CBK Domain 5 - Identity and Access Management.

LDAP (The Lightweight Directory Access Protocol): Open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an IP network. Application layer protocol and use TCP and UDP port 389. LDAP is commonly used for central usernames and passwords storage, many different applications and services can connect to the LDAP server to validate users.

TACACS (The Terminal Access Controller Access Control System): Centralized access control system requiring users to send an ID and reusable (vulnerable) passwords for authentication, because of this it is no longer considered secure. Uses TCP/UDP port 49. TACACS has generally been replaced by TACACS+ and RADIUS.

We could use nonces, salting and key stretching as well as minimum password age. Nonce is arbitrary number that may only be used once. Salting is random data that is used as an additional input to a one-way function that hashes a password or passphrase. Key stretching – Adding 1-2 seconds to password verification. If an attacker is brute forcing password and need millions of attempts it will become an unfeasible attack. Minimum password age is used to prevent users from cycling through passwords to return to their favorite password again.

DAC (Discretionary Access Control): Often used when Availability is most important. Access to an object is assigned at the discretion of the object owner. The owner can add, remove rights, commonly used by most OS’. Uses DACL’s (Discretionary ACL), based on user identity.

When an administrator uses their own credentials to allow systems access, the system will keep those credentials until logged out. It should not be done. If the administrator enters a wrong password, the system will keep re-authenticating, and that will eventually keep locking the account.

Something you are - Type 3 Authentication (Biometrics): Can inadvertently breach our employees privacy: Some fingerprint patterns are related to chromosomal diseases. Iris patterns could reveal genetic sex, retina scans can show if a person is pregnant or diabetic. Hand vein patterns could reveal vascular diseases. Most behavioral biometrics could reveal neurological diseases, etc.

Something you have - Type 2 Authentication: ID, passport, smart card, token, cookie on PC, these are called Possession factors. The subject uses these to authenticate their identity, if they have the item, they must be who they say they are.