.

07:42.560 --> 07:44.600
You can add in a password to

07:44.600 --> 07:45.950
authenticate and then you must

07:45.950 --> 07:47.615
use a second password, say,

07:47.615 --> 07:50.525
using OAuth or Google
Authenticator,

07:50.525 --> 07:52.880
and maybe sometimes you
have to use a thumbprint.

07:52.880 --> 07:54.790
This is something you are.

07:54.790 --> 07:57.020
You can use a combination

07:57.020 --> 07:58.760
of these things to help uniquely

07:58.760 --> 07:59.930
identify a person and

07:59.930 --> 08:03.120
ensure that you're letting
the right person in.

08:04.580 --> 08:07.615
We can also use
two-step verification,

08:07.615 --> 08:09.410
like I mentioned
with the SMS before.

08:09.410 --> 08:11.434
These are out-of-band mechanisms

08:11.434 --> 08:13.985
that generate a token
on the server side,

08:13.985 --> 08:16.105
and then that's sent to a user.

08:16.105 --> 08:19.100
Like I mentioned
earlier, SMS messages,

08:19.100 --> 08:22.710
phone calls, push
notifications, or email.

08:25.640 --> 08:28.590
HMAC-Based One-Time Password,

08:28.590 --> 08:30.405
also known as HOTP,

08:30.405 --> 08:34.355
is an algorithm for
token-based authentication.

08:34.355 --> 08:38.555
The client and server both
share the same shared secret.

08:38.555 --> 08:41.465
It's stored as
an eight-byte value

08:41.465 --> 08:44.545
that is generated by a
random number generator.

08:44.545 --> 08:48.540
Next, we have the
Time-Based One-Time Password,

08:48.540 --> 08:50.175
or TOTP.

08:50.175 --> 08:53.400
This is a refined
version of HMAC,

08:53.400 --> 08:55.880
by adding in a value taken from

08:55.880 --> 08:58.790
the timestamp of both the
client and the server.

08:58.790 --> 09:00.815
This allows each token to have

09:00.815 --> 09:03.740
a short usage time,
30-60 seconds.

09:03.740 --> 09:06.860
A good example of this
is Google Authenticator.

09:08.380 --> 09:11.435
Identity Proofing Mechanisms,

09:11.435 --> 09:14.210
Hardware Root of Trust, or RoT.

09:14.210 --> 09:16.025
This is a trust anchor.

09:16.025 --> 09:20.275
A secure subsystem that
can provide attestation.

09:20.275 --> 09:25.055
It's established using a
Trusted Platform Module or TPM,

09:25.055 --> 09:27.470
which is a hardware
module to store

09:27.470 --> 09:31.175
encryption keys or other
forms of identification.

09:31.175 --> 09:33.260
The TPMs are built usually

09:33.260 --> 09:36.170
into the motherboard
of a computer.

09:36.170 --> 09:39.140
We also have JavaScript
Object Notation,

09:39.140 --> 09:41.555
JSON, Web Token, JWT.

09:41.555 --> 09:44.210
This is a subset of
JavaScript used in

09:44.210 --> 09:47.065
the REST style of web
app architecture.

09:47.065 --> 09:49.490
JSON Web Tokens are

09:49.490 --> 09:53.015
a method to transfer claims
between two parties.

09:53.015 --> 09:56.495
JWTs have a header, a payload,

09:56.495 --> 09:58.100
and a signature separated by

09:58.100 --> 10:01.950
dots and are
expressed in Base64.

10:02.830 --> 10:06.110
Let's summarize. We discussed

10:06.110 --> 10:08.890
the different types of
access control methods.

10:08.890 --> 10:12.290
We presented the types of
authentication protocols,

10:12.290 --> 10:13.820
and we went over the different

10:13.820 --> 10:15.425
types of identity proofing.

10:15.425 --> 10:18.145
Let's do some example questions.

10:18.145 --> 10:21.440
Which type of access
control is used for

10:21.440 --> 10:25.170
security clearance levels
and utilizes labels?

10:25.420 --> 10:29.490
Mandatory access control or MAC.

10:29.630 --> 10:34.830
Question 2, this authorization
protocol improves upon

10:34.830 --> 10:37.400
RADIUS by adding a
failover mechanism

10:37.400 --> 10:40.470
and requiring IPSec and TLS?

10:41.000 --> 10:44.090
Diameter. Remember, diameter is

10:44.090 --> 10:46.950
considered to be twice
as good as RADIUS.

10:47.420 --> 10:51.305
Question 3, which
type of token has

10:51.305 --> 10:52.970
a built-in expiration for

10:52.970 --> 10:56.070
each token to prevent
future attacks?

10:56.930 --> 11:00.865
Time-based one-time
password or TOTP,

11:00.865 --> 11:05.160
because they're only useful
for that 30-60 second block.

11:05.780 --> 11:08.035
Finally, Question 4,

11:08.035 --> 11:11.360
which access control model
is the most flexible and is

11:11.360 --> 11:15.810
used by default in Unix/Linux
and Windows systems?

11:15.950 --> 11:19.395
Discretionary access
control or DAC.

11:19.395 --> 11:21.110
I hope that lesson
was useful for

11:21.110 --> 11:23.430
you, and I'll see
you in the next one.

