Information and Security Management
Lecture B -
User Authentication & Access Control
User Authentication Fundamentals
User authentication is the process of verifying an identity claimed by or for a system entity. It consists of two steps:
Identification step: presenting an identifier to the security system (e.g. the user provides a user ID).
Verification step: presenting or generating authentication information that corroborates the binding between the entity and the identifier (e.g. the user provides a password).
Example: the user provides a login name and a password; the system compares the submitted password with the one stored for that login.
The user ID is the basis for authorisation: it determines whether the user is permitted to access the system at all and which privileges they hold, and it is the identity on which discretionary access control decisions are made.
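The login/password exchange above, as an added example that is not part of the lecture material: the identification step is the lookup of the login name, the verification step is the comparison with the stored credential. Rather than storing and comparing the raw password, the store holds a per-user random salt and a PBKDF2 digest, and the comparison is done in constant time. The user records and the iteration count are constructed assumptions for illustration.

```python
# Added example (not from the lecture): two-step authentication over a
# constructed user store. Passwords are never stored; only salt + PBKDF2 digest.
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor; tune so one verification costs on the order of 100 ms.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn when none is given,
    so two users with the same password get different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed user store: identifier -> (salt, digest). In a real system this is
# the credential table; here it is built inline so the example runs offline.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}

# Dummy credential used for unknown logins, so an unknown user costs the same
# hashing work as a known one and login names cannot be enumerated via timing.
_DUMMY = hash_password(os.urandom(16).hex())


def authenticate(login: str, password: str) -> bool:
    """Identification step: look up the identifier.
    Verification step: recompute the digest with the stored salt and compare it
    in constant time against the stored digest."""
    salt, stored = USERS.get(login, _DUMMY)
    _, candidate = hash_password(password, salt)
    ok = hmac.compare_digest(candidate, stored)
    # The identifier must also actually exist; the dummy record never grants access.
    return ok and login in USERS


if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple"))  # True
    print(authenticate("alice", "wrong"))                          # False
    print(authenticate("nobody", "hunter2"))                       # False
```

The weak variant the lecture describes literally (compare the submitted password against a stored copy) fails if the store is ever read by an attacker; with the salted, iterated hash the store yields only digests that must be brute-forced per user.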
Token-based Authentication: Cards
Memory cards (magnetic stripe and electronic memory): a magnetic stripe on the back or electronic memory inside (e.g. a hotel room card or a prepaid phone card).
Smart tokens (contact and contactless): electrical contacts exposed on the surface, or a radio antenna embedded inside (e.g. a current chip credit card; Visa payWave / MasterCard PayPass).
Embossed cards: raised characters only, on the front (e.g. an old credit card).
Biometric Authentication
Attempts to authenticate an individual based on unique physical characteristics (e.g. facial characteristics, fingerprints, hand geometry, retinal pattern, iris, signature and voice).
Security Issues for User Authentication
Access Control Principles
Access control is the process of granting or denying specific requests to (1) obtain and use information and related information processing services, and (2) enter specific physical facilities.
Discretionary Access Control (DAC)
Controls access based on the identity of the requestor and on access rules stating what requestors are allowed to do.
Role-based Access Control (RBAC)
Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.
Attribute-based Access Control (ABAC)
Controls access based on attributes of the user, the resource to be accessed, and current environment conditions.
Subjects, Objects and Access Rights
Subject: an entity capable of accessing objects. Three classes of subject are distinguished: Owner, Group and World.
Object: a resource to which access is controlled; an entity used to contain and/or receive information.
Access right: describes the way in which a subject may access an object. Could include: Read, Write, Execute, Delete, Create and Search.
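The three models above (DAC, RBAC, ABAC) expressed over the same subject/object/access-right vocabulary, as an added example that is not from the lecture. Each model is a small decision function; the subjects, the ledger object, the role table and the environment attributes (clearance, sensitivity, hour, corporate network) are constructed for illustration.

```python
# Added example (not from the lecture): DAC, RBAC and ABAC decision functions
# over constructed subjects and one object. Nothing here is a real policy engine.
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

ACCESS_RIGHTS = {"read", "write", "execute", "delete", "create", "search"}


@dataclass
class Subject:
    name: str
    groups: Set[str] = field(default_factory=set)
    roles: Set[str] = field(default_factory=set)     # used by RBAC
    clearance: int = 0                               # assumed ABAC attribute


@dataclass
class Obj:
    name: str
    owner: str
    group: str
    # DAC: rights granted to the three subject classes Owner / Group / World.
    acl: Dict[str, Set[str]] = field(default_factory=dict)
    sensitivity: int = 0                             # assumed ABAC attribute


def dac_allows(s: Subject, o: Obj, right: str) -> bool:
    """Discretionary: the decision follows the requestor's identity relative to the
    object's owner and group, and the rights the owner chose to grant each class."""
    if s.name == o.owner:
        cls = "owner"
    elif o.group in s.groups:
        cls = "group"
    else:
        cls = "world"
    return right in o.acl.get(cls, set())


# RBAC: role -> set of (object, right) permissions. Constructed table.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "auditor": {("ledger", "read"), ("ledger", "search")},
    "accountant": {("ledger", "read"), ("ledger", "write"), ("ledger", "create")},
}


def rbac_allows(s: Subject, o: Obj, right: str) -> bool:
    """Role-based: only the subject's roles matter, not who the subject is."""
    return any((o.name, right) in ROLE_PERMISSIONS.get(r, set()) for r in s.roles)


def abac_allows(s: Subject, o: Obj, right: str, env: Dict[str, object]) -> bool:
    """Attribute-based: combines a user attribute (clearance), a resource attribute
    (sensitivity) and environment conditions (time of day, network location)."""
    if s.clearance < o.sensitivity:
        return False
    if right in {"write", "delete", "create"} and not env.get("on_corporate_network", False):
        return False
    hour = int(env.get("hour", 0))
    return 8 <= hour < 18


# Constructed data: alice owns the ledger; bob is in the finance group and holds
# the auditor role; carol is an outsider with no group membership or role.
LEDGER = Obj("ledger", owner="alice", group="finance",
             acl={"owner": {"read", "write", "delete"}, "group": {"read"}, "world": set()},
             sensitivity=1)
ALICE = Subject("alice", groups={"finance"}, clearance=2)
BOB = Subject("bob", groups={"finance"}, roles={"auditor"}, clearance=2)
CAROL = Subject("carol", clearance=0)

OFFICE_HOURS_ONSITE = {"hour": 10, "on_corporate_network": True}
NIGHT_REMOTE = {"hour": 22, "on_corporate_network": False}

if __name__ == "__main__":
    print(dac_allows(ALICE, LEDGER, "delete"), dac_allows(BOB, LEDGER, "write"))   # True False
    print(rbac_allows(BOB, LEDGER, "read"), rbac_allows(ALICE, LEDGER, "read"))    # True False
    print(abac_allows(BOB, LEDGER, "write", OFFICE_HOURS_ONSITE),
          abac_allows(BOB, LEDGER, "write", NIGHT_REMOTE))                         # True False
```

Note how the same request (alice reading the ledger) is allowed under DAC because she owns it, but denied under RBAC because she holds no role: the models answer from different inputs, which is why a system usually commits to one of them for a given resource.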
Lecture A -
What is Information Security
Information security is the protection afforded to an information system in order to attain the applicable objectives of preserving the confidentiality, integrity and availability of information system resources.
Assets of a System
Communication facilities and networks
Vulnerabilities, Threats and Attacks
Threats represent potential security harm to an asset.
Attacks (threats carried out)
Passive attack - an attempt to learn or make use of information from the system that does not affect system resources.
Active attack - an attempt to alter system resources or affect their operation.
Inside attack - initiated by an entity inside the security perimeter.
Outside attack - initiated from outside the perimeter.
Categories of vulnerabilities (weaknesses)
Corrupted = loss of integrity
Leaky = loss of confidentiality
Unavailable or very slow = loss of availability