Access Control and Security Technologies Quiz

Questions and Answers

What does confidentiality in the CIA of security primarily aim to prevent?

  • Theft of physical hardware
  • Loss of data integrity
  • Inaccessible data to authorized users
  • Unauthorized disclosure of data (correct)

Which of the following methods is NOT associated with ensuring confidentiality?

  • Access controls
  • Encryption
  • Data replication (correct)
  • Secure communication protocols

What does the process of authentication establish?

  • The identity of a user (correct)
  • The level of access granted to data
  • The confidentiality of data
  • The legality of a transaction

In the context of access control, what is authorization primarily concerned with?

Answer: Who can use a system (A)

Which of the following books is focused more specifically on access control and security technologies?

Answer: Security and Access Control Using Biometric Technologies (D)

What is one example of encryption mentioned that helps achieve confidentiality?

Answer: Advanced Encryption Standard (AES) (D)

Which of the following is an essential objective of access control?

Answer: Understanding security concepts and processes (B)

What role does a username play in the identification process?

Answer: Identifies the user seeking access (B)

Which term refers to ensuring that data is accessible to authorized users only?

Answer: Confidentiality (D)

What is NOT a typical focus of hardening access control?

Answer: Increasing hardware performance (B)

Which factor of authentication is generally considered the strongest?

Answer: Something you are (A)

What is the primary purpose of a digital signature?

Answer: To assure authentication and non-repudiation (D)

What does hashing primarily assure in data security?

Answer: Integrity (C)

What is a common drawback when increasing confidentiality in a security system?

Answer: Reduced availability (A)

What is the purpose of account lockout policies?

Answer: To prevent unauthorized access (A)

What does PKI stand for and what is its role?

Answer: Public Key Infrastructure, to issue and manage certificates (C)

Which of the following is NOT considered a factor in creating strong passwords?

Answer: Contains only lowercase letters (B)

What does non-repudiation provide in terms of security?

Answer: Verification of an action taken (A)

What common step should be taken with default passwords on devices?

Answer: Change them before initial use (C)

Which technique is NOT an example of ensuring availability in data security?

Answer: Data encryption (D)

What is the main characteristic of a TOTP?

Answer: It generates passwords that expire every 30 seconds. (B)

What does the False Acceptance Rate (FAR) indicate?

Answer: The rate at which unauthorized users are granted access. (A)

In Multi-factor Authentication, which of the following would not qualify as two-factor authentication?

Answer: A password and a PIN number. (D)

Which protocol is designed for Central Authentication for multiple remote access servers?

Answer: RADIUS (C)

What is a defining feature of Kerberos?

Answer: It provides a ticket-granting mechanism for access control. (C)

What does Single Sign-On (SSO) allow users to do?

Answer: Access multiple systems using a single set of credentials. (C)

What is the primary use of Security Assertion Markup Language (SAML)?

Answer: To facilitate Single Sign-On across web browsers. (A)

Which statement correctly describes the Crossover Error Rate (CER)?

Answer: It is the point at which FAR and FRR are equal. (D)

Which authentication method is more secure than MS-CHAP?

Answer: MS-CHAPv2 (B)

What does the term Federated Identity Management System refer to?

Answer: It allows cross-platform identity verification. (D)

Flashcards

Confidentiality

Confidentiality ensures that only authorized individuals can access sensitive information, preventing unauthorized disclosure. Think of it like a secret code only known to a select few.

Integrity

Integrity ensures that data remains accurate and complete, preventing unauthorized modifications. It's like having a tamper-proof seal on a document.

Availability

Availability ensures that authorized users can access data and resources whenever they need them. It's like a reliable power source that's always on.

Authentication

Authentication verifies the identity of a user, making sure they are who they claim to be. It's like checking someone's ID before granting them access.

Authorization

Authorization determines which actions a user is allowed to perform after their identity has been verified. It's like assigning permissions based on a job role.

Access Control

Access control is a security mechanism that limits access to resources based on user identity and authorization. It's like a gatekeeper who decides who can enter a building.

Hardening Access Control

Hardening access control involves strengthening security measures to make it more difficult for unauthorized users to gain access. It's like reinforcing a building's defenses against intruders.

Data Integrity

Ensures that data has not been altered or corrupted, upholding data accuracy and reliability.

Hashing

A technique to verify the integrity of data by creating a unique hash value. Any alteration to the data will result in a different hash value.

Digital Signature

A digital signature provides authentication and non-repudiation, guaranteeing the origin and authenticity of a document.

Non-repudiation

Ensures entities cannot deny taking a specific action, providing accountability for actions.

Public Key Infrastructure (PKI)

A group of companies that issue and verify certificates, managing the digital identities of individuals and entities.

Identity Proofing

A process to verify the identity of individuals before issuing them credentials, ensuring they are who they claim to be.

Something You Have

A type of authentication method using something you have, for example, a physical card or a token.

HOTP (HMAC-based One-Time Password)

A one-time password generated using HMAC and an incrementing counter. It's valid only once and then expires. Think of it as a disposable code.

TOTP (Time-based One-Time Password)

A one-time password generated using a timestamp, making it expire after a set time, usually 30 seconds. Think of it as a time-limited code.

Something You Are (Biometrics)

A type of authentication method using biometric data, such as fingerprints or iris scans. Think of it as using your body for identification.

False Acceptance Rate (FAR)

The rate at which an unauthorized user is incorrectly identified as authorized. Think of it as a false positive.

False Rejection Rate (FRR)

The rate at which an authorized user is incorrectly rejected. Think of it as a false negative.

Crossover Error Rate (CER)/ Equal Error Rate (EER)

The point where False Acceptance Rate (FAR) and False Rejection Rate (FRR) intersect. Think of it as the balance point between security and convenience.

Multifactor Authentication

Using more than one factor of authentication to verify a user's identity. Think of it as having multiple layers of security.

Single Sign-On (SSO)

A system that allows users to access multiple systems after providing credentials only once. Think of it as a single login for various applications.

Transitive Trust

A type of trust relationship in which a parent domain trusts two or more child domains, leading to mutual trust between the child domains. Think of it as a family tree of trust.

Study Notes

Housekeeping Notice

  • Mute your handphone during class.

Course Information

  • Biometrics: A Very Short Introduction by Michael Fairhurst (2018), Oxford University Press, ISBN-13: 978-0198809104.
  • Biometrics by Anil Jain, Ruud Bolle, Sharath Pankanti (2013), Springer, ISBN: 1475782950.
  • Biometrics by Information Resources Management Association, (2016), IGI Global, ISBN: 1522509844.
  • Advanced Biometrics by Zhang, David (2017), Springer International Publishing Ag, ISBN: 3319615440.
  • Security and Access Control Using Biometric Technologies by Robert Newman (2010), Cengage Learning, ISBN-13: 978-1-4354-4105-7.

Course Title and Chapter

  • TPB 6323 Password Authentication and Biometrics
  • Chapter 1: Access Control: Introduction to Authentication

Objectives

  • Look at various security concepts and processes
  • Understanding the core concept of access control: authentication, authorization
  • Identify various techniques which can be used for hardening access control

CIA of Security

  • The CIA of security is a triangle with Confidentiality, Integrity, and Availability at the corners.

CIA: Confidentiality

  • Prevents unauthorized disclosure of data
  • Ensures data is only viewable by authorized users
  • Examples: Personally Identifiable Information (PII)
  • Methods: Encryption (e.g., Advanced Encryption Standard (AES)), Access controls

Access Controls

  • Identification: Stating your name (without proving it).
  • Authentication: Proving your identity (with password, fingerprint).
  • Authorization: Granting access to resources based on proven identity.

CIA: Integrity

  • Assures data hasn't been modified, tampered with, or corrupted
  • Only authorized users should modify data
  • Hashing assures integrity
  • Examples of hash types: MD5, SHA-1, HMAC, SHA-2
  • If data changes, the hash value changes

Hash Value for Download

  • Examples of hash values (SHA256sum) and their corresponding files/data are provided.
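The slide only shows the published SHA256sum values; the following is an added example, not part of the lecture notes, of how the integrity check is actually carried out. It streams a file through SHA-256, parses a sha256sum-style list, and compares against the published digest in constant time. The file name `release.bin` and the file content are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample: the bytes a download page would publish together with
# its SHA256SUMS entry (hypothetical file name "release.bin").
SAMPLE_CONTENT = b"abc"
SAMPLE_SHA256SUMS = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  release.bin\n"
)


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 64 * 1024) -> str:
    """Stream a file through SHA-256 so large downloads need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse sha256sum output ('<hex>  <name>', or '<hex> *<name>' in binary mode)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_file(path: str, expected_hex: str) -> bool:
    """True only if the file's digest equals the published value.

    hmac.compare_digest runs in constant time, so a mismatch does not leak how
    many leading hex digits agreed.
    """
    return hmac.compare_digest(sha256_of_file(path), expected_hex.lower())


def demo() -> tuple:
    """Write the sample file, verify it, then change one byte and verify again.

    Returns (original_ok, tampered_ok); the second is False because any change
    to the data changes the hash.
    """
    expected = parse_sha256sums(SAMPLE_SHA256SUMS)["release.bin"]
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(SAMPLE_CONTENT)
        original_ok = verify_file(path, expected)
        with open(path, "wb") as f:
            f.write(b"abd")  # one byte changed
        tampered_ok = verify_file(path, expected)
    finally:
        os.remove(path)
    return original_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Note that a hash alone proves integrity, not origin: anyone who can alter the download can also alter a checksum served from the same place, which is why the later slides pair hashing with digital signatures.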

Digital Signatures

  • Makes agreements legally binding
  • Similar to a handwritten signature
  • Provides authentication
  • Provides non-repudiation

Non-Repudiation

  • Prevents entities from denying action
  • Examples: Signing a loan, credit-card purchase
  • Techniques: Digital signatures, audit logs

Certificates and PKI

  • Certificates prove server/user identity
  • PKI manages certificates
  • Similar to credit card companies

CIA: Availability

  • Data and services available when needed
  • Remove Single Point of Failure (SPOF)
  • Techniques: Disk redundancies (RAID), Server redundancies (clusters), Load balancing, Site redundancies, Backups, Alternate power, Cooling systems

Balancing CIA

  • Perfect security is impossible
  • Increasing one CIA component can harm others
  • Example: Complex passwords are harder to remember, so they can reduce availability

Exploring Authentication Concepts

  • Explains various authentication concepts

Access Control

  • Identification, Authentication, and Authorization are key to access control.

Identity Proofing

  • Verifying user's identity before issuing or replacing credentials

Five Factors of Authentication

  • Something you know (password, weakest)
  • Something you have (smartcard)
  • Something you are (fingerprint, strongest)
  • Something you do (gestures on touch screen)
  • Somewhere you are (geolocation)

Password Rules

  • Passwords must be strong (at least 10 characters, mix of upper/lowercase, numbers, symbols)
  • Regularly change passwords
  • Verify user identity before resetting a password
  • Don't reuse passwords
  • Implement account lockout policies
  • Change default passwords
  • Don't write down passwords
  • Don't share passwords
  • Password history remembers previous passwords

Password Rules (cont'd)

  • Account lockout policies: maximum number of incorrect attempts before locking the account (typically 5 attempts), and lockout duration (typically 30 minutes).

Previous Logon Notification

  • Gmail displays recent access information.

Creating Strong Passwords

  • Passwords must be over 10 characters
  • Passwords should not be words found in a dictionary
  • Passwords should contain uppercase letters, lowercase letters, numbers and special characters (at least 3 of these types)
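The two password slides above (the lockout policy of 5 attempts and 30 minutes, and the three strength rules) can be expressed as a small checker. This is an added example, not code from the course; the banned-word list is a constructed sample standing in for a real dictionary, and the clock is injectable so the 30-minute lockout can be exercised without waiting.

```python
import string
import time

# Constructed sample of a banned-word list; a real deployment loads a full dictionary.
DICTIONARY_WORDS = {"password", "welcome", "letmein", "sunshine", "football"}


def check_password_strength(password: str) -> list:
    """Return the rules the password breaks (empty list means it passes).

    Rules follow the slide: over 10 characters, not a dictionary word, and at
    least 3 of the 4 character types (upper, lower, digit, special).
    """
    problems = []
    if len(password) <= 10:
        problems.append("must be over 10 characters")
    if password.lower() in DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("needs at least 3 character types (upper, lower, digit, special)")
    return problems


class AccountLockout:
    """Lock an account after max_attempts consecutive failures for lockout_seconds."""

    def __init__(self, max_attempts: int = 5, lockout_seconds: int = 30 * 60,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock          # injectable for testing
        self._failures = {}         # username -> consecutive failed attempts
        self._locked_at = {}        # username -> time the lock started

    def is_locked(self, user: str) -> bool:
        started = self._locked_at.get(user)
        if started is None:
            return False
        if self.clock() - started >= self.lockout_seconds:
            # lockout duration has elapsed: clear the lock and the failure count
            del self._locked_at[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_attempt(self, user: str, password_ok: bool) -> str:
        """Apply one login attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(user):
            return "locked"         # even a correct password is refused while locked
        if password_ok:
            self._failures.pop(user, None)
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_attempts:
            self._locked_at[user] = self.clock()
            return "locked"
        return "failed"


if __name__ == "__main__":
    print(check_password_strength("Password"))
    lock = AccountLockout()
    for _ in range(5):
        print(lock.record_attempt("alice", False))
```

The lockout counter resets on a successful login, and a correct password submitted during the lockout window is still refused, which is what makes the policy effective against repeated guessing.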

Changing Default Passwords

  • Default passwords on devices (such as routers) must be changed before the device is put into use

Something You Have

  • Smart Cards contain certificates, read by a card reader

Smart Cards

  • Contain certificates
  • Read by a card reader

Embedded Certificate, Public Key Infrastructure

  • Allows issuance and management of certificates
  • Common Access Card (CAC): a single card that replaces separate keys for various applications (door access, hotel, common room access)
  • Personal Identity Verification (PIV) card (e.g., MMU smart card, Malaysian IC, ATM card).

Something You Have (cont'd)

  • Token/Key Fob/Smart Phone (HOTP/HMAC-based One-Time Password)
  • Open standard; uses a secret key and an incrementing counter
  • Creates 6/8-digit value
  • Password valid until used
  • Time-based One-Time Password (TOTP): Uses timestamps, expires every 30 seconds
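The HOTP and TOTP bullets above describe the two algorithms in a sentence each; the following added example (not from the course material) implements both as specified in RFC 4226 and RFC 6238 with the standard library only, plus the server-side checks that give HOTP its "valid until used" property and TOTP its 30-second expiry. The shared secret is the RFCs' own test-vector key, not a real credential.

```python
import hashlib
import hmac
import struct
import time

# The RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890");
# used here only so the outputs can be checked against the published vectors.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, digestmod)


def verify_hotp(secret: bytes, submitted: str, server_counter: int, look_ahead: int = 10):
    """Validate an HOTP code; return the next counter to store, or None on failure.

    Only counters at or beyond the server's value are accepted, so a code is
    valid until used and a replayed (older) code is rejected. look_ahead lets a
    token that was pressed a few times without logging in resynchronise.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


def verify_totp(secret: bytes, submitted: str, for_time=None, step: int = 30,
                window: int = 1) -> bool:
    """Validate a TOTP code, tolerating +/- window steps of clock drift between token and server."""
    if for_time is None:
        for_time = time.time()
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, for_time + drift * step, step), submitted):
            return True
    return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(TEST_SECRET, 0))       # 755224
    print("TOTP at t=59 :", totp(TEST_SECRET, 59, digits=8))  # 94287082
    print("current TOTP :", totp(TEST_SECRET))
```

Because TOTP is just HOTP with the counter derived from time, the two share one code path; the difference in lifetime comes entirely from the verification rule, a counter that only moves forward for HOTP versus a time window for TOTP.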

Something You Are (Biometrics)

  • Fingerprint, Handprint, Palm scanner
  • Retinal scanners (uncomfortable for some)
  • Iris scanners (easier to use)

False Acceptance and False Rejection

  • False Acceptance Rate (FAR): Incorrectly accepting unauthorized users.
  • False Rejection Rate (FRR): Incorrectly rejecting authorized users.
  • Crossover Error Rate (CER) / Equal Error Rate (EER): The point where FAR and FRR are equal.
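How FAR, FRR and the crossover point are obtained from a matcher's scores is easier to see with numbers. The following is an added example, not part of the course notes: the genuine and impostor match scores are a small constructed sample from a hypothetical fingerprint matcher, and the code sweeps the decision threshold, computes both error rates at each value, and reports the threshold where they cross.

```python
# Constructed sample match scores (0 = no match, 1 = perfect match) from a
# hypothetical matcher. "Genuine" = the enrolled user, "impostor" = someone else.
# A real evaluation would use thousands of attempts per class.
GENUINE_SCORES = [0.91, 0.85, 0.78, 0.88, 0.72, 0.95, 0.66, 0.81, 0.77, 0.89]
IMPOSTOR_SCORES = [0.12, 0.33, 0.41, 0.28, 0.55, 0.19, 0.62, 0.37, 0.45, 0.70]


def far(impostor_scores, threshold) -> float:
    """False Acceptance Rate: fraction of impostor attempts accepted (score >= threshold)."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold) -> float:
    """False Rejection Rate: fraction of genuine attempts rejected (score < threshold)."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_curve(genuine_scores, impostor_scores):
    """(threshold, FAR, FRR) at every candidate threshold, in ascending threshold order.

    Raising the threshold lowers FAR (stricter) but raises FRR (more genuine
    users turned away); lowering it does the reverse.
    """
    thresholds = sorted(set(genuine_scores) | set(impostor_scores))
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def crossover_error_rate(genuine_scores, impostor_scores):
    """Threshold where FAR and FRR are closest, and the error rate there (CER / EER)."""
    best = min(error_curve(genuine_scores, impostor_scores),
               key=lambda row: abs(row[1] - row[2]))
    t, f_a, f_r = best
    return t, (f_a + f_r) / 2


if __name__ == "__main__":
    for t, f_a, f_r in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:.2f}  FAR {f_a:.2f}  FRR {f_r:.2f}")
    print("CER:", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

On this sample the curves cross at a threshold of 0.70 with both rates at 10%. A deployment that cares more about keeping impostors out would pick a higher threshold and accept the extra false rejections; one that prioritises convenience would do the opposite. The CER is the single number used to compare systems regardless of that choice.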

Somewhere You Are

  • IP address: Gives general location.
  • MAC address: Identifies a specific device.

Something You Do

  • Windows 8 picture passwords
  • Gestures like tapping/drawing lines
  • Keystroke dynamics (typing)
  • Way you walk
  • Way you sign your name
  • Also called behavioral

Multifactor Authentication

  • More than one authentication method.
  • Could be something you know, have, are, or do.

Comparing Authentication Services

  • Compares different authentication services.

Authentication Services

  • Kerberos: Used in Windows Active Directory Domains, Unix realms, developed at MIT, prevents Man-in-the-Middle and replay attacks

Kerberos Requirements

  • A method of issuing tickets used for authentication.
  • KDC (Key Distribution Center) grants ticket-granting tickets.
  • Time synchronization within five minutes.
  • Database (e.g., Microsoft's Active Directory) of users/subjects.

Kerberos Details

  • KDC issues a ticket-granting ticket (TGT).
  • TGT has a 10-hour lifetime.
  • Kerberos uses port 88 (TCP and UDP).
  • Kerberos uses symmetric cryptography

Kerberos Realm

  • User sends credentials (principal identity) to KDC
  • KDC checks database for principal.
  • KDC creates TGT and wraps it in principal's user key.
  • TGT decrypted and stored in credentials cache.
  • Keytab checks list of active TGT

Single Sign-On

  • Users can access multiple systems after providing credentials only once.

SSO and Transitive Trusts

  • Parent domains trust child domains.
  • Trust is transitive.

SSO and a Federation

  • Federated Identity Management System
  • Login into a comment system using Facebook identity.

Identity Management Reference Architecture

  • Diagram outlining roles and responsibilities.
  • Includes security policy.
  • Emphasizes creating trusted identities, and controlling access to resources.

SSO and SAML

  • Security Assertion Markup Language (SAML)
  • XML-based data format
  • SSO on web browsers
  • SAML defines:
    • Principal
    • Identity Provider
    • Service provider

SAML and Authorization

  • SAML provides authentication.
  • Authorization is separate.
  • Transfer authorization data between systems.

Authenticating RAS (Remote Access Service) Clients

  • Discusses authenticating remote access service clients

Remote Access

  • VPN (Virtual Private Network) or dial-up connections.

Remote Access Authentication Methods

  • PAP (Password Authentication Protocol)
  • CHAP (Challenge-Handshake Authentication Protocol)
  • MS-CHAP
  • MS-CHAPv2

Remote Access Methods (cont'd)

  • RADIUS: Central authentication for multiple remote access servers, encrypts passwords locally but not throughout the authentication process, UDP protocol.
  • Diameter: Improvement over RADIUS, supports Extensible Authentication Protocol (EAP).

Remote Access Methods (cont'd)

  • TACACS: Terminal Access Controller Access-Control System (rare nowadays), UNIX system.
  • TACACS+: Cisco proprietary, alternative to RADIUS, interacts with Kerberos, encrypts the entire authentication process, and uses TCP

AAA Protocols

  • Authentication: Verifying user identification
  • Authorization: Determining if user has access
  • Accounting: Tracking user access (sometimes called non-repudiation)
  • RADIUS and TACACS+ are examples of AAA protocols. Kerberos uses a single sign-on with no accounting.

Form/Assignment Group

  • Instructions for team names and members
  • 4-member limit per group, including the leader.
  • Same group for all group assessments
