UNIT 2
User Authentication and Access Control
What Is User Authentication?
Authentication is the process of identifying users that request access to a system, network, or
device. Access control often determines user identity according to credentials like username and
password. Other authentication technologies like biometrics and authentication apps are also
used to authenticate user identity.
Why Is User Authentication Important?
User authentication is a method that keeps unauthorized users from accessing sensitive
information. For example, User A only has access to relevant information and cannot see the
sensitive information of User B.
Cybercriminals can gain access to a system and steal information when user authentication is not
secure. The data breaches companies like Adobe, Equifax, and Yahoo faced are examples of
what happens when organizations fail to secure their user authentication.
Hackers gained access to Yahoo user accounts to steal contacts, calendars and private emails
between 2012 and 2016. The Equifax data breach in 2017 exposed credit card data of more than
147 million consumers. Without a secure authentication process, any organization could be at
risk.
How Does User Authentication Work?
User authentication is typically achieved through passcodes, identification cards, or
other means of verification. It typically occurs the following way:
• The user enters the login credentials on the login page to verify their identity.
• The server decrypts the personalized information it has received and compares it
to the stored credentials in its database.
• If the information matches, the user is granted access. If not, the request is
declined.
• Depending on the security settings, the user may be allowed to initiate another
request or be blocked from accessing the web application altogether.
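The login flow above, worked through in Python as an added example (not code from the original notes): a constructed in-memory user store keeps a per-user salt and an scrypt hash rather than the password, the comparison is constant-time, an unknown user name costs the same time as a wrong password, and after MAX_FAILURES wrong attempts the account is blocked for LOCKOUT_SECONDS. The policy constants and the record layout are assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed policy values for the example; a real deployment takes these
# from configuration.
MAX_FAILURES = 5           # failed attempts allowed before the account locks
LOCKOUT_SECONDS = 900      # length of the lockout (15 minutes)
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)
DUMMY_SALT = b"\x00" * 16  # used to equalise timing for unknown user names


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, memory-hard hash: a copy of the database cannot be turned back
    # into passwords with precomputed tables, and every guess costs the
    # attacker the same work it costs the server.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def create_user(db: dict, username: str, password: str) -> None:
    # Constructed in-memory user store: one record per user.
    salt = os.urandom(16)
    db[username] = {
        "salt": salt,
        "hash": hash_password(password, salt),
        "failures": 0,
        "locked_until": 0.0,
    }


def login(db: dict, username: str, password: str,
          now: Optional[float] = None) -> str:
    """Process one login attempt; returns 'granted', 'denied' or 'locked'."""
    now = time.time() if now is None else now
    record = db.get(username)
    if record is None:
        # Unknown user: still compute a hash so the response time does not
        # reveal which user names exist.
        hash_password(password, DUMMY_SALT)
        return "denied"
    if now < record["locked_until"]:
        # A locked account is refused even when the password is right.
        return "locked"
    candidate = hash_password(password, record["salt"])
    if hmac.compare_digest(candidate, record["hash"]):   # constant-time compare
        record["failures"] = 0
        return "granted"
    record["failures"] += 1
    if record["failures"] >= MAX_FAILURES:
        record["locked_until"] = now + LOCKOUT_SECONDS
        record["failures"] = 0
    return "denied"


if __name__ == "__main__":
    users = {}
    create_user(users, "alice", "correct horse battery staple")
    print(login(users, "alice", "wrong guess"))                   # denied
    print(login(users, "alice", "correct horse battery staple"))  # granted
```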
5 Common Authentication Types
Cybercriminals always improve their attacks. As a result, security teams are facing plenty of
authentication-related challenges. This is why companies are starting to implement more
sophisticated incident response strategies, including authentication as part of the process. The list
below reviews some common authentication methods used to secure modern systems.
1. Password-based authentication
Passwords are the most common method of authentication. A password can be a string of
letters, numbers, or special characters. To protect yourself, create strong passwords that
combine all of these character types.
However, passwords are prone to phishing attacks and to bad hygiene that weakens their effectiveness.
An average person has about 25 different online accounts, but only 54% of users use different
passwords across their accounts.
The truth is that there are a lot of passwords to remember. As a result, many people choose
convenience over security. Most people use simple passwords instead of creating reliable
passwords because they are easier to remember.
The bottom line is that passwords have a lot of weaknesses and are not sufficient to protect
online information. Hackers can easily guess user credentials by running through all possible
combinations until they find a match.
2. Multi-factor authentication
Multi-Factor Authentication (MFA) is an authentication method that requires two or more
independent ways to identify a user. Examples include codes generated from the user’s
smartphone, Captcha tests, fingerprints, voice biometrics or facial recognition.
MFA authentication methods and technologies increase the confidence of users by adding
multiple layers of security. MFA may be a good defense against most account hacks, but it has
its own pitfalls. People may lose their phones or SIM cards and not be able to generate an
authentication code.
3. Certificate-based authentication
Certificate-based authentication technologies identify users, machines or devices by using digital
certificates. A digital certificate is an electronic document based on the idea of a driver’s license
or a passport.
The certificate contains the digital identity of a user, including a public key, and the digital
signature of a certification authority. Digital certificates prove the ownership of a public key and
are issued only by a certification authority.
Users provide their digital certificates when they sign in to a server. The server verifies the
credibility of the digital signature and of the certificate authority. The server then uses cryptography
to confirm that the user holds the private key associated with the certificate.
4. Biometric authentication
Biometric authentication is a security process that relies on the unique biological characteristics
of an individual. Here are key advantages of using biometric authentication technologies:
• Biological characteristics can be easily compared to authorized features saved in a
database.
• Biometric authentication can control physical access when installed on gates and doors.
• You can add biometrics into your multi-factor authentication process.
Biometric authentication technologies are used by consumers, governments and private
corporations including airports, military bases, and national borders. The technology is
increasingly adopted due to the ability to achieve a high level of security without creating
friction for the user. Common biometric authentication methods include:
• Facial recognition—matches the different face characteristics of an individual trying to gain
access to an approved face stored in a database. Face recognition can be inconsistent when
comparing faces at different angles or comparing people who look similar, like close
relatives. Facial liveness like ID R&D’s passive facial liveness prevents spoofing.
• Fingerprint scanners—match the unique patterns on an individual’s fingerprints. Some new
versions of fingerprint scanners can even assess the vascular patterns in people’s fingers.
Fingerprint scanners are currently the most popular biometric technology for everyday
consumers, despite their frequent inaccuracies. This popularity can be attributed to iPhones.
• Speaker recognition—also known as voice biometrics, examines a speaker’s speech
patterns for the formation of specific shapes and sound qualities. A voice-protected device
usually relies on standardized words to identify users, just like a password.
• Eye scanners—include technologies like iris recognition and retina scanners. Iris scanners
project a bright light towards the eye and search for unique patterns in the colored ring around
the pupil of the eye. The patterns are then compared to approved information stored in a
database. Eye-based authentication may suffer inaccuracies if a person wears glasses or
contact lenses.
5. Token-based authentication
Token-based authentication technologies enable users to enter their credentials once and receive
a unique encrypted string of random characters in exchange. You can then use the token to
access protected systems instead of entering your credentials all over again. The digital token
proves that you already have access permission. Use cases of token-based authentication include
RESTful APIs that are used by multiple frameworks and clients.
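The exchange described above, as an added example in Python (not code from the original notes): after the credential check (an assumed verify_credentials hook) the server hands back a random bearer token, keeps only its SHA-256 digest together with an expiry, and later requests present the token in an Authorization header instead of the password. The TokenStore name and TOKEN_TTL_SECONDS are assumptions.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 3600   # assumed token lifetime


class TokenStore:
    """Server-side record of issued bearer tokens.

    Only the SHA-256 digest of each token is stored, so a copy of this table
    does not yield usable tokens; the client holds the only plaintext copy.
    """

    def __init__(self) -> None:
        self._entries = {}   # digest -> {"user": ..., "expires": ...}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 random bits from the OS CSPRNG
        self._entries[self._digest(token)] = {
            "user": username,
            "expires": now + TOKEN_TTL_SECONDS,
        }
        return token

    def authenticate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user the token was issued to, or None if unknown or expired."""
        now = time.time() if now is None else now
        key = self._digest(token)
        entry = self._entries.get(key)
        if entry is None:
            return None
        if now >= entry["expires"]:
            del self._entries[key]   # expired: forget it so the table does not grow forever
            return None
        return entry["user"]

    def revoke(self, token: str) -> None:
        self._entries.pop(self._digest(token), None)


def login_and_issue(store: TokenStore, verify_credentials,
                    username: str, password: str) -> Optional[str]:
    """Step 1: credentials are checked once; on success a token is returned.

    verify_credentials(username, password) -> bool is an assumed hook, e.g. a
    salted-hash comparison against the user database.
    """
    if not verify_credentials(username, password):
        return None
    return store.issue(username)


def handle_request(store: TokenStore, authorization_header: str,
                   now: Optional[float] = None) -> Optional[str]:
    """Step 2: later requests carry 'Authorization: Bearer <token>' instead of credentials."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token.strip():
        return None
    return store.authenticate(token.strip(), now)
```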
Types of Password Attacks
Password cracking is one of the crucial stages of system hacking. Password-cracking
mechanisms often exploit otherwise legal means to gain unauthorized system access, such as
recovering a user’s forgotten password.
Classification of password attacks depends on the attacker’s actions, which are of the following
four types:
▪ Non-Electronic Attacks: In most cases, this is the attacker’s first attempt at gaining target
system passwords. Non-electronic or non-technical attacks do not require any technical
knowledge about hacking or system exploitation. Techniques used to perform non-electronic
attacks include shoulder surfing, social engineering, dumpster diving, etc.
▪ Active Online Attacks: This is one of the easiest ways to gain unauthorized administrator-
level system access. Here, the attacker communicates with the target machine to gain
password access. Techniques used to perform active online attacks include password guessing,
dictionary and brute-forcing attacks, hash injection, LLMNR/NBT-NS poisoning, use of
Trojans/spyware/keyloggers, internal monologue attacks, Markov-chain attacks, Kerberos
password cracking, etc.
▪ Passive Online Attacks: A passive attack is a type of system attack that does not lead to
any changes in the system. In this attack, the attacker does not have to communicate with the
system, but passively monitors or records the data passing over the communication channel, to
and from the system. The data are then used to break into the system. Techniques used to
perform passive online attacks include wire sniffing, man-in-the-middle attacks, replay attacks,
etc.
▪ Offline Attacks: Offline attacks refer to password attacks in which an attacker tries to
recover clear-text passwords from a password hash dump. Offline attacks are often
time-consuming but have a high success rate, as the password hashes can be reversed owing to
their small key space and short length. Attackers use pre-computed hashes from rainbow tables
to perform offline and distributed network attacks.
Password Guessing
Password guessing is a password-cracking technique that involves attempting to log on to the
target system with different passwords manually. Guessing is the key element of manual
password cracking. The attacker creates a list of all possible passwords from the information
collected through social engineering or any other method and tries them manually on the
victim’s machine to crack the passwords.
The following are the steps involved in password guessing:
▪ Find a valid user
▪ Create a list of possible passwords
▪ Rank passwords from high to low probability
▪ Key in each password, until the correct password is discovered
Hackers can crack passwords manually or by using automated tools, methods, and algorithms.
They can also automate password cracking using a simple FOR loop or create a script file that
tries each password in a list. These techniques are still considered manual cracking. The failure
rate of this type of attack is high.
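Seen from the defender’s side, guessing against a live login shows up as clusters of failed attempts. The following added example (not part of the original notes) parses constructed log lines in an assumed format and flags two patterns over a sliding time window: many failures against one account, and one source trying a guess against many accounts. The log format, the thresholds and the addresses (documentation ranges) are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed format:
# "<ISO time> OK|FAIL user=<name> src=<ip>". The events are invented.
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:08 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:15 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:21 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:30 FAIL user=alice src=203.0.113.7
2024-05-01T10:01:00 FAIL user=frank src=192.0.2.4
2024-05-01T10:01:05 OK user=frank src=192.0.2.4
2024-05-01T10:02:00 FAIL user=bob src=198.51.100.9
2024-05-01T10:02:03 FAIL user=carol src=198.51.100.9
2024-05-01T10:02:07 FAIL user=dave src=198.51.100.9
2024-05-01T10:02:10 FAIL user=erin src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

# Assumed detection thresholds.
WINDOW = timedelta(minutes=5)
MAX_FAILS_PER_USER = 5     # brute force: one account, many guesses
MAX_USERS_PER_SRC = 3      # spraying: one source, a guess against many accounts


def parse(lines):
    """Turn log lines into (time, result, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def detect(events):
    """Return the set of alerts raised by the failures, using sliding time windows.

    A single failure followed by success (a mistyped password) raises nothing;
    the source address is kept in the alert so the response can be rate
    limiting per source rather than locking the victim's account.
    """
    alerts = set()
    fails_by_user = defaultdict(list)     # user -> times of recent failures
    users_by_src = defaultdict(dict)      # src -> {user: time of last failure}
    for ts, result, user, src in sorted(events):
        if result != "FAIL":
            continue
        recent = fails_by_user[user]
        recent.append(ts)
        while ts - recent[0] > WINDOW:    # drop failures older than the window
            recent.pop(0)
        if len(recent) >= MAX_FAILS_PER_USER:
            alerts.add(("brute_force", user, src))
        users_by_src[src][user] = ts
        targeted = [u for u, t in users_by_src[src].items() if ts - t <= WINDOW]
        if len(targeted) >= MAX_USERS_PER_SRC:
            alerts.add(("password_spray", src))
    return alerts


if __name__ == "__main__":
    for alert in sorted(detect(parse(SAMPLE_LOG.splitlines()))):
        print(alert)
```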
What is Social Engineering?
Before performing a social engineering attack, the attacker gathers information about the
target organization from various sources such as:
▪ The organization’s official websites, where employees’ IDs, names, and email addresses
are shared
▪ Advertisements of the target organization cast through media reveal information such
as products and offers.
▪ Blogs, forums, and other online spaces where employees share basic personal and
organizational information.
After gathering information, an attacker executes social engineering attacks using various
approaches such as impersonation, piggybacking, tailgating, reverse social engineering, and
other methods.
Piggybacking
Piggybacking usually implies entry into a building or security area with the consent of the
authorized person. For example, an attacker might request an authorized person to unlock a
security door, saying that they have forgotten their ID badge. In the interest of common
courtesy, the authorized person will allow the attacker to pass through the door.
Shoulder Surfing
• Shoulder surfing is the technique of looking over someone’s shoulder as they key
information into a device.
• Attackers use shoulder surfing to find out passwords, personal identification numbers,
account numbers, and other information. They sometimes even use binoculars and
other optical devices or install small cameras to record the actions performed on the
victim’s system to obtain login details and other sensitive information.
Dumpster Diving
• Dumpster diving is the process of retrieving sensitive personal or organizational
information by searching through trash bins.
• Attackers can extract confidential data such as user IDs, passwords, policy numbers,
network diagrams, account numbers, bank statements, salary data, source code, sales
forecasts, access codes, phone lists, credit card numbers, calendars, and organizational
charts on paper or disk.
• Attackers can then use this information to perform various malicious activities.
Sometimes attackers even use pretexts to support their dumpster diving initiatives, such
as impersonating a repair person, technician, cleaner, or other legitimate worker.
Information that attackers can obtain by searching through trash bins includes:
▪ Phone lists: Disclose employees’ names and contact numbers.
▪ Organizational charts: Disclose details about the structure of the company, physical
infrastructure, server rooms, restricted areas, and other organizational data.
▪ Email printouts, notes, faxes, and memos: Reveal personal details of an employee,
passwords, contacts, inside working operations, certain useful instructions, and other data.
▪ Policy manuals: Reveal information regarding employment, system use, and operations.
▪ Event notes, calendars, or computer use logs: Reveal information regarding the user’s log-on
and log-off times, which helps the attacker decide on the best time to plan their attack.
Biometric Authentication
Biometric access control is based on the use of some measurable human characteristic or trait to
authenticate the identity of a proposed systems user (a supplicant).
It relies upon recognition—the same thing you rely upon to identify friends, family, and other
people you know.
The use of biometric-based authentication is expected to have a significant impact in the future
as technical and ethical issues with the technology are resolved.
Biometric authentication technologies include the following:
• Fingerprint comparison of the supplicant’s actual fingerprint to a stored fingerprint
• Palm print comparison of the supplicant’s actual palm print to a stored palm print
• Hand geometry comparison of the supplicant’s actual hand to a stored measurement
• Facial recognition using a photographic ID card, in which a human security guard
compares the supplicant’s face to a photo
• Facial recognition using a digital camera, in which a supplicant’s face is compared to a
stored image
• Retinal print comparison of the supplicant’s actual retina to a stored image
• Iris pattern comparison of the supplicant’s actual iris to a stored image
Among all possible biometrics, only three human characteristics are usually considered
truly unique. They are as follows:
• Fingerprints
• Retina of the eye (blood vessel pattern)
• Iris of the eye (random pattern of features found in the iris, including freckles, pits,
striations, vasculature, coronas, and crypts)
How Biometrics Work
At the most basic level, you need two things to verify an individual's identity with a biometric
identifier: a way to collect or measure the desired characteristic and a record of that
characteristic to compare your measurement to.
However, to automate the biometric authentication process, modern biometric systems
typically require three steps:
1. A physical measurement device that reads or scans the biometric characteristic you're
using to authenticate a person
2. Software that translates a biometric scan into a digital format and compares it to the
record of that biometric characteristic
3. A stored record of that biometric characteristic that the software can compare the new
scan to in order to verify a person
Centralized vs. Decentralized Biometric Data Storage (and Why It Matters)
Biometric data is typically stored either on a central server or the authentication device itself
— with the former being a controversial method for doing so.
Storing biometric data on a server like you would a password means that if the database is
breached, your users' biometric data is breached. And since you can't reset biometric data like
you would a password, it means your users' biometric data is compromised for the rest of their
life.
Device-level storage keeps biometric data distributed, which eliminates the risk of large
quantities of biometric data being exposed all at once (better protection for users and
organizations).
Types of Biometrics
Below are the most common types of biometric characteristics in use today:
• Fingerprint Biometrics. The patterns found on a person's fingers are unique to them
and are already used to verify smartphone users.
• Behavioral Biometrics. Behavioral biometrics use patterns in an individual's
behavior, such as keystroke patterns and computer mouse movements or other
behavioral characteristics like a user's physical location, to identify them.
• Ear Biometrics. A person's ear has a unique shape, and research shows ear
recognition could be more accurate than fingerprint recognition.
• Voice Biometrics. A person’s voice is unique to them. Voice recognition systems
are 90% accurate on average.
• Facial Recognition Biometrics. Research shows that an individual's face is unique
when measured in sufficient detail and therefore is effective for accurately identifying
them. Face recognition algorithms are far from perfect (studies show the technology is
less effective in identifying darker-skinned individuals). However, companies are
taking steps to improve their accuracy with artificial intelligence (AI).
• Hand Geometry Biometrics. Hand geometry is unique from person to person and has
been used to identify a person since the 1960s. Although hand geometry is unique,
using it to identify an individual does carry some important limitations, according to
the Infosec Institute.
• Gait Biometrics. Gait analysis measures the way a person walks to identify them. Gait
recognition is still a new technology, but researchers have already developed systems
for smartphones that could be used to implement it.
• Retina Biometrics. Retina biometrics use the unique pattern on a person's retina to
identify them. Research shows that retinal scans are very accurate.
• Iris Biometrics. Iris biometrics are similar to retina biometrics, except they use the
unique pattern of a person's iris instead of the retina. Research by the National Institute
of Standards and Technology (NIST) shows that iris scans are 90-99% accurate.
• Vein Recognition Biometrics. Vein recognition is also known as vascular biometrics
and uses subdermal vein patterns to identify a person. Vein recognition is the most
accurate biometric technology in use today. However, researchers have cracked vein
recognition in the past using a wax hand. So although it's effective at distinguishing
between individuals, it's susceptible to attack.
• DNA Biometrics. 99.9% of the average person's DNA is identical to every other
person on Earth. However, the 0.1% that's different is enough to identify a person with
a high degree of accuracy.
• Voice Recognition. This method of authentication analyzes the sounds a person makes when
they speak.
• Digital Signatures. These analyses include static systems that simply compare the signature
to an existing handwriting sample and dynamic systems that also track the movement of the
person’s hand when it’s writing.
The Pros and Cons of Biometrics for Cybersecurity
Biometrics promise organizations improved security and better experiences for users. But they
also create new risks that organizations need to account for if they choose to use them to
verify employees or end users.
Pros
Biometrics are an effective way to verify users because biometric traits are harder to fake,
replicate or transfer than traditional username/password (U/P) authentication.
Research also shows that consumers prefer biometric authentication to U/P authentication
because it's easier for them to authenticate themselves — they just scan their finger, and
they're in. This benefits organizations because a positive user experience can also reduce
security risks and offer a competitive advantage.
Finally, biometric data often saves companies money because it uses less server space than
traditional authentication measures and eliminates the need to reset a password. Auth0
customers report costs of up to $120 per password reset.
Cons
Biometric identification systems can be costly to implement if a company is installing
everything from scratch.
For example, although some biometric technologies like fingerprint scanners are now fairly
cheap to purchase, the more accurate and reliable technologies are often quite expensive.
One way to substantially bring down these costs is to use scanners within existing devices,
such as mobile phones, as the authentication mechanism.
And although biometrics do reduce many security risks, cybercriminals have still found ways
to crack biometric authentication systems, as well as breach the databases biometric data is
stored on.
Biometrics are also a challenge to store securely because the hashing process used to protect
passwords doesn't work with biometric data. So any organization that utilizes biometrics to
verify their users has to ensure that any biometric data they store centrally is
adequately encrypted or they'll put their users at risk.
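Why the password hashing process does not carry over to biometrics, shown as an added example that is not from the original notes: two scans of the same finger or iris are never bit-identical, so a stored template is accepted when a new scan is close enough (here a Hamming-distance threshold over constructed 64-bit templates) rather than equal, and a hash of the new scan never equals a hash of the enrolled template. The template values and MATCH_THRESHOLD are assumptions.

```python
import hashlib

TEMPLATE_BITS = 64
MATCH_THRESHOLD = 0.25   # assumed: accept when at most 25% of the bits differ


def hamming_fraction(a: int, b: int, bits: int = TEMPLATE_BITS) -> float:
    """Fraction of differing bits between two fixed-length bit templates."""
    mask = (1 << bits) - 1
    return bin((a ^ b) & mask).count("1") / bits


def matches(enrolled: int, probe: int) -> bool:
    """Biometric decision: similarity above a threshold, not exact equality.

    Lowering MATCH_THRESHOLD rejects more genuine users (false rejections);
    raising it admits more impostors (false acceptances).
    """
    return hamming_fraction(enrolled, probe) <= MATCH_THRESHOLD


def template_digest(template: int) -> str:
    """What storing 'a hash of the biometric' would hold for one template."""
    return hashlib.sha256(template.to_bytes(TEMPLATE_BITS // 8, "big")).hexdigest()


def matches_by_hash(enrolled: int, probe: int) -> bool:
    """Password-style comparison of hashes: only a bit-identical scan matches."""
    return template_digest(enrolled) == template_digest(probe)


# Constructed templates, not real biometric data.
ENROLLED = 0xA5C3F00F12349ABC
GENUINE_PROBE = ENROLLED ^ 0x0000010000400001   # same person, 3 bits flipped by sensor noise
IMPOSTOR_PROBE = 0x3C7EA5A50F0FC3C3            # different person, 38 of 64 bits differ

if __name__ == "__main__":
    print(matches(ENROLLED, GENUINE_PROBE), matches_by_hash(ENROLLED, GENUINE_PROBE))  # True False
    print(matches(ENROLLED, IMPOSTOR_PROBE))                                            # False
```

Because the server must keep the template itself in a comparable form, the page's point follows: central storage needs encryption and strict access control, and device-local storage avoids holding every user's template in one place.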
Common Examples of Biometrics in Use Today
Biometrics are most commonly used in smartphones, tablets, and laptops. For example,
both Apple and Samsung use fingerprint and facial recognition to unlock their devices.
However, enterprises, government agencies, and even law enforcement are also using a
variety of biometric identifiers for access control or to verify an individual's identity.
• Financial Services. Behavioral biometrics are used in financial and banking
industries to prevent fraud and identity theft.
• Law Enforcement. Law enforcement agencies use fingerprints, palm prints, and DNA
to verify the identity of criminals.
• Immigration and Customs. Many countries use biometrics to document foreign
residents and issue visas. For example, the United States Department of Homeland
Security uses fingerprints and facial recognition to verify an individual when they
enter the country, as well as issue a green card to foreign residents.
• Healthcare and Medicine. Biometrics are currently used to identify patients in
hospitals and retrieve medical records.
• Customer Service. Voice biometrics are used to authenticate users when they call a
customer service center.
The Future of Biometrics
The total market value of the biometrics industry is expected to grow 87% in the next five
years as more organizations adopt biometric authentication to secure data, devices, and
applications. As that occurs, there are several trends emerging that organizations should pay
attention to:
▪ Continuous improvement of biometric security is a must. Bad actors are finding new
ways to circumvent biometric authentication systems. So reducing security risks to
biometric data is a continuous effort, not a one-and-done event.
▪ Using biometrics in continuous authentication applications will gain more
traction. Continuous authentication happens on a rolling basis while a person uses your
systems, rather than once at the beginning. Many experts expect biometrics to be
widely incorporated into continuous authentication systems as they become available
in the near future.
▪ Regulations around biometric data are tightening. Biometrics are still a relatively new
technology. But given the privacy concerns associated with biometric data, regulators
are beginning to tighten restrictions around how biometric data is collected, used, and
stored.
Keystroke Recognition
Think of this element as the digital world’s version of handwriting analysis. It’s not to be confused
with keylogging, which is taking note of what a person is actually typing. Keystroke recognition is a
method of recording a person’s individual typing pattern, including the pace at which a person types
particular letters or words, in order to isolate and identify the person doing the typing.
Gait Recognition
Although a system that tracks the way a person walks may not be feasible in every situation, it can
be an accurate identifier of an individual.
Advantages of Biometrics
There are many advantages to using biometrics as a form of identification for access, including that
biometrics:
– Cannot be lost: You can always forget your key, access card or password, but you can’t forget
your fingerprints or your eyes. If biometrics are the only means of authentication, a user can never
be locked out if they’re entitled to access. If you use multi-factor identification, a biometric factor is
one less thing that users need to remember.
– Cannot be transferred or stolen: It is easy and not uncommon for people to leave access cards or
notepads containing passwords lying around where unwanted personnel could get hands on them.
You cannot lose your biometrics due to carelessness, and they cannot be transferred or stolen
without causing physical trauma to the user.
– Are person-specific: Unless a user is colluding with an unauthorized person, you can be confident
that the person who is using biometrics to gain access is who they purport to be.
– Are intuitive: Most users should have little difficulty figuring out how to press their finger onto a
fingerprint scanner or look into an eye scanner. This process can be much faster and more
convenient than hunting around for another password or trying to find the right way to insert an
access card.
Access Controls:
Definition:
Access control is the method by which systems determine whether and how to admit a user into
a trusted area of the organization—that is, information systems, restricted areas such as computer
rooms, and the entire physical location.
Access control is achieved by means of a combination of policies, programs, and technologies.
Access controls can be mandatory, nondiscretionary, or discretionary.
Why is access control important?
Access control keeps confidential information such as customer data, personally identifiable
information, and intellectual property from falling into the wrong hands.
It’s a key component of the modern zero trust security framework, which uses various
mechanisms to continuously verify access to the company network.
Without robust access control policies, organizations risk data leakage from both internal and
external sources.
Access control is particularly important for organizations with hybrid cloud and multi-cloud
environments, where resources, apps, and data reside both on premises and in the cloud.
Access control can provide these environments with more robust access security beyond single
sign-on (SSO), and prevent unauthorized access from unmanaged and BYO devices.
Types:
1. Discretionary access control (DAC)
2. Mandatory access control (MAC)
3. Role-based access control (RBAC)
4. Privilege-based access control (PBAC)
5. Rule-based access control
6. Attribute-based access control
7. Identity-based access control
8. History-based access control
Authentication
Authentication is the process of validating a supplicant’s purported identity. There are three
widely used authentication mechanisms, or authentication factors:
Something a Supplicant Knows: This factor of authentication relies upon what the
supplicant knows and can recall—for example, a password, passphrase, or other unique
authentication code, such as a personal identification number (PIN).
Something a Supplicant Has: This authentication factor relies upon something a
supplicant has and can produce when necessary. One example is dumb cards, such as ID
cards or ATM cards with magnetic stripes containing the digital (and often encrypted) user
PIN, against which the number a user inputs is compared.
Something a Supplicant Is or Can Produce: This authentication factor relies
upon individual characteristics, such as fingerprints, palm prints, hand topography, hand
geometry, or retina and iris scans, or something a supplicant can produce on demand, such
as voice patterns, signatures, or keyboard kinetic measurements.
Security Access Manager provides the following authentication mechanisms:
One-time password authentication mechanisms
A one-time password is a password that is generated for an authentication event and is valid for
one use. The one-time password authentication capability in Security Access Manager provides
the following features:
• One-time password generation and validation with support for various implementations
as provided.
• One-time password delivery with email and short message service (SMS)
implementation.
• Time-based, counter-based, and RSA one-time password generation and validation that
requires no delivery mechanism.
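The time-based and counter-based one-time passwords listed above (and the smartphone-generated codes mentioned under multi-factor authentication) are TOTP and HOTP. The following added example, not code from the original notes or from the product, implements both from RFC 6238 and RFC 4226 in Python together with the server-side checks that matter: a skew window for TOTP, and a forward-only counter for HOTP so an accepted code cannot be replayed. The key is the RFCs' published test secret; HotpVerifier and the look-ahead size are assumptions.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
    counter, then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter set to the current time step."""
    at_time = time.time() if at_time is None else at_time
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server check that tolerates clock skew of +/- `window` steps.
    Every step is compared so response time does not reveal which one matched."""
    at_time = time.time() if at_time is None else at_time
    current = int(at_time) // step
    ok = False
    for c in range(current - window, current + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c, digits), candidate)
    return ok


class HotpVerifier:
    """Server side of counter-based OTP. The stored counter only moves
    forward, so an accepted code can never be replayed; a small look-ahead
    resynchronises a token whose user generated codes without submitting them."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, candidate: str, digits: int = 6) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, digits), candidate):
                self.counter = c + 1   # skip past the used counter
                return True
        return False


if __name__ == "__main__":
    # Test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    print(hotp(secret, 0))     # 755224
    print(totp(secret, 59))    # 287082
```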
Username and Password mechanism
Users provide a user name and password.
HTTP Redirect mechanism
Use this mechanism to integrate a custom authentication mechanism into the workflow
of an authentication policy. Users provide credentials that are required by the custom
authentication mechanism.
Consent to device registration mechanism
Users provide consent to allow their device to be registered.
Authentication policies
By grouping the provided authentication mechanisms into the workflow of an authentication
policy, you can achieve several types of authentication:
• Simple authentication
Users provide basic identifying information such as a user name and password.
• Step-up authentication
Users provide a specific type of credential usually to access sensitive resources. The users
might be challenged to authenticate and provide an extra set of credentials to prove that
they are allowed to access sensitive resources.
• Multi-factor authentication
Users provide more than one type of credential to access a protected resource.
Principal authentication
A principal is uniquely identified by a user name, and has a set of attributes. These attributes
include:
• User Name - Unique identifier for a principal.
• Password - Credential for this principal.
• Roles - One or more roles granting access to administrative commands.
• Password Expiration - The duration in days that the password is valid.
• Remote Access - Allow access only from trusted hosts, or from any host.
• Password Required - Define whether a password is always required, or only from
untrusted hosts.
Authorization:
Authorization is the matching of an authenticated entity to a list of information assets and
corresponding access levels. This list is usually an ACL or access control matrix.
In general, authorization can be handled in one of three ways:
Authorization for each authenticated user, in which the system performs an authentication
process to verify each entity and then grants access to resources for only that entity. This quickly
becomes a complex and resource-intensive process in a computer system.
Authorization for members of a group, in which the system matches authenticated entities to a
list of group memberships, and then grants access to resources based on the group’s access
rights. This is the most common authorization method.
Authorization across multiple systems, in which a central authentication and authorization
system verifies entity identity and grants it a set of credentials.
What Is Authorization?
➢ Authorization in system security is the process of giving the user permission to access a
specific resource or function. This term is often used interchangeably with access control
or client privilege.
➢ Giving someone permission to download a particular file on a server or providing
individual users with administrative access to an application are good examples of
authorization.
➢ In secure environments, authorization must always follow authentication. Users should
first prove that their identities are genuine before an organization’s administrators grant
them access to the requested resources.
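An added example (not from the original notes) of group-based authorization against an access control matrix, combined with the rule above that authorization follows authentication: a Principal is only consulted against the ACL once it has been marked authenticated, and its rights are the union of its own entry and those of each group it belongs to. The ACL contents, the right names and the verify_credentials hook are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Access levels assumed for the example.
READ, WRITE, ADMIN = "read", "write", "admin"


@dataclass
class Principal:
    """An entity that has (or has not yet) passed authentication."""
    name: str
    groups: Set[str] = field(default_factory=set)
    authenticated: bool = False


# Constructed access-control matrix: resource -> subject -> rights, where a
# subject is a user name or "group:<name>". Values are made up for the example.
ACL: Dict[str, Dict[str, Set[str]]] = {
    "payroll.db": {
        "group:finance": {READ},
        "group:finance-admins": {READ, WRITE},
        "alice": {READ, WRITE, ADMIN},   # per-user entry on top of group rights
    },
    "wiki": {"group:staff": {READ, WRITE}},
}


def effective_rights(principal: Principal, resource: str) -> Set[str]:
    """Union of the rights granted to the user directly and via each group."""
    entries = ACL.get(resource, {})
    rights = set(entries.get(principal.name, set()))
    for group in principal.groups:
        rights |= entries.get("group:" + group, set())
    return rights


def authorize(principal: Optional[Principal], resource: str, right: str) -> bool:
    """Default deny: only an authenticated principal holding the right is admitted."""
    if principal is None or not principal.authenticated:
        return False
    return right in effective_rights(principal, resource)


def authenticate(username: str, password: str, verify_credentials,
                 directory: Dict[str, Set[str]]) -> Optional[Principal]:
    """Assumed hook: verify_credentials(username, password) -> bool is the
    password check (e.g. a salted-hash comparison); directory maps each
    user to its group memberships. Returns an authenticated Principal or None."""
    if not verify_credentials(username, password):
        return None
    return Principal(username, set(directory.get(username, ())), authenticated=True)
```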
Authentication vs. Authorization
1. Authentication: In the authentication process, the identity of the user is checked before
access to the system is provided.
Authorization: In the authorization process, the person’s or user’s authorities are checked
before access to the resources is provided.
2. Authentication: Users or persons are verified.
Authorization: Users or persons are validated.
3. Authentication: It is done before the authorization process.
Authorization: It is done after the authentication process.
4. Authentication: It usually needs the user’s login details.
Authorization: It needs the user’s privilege or security levels.
5. Authentication: It determines whether the person is a user or not.
Authorization: It determines what permissions the user has.
6. Authentication: Generally transmits information through an ID Token.
Authorization: Generally transmits information through an Access Token.
7. Authentication: The OpenID Connect (OIDC) protocol is an authentication protocol that is
generally in charge of the user authentication process.
Authorization: The OAuth 2.0 protocol governs the overall system of the user authorization
process.
8. Popular Authentication Techniques:
• Password-Based Authentication
• Passwordless Authentication
• 2FA/MFA (Two-Factor Authentication / Multi-Factor Authentication)
• Single sign-on (SSO)
• Social authentication
Popular Authorization Techniques:
• Role-Based Access Controls (RBAC)
• JSON web token (JWT) Authorization
• SAML Authorization
• OpenID Authorization
• OAuth 2.0 Authorization
9. Authentication: The authentication credentials can be changed in part, as and when required,
by the user.
Authorization: The authorization permissions cannot be changed by the user, as these are
granted by the owner of the system and only he/she has the access to change them.
10. Authentication: User authentication is visible at the user end.
Authorization: User authorization is not visible at the user end.
11. Authentication: User authentication is carried out with username, password, face
recognition, retina scan, fingerprints, etc.
Authorization: User authorization is carried out through access rights to resources, using
roles that have been pre-defined.
12. Authentication example: Employees in a company are required to authenticate through the
network before accessing their company email.
Authorization example: After an employee successfully authenticates, the system determines
what information the employee is allowed to access.
Accountability
Accountability, also known as auditability, ensures that all actions on a system—authorized or
unauthorized—can be attributed to an authenticated identity.
Accountability is most often accomplished by means of system logs and database journals, and
the auditing of these records.
System logs record specific information, such as failed access attempts and system
modifications.
Logs have many uses, such as intrusion detection, determining the root cause of a system failure,
or simply tracking the use of a particular resource.
Policies:
Discretionary access control (DAC):
▪ Discretionary access control (DAC) is a type of security access control that grants or
restricts object access via an access policy determined by an object’s owner group and/or
subjects.
▪ DAC mechanism controls are defined by user identification with supplied credentials
during authentication, such as username and password.
▪ DACs are discretionary because the subject (owner) can transfer authenticated objects or
information access to other users. In other words, the owner determines object access
privileges.
▪ In DAC, each system object (file or data object) has an owner, and each initial object
owner is the subject that causes its creation. Thus, an object’s access policy is determined
by its owner.
▪ Discretionary access control decentralizes security decisions to resource owners. The
owner could be a document’s creator or a department’s system administrator. DAC
systems use access control lists (ACLs) to determine who can access that resource. These
tables pair individual and group identifiers with their access privileges.
▪ The sharing option in most operating systems is a form of DAC. For each document you
own, you can set read/write privileges and password requirements within a table of
individuals and user groups. System administrators can use similar techniques to secure
access to network resources.
What are the basic principles of DAC?
1. Object characteristics (size, name, directory path) are invisible to users that aren’t
authorized.
2. Several failed access attempts enforce additional multi-factor authentication or deny
access.
3. Users can transfer their object ownership to other users. Also, the owner determines the
access type of other users. Based on these access privileges, the operating system
decides whether to grant access to a file.
Advantages of DAC
Conceptual simplicity — ACLs pair a user with their access privileges. As long as the user is in
the table and has the appropriate privileges, they may access the resource.
Responsiveness to business needs — Since policy change requests do not need to go through a
security administration, decision-making is more nimble and aligned with business needs.
Disadvantages of DAC
Over/underprivileged users — A user can be a member of multiple, nested workgroups.
Conflicting permissions may over- or under-privilege the user.
Limited control — Security administrators cannot easily see how resources are shared within
the organization. And although viewing a resource’s ACL is straightforward, seeing one user’s
privileges requires searching every ACL.
Compromised security — By giving users discretion over access policies, the resulting
inconsistencies and missing oversight could undermine the organization’s security posture.
DAC attributes include:
▪ User may transfer object ownership to another user(s).
▪ User may determine the access type of other users.
▪ After several attempts, authorization failures restrict user access.
▪ Unauthorized users are blind to object characteristics, such as file size, file name and
directory path.
▪ Object access is determined during access control list (ACL) authorization and based on
user identification and/or group membership.
DAC is easy to implement and intuitive but has certain disadvantages, including:
▪ Inherent vulnerabilities (Trojan horse)
▪ ACL maintenance or capability
▪ Grant and revoke permissions maintenance
▪ Limited negative authorization power
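The DAC attributes listed above, together with the accountability requirement from the earlier section, can be seen working in one small object store. This is an added example, not code from the lecture notes: each object gets its creator as owner, only the owner may share or transfer it, privileges come from individual and group ACL entries, repeated failures restrict the subject, an unauthorized subject gets the same answer whether an object exists or not (so it learns no name, size or path), and every decision is appended to an audit log attributed to the requesting identity. The lockout threshold, user, group and file names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Added example, not from the lecture notes: a minimal DAC object store with
# owner-controlled ACLs, ownership transfer, lockout after repeated failures,
# hidden object metadata, and an audit log for accountability.
# MAX_FAILURES and all names below are constructed assumptions.

MAX_FAILURES = 3          # assumed number of failures before access is restricted


class AccessDenied(Exception):
    pass


class DacObject:
    def __init__(self, name, owner, size):
        self.name, self.owner, self.size = name, owner, size
        self.acl = {owner: {"read", "write"}}   # identifier -> privileges


class DacStore:
    def __init__(self, groups=None):
        self.objects = {}
        self.groups = groups or {}            # group name -> set of user ids
        self.failures = defaultdict(int)      # subject -> consecutive failures
        self.audit_log = []                   # (timestamp, subject, action, object, result)

    def _log(self, subject, action, obj_name, result):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, subject, action, obj_name, result))

    def _privileges(self, subject, obj):
        """Union of the subject's own ACL entry and the entries of its groups."""
        privs = set(obj.acl.get(subject, set()))
        for group, members in self.groups.items():
            if subject in members:
                privs |= obj.acl.get(group, set())
        return privs

    def create(self, subject, name, size):
        # The subject that causes an object's creation is its initial owner.
        self.objects[name] = DacObject(name, subject, size)
        self._log(subject, "create", name, "ok")

    def access(self, subject, name, mode):
        if self.failures[subject] >= MAX_FAILURES:
            self._log(subject, mode, name, "locked out")
            raise AccessDenied("locked out")
        obj = self.objects.get(name)
        if obj is None or mode not in self._privileges(subject, obj):
            self.failures[subject] += 1
            self._log(subject, mode, name, "denied")
            # Same answer whether the object is missing or merely hidden, so an
            # unauthorized subject cannot learn its name, size or path.
            raise AccessDenied("no such object or permission")
        self.failures[subject] = 0
        self._log(subject, mode, name, "ok")
        return {"name": obj.name, "size": obj.size}

    def _owned(self, subject, name, action):
        obj = self.objects.get(name)
        if obj is None or obj.owner != subject:
            self._log(subject, action, name, "denied")
            raise AccessDenied("only the owner may do this")
        return obj

    def grant(self, owner, name, grantee, privileges):
        """Discretionary sharing: the owner decides the access type of other users."""
        obj = self._owned(owner, name, "grant")
        obj.acl.setdefault(grantee, set()).update(privileges)
        self._log(owner, "grant", name, f"{grantee}:{sorted(privileges)}")

    def transfer_ownership(self, owner, name, new_owner):
        obj = self._owned(owner, name, "transfer")
        obj.owner = new_owner
        obj.acl.setdefault(new_owner, set()).update({"read", "write"})
        self._log(owner, "transfer", name, f"to {new_owner}")

    def privileges_of(self, subject):
        """Limited control: answering 'what can this user reach?' means scanning every ACL."""
        found = {}
        for name, obj in self.objects.items():
            privs = self._privileges(subject, obj)
            if privs:
                found[name] = privs
        return found
```

The `privileges_of` method is the "limited control" disadvantage made concrete: a single object's ACL is one lookup, but a single user's overall reach is a scan of every ACL in the store.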
Mandatory access control
➢ Mandatory access control consists of access control policies that are decided by the system,
not by the application or the data owner.
➢ Mandatory Access Control (MAC) is a group of security policies constrained according
to system classification, configuration and authentication.
➢ MAC policy management and settings are established in one secure network and are
available only to system administrators.
➢ MAC defines and provides centralized enforcement of confidentiality security policy
parameters.
➢ Mandatory access control creates strict security policies for individual users and the
resources, systems, or data they are enabled to access.
➢ These policies are controlled by management; individual users are not given the authority
to set, alter, or revoke permissions in a way that contradicts current policies.
MAC works by applying security labels to resources and individuals. These security labels
consist of two elements:
Classification and clearance — MAC relies on a classification system (restricted, secret, top-
secret, etc.) that describes a resource’s sensitivity. Users’ security clearances determine what
kinds of resources they may access.
Compartment — A resource’s compartment describes the group of people (department, project
team, etc.) allowed access. A user’s compartment defines the group or groups they participate in.
A user may only access a resource if their security label matches the resource’s security label.
MAC originated in the military and intelligence community. Beyond the national security world,
MAC implementations protect some companies’ most sensitive resources. Banks and insurers,
for example, may use MAC to control access to customer account data.
What are the basic principles of MAC?
1. The utmost privacy and confidentiality of the organization’s resources are
paramount. No one has default privileges to access or edit someone’s data.
2. Access provisioning is centrally administered.
3. Each individual and resource in the system has security labels with their
classification and category.
Advantages of MAC
Enforceability — MAC administrators set organization-wide policies that users cannot override,
making enforcement easier.
Compartmentalization — Security labels limit the exposure of each resource to a subset of the
user base.
Disadvantages of MAC
Collaboration — MAC achieves security by constraining communication. Highly collaborative
organizations may need a less restrictive approach.
Management burden — A dedicated organizational structure must manage the creation and
maintenance of security labels.
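The label rule above (classification plus compartment, centrally administered, no default privileges) is short enough to implement directly. The following is an added example, not code from the lecture notes. The notes say a user's label must "match" the resource's label; this example goes slightly further and implements the general dominance rule, of which an exact match is one case: the user's clearance must be at least the resource's classification and the user's compartments must include every compartment of the resource. It also adds the usual confidentiality write rule (a subject may write only to resources at or above its own label, so data cannot flow down). The classification ladder, subject names and resource names are constructed assumptions.

```python
from dataclasses import dataclass

# Added example, not from the lecture notes: MAC security labels with a
# classification level and a set of compartments, checked by dominance.
# LEVELS and the names used with it are constructed assumptions.

LEVELS = {"restricted": 1, "secret": 2, "top-secret": 3}


@dataclass(frozen=True)          # immutable: a subject cannot alter its own label
class Label:
    level: str
    compartments: frozenset

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as high and covers every compartment of other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


class MacSystem:
    """Central label registry. Only the administrator's provisioning code calls
    label_subject/label_resource; subjects never set, alter or revoke labels."""

    def __init__(self):
        self._subjects = {}
        self._resources = {}

    def label_subject(self, name, level, *compartments):
        self._subjects[name] = Label(level, frozenset(compartments))

    def label_resource(self, name, level, *compartments):
        self._resources[name] = Label(level, frozenset(compartments))

    def may_read(self, subject, resource):
        # An unlabelled subject has no default privileges at all.
        s = self._subjects.get(subject)
        return s is not None and s.dominates(self._resources[resource])

    def may_write(self, subject, resource):
        # Confidentiality rule: write only to resources at or above the subject's
        # own label, so classified content cannot be copied to a lower level.
        s = self._subjects.get(subject)
        return s is not None and self._resources[resource].dominates(s)

    def exposure(self, resource):
        """Compartmentalization: the subjects able to read this resource at all."""
        return sorted(u for u in self._subjects if self.may_read(u, resource))


if __name__ == "__main__":
    m = MacSystem()
    m.label_subject("analyst", "secret", "finance")
    m.label_subject("director", "top-secret", "finance", "hr")
    m.label_resource("q3-forecast", "secret", "finance")
    m.label_resource("salary-bands", "secret", "hr")
    print(m.may_read("analyst", "q3-forecast"), m.may_read("analyst", "salary-bands"))
```

The `exposure` method is the compartmentalization advantage from the notes in code form: for any resource, the set of users who can reach it is computed from labels alone, without consulting any per-resource list that an owner could have edited.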
Modern access control systems are based upon:
▪ Integration with enterprise user and identity databases and Lightweight Directory Access
Protocol (LDAP) directories.
▪ Robust business procedures pertaining to the provisioning and deprovisioning of a user.
▪ Provisioning applications integrated with the business provisioning and de-provisioning
process.
▪ A global enterprise ID for each user, to integrate the user’s identity across applications
and systems.
▪ A strong end-to-end audit of everywhere the physical person went and the systems,
software and information systems they accessed.
▪ RBAC stands for role-based access control. It is also known as role-based security. It is an
access control method that assigns permissions to end users based on their role within
the organization. RBAC supports fine-grained control, providing a simple, manageable
approach to access administration that is less error-prone than assigning permissions
individually.
▪ This can decrease cybersecurity risk, protect sensitive information, and ensure that
employees can only access information and perform actions they require to do their
jobs. This is referred to as the principle of least privilege.
▪ Roles are based on multiple elements in RBAC, such as authorization, responsibility, and
job specialization. Organizations generally designate roles for several kinds of users, such
as an end user, an administrator, or a specialist user. The capability to view, create or
change files within a role can also be limited to specific tasks.
What is role-based access control (RBAC)?
➢ Role-based access control grants access privileges based on the work that individual users
do. A popular way of implementing “least privilege” policies, RBAC limits access to just
the resources users need to do their jobs.
➢ Implementing RBAC requires defining the different roles within the organization and
determining whether and to what degree those roles should have access to each resource.
➢ Accounts payable administrators and their supervisor, for example, can access the
company’s payment system. The administrators’ role limits them to creating payments
without approval authority. Supervisors, on the other hand, can approve payments but
may not create them.
Advantages of RBAC
Flexibility — Administrators can optimize an RBAC system by assigning users to multiple
roles, creating hierarchies to account for levels of responsibility, constraining privileges to reflect
business rules, and defining relationships between roles.
Ease of maintenance — With well-defined roles, the day-to-day management is the routine on-
boarding, off-boarding, and cross-boarding of users’ roles.
Centralized, non-discretionary policies — Security professionals can set consistent RBAC
policies across the organization.
Lower risk exposure — Under RBAC, users only have access to the resources their roles
justify, greatly limiting potential threat vectors.
Disadvantages of RBAC
Complex deployment — The web of responsibilities and relationships in larger enterprises
makes defining roles so challenging that it spawned its own subfield: role engineering.
Balancing security with simplicity — More roles and more granular roles provide greater
security, but administering a system where users have dozens of overlapping roles becomes more
difficult.
Layered roles and permissions — Assigning too many roles to users also increases the risk of
over-privileging users.
How does RBAC work?
Let’s consider the main components of the role-based approach to access control:
User – an individual with a unique identifier (UID) that has access to a system
Role – a named job function (indicates the level of authority)
Permission – equivalent to access rights
Session – a period of working time during which a user utilizes the permissions of the roles
assigned to them
Object – a system resource that requires permission to access
Operation – any action in the protected network
The basic rules of RBAC are:
1. All user activities are carried out through operations.
2. A user can execute an operation only if the user has been assigned a role that allows
them to do so.
3. Identification and authentication are not considered operations.
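The components and the three rules above, applied to the accounts-payable scenario described earlier (administrators create payments but cannot approve them; supervisors approve but cannot create), as an added example that is not code from the lecture notes. A session activates a subset of a user's assigned roles, which is how least privilege is applied per task; `open_session` takes a user who has already been identified and authenticated, since rule 3 says those steps are not operations. Role names, user names and the `payment` object are constructed assumptions.

```python
from dataclasses import dataclass

# Added example, not from the lecture notes: the RBAC components (user, role,
# permission, session, object, operation) and the three basic rules, applied
# to the accounts-payable scenario. Names below are constructed assumptions.


@dataclass(frozen=True)
class Permission:           # the right to perform one operation on one object
    operation: str
    obj: str


class Rbac:
    def __init__(self):
        self.roles = {}         # role name -> set of Permission
        self.assignments = {}   # user id -> set of role names
        self.sessions = {}      # session id -> (user id, activated roles)
        self._next_session = 0

    def add_role(self, role, *perms):
        self.roles[role] = {Permission(op, obj) for op, obj in perms}

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.assignments.setdefault(user, set()).add(role)

    def open_session(self, user, roles=None):
        """Start a session for an already identified and authenticated user
        (rule 3: identification and authentication are not operations).
        A session may activate only roles assigned to that user; activating a
        subset is how least privilege is applied to a particular task."""
        assigned = self.assignments.get(user, set())
        active = set(assigned) if roles is None else set(roles)
        if not active <= assigned:
            raise PermissionError(f"{user} is not assigned {sorted(active - assigned)}")
        self._next_session += 1
        self.sessions[self._next_session] = (user, active)
        return self._next_session

    def check(self, session_id, operation, obj):
        """Rules 1 and 2: every activity is an operation, and it is allowed only
        if one of the session's active roles carries that permission."""
        _, active = self.sessions[session_id]
        wanted = Permission(operation, obj)
        return any(wanted in self.roles[role] for role in active)

    def user_permissions(self, user):
        """Union over all assigned roles; useful when auditing for over-privileging."""
        perms = set()
        for role in self.assignments.get(user, set()):
            perms |= self.roles[role]
        return perms


if __name__ == "__main__":
    rbac = Rbac()
    rbac.add_role("ap_clerk", ("view", "payment"), ("create", "payment"))
    rbac.add_role("ap_supervisor", ("view", "payment"), ("approve", "payment"))
    rbac.assign("bob", "ap_clerk")
    rbac.assign("sue", "ap_supervisor")
    clerk = rbac.open_session("bob")
    print(rbac.check(clerk, "create", "payment"), rbac.check(clerk, "approve", "payment"))
```

`user_permissions` is the check an administrator runs against the "layered roles and permissions" disadvantage: when a user accumulates several roles, the union shows at a glance whether the combination over-privileges them.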
Origin: https://www.ekransystem.com/en/blog/rbac-vs-abac
© Ekran System

More Related Content

PDF
CISSP Domain 05 Identity and Access Management (IAM).pdf
PDF
Understanding User Authentication- Methods, Importance, and Best Practices.pdf
PDF
information security Lecture by cyber security
PDF
Understanding User Authentication_ A Cornerstone of Cybersecurity.pdf
PDF
free blogger templates documents based on knowledge
PDF
Enhancing Security with LoginRadius Adaptive MFA for Broken Authentication
PDF
Securing User Access: Fixing Broken Authentication Through MFA
PPTX
Evolution of MFA.pptx
CISSP Domain 05 Identity and Access Management (IAM).pdf
Understanding User Authentication- Methods, Importance, and Best Practices.pdf
information security Lecture by cyber security
Understanding User Authentication_ A Cornerstone of Cybersecurity.pdf
free blogger templates documents based on knowledge
Enhancing Security with LoginRadius Adaptive MFA for Broken Authentication
Securing User Access: Fixing Broken Authentication Through MFA
Evolution of MFA.pptx

Similar to UNIT 2 Information Security Sharad Institute (20)

PDF
Understanding User Authentication- The First Line of Defense in Cybersecurity...
PDF
Eliminate Password Fatigue with Smart Authentication Solutions.pdf
PPT
Eds user authenticationuser authentication methods
PDF
Three Step Multifactor Authentication Systems for Modern Security
PDF
Two-factor authentication- A sample writing _Zaman
PPTX
Unit-4-User-Authentication.pptx
PDF
Multi Factor Authentication Whitepaper Arx - Intellect Design
PDF
Module 3-cyber security
PDF
120 i143
PDF
Brafton White Paper Example
PDF
Ethical hacking and social engineering
PPTX
protection & security of e-commerce ...
PDF
Addressing Insider Threat using "Where You Are" as Fourth Factor Authentication
PPTX
Ethical Hacking .pptx
PDF
Introduction to Solus
PDF
What, Exactly, is Multi-Factor Authentication, and How To Use It?
PPTX
Cyber security detailed ppt and understand
PPTX
Authentication and session v4
PDF
M-Pass: Web Authentication Protocol
PDF
Understanding User Authentication- The First Line of Defense in Cybersecurity...
Eliminate Password Fatigue with Smart Authentication Solutions.pdf
Eds user authenticationuser authentication methods
Three Step Multifactor Authentication Systems for Modern Security
Two-factor authentication- A sample writing _Zaman
Unit-4-User-Authentication.pptx
Multi Factor Authentication Whitepaper Arx - Intellect Design
Module 3-cyber security
120 i143
Brafton White Paper Example
Ethical hacking and social engineering
protection & security of e-commerce ...
Addressing Insider Threat using "Where You Are" as Fourth Factor Authentication
Ethical Hacking .pptx
Introduction to Solus
What, Exactly, is Multi-Factor Authentication, and How To Use It?
Cyber security detailed ppt and understand
Authentication and session v4
M-Pass: Web Authentication Protocol
Ad

Recently uploaded (20)

PDF
RMMM.pdf make it easy to upload and study
PDF
STATICS OF THE RIGID BODIES Hibbelers.pdf
PDF
Anesthesia in Laparoscopic Surgery in India
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
PDF
Classroom Observation Tools for Teachers
PPTX
Microbial diseases, their pathogenesis and prophylaxis
PDF
VCE English Exam - Section C Student Revision Booklet
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
PPTX
Cell Types and Its function , kingdom of life
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
PDF
TR - Agricultural Crops Production NC III.pdf
PPTX
Renaissance Architecture: A Journey from Faith to Humanism
PDF
Business Ethics Teaching Materials for college
PPTX
Institutional Correction lecture only . . .
PPTX
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
PPTX
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
PDF
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
PPTX
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
RMMM.pdf make it easy to upload and study
STATICS OF THE RIGID BODIES Hibbelers.pdf
Anesthesia in Laparoscopic Surgery in India
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
Classroom Observation Tools for Teachers
Microbial diseases, their pathogenesis and prophylaxis
VCE English Exam - Section C Student Revision Booklet
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
Cell Types and Its function , kingdom of life
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
TR - Agricultural Crops Production NC III.pdf
Renaissance Architecture: A Journey from Faith to Humanism
Business Ethics Teaching Materials for college
Institutional Correction lecture only . . .
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
Abdominal Access Techniques with Prof. Dr. R K Mishra
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
Ad

UNIT 2 Information Security Sharad Institute

  • 1. 1 UNIT 2 User Authentication and Access Control What Is User Authentication? Authentication is the process of identifying users that request access to a system, network, or device. Access control often determines user identity according to credentials like username and password. Other authentication technologies like biometrics and authentication apps are also used to authenticate user identity. Why Is User Authentication Important? User authentication is a method that keeps unauthorized users from accessing sensitive information. For example, User A only has access to relevant information and cannot see the sensitive information of User B. Cybercriminals can gain access to a system and steal information when user authentication is not secure. The data breaches companies like Adobe, Equifax, and Yahoo faced are examples of what happens when organizations fail to secure their user authentication. Hackers gained access to Yahoo user accounts to steal contacts, calendars and private emails between 2012 and 2016. The Equifax data breach in 2017 exposed credit card data of more than 147 million consumers. Without a secure authentication process, any organization could be at risk.
  • 2. 2 How Does User Authentication Work? User authentication is typically achieved through passcodes, identification cards, or other means of verification. It typically occurs the following way: • The user enters the login credentials on the login page to verify their identity. • The server decrypts the personalized information it has received and compares it to the stored credentials in its database. • If the information matches, the user is granted access. If not, the request is declined. • Depending on the security settings, the user may be allowed to initiate another request or be blocked from accessing the web application altogether. 5 Common Authentication Types Cybercriminals always improve their attacks. As a result, security teams are facing plenty of authentication-related challenges. This is why companies are starting to implement more sophisticated incident response strategies, including authentication as part of the process. The list below reviews some common authentication methods used to secure modern systems. 1. Password-based authentication Passwords are the most common methods of authentication. Passwords can be in the form of a string of letters, numbers, or special characters. To protect yourself you need to create strong passwords that include a combination of all possible options. However, passwords are prone to phishing attacks and bad hygiene that weakens effectiveness. An average person has about 25 different online accounts, but only 54% of users use different passwords across their accounts. The truth is that there are a lot of passwords to remember. As a result, many people choose convenience over security. Most people use simple passwords instead of creating reliable passwords because they are easier to remember. The bottom line is that passwords have a lot of weaknesses and are not sufficient in protecting online information. 
Hackers can easily guess user credentials by running through all possible combinations until they find a match.
  • 3. 3 2. Multi-factor authentication Multi-Factor Authentication (MFA) is an authentication method that requires two or more independent ways to identify a user. Examples include codes generated from the user’s smartphone, Captcha tests, fingerprints, voice biometrics or facial recognition. MFA authentication methods and technologies increase the confidence of users by adding multiple layers of security. MFA may be a good defense against most account hacks, but it has its own pitfalls. People may lose their phones or SIM cards and not be able to generate an authentication code. 3. Certificate-based authentication Certificate-based authentication technologies identify users, machines or devices by using digital certificates. A digital certificate is an electronic document based on the idea of a driver’s license or a passport. The certificate contains the digital identity of a user including a public key, and the digital signature of a certification authority. Digital certificates prove the ownership of a public key and issued only by a certification authority. Users provide their digital certificates when they sign in to a server. The server verifies the credibility of the digital signature and the certificate authority. The server then uses cryptography to confirm that the user has a correct private key associated with the certificate. 4. Biometric authentication Biometrics authentication is a security process that relies on the unique biological characteristics of an individual. Here are key advantages of using biometric authentication technologies: • Biological characteristics can be easily compared to authorized features saved in a database. • Biometric authentication can control physical access when installed on gates and doors. • You can add biometrics into your multi-factor authentication process. Biometric authentication technologies are used by consumers, governments and private corporations including airports, military bases, and national borders. 
The technology is increasingly adopted due to the ability to achieve a high level of security without creating friction for the user. Common biometric authentication methods include: • Facial recognition—matches the different face characteristics of an individual trying to gain access to an approved face stored in a database. Face recognition can be inconsistent when
  • 4. 4 comparing faces at different angles or comparing people who look similar, like close relatives. Facial liveness like ID R&D’s passive facial liveness prevents spoofing. • Fingerprint scanners—match the unique patterns on an individual’s fingerprints. Some new versions of fingerprint scanners can even assess the vascular patterns in people’s fingers. Fingerprint scanners are currently the most popular biometric technology for everyday consumers, despite their frequent inaccuracies. This popularity can be attributed to iPhones. • Speaker Recognition —also known as voice biometrics, examines a speaker’s speech patterns for the formation of specific shapes and sound qualities. A voice-protected device usually relies on standardized words to identify users, just like a password. • Eye scanners—include technologies like iris recognition and retina scanners. Iris scanners project a bright light towards the eye and search for unique patterns in the colored ring around the pupil of the eye. The patterns are then compared to approved information stored in a database. Eye-based authentication may suffer inaccuracies if a person wears glasses or contact lenses. 5. Token-based authentication Token-based authentication technologies enable users to enter their credentials once and receive a unique encrypted string of random characters in exchange. You can then use the token to access protected systems instead of entering your credentials all over again. The digital token proves that you already have access permission. Use cases of token-based authentication include RESTful APIs that are used by multiple frameworks and clients.
  • 5. 5 Types of Password Attacks Password cracking is one of the crucial stages of systemhacking. Password-cracking mechanisms often exploit otherwise legal means to gain unauthorized systemaccess, such as recovering a user’s forgotten password. Classification of password attacks depends on the attacker’s actions, which are of the following four types: ▪ Non-Electronic Attacks: This is, for most cases, the attacker’s first attempt at gaining target system passwords. Non-electronic or non-technical attacks do not require any technical knowledge about hacking or systemexploitation. Techniques used to perform non-electronic attacks include shoulder surfing, social engineering, dumpster diving, etc. ▪ Active Online Attacks: This is one of the easiest ways to gain unauthorized administrator- level system access. Here, the attacker communicates with the target machine to gain password access. Techniques used to perform active online attacks include password guessing, dictionary and brute-forcing attacks, hash injection, LLMNR/NBT-NS poisoning, use of Trojans/spyware/keyloggers, internal monologue attacks, Markov-chain attacks, Kerberos password cracking, etc. ▪ Passive Online Attacks: A passive attack is a type of systemattack that does not lead to any changes in the system. In this attack, the attacker does not have to communicate with the system, but passively monitor or record the data passing over the communication channel, to
  • 6. 6 and from the system. The data are then used to break into the system. Techniques used to perform passive online attacks include wire sniffing, man-in-the-middle attacks, replay attacks, etc. ▪ Offline Attacks: Offline attacks refer to password attacks in which an attacker tries to recover clear text passwords from a password hash dump. Offline attacks are often time consuming but have a high success rate, as the password hashes can be reversed owing to their small key space and short length. Attackers use pre-computed hashes from rainbow tables to perform offline and distributed network attacks. Password Guessing Password Guessing Password guessing is a password-cracking technique that involves attempting to log on to the target system with different passwords manually. Guessing is the key element of manual password cracking. The attacker creates a list of all possible passwords from the information collected through social engineering or any other method and tries them manually on the victim’s machine to crack the passwords. The following are the steps involved in password guessing: ▪ Find a valid user ▪ Create a list of possible passwords
  • 7. 7 ▪ Rank passwords from high to low probability ▪ Key in each password, until the correct password is discovered Hackers can crack passwords manually or by using automated tools, methods, and algorithms. They can also automate password cracking using a simple FOR loop or create a script file that tries each password in a list. These techniques are still considered manual cracking. The failure rate of this type of attack is high. What is Social Engineering? Before performing a social engineering attack, the attacker gathers information about the target organization from various sources such as: ▪ The organization’s official websites, where employees’ IDs, names, and email addresses are shared ▪ Advertisements of the target organization cast through media reveal information such as products and offers. ▪ Blogs, forums, and other online spaces where employees share basic personal and organizational information. After gathering information, an attacker executes social engineering attacks using various approaches such as impersonation, piggybacking, tailgating, reverse social engineering, and other methods.
  • 8. 8 Piggybacking Piggybacking usually implies entry into a building or security area with the consent of the authorized person. For example, an attacker might request an authorized person to unlock a security door, saying that they have forgotten their ID badge. In the interest of common courtesy, the authorized person will allow the attacker to pass through the door. Non-ElectronicAttacks: This is, for most cases, the attacker’s first attempt at gaining target system passwords. Non-electronic or non-technical attacks do not require any technical knowledge about hacking or systemexploitation. Techniques used to perform non- electronic attacks include shoulder surfing, social engineering, dumpster diving, etc. Shoulder Surfing Shoulder Surfing • Shoulder surfing is the technique of looking over someone’s shoulder as they key information into a device.
  • 9. 9 • Attackers use shoulder surfing to find out passwords, personal identification numbers, account numbers, and other information. They sometimes even use binoculars and other optical devices or install small cameras to record the actions performed on the victim’s system to obtain login details and other sensitive information. Dumpster Diving • Dumpster diving is the process of retrieving sensitive personal or organizational information by searching through trash bins. • Attackers can extract confidential data such as user IDs, passwords, policy numbers, network diagrams, account numbers, bank statements, salary data, source code, sales forecasts, access codes, phone lists, credit card numbers, calendars, and organizational charts on paper or disk. • Attackers can then use this information to perform various malicious activities. Sometimes attackers even use pretexts to support their dumpster diving initiatives, such as impersonating a repair person, technician, cleaner, or other legitimate worker. Information that attackers can obtain by searching through trash bins includes: ▪ Phone lists: Disclose employees’ names and contact numbers. ▪ Organizational charts: Disclose details about the structure of the company, physical infrastructure, server rooms, restricted areas, and other organizational data. ▪ Email printouts, notes, faxes, and memos: Reveal personal details of an employee, passwords, contacts, inside working operations, certain useful instructions, and other data. ▪ Policy manuals: Reveal information regarding employment, systemuse, and operations. ▪ Event notes, calendars, or computer use logs: Reveal information regarding the user’s log on and off timings, which helps the attacker to decide on the best time to plan their attack. Biometric Authentication Biometric access control is based on the use of some measurable human characteristic or trait to authenticate the identity of a proposed systems user (a supplicant). 
It relies upon recognition— the same thing you rely upon to identify friends, family, and other people you know. The use of biometric-based authentication is expected to have a significant impact in the future as technical and ethical issues with the technology are resolved. Biometric authentication technologies include the following:
• Fingerprint comparison of the supplicant’s actual fingerprint to a stored fingerprint
• Palm print comparison of the supplicant’s actual palm print to a stored palm print
• Hand geometry comparison of the supplicant’s actual hand to a stored measurement
• Facial recognition using a photographic ID card, in which a human security guard compares the supplicant’s face to a photo
• Facial recognition using a digital camera, in which a supplicant’s face is compared to a stored image
• Retinal print comparison of the supplicant’s actual retina to a stored image
• Iris pattern comparison of the supplicant’s actual iris to a stored image

Among all possible biometrics, only three human characteristics are usually considered truly unique. They are as follows:
• Fingerprints
• Retina of the eye (blood vessel pattern)
• Iris of the eye (random pattern of features found in the iris, including freckles, pits, striations, vasculature, coronas, and crypts)

How Biometrics Work

At the most basic level, you need two things to verify an individual's identity with a biometric identifier: a way to collect or measure the desired characteristic and a record of that characteristic to compare your measurement to. However, to automate the biometric authentication process, modern biometric systems typically require three components:
1. A physical measurement device that reads or scans the biometric characteristic you're using to authenticate a person
2. Software that translates a biometric scan into a digital format and compares it to the record of that biometric characteristic
3. A stored record of that biometric characteristic that the software can compare the new scan to in order to verify a person

Centralized vs. Decentralized Biometric Data Storage (and Why It Matters)

Biometric data is typically stored either on a central server or the authentication device itself — with the former being a controversial method for doing so.
Storing biometric data on a server like you would a password means that if the database is breached, your users' biometric data is breached. And since you can't reset biometric data like you would a password, it means your users' biometric data is compromised for the rest of their life. Device-level storage keeps biometric data distributed, which eliminates the risk of large quantities of biometric data being exposed all at once (better protection for users and organizations).

Types of Biometrics

Below are the most common types of biometric characteristics in use today:
• Fingerprint Biometrics. The patterns found on a person's fingers are unique to them and are already used to verify smartphone users.
• Behavioral Biometrics. Behavioral biometrics use patterns in an individual's behavior, such as keystroke patterns and computer mouse movements or other behavioral characteristics like a user's physical location, to identify them.
• Ear Biometrics. A person's ear has a unique shape, and research shows ear recognition could be more accurate than fingerprint recognition.
• Voice Biometrics. A person’s voice is unique to them. Voice recognition systems are 90% accurate on average.
• Facial Recognition Biometrics. Research shows that an individual's face is unique when measured in sufficient detail and therefore is effective for accurately identifying them. Face recognition algorithms are far from perfect (studies show the technology is less effective in identifying darker-skinned individuals). However, companies are taking steps to improve their accuracy with artificial intelligence (AI).
• Hand Geometry Biometrics. Hand geometry is unique from person to person and has been used to identify a person since the 1960s. Although hand geometry is unique, using it to identify an individual does carry some important limitations, according to the Infosec Institute.
• Gait Biometrics. Gait analysis measures the way a person walks to identify them. Gait recognition is still a new technology, but researchers have already developed systems for smartphones that could be used to implement it.
• Retina Biometrics. Retina biometrics use the unique pattern on a person's retina to identify them. Research shows that retinal scans are very accurate.
• Iris Biometrics. Iris biometrics are similar to retina biometrics, except they use the unique pattern of a person's iris instead of the retina. Research by the National Institute of Standards and Technology (NIST) shows that iris scans are 90-99% accurate.
• Vein Recognition Biometrics. Vein recognition is also known as vascular biometrics and uses subdermal vein patterns to identify a person. Vein recognition is the most accurate biometric technology in use today. However, researchers have cracked vein recognition in the past using a wax hand. So although it's effective at distinguishing between individuals, it's susceptible to attack.
• DNA Biometrics. 99.9% of the average person's DNA is identical to every other person on Earth. However, the 0.1% that's different is enough to identify a person with a high degree of accuracy.
• Voice Recognition. This method of authentication analyzes the sounds a person makes when they speak.
• Digital Signatures. These analyses include static systems that simply compare the signature to an existing handwriting sample and dynamic systems that also track the movement of the person’s hand when it’s writing.

The Pros and Cons of Biometrics for Cybersecurity

Biometrics promise organizations improved security and better experiences for users. But they also create new risks that organizations need to account for if they choose to use them to verify employees or end users.

Pros

Biometrics are an effective way to verify users because biometric traits are harder to fake, replicate or transfer than traditional username/password (U/P) authentication. Research also shows that consumers prefer biometric authentication to U/P authentication because it's easier for them to authenticate themselves — they just scan their finger, and they're in. This benefits organizations because a positive user experience can also reduce security risks and offer a competitive advantage. Finally, biometric data often saves companies money because it uses less server space than traditional authentication measures and eliminates the need to reset a password. Auth0 customers report costs of up to $120 per password reset.

Cons

Biometric identification systems can be costly to implement if a company is installing everything from scratch. For example, although some biometric technologies like fingerprint scanners are now fairly cheap to purchase, the more accurate and reliable technologies are often quite expensive.
One way to substantially bring down these costs is to use scanners within existing devices, such as mobile phones, as the authentication mechanism.

And although biometrics do reduce many security risks, cybercriminals have still found ways to crack biometric authentication systems, as well as breach the databases biometric data is stored on. Biometrics are also a challenge to store securely because the hashing process used to protect passwords doesn't work with biometric data: a fresh scan never matches the enrolled sample bit for bit, so there is no exact value that can be hashed and compared. So any organization that utilizes biometrics to verify their users has to ensure that any biometric data they store centrally is adequately encrypted or they'll put their users at risk.

Common Examples of Biometrics in Use Today

Biometrics are most commonly used in smartphones, tablets, and laptops. For example, both Apple and Samsung use fingerprint and facial recognition to unlock their devices. However, enterprises, government agencies, and even law enforcement are also using a variety of biometric identifiers for access control or to verify an individual's identity.
• Financial Services. Behavioral biometrics are used in financial and banking industries to prevent fraud and identity theft.
• Law Enforcement. Law enforcement agencies use fingerprints, palm prints, and DNA to verify the identity of criminals.
• Immigration and Customs. Many countries use biometrics to document foreign residents and issue visas. For example, the United States Department of Homeland Security uses fingerprints and facial recognition to verify an individual when they enter the country, as well as issue a green card to foreign residents.
• Healthcare and Medicine. Biometrics are currently used to identify patients in hospitals and retrieve medical records.
• Customer Service. Voice biometrics are used to authenticate users when they call a customer service center.
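The following is an added example for these notes, not code from the original slides or from any vendor they mention. It shows, with constructed toy feature vectors in place of real scanner output, why a password can be verified from a salted hash (the input is either exactly right or wrong) while a biometric template cannot (every capture differs slightly, so the verifier needs a similarity threshold), and how moving that threshold trades false rejects of genuine users against false accepts of impostors, which is the accuracy figure the notes quote for each biometric type. The Euclidean-distance matcher is a stand-in for a real matching algorithm.

```python
"""Added example (not from the original notes): exact-match password hashing
versus threshold-based biometric matching on constructed sample data."""
import hashlib
import hmac
import math
import os

PBKDF2_ROUNDS = 100_000

# --- Password path: exact match, so a salted hash is enough -----------------
def hash_password(password, salt=None):
    """Return (salt, digest); the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password, salt, digest):
    """Constant-time comparison of a fresh hash with the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

# --- Biometric path: every capture differs a little, so hashing fails -------
def hash_scan(features):
    """Hashing a scan the way a password is hashed: any tiny change in the
    captured features yields an unrelated digest, so genuine users never match."""
    encoded = ",".join(f"{x:.3f}" for x in features).encode()
    return hashlib.sha256(encoded).hexdigest()

def distance(a, b):
    """Euclidean distance between two feature vectors (toy matcher)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def verify_biometric(sample, template, threshold):
    """Accept when the captured sample is close enough to the enrolled template."""
    return distance(sample, template) <= threshold

def error_rates(template, genuine_samples, impostor_samples, threshold):
    """Return (false_reject_rate, false_accept_rate) at a given threshold.
    A tighter threshold blocks more impostors but rejects more genuine users."""
    rejected_genuine = sum(not verify_biometric(s, template, threshold) for s in genuine_samples)
    accepted_impostor = sum(verify_biometric(s, template, threshold) for s in impostor_samples)
    return (rejected_genuine / len(genuine_samples), accepted_impostor / len(impostor_samples))

# Constructed sample data: one enrolled template, repeat captures from the
# same person, and captures from other people.
ENROLLED = [10.0, 20.0, 30.0, 40.0]
GENUINE = [
    [10.2, 19.8, 30.1, 40.3],
    [9.7, 20.4, 29.8, 39.9],
    [10.1, 20.1, 31.5, 40.0],
    [10.0, 20.0, 30.0, 43.0],   # a poor-quality capture, far from the template
]
IMPOSTORS = [
    [12.0, 18.0, 33.0, 41.0],
    [10.5, 20.5, 30.5, 40.5],   # an impostor who happens to be close
    [5.0, 25.0, 30.0, 40.0],
]

if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("password exact match:", verify_password("correct horse battery staple", salt, digest))
    print("hash(enrolled) == hash(genuine capture):", hash_scan(ENROLLED) == hash_scan(GENUINE[0]))
    for t in (0.9, 2.0, 5.0):
        frr, far = error_rates(ENROLLED, GENUINE, IMPOSTORS, t)
        print(f"threshold {t}: FRR={frr:.2f} FAR={far:.2f}")
```

With these samples, threshold 0.9 rejects half the genuine captures but no impostor, threshold 2.0 accepts one impostor in three, and threshold 5.0 accepts everyone; the stored template itself is plain feature data at every threshold, which is why the notes insist on encrypting centrally stored biometrics rather than relying on hashing.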
The Future of Biometrics

The total market value of the biometrics industry is expected to grow 87% in the next five years as more organizations adopt biometric authentication to secure data, devices, and applications. As that occurs, there are several trends emerging that organizations should pay attention to:
▪ Continuous improvement of biometric security is a must. Bad actors are finding new ways to circumvent biometric authentication systems. So reducing security risks to biometric data is a continuous effort, not a one-and-done event.
▪ Using biometrics in continuous authentication applications will gain more traction. Continuous authentication happens on a rolling basis while a person uses your systems, rather than once at the beginning. Many experts expect biometrics to be widely incorporated into continuous authentication systems as they become available in the near future.
▪ Regulations around biometric data are tightening. Biometrics are still a relatively new technology. But given the privacy concerns associated with biometric data, regulators are beginning to tighten restrictions around how biometric data is collected, used, and stored.

Keystroke Recognition

Think of this element as the digital world’s version of handwriting analysis. It’s not to be confused with keylogging, which is taking note of what a person is actually typing. Keystroke recognition is a method of recording a person’s individual typing pattern, including the pace at which a person types particular letters or words, in order to isolate and identify the person doing the typing.

Gait Recognition

Although a system that tracks the way a person walks may not be feasible in every situation, it can be an accurate identifier of an individual.

Advantages of Biometrics

There are many advantages to using biometrics as a form of identification for access, including that biometrics:
– Cannot be lost: You can always forget your key, access card or password, but you can’t forget your fingerprints or your eyes. If biometrics are the only means of authentication, a user can never be locked out if they’re entitled to access. If you use multi-factor identification, a biometric factor is one less thing that users need to remember.
– Cannot be transferred or stolen: It is easy and not uncommon for people to leave access cards or notepads containing passwords lying around where unwanted personnel could get their hands on them. You cannot lose your biometrics due to carelessness, and they cannot be transferred or stolen without causing physical trauma to the user.
– Are person-specific: Unless a user is colluding with an unauthorized person, you can be confident that the person who is using biometrics to gain access is who they purport to be.
– Are intuitive: Most users should have little difficulty figuring out how to press their finger onto a fingerprint scanner or look into an eye scanner. This process can be much faster and more convenient than hunting around for another password or trying to find the right way to insert an access card.

Access Controls: Definition:
Access control is the method by which systems determine whether and how to admit a user into a trusted area of the organization—that is, information systems, restricted areas such as computer rooms, and the entire physical location. Access control is achieved by means of a combination of policies, programs, and technologies. Access controls can be mandatory, nondiscretionary, or discretionary.

Why is access control important?

Access control keeps confidential information such as customer data, personally identifiable information, and intellectual property from falling into the wrong hands. It’s a key component of the modern zero trust security framework, which uses various mechanisms to continuously verify access to the company network. Without robust access control policies, organizations risk data leakage from both internal and external sources.

Access control is particularly important for organizations with hybrid cloud and multi-cloud environments, where resources, apps, and data reside both on premises and in the cloud. Access control can provide these environments with more robust access security beyond single sign-on (SSO), and prevent unauthorized access from unmanaged and BYO devices.

Types:
1. Discretionary access control (DAC)
2. Mandatory access control (MAC)
3. Role-based access control (RBAC)
4. Privilege-based access control (PBAC)
5. Rule-based access control
6. Attribute-based access control
7. Identity-based access control
8. History-based access control

Authentication

Authentication is the process of validating a supplicant’s purported identity. There are three widely used authentication mechanisms, or authentication factors:

Something a Supplicant Knows
This factor of authentication relies upon what the supplicant knows and can recall—for example, a password, passphrase, or other unique authentication code, such as a personal identification number (PIN).
Something a Supplicant Has
This authentication factor relies upon something a supplicant has and can produce when necessary. One example is dumb cards, such as ID cards or ATM cards with magnetic stripes containing the digital (and often encrypted) user PIN, against which the number a user inputs is compared.
Something a Supplicant Is or Can Produce
This authentication factor relies upon individual characteristics, such as fingerprints, palm prints, hand topography, hand geometry, or retina and iris scans, or something a supplicant can produce on demand, such as voice patterns, signatures, or keyboard kinetic measurements.

Security Access Manager provides the following authentication mechanisms:

One-time password authentication mechanisms
A one-time password is a password that is generated for an authentication event and is valid for one use. The one-time password authentication capability in Security Access Manager provides the following features:
• One-time password generation and validation with support for various implementations as provided.
• One-time password delivery with email and short message service (SMS) implementation.
• Time-based, counter-based, and RSA one-time password generation and validation that requires no delivery mechanism.

Username and Password mechanism
Users provide a user name and password.

HTTP Redirect mechanism
Use this mechanism to integrate a custom authentication mechanism into the workflow of an authentication policy. Users provide credentials that are required by the custom authentication mechanism.

Consent to device registration mechanism
Users provide consent to allow their device to be registered.

Authentication policies
By grouping the provided authentication mechanisms into the workflow of an authentication policy, you can achieve several types of authentication:
• Simple authentication: Users provide basic identifying information such as a user name and password.
• Step-up authentication: Users provide a specific type of credential, usually to access sensitive resources. The users might be challenged to authenticate and provide an extra set of credentials to prove that they are allowed to access sensitive resources.
• Multi-factor authentication: Users provide more than one type of credential to access a protected resource.
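The time-based and counter-based one-time passwords mentioned above are standardised algorithms (HOTP in RFC 4226, TOTP in RFC 6238). The following added example, which is not Security Access Manager code and does not cover the RSA or email/SMS delivery variants, implements both with Python's standard library and adds the server-side bookkeeping that makes a code valid for one use only: a look-ahead counter for HOTP that refuses replays, and a small clock-drift window for TOTP. The shared secret is the published RFC test key, so the outputs can be checked against the RFC tables.

```python
"""Added example for these notes (not IBM Security Access Manager code):
HOTP (RFC 4226) and TOTP (RFC 6238) generation and one-use validation."""
import hashlib
import hmac
import struct
import time

def hotp(secret, counter, digits=6):
    """HOTP: HMAC-SHA1(secret, counter) dynamically truncated to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble selects the 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret, for_time=None, step=30, digits=6):
    """TOTP: HOTP whose counter is the number of `step`-second windows since the epoch."""
    now = time.time() if for_time is None else for_time
    return hotp(secret, int(now) // step, digits)

def verify_totp(secret, code, for_time=None, step=30, window=1, digits=6):
    """Accept the current window plus/minus `window` neighbours to tolerate clock drift."""
    now = time.time() if for_time is None else for_time
    current = int(now) // step
    return any(
        hmac.compare_digest(hotp(secret, current + delta, digits), code)
        for delta in range(-window, window + 1)
    )

class HotpValidator:
    """Server-side HOTP state: remembers the next expected counter so a code,
    once accepted, can never be replayed (the 'valid for one use' rule)."""

    def __init__(self, secret, look_ahead=5, digits=6):
        self.secret = secret
        self.digits = digits
        self.look_ahead = look_ahead   # tolerates codes generated but never submitted
        self.counter = 0               # next counter value that may be accepted

    def validate(self, code):
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1   # consume this value and any skipped ones
                return True
        return False

RFC_SECRET = b"12345678901234567890"   # test secret published in RFC 4226 / RFC 6238

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))                       # 755224 in RFC 4226
    print("TOTP at t=59 (8 digits):", totp(RFC_SECRET, 59, digits=8))  # 94287082 in RFC 6238
    validator = HotpValidator(RFC_SECRET)
    first = hotp(RFC_SECRET, 0)
    print("first use:", validator.validate(first), "replay:", validator.validate(first))
```

Both verifiers compare with `hmac.compare_digest` so that a wrong guess takes the same time as a right one, and the HOTP validator moves its counter past every value it accepts, which is what turns a deterministic code into a one-time password.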
Principal authentication

A principal is uniquely identified by a user name, and has a set of attributes. These attributes include:
• User Name - Unique identifier for a principal.
• Password - Credential for this principal.
• Roles - One or more roles granting access to administrative commands.
• Password Expiration - The duration in days that the password is valid.
• Remote Access - Allow access only from trusted hosts, or from any host.
• Password Required - Define whether a password is always required, or only from untrusted hosts.

Authorization:
Authorization is the matching of an authenticated entity to a list of information assets and corresponding access levels. This list is usually an ACL or access control matrix. In general, authorization can be handled in one of three ways:
• Authorization for each authenticated user, in which the system performs an authentication process to verify each entity and then grants access to resources for only that entity. This quickly becomes a complex and resource-intensive process in a computer system.
• Authorization for members of a group, in which the system matches authenticated entities to a list of group memberships, and then grants access to resources based on the group’s access rights. This is the most common authorization method.
• Authorization across multiple systems, in which a central authentication and authorization system verifies entity identity and grants it a set of credentials.

What Is Authorization?
➢ Authorization in system security is the process of giving the user permission to access a specific resource or function. This term is often used interchangeably with access control or client privilege.
➢ Giving someone permission to download a particular file on a server or providing individual users with administrative access to an application are good examples of authorization.
➢ In secure environments, authorization must always follow authentication. Users should first prove that their identities are genuine before an organization’s administrators grant them access to the requested resources.
| Authentication | Authorization |
|---|---|
| In the authentication process, the identity of users is checked for providing access to the system. | In the authorization process, the person’s or user’s authorities are checked for accessing the resources. |
| In the authentication process, users or persons are verified. | In this process, users or persons are validated. |
| It is done before the authorization process. | This process is done after the authentication process. |
| It usually needs the user’s login details. | It needs the user’s privilege or security levels. |
| Authentication determines whether the person is a user or not. | It determines what permissions the user has. |
| Generally, it transmits information through an ID Token. | Generally, it transmits information through an Access Token. |
| The OpenID Connect (OIDC) protocol is an authentication protocol that is generally in charge of the user authentication process. | The OAuth 2.0 protocol governs the overall system of the user authorization process. |

Popular Authentication Techniques
• Password-Based Authentication
• Passwordless Authentication
• 2FA/MFA (Two-Factor Authentication / Multi-Factor Authentication)
• Single sign-on (SSO)
• Social authentication

Popular Authorization Techniques
• Role-Based Access Controls (RBAC)
• JSON web token (JWT) Authorization
• SAML Authorization
• OpenID Authorization
• OAuth 2.0 Authorization
| Authentication | Authorization |
|---|---|
| The authentication credentials can be changed in part as and when required by the user. | The authorization permissions cannot be changed by the user, as these are granted by the owner of the system and only he/she has the access to change them. |
| The user authentication is visible at the user end. | The user authorization is not visible at the user end. |
| The user authentication is identified with username, password, face recognition, retina scan, fingerprints, etc. | The user authorization is carried out through the access rights to resources by using roles that have been pre-defined. |
| Example: Employees in a company are required to authenticate through the network before accessing their company email. | Example: After an employee successfully authenticates, the system determines what information the employees are allowed to access. |

Accountability

Accountability, also known as auditability, ensures that all actions on a system—authorized or unauthorized—can be attributed to an authenticated identity. Accountability is most often accomplished by means of system logs and database journals, and the auditing of these records. System logs record specific information, such as failed access attempts and system modifications. Logs have many uses, such as intrusion detection, determining the root cause of a system failure, or simply tracking the use of a particular resource.

Policies:
Discretionary access control (DAC):
▪ Discretionary access control (DAC) is a type of security access control that grants or restricts object access via an access policy determined by an object’s owner group and/or subjects.
▪ DAC mechanism controls are defined by user identification with supplied credentials during authentication, such as username and password.
▪ DACs are discretionary because the subject (owner) can transfer authenticated objects or information access to other users. In other words, the owner determines object access privileges.
▪ In DAC, each system object (file or data object) has an owner, and each initial object owner is the subject that causes its creation. Thus, an object’s access policy is determined by its owner.
▪ Discretionary access control decentralizes security decisions to resource owners. The owner could be a document’s creator or a department’s system administrator. DAC systems use access control lists (ACLs) to determine who can access that resource. These tables pair individual and group identifiers with their access privileges.
▪ The sharing option in most operating systems is a form of DAC. For each document you own, you can set read/write privileges and password requirements within a table of individuals and user groups. System administrators can use similar techniques to secure access to network resources.

What are the basic principles of DAC?
1. Object characteristics (size, name, directory path) are invisible to users that aren’t authorized.
2. Several failed access attempts enforce additional multi-factor authentication or deny access.
3. Users can transfer their object ownership to other users. Also, the owner determines the access type of other users. Based on these access privileges, the operating system decides whether to grant access to a file.

Advantages of DAC
Conceptual simplicity — ACLs pair a user with their access privileges. As long as the user is in the table and has the appropriate privileges, they may access the resource.
Responsiveness to business needs — Since policy change requests do not need to go through a security administration, decision-making is more nimble and aligned with business needs.

Disadvantages of DAC
Over/underprivileged users — A user can be a member of multiple, nested workgroups. Conflicting permissions may over- or under-privilege the user.
Limited control — Security administrators cannot easily see how resources are shared within the organization. And although viewing a resource’s ACL is straightforward, seeing one user’s privileges requires searching every ACL.
Compromised security — By giving users discretion over access policies, the resulting inconsistencies and missing oversight could undermine the organization’s security posture.

DAC attributes include:
▪ User may transfer object ownership to another user(s).
▪ User may determine the access type of other users.
▪ After several attempts, authorization failures restrict user access.
▪ Unauthorized users are blind to object characteristics, such as file size, file name and directory path.
▪ Object access is determined during access control list (ACL) authorization and based on user identification and/or group membership.

DAC is easy to implement and intuitive but has certain disadvantages, including:
▪ Inherent vulnerabilities (Trojan horse)
▪ ACL maintenance or capability
▪ Grant and revoke permissions maintenance
▪ Limited negative authorization power

Mandatory access control
➢ Mandatory access control is a set of access control policies that are decided by the system and not the application or data owner.
➢ Mandatory Access Control (MAC) is a group of security policies constrained according to system classification, configuration and authentication.
➢ MAC policy management and settings are created in one secure network and defined to system administrators.
➢ MAC defines and provides a centralized enforcement of confidential security policy parameters.
➢ Mandatory access control creates strict security policies for single users and the resources, systems, or data they are enabled to access.
➢ These policies are controlled by management; single users are not given the authority to set, alter, or revoke permissions in a way that contradicts current policies.

MAC works by applying security labels to resources and individuals. These security labels consist of two elements:

Classification and clearance — MAC relies on a classification system (restricted, secret, top-secret, etc.) that describes a resource’s sensitivity. Users’ security clearances determine what kinds of resources they may access.
Compartment — A resource’s compartment describes the group of people (department, project team, etc.) allowed access. A user’s compartment defines the group or groups they participate in.

A user may only access a resource if their security label matches the resource’s security label.

MAC originated in the military and intelligence community. Beyond the national security world, MAC implementations protect some companies’ most sensitive resources. Banks and insurers, for example, may use MAC to control access to customer account data.

What are the basic principles of MAC?
1. The utmost privacy and confidentiality of the organization’s resources are paramount. No one has default privileges to access or edit someone’s data.
2. Access provisioning is centrally administered.
3. Each individual and resource in the system has security labels with their classification and category.

Advantages of MAC
Enforceability — MAC administrators set organization-wide policies that users cannot override, making enforcement easier.
Compartmentalization — Security labels limit the exposure of each resource to a subset of the user base.

Disadvantages of MAC
Collaboration — MAC achieves security by constraining communication. Highly collaborative organizations may need a less restrictive approach.
Management burden — A dedicated organizational structure must manage the creation and maintenance of security labels.

Modern access control systems are based upon:
▪ Integration with enterprise user and identity databases and Lightweight Directory Access Protocol (LDAP) directories.
▪ A robust business procedure for the provisioning and deprovisioning of a user.
▪ A provisioning application integrated with the business provisioning and de-provisioning process.
▪ A global enterprise ID for each user to integrate the user’s identity across applications and systems.
▪ A strong end-to-end audit of everywhere the physical person went and the systems, software and information systems they accessed.

▪ RBAC stands for Role-based access control. It is also known as role-based security. It is an access control method that assigns permissions to end-users depending on their role within the organization. RBAC supports fine-grained control, providing a simple, controllable method of access administration that is less error-prone than individually assigning permissions.
▪ This can decrease cybersecurity risk, protect sensitive information, and ensure that employees can only access information and perform actions they require to do their jobs. This is referred to as the principle of least privilege.
▪ Roles are based on multiple elements in RBAC, such as authorization, responsibility, and job specialization. Organizations generally designate roles for several users, such as an end-user, an administrator, or a specialist user. The capability to view, make or change files within a role can also be limited for definite tasks.
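Before going further into RBAC, here is an added example (not code from any product or from the original notes) that puts the DAC and MAC decision rules from the sections above side by side on constructed sample users, groups, files and labels. The DAC half is an owner-managed ACL with grant, revoke and ownership transfer, plus group membership, matching the DAC attributes listed. The MAC half implements the security-label rule; where the notes say a user's label must "match" the resource's label, the check below uses the usual lattice rule that a clearance must dominate a classification (an equal or higher level and a superset of the compartments), together with the no-write-down rule that stops secret material being copied into a less restricted object. Both of these go slightly beyond the notes' wording but are the standard way the rule is enforced.

```python
"""Added example for these notes: DAC (owner-controlled ACLs) and MAC
(security-label dominance) decision logic on constructed sample data."""

# ---------------- Discretionary access control ----------------------------
class DacObject:
    """A file or data object whose owner controls its access control list."""

    def __init__(self, name, owner):
        self.name = name
        self.owner = owner                       # the creator is the first owner
        self.acl = {owner: {"read", "write"}}    # principal -> set of rights

    def _require_owner(self, actor):
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of {self.name}")

    def grant(self, actor, principal, rights):
        """Only the owner may extend the ACL (the 'discretion' in DAC)."""
        self._require_owner(actor)
        self.acl.setdefault(principal, set()).update(rights)

    def revoke(self, actor, principal):
        self._require_owner(actor)
        self.acl.pop(principal, None)

    def transfer(self, actor, new_owner):
        """Ownership itself can be handed to another user."""
        self._require_owner(actor)
        self.owner = new_owner
        self.acl.setdefault(new_owner, set()).update({"read", "write"})

def dac_check(obj, user, groups, right):
    """Access is granted if the user, or any group they belong to, holds the right."""
    principals = {user, *groups.get(user, ())}
    return any(right in obj.acl.get(p, ()) for p in principals)

# ---------------- Mandatory access control --------------------------------
LEVELS = {"unclassified": 0, "restricted": 1, "secret": 2, "top-secret": 3}

class Label:
    """Security label: a classification level plus a set of compartments."""

    def __init__(self, level, compartments=()):
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        self.level = level
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def mac_can_read(clearance, classification):
    """No read up: the subject's clearance must dominate the object's label."""
    return clearance.dominates(classification)

def mac_can_write(clearance, classification):
    """No write down: the object's label must dominate the subject's clearance."""
    return classification.dominates(clearance)

# Constructed sample data (users, groups and files are fictional)
GROUPS = {"carol": {"analysts"}}
CLEARANCE = {
    "alice": Label("secret", {"finance"}),
    "bob": Label("top-secret", {"finance", "hr"}),
    "carol": Label("restricted"),
}
CLASSIFICATION = {
    "payroll.xlsx": Label("secret", {"finance", "hr"}),
    "memo.txt": Label("restricted"),
}

if __name__ == "__main__":
    report = DacObject("report.docx", "alice")
    report.grant("alice", "analysts", {"read"})
    print("carol reads report via group:", dac_check(report, "carol", GROUPS, "read"))
    for user, clearance in CLEARANCE.items():
        print(user, "read payroll:", mac_can_read(clearance, CLASSIFICATION["payroll.xlsx"]),
              "| write memo:", mac_can_write(clearance, CLASSIFICATION["memo.txt"]))
```

The contrast the notes draw is visible in the code: in the DAC half a single owner can widen access with one `grant` call and nothing outside the object records it (the "limited control" disadvantage), whereas in the MAC half no user-level call changes who may read payroll, because the decision depends only on labels that are set centrally.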
What is role-based access control (RBAC)?
➢ Role-based access control grants access privileges based on the work that individual users do. A popular way of implementing “least privilege” policies, RBAC limits access to just the resources users need to do their jobs.
➢ Implementing RBAC requires defining the different roles within the organization and determining whether and to what degree those roles should have access to each resource.
➢ Accounts payable administrators and their supervisor, for example, can access the company’s payment system. The administrators’ role limits them to creating payments without approval authority. Supervisors, on the other hand, can approve payments but may not create them.

Advantages of RBAC
Flexibility — Administrators can optimize an RBAC system by assigning users to multiple roles, creating hierarchies to account for levels of responsibility, constraining privileges to reflect business rules, and defining relationships between roles.
Ease of maintenance — With well-defined roles, the day-to-day management is the routine on-boarding, off-boarding, and cross-boarding of users’ roles.
Centralized, non-discretionary policies — Security professionals can set consistent RBAC policies across the organization.
Lower risk exposure — Under RBAC, users only have access to the resources their roles justify, greatly limiting potential threat vectors.

Disadvantages of RBAC
Complex deployment — The web of responsibilities and relationships in larger enterprises makes defining roles so challenging that it spawned its own subfield: role engineering.
Balancing security with simplicity — More roles and more granular roles provide greater security, but administering a system where users have dozens of overlapping roles becomes more difficult.
Layered roles and permissions — Assigning too many roles to users also increases the risk of over-privileging users.

How does RBAC work?
Let’s consider the main components of the role-based approach to access control:
User – an individual with a unique identifier (UID) that has access to a system
Role – a named job function (indicates the level of authority)
Permission – equivalent to access rights
Session – a period of working time during which a user utilizes permissions of the roles assigned to them
Object – a system resource that requires permission to access
Operation – any action in the protected network

The basic rules of RBAC are:
1. All user activities are carried out through operations.
2. A user can execute an operation only if the user has been assigned a role that allows them to do so.
3. Identification and authentication are not considered operations.

Origin: https://www.ekransystem.com/en/blog/rbac-vs-abac
© Ekran System
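The components and rules just listed map directly onto a small model. The following is an added example, not code from Ekran System or from the original notes: users, roles, permissions (operation on an object), and sessions in which a user activates some or all of their roles, with rule 2 enforced in `Session.check`. It uses the accounts-payable scenario from the RBAC section (administrators create payments, supervisors approve them). The role hierarchy and the separation-of-duty constraint go slightly beyond the notes and follow the standard NIST RBAC model; all names are constructed.

```python
"""Added example for these notes: a minimal RBAC model with role hierarchy,
sessions and a static separation-of-duty constraint, on constructed data."""

class Rbac:
    def __init__(self):
        self.role_perms = {}      # role -> set of (operation, object)
        self.role_parents = {}    # role -> roles whose permissions it inherits
        self.user_roles = {}      # user -> set of assigned roles
        self.exclusive = set()    # frozenset pairs of roles no user may hold together

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.role_parents[role] = set(inherits)

    def add_exclusion(self, role_a, role_b):
        """Static separation of duty, e.g. nobody both creates and approves payments."""
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        held = self.user_roles.setdefault(user, set())
        for other in held:
            if frozenset((role, other)) in self.exclusive:
                raise ValueError(f"{user} may not hold {role!r} together with {other!r}")
        held.add(role)

    def effective_perms(self, role):
        """Permissions of a role plus everything inherited through the hierarchy."""
        perms = set(self.role_perms.get(role, ()))
        for parent in self.role_parents.get(role, ()):
            perms |= self.effective_perms(parent)
        return perms

class Session:
    """A working period in which a user activates some or all of their roles.
    Activating fewer roles than assigned is how least privilege is applied."""

    def __init__(self, rbac, user, active_roles=None):
        assigned = rbac.user_roles.get(user, set())
        active = set(assigned) if active_roles is None else set(active_roles)
        if not active <= assigned:
            raise ValueError("cannot activate a role that is not assigned")
        self.rbac = rbac
        self.user = user
        self.active_roles = active

    def check(self, operation, obj):
        """Rule 2: an operation is allowed only through an active role that grants it."""
        return any((operation, obj) in self.rbac.effective_perms(r) for r in self.active_roles)

def build_sample_policy():
    """Constructed policy mirroring the accounts-payable example in the notes."""
    rbac = Rbac()
    rbac.add_role("employee", {("read", "payment-system")})
    rbac.add_role("ap-admin", {("create", "payment")}, inherits={"employee"})
    rbac.add_role("ap-supervisor", {("approve", "payment")}, inherits={"employee"})
    rbac.add_exclusion("ap-admin", "ap-supervisor")
    rbac.assign("dana", "ap-admin")
    rbac.assign("eve", "ap-supervisor")
    return rbac

if __name__ == "__main__":
    policy = build_sample_policy()
    dana = Session(policy, "dana")
    eve = Session(policy, "eve")
    print("dana creates payment:", dana.check("create", "payment"))      # True
    print("dana approves payment:", dana.check("approve", "payment"))    # False
    print("eve approves payment:", eve.check("approve", "payment"))      # True
    print("eve reads payment system:", eve.check("read", "payment-system"))  # True via hierarchy
```

Note that a user is never checked against permissions directly, only through roles, and that the exclusion between `ap-admin` and `ap-supervisor` is rejected at assignment time rather than at access time, which keeps the "layered roles" over-privileging problem from arising in the first place.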