Identity and Access Management Explained | TryHackMe

Captions
What's going on guys, welcome back to the Security Engineer track from TryHackMe. In today's video we're going to cover the Identity and Access Management room, so let's take a look at this room. You have this illustration here, and this illustration actually summarizes all the concepts that we're gonna talk about in this room, which are the identity and access management concepts. As you can see, it starts off with someone who looks like a bodyguard asking "who are you?", and you, as the person who's trying to get access to some area, answer with your name: "I am Lucas." Here the security guard is telling you "can you prove it?", and then you're pulling out your ID card that states your name. After the bodyguard has identified and authenticated you through your name and through your ID card, he has actually authorized you to get access to wherever you're trying to get access. It could be your gym subscription, it could be your company, or you could be a new hire on your first day. So he's telling you "you are authorized to enter, don't break anything, we have cameras everywhere."

So as you can see, first is the identification phase: the security guard is trying to identify who you are. It's the same process when you try to log in to your account on any website. When you try to log into TryHackMe it asks you for your username, so at this stage we are asking for the identification. Then, as you can see here, the security guard wanted proof, so they ask you to prove that you are who you claim to be, so you pull out your ID card. Here you are proving your identity through the ID card, but if you're looking at a website, you prove your identity through the password. Then the security guard is telling you "you are authorized to enter." Here the security guard is telling you what you can do and what you cannot do. In a website example, you can do certain things in your profile: you can edit your profile, you can upload a new photo, you can browse the site, but most definitely you're not going to be able to access the administration panel of that website. So we are authorized to do certain things; this is called the authorization phase.

Then we have the last phase, which is accountability. Here the security guard is telling you "don't break anything, we have cameras everywhere." So the cameras are playing the role of the entity which can prove that you did something or you did not do something. In the case of cyber security this is the phase of accountability, which is achieved by logging. The website TryHackMe, for example, has logs for your activities on the platform; these logs serve accountability, they can prove that you did or did not do certain things. So this illustration here has the whole story of this video, identity and access management.

All right, let's talk now about identity and access management. The first thing I would like to tell you guys: I am preparing notes for the CompTIA Security+ certificate, this is in the pipeline. Before that, we finished the Offensive Security Certified Professional notes; you can find them if you are subscribed to the channel membership.

Now let's talk about identity and access management. Everything that actually organizes identity is part of what's called access control. Access control is there to maintain the confidentiality of the information: we don't want sensitive information to get disclosed or fall into the wrong hands, so we want to maintain confidentiality through access control. With access control we try to manage identities: identification, authentication, authorization and accountability. As you saw previously in the figure, guys, this is the identification phase, here we ask who you are. Identification can be achieved by asking who you are through a username; it could be an email address, it could be a username, it could be an ID number or it could be an ID card, it could be a name. So it is that which identifies who you are.

The next phase is authentication. In authentication we try to prove that you are who you claim to be; in the case here we ask for the identity card, but in other instances you might be asked to provide proof. There are three types of proof that you can provide. We start with something you know. Something you know is something that you memorize: it could be a password, it could be a PIN or it could be a passphrase. This is certainly something you are familiar with; when you log into a website or your profile you are asked for your password, this is something you know. Now in other instances you might be asked for something you have: it could be a security key, okay, it could be a phone. So a phone has a SIM card, and the SIM card could receive an SMS that verifies who you are, so yeah, something you have and something you know. And lastly, something you are: here we prove your identity through biometric readers such as fingerprint readers and facial recognition; they are widely used now in cell phones. So here the authentication phase can be achieved through three different aspects: either something you know, a password; something you have, a physical key or physical object; or something you are, through biometric recognition.

Now recently all the technologies started to implement multi-factor authentication. It combines two of these: it either combines something you know with something you have, or it could combine something you know with something you are. So an example of multi-factor authentication is a password with a phone. Here you enter the password and then an SMS is sent to the phone number; if you are the owner of the phone number you would be able to receive the SMS and enter it to be able to log into your profile.

So access control here, guys: first you identify, we will authenticate you, and then after you are authenticated there are policies to set what you are authorized and what you are not authorized to do. This authorization sets your permissions and privilege level. Okay, so here in the example, as you can see, you are authorized to enter only these facilities; we might not be authorized to enter other facilities. This is called authorization. Now in the digital world it could be, for example, that here I can access these pages in the platform, but certainly the website TryHackMe has other pages that I cannot access because I'm not authorized to do that; there are policies set to prevent me from doing that. So authorization is enforced through security policies and permissions.

After we set the permissions we do accountability. Accountability is achieved by logging, so logging is important to hold someone accountable for their actions. In the case of the illustration here, the security cameras achieve this objective by monitoring what you do while you are in the facility. In the digital world we use logging: Windows event logging, for example, Apache logs, all sorts of logging. They contain the actions the users did, the time, what kind of actions they performed; all of that is to achieve accountability. Now these four phases are part of identity and access management, okay.

Now let's see what the questions are that we need to answer. In summary, this is all you need to know about this room. Questions now, let's see. "You are granted access to read and send an email. What's the name of this process?" This is authorization; here you can do certain things and you cannot do other things. "Which process would require you to enter your username?" Of course it is identification, we want to see who you are. "Although you have write access, you should only make changes if necessary for the task. What process is required to enforce responsibility?" It is accountability.

All right, questions regarding identification. "Which of the following cannot be used for identification?" Email address can be used for identification, mobile number can be used for identification, because these are unique things that are attributable to you as a person. I mean your email address, no one can have your email address, right? It's unique to you. No one can register the same mobile number. Year of birth? Year of birth here is not something unique, many people could have the same year of birth as you, and therefore year of birth is not considered something that can be used for identification. I mean yeah, sure, because you cannot expect an officer to identify you by asking you "what's your year of birth, man? What's the year of birth, I want to know who you are." It's ridiculous. "Which of the following cannot be used for identification?" Okay, landline number can be used, it's unique, it's only tied to you, it's registered under your name. Street number cannot be used for identification because the street number is actually for the street; it identifies the street, it doesn't identify you. So the answer is 2.

Authentication. Okay, "When you want to check your email, you enter your username and password. What kind of authentication is your email provider using?" It is something you know. Here, as we explained in the document, something you know is something you memorize in your mind: password, passphrase, PIN. "Your bank lets you finish most of your banking operations using its app. You can log into your banking app by providing a username and password and then entering the code received via SMS. What kind of authentication is the banking app using?" It's multi-factor authentication; it's combining your identity, something you know, and something you have, both of them. "Your new landline phone system at home allows callers to leave you a message when the call is not picked up (voicemail). You can call your home number and enter a secret number to listen to the recorded messages. What kind of authentication is being used here?" So basically your voicemail system has an authentication so that it asks you for something you know to enter the messages. "You have just started working at an advanced research center. You learned that you need to swipe your card and enter a four-digit PIN whenever you want to use the elevator. This is common in modern facilities. Under which group does this authentication fall?" It's again multi-factor. Why? Because it's combining more than one sort of authentication: the first type is something you have, swipe your card, it's something physical; and something you know, you remember it in your mind, it's something you know. So if you combine both you end up with multi-factor authentication.

Okay, authorization. "The new policy states that the secretary should be able to send an email on the manager's behalf. What is this policy dictating?" It is authorization: you are authorized, you are given permission to send an email on behalf of your manager. It could mean that you will be able to get access to their email, of course after their consent, and send emails on their behalf. This is authorization. Authorization is seen through permissions, guys, right? Permissions to read, modify, change, delete files and directories. This is an example: "You shared a document with your colleague and gave them view permissions so they could read without making changes. What would ensure that your file won't be modified?" Now here you authorized your colleague to access your file and only read it, okay. Now this is access control. Why? Because it is more than only authorization: you have already authorized your colleague to get access to the document, but you applied additional permissions, which is only letting the colleague read the file. This is access control. "The hotel management decided that the cleaning staff needed access to all the hotel rooms to do their work. What phase is this decision part of?" It is phase one, authorization. Now if we say that, yeah, all cleaning staff will get access to all hotel rooms, but let's say they will not be authorized to enter the bathrooms of all the hotel rooms, this is more than authorization, this is also access control, okay.

Now accountability and logging: here no answers are required.

Identity management. Now let's talk about the difference between identity and access management and identity management. First things first, guys, identity management and access management share one common thing, which is managing identities, meaning creating, provisioning and deleting users. That's the core concept of both, but IAM, or identity and access management, expands on identity management by providing broader aspects such as specifying permissions, specifying roles, onboarding and offboarding, and revoking access.

Attacks against authentication. It's not a complete task, by the way, so I'm not going to touch on this; I'm just gonna cover the answer, replay attack, because there are many attacks against authentication that are not mentioned in this task. So it's enough to know that the answer here is replay attack. A replay attack is when someone is eavesdropping on the packets that you exchange between you and the website. If someone is able to capture these packets, they would take these packets and resend them to the exact same server or website you are trying to get access to. This is called a replay attack.

All right, let's now talk about access control models. There are three kinds of access control models: we have discretionary, role-based and mandatory. I will expand on these in my document later, but discretionary access control is where the data owner specifies to whom they will send the document and what level of access they have. It's very common between family and friends: when you share a document with your friends through WhatsApp or Google Drive, this is discretionary, it's up to you, the file owner, what to do with the file and to whom you send it. Role-based access control is based on job description, or what you need to do to accomplish your job, so based on your job the permissions and the level of access are assigned. And mandatory access control is the strictest level of access control; it's common in military organizations, where it is there to maintain the confidentiality of highly classified data.

Single sign-on: it's using one account and one password for all the services. An example is when you log into any site using your Google credentials or using your Facebook credentials; this is single sign-on. "Does single sign-on simplify MFA use as it needs to be set up once?" Yes, because again, guys, back to the Google example: when you log into any site using Google, if you set up multi-factor authentication on your account in Google, it can ask you for the code sent by SMS, so yes, it simplifies it. "Is it true that single sign-on can be cumbersome?" Nope. "Does SSO allow users to access the right services after signing in?" Yes, because an example would be accessing your Gmail. So if we go to Gmail now with our username and password we can access all of the services here: YouTube, Play, Meet, Gmail, News, Chat, Contacts. All these are services hosted behind Gmail; with single sign-on, with your Gmail credentials, you'll be able to access these services. Similarly in Active Directory setups in organizations, when you log into an account you'll be able to access the file share, you'll be able to access other services and programs, right from one account. "Does this mean I need to create and remember a single password?" Yes, it's a single password for a single account.

Now to the scenario. This is a timed quiz, okay, so let's start. "Yoshiro locked his computer and went to the cafeteria to have lunch." We have timing here, so we're gonna make sure we hit the time correctly. "Yoshiro locked his computer and went to the cafeteria to have lunch, but Yoshiro had been doing numerous blue team rooms recently, therefore when he came back he checked for invalid logins." So you have here the logs that indicate invalid logins. So what is this called? As you can see, he knows that someone tried to log in. What makes such auditing possible? We need logging; this is logging, guys, and this achieves accountability, okay, and logging. "Thomas checks his computer logs regularly. He comes across the following login occurring, but he was on vacation on that day, so it must be an intruder. What process makes such detection possible?" It is logging. "Juliana called the IT department; the support person asked for her name and she replied." This is asking for identification; identity is identification. "To withdraw money from the bank's ATM, Yoshiro must insert his card and enter the PIN code." Card with PIN, this is authentication. "Still having not enrolled his fingerprint, Yoshiro unlocks his phone by drawing a pattern." This is also authentication, using something you are, you have, sorry. "After a lengthy meeting between the different concerned departments, the newly designed policies grant management..." this is authorization, controlling access. Quick, no time. "After finishing his course, Juliana knows..." okay, we have logs here, no, not locks. "What do you call this restriction imposed?" It is access control, authorization. Yeah, we hit the timing. So okay, "what do you call this restriction imposed by the operating system?" This is access control. "Always forgetting strong passwords, Thomas decided to use a passphrase that invokes imagination: 11 white..." What does a passphrase help with? Of course, authentication. "Juliana noticed that her smartphone was blinking as a new message had arrived. To unlock the phone she used her fingerprint." Fingerprint is something you are, which is part of authentication. "Yoshiro decided to beef up his skills in cyber security. He opened his browser to log in at TryHackMe; in the username or email field he writes this." This is identification, right, and this is a flag. So that was it guys for this room. I'm gonna go on further with all of the rooms to finish this track, so stay tuned and I'm gonna see you in the next video.
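To make the four phases the video walks through concrete, here is an added example (not code from the video or from the TryHackMe room): a small Python model in which a username identifies, a salted password hash plus an RFC 4226 HOTP code (something you know and something you have) authenticate, a role-based policy authorizes, and every decision is written to a log for accountability. The users, passwords, roles and the HOTP secret are constructed sample data; the HOTP counter check also shows how a captured one-time code, replayed as in the attack the video describes, is rejected.

```python
import hashlib
import hmac
import logging

# Accountability: every decision is logged, the digital counterpart of the cameras.
logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
AUDIT = []  # in-memory copy of the log so callers can inspect it

def record(event, user, **details):
    entry = {"event": event, "user": user, **details}
    AUDIT.append(entry)
    logging.info("%s", entry)

def hash_pw(password, salt):
    # Something you know: stored as a salted PBKDF2 hash, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def hotp(secret, counter, digits=6):
    # Something you have: RFC 4226 HOTP code produced by the device holding the secret.
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

SALT = b"constructed-salt"
OTP_SECRET = b"12345678901234567890"  # the RFC 4226 test-vector secret, constructed data
USERS = {  # the username identifies; hash and OTP secret authenticate; roles authorize
    "yoshiro": {"pw": hash_pw("correct-horse-battery", SALT), "last_counter": -1, "roles": {"analyst"}},
    "thomas": {"pw": hash_pw("Tr0ub4dor&3", SALT), "last_counter": -1, "roles": {"manager"}},
}
POLICY = {"analyst": {"read_email"}, "manager": {"read_email", "send_email"}}  # role-based

def identify(username):
    known = username in USERS
    record("identification", username, known=known)
    return known

def authenticate(username, password, code, counter):
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(user["pw"], hash_pw(password, SALT))
    # A counter not strictly newer than the last accepted one means a replayed code.
    otp_ok = counter > user["last_counter"] and hmac.compare_digest(code, hotp(OTP_SECRET, counter))
    if pw_ok and otp_ok:
        user["last_counter"] = counter
    record("authentication", username, password_ok=pw_ok, otp_ok=otp_ok)
    return pw_ok and otp_ok

def authorize(username, action):
    roles = USERS.get(username, {}).get("roles", set())
    allowed = any(action in POLICY.get(role, set()) for role in roles)
    record("authorization", username, action=action, allowed=allowed)
    return allowed
```

After a run, AUDIT (and the log output) holds one entry per phase, which is what lets a reviewer later establish who did what, the accountability the video ties to logging.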
Info
Channel: Motasem Hamdan
Views: 805
Id: BOheCZe-ENk
Length: 23min 19sec (1399 seconds)
Published: Thu Sep 14 2023