NIS - Unit - 2 Notes

The document discusses various authentication and access control techniques including identification, authentication, authorization, passwords, biometrics, and attacks like brute force, dictionary, shoulder surfing and dumpster diving. It provides details on each technique and recommendations to improve security.

Uploaded by Ved Sawant

Unit 2 – Authentication and Access Control

2.1 Identification and Authentication


Identification is the claiming of an identity. Authentication is the act of verifying or proving
the claimed identity. Identification and authentication are two terms that describe the
initial phases of the process of allowing access to a system.
Identification is the act of identifying a particular user, often through a username.
Authentication is the proof of this user’s identity, which is commonly managed by entering a
password. Only after a user has been properly identified and authenticated can they then be
authorized access to systems or privileges.

Authentication involves identifying a particular user based on their login credentials, such as
usernames and passwords, biometric scans, PINs, or security tokens.
Authorization refers to giving a user the appropriate level of access as determined by access
control policies. These processes are typically automated.

But managing password security can be quite expensive. A user plays a very important role in
protecting a password.
There are a number of methods to crack a user’s password, but the most prominent one is a
Password Guessing Attack. Basically, this is a process of attempting to gain access to the
system by trying all the possible passwords (guessing passwords).
To combat these advancements, today's passwords need the following traits:
• At least 12 characters long is recommended, 8 at the minimum
• A combination of both upper- and lower-case letters, numbers, and symbols
• Random enough that they do not contain any predictable sequence
Exhaustive search: A brute-force attack consists of an attacker submitting many passwords
or passphrases with the hope of eventually guessing correctly. The attacker systematically
checks all possible passwords and passphrases until the correct one is found. Alternatively,
the attacker can attempt to guess the key, which is typically created from the password
using a key derivation function. This is known as an exhaustive key search.
Intelligent search: Here an attacker searches for a password with the help of the user’s
personal data, like name, DOB, family members’ names, phone numbers etc. Ex: Dictionary attack.
A dictionary attack is a brute-force technique where attackers run through common words
and phrases, such as those from a dictionary, to guess passwords. The fact that people often
use simple, easy-to-remember passwords across multiple accounts means dictionary attacks
can be successful while requiring fewer resources to execute.

Protection techniques which can be used by users:
a. Default password: Change the default password given by the administrator.
b. Length of password: Length of password should be at least 8 characters.
c. Password should have (A-Z), (a-z), (0-9) and some special characters like !@#$&*,:;?
d. Avoid obvious passwords.

Techniques that a system can follow to improve password security:

1. Password checkers: Password Checker Online helps you to evaluate the strength
of your password. More accurately, Password Checker Online checks the
password strength against two basic types of password cracking methods – the
brute-force attack and the dictionary attack. It also analyses the syntax of your
password and informs you about its possible weaknesses. This tool can thus also
help you create a stronger password from a weak one. Its drawback: if the job is
done right, it is resource intensive. A determined opponent who is able to steal
the password file can dedicate full CPU time to this task for many hours or even
days.
2. Password generation: Many operating systems can produce computer-generated
passwords. These passwords are random in nature and can be pronounceable. Here
users are not allowed to select their own password. As the generated password is
random, users find it difficult to remember.
3. Password aging: The password can be set with an expiry date. This forces the
users to change their password at regular intervals. It is normally used in
conjunction with a setting to prevent re-use of X number of previous passwords;
the minimum password age is intended to discourage users from cycling through
their previous passwords to get back to a preferred one.
4. Limit login attempts: One of the most common attacks is the brute force attack.
This basically means that an attacker keeps trying to guess your password until
they get it right. Most of the time, they use a script for this. Limiting login
attempts allows us to track and limit the number of failed login attempts.
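The password traits listed above and two of the system-side techniques (a checker and a limit on login attempts) in working form. This is an added example, not code from the notes: the wordlist, the credential store and the 8/12-character thresholds are constructed for the example, the thresholds being the ones the notes give.

```python
import hashlib
import hmac
import os
import re

# Constructed mini-wordlist; a real checker loads a large list of common passwords.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "monkey"}

def has_predictable_sequence(pw, run=4):
    """True if pw holds `run` consecutive characters that step up by one
    ('abcd', '1234') or `run` identical characters ('aaaa')."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        stepping = all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1))
        if stepping or len(set(chunk)) == 1:
            return True
    return False

def check_password(pw):
    """Return the policy violations; an empty list means the password has the
    traits the notes list (8 minimum / 12 recommended, mixed case, digits and
    symbols, no dictionary word, no predictable sequence)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than the 8-character minimum")
    elif len(pw) < 12:
        problems.append("shorter than the recommended 12 characters")
    for pattern, name in ((r"[A-Z]", "upper-case letter"), (r"[a-z]", "lower-case letter"),
                          (r"[0-9]", "digit"), (r"[^A-Za-z0-9]", "symbol")):
        if not re.search(pattern, pw):
            problems.append("no " + name)
    if any(word in pw.lower() for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if has_predictable_sequence(pw):
        problems.append("contains a predictable sequence")
    return problems

def hash_password(pw, salt):
    """Salted, slow hash so a stolen password file is costly to brute-force."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

def new_credential(pw):
    """Constructed credential record as a password store would keep it."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(pw, salt)}

class LoginLimiter:
    """Counts failed logins per user and locks the account once `max_failures`
    happen inside `window` seconds; the lock lasts `lockout` seconds."""
    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = {}      # user -> timestamps of recent failures
        self.locked_until = {}  # user -> time at which the lock expires
    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now
    def record_failure(self, user, now):
        recent = [t for t in self.failures.get(user, []) if now - t < self.window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            self.failures[user] = []
    def record_success(self, user):
        self.failures.pop(user, None)

def attempt_login(limiter, store, user, pw, now):
    """Return 'locked', 'ok' or 'denied'. Unknown users and wrong passwords
    are treated alike so the reply does not reveal which usernames exist."""
    if limiter.is_locked(user, now):
        return "locked"
    record = store.get(user)
    if record and hmac.compare_digest(hash_password(pw, record["salt"]), record["hash"]):
        limiter.record_success(user)
        return "ok"
    limiter.record_failure(user, now)
    return "denied"
```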

Password attacks

Piggybacking: Piggybacking is a social engineering attack in which an attacker uses
another person’s legitimate access to a physical or electronic location to gain unauthorized
access themselves.

This type of attack is often seen in office buildings, where an attacker will follow someone
with an access badge into a secured area. It can also be seen in IT systems, where an
attacker may log into a system using another user’s credentials. Piggybacking can also be
used as a form of eavesdropping, where an attacker uses another person’s access to a
location in order to listen in on conversations or harvest sensitive information.

Piggybacking attacks are relatively easy to carry out and are often very hard to detect.
However, there are several steps that organizations can take in order to protect themselves
against this type of attack. For example, they can limit access to sensitive areas only to
authorized individuals with proper credentials or set up a system for detecting unauthorized
access attempts.

Overall, piggybacking is a serious security threat that can have serious consequences for
organizations. Therefore, it is important for organizations to be aware of this type of attack
and take measures to protect themselves against it.

Shoulder Surfing: Shoulder surfing is using direct observation techniques, such as looking
over someone’s shoulder, to get information. Shoulder surfing is an effective way to get
information in a crowded place because it is relatively easy to stand next to someone and
watch as they fill out a form, enter a PIN at an ATM, etc. It can also be done from a long
distance with the aid of binoculars or other vision-enhancing devices. This attack is the
most successful type of attack against passwords and some graphical password schemes.

Dumpster Diving: Getting familiar with the dumpster diving definition is the first step to fight
this attack. Here, cyber attackers take the idiom “One man’s trash is another man’s treasure”
to a whole new realm.

Dumpster diving in cybersecurity is the process of investigating an individual or organization’s
trash to retrieve information that could be used to compromise network resources or plan a
cyberattack.

A person going through your trash can gather enough data to create a complex profile and
commit identity theft. Aside from physical trash, cyber actors can also access recycle or
electronic waste bins, phone lists, calendars or organizational charts for sensitive information
that can severely compromise your company. Cybercriminals often use malware to achieve this.
When a dumpster diver goes through your trash, they’re looking for any information to
execute a cyberattack. Some of the data such criminals can obtain from your trash include:

• Domicile or email addresses
• Private passwords, PINs, or any other sensitive data
• Bank account statements
• Digital signatures

To prevent dumpster divers from learning any valuable information about a user or his
organization, establish a disposal policy. Ensure all unwanted information, documents, notes,
and hardware is properly destroyed. Below are a few practices to prevent dumpster diving in
cyber security.

1. Implement a Trash Management Plan
2. Practice Storage Media Deletion
3. Enforce a Data Retention Policy
4. Use a Shredder

Biometrics:
Biometrics can be defined as the most practical means of identifying and authenticating
individuals in a reliable and fast way through unique biological characteristics.
The term Biometrics is composed of two words: Bio (Greek word for Life) and Metrics
(Measurements). Biometrics is a branch of information technology that aims towards
establishing one’s identity based on personal traits. Each human being is unique in terms of
characteristics, which make him or her different from all others. Physical attributes such as
fingerprints, colour of iris, colour of hair, hand geometry, and behavioural characteristics
such as tone and accent of speech, signature, or the way of typing keys on a computer
keyboard etc., make a person stand apart from the rest.
The biometric sample is acquired from the candidate user. The prominent features are
extracted from the sample and then compared with the samples stored in the database. When
the input sample matches one of the samples in the database, the biometric system allows
the person to access the resources; otherwise it denies access.

Types of Biometrics:
1. Fingerprints: An impression or mark made on a surface by a person's fingertip, able to
be used for identifying individuals from the unique pattern of whorls and lines on the
fingertips. It involves a finger-sized identification sensor with a low-cost biometric chip.
A fingerprint matching system extracts a number of features from the fingerprint for
storage as a numerical substitute.
The software works by extracting meaningful features known as minutia points from the
fingerprint. The scanner picks out attributes such as orientation, change of ridge direction,
arches, loops and whorls in the print. Some scanners can even pick up pores on the skin.
The software then records and stores these minutia points in order to verify the user’s
identity in the future.
Its limitations:
a. Hardware and software programs can be expensive.
b. It can lead to false rejections and false acceptances.
c. It makes mistakes with dry or dirty skin on the finger, as well as with age.

2. Hand Print: A handprint is obtained from the inner surface of a hand between the wrist
and the top of the fingers, which contains the principal lines, wrinkles and ridges on the
palm and fingers, including the fingerprint. As in the case of fingerprints, everybody has
unique handprints. A handprint biometric system scans the hand and fingers and the data is
compared with the specimen stored for you in the system. The user is allowed or denied
based on the result of this verification.

3. Retina: Everybody has a unique retinal vascular pattern. A retina pattern biometric
system uses an infrared beam to scan your retina. Retina pattern biometric systems examine
the unique characteristics of the user’s retina and compare that information with the stored
pattern to determine whether the user should be allowed access. Some other biometric
systems also perform iris and pupil measurements. Retina pattern biometric systems are
highly reliable. Users are often worried about using retina scanners because they fear that
retina scanners will blind or injure their eyes.

4. Voice/Speech Patterns: Voice pattern biometric systems examine the unique
characteristics of the user’s voice. Voice biometrics can work with existing security
measures to speed up authentication. It enhances consumer confidence, which is crucial for
trust. Users are saved from the trouble of remembering multiple passwords and switching
between devices and OTPs. Voice biometric authentication creates your voice signature from
a recording of your voice and then uses this to identify you later. Whether or not it relies on
you saying a specific phrase depends on the particular system.

5. Signature and Writing Pattern: Signature recognition is a biometric modality that
stores and compares the behavioural patterns which are integral to the process of
generating a signature. Some of the factors that are analysed include the speed,
variations in timing and the pressure applied to the pen when an individual
composes a signature.

Of all the biometric modalities in existence, signature recognition carries the most
potential in terms of adaptability, security and implementation. In addition, the costs
involved in the deployment and procurement of this biometric modality are minimal
in contrast to the much more complex modalities like retinal and fingerprint
recognition.
6. Keystrokes: The behavioural biometric of Keystroke Dynamics uses the manner and
rhythm in which an individual types characters on a keyboard or keypad. The
keystroke rhythms of a user are measured to develop a unique biometric template of
the user's typing pattern for future authentication. Keystrokes are separated into
static and dynamic typing, which are used to help distinguish between authorized
and unauthorized users. Vibration information may be used to create a pattern for
future use in both identification and authentication tasks.
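Keystroke dynamics as an added example, not code from the notes: a template is built from several typings of a fixed text (static typing), a new typing is scored by its distance from the template, and the false rejection and false acceptance rates are reported at a threshold, the trade-off the notes mention under fingerprints. The timestamps are constructed with a seeded random generator, standing in for what a real keyboard hook would capture.

```python
import random
import statistics

def features(sample):
    """sample: list of (key, press_time, release_time) in seconds, in typing
    order. Returns dwell times (release - press) followed by flight times
    (next press - this release): the rhythm the template is built from."""
    dwell = [release - press for _, press, release in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight

def enroll(samples):
    """Build a template from several enrollment typings of the same fixed text
    (static typing): per feature, its mean and standard deviation."""
    vectors = [features(s) for s in samples]
    # Floor the deviation so a feature the user reproduces very precisely
    # does not blow the distance up on a tiny jitter.
    return [(statistics.mean(c), max(statistics.pstdev(c), 0.005)) for c in zip(*vectors)]

def distance(template, sample):
    """Mean number of standard deviations the sample sits from the template."""
    vector = features(sample)
    return sum(abs(x - m) / sd for x, (m, sd) in zip(vector, template)) / len(vector)

def verify(template, sample, threshold):
    """Accept when the rhythm is close enough; `threshold` trades false
    acceptances (impostor let in) against false rejections (owner kept out)."""
    return distance(template, sample) <= threshold

def error_rates(template, genuine, impostors, threshold):
    """False rejection rate and false acceptance rate at one threshold."""
    frr = sum(not verify(template, s, threshold) for s in genuine) / len(genuine)
    far = sum(verify(template, s, threshold) for s in impostors) / len(impostors)
    return frr, far

def synth_typing(rng, text, dwell_mean, flight_mean, jitter):
    """Constructed sample: `text` typed with the given rhythm plus Gaussian
    jitter, standing in for timestamps a real keyboard hook would capture."""
    t, sample = 0.0, []
    for ch in text:
        press = t
        release = press + max(0.02, rng.gauss(dwell_mean, jitter))
        sample.append((ch, press, release))
        t = release + max(0.02, rng.gauss(flight_mean, jitter))
    return sample

if __name__ == "__main__":
    rng = random.Random(7)
    owner = dict(dwell_mean=0.10, flight_mean=0.15, jitter=0.01)
    impostor = dict(dwell_mean=0.16, flight_mean=0.28, jitter=0.02)
    template = enroll([synth_typing(rng, "secret", **owner) for _ in range(10)])
    genuine = [synth_typing(rng, "secret", **owner) for _ in range(50)]
    others = [synth_typing(rng, "secret", **impostor) for _ in range(50)]
    for threshold in (0.5, 1.0, 2.0, 4.0):
        frr, far = error_rates(template, genuine, others, threshold)
        print(f"threshold {threshold}: FRR {frr:.2f}  FAR {far:.2f}")
```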

Access Control
Access control is an essential element of security that determines who is allowed to access
certain data, apps, and resources—and in what circumstances. In the same way that keys
and pre-approved guest lists protect physical spaces, access control policies protect digital
spaces. In other words, they let the right people in and keep the wrong people out. Access
control policies rely heavily on techniques like authentication and authorization, which allow
organizations to explicitly verify both that users are who they say they are and that these
users are granted the appropriate level of access based on context such as device, location,
role, and much more.

Access control keeps confidential information—such as customer data and intellectual
property—from being stolen by bad actors or other unauthorized users. It also reduces the
risk of data exfiltration by employees and keeps web-based threats at bay. Rather than
manage permissions manually, most security-driven organizations lean on identity and
access management solutions to implement access control policies.
Access is the privilege or assigned permission to use computer data or resources in some
manner. For instance, a user may be allowed read access to a file, but will not be allowed to
edit or delete it.
Access control is a security technique that regulates who or what can view or use resources
in a computing environment. It is a fundamental concept in security that minimizes risk to
the business or organization.

Authentication Mechanism - In security, authentication is the process of verifying whether
someone (or something) is, in fact, who (or what) it is declared to be.
There are three methods of authentication: something you know (e.g., passwords),
something you have (e.g., token keys), or something you are (a scanned body part, e.g. a
fingerprint).

Authentication and Authorisation

Authentication is the act of validating that users are whom they claim to be. This is the first
step in any security process.

Complete an authentication process with:

• Passwords. Usernames and passwords are the most common authentication factors.
If a user enters the correct data, the system assumes the identity is valid and grants
access.
• One-time pins. Grant access for only one session or transaction.
• Authentication apps. Generate security codes via an outside party that grants
access.
• Biometrics. A user presents a fingerprint or eye scan to gain access to the system.

In some instances, systems require the successful verification of more than one factor
before granting access. This multi-factor authentication (MFA) requirement is often
deployed to increase security beyond what passwords alone can provide.

Authorization in system security is the process of giving the user permission to access a
specific resource or function. This term is often used interchangeably with access control or
client privilege.

Giving someone permission to download a particular file on a server or providing individual
users with administrative access to an application are good examples of authorization.

In secure environments, authorization must always follow authentication. Users should first
prove that their identities are genuine before an organization’s administrators grant them
access to the requested resources.

Difference between Authentication and Authorization

                              | Authentication                                        | Authorization
What does it do?              | Verifies credentials                                  | Grants or denies permissions
How does it work?             | Through passwords, biometrics, one-time pins, or apps | Through settings maintained by security teams
Is it visible to the user?    | Yes                                                   | No
Is it changeable by the user? | Partially                                             | No
How does data move?           | Through ID tokens                                     | Through access tokens

In the most basic sense, access control in information security is about determining who
gets access to what stuff (files, directories, applications, etc.). For example, if I access our
company’s file server, I can see documents related to marketing. Someone in our Finance
department, on the other hand, would be able to review financial documents. But someone
external to the company wouldn’t be able to access any of these things.

All of these things are possible thanks to access controls that determine who can access
what.

Looking for a more technical definition? Access control is a broad term that describes
policies and methods that ensure only verified individuals can physically or virtually touch
items that they have permission to access. This process involves restricting access or
granting permissions that allow someone to do something to a protected item. This includes
having permissions to do any of the following to protected items (digital or physical
resources):

• Access,
• Read,
• Modify,
• Communicate,
• Delete or otherwise destroy.

“Subjects are usually people or groups. Objects are usually files or directories. The key is,
subjects access objects, and so access controls regulate how subjects access objects.”

In this understanding, objects could be resources that you want to protect from
unauthorized access, use, or disclosure. And the subject is the user (or group of users or
even non-person entities such as applications or services) that the access controls apply to.
So, access controls (in a more technical sense) are the tools, policies, models, and
mechanisms that enable you to grant or restrict access to your organization’s digital or
physical resources. This includes everything from restricting or granting access to specific
files and databases to IT systems and physical locations.

Access Control Matrix (ACM)

In computer science, an access control matrix or access matrix is an abstract, formal
security model of protection state in computer systems, that characterizes the rights of
each subject with respect to every object in the system. It was first introduced by Butler W.
Lampson in 1971.

An access control matrix is a table that defines access permissions between specific subjects
and objects. A matrix is a data structure that acts as a table lookup for the operating
system. For example, the table above is a matrix that has specific access permissions
defined by user, detailing what actions they can enact.

Access Control List (ACL)

In computer security, an access-control list (ACL) is a list of permissions associated with
a system resource (object). An ACL specifies which users or system processes are granted
access to objects, as well as what operations are allowed on given objects. Each entry in a
typical ACL specifies a subject and an operation. For instance, if a file object has an ACL that
contains (Alice: read, write; Bob: read), this would give Alice permission to read and write
the file and give Bob permission only to read it.
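The matrix, the ACL as one of its columns, the capability list as one of its rows, and an owner-only delegation in the DAC style described later in these notes, as an added example (not code from the notes). Alice, Bob and the (read, write; read) entries are the notes' own ACL example; the file names and the extra subjects are constructed.

```python
class AccessControlMatrix:
    """Lampson's matrix kept sparse: rights[(subject, object)] is the set of
    rights that subject holds on that object. A missing cell means no access."""

    def __init__(self):
        self.rights = {}

    def grant(self, subject, obj, *rights):
        self.rights.setdefault((subject, obj), set()).update(rights)

    def revoke(self, subject, obj, *rights):
        cell = self.rights.get((subject, obj), set())
        cell.difference_update(rights)
        if not cell:
            self.rights.pop((subject, obj), None)

    def check(self, subject, obj, right):
        """The reference-monitor question: may subject perform right on obj?"""
        return right in self.rights.get((subject, obj), ())

    def acl(self, obj):
        """One column of the matrix: the access control list stored with obj."""
        return {s: sorted(r) for (s, o), r in self.rights.items() if o == obj}

    def capabilities(self, subject):
        """One row of the matrix: the capability list held by subject."""
        return {o: sorted(r) for (s, o), r in self.rights.items() if s == subject}

    def delegate(self, grantor, subject, obj, *rights):
        """DAC-style transfer: only a subject holding 'own' on obj may give
        others rights on it. Returns whether the grant was applied."""
        if not self.check(grantor, obj, "own"):
            return False
        self.grant(subject, obj, *rights)
        return True

    def render(self):
        """Plain-text table of the full matrix, subjects down, objects across."""
        subjects = sorted({s for s, _ in self.rights})
        objects = sorted({o for _, o in self.rights})
        width = max((len(x) for x in subjects + objects), default=1) + 8
        lines = ["".ljust(width) + "".join(o.ljust(width) for o in objects)]
        for s in subjects:
            cells = [",".join(sorted(self.rights.get((s, o), []))) or "-" for o in objects]
            lines.append(s.ljust(width) + "".join(c.ljust(width) for c in cells))
        return "\n".join(lines)

if __name__ == "__main__":
    m = AccessControlMatrix()
    m.grant("alice", "report.txt", "own", "read", "write")  # (Alice: read, write; Bob: read)
    m.grant("bob", "report.txt", "read")
    m.grant("bob", "budget.xls", "own", "read", "write")
    print(m.render())
    print("ACL of report.txt:", m.acl("report.txt"))
    print("capabilities of bob:", m.capabilities("bob"))
    print("bob may write report.txt?", m.check("bob", "report.txt", "write"))
```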

The advantages of using access control lists include:
• Better protection of internet-facing servers.
• More control of access through entry points.
• More control of access to and traffic between internal networks.
• More granular control of user and group permissions.
• Better protection from spoofing and denial of service attacks.

Audit - An audit is an investigation and evaluation of IT systems, infrastructures, policies,
and operations. Through IT audits, a company can determine if the existing IT controls
protect corporate assets, ensure data integrity and align with the organization’s business
and financial controls. Basically, the aim is to gain assurance that these information systems
are working as intended, that the controls in these systems are in place and working
correctly, and that the information processed and stored is reliable.

IT auditing, or information technology audit, basically examines the internal control
structure of an information systems set-up.

Access Control policies

Discretionary access control (DAC)

Discretionary access control (DAC) is a type of security access control that grants or
restricts object access via an access policy determined by an object's owner group and/or
subjects. DAC mechanism controls are defined by user identification with supplied
credentials during authentication, such as username and password. DACs are discretionary
because the subject (owner) can transfer authenticated objects or information access to
other users. In other words, the owner determines object access privileges.

In DAC, each system object (file or data object) has an owner, and each initial object owner
is the subject that causes its creation. Thus, an object's access policy is determined by its
owner.

A typical example of DAC is the Unix file mode, which defines read, write and execute
permission bits for each of the three classes: the owning user, the group, and others.

DAC attributes include:

• User may transfer object ownership to another user(s).
• User may determine the access type of other users.
• After several attempts, authorization failures restrict user access.
• Unauthorized users are blind to object characteristics, such as file size, file name and
directory path.
• Object access is determined during access control list (ACL) authorization and based
on user identification and/or group membership.

DAC is easy to implement and intuitive but has certain disadvantages, including:

• Inherent vulnerabilities (Trojan horse)
• ACL maintenance or capability
• Grant and revoke permissions maintenance
• Limited negative authorization power

Mandatory access control (MAC)

The high levels of confidentiality and integrity mean that Mandatory Access Control is used
in areas that deal with sensitive data and require a high level of security. This typically
includes the military, government, politics, foreign trade, healthcare, and intelligence. But
MAC also has uses for normal companies. The security system Security-Enhanced Linux
(SELinux), for example, is based on an implementation of MAC in the Linux kernel.
Mandatory Access Control uses a hierarchical approach: Each object in a file system is
assigned a security level, based on the sensitivity of the data. Examples of security levels
include “confidential” and “top secret”. Users and devices are ranked in the same way. When
a user tries to access a resource, the system automatically checks whether or not they are
allowed access. Additionally, all users and information are assigned a category, which is also
checked when a user requests access. Users must fulfil both criteria – security level and
category – in order to access data.
Mandatory Access Control is one of the most secure access systems, as it’s pretty much
tamper-proof. Unlike with RBAC, users cannot make changes. The checking and enforcing of
access privileges is completely automated. This lends Mandatory Access Control a high level
of confidentiality. Furthermore, the system boasts a high level of integrity: Data cannot be
modified without proper authorization and are thus protected from tampering.

However, MAC requires detailed planning and greater administrative work. You’ll need to
regularly check and update each assignment of access rights to objects and users.
Maintenance work also includes adding new data or users and implementing changes in
categorizations and classifications.
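The two-criteria check the MAC section describes (security level and category, both enforced centrally so users cannot change them) as an added example, not code from the notes. The level names, subjects, objects and categories are constructed; the no-write-down rule for write access is an addition taken from Bell-LaPadula, beyond the read-side check the notes state.

```python
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

class Label:
    """Security label = hierarchical level + set of categories (compartments)."""
    def __init__(self, level, categories=()):
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        self.level = level
        self.categories = frozenset(categories)

    def dominates(self, other):
        """Both criteria from the notes: level at least as high AND every
        category of `other` is also held by this label."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)

    def __repr__(self):
        return f"{self.level}/{{{','.join(sorted(self.categories))}}}"

class MACSystem:
    """Labels are set by the administrator and checked on every access; the
    subjects themselves cannot alter them, which is what makes it mandatory."""
    def __init__(self):
        self.subjects = {}
        self.objects = {}

    def clear_subject(self, name, level, categories=()):
        self.subjects[name] = Label(level, categories)

    def classify_object(self, name, level, categories=()):
        self.objects[name] = Label(level, categories)

    def access(self, subject, obj, op):
        """Read requires the subject's label to dominate the object's (no read
        up). Write requires the object's label to dominate the subject's (no
        write down, the Bell-LaPadula *-property; an addition here, the notes
        only state the read-side check)."""
        s, o = self.subjects[subject], self.objects[obj]
        if op == "read":
            return s.dominates(o)
        if op == "write":
            return o.dominates(s)
        raise ValueError(f"unknown operation {op!r}")

def audit_matrix(mac):
    """Every subject/object pair with the operations allowed, for review."""
    rows = []
    for s in sorted(mac.subjects):
        for o in sorted(mac.objects):
            ops = [op for op in ("read", "write") if mac.access(s, o, op)]
            rows.append((s, o, ops))
    return rows

if __name__ == "__main__":
    mac = MACSystem()  # constructed labels
    mac.classify_object("ops-plan", "secret", {"military"})
    mac.classify_object("press-release", "unclassified")
    mac.clear_subject("major", "secret", {"military", "intel"})
    mac.clear_subject("analyst", "top secret", {"intel"})
    mac.clear_subject("officer", "secret", {"military"})
    for subject, obj, ops in audit_matrix(mac):
        print(f"{subject:8} {mac.subjects[subject]!r:28} {obj:14} {ops}")
```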

Role-based access control (RBAC)

Role-based access control (RBAC) is a way of granting access to resources based on users’
roles in an organization. Role-based access control (RBAC) is a policy-neutral access-control
mechanism defined around roles and privileges.
The components of RBAC such as role-permissions, user-role and role-role relationships
make it simple to perform user assignments. RBAC can be used to facilitate administration of
security in large organizations with hundreds of users and thousands of permissions.
Although RBAC is different from MAC and DAC access control frameworks, it can enforce
these policies without any complication.
Within an organization, roles are created for various job functions. The permissions to
perform certain operations are assigned to specific roles. Since users are not assigned
permissions directly, but only acquire them through their role (or roles), management of
individual user rights becomes a matter of simply assigning appropriate roles to the user's
account; this simplifies common operations, such as adding a user, or changing a user's
department.
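RBAC as an added example, not code from the notes: roles hold permissions, users hold roles, senior roles inherit from junior ones (the role-role relationship), and changing a user's department is a role swap rather than an edit of individual permissions. The departments and documents echo the file-server example earlier in these notes and are constructed.

```python
class RBAC:
    """Users get roles, roles get permissions, and a role may inherit from
    junior roles; permissions are never attached to a user directly."""
    def __init__(self):
        self.role_perms = {}    # role -> set of (action, resource)
        self.role_parents = {}  # role -> set of junior roles it inherits from
        self.user_roles = {}    # user -> set of roles

    def add_role(self, role, inherits=()):
        for junior in inherits:
            if junior not in self.role_perms:
                raise KeyError(f"unknown junior role {junior!r}")
        self.role_perms.setdefault(role, set())
        self.role_parents[role] = set(inherits)

    def grant(self, role, action, resource):
        self.role_perms[role].add((action, resource))

    def assign(self, user, *roles):
        for role in roles:
            if role not in self.role_perms:
                raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).update(roles)

    def deassign(self, user, *roles):
        self.user_roles.get(user, set()).difference_update(roles)

    def role_closure(self, role):
        """The role plus every junior role reachable through inheritance."""
        seen, todo = set(), [role]
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.role_parents.get(r, ()))
        return seen

    def effective_permissions(self, user):
        perms = set()
        for role in self.user_roles.get(user, ()):
            for r in self.role_closure(role):
                perms |= self.role_perms[r]
        return perms

    def check(self, user, action, resource):
        """The authorization decision: does any of the user's roles allow it?"""
        return (action, resource) in self.effective_permissions(user)

def change_department(rbac, user, old_roles, new_roles):
    """Moving a user is a role swap, not an edit of every individual right."""
    rbac.deassign(user, *old_roles)
    rbac.assign(user, *new_roles)
    return rbac.effective_permissions(user)

if __name__ == "__main__":
    r = RBAC()  # constructed roles for the file-server example
    r.add_role("marketing-staff"); r.grant("marketing-staff", "read", "marketing-docs")
    r.add_role("finance-staff"); r.grant("finance-staff", "read", "financial-docs")
    r.add_role("finance-manager", inherits=["finance-staff"])
    r.grant("finance-manager", "approve", "payments")
    r.assign("dave", "marketing-staff")
    print("dave reads marketing docs:", r.check("dave", "read", "marketing-docs"))
    print("external reads anything:", r.check("external", "read", "marketing-docs"))
    print("after move:", sorted(change_department(r, "dave", ["marketing-staff"], ["finance-manager"])))
```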
Role based access control interference is a relatively new issue in security applications,
where multiple user accounts with dynamic access levels may lead to encryption key
instability, allowing an outside user to exploit the weakness for unauthorized access. Key
sharing applications within dynamic virtualized environments have shown some success in
addressing this problem.
