Information and Security Management
Lecture B -
User Authentication & Access Control
User Authentication Fundamentals
User authentication is the process of
verifying an identity
claimed by or for a system entity.
Authentication Process
Identification step
: Presenting an identifier to the security system (e.g. the user provides a user ID)
Verification step
: Presenting or generating authentication information that confirms the binding between the entity and the identifier (e.g. a password, a token or a biometric)
Password Authentication
The user provides a name/login and a password. The system compares that password with the one stored for that login (in practice the stored value should be a salted hash of the password, not the password itself).
The user ID determines whether the user is authorised to access the system and what privileges they have, and it is the identity used in discretionary access control.
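The comparison step above, as an added example that is not part of the lecture notes: the "password file" is an in-memory dict, the password is never stored in clear, the salt is random per user, and the comparison is constant-time. The iteration count and the user records are assumptions for illustration.

```python
# Added example: password authentication against a salted, iterated hash.
# The user table and the iteration count are constructed for this example.
import hashlib
import hmac
import os

# Constructed in-memory "password file": login -> (salt, iterations, derived hash)
_USERS: dict[str, tuple[bytes, int, bytes]] = {}
ITERATIONS = 100_000  # assumption: tune so one derivation costs ~100 ms on the host


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted key derivation so a stolen file cannot be searched quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(login: str, password: str) -> None:
    """Store a fresh random salt and the derived hash; the password itself is discarded."""
    salt = os.urandom(16)
    _USERS[login] = (salt, ITERATIONS, _derive(password, salt, ITERATIONS))


def authenticate(login: str, password: str) -> bool:
    """Identification (login) then verification (does the password bind to it?)."""
    record = _USERS.get(login)
    if record is None:
        # Unknown login: still pay for one derivation so response time does not
        # reveal whether the identifier exists (user enumeration).
        _derive(password, b"\x00" * 16, ITERATIONS)
        return False
    salt, iterations, stored = record
    candidate = _derive(password, salt, iterations)
    # Constant-time comparison: do not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(authenticate("alice", "correct horse battery staple"))  # True
    print(authenticate("alice", "wrong password"))                # False
    print(authenticate("nobody", "anything"))                     # False
```

Because the salt is regenerated on every registration, two users with the same password (or one user re-registering) get different stored hashes, which defeats precomputed tables against the whole file at once.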
Token-based Authentication: Cards
Card Types
Memory Cards (Magnetic Strip & Electronic memory)
Magnetic stripe on the back, or electronic memory inside (e.g. hotel room card or prepaid phone card).
Smart Tokens (Contact & Contactless)
Electrical contacts exposed on the surface (contact), or a radio antenna embedded inside (contactless) (e.g. current chip credit cards, Visa payWave/MasterCard PayPass).
Embossed
Raised characters only, on the front (e.g. old credit cards)
Biometric Authentication
Attempts to authenticate an individual based on
unique physical characteristics
(e.g. facial characteristics, fingerprints, hand geometry, retinal pattern, iris, signature and voice).
Security Issues for User Authentication
Host Attacks (attacks on the verifier or its stored credentials, e.g. a dictionary search against a stolen password file)
Replay (capturing a valid authentication exchange and resending it later)
Eavesdropping (observing the credential while it is presented or transmitted)
Client Attacks (attacks on the user side, e.g. password guessing or token theft)
Trojan Horse (a fake login program or device that captures the credential)
Denial-of-service (flooding the service, or locking accounts out with repeated failed attempts)
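The replay and eavesdropping issues above, as an added example that is not part of the lecture notes: a nonce-based challenge-response in which the server issues a fresh random challenge per attempt and accepts each challenge only once, so a response captured by an eavesdropper cannot be replayed. The shared key and the login name are constructed values.

```python
# Added example: challenge-response authentication resistant to replay.
# The shared key and the user table are constructed for this example.
import hashlib
import hmac
import os


class Server:
    def __init__(self, secrets: dict[str, bytes]) -> None:
        self._secrets = secrets   # login -> shared key (constructed)
        self._pending: dict[str, bytes] = {}  # login -> outstanding nonce

    def challenge(self, login: str) -> bytes:
        """Issue a fresh, unpredictable nonce; it replaces any earlier one."""
        nonce = os.urandom(16)
        self._pending[login] = nonce
        return nonce

    def verify(self, login: str, response: bytes) -> bool:
        """Accept only a response computed over the currently outstanding nonce."""
        nonce = self._pending.pop(login, None)  # each nonce is usable exactly once
        key = self._secrets.get(login)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(key: bytes, nonce: bytes) -> bytes:
    """The client proves knowledge of the key without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> tuple[bool, bool]:
    key = b"constructed-shared-key"
    server = Server({"alice": key})

    nonce = server.challenge("alice")
    response = client_respond(key, nonce)   # an eavesdropper records nonce + response
    first = server.verify("alice", response)  # genuine attempt succeeds

    # Replay: the attacker obtains a new challenge and resends the captured response.
    server.challenge("alice")
    replayed = server.verify("alice", response)  # fails: the nonce has changed
    return first, replayed


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Eavesdropping still yields the nonce and the response; what the attacker cannot do with them is log in, because the next challenge is different. If the shared key is derived from a weak password, the captured pair does allow an offline guessing attack, which is why the key should be random or derived with a slow function.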
Access Control Principles
The process of granting or denying specific requests to obtain and use information and related information-processing services, and to enter specific physical facilities.
Discretionary Access Control (DAC)
Controls access based on the identity of the requestor and on access rules stating what requestors are allowed to do.
Role-based Access Control (RBAC)
Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.
Attribute-based Access Control (ABAC)
Controls access based on attributes of the user, the resource to be accessed, and current environment conditions.
Subjects, Objects and Access Rights
Objects
A resource to which access is controlled; an entity used to contain and/or receive information.
Access Rights
Describes the way in which a subject may access an object. Could include: Read, Write, Execute, Delete, Create and Search.
Subjects
An entity capable of accessing objects with three classes: Owner, Group and World.
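The three access-control models above, applied to the subject/object/access-right vocabulary of this section, as an added example that is not part of the lecture notes. The DAC check uses the owner/group/world classes, the RBAC check uses a role-to-permission table, and the ABAC check combines a user attribute, a resource attribute and an environment condition. All users, roles, attributes and the ABAC policy itself are constructed assumptions.

```python
# Added example: DAC, RBAC and ABAC decisions over the same subjects and objects.
# Every user, group, role, clearance level and policy rule here is constructed.
from dataclasses import dataclass, field

ACCESS_RIGHTS = {"read", "write", "execute", "delete", "create", "search"}


@dataclass
class Subject:
    name: str
    groups: set[str] = field(default_factory=set)
    roles: set[str] = field(default_factory=set)
    clearance: int = 0           # user attribute used by ABAC


@dataclass
class Obj:
    name: str
    owner: str
    group: str
    # DAC: rights granted to each class of subject (owner / group / world)
    rights: dict[str, set[str]] = field(default_factory=dict)
    classification: int = 0      # resource attribute used by ABAC


def dac_allows(subject: Subject, obj: Obj, right: str) -> bool:
    """Discretionary: the requester's identity selects the owner/group/world class."""
    if subject.name == obj.owner:
        cls = "owner"
    elif obj.group in subject.groups:
        cls = "group"
    else:
        cls = "world"
    return right in obj.rights.get(cls, set())


# RBAC: rules stating which accesses are allowed to users in a given role (constructed)
ROLE_PERMISSIONS = {
    "auditor": {"read", "search"},
    "editor": {"read", "write", "create", "search"},
    "admin": set(ACCESS_RIGHTS),
}


def rbac_allows(subject: Subject, obj: Obj, right: str) -> bool:
    """Role-based: allowed if any of the subject's roles carries the right."""
    return any(right in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


def abac_allows(subject: Subject, obj: Obj, right: str, env: dict) -> bool:
    """Attribute-based: user attribute vs resource attribute, plus environment conditions.

    Constructed policy: clearance must cover the object's classification, writes and
    deletes are only allowed from the corporate network, and all access is limited to
    office hours (08:00-17:59)."""
    if subject.clearance < obj.classification:
        return False
    if right in {"write", "delete"} and not env.get("on_corporate_network", False):
        return False
    if not 8 <= env.get("hour", 0) < 18:
        return False
    return True


if __name__ == "__main__":
    report = Obj("report.txt", owner="alice", group="finance",
                 rights={"owner": {"read", "write", "delete"}, "group": {"read"}, "world": set()},
                 classification=2)
    alice = Subject("alice", groups={"finance"}, roles={"editor"}, clearance=3)
    bob = Subject("bob", groups={"finance"}, roles={"auditor"}, clearance=2)
    office = {"on_corporate_network": True, "hour": 10}
    print(dac_allows(alice, report, "write"), dac_allows(bob, report, "write"))   # True False
    print(rbac_allows(bob, report, "read"), rbac_allows(bob, report, "write"))    # True False
    print(abac_allows(alice, report, "write", office))                            # True
```

The same request (bob writing report.txt) can be decided differently by each model, which is the point: DAC asks who bob is relative to the object, RBAC asks what his role is permitted, and ABAC asks whether his attributes, the object's attributes and the environment satisfy the policy.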
Lecture A -
Cryptography Basics
What is Information Security
Information security is the protection of information system resources so as to preserve their confidentiality, integrity, and availability.
Assets of a System
Data
Communication facilities and networks
Software
Hardware
Vulnerabilities, Threats and Attacks
Threats
Capable of exploiting vulnerabilities; represent potential security harm to an asset.
Attacks (threats carried out)
Passive
- attempt to learn or make use of information from the system without affecting system resources.
Active
- attempt to alter system resources or affect their operation
Insider
- initiated by an entity inside the security perimeter
Outsider
- initiated from outside the perimeter
Categories of vulnerabilities (weaknesses)
Corrupted = loss of integrity
Leaky = loss of confidentiality
Unavailable or very slow = loss of availability