Identity and Access Management

 IAM (Identity and Access Management)

A modern access control system is usually implemented through an Identity and Access Management (IAM) system, which consists of four critical processes: identification (creating a unique user account), authentication (proving a user's identity), authorization (defining what access a user has to resources), and accounting (tracking user activity and alerting on suspicious behavior); essentially ensuring the right people have access to the correct information at the right time while monitoring their actions for security purposes.

Explanation of each process:

Identification:

This initial step involves creating a unique identifier for a user, device, or process on a network, like a username or an account number, so that the system can recognize them.

Authentication:

This process verifies that the user is who they claim to be by checking credentials like passwords, security tokens, or biometric data when they attempt to access a resource.

Authorization:

Once authenticated, the system determines the user's level of access to specific resources based on their assigned permissions, which can be managed through different models, such as discretionary (owner-defined) or mandatory (system-enforced).

Accounting:

This final stage involves recording user activity, including what resources they accessed, when, and any potential anomalies, providing an audit trail for security purposes.

Key points to remember:

Multi-factor authentication:

Modern IAM systems often incorporate multiple authentication factors (like a password and a code sent to your phone) for enhanced security.

Centralized management:

IAM systems typically manage user identities and access rights from a single platform, simplifying administration.

Compliance requirements:

IAM systems are crucial in meeting data privacy and security regulations by controlling who can access sensitive information.

 BPDU & Root Guard

A switch utilizes a cache of MAC addresses linked to each port to efficiently forward traffic. Still, when this cache is updated (like during topology changes in STP), it may need to "flood" unicast frames to all ports if it doesn't know the correct destination port, potentially impacting network performance; to mitigate this, configure access ports (connecting directly to host devices) with features like "PortFast" on Cisco switches to exclude them from topology change notifications, minimizing unnecessary flooding of unicast traffic.

 Key points:

 MAC address cache:

A switch stores MAC addresses associated with each port to quickly direct traffic.

 Flooding:

When a switch doesn't know the correct port for a destination MAC address, it sends the frame to all ports, even a unicast frame.

STP and topology changes:

Frequent changes in network topology, especially with Rapid Spanning Tree Protocol (RSTP), can cause the switch to update its MAC address cache frequently, leading to more flooding.

How to minimize flooding on access ports:

PortFast:

Configure "PortFast" on access ports on Cisco switches to prevent them from participating in topology change notifications, reducing unnecessary flooding.

 Edgeport (other vendors):

Similar functionality on non-Cisco switches is often referred to as "edgeport."

 STP commands to further control flooding:

 BPDU Guard:

If a port configured with PortFast receives a Bridge Protocol Data Unit (BPDU), which is expected on switch-to-switch links, it disables the port to prevent misconfiguration.

 BPDU Filter:

It drops all BPDUs on a port and is valid for links between separate switching domains.

Root Guard:

Prevents a switch connected to a specific port from becoming the root bridge in the Spanning Tree network, ensuring that only designated "core" switches can be the root.

Spanning Tree Port States

 Port States - Spanning Tree

When all network bridges have all their ports either in a "blocking" (inactive) or "forwarding" (active) state, the network is considered converged, meaning it has reached a stable loop-free topology; however, if a network change occurs, the network can become temporarily unavailable until the bridges recalculate their states and converge again, with RSTP (a few seconds or less) significantly reducing this downtime compared to the older STP (tens of seconds) protocol by converging much faster.

STP & RSTP - Spanning Tree

 Spanning Tree Protocol

This protocol requires a managed switch. Spanning tree prevents switching loops, which causes a broadcast storm. Without this, the switching loops continue until manually stopped.

Switching loops occur when both ends of the same cable are plugged into the same switch or adjacent wall jacks. This would also happen with multiple uplinks between two switches if LACP (Link Aggregation Control Protocol) is not configured. 

RSTP (Rapid Spanning Tree Protocol) improves STP by providing much faster convergence after any change to the topology. 

The other systems connected to the switch will eventually lose connection as though a DoS (Denial of Service) attack occurs. 

The DP (Designated Port) sends traffic down through the network. The RP (Root Port) sends traffic towards the root bridge. The BP (Blocking Port) prevents a switching loop.

Key Escrow - Private Key

 Key Escrow

A key escrow is typically a third party that safely stores a copy of private keys. They use the M of N control. The M has to be greater than 1, and the N has to be greater than the M. For example, employing 5 trusted individuals (N) would require at least 2 (M), each having part of the key.

This is in case a private key is damaged or lost. Making multiple copies of the private key becomes challenging to manage and could lead to compromise if stored on organization media. 

A company could implement its key escrow by having multiple trusted employees with part of the key. Two or three of them could have USB drives with part of the key. 

Why Password Salting is Essential for Protecting Against Cyberattacks

 Salting Passwords

Password salting is a security measure that enhances the protection of stored passwords by adding random data, known as a "salt," before the password is hashed. This process generates unique hashes for even identical passwords, making it significantly more difficult for attackers to crack them using techniques such as rainbow tables or brute-force attacks. 

What are Salted Passwords and Password Hashing? 

Here's a detailed explanation:

1. What is a salt?

A salt is a random string of characters generated for each password. It's unique to each password instance and is used to enhance the security of the hashing process. 

2. How does it work?

Salt Generation: When a user creates or updates a password, the system generates a random salt. 

Salt Combination: The salt is combined with the user's password before it is hashed. This can be done by prepending or appending the salt to the password, or even by using a more complex method. 

Hashing: The combined string (salt + password) is then processed using a cryptographic hash function (like SHA-256 or bcrypt). 

Storage: The salt and the resulting hash are stored separately in the database. 

3. Why is it important?

Preventing Rainbow Table Attacks: Rainbow tables are precomputed tables of hash values for common passwords. By salting passwords, each password has a unique hash, even if multiple users have the same password, rendering rainbow tables ineffective. 

Defending Against Brute-Force Attacks: Salting makes brute-force attacks significantly more difficult and time-consuming because attackers would need to try every possible salt-password combination. 

Protecting Against Dictionary Attacks: Salting also helps prevent dictionary attacks, where attackers try common words and phrases as passwords, by making each password's hash unique. 

4. Example: 

Let's say two users have the same password, "password". Without salting, they would have the same hash. However, with salting, each user would have a unique salt (e.g., user1: "salt123", user2: "salt456"). The system would then hash "salt123password" and "salt456password" separately, resulting in different hashes, even though the original password was the same. 

5. Best Practices: 

• Random and Unique Salts: Salts should be generated randomly and be unique for each password. 
• Salts are not secrets: While the salt is not a secret, it's essential to store it securely alongside the hash. 
• Re-salting on Password Change: its good practice to generate a new salt each time a user changes their password.

Key Stretching - Protecting Passwords

 Key Stretching

Key stretching is a way of slowing the attacker down from discovering a password in a hashed format. This method uses thousands of rounds of hashing. It first hashes the password, then hashes the hash, and continues this process.

The attacker would have to guess the password and start the hashing process by testing each hash until they find a match.

There are two main methods of key stretching: bcrypt & PBKDF2 (Password-Based Key Derivation 2)