Access Control and Authentication Quiz - Week 4

Questions and Answers

What is a primary concern when using biometrics in systems?

  • Privacy concerns over storing sensitive data (correct)
  • Cost of hardware
  • Speed of data processing
  • User interface design

Authorization is the same as identification in security systems.

False (B)

What does the Principle of Least Privilege entail?

Users should only be given the minimum access necessary to perform their job.

Vertical escalation involves gaining access to a ________ privilege account.

higher

Match the following access control terms with their definitions:

  • Authorization = Permission to perform a task
  • Privilege Escalation = Gaining unauthorized access to higher-level account
  • Reference Monitor = Checks user authorization for resources
  • Basic Access Modes = Types of actions that can be performed on an object

What are the three stages involved in access control?

Identification, Authentication, Authorization (B)

Multifactor Authentication (MFA) enhances security but does not affect usability.

False (B)

What is a method used to protect passwords during storage?

Hashing

A long pseudo-random string added to a password before hashing is known as a ______.

salt

Which of the following is NOT a challenge in password security?

Password hashing (D)

Match the following biometrics with their types:

  • Facial identification = Physical biometrics
  • Typing patterns = Behavioural biometrics
  • Fingerprint recognition = Physical biometrics
  • Voice recognition = Behavioural biometrics

Liveliness detection aims to confirm that a biometric sample comes from a live person.

True (A)

Name one type of attack aimed at compromising password security.

Brute force attack

Which of the following is NOT a concern related to biometric systems?

Increased speed of verification (C)

Authorization and authentication are the same concepts in security systems.

False (B)

What does the Principle of Least Privilege aim to achieve?

Limit user access to the minimum necessary for their job

In a traditional access control model, the __________ monitors and checks if the user has the correct authorization.

reference monitor

Match the following types of privilege escalation with their descriptions:

  • Vertical escalation = Gaining access to a higher privilege account
  • Horizontal escalation = Accessing similar functions but different data

Which of the following factors is NOT considered in authentication?

Something you see (D)

Multifactor Authentication is used primarily for easing usability.

False (B)

What is the purpose of a salt in password security?

To make password hashes unique and protect against attacks.

___ are examples of biometric identification methods.

Facial identification and fingerprint recognition

Which modeling technique helps in estimating the difficulty of guessing passwords?

Shannon's entropy (A)

Match the following types of biometrics with their characteristics:

  • Fingerprint recognition = Physical biometrics
  • Typing speed = Behavioral biometrics
  • Facial identification = Physical biometrics
  • Voice recognition = Behavioral biometrics

Name one type of attack that targets password security.

Brute force attack or dictionary attack.

Behavioural biometrics include how a user interacts with their device.

True (A)

Flashcards

Behavioral Biometrics

Using patterns in human behavior, like typing style, for identification.

Biometrics Privacy Concerns

Storing biometric data raises worries about security and misuse of personal information.

Biometric Capture Failure

Difficulty in capturing biometric data during registration or validation, reducing usability.

False Accept/Reject Rates

Balancing system accuracy with ease of use and cost in biometric systems.

Biometric Training Set Diversity

Ensuring that machine learning models in biometrics use data representing various groups to avoid biases.

Authorization

Determining if a user can perform a specific task after logging in.

Identification vs. Authentication vs. Authorization

Identification is who you are, authentication proves who you are, and authorization defines what you can do.

Lampson's Access Control Model

A model for access control that uses subjects, objects, requests, and a reference monitor.

Reference Monitor

The part of a system that checks if a user has permission to access a resource.

Least Privilege Principle

Giving users only the minimum access needed to do their job, reducing security risks.

Privilege Escalation

Gaining unauthorized higher permission.

Vertical Escalation

Gaining access to a higher privilege account.

Horizontal Escalation

Accessing data or functions meant for other users.

Access Control

A process with three stages: identification, authentication, and authorization to manage who accesses what

Identification

Claiming an identity; the first stage of access control

Authentication

Verifying an identity; the second stage of access control

Authorization

Checking permissions for accessing resources; the third stage of access control

Authentication Factors

Methods used to prove identity (something you know, have, or are)

Multifactor Authentication (MFA)

Using multiple authentication factors for enhanced security

Password Security

Creating, storing, and protecting passwords to resist attacks

Password Entropy

A measure of the difficulty of guessing a password

Password Hashing

Converting passwords into a one-way hash, protecting passwords in storage

Salts in Hashing

Random strings added to passwords before hashing to prevent identical password attacks.

Brute-Force Attack

Trying many passwords until achieving access

Dictionary Attack

Trying common passwords or words as potential access credentials.

Biometrics

Identify individuals based on measurable physical or behavioral characteristics.

Identification Mode (Biometrics)

Finding a user in a database using biometrics.

Verification Mode (Biometrics)

Verifying a user using biometrics.

Liveliness Detection

Ensuring biometric input is from a live person, not a forgery.

Vertical Privilege Escalation

Gaining access to a higher privilege account, like from a regular user to an administrator account, often with more control.

Horizontal Privilege Escalation

Accessing data or functions meant for different users with similar system privileges, like accessing another user's bank account without authorization.

Study Notes

Access Control

  • Involves three stages: identification, authentication, and authorization
  • Identification: claiming an identity
  • Authentication: proving identity
  • Authorization: checking permissions for specific actions or data

Authentication Factors

  • Something you know (e.g., passwords)
  • Something you have (e.g., access cards)
  • Something you are (e.g., biometrics)

Multifactor Authentication (MFA)

  • Uses two or more authentication factors for enhanced security
  • May impact usability

Password Security

  • Challenges balancing strength and memorability
  • Password strength is often measured by entropy
  • Common passwords skew entropy calculations
  • Shannon's entropy model helps estimate difficulty of guessing predictable passwords

Password Storage

  • Uses hashing and salts to protect passwords
  • Salt: a long, pseudo-random string prepended or appended to a password before hashing
  • This prevents direct storage of plain text passwords
  • Even when two users' passwords have the same value, their stored hashes differ because each includes a salt

Password Attacks

  • Brute-force attacks
  • Dictionary attacks
  • Pre-computed hash table attacks

Password Guidance

  • Use three random words for memorable and strong passwords

Biometrics

  • Physical biometrics: facial identification, fingerprint recognition
  • Behavioural biometrics: how a user types
  • Identification mode: using biometrics to find a user in a database
  • Verification mode: the user is matched against a stored biometric template

Fingerprint Biometrics Limitations

  • Fingerprints can change due to cuts or damage
  • Wet or faked fingerprints can cause issues
  • Fingerprints can be lifted from surfaces

Biometric Concerns

  • Privacy concerns over storing sensitive biometric data
  • Failure to capture biometrics during enrollment or verification
  • Balancing false accept and false reject rates with system usability and cost
  • Concerns about diversity in machine learning training sets for biometrics

Access Control Model

  • Four entities: subject (user/process), access request, object (resource), reference monitor

Least Privilege Principle

  • Users should only have the minimum necessary access to perform their job
  • Reduces risk of information disclosure and privilege escalation

Privilege Escalation Attacks

  • Vertical escalation: gaining access to a higher privilege account
  • Horizontal escalation: accessing similar functions with different data (e.g., another user's account)
  • Often performed through password guessing or SQL injection
