SYO-701 Security Operations Study Guide for the CompTIA Security+

Page 4

Identity and Access Management

Identity and access management is a vital aspect of cybersecurity. You should be able to understand and implement common identity and access management controls. The questions about these concepts will be scenario-based.

Provisioning/Deprovisioning User Accounts

Provisioning is the process of creating a user account and assigning the appropriate security configurations and resource access permissions, as well as verifying the identity of the user who will be attached to the account. Deprovisioning is the process of terminating the user account. Deprovisioning includes not only the deletion of the user account but also the removal of any files, data, configurations, or other artifacts belonging to that account that may remain on the network.

Permission Assignments and Implications

Permission assignment is the process of allowing or denying a user access to resources so that the principle of least privilege is maintained. If permission assignments are mishandled, the user may be allowed access to unnecessary resources or, if the permissions of one user are copied to another user without proper inspection, permission creep may occur. This is common when new roles are assigned to existing users or new users are assigned to existing roles, resulting in unintended access to unnecessary resources.

Identity Proofing

Identity proofing is the process of verifying that the physical individual for whom a user account is created is who they say they are. Verification methods can include government identification or knowledge-based questions.

Federation

A federation is a group of federated identity deployments run by identity providers (IdPs) that authenticate principals to service providers (SPs). The SP is sometimes referred to as the relying party (RP). In a federation the principal is the user, the IdP is the entity that provides the identity and authentication services, and the SP provides services to the user.

Single Sign-On (SSO)

An SSO system is designed to use one login credential to access multiple systems and services on a network. SSO systems typically use authentication protocols such as LDAP, OAuth, and SAML for authentication.

Lightweight Directory Access Protocol (LDAP)

LDAP is an open-standard protocol for accessing and maintaining directory information on the internet or an intranet. It can be used to access files or usernames and passwords in an SSO environment. An LDAP injection places untrusted input into a directory query without prior sanitization or validation. LDAP injections use characters such as [ ], &, “ ”, and * to alter the meaning of the input and change the intended output.
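The defence against the injection described above is to escape filter metacharacters before untrusted input is placed in a query. The following added example (not from the study guide) shows an RFC 4515 escaping function beside a vulnerable and a hardened filter builder; the attribute names, the filter shape and the sample inputs are constructed for illustration.

```python
"""Escaping untrusted input before it is placed in an LDAP search filter.

Added example, not from the study guide. The objectClass/uid filter and the
sample usernames are constructed for illustration.
"""

# RFC 4515 section 3: these characters must be written inside a filter value
# as a backslash followed by the two-digit hex code of the byte.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Return value with LDAP filter metacharacters escaped (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str) -> str:
    """VULNERABLE: the raw username is concatenated straight into the filter,
    so metacharacters in the input become part of the filter's structure."""
    return f"(&(objectClass=person)(uid={username}))"


def build_login_filter_safe(username: str) -> str:
    """Hardened: the same filter, but the value is escaped first, so any
    metacharacters are matched literally instead of changing the query."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def count_clauses(ldap_filter: str) -> int:
    """Number of filter components, i.e. unescaped opening parentheses.

    Escaped parentheses appear as \\28 and \\29, so a simple count is exact
    for filters built with escape_filter_value(). A login filter built from
    a single username must always have exactly three components.
    """
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed input containing filter metacharacters.
    for name in ("alice", "*)(uid=*"):
        print(count_clauses(build_login_filter_unsafe(name)),
              build_login_filter_unsafe(name))
        print(count_clauses(build_login_filter_safe(name)),
              build_login_filter_safe(name))
```

In practice, use the escaping routine shipped with the LDAP client library rather than a hand-written table (for example `ldap3.utils.conv.escape_filter_chars` in the Python `ldap3` package), and escape distinguished-name components separately, since DNs follow different escaping rules (RFC 4514) from filters.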

Open Authorization (OAuth)

OAuth is an open standard authentication method commonly used on websites. OAuth allows the user to decide how much information they wish to share with a third-party application, such as whether or not to allow the website to access their files or photos, without sharing credential information.

Security Assertions Markup Language (SAML)

SAML is an open standard used for the exchange of authentication and authorization information between an IdP and an SP. A request is made by a client through the SP, and the SP sends this request to the IdP, which authenticates the request and sends the resulting information back to the SP. This is a trust-based relationship and is used with federations for SSO capabilities.

Interoperability

Interoperability is the ability of different authentication and authorization systems, such as OAuth and SAML, to be able to communicate with one another. Without interoperability, communicating users would be required to use the same authentication tool to communicate with one another.

Attestation

Attestation, like authentication, provides confirmation of identity in order to access a system. Unlike authentication, however, attestation does not validate users, but rather the hardware or devices. Attestation compares hardware identifiers against known validated identifiers to ensure that only allowed devices are able to connect to a network.

Access Controls

An access control scheme is a method for designating what privileges, services, and programs a user is allowed to use. Access control schemes can be very limiting or very broad depending on the scheme applied.

Mandatory

A mandatory access control (MAC) scheme relies on the operating system to enforce access policies set by the system administrator. For example, a file could be designated as secret or top secret, which would only allow access to users who meet the specified criteria. MAC attaches access control to the entity being accessed, as set by an administrator, rather than to the user.

Discretionary

Discretionary access control (DAC) schemes place access control in the hands of the object’s owner. An owner creates a file and then has the ability to change the permissions associated with that file. DAC schemes are commonly seen in home networks.

Role-Based

A role-based access control scheme (RBAC) bases permissions on roles assigned to a user. For example, a user may be assigned the role of human resources, which allows them to access all data related to and needed for the execution of this role. RBAC has three main components: role assignment, role authorization, and permission authorization.

Rule-Based

A rule-based access control (RuBAC) scheme (sometimes referred to as RBAC, but RuBAC is used here for clarity) bases permissions on a preset ACL for specific resources. For example, a firewall is a RuBAC since it bases access decisions on a preset list of rules.

Attribute-Based

An attribute-based access control (ABAC) scheme bases permission decisions on attributes, or characteristics, of the user. An ABAC scheme allows for the most granular control and flexibility over a user’s rights but may be difficult to manage due to this complexity.

Time-of-Day Restrictions

Time-of-day restrictions place a definitive time period for accessibility to a resource. For example, an organization that only operates from 9 a.m. to 5 p.m. may place time-of-day restrictions on network access from 8:30 a.m. to 5:30 p.m., denying access when not in that time period.
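The schemes above are easiest to compare when they are written as code. The following added example (not from the study guide) is a small deny-by-default policy engine that layers a role-based check, an attribute-based check and a time-of-day window; the roles, permissions, user attributes, resource classifications and the 8:30 to 17:30 window are constructed for illustration.

```python
"""Small policy engine combining RBAC, ABAC and a time-of-day restriction.

Added example, not from the study guide. Roles, permissions, attributes
and the business-hours window are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import time

# RBAC: permissions are attached to roles, and users are assigned roles.
ROLE_PERMISSIONS = {
    "hr": {"read:payroll", "write:payroll"},
    "engineer": {"read:source", "write:source"},
    "auditor": {"read:payroll", "read:source"},
}

# Time-of-day restriction: access is allowed only inside this window.
BUSINESS_HOURS = (time(8, 30), time(17, 30))


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    # ABAC attributes of the subject (constructed)
    department: str = ""
    clearance: int = 0
    mfa_verified: bool = False


@dataclass
class Resource:
    name: str
    department: str
    classification: int  # 0 = public ... 3 = restricted (constructed scale)


def rbac_allows(user: User, permission: str) -> bool:
    """RBAC: allowed if any of the user's roles carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)


def abac_allows(user: User, resource: Resource) -> bool:
    """ABAC: compare subject attributes with resource attributes.

    Constructed policy: department must match, clearance must cover the
    classification, and classification 2 or higher additionally requires MFA.
    """
    if user.department != resource.department:
        return False
    if user.clearance < resource.classification:
        return False
    if resource.classification >= 2 and not user.mfa_verified:
        return False
    return True


def within_hours(now: time, window=BUSINESS_HOURS) -> bool:
    """Time-of-day restriction: True only inside the permitted window."""
    start, end = window
    return start <= now <= end


def authorize(user: User, permission: str, resource: Resource, now: time) -> tuple:
    """Every layer must agree; the first failing layer names the reason."""
    if not within_hours(now):
        return False, "outside permitted hours"
    if not rbac_allows(user, permission):
        return False, "role lacks permission"
    if not abac_allows(user, resource):
        return False, "attribute policy denied"
    return True, "allowed"


if __name__ == "__main__":
    payroll = Resource("payroll-db", "hr", 2)
    alice = User("alice", {"hr"}, department="hr", clearance=2, mfa_verified=True)
    print(authorize(alice, "read:payroll", payroll, time(10, 0)))
    print(authorize(alice, "read:payroll", payroll, time(19, 0)))
```

The ordering of the checks is a design choice: the cheapest and most static rule (time window) runs first and the most granular (attribute policy) last, and the function never reaches "allowed" unless every layer returns true.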

Least Privilege

The principle of least privilege is one of the most important concepts in identity and access management. Least privilege states that a user’s permissions should be limited to only the resources that are required to accomplish a task or job function. Least privilege ensures that a user will not be able to access unnecessary resources or portions of a network. In case of a breach, the principle of least privilege ensures the threat actor is only able to access minimal resources and will not be able to escalate their position.

Multi-Factor Authentication (MFA)

MFA is using two or more ways to authenticate to a system. This includes using factors such as “something you know,” “something you have,” and “something you are.” It is common to use a hardware token and a password, which is something you have (hardware token) and something you know (password). We will go into these concepts in more detail below.

Implementations

There are a number of technologies that assist with implementing user authentication into a system.

Biometrics

Biometrics are methods used to identify physical characteristics (e.g., fingerprints), also known as “something you are.” They confirm a person’s identity. Here are descriptions of many of these methods:

  • Fingerprinting examines the patterns of the ridges and valleys of a finger.
  • Retina scanning uses the pattern of blood vessels in the retina of a person’s eye.
  • An iris scan uses infrared imaging of the eye.
  • A facial scan matches the image of a person’s face against a database.
  • A voice scan matches the sounds and patterns of a person’s voice.
  • A vein scan detects patterns in veins, most often in a person’s finger.

Note: A vein scanner does not need to touch the person, which is a benefit over fingerprint scanners.

Hard/Soft Authentication Tokens

The term token key can be used interchangeably with the term token, hardware token, or security token. This is a hardware device that is used to authenticate into a system, typically using an HMAC-based one-time password (HOTP). This system uses either a physical token or a code-generation application and a validation server to produce OTPs by using a shared seed value and an iterative value to produce a single-use password when an action is taken, such as pressing a button.
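The HOTP mechanism described above can be shown end to end: the token side computes a code from the shared seed and a counter, and the validation server checks it with a look-ahead window so that a button pressed without logging in does not desynchronise the pair. This is an added example, not code from the study guide; the seed is the published RFC 4226 test secret and the window size is a constructed choice.

```python
"""HOTP (RFC 4226) as produced by a hardware or software token, plus the
validation server's look-ahead and replay handling.

Added example, not from the study guide. RFC4226_SECRET is the test vector
secret from RFC 4226 appendix D; a real seed is random bytes provisioned
to both the token and the server. The look-ahead of 5 is a constructed choice.
"""
import hashlib
import hmac
import struct

RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute one HOTP value for the given counter (the 'iterative value')."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpValidator:
    """Server-side state for one token: the shared seed and the next counter."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0             # next counter value the server expects
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        """Accept the code if it matches one of the next `look_ahead` counters.

        On success the server counter moves past the matched value, so the
        same code (or any earlier one) is rejected if it is replayed.
        """
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))
    server = HotpValidator(RFC4226_SECRET)
    print(server.verify(hotp(RFC4226_SECRET, 0)), server.verify(hotp(RFC4226_SECRET, 0)))
```

Two details matter for a validation server: the comparison uses a constant-time function, and a successful match always advances the counter past the matched value, which is what makes each OTP single-use.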

Security Keys

A security key is a passwordless method of authentication that employs a hardware device capable of creating OTPs, certificates, and public key cryptography. The security key, previously provisioned, communicates with the authentication system of the connected device and typically requires an additional method of authentication, such as a PIN or a biometric factor, without requiring a password.

Factors

There are multiple common authentication factors and attributes that can make up MFA.

Something You Know

This factor is something like a PIN or a password that only a person who has been granted access would know.

Something You Have

This factor is something like a smart card or a token that only a person who has been granted access would have.

Something You Are

This is a physical trait of a person who has been granted access, like a fingerprint or retina.

Somewhere You Are

This is a location factor and is reliant on a person’s current location or GPS coordinates. For example, the user’s IP address may be used when authenticating.

Password Concepts

Passwords are among the most vulnerable components of a network. Due to the high number of passwords that a user may be required to remember, simple passwords, reused passwords, and easily discovered passwords are common. To create a secure network, employing these secure password concepts is paramount.

Password Best Practices

Password best practices are guidelines and protocols designed to protect an account from breach. Account policies can dictate the restrictions and guidelines for password creation.

Length

Password length refers to the requirement of a password to contain a specific number of characters to be accepted. Passwords should not be too short, under eight characters for instance, nor should they be too long, such as over 15 characters.

Complexity

Password complexity refers to the requirement that certain criteria be met when creating a password, such as a minimum length or the usage of capitalization, numbers, and/or special characters.

Reuse

Password reuse refers to the creation of a password that has previously been used by a user. Password reuse policies may define how many different passwords must be used before a password is available for reuse.

Expiration

Password expiration refers to the placement of a time limit on the use of a current password before it must be reset. For example, a password may require resetting every three months.

Age

Password age refers to how long a password must be in use before resetting is allowed. Password age requirements prevent users from attempting to trick an authentication system by resetting a password over and over again to bypass the reuse policy, for example.
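The five policy elements above (length, complexity, reuse, expiration, age) combine into a single rule set that an identity system applies on every password change and login. The following added example (not from the study guide) enforces them for one account record; the thresholds, the hashing parameters and the sample passwords are constructed, and it enforces only the lower length bound.

```python
"""Password policy enforcement: length, complexity, reuse history,
expiration and minimum age for one account.

Added example, not from the study guide. Thresholds, the Account record
and the PBKDF2 parameters are constructed for illustration.
"""
import hashlib
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MIN_LENGTH = 8                  # length: not shorter than eight characters
HISTORY_SIZE = 5                # reuse: the last five passwords are blocked
MAX_AGE = timedelta(days=90)    # expiration: reset every three months
MIN_AGE = timedelta(days=1)     # age: no second change within one day


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked history file does not reveal old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    history: list = field(default_factory=list)   # [(salt, digest)], newest last
    last_change: Optional[datetime] = None


def meets_complexity(password: str) -> bool:
    """Minimum length plus at least three of: upper, lower, digit, special."""
    if len(password) < MIN_LENGTH:
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(classes) >= 3


def is_reused(account: Account, password: str) -> bool:
    """Reuse: compare against the stored hashes of the last HISTORY_SIZE passwords."""
    return any(_hash(password, salt) == digest
               for salt, digest in account.history[-HISTORY_SIZE:])


def is_expired(account: Account, now: datetime) -> bool:
    """Expiration: a password older than MAX_AGE (or never set) must be reset."""
    return account.last_change is None or now - account.last_change > MAX_AGE


def change_password(account: Account, new_password: str, now: datetime) -> str:
    """Apply every rule; return "ok" or the reason the change was refused."""
    if account.last_change and now - account.last_change < MIN_AGE:
        return "too soon since last change"          # minimum age
    if not meets_complexity(new_password):
        return "does not meet length/complexity"
    if is_reused(account, new_password):
        return "password was used recently"          # reuse policy
    salt = os.urandom(16)
    account.history.append((salt, _hash(new_password, salt)))
    account.last_change = now
    return "ok"


if __name__ == "__main__":
    acct = Account("alice")
    t0 = datetime(2024, 1, 1, 9, 0)
    print(change_password(acct, "short1!", t0))
    print(change_password(acct, "Correct-Horse-9", t0))
    print(change_password(acct, "Correct-Horse-9", t0 + timedelta(days=2)))
```

The minimum-age check runs before anything else so that cycling through new passwords to flush the history (the trick the guide describes) is refused on the very first attempt.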

Password Managers

A password vault, sometimes referred to as a password manager, is a software authentication management tool that provides a central location for the storage, management, and security of multiple passwords.

Passwordless

Passwordless authentication is a method that uses a physical device, such as a password key, to authenticate to a system. A password key, sometimes referred to as a security key, stores authentication data. Password keys come in numerous form factors and connectivity types and may provide one-time passwords, public key cryptography, or other security protocols.

Privileged Access Management (PAM) Tools

PAM tools are controls that allow for the managing of privileged accounts to increase security. Since privileged accounts have greater control over a system, PAM schemes are usually based on the principle of least privilege.

Just-in-Time (JIT) Permissions

JIT permissions are permissions that are only accessible on an as-needed basis. A user will gain JIT permissions only when required and will lose access to those permissions when finished. These permissions are often attached to a specific duration and will automatically terminate access when the time expires.

Password Vaulting

Password vaulting is the process of storing passwords in a centralized, encrypted location with highly restricted access limited to PAM users. It allows a PAM user to access multiple credentialed resources without requiring password input, similar to how a cellular device remembers credentials and passwords for autofill.

Ephemeral Credentials

Ephemeral credentials are temporary credentials with a predefined limited life span. Ephemeral credentials are commonly created with guest accounts or for users who need temporary access to non-typical resources.
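Just-in-time permissions and ephemeral credentials are two views of the same mechanism: a grant is issued for a bounded duration and the credential stops validating when that duration ends. The following added example (not from the study guide) is a small access broker implementing both; its API, the 30-minute cap and the sample roles are constructed for illustration.

```python
"""JIT access grants backed by ephemeral credentials with automatic expiry
and an audit trail of every issue and revocation.

Added example, not from the study guide. The JitBroker class, its method
names, the duration cap and the sample roles are constructed.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Grant:
    user: str
    role: str
    token: str            # the ephemeral credential handed to the user
    expires_at: datetime


class JitBroker:
    def __init__(self, max_duration: timedelta = timedelta(hours=1)):
        self.max_duration = max_duration
        self._grants = {}     # token -> Grant, only live grants are kept
        self.audit = []       # (time, message), for review after the fact

    def request(self, user: str, role: str, duration: timedelta,
                now: datetime) -> Grant:
        """Issue an ephemeral credential; the requested duration is capped."""
        duration = min(duration, self.max_duration)
        token = secrets.token_urlsafe(32)
        grant = Grant(user, role, token, now + duration)
        self._grants[token] = grant
        self.audit.append((now, f"issued {role} to {user} until "
                                f"{grant.expires_at.isoformat()}"))
        return grant

    def check(self, token: str, role: str, now: datetime) -> bool:
        """True only for a live grant covering this role.

        An expired grant is revoked the moment it is presented, so access
        terminates automatically once the time window has passed.
        """
        grant = self._grants.get(token)
        if grant is None:
            return False
        if now >= grant.expires_at:
            self.revoke(token, now, reason="expired")
            return False
        return grant.role == role

    def revoke(self, token: str, now: datetime, reason: str = "released") -> None:
        """Remove a grant early (user finished) or on expiry."""
        grant = self._grants.pop(token, None)
        if grant is not None:
            self.audit.append((now, f"revoked {grant.role} from {grant.user}: {reason}"))

    def sweep(self, now: datetime) -> int:
        """Background job: revoke every expired grant; returns how many."""
        expired = [t for t, g in self._grants.items() if now >= g.expires_at]
        for t in expired:
            self.revoke(t, now, reason="expired")
        return len(expired)


if __name__ == "__main__":
    broker = JitBroker(max_duration=timedelta(minutes=30))
    t0 = datetime(2024, 1, 1, 9, 0)
    g = broker.request("alice", "db-admin", timedelta(hours=5), t0)
    print(broker.check(g.token, "db-admin", t0 + timedelta(minutes=10)))
    print(broker.check(g.token, "db-admin", t0 + timedelta(minutes=31)))
    for entry in broker.audit:
        print(entry)
```

Capping the requested duration at a broker-wide maximum, rather than trusting the requester, is what keeps a JIT grant from quietly turning into standing access.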

Automation and Orchestration

Automation and orchestration is the process of using programs and systems to complete security tasks automatically with minimal human interaction. Automation is the practice of using software to test and monitor code for flaws, such as security vulnerabilities, reducing the need for human interaction and increasing security effectiveness. Scripting allows for tasks to be automated or streamlined, which saves time for other jobs.

Orchestration is the process of integrating all the different security tools and systems, including ones using automation, into one cohesive network. For the Security+ exam, you must be able to explain the importance of automation and orchestration related to secure operations.

Use Cases of Automation and Scripting

Security orchestration, automation, and response (SOAR) is a service that is designed to provide an organization automation of manual processes such as monitoring, alerting, investigation, remediation, reporting, and compliance. It provides real-time visibility into networks and endpoints on the network. SOAR and similar systems have multiple use cases.

User Provisioning

Automation can use scripts to provision and deprovision user resources, adding and removing permissions based on predefined rules, reducing the possibility of human error.

Resource Provisioning

Scripts may also be used to provision or allocate resources on an as-needed basis, increasing and supporting performance without relying on human intervention.

Guardrails

A guardrail is a security tool that uses a predefined set of rules to monitor a system to ensure security standards are adhered to. They are commonly used for automation monitoring. Guardrails provide a clear set of boundaries to automated systems, ensuring that the automation process does not exceed its intended scope.

Security Groups

Automation may also be used to monitor and control security groups, supporting proper user permissions and group admission and membership.

Ticket Creation

A ticket is a common tool for reporting technical problems within an organization. Automation can create tickets and ensure the proper support personnel are notified in a timely manner.

Escalation

When a significant incident is identified, it may require intervention from higher-level entities. Using automation for escalation increases the speed and efficiency of the intervention.

Enabling/Disabling Services and Access

When a network component, such as a system, service, device, or access point, needs to be enabled or disabled, automation can be used to accomplish the task quickly and easily without relying on human intervention.

Continuous Integration and Testing

In the continuous integration and delivery (CI/CD) process, continuous integration refers to moving new or altered code into the code repository on a continual basis to streamline the development process. During continuous integration, when a developer adds or alters code in the repository, an automated action can be triggered to build, test, and deploy the changes directly into the software being developed.

Integrations and Application Programming Interfaces (APIs)

An API is the interface between clients, servers, applications, and operating systems that informs how they communicate with each other. There are multiple methods to protect APIs, all of which can be automated, such as authentication, which can prevent unauthorized access, and authorization, which ensures each developer does not have root access, just the access level that is needed to do their job.

Benefits

Using software for automation and orchestration can provide numerous benefits to a network by removing the human error factor.

Efficiency/Time Saving

By using automation, a computing device can quickly and efficiently complete tasks that may have taken a human hours or even days to complete, saving significant time.

Enforcing Baselines

A baseline is only effective if it is enforced. Automation can be used to monitor for lapses in baseline standards, increasing security.

Standard Infrastructure Configurations

In a large enterprise, the process of configuring devices can be time-consuming if done manually. Automation can be used to streamline the process and reduce the potential for human error in the process.

Scaling in a Secure Manner

Scaling is the process of increasing a network’s infrastructure, which creates more complex and integrated communications within the network. Scaling using automation increases security by evaluating and applying security configurations to all communications.

Employee Retention

Using automation to perform highly repetitive and mundane tasks rather than requiring an employee to complete them can increase employee satisfaction, which leads to higher employee retention.

Reaction Time

Automation can identify and respond to a security issue extremely quickly, greatly increasing the speed at which a network, system, or entity can react to the incident.

Workforce Multiplier

Automation can be used as a workforce multiplier by completing tasks that would take multiple human workforce members to complete.

Other Considerations

While the benefits of using an automation and orchestration system for security-related tasks may seem wonderful, there are drawbacks that must be considered.

Complexity

Creating and maintaining scripts for automation is a highly complex process and requires extensive technical skill to accomplish.

Cost

The additional costs of using automation and orchestration systems include upfront costs, training costs, upkeep costs, and the possible addition of highly skilled employees.

Single Point of Failure

If the security of an entire network is dependent on a single automation and orchestration system, it creates a single point of failure, meaning if that system fails, the entire network is vulnerable.

Technical Debt

Technical debt occurs when a system is unable to keep up with current changes in the technical environment. Automation scripts may quickly become outdated, leading to technical debt.

Ongoing Supportability

To remain effective, all computing systems require support from the manufacturer in the form of patches, updates, and technical support. As a system ages, it may reach end-of-life (EOL) and no longer be supported. Likewise, as technology progresses, the system may no longer be interoperable with newer devices.
