What is access control?
Access control authenticates and authorize individuals to access information that they are allowed to see & use.
What are the 3 authentication categories?
- Knowledge (password)
- Token (cards)
- Biometrics (fingerprints)
What are some problems with knowledge-based passwords?
- Reused passwords
- Modified passwords for reuse
- Using easily guessed passwords
- Shared passwords
- Written passwords
What is the problem with password managers?
- Single point of failure
- Runs in memory, can be leaked via memory forensic
What are three forms of password attacks?
- Bruteforce
- Dictionary
- Social Engineering
What is the issue with Single Sign-On systems?
Single point of failure.
What are some threats with 2FA?
- Phishing website that steals session cookies
- Zeus/MITM attack that steals 2FA data
What is the issue with graphical passwords?
- Low password space
- Shoulder surfing
- Smudge attacks
What are tokens?
- Physical device to aid authentication
- Stores credential on device, successful authentication gives access to said credentials.
- Ledgers, bank tokens, etc.
What are smart cards?
- Cards embedded with microprocessor with computational & storage capabilities
- Store info (PIN)
- Securely communicate with endpoint such as card reader
- Tamper resistance
What are RFID tags?
- Radio Frequency Identification Tags
- Integrated circuits with antenna that can respond to RF signal with identity information
- Susceptible to MITM or side-channel attacks
What are biometrics?
- Physical or Behavioural traits of a person used as authentication and identification
What are the 4 requirements of characteristics as a biometric?
- Universality: everyone should have that characteristic
- Distinctiveness: any two person should be sufficiently different
- Permanence: characteristic should be invariant
- Collectability: can be measured quantitatively
How is accuracy measured in biometrics?
False acceptance rate should be 0 and true acceptance rate should be 1.
Receiver Operating Characteristic shows trade off between FAR and TAR.
What are some iris scanning characteristics?
- 256 unique characteristics, patterns are sufficiently different even with genetically identical twins.
- FAR is 1 in 10 million.
- Not very invasive like retinal but costlier than fingerprint
What are some retinal scanning characteristics?
- 400 unique characteristics
- 70 times more accurate than iris, 20,000 times more accurate than fingerprint.
- Very invasive and takes long time, glaucoma might affect, less permanence.
- Very expensive
What are some fingerprinting characteristics?
- Super unique, 1 in 64 billion chance of match.
- Permanence is high.
- FAR is 1 in 100,000 for smart phones.
- Cheap
What are some facial recognition characteristics?
- Non-intrusive
- Less permanence
- FAR is 1 in 1 million
- More expensive than fingerprint, cheaper than rest.
What are the pros and cons of multi-factor authentication using biometric?
Pros:
- Unique data harder to crack as biometric has super high variation
- Fast & convenient as biometric requires a few seconds at most.
- Scalable: biometric mFA solutions easily and flexibly accept new user data
Cons:
- Unrecoverable if compromised as once stolen, we cannot change the factors of our biometric (how to change face?)
- New & expensive: recent & requires new software + hardware
- Privacy: how is biometrics stored and what if it is exposed?
What are the 3 types of access control systems?
- Discretionary Access Control
- Role Based Access Control
- Mandatory Access Control
What is discretionary access control?
- Assign rights based on rules specified for different users (Read, Write, Execute - RWX).
Owner Group World
RWX RWX RWX
What is role-based access control?
Assign rights based on organization roles allows the organization to address the principle of least privilege.
Individual only needs the access they need since access connected to their job role / scope.
What is mandatory access control?
Access to resource objects controlled by the OS based on sysadmin configured settings.
What is the principle of least privilege?
PLOP requires limiting privileges to the minimum necessary to perform the job or task.
Reduces the risk of unauthorized access.
