Access Control and Security Technologies Quiz
Questions and Answers

What does confidentiality in the CIA of security primarily aim to prevent?

  • Theft of physical hardware
  • Loss of data integrity
  • Inaccessible data to authorized users
  • Unauthorized disclosure of data (correct)

Which of the following methods is NOT associated with ensuring confidentiality?

  • Access controls
  • Encryption
  • Data replication (correct)
  • Secure communication protocols

What does the process of authentication establish?

  • The identity of a user (correct)
  • The level of access granted to data
  • The confidentiality of data
  • The legality of a transaction

In the context of access control, what is authorization primarily concerned with?

  • Who can use a system (correct)

Which of the following books is focused more specifically on access control and security technologies?

  • Security and Access Control Using Biometric Technologies (correct)

What is one example of encryption mentioned that helps achieve confidentiality?

  • Advanced Encryption Standard (AES) (correct)

Which of the following is an essential objective of access control?

  • Understanding security concepts and processes (correct)

What role does a username play in the identification process?

  • Identifies the user seeking access (correct)

Which term refers to ensuring that data is accessible to authorized users only?

  • Confidentiality (correct)

What is NOT a typical focus of hardening access control?

  • Increasing hardware performance (correct)

Which factor of authentication is generally considered the strongest?

  • Something you are (correct)

What is the primary purpose of a digital signature?

  • To assure authentication and non-repudiation (correct)

What does hashing primarily assure in data security?

  • Integrity (correct)

What is a common drawback when increasing confidentiality in a security system?

  • Reduced availability (correct)

What is the purpose of account lockout policies?

  • To prevent unauthorized access (correct)

What does PKI stand for and what is its role?

  • Public Key Infrastructure, to issue and manage certificates (correct)

Which of the following is NOT considered a factor in creating strong passwords?

  • Contains only lowercase letters (correct)

What does non-repudiation provide in terms of security?

  • Verification of an action taken (correct)

What common step should be taken with default passwords on devices?

  • Change them before initial use (correct)

Which technique is NOT an example of ensuring availability in data security?

  • Data encryption (correct)

What is the main characteristic of a TOTP?

  • It generates passwords that expire every 30 seconds. (correct)

What does the False Acceptance Rate (FAR) indicate?

  • The rate at which unauthorized users are granted access. (correct)

In Multi-factor Authentication, which of the following would not qualify as two-factor authentication?

  • A password and a PIN number. (correct)

Which protocol is designed for Central Authentication for multiple remote access servers?

  • RADIUS (correct)

What is a defining feature of Kerberos?

  • It provides a ticket-granting mechanism for access control. (correct)

What does Single Sign-On (SSO) allow users to do?

  • Access multiple systems using a single set of credentials. (correct)

What is the primary use of Security Assertion Markup Language (SAML)?

  • To facilitate Single Sign-On across web browsers. (correct)

Which statement correctly describes the Crossover Error Rate (CER)?

  • It is the point at which FAR and FRR are equal. (correct)

Which authentication method is more secure than MS-CHAP?

  • MS-CHAPv2 (correct)

What does the term Federated Identity Management System refer to?

  • It allows cross-platform identity verification. (correct)

    Study Notes

    Housekeeping Notice

    • Mute your handphone during class.

    Course Information

    • Biometrics: A Very Short Introduction by Michael Fairhurst (2018), Oxford University Press, ISBN-13: 978-0198809104.
    • Biometrics by Anil Jain, Ruud Bolle and Sharath Pankanti (2013), Springer, ISBN: 1475782950.
    • Biometrics by Information Resources Management Association (2016), IGI Global, ISBN: 1522509844.
    • Advanced Biometrics by David Zhang (2017), Springer International Publishing AG, ISBN: 3319615440.
    • Security and Access Control Using Biometric Technologies by Robert Newman (2010), Cengage Learning, ISBN-13: 978-1-4354-4105-7.

    Course Title and Chapter

    • TPB 6323 Password Authentication and Biometrics
    • Chapter 1: Access Control: Introduction to Authentication

    Objectives

    • Look at various security concepts and processes
    • Understand the core concepts of access control: authentication and authorization
    • Identify various techniques that can be used for hardening access control

    CIA of Security

    • The CIA of security is a triangle with Confidentiality, Integrity, and Availability at the corners.

    CIA: Confidentiality

    • Prevents unauthorized disclosure of data
    • Ensures data is only viewable by authorized users
    • Examples: Personally Identifiable Information (PII)
    • Methods: Encryption (e.g., Advanced Encryption Standard (AES)), Access controls

    Access Controls

    • Identification: Stating your name (without proving it).
    • Authentication: Proving your identity (with password, fingerprint).
    • Authorization: Granting access to resources based on proven identity.

    CIA: Integrity

    • Assures data hasn't been modified, tampered with, or corrupted
    • Only authorized users should modify data
    • Hashing assures integrity
    • Examples of hash types: MD5, SHA-1, HMAC, SHA-2
    • If data changes, the hash value changes

    Hash Value for Download

    • Examples of hash values (SHA256sum) and their corresponding files/data are provided.

    Digital Signatures

    • Makes agreements legally binding
    • Similar to a handwritten signature
    • Provides authentication
    • Provides non-repudiation

    Non-Repudiation

    • Prevents entities from denying action
    • Examples: Signing a loan, credit-card purchase
    • Techniques: Digital signatures, audit logs

    Certificates and PKI

    • Certificates prove server/user identity
    • PKI manages certificates
    • Analogy: a certificate authority vouches for identities much as a credit card company vouches for its cardholders

    CIA: Availability

    • Data and services available when needed
    • Remove Single Point of Failure (SPOF)
    • Techniques: Disk redundancies (RAID), Server redundancies (clusters), Load balancing, Site redundancies, Backups, Alternate power, Cooling systems

    Balancing CIA

    • Perfect security is impossible
    • Increasing one CIA component can harm others
    • Example: complex passwords are harder to remember, so they raise confidentiality but decrease system availability

    Exploring Authentication Concepts

    • Explains various authentication concepts

    Access Control

    • Identification, Authentication, and Authorization are key to access control.

    Identity Proofing

    • Verifying user's identity before issuing or replacing credentials

    Five Factors of Authentication

    • Something you know (password, weakest)
    • Something you have (smartcard)
    • Something you are (fingerprint, strongest)
    • Something you do (gestures on touch screen)
    • Somewhere you are (geolocation)

    Password Rules

    • Passwords must be strong (at least 10 characters, mix of upper/lowercase, numbers, symbols)
    • Regularly change passwords
    • Verify user identity before resetting a password
    • Don't reuse passwords
    • Implement account lockout policies
    • Change default passwords
    • Don't write down passwords
    • Don't share passwords
    • Password history remembers previous passwords so they cannot be reused

    Password Rules (cont'd)

    • Account lockout policies: maximum number of incorrect attempts before locking the account (typically 5 attempts), and lockout duration (typically 30 minutes).

    Previous Logon Notification

    • Gmail displays recent access information.

    Creating Strong Passwords

    • Passwords must be over 10 characters
    • Passwords should not be words found in a dictionary
    • Passwords should contain uppercase letters, lowercase letters, numbers and special characters (at least 3 of these types)

    Changing Default Passwords

    • Default passwords on devices (like routers) need changing prior to use

    Something You Have

    • Smart Cards contain certificates, read by a card reader

    Smart Cards

    • Contain certificates
    • Read by a card reader

    Embedded Certificate, Public Key Infrastructure

    • Allows issuance and management of certificates
    • Common Access Card (CAC): used in place of physical keys in various applications (door access, hotel rooms, common room access)
    • Personal Identity Verification (PIV) card (e.g., MMU smart card, Malaysian IC, ATM card).

    Something You Have (cont'd)

    • Token, key fob or smartphone app using HOTP (HMAC-based One-Time Password)
    • Open standard; uses a shared secret key and an incrementing counter
    • Creates a 6- or 8-digit value
    • Password valid until used
    • Time-based One-Time Password (TOTP): replaces the counter with a timestamp, so each code expires every 30 seconds

    Something You Are (Biometrics)

    • Fingerprint, Handprint, Palm scanner
    • Retinal scanners (uncomfortable for some)
    • Iris scanners (easier to use)

    False Acceptance and False Rejection

    • False Acceptance Rate (FAR): rate at which unauthorized users are incorrectly accepted.
    • False Rejection Rate (FRR): rate at which authorized users are incorrectly rejected.
    • Crossover Error Rate (CER), also called Equal Error Rate (EER): the point at which FAR and FRR are equal.

    Somewhere You Are

    • IP address: gives a general location.
    • MAC address: identifies a specific device.

    Something You Do

    • Windows 8 picture passwords
    • Gestures like tapping/drawing lines
    • Keystroke dynamics (typing)
    • Way you walk
    • Way you sign your name
    • Also called behavioral biometrics

    Multifactor Authentication

    • More than one authentication method.
    • Could be something you know, have, are, or do.

    Comparing Authentication Services

    • Compares different authentication services.

    Authentication Services

    • Kerberos: Used in Windows Active Directory Domains, Unix realms, developed at MIT, prevents Man-in-the-Middle and replay attacks

    Kerberos Requirements

    • A method of issuing tickets used for authentication.
    • KDC (Key Distribution Center) grants ticket-granting tickets.
    • Time synchronization within five minutes.
    • Database (e.g., Microsoft's Active Directory) of users/subjects.

    Kerberos Details

    • KDC issues a ticket-granting ticket (TGT).
    • TGT has a 10-hour lifetime.
    • Kerberos uses port 88 (TCP and UDP).
    • Kerberos uses symmetric cryptography

    Kerberos Realm

    • User sends credentials (principal identity) to KDC
    • KDC checks database for principal.
    • KDC creates TGT and wraps it in principal's user key.
    • TGT decrypted and stored in credentials cache.
    • Keytab checks list of active TGT

    Single Sign-On

    • Users can access multiple systems after providing credentials only once.

    SSO and Transitive Trusts

    • Parent domains trust child domains.
    • Trust is transitive.

    SSO and a Federation

    • Federated Identity Management System
    • Example: logging in to a comment system using a Facebook identity.

    Identity Management Reference Architecture

    • Diagram outlining roles and responsibilities.
    • Includes security policy.
    • Emphasizes creating trusted identities, and controlling access to resources.

    SSO and SAML

    • Security Assertion Markup Language (SAML)
    • XML-based data format
    • SSO on web browsers
    • SAML defines:
      • Principal
      • Identity Provider
      • Service Provider

    SAML and Authorization

    • SAML provides authentication.
    • Authorization is separate.
    • Transfer authorization data between systems.

    Authenticating RAS (Remote Access Service) Clients

    • Discusses authenticating remote access service clients

    Remote Access

    • VPN (Virtual Private Network) or dial-up connections.

    Remote Access Authentication Methods

    • PAP (Password Authentication Protocol)
    • CHAP (Challenge-Handshake Authentication Protocol)
    • MS-CHAP
    • MS-CHAPv2

    Remote Access Methods (cont'd)

    • RADIUS: central authentication for multiple remote access servers; encrypts only the password, not the rest of the authentication exchange; runs over UDP.
    • Diameter: Improvement over RADIUS, supports Extensible Authentication Protocol (EAP).

    Remote Access Methods (cont'd)

    • TACACS: Terminal Access Controller Access-Control System; originally for UNIX systems, rarely used nowadays.
    • TACACS+: Cisco proprietary alternative to RADIUS; interacts with Kerberos, encrypts the entire authentication exchange, and uses TCP.

    AAA Protocols

    • Authentication: Verifying user identification
    • Authorization: Determining if user has access
    • Accounting: Tracking user access (sometimes called non-repudiation)
    • RADIUS and TACACS+ are examples of AAA protocols. Kerberos provides single sign-on but no accounting.

    Form/Assignment Group

    • Instructions for team names and members
    • Maximum of 4 members per group, including the leader.
    • Same group for all group assessments

    Description

    Test your knowledge on the principles of access control and security technologies in information security. This quiz covers key concepts such as confidentiality, authentication, and authorization, along with specific methods and technologies related to these principles.
