Access Control and Authentication Quiz - Week 4

Questions and Answers

What is a primary concern when using biometrics in systems?

Privacy concerns over storing sensitive data (correct)

Cost of hardware

Speed of data processing

User interface design

Authorization is the same as identification in security systems.

False

What does the Principle of Least Privilege entail?

Users should only be given the minimum access necessary to perform their job.

Vertical escalation involves gaining access to a ________ privilege account.

higher

Match the following access control terms with their definitions:

Authorization = Permission to perform a task Privilege Escalation = Gaining unauthorized access to higher-level account Reference Monitor = Checks user authorization for resources Basic Access Modes = Types of actions that can be performed on an object

What are the three stages involved in access control?

Identification, Authentication, Authorization

Multifactor Authentication (MFA) enhances security but does not affect usability.

False

What is a method used to protect passwords during storage?

Hashing

A long pseudo-random string added to a password before hashing is known as a ______.

salt

Which of the following is NOT a challenge in password security?

Password hashing

Match the following biometrics with their types:

Facial identification = Physical biometrics Typing patterns = Behavioural biometrics Fingerprint recognition = Physical biometrics Voice recognition = Behavioural biometrics

Liveliness detection aims to confirm that a biometric sample comes from a live person.

True

Name one type of attack aimed at compromising password security.

Brute force attack

Which of the following is NOT a concern related to biometric systems?

Increased speed of verification

Authorization and authentication are the same concepts in security systems.

False

What does the Principle of Least Privilege aim to achieve?

Limit user access to the minimum necessary for their job

In a traditional access control model, the __________ monitors and checks if the user has the correct authorization.

reference monitor

Match the following types of privilege escalation with their descriptions:

Vertical escalation = Gaining access to a higher privilege account Horizontal escalation = Accessing similar functions but different data

Which of the following factors is NOT considered in authentication?

Something you see

Multifactor Authentication is used primarily for easing usability.

False

What is the purpose of a salt in password security?

To make password hashes unique and protect against attacks.

___ are examples of biometric identification methods.

Facial identification and fingerprint recognition

Which modeling technique helps in estimating the difficulty of guessing passwords?

Shannon's entropy

Match the following types of biometrics with their characteristics:

Fingerprint recognition = Physical biometrics Typing speed = Behavioral biometrics Facial identification = Physical biometrics Voice recognition = Behavioral biometrics

Name one type of attack that targets password security.

Brute force attack or dictionary attack.

Behavioural biometrics include how a user interacts with their device.

True

Study Notes

Access Control

• Involves three stages: identification, authentication, and authorization
• Identification: claiming an identity
• Authentication: proving identity
• Authorization: checking permissions for specific actions or data

Authentication Factors

• Something you know (e.g., passwords)
• Something you have (e.g., access cards)
• Something you are (e.g., biometrics)

Multifactor Authentication (MFA)

• Uses two or more authentication factors for enhanced security
• May impact usability

Password Security

• Challenges balancing strength and memorability
• Password strength is often measured by entropy
• Common passwords skew entropy calculations
• Shannon's entropy model helps estimate difficulty of guessing predictable passwords

Password Storage

• Uses hashing and salts to protect passwords
• Salt: a long, pseudo-random string prepended or appended to a password before hashing
• This prevents direct storage of plain text passwords
• Different passwords, even with the same value, result in different hashed values due to the inclusion of a salt

Password Attacks

• Brute-force attacks
• Dictionary attacks
• Pre-computed hash table attacks

Password Guidance

• Use three random words for memorable and strong passwords

Biometrics

• Physical biometrics: facial identification, fingerprint recognition
• Behavioural biometrics: how a user types
• Identification Mode: Using biometrics to find a user in a database

Verification Mode

• User matches with a stored template of biometric recognition

Fingerprint Biometrics Limitations

• Fingerprints can change due to cuts or damage
• Wet or faked fingerprints can cause issues
• Fingerprints can be lifted from surfaces

Biometric Concerns

• Privacy concerns over storing sensitive biometric data
• Failure to capture biometrics during enrollment or verification
• Balancing false accept and false reject rates with system usability and cost
• Concerns about diversity in machine learning training sets for biometrics

Access Control Model

• Four entities: subject (user/process), access request, object (resource), reference monitor

Least Privilege Principle

• Users should only have the minimum necessary access to perform their job
• Reduces risk of information disclosure and privilege escalation

Privilege Escalation Attacks

• Vertical escalation: gaining access to a higher privilege account
• Horizontal escalation: accessing similar functions with different data (e.g., another user's account)
• Often performed through password guessing or SQL injection

Description

Test your knowledge on the key aspects of access control, including identification, authentication, and authorization. Explore multifactor authentication, password security, and effective password storage techniques. This quiz covers essential concepts critical for maintaining security in digital systems.