Authentication Services
Access Control
Welcome to the Access Control lesson of the chapter on Authentication Services. In today's lesson we not only explore the different types of Access Control, but also explain the Access Control life cycle and what that process looks like on both the server and the client side. We'll define what authentication is, how it differs from authorization, and what an Access Control list is. You'll learn the difference between mandatory and discretionary access, what rule-based versus role-based access is, whether the two ever work together, and why that is important.
Transcript
Welcome, my name is John Oyeleke, subject matter expert for the CompTIA Security Plus. Today we will be looking at different types of access controls. First, we start with… to access a system a user needs to identify themselves to the system, and this is the stage called identification. When you identify, you simply provide your identity to the system. It could be in the form of a username, a user ID or an email; that is the identification stage, the first process. Next the system has to verify these credentials that you are giving. You also need to provide an authentication factor. What is authentication? Authentication is a process. It is the process by which the system verifies that you are who you say you are. You have identified yourself as user A; you also have a password, which you provide for the authentication step. You provide your username and your password. The system will then compare that to what is in the database. If there is a match, you are granted access. If there is a mismatch, access is denied and you get an error message. After authentication is done, the next step is authorization. Authorization has to do with the system checking your permissions. The system will check your permissions, something like [inaudible] the access control list, to see what you are allowed to do or not allowed to do on the system once you are granted access. These three steps must happen in that fashion: one, two and three. We don't need, or we don't want, these steps happening out of order: authentication happening before identification, or authorization before authentication. They must happen in order: identification, authentication, then authorization. Access control lists are simply lists of permissions associated with objects. Basically, the access control list specifies the type of access that a user or a group of users could have on a specific object or group of objects. All of these are very important so that we can have accountability: who has had what access, who did what and when.

We are now going to discuss some access control models. We have mandatory access control. This is an access control model based on security labels. Usually the objects are granted security labels and the subjects are also granted security labels. The subject is the entity trying to access the object, so the system will check what the security label of the subject trying to access the object is. The system, in effect, simply checks the security labels to determine if access should be granted. In mandatory access control, access control is based on security labels. It is put in effect by the system.

For discretionary access control… discretionary access control depends on the discretion of the owner of the object. The owner could be the head of the department; that person will approve or deny access to what could be a database, could be a facility… in most cases a database. The owner gives the discretion. The owner's discretion will grant access or deny access to the object. The most important thing to remember is that the owner of the resource permits or denies access to the resource.

Next we look at rule based access control. This is access control based on a set of rules. In many cases we implement our firewalls using rule based access control. You implement the rules, you dictate the rules on the firewall, and the firewall is able to filter traffic based on the rules you set. Where you set no rules, your firewall will allow all traffic. When you set the rules, the firewall will inspect the traffic and, based on the rules you have, determine when to drop the traffic or allow the traffic.

Next we have role based access control. What role do you play? This type of access control depends on the role you play in the organization. What you access on the database depends on the role you play. Where you can go in the facility depends on the role you play. What you can do on the network depends on the role you play. The role you play dictates what you have access to. Say we have a basic user in the HR department. The user can probably see my date of employment but not my date of birth. The HR director could see my date of birth and everything else about me because of the role they play. The role you play dictates the level of access you have for role based access control. Please bear in mind for the exam: do not confuse rule-based with role-based. It's very often a little trick. You could fall for that. We have rule based access control and role based access control. The principles are clearly different from each other.

Lastly, we have something called time of day restrictions. With time of day restrictions, we have the ability to restrict access to a facility, network devices or PCs based on the day of the week or the time of the day, for individual users or a collective group of users. We could restrict access to a facility on certain days of the week or certain times of the day; we could use this on a network to restrict access to printers, restrict access to computers, based on the time of the day or the day of the week for specific users. We use this as a form of access control. You could implement this on a server to ensure your users can only sign on on a specific date at a specific time. They can only stay logged on for a specific duration. We refer to this as time of day restriction.
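The three-step sequence and the models described in the transcript above, written out as a small Python program. This is an added example, not code from the course or from Cybrary: every user, password, security label, firewall rule, role and logon window in it is constructed sample data, and the helper names (`authenticate`, `acl_allows`, `mac_allows_read`, `dac_grant`, `firewall_decision`, `rbac_allows`, `logon_window_open`) are assumptions chosen for this illustration.

```python
"""Access control walk-through: identification -> authentication ->
authorization, then the four models from the lesson (mandatory, discretionary,
rule-based, role-based) and a time-of-day restriction.  Added example; every
user, label, rule and object name below is constructed sample data."""
import hashlib
import hmac
import ipaddress
import os
from datetime import datetime, time

# ---- Steps 1 and 2: identification, then authentication -------------------
def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the database never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}

USERS = {"alice": make_user("correct horse"), "bob": make_user("battery staple")}

def authenticate(username: str, password: str) -> bool:
    """Identification is the username lookup; authentication is the password
    check. Both must succeed, and the comparison is constant-time."""
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))

# ---- Step 3: authorization against an access control list ----------------
ACL = {"payroll.db": {"alice": {"read", "write"}, "hr-staff": {"read"}}}
GROUPS = {"bob": {"hr-staff"}}      # group memberships, also constructed

def acl_allows(user: str, obj: str, action: str) -> bool:
    principals = {user} | GROUPS.get(user, set())
    entries = ACL.get(obj, {})
    return any(action in entries.get(p, set()) for p in principals)

# ---- Mandatory access control: the system compares security labels --------
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

def mac_allows_read(subject_label: str, object_label: str) -> bool:
    # "No read up": the subject's clearance must dominate the object's label.
    return LEVELS[subject_label] >= LEVELS[object_label]

# ---- Discretionary access control: only the owner hands out access -------
OWNERS = {"payroll.db": "alice"}

def dac_grant(requester: str, obj: str, grantee: str, action: str) -> bool:
    if OWNERS.get(obj) != requester:
        return False                # not the owner, so no discretion to grant
    ACL.setdefault(obj, {}).setdefault(grantee, set()).add(action)
    return True

# ---- Rule-based access control: firewall-style ordered rules --------------
FIREWALL_RULES = [                  # first matching rule wins
    {"dst_port": 22, "src": "10.0.0.0/8", "action": "allow"},
    {"dst_port": 22, "src": "any", "action": "drop"},
]

def firewall_decision(src_ip: str, dst_port: int) -> str:
    for rule in FIREWALL_RULES:
        if rule["dst_port"] != dst_port:
            continue
        if rule["src"] == "any" or ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["src"]):
            return rule["action"]
    # The lesson's behaviour: with no matching rule the traffic is allowed.
    # A production ruleset normally ends with an explicit drop-everything rule.
    return "allow"

# ---- Role-based access control: permissions attach to roles, not users ----
ROLE_PERMISSIONS = {
    "hr-user": {"employee.start_date"},
    "hr-director": {"employee.start_date", "employee.date_of_birth"},
}
USER_ROLES = {"bob": "hr-user", "carol": "hr-director"}

def rbac_allows(user: str, field: str) -> bool:
    return field in ROLE_PERMISSIONS.get(USER_ROLES.get(user, ""), set())

# ---- Time-of-day restriction: logon window per user ------------------------
LOGON_WINDOWS = {"bob": {"days": {0, 1, 2, 3, 4}, "start": time(8, 0), "end": time(18, 0)}}

def logon_window_open(user: str, now: datetime) -> bool:
    w = LOGON_WINDOWS.get(user)
    if w is None:
        return True                 # no restriction configured for this user
    return now.weekday() in w["days"] and w["start"] <= now.time() <= w["end"]

if __name__ == "__main__":
    print("bob read payroll:", acl_allows("bob", "payroll.db", "read"))
    print("ssh from internet:", firewall_decision("203.0.113.5", 22))
    print("bob logon Saturday:", logon_window_open("bob", datetime(2024, 1, 6, 9, 0)))
```

The rule-based and role-based functions sit side by side on purpose: `firewall_decision` never looks at who the user is, only at the packet and the ordered rules, while `rbac_allows` never looks at the resource's rules, only at the role the user holds. That is the distinction the transcript warns the exam likes to blur.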
Authentication Factors
For this lesson we now look at five Authentication Factors, define how they are deployed as a security strategy, and discuss the pros and cons of each.
For example, you'll learn why the "Something You Know" concept may be convenient for users when assigning and remembering their own PIN codes and passwords, but why it is also an obvious key for an attacker breaking into your computer or accessing a secure document, account, or other resource.
You'll learn the benefits of signature authorization for tracking and accessing individuals by location, and what insights that can provide when monitoring, for example, authorized and unauthorized entry events.
Transcript
We'll now be looking at authentication factors, factors that facilitate authentication. We have something you know, something you have, something you are, somewhere you are, and something you do.

Something you know: something you know could be a PIN, a password or a passphrase; a PIN (personal identification number), a password or a passphrase. When you're trying to log on to a system you're required to provide a PIN or a password or a passphrase; that is something you know, and only you should know that.

Something you have: this refers to tokens. We have different types of tokens; sometimes you press the token, it generates a code, you key the code into the system, then you are granted access if there is a perfect match. So it must be a device in your possession. It could be a token, it could be a USB, it could be a key: something you have.

Something you are: we say this is biometrics. With something you are we're doing biometrics, and that involves using the physical attributes of a person to uniquely identify that individual. So you're using the physical attributes of human beings to uniquely identify the individuals. This could be a fingerprint, hand geometry, the pupil pattern, the retina pattern at the back of the eye; those are just some examples of biometrics.

Somewhere you are: where are you logging in from? It could be you're working from home, you are at the office, your office is on the third floor and you're trying to log on maybe at the management floor on the fifth floor; you might not have access. Somewhere you are dictates what systems you are logging in from. You could have access to log on from your desk but not at the front desk. Somewhere you are: where are you in the facility? Where are you authorized to log on from?

Something you do has to do with signature dynamics or keyboard dynamics. With the signature, the system will capture how you provide your signature. So every time you provide your signature we use a special pressure sensitive plate to capture your signature. Yes, somebody else could try faking your signature, but they couldn't exert the same pressure as you did. For keyboard dynamics we have something called the flight time and the dwell time. So we use specialized keyboards to capture your credentials. So when you type your credentials in enrollment several times over, the keyboard will capture your flight time, that's how long it takes to travel between the keys, and your dwell time, how long you actually spend on the keys. Should somebody else happen to know your password, they couldn't perfect a match between your flight time and your dwell time. So these are the different authentication factors.

We also have what we call one factor authentication, two factor authentication or multi factor authentication. So if you're logging on to any system or at the facility and you're using any one of these authentication factors, it's one factor authentication. So if you log in to your email and you provide only your password, that is single factor authentication. If you're logging on and you have to provide any two, that is two factor authentication; it's also multi factor authentication. If you have to use more than two, that is, you're using three or more, that is multi factor authentication. Please be careful: if your two are from the same line, say two from here or two from there, it's not two factor authentication. It has got to be one from here and one from there, or one from here and one from there, or one from here and one from there, to make it two factor authentication. The two factors cannot be in the same line for two factor authentication. They would try that on the exam; watch out for that. So we have something you know, something you have, something you are; these are the basic authentication factors. Next we have somewhere you are and something you do, and that is it for the authentication factors.
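Two of the points above, the "same line" rule for counting factors and the flight-time/dwell-time matching used by keyboard dynamics, written out in Python. This is an added example and not code from the course or from Cybrary; the method-to-category mapping, the enrollment timings and the two attempts are constructed sample data, and the tolerance and acceptance ratio in `keystroke_match` are assumptions chosen for the illustration, not parameters from any real product.

```python
"""Authentication factors: classify methods into the five categories, decide
whether a combination is genuine multi-factor, and score a keystroke-dynamics
attempt (dwell and flight times) against an enrollment profile.
Added example; all method names and timing values are constructed."""
from statistics import mean, pstdev

# Which category each authentication method belongs to (constructed mapping).
FACTOR_CATEGORY = {
    "password": "something you know", "pin": "something you know",
    "passphrase": "something you know",
    "hardware_token": "something you have", "usb_key": "something you have",
    "smart_card": "something you have",
    "fingerprint": "something you are", "retina_scan": "something you are",
    "hand_geometry": "something you are",
    "office_floor": "somewhere you are", "geolocation": "somewhere you are",
    "keystroke_dynamics": "something you do",
    "signature_dynamics": "something you do",
}

def distinct_factors(methods):
    """Set of factor categories covered by the supplied methods."""
    return {FACTOR_CATEGORY[m] for m in methods}

def is_multi_factor(methods):
    """True only if at least two *different* categories are used: a password
    plus a PIN is two methods but still single-factor."""
    return len(distinct_factors(methods)) >= 2

# --- Keystroke dynamics ------------------------------------------------------
# Each timing vector alternates dwell time (key held down) and flight time
# (between keys) in milliseconds for one fixed credential.  Constructed data:
# three enrollment runs by the legitimate user, then two login attempts.
ENROLLMENT_SAMPLES = [
    [90, 85, 95, 100, 120, 130, 110],
    [95, 90, 90, 105, 125, 125, 115],
    [92, 88, 93, 98, 118, 135, 112],
]
LEGIT_ATTEMPT = [93, 87, 94, 101, 122, 128, 113]
IMPOSTOR_ATTEMPT = [150, 160, 140, 170, 60, 70, 65]  # knows the password, types it differently

def enroll(samples, min_std=5.0):
    """Build a profile of (mean, std) per timing feature from the repeated
    enrollment runs.  The std is floored so a very consistent typist does not
    end up with a zero-width tolerance band that rejects their own logins."""
    return [(mean(col), max(pstdev(col), min_std)) for col in zip(*samples)]

def keystroke_match(profile, attempt, tolerance=2.0, required=0.8):
    """Accept when at least `required` of the features fall within `tolerance`
    standard deviations of the enrolled mean; mismatched length is rejected."""
    if len(attempt) != len(profile):
        return False
    within = sum(abs(v - m) <= tolerance * s for v, (m, s) in zip(attempt, profile))
    return within / len(profile) >= required

if __name__ == "__main__":
    print("password + pin is MFA:", is_multi_factor(["password", "pin"]))
    print("password + token is MFA:", is_multi_factor(["password", "hardware_token"]))
    prof = enroll(ENROLLMENT_SAMPLES)
    print("legit attempt accepted:", keystroke_match(prof, LEGIT_ATTEMPT))
    print("impostor attempt accepted:", keystroke_match(prof, IMPOSTOR_ATTEMPT))
```

The impostor case is the one the transcript describes: the attacker has the correct password, so the "something you know" check passes, but the timing profile captured at enrollment does not match, so the "something you do" check fails.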
Transport Encryption
Next we look at Transport Encryption, the process of securing data as it moves across the network.
This lesson diagrams a general VPN network and shows the interrelationships of nodes and users to demonstrate how the Transport Encryption process works, where that encryption takes place, and why.
Transcript
The next topic we look at is transport encryption. Transport encryption guarantees confidentiality for data in motion. While we are sending data across the internet, we need to ensure confidentiality for this data as it moves across the internet. Periodically we could have remote users working from home, or at third party or other companies' locations, and they have to communicate with their internal networks. These communications are being sent across the internet. As we know, many people are connected to the internet today. Good guys, bad guys, everybody has access to the internet. So what we want to do to ensure confidentiality is to use solutions like VPN or SSL (Secure Socket Layer); this guarantees end to end security between the remote users and internal network servers. When we use a VPN, a Virtual Private Network, this allows organizations to create a tunnel through the internet, a virtual network, so that information stays confidential from all the other people on the network. That way, the information is sent via VPN to the internal networks. Usually on such architectures we could also have VPN concentrators to ensure that everything coming into the network, or traffic, is encrypted; because certain devices in the network cannot process encrypted traffic, all traffic is decrypted as it comes into the network. The VPN concentrators also ensure that all traffic getting to the VPN is encrypted. That way, confidentiality is assured as communications move across the internet. So it is best practice to encrypt our traffic; otherwise people on the internet could eavesdrop on our communications and thereby have unauthorized access to the content of such communications. A VPN is the best practice used in this strategy.
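The transcript's point is that an encrypted transport only protects the remote user if the client can tell it is talking to the real internal server rather than to someone on the path. The following added example (not code from the course or from Cybrary) uses Python's standard `ssl` module to show a verifying TLS client configuration beside the weak "trust anything" variant, and an `audit_context` check that reports which protections a context lacks. The function names are assumptions for this illustration; it builds contexts only and opens no connection, so it runs offline.

```python
"""Transport encryption on the client side with Python's ssl module: a
verifying TLS client context next to the weak "trust anything" variant, plus
an audit function that reports which protections a context lacks.
Added example; it constructs contexts only and opens no connection."""
import ssl

def hardened_client_context() -> ssl.SSLContext:
    """What a remote user's client should use: the peer's certificate is
    required and checked against the system CA store, the hostname must match
    the certificate, and only TLS 1.2 or newer is negotiated."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def unverified_client_context() -> ssl.SSLContext:
    """The weak pattern: traffic is still encrypted on the wire, but any party
    on the path can present its own certificate and terminate the session, so
    the confidentiality the tunnel is meant to give is not actually assured."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context verifies
    its peer and refuses legacy protocol versions."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions (1.0/1.1) are still allowed")
    return findings

if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("unverified:", audit_context(unverified_client_context()))
```

Whether the "legacy TLS versions" finding appears for the weak context depends on the Python and OpenSSL build (newer releases default to TLS 1.2 as the minimum); the two verification findings appear on every build, and they are the ones that matter for the eavesdropping scenario in the lesson.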
Welcome to Cybrary.IT. My name is John Oyeleke, subject matter expert for the Security Plus certification. In this video I'm giving an overview of the exam, the Security Plus exam. The exam is broken down into one, two, three, four, five, six sections. We start off with network security. This is 21% of the exam. Then we talk about compliance and operational security, which takes 18% of the exam, with threats and vulnerabilities taking 21%. Application, data and host security consists of 16%, and access control and identity management 13% of the exam. The smallest section on the exam is that of cryptography, taking 11%. In total you have 100%.

For this exam, we have to look at the number of questions on the exam, which is put at 90. That is a maximum of 90 questions. Well, in some cases students could get anything between 75 and 80 questions. Well, the maximum is 90 questions. So, while you prepare for the exam: ninety questions at a time. Whatever question banks you are preparing from, use 90 questions at a time, and for the time you have 90 minutes. So, test yourself. See that you can do 90 questions in 90 minutes, such that even if you are given fewer questions, you can still finish the exam comfortably in the time provided.

Now, what type of questions would we have? We have multiple choice or performance based questions. For multiple choice, you are given options A, B, C, D, E or F. You would be asked to select one, or you could be asked to select two or three. Where you are required to select two, it would also be stated after the question: "Choose two." Where you are required to select three: "Choose three." The performance based questions are simulation based questions where you have drag and drop, mix and match, click and select; you know, these are simulation type questions. Usually on the exams, they would present you the performance based questions first. Students are advised, if you can't really answer the performance based questions, to click for review and move on to the next. So you could click for review so that when you are done with the objectives you could return to review the performance based questions. You possibly would have a better understanding by the time you have gone through some objectives, or you've been able to calm down and review the objective properly. This way, you could provide better answers to performance based questions. But please, I advise, do not waste too much time trying to understand the performance based questions. Rather, if you don't understand it, mark for review and proceed to the next one, so you don't run out of time.

Finally, the passing score is 750 points. Anything below that is a fail, and everything above that is a good pass. You get 750, you pass the exam. You get above 750, you still pass the exam. However, nobody requires your passing score once you pass the exam. After you pass the exam CompTIA will send you an email that grants access to a portal where you could download the PDF copy of the certificate. A couple of weeks after the exam, you get the actual certificate in the post and a wallet card stating the certificate for which you have been successful.