FUNDAMENTALS OF CYBER SECURITY (CYB 201) LECTURE NOTE

TOPICS INCLUDES:

 Confidentiality
 Integrity
 Availability
 Authentication
 Access Control

 Introduction to/need for Cybersecurity

Our everyday lives have become more dependent on the connected technological information
network. This network is used by a wide range of organizations, including medical, financial,
and educational institutions. They make use of the network to gather, process, store, and shar
e massive volumes of digital data. The safety of digital information is becoming increasingly
important to our national security and economic stability as more digital data is collected and
shared.

Cybersecurity is the ongoing effort to protect these networked systems and all of the data
from unauthorized use or harm.
You must protect your identity, data, and computer equipment on a personal level. Protecting
the organization's reputation, data, and customers is everyone's duty at the corporate level. Na
tional security, as well as individuals' safety and well-being, are at stake at the state level.

Your Online and Offline Identity

As more time is spent online, your online and offline identities can have an impact on your
life. Your offline identity is the person with whom you engage with your friends and family
on a regular basis at home, school, or job. They have access to personal information such as
your name, age, and residence. Who you are in cyberspace is your online identity. How you
show yourself to people online is your online persona. Only a little quantity of information
about you should be revealed through this online identity.

When choosing a username or alias for your online identity, be cautious. There should be no
personal information in the username. Something suitable and courteous should be used. This
username should not lead strangers to think you are an easy target for cybercrimes or
unwanted attention

 Your Data

You can consider any information about you to be your data. This personal data can be used
to uniquely identify you as a person. This information includes the pictures and messages you
send and receive online with your family and friends. Other information, such as name, social
security number, date and place of birth, or mother‘s maiden name, is known by you and used

1
to identify you. Medical, educational, financial, and job information may all be used to track
you down on the internet.

 Medical Records

More information is added to your health records every time you visit the doctor. Your family
doctor's prescription becomes part of your medical history. Your health records, which may
or may not be medically linked, contain information about your physical and mental health,
as well as other personal information. For example, if you had therapy as a kid due to severe
family changes, this will be included in your medical records. Health records may also
contain information about your family in addition to your medical history and personal
information.

Medical devices, such as fitness bands, leverage the cloud platform to allow for wireless
transmission, storage, and display of clinical data such as heart rates, blood pressures, and
blood sugars. These gadgets can create a lot of clinical data, which could end up in your
medical records.

 Education Records

Your education record may contain information on your grades and test scores, attendance,
courses completed, awards and degrees received, and any disciplinary reports as you move
through your education. This record may also include contact information, health and
immunization records, and special education records including individualized education
programs (IEPs).

 Employment and Financial Records

Information about your income and expenses may be included in your financial record.
Paycheck stubs, credit card statements, your credit rating, and other banking information are
all examples of tax records. Your employment information can include your past employment
and your performance.

 Where is Your Data

All of this information is about you. Every nation has its own set of laws that protect your
privacy and data. But do you know where your information is stored? Do you know who
could have a copy of your photos if you post them online with your friends? You have copies
of the photos on your own devices. Those photos may have been transferred into the devices
of your friends. Strangers may have copies of the photos if they are posted publicly. They
may either download or have screenshots of those images. Because the photos were shared on
the internet, they are also kept on servers throughout the world.

 They Want Your Money

2
Criminals are interested in everything valuable you have. Your credentials on the internet are
quite valuable. The criminals get access to your accounts using these credentials. Your
relationships might potentially be used by a criminal. They might get access to your online
accounts and reputation in order to dupe you into sending money to friends or family
members. The thief might send you messages claiming that your relatives or friends need
money sent to them so they can return home after losing their wallets while traveling.

When it comes to deceiving you into handing them money, thieves are incredibly
imaginative. They are capable of stealing not just your money, but also your identity and
ruining your life.

 They Want Your Identity

Apart from taking your money for a short-term monetary gain, thieves also aim to take your
identity for long-term benefit. They can use your stolen identity to create credit card accounts
and run up debts in your name. Your credit rating will suffer as a result, making it more
difficult for you to get loans.

 Types of Organizational Data

 Traditional Data

Personnel information, intellectual property, and financial data are all examples of corporate
data. Application materials, paychecks, offer letters, employee agreements, and any other
information needed in making hiring choices are all included in the personnel information.
Patents, trademarks, and new product plans are examples of intellectual property that allow a
company to obtain an economic edge over its competitors. This intellectual property might be
deemed a trade secret, and losing it could be devastating for the company's future. The
financial data of a firm, such as income statements, balance sheets, and cash flow statements,
provides insight into the company's health.

 Internet of Things and Big Data

There is a lot more data to manage and safeguard now that the Internet of Things (IoT) has
emerged. The Internet of Things (IoT) is a vast network of physical things such as sensors
and equipment that extends beyond a typical computer network. All of these connections,
along with the fact that we've increased storage capacity and storage services through cloud
and virtualization, have resulted in exponential data growth. This information has sparked a
new interest in technology and business known as "Big Data." With the velocity, amount, and
diversity of data created by IoT and business activities on a regular basis, data security,
integrity, and availability are critical to the company's existence.

Cybersecurity refers to the practice of protecting internet-connected systems, including

hardware, software, and data, from attack, damage, or unauthorized access. This includes
protecting against a wide range of threats, including hacking, malware, and ransomware.
Effective cybersecurity practices involve implementing a combination of technical controls,

3
such as firewalls and encryption, as well as administrative controls, such as employee
training and incident response plans. The goal of cybersecurity is to ensure the
confidentiality, integrity, and availability of information and systems.

CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY - THE CIA TRIAD

The CIA Triad

Confidentiality, integrity and availability, known as the CIA triad, is a guideline for
information security for an organization.

What is the CIA Triad

The goal of cybersecurity is to protect the organization’s vital assets against rapidly
increasing cyber-attacks. This can be ensured by implementing the right security protocols
that can detect and prevent such threats. . Every security control and every security
vulnerability can be viewed in light of one or more of these key concepts. For a security
program to be considered comprehensive and complete, it must adequately address the entire
CIA Triad.

The key purpose of cybersecurity is to ensure the Confidentiality, Integrity, and Availability
(CIA) of data and services. CIA or the CIA triad forms the foundation of any organization’s
security infrastructure, indicating that once data or a system is attacked, these principles were
violated.

What does each of these principles means, and how each play a role?

1. CONFIDENTIALITY

4
Another term for confidentiality would be privacy. Confidentiality means that data, objects
and resources are protected from unauthorized viewing and other access. The purpose of
‘Confidentiality’ is to ensure the protection of data by preventing the unauthorized disclosure
of information. Company policies should limit access to information to authorized workers
and guarantee that only those persons who are authorized may access to it. The information
can be divided into categories based on its level of security or sensitivity. A Java software
developer, for example, should not have access to all workers' personal information.
Employees should also be trained on the best practices for securing sensitive information in
order to protect themselves and the company from cyber-attacks.

 Examples of data with high confidentiality concerns include:

 Social Security numbers, which must remain confidential to prevent identity theft.
 passwords, which must remain confidential to protect systems and accounts.
 What to consider when managing data confidentiality:
 To whom data can be disclosed
 Whether laws, regulations, or contracts require data to remain confidential
 Whether data may only be used or released under certain conditions
 Whether data is sensitive by nature and would have a negative impact if disclosed
 Whether data would be valuable to those who aren't permitted to have it (e.g.,
hackers)
 Some guidelines for data confidentiality
When managing data confidentiality, follow these guidelines:
 Encrypt sensitive files: Encryption is a process that renders data unreadable
to anyone except those who have the appropriate password or key. By
encrypting sensitive files (by using file passwords, for example), you can
protect them from being read or used by those who are not entitled to do
either.
 Manage data access: Controlling confidentiality is, in large part, about
controlling who has access to data. Ensuring that access is only authorized
and granted to those who have a "need to know" goes a long way in limiting
unnecessary exposure. Users should also authenticate their access with strong
passwords and, where practical, two-factor authentication. Periodically
review access lists and promptly revoke access when it is no longer
necessary.
 Physically secure devices and paper documents: Controlling access to data
includes controlling access of all kinds, both digital and physical. Protect
devices and paper documents from misuse or theft by storing them in locked
areas. Never leave devices or sensitive documents unattented in public
locations.

5
  Securely dispose of data, devices, and paper records:
When data is no longer necessary for University-related purposes, it must be
disposed of appropriately.
o Sensitive data, such as Social Security numbers, must be securely erased to
ensure that it cannot be recovered and misused.
o Devices that were used for University-related purposes or that were otherwise
used to store sensitive information should be destroyed or securely erased to
ensure that their previous contents cannot be recovered and misused.
o Paper documents containing sensitive information should be shredded rather
than dumped into trash or recycling bins.
 Manage data acquisition: When collecting sensitive data, be conscious of how much
data is actually needed and carefully consider privacy and confidentiality in the
acquisition process. Avoid acquiring sensitive data unless absolutely necessary; one
of the best ways to reduce confidentiality risk is to reduce the amount of sensitive data
being collected in the first place.
 Manage data utilization: Confidentiality risk can be further reduced by using
sensitive data only as approved and as necessary. Misusing sensitive data violates the
privacy and confidentiality of that data and of the individuals or groups the data
represents.
 Manage devices: Computer management is a broad topic that includes many essential
security practices. By protecting devices, you can also protect the data they contain.
Follow basic cybersecurity hygiene by using anti-virus software, routinely patching
software, whitelisting applications, using device passcodes, suspending inactive
sessions, enabling firewalls, and using whole-disk encryption.

 Common threats against confidentiality are:

1. Insider Threats/Malicious insiders: Employees or contractors who misuse their

authorized access to confidential information for malicious purposes.
2. Phishing and Social Engineering: Techniques that manipulate individuals into
divulging confidential information, often through deceptive emails or messages.
3. Advanced Persistent Threats (APTs): Prolonged and targeted cyberattacks designed
to gain access to and exfiltrate sensitive information.
4. Data Breaches: Incidents where unauthorized parties gain access to confidential
information, potentially leading to identity theft and financial loss.
5. Man-in-the-Middle (MitM) attack is a type of cyberattack where an attacker
intercepts and possibly alters the communication between two parties without their
knowledge. The attacker can eavesdrop, modify, or inject false information into the
communication, potentially leading to data breaches, identity theft, and other
malicious activities.
6. An eavesdropping attack occurs when a hacker intercepts, deletes, or modifies data
that is transmitted between two devices. Eavesdropping, also known as sniffing or

6
 snooping, relies on unsecured network communications to access data in transit
between devices.
7. Encryption cracking is the process of attempting to decode or decrypt encrypted data
without access to the original encryption key. This practice is typically carried out by
attackers with malicious intent, but it can also be conducted by security researchers to
test the strength of encryption algorithms.

 Some information security basics to keep your data confidential are:

Encryption
Password
Two-factor authentication
Biometric verification

Best Practices for Ensuring Confidentiality

1. Regular Audits and Monitoring: Continuous monitoring of access logs and security
controls to detect and respond to unauthorized access attempts.
2. User Education and Training: Educating employees about the importance of
confidentiality and best practices for protecting sensitive information.
3. Incident Response Planning: Developing and maintaining a plan to respond to data
breaches and other security incidents promptly and effectively.
4. Data Classification: Categorizing data based on its sensitivity and implementing
appropriate security measures for each category.

Legal and Regulatory Compliance

1. GDPR (General Data Protection Regulation): European regulation that enforces strict
data protection and privacy requirements for personal data.
2. HIPAA (Health Insurance Portability and Accountability Act): U.S. regulation that
mandates the protection of health information.
3. PCI-DSS (Payment Card Industry Data Security Standard): Standards designed to
secure payment card information.

2. INTEGRITY

Integrity means that data is protected from unauthorized changes to ensure that it is reliable
and correct. Integrity refers to the data's correctness, consistency, and trustworthiness over its

7
entire life cycle. During transit, data must be unmodified and unaffected by unauthorized
individuals. Unauthorized access can be prevented using file permissions and user access
control. Version control can be used to prevent authorized users from making accidental
modifications. Backups must be accessible in case of data corruption, and checksum hashing
can be employed to ensure data integrity during transmission.

A checksum is used to verify the integrity of files, or strings of characters, after they have
been transferred from one device to another across your local network or the Internet. Hash
functions are used to calculate checksums. A hash function transforms data into a fixed-
length value that reflects the data using a mathematical method. The hashed value is only for
comparison purposes. The original data cannot be retrieved directly from the hashed value. If
you forget your password, for example, the hashed value cannot be used to retrieve it. The
password needs to be reset.

You may check a file's integrity after it's been downloaded by comparing the hash values
from the source to the one you generated using any hash calculator. You can confirm that the
file has not been tampered with or damaged during the transfer by comparing the hash values.

A critical requirement of both commercial and government data processing is to ensure the
integrity of data to prevent fraud and errors. As a result, no user should be able to alter data in
a way that might corrupt or destroy assets or financial records, or make decision-making
information unreliable.
Air traffic control systems, military fire control systems, and social security and welfare
systems are examples of government systems where integrity is critical.
Medical prescription systems, credit reporting systems, production control systems, and
payroll systems are examples of commercial systems that require a high level of integrity.

Key Concepts of Integrity

1. Accuracy:
 Data must be correct and free from errors. Any changes to the data should be
intentional and performed by authorized individuals.
2. Consistency:
 Data should remain consistent across different systems and processes. This
includes ensuring that data is uniformly updated and synchronized.
3. Trustworthiness:
 Data should be reliable and reflect the real-world situation it represents. Users
should be able to trust that the information they access is genuine and has not
been tampered with.

8
  Protecting against Threats to Integrity:
Like confidentiality, integrity can also be arbitrated by hackers, masqueraders, unprotected
downloaded files, LANs, unauthorized user activities, and unauthorized programs like Trojan
Horse and viruses, because each of these threads can lead to unauthorized changes to data or
programs.
For example, unauthorized user can corrupt or change data and programs intentionally or
accidentally if their activities on the system are not properly controlled.
 Generally, three basic principles are used to establish integrity controls:
Need-to-know access: User should be granted access only on to those files and programs that
they need in order to perform their assigned jobs functions.
Separation of duties: To ensure that no single employee has control of a transaction from
beginning to end, two or more people should be responsible for performing it.
Rotation of duties: Job assignment should be changed periodically so that it becomes more
difficult for the users to collaborate to exercise complete control of a transaction and subvert
it for fraudulent purposes.
 Integrity Models –
Integrity models are used to describe what needs to be done to enforce the information
integrity policy. There are three goals of integrity, which the models address in various ways:
o Preventing unauthorized users from making modifications to data or programs.
o Preventing authorized users from making improper or unauthorized modifications.
o Maintaining internal and external consistency of data and programs.

Threats to Integrity
1. Unauthorized Modification:
 Attackers may alter data maliciously, such as changing records in a database,
modifying configuration files, or injecting malicious code.
 Mitigation: Strong access control measures, authentication, and authorization
mechanisms.
2. Accidental Errors:
 Human errors, software bugs, or hardware failures can lead to unintentional
changes in data, compromising its integrity.
3. Malware:
 Malicious software, such as viruses, worms, or ransomware, can corrupt data
or introduce harmful changes.

9
  Mitigation: Regular software updates, antivirus programs, and
security patches.

4. Man-in-the-Middle Attacks:
 Attackers intercept and alter data during transmission between two parties,
leading to compromised integrity.
5. Insider Threats:
 Employees or contractors with authorized access might intentionally or
unintentionally alter data.
 Mitigation: Monitoring, auditing, and implementing the principle of least
privilege.

6. Transmission Errors:
 Description: Data corruption during transmission due to network issues or
interference.
 Mitigation: Error-checking mechanisms like checksums and CRCs (Cyclic
Redundancy Check).
7. Software Bugs and Glitches:
 Description: Errors in software that can lead to data corruption.
 Mitigation: Rigorous testing, validation, and maintaining updated software.

8. Software Bugs and Glitches:

 Description: Errors in software that can lead to data corruption.
 Mitigation: Rigorous testing, validation, and maintaining updated software.

Mechanisms to Ensure Integrity

1. Hashing:
 Description: Hash functions (like SHA-256) convert data into a fixed-size
string of characters, which acts as a unique fingerprint.
 Usage: Any change in the original data will result in a different hash value,
making it easy to detect alterations.
2. Checksums:

10
  Description: Similar to hashing, checksums are used to verify the integrity of
data during transmission or storage.
 Usage: Commonly used in software distribution to ensure that files have not
been altered.
3. Digital Signatures:
 Description: Digital signatures use public key cryptography to verify the
authenticity and integrity of data.
 Usage: Ensures that the data has not been altered and verifies the identity of
the sender.
4. Message Authentication Codes (MACs):
 Description: MACs are generated using a secret key and a cryptographic hash
function.
 Usage: Verifies both the integrity and authenticity of a message.
5. Data Backups:
 Description: Regularly backing up data ensures that an unaltered copy of the
data is available for restoration.
 Usage: Helps recover original data in case of corruption or tampering.
6. Access Controls:
 Description: Restricting access to data based on user roles and permissions.
 Usage: Ensures that only authorized users can modify data, reducing the risk
of accidental or malicious changes.
7. Audit Trails and Logging:
 Description: Recording all actions and changes made to data.
 Usage: Provides a record of who accessed or modified data, enabling the
detection and investigation of unauthorized changes.
Best Practices for Maintaining Integrity
1. Implement Robust Access Controls:
 Use role-based access control (RBAC) to ensure that only authorized
personnel can modify sensitive data.
2. Regularly Update and Patch Systems:
 Keep software and systems up-to-date with the latest security patches to
mitigate vulnerabilities that could compromise data integrity.
3. Conduct Regular Audits:
11
  Perform periodic audits of data and systems to identify and address potential
integrity issues.
4. Educate Employees:
 Train employees on the importance of data integrity and best practices for
maintaining it.
5. Use Strong Encryption:
 Encrypt data both at rest and in transit to protect it from unauthorized
alterations.

3. AVAILABILITY

Availability means that authorized users have access to the systems and the resources they
need. In cybersecurity, availability ensures that information and resources are accessible to
authorized users whenever they are needed. The primary goal is to guarantee the continuous
operation of systems, applications, and data access, thus preventing service disruptions that
can impact business operations.

In order for an information system to be useful it must be available to authorized users.

Availability measures protect timely and uninterrupted access to the system. The availability
of the network and data to authorized users is ensured by maintaining equipment, conducting
hardware repairs, keeping operating systems and software up to date, and creating backups.
Plans should be in place to recover quickly from natural or man-made disasters. Security
equipment or software, such as firewalls, protects against downtime caused by denial of
service attacks (DoS). Denial of service occurs when an attacker attempts to overwhelm
resources so the services are not available to the users.

Key Aspects of Availability

1. Uptime:
 Ensuring that systems and services are operational and accessible most of the
time.
 Measured in terms of uptime percentage, where higher percentages indicate
better availability.
2. Redundancy:
 Implementing multiple instances of critical components (e.g., servers,
networks) to prevent single points of failure.
 Ensures that if one component fails, others can take over without disrupting
service.
3. Scalability:

12
  The ability to handle increased load by adding resources or optimizing
existing ones.
 Ensures that systems can accommodate growth and increased demand without
degradation in performance.
4. Disaster Recovery and Backup:
 Having strategies and plans in place to recover from catastrophic events such
as natural disasters, cyberattacks, or system failures.
 Regular backups ensure data can be restored in the event of data loss.

There are mainly two threats to availability of the system which are as follows:
o Denial of Service
o Loss of Data Processing Capabilities

The above two facets of availability are explained as following below:

i. Denial of Service:
Denial of Service specifies to actions that lock up computing services in a way
that the authorized users are unable to use the system whenever needed.
Availability is also blocked in case, if a security office unintentionally locks up an
access control of database during the routine maintenance of the system thus for a
period of time authorized users are block to access. In the computer systems,
internet worm overloaded about 10% of the system on the network, causing them
to be non responsive to the need of users is an example of denial of service.

ii. Loss of Data Processing Capabilities:

The loss of data processing capabilities are generally caused by the natural
disasters or human actions is perhaps more common. Contingency planning is the
measure to counter such type of losses, which helps in minimizing the time for
that a data processing capability remains unavailable. Contingency planning
provides an alternative means of processing which involves business resumption
planning, alternative site processing or simply disaster recovery planning thereby
ensures data availability.

Other Threats to Availability

1. Distributed Denial of Service (DDoS) Attacks:
 Attackers overwhelm a system or network with traffic, rendering it unusable
for legitimate users.
 Mitigation: Use DDoS protection services, rate limiting, and traffic filtering.
2. Hardware Failures:

13
  Physical components such as servers, hard drives, or network devices can fail,
causing downtime.
 Mitigation: Use redundant hardware, regular maintenance, and monitoring.
3. Software Bugs and Glitches:
 Software errors can cause systems to crash or become unresponsive.
 Mitigation: Rigorous testing, updates, and patches.
4. Natural Disasters:
 Events such as earthquakes, floods, or fires can damage infrastructure and
disrupt services.
 Mitigation: Disaster recovery planning, off-site backups, and geographically
distributed data centers.
5. Human Error:
 Mistakes by users or administrators, such as misconfigurations or accidental
deletions, can impact availability.
 Mitigation: Training, strict access controls, and automated systems to reduce
human intervention.

 Security aspects of Availability:

Generally, three basic issues are aspects of security initiatives that are used to address
availability, they are:
i. Physical issues:
The physical issues includes access controls that prevent unauthorized persons
from coming into contact with computing resources, various fire and water control
mechanisms, hot and cold sites for use in alternative site processing, and backup
storage facilities.
ii. Technical issues:
Technical issues includes the fault-tolerance mechanisms, electronic vaulting
(automatically backup to a secure location) and access control software to restrict
unauthorized users from disrupting services. Fault tolerance mechanisms involves
hardware redundancy, disk mirroring and application checkpoint restart.
iii. Administrative issues:
The issues comes in the administrative aspect of availability are access control
policies, operating procedures, contingency planning and user training. Proper
training of operators, programmers and security personnel can help avoid many
computing stages that leads to the loss of availability.

14
  Information Security Measures for Mitigating Threats To Data Availability
Include:
i. Off-site backups: Off-site backup is a method of backing up data to a remote
server or to media that is transported off site, usually via the Internet.
ii. Disaster recovery: Disaster recovery is an organization's method of regaining
access and functionality to its IT infrastructure after events like a natural
disaster, cyber attack, or even business disruptions.
iii. Redundancy: Data redundancy occurs when the same piece of data exists in
multiple places
iv. Failover: Failover is the ability to switch automatically and seamlessly to a
reliable backup system.
v. Proper monitoring: Security monitoring activities help protect a business
from threats within the company, as well as from external threats.
vi. Environmental controls: Physical and environmental security programs
define the various measures or controls that protect organizations from loss of
connectivity and availability of computer processing caused by theft, fire,
flood, intentional destruction, unintentional damage, mechanical equipment
failure and power failures.
vii. Virtualization: Virtualization security is the collective measures, procedures
and processes that ensure the protection of a virtualization infrastructure /
environment. Virtualization uses software to create an abstraction layer over
computer hardware that allows the hardware elements of a single computer—
processors, memory, storage and more—to be divided into multiple virtual
computers, commonly called virtual machines (VMs).
viii. Server clustering: A server cluster is a unified group of servers, distributed
and managed under a single IP address, which serves as a single entity to
ensure higher availability, proper load balancing, and system scalability. Each
server is a node with its own storage (hard drive), memory (RAM), and
processing (CPU) resources to command.
ix. Continuity of operations planning: A continuity of operations plan
establishes policy and guidance ensuring that critical functions continue and
that personnel and resources are relocated to an alternate facility in case of
emergencies. The plan should develop procedures for: alerting, notifying,
activating and deploying employees

Best Practices for Availability

1. Implement High Availability (HA) Architecture:
 Design systems with high availability in mind, using techniques like clustering
and replication to ensure continuous operation.
2. Conduct Regular Testing:

15
  Regularly test disaster recovery plans, failover mechanisms, and backup
procedures to ensure they work as expected.
3. Use Cloud Services:
 Leverage cloud providers' built-in redundancy and scalability features to
enhance availability.
4. Automate Processes:
 Automate routine tasks to minimize human error and ensure consistent
performance.
5. Stay Informed:
 Keep up with the latest developments in cybersecurity and availability to adapt
to new threats and technologies.

4. AUTHENTICATION

Basic Concept of Authentication

Trust and recognition have been staples of human relationships since the beginning of time,
forcing early humans to create ways of identifying each other through the use of signatures,
facial features, names, and more recently through the use of documents like official
identification and passports. The concept of authentication has become incredibly
complicated with the advent and use of the internet in daily life. Administrators sit behind
screens, unable to verify the identity of invisible users by sight, name or signature – now they
use technology to protect their networks from those with the desire to bypass authentication
methods with malicious intent.
 Definition of Authentication
The process of authentication in the context of computer systems means assurance and
confirmation of a user's identity. Authentication is a fundamental process in cybersecurity
that verifies the identity of a user, device, or system before granting access to resources. It
ensures that only authorized entities can access sensitive data, systems, or services, thereby
protecting against unauthorized access and potential security breaches.
Before a user attempts to access information stored on a network, he or she must prove their
identity and permission to access the data. When logging onto a network , a user must
provide unique log-in information including a user name and password, a practice which was
designed to protect a network from infiltration by hackers. Authentication has further
expanded in recent years to require more personal information of the user, for example,
biometrics, to ensure the security of the account and network from those with the technical
skills to take advantage of vulnerabilities.

16
  History of Authentication
Passwords were developed and put into use in the 1960's for larger than life computers with
multiple users. In the 1970's, Bell Labs researcher Robert Morris learned that it was a bad
idea to store passwords in a clear text file. Morris created a cryptographic concept, or hash
function, designed to verify the identity of the user without storing the actual password in the
machine. Interestingly enough, as a clear indicator of what was to come in the technology
industry, Morris created the first ever computer worm, in 1988. In the 1970's, private key
cryptography allowed users to maintain one set of information to use to verify their identity
when logging into a system, and one set of information to share with the world when using
internet – thus giving internet users a face and name on the internet. One-time passwords,
public-key cryptography and CAPTCHAs followed, bringing us to today, where we use both
MFA (multi-factor authentication) and biometrics.
 How Authentication work with security
Authentication employs different combinations of data, passcodes, QR codes, passwords,
pass cards, digital signatures, fingerprint, retinal, face and voice scans to verify a users'
identity before they can access a network. Proper authentication is often provided through a
solution like a secure web gateway and deployment of multiple, cohesive security protections
and solutions, like next-generation firewall and endpoint protection.
 Authentication leads to Authorization
Authentication now gives allowed users access to systems and applications. But there is
more, Once the system knows who users are, policies can be applied that control where the
users can go, what the users can do, and what resources they can access. This is called
authorization. Authorization is important as it ensures that users cannot have more access to
systems and resources then they need. This also makes it possible to identify when someone
is trying to access something they should not. For example, only giving medical personnel
and not administrative personnel access to patient records, ensuring patient confidentiality.

Key Components of Authentication

1. Identification:
 The process where a user declares an identity, typically through a username or
ID.
2. Verification:
 The process where the system checks the declared identity against a set of
credentials to confirm authenticity.

Key Concepts of Authentication

1. Authentication Factors:
17
 Something You Know: Information that the user knows, such as passwords,
PINs, or security questions. The most common example of this is our
passwords—no special hardware needed for bio-scans, no additional tools
needed to provide secret codes. This is why it is so important that you create
passwords that are hard to guess. In most situations, your password is the only
piece of information that other people do not know, and the only way for you
to keep your information secure
- Examples: Passwords, PINs, security questions.
- Strengths: Simple to implement and use.
- Weaknesses: Can be guessed, forgotten, or stolen through phishing
attacks.
 Something You Have: Physical items in the user's possession, like smart
cards, tokens, or mobile devices. This has become increasingly popular given
our general unwillingness to detach from our mobile phones. This type of
access control typically takes the form of a one-time token key that you get
from an external source (a key, your email, a text message, or an
authentication app). Traditionally, providing users with the device that
delivers the token key has been the biggest deterrent to wider deployment, but
today with most users having smart devices always available, the something
you have method of authentication is gaining ground.
- Examples: Smart cards, tokens, mobile devices, security keys.
- Strengths: Harder to duplicate than knowledge-based authentication.
- Weaknesses: Can be lost, stolen, or damaged.
 Something You Are: Biological characteristics unique to the user, such as
fingerprints, facial recognition, or iris scans. This tends to be the strongest and
hardest to crack—it’s not easy to replicate an iris scan or duplicate a
fingerprint. However, the technology to deploy this type of authentication is
expensive and does not translate easily to all the ways we access resources.
We are starting to see more adoption of this authentication method (think Face
ID in iPhones), but we are years away from this making serious headway.
- Examples: Fingerprints, facial recognition, iris scans, voice recognition.
- Strengths: Difficult to forge or share.
- Weaknesses: Can be expensive to implement, and biometric data can be
compromised.
 Somewhere You Are: Location-based verification, using GPS data or IP
addresses to confirm the user’s location.
- Examples: Geolocation, IP address.
- Strengths: Adds another layer of security.
- Weaknesses: Location can be spoofed.

18
  Something You Do: Behavioral biometrics, like typing patterns, voice
recognition, or gait analysis.
- Examples: Typing patterns, navigation habits.
- Strengths: Adds a unique layer of security.
- Weaknesses: Requires monitoring and analysis, which can raise privacy
concerns.
2. Single-Factor Authentication (SFA):
 Uses one of the above factors to verify identity.
 Commonly relies on passwords or PINs.
3. Multi-Factor Authentication (MFA):
 Combines two or more authentication factors to enhance security.
 Example: A user enters a password (something they know) and then a code
sent to their phone (something they have).
4. Two-Factor Authentication (2FA):
 A specific type of MFA that uses exactly two factors.
 Example: ATM transactions require a bank card (something you have) and a
PIN (something you know).
5. Biometric Authentication:
 Uses unique biological characteristics for identification.
 Example: Fingerprint scanning, facial recognition, and retina scans.

Authentication Methods
1. Passwords:
 The most common form of authentication.
 Best Practices: Use strong, complex passwords, change them regularly, and
avoid reuse across multiple accounts.
2. Tokens:
 Physical devices that generate or store authentication codes.
 Examples: Hardware tokens, smart cards, and USB keys.
3. One-Time Passwords (OTPs):
 Codes that are valid for a single login session or transaction.
 Can be delivered via SMS, email, or authentication apps.
19
 4. Public Key Infrastructure (PKI):
 Uses pairs of cryptographic keys (public and private) for authentication.
 Commonly used in SSL/TLS for secure communications.
5. Biometric Systems:
 Systems that use physical characteristics for authentication.
 Increasingly common in consumer electronics (e.g., smartphones with
fingerprint or facial recognition).
6. Behavioral Biometrics:
 Analyzes patterns in user behavior for authentication.
 Examples: Typing rhythm, mouse movement patterns, and voice recognition.
Threats to Authentication
1. Password Attacks:
 Brute Force: Trying all possible combinations until the correct one is found.
 Dictionary Attack: Using a list of common passwords to attempt access.
 Phishing: Trick users into revealing their passwords.
2. Man-in-the-Middle (MitM) Attacks:
 Intercepting and potentially altering communication between the user and the
authentication system.
3. Replay Attacks:
 Capturing and reusing valid authentication data to gain unauthorized access.
4. Credential Stuffing:
 Using lists of compromised credentials from one service to gain access to
other services.
5. Biometric Spoofing:
 Creating fake biometric data to fool biometric authentication systems.

Authentication Protocols
1. Kerberos:
 Description: A network authentication protocol that uses secret-key
cryptography to authenticate client-server applications.
 Strengths: Secure and efficient in large, distributed networks.
20
  Weaknesses: Complex to set up and manage.
2. OAuth:
 Description: An open standard for access delegation, commonly used as a
way to grant websites or applications limited access to user information
without exposing passwords.
 Strengths: Widely used for third-party access, reduces the risk of password
exposure.
 Weaknesses: Implementation flaws can lead to security vulnerabilities.
3. SAML (Security Assertion Markup Language):
 Description: An open standard for exchanging authentication and
authorization data between parties, typically an identity provider and a service
provider.
 Strengths: Facilitates single sign-on (SSO), widely used in enterprise
environments.
 Weaknesses: Can be complex to implement and manage.
4. RADIUS (Remote Authentication Dial-In User Service):
 Description: A networking protocol that provides centralized Authentication,
Authorization, and Accounting (AAA) management for users connecting to a
network.
 Strengths: Scalable and widely used in large network environments.
 Weaknesses: Older protocol, less secure than modern alternatives if not
properly configured.

Best Practices for Authentication

1. Use Strong Password Policies:
 Enforce complex passwords and regular updates.
 Implement password managers to help users manage complex passwords.
2. Implement Multi-Factor Authentication (MFA):
 Use MFA wherever possible to add an extra layer of security.
 Ensure that MFA methods are varied and not just multiple knowledge-based
factors.
3. Monitor and Audit Authentication Systems:
 Regularly review authentication logs for suspicious activity.
21
  Conduct periodic audits to ensure compliance with security policies.
4. Educate Users:
 Train users on the importance of secure authentication practices.
 Provide guidance on recognizing phishing attacks and other threats.
5. Regularly Update and Patch Systems:
 Keep authentication systems and software up to date to protect against
vulnerabilities.
 Use automated tools to manage updates and patches.
6. Use Encryption and Secure Channels:
 Encrypt authentication data both in transit and at rest.
 Use secure communication protocols like HTTPS and TLS.

5. ACCESS CONTROL

Access control is a security technique that regulates who or what can view or use resources in
a computing environment. It is a fundamental concept in security that minimizes risk to the
business or organization.

Access control is the process of controlling who does what and ranges from managing
physical access to equipment to dictating who has access to a resource, such as a file, and
what they can do with it, such as read or change the file. Many security vulnerabilities are
created by the improper use of access controls.

To secure a facility, organizations use electronic access control systems that rely on user
credentials, access card readers, auditing and reports to track employee access to restricted
business locations and proprietary areas, such as data centers. Some of these systems
incorporate access control panels to restrict entry to rooms and buildings, as well as alarms
and lockdown capabilities, to prevent unauthorized access or operations.

Access control systems perform identification authentication and authorization of users and
entities by evaluating required login credentials that can include passwords, personal
identification numbers (PINs), biometric scans, security tokens or other authentication
factors. Multifactor authentication (MFA), which requires two or more authentication factors,
is often an important part of a layered defense to protect access control systems.

Components of Access Control

1. Identification: Users provide an identity, such as a username or ID, to access a

system or resource.

22
 2. Authentication: The process of verifying the claimed identity using credentials like
passwords, biometrics, tokens, or certificates.

3. Authorization: Once authenticated, users are granted permissions based on their

roles, responsibilities, or specific access rights.

4. Accounting: Logging and monitoring access activities to track who accessed what
resources and when, aiding in auditing and incident response.

 Why access control is important

The goal of access control is to minimize the security risk of unauthorized access to physical
and logical systems. Access control is a fundamental component of security compliance
programs that ensures security technology and access control policies are in place to protect
confidential information, such as customer data. Most organizations have infrastructure and
procedures that limit access to networks, computer systems, applications, files and sensitive
data, such as personally identifiable information (PII) and intellectual property.

Access control systems are complex and can be challenging to manage in dynamic IT
environments that involve on-premises systems and cloud services. After some high-profile
breaches, technology vendors have shifted away from single sign-on (SSO) systems to
unified access management, which offers access controls for on-premises and cloud
environments.

 How access control works

These security controls work by identifying an individual or entity, verifying that the person
or application is who or what it claims to be, and authorizing the access level and set of
actions associated with the username or Internet Protocol (IP) address. Directory services and
protocols, including Lightweight Directory Access Protocol (LDAP) and Security Assertion
Markup Language (SAML), provide access controls for authenticating and authorizing users
and entities and enabling them to connect to computer resources, such as distributed
applications and web servers.

Organizations use different access control models depending on their compliance

requirements and the security levels of information technology (IT) they are trying to protect.

Types Of Access Control

The main models of access control are the following:

23
1. Mandatory access control (MAC). This is a security model in which access rights
are regulated by a central authority based on multiple levels of security. Often used in
government and military environments, classifications are assigned to system
resources and the operating system (OS) or security kernel. It grants or denies access
to those resource objects based on the information security clearance of the user or
device. For example, Security Enhanced Linux (SELinux) is an implementation of
MAC on the Linux OS.
- Description: A strict hierarchical model where access decisions are based
on security labels assigned to subjects (users or processes) and objects
(resources).
- Examples: SELinux, Bell-LaPadula model.

2. Discretionary access control (DAC). This is an access control method in which

owners or administrators of the protected system, data or resource set the policies
defining who or what is authorized to access the resource. Many of these systems
enable administrators to limit the propagation of access rights. A common criticism of
DAC systems is a lack of centralized control.

- Description: Allows users to control access to resources they own or have

explicit permissions for.
- Examples: Unix file permissions (chmod), Windows access control lists
(ACLs).

3. Role-based access control (RBAC). This is a widely used access control mechanism
that restricts access to computer resources based on individuals or groups with defined
business functions -- e.g., executive level, engineer level 1, etc. -- rather than the
identities of individual users. The role-based security model relies on a complex
structure of role assignments, role authorizations and role permissions developed
using role engineering to regulate employee access to systems. RBAC systems can be
used to enforce MAC and DAC frameworks.

- Description: Assigns permissions based on roles within an organization,

making it easier to manage access for large user groups.
- Examples: Administrator, manager, employee roles with predefined
permissions.

4. Rule-based access control. This is a security model in which the system

administrator defines the rules that govern access to resource objects. Often, these
rules are based on conditions, such as time of day or location. It is not uncommon to
use some form of both rule-based access control and RBAC to enforce access policies
and procedures.

5. Attribute-based access control (ABAC). This is a methodology that manages access

rights by evaluating a set of rules, policies and relationships using the attributes of
users, systems and environmental conditions.

24
 - Description: Makes access decisions based on attributes associated with
users, resources, and environmental conditions.
- Examples: User attributes (department, job title), resource attributes
(sensitivity level), time-based attributes.

Access Control Mechanisms

1. Access Control Lists (ACLs):

 Lists of permissions attached to resources that specify which users or groups

can access them and what actions they can perform.

2. Firewalls:

 Network security devices that filter incoming and outgoing traffic based on
predefined rules, blocking unauthorized access.

3. Authentication Protocols:

 Mechanisms like Kerberos, OAuth, and SAML facilitate secure authentication

and authorization processes.

4. Biometric Access Control:

 Uses physiological or behavioral characteristics like fingerprints, iris scans, or

voice recognition for authentication.

5. Two-Factor Authentication (2FA) / Multi-Factor Authentication (MFA):

 Requires users to provide two or more factors of authentication (e.g., password

+ SMS code, fingerprint + PIN) for added security.

 Implementing Access Control

Access control is a process that is integrated into an organization's IT environment. It can

involve identity management and access management systems. These systems provide access
control software, a user database, and management tools for access control policies, auditing
and enforcement.

When a user is added to an access management system, system administrators use an

automated provisioning system to set up permissions based on access control frameworks,
job responsibilities and workflows.

The best practice of least privilege restricts access to only resources that employees require to
perform their immediate job functions.

25
  Challenges Of Access Control

Many of the challenges of access control stem from the highly distributed nature of modern
IT. It is difficult to keep track of constantly evolving assets as they are spread out both
physically and logically. Some specific examples include the following:

 dynamically managing distributed IT environments;

 password fatigue;

 compliance visibility through consistent reporting;

 centralizing user directories and avoiding application-specific silos; and

 data governance and visibility through consistent reporting.

 Access-Control Problems
Nearly all access controls and security practices can be overcome if the attacker has
physical access to target equipment. For example, no matter what you set a file’s
permissions to, the operating system cannot prevent someone from bypassing the
operating system and reading the data directly off the disk. To protect the machine
and the data it contains, physical access must be restricted and encryption techniques
must be used to protect data from being stolen or corrupted. Access-Control
Problems are listed below:

1. Overprivileged Users:
 Issue: Users being granted excessive permissions beyond what is necessary
for their roles and responsibilities.
 Impact: Increases the risk of unauthorized access and potential misuse of
sensitive data or resources.
 Solution: Implement the principle of least privilege (PoLP) to grant users only
the minimum level of access required to perform their tasks.
2. Underprivileged Users:
 Issue: Users not having sufficient permissions to carry out their job functions
effectively.
 Impact: Decreases productivity and may lead to frustration among users who
require access to certain resources.
 Solution: Regularly review and adjust access permissions based on user roles
and responsibilities to ensure they have appropriate access rights.
3. Ineffective Role-Based Access Control (RBAC):

26
  Issue: Poorly defined roles, inconsistent permissions, or outdated access
control policies.
 Impact: Increases the risk of access control errors, unauthorized access, and
compliance violations.
 Solution: Define clear roles and responsibilities, regularly review and update
RBAC policies, and conduct audits to ensure compliance.
4. Access Creep:
 Issue: Accumulation of unnecessary access permissions over time, often due
to role changes or promotions without proper access reviews.
 Impact: Increases the attack surface, making systems more vulnerable to
insider threats and unauthorized access.
 Solution: Conduct regular access reviews, revoke unused permissions, and
enforce periodic re-certification of access rights.
5. Weak Authentication Mechanisms:
 Issue: Reliance on weak authentication methods, such as simple passwords or
lack of multi-factor authentication (MFA).
 Impact: Increases the risk of credential theft, brute force attacks, and
unauthorized access.
 Solution: Implement strong authentication mechanisms, such as MFA,
biometrics, smart cards, and password policies that require complexity and
regular updates.
6. Insufficient Monitoring and Logging:
 Issue: Lack of comprehensive monitoring and logging of access activities,
including failed login attempts and unauthorized access.
 Impact: Limits visibility into potential security incidents, making it
challenging to detect and respond to unauthorized access attempts.
 Solution: Implement robust logging and monitoring solutions, regularly
review access logs, and set up alerts for suspicious activities.
7. Misconfigured Access Controls:
 Issue: Incorrectly configured access control settings, such as misconfigured
firewall rules or incorrect permissions on files and directories.
 Impact: Creates security gaps and vulnerabilities that can be exploited by
attackers to gain unauthorized access.
 Solution: Conduct regular security assessments, penetration testing, and audits
to identify and remediate misconfigurations in access controls.
27
Best Practices for Access Control
1. Principle of Least Privilege (PoLP):
 Grant users the minimum level of access necessary to perform their job
functions, reducing the risk of unauthorized access or accidental data
exposure.
2. Regular Auditing and Monitoring:
 Monitor access logs and audit trails for suspicious activities, unauthorized
access attempts, and policy violations.
3. Strong Authentication Mechanisms:
 Implement robust authentication methods like MFA, biometrics, and smart
cards to strengthen access control.
4. Access Control Policies:
 Develop and enforce access control policies that define rules, permissions, and
procedures for accessing resources.
5. Employee Training:
 Educate employees on access control best practices, security policies, and the
importance of protecting sensitive information.
6. Continuous Evaluation and Updates:
 Regularly review and update access control configurations, permissions, and
user roles to adapt to changing security requirements and mitigate risks.

28