TECH2400 Week 07 Workshop

This document outlines a workshop on Access Control and Authentication as part of a Cyber Security course, detailing learning outcomes, weekly topics, and key concepts related to access control principles and models. It emphasizes the importance of access control in protecting sensitive data, introduces various authentication mechanisms including multi-factor authentication (MFA), and provides practical activities for implementation. The workshop aims to equip participants with knowledge and skills to analyze and mitigate cyber security vulnerabilities and threats.

Uploaded by Warisha Safdar

TECH2400

Cyber Security

Workshop 7
Access Control & Authentication
COMMONWEALTH OF AUSTRALIA
Copyright Regulations 1969

WARNING

This material has been reproduced and communicated to you by or on behalf of
Kaplan Business School pursuant to Part VB of the Copyright Act 1968 (the Act).

The material in this communication may be subject to copyright under the Act.
Any further reproduction or communication of this material by you may be the
subject of copyright protection under the Act.

Do not remove this notice.


Subject Learning Outcomes
LO1: Explain the terminology associated with cyber security.
LO2: Explain the vulnerabilities and threats pertaining to the IT infrastructure of organisations.
LO3: Analyse risk mitigation strategies that address cyber security vulnerabilities and threats.
LO4: Describe privacy, legal, ethical and security issues and solutions related to the IT infrastructure and use of technologies in organisations.
Weekly Schedule
Week Topic
Week 1 Introduction and Cyber Security Foundations

Week 2 Cyber Threat Landscape

Week 3 Risk Management in Cyber Security

Week 4 Cryptography Basics and Network Fundamentals Review

Week 5 Network Security Fundamentals

Week 6 Study Success Week

Week 7 Access Control and Authentication

Week 8 Ethics and Legal Aspects of Cyber Security

Week 9 Incident Response and Management (Part 1)

Week 10 Incident Response and Management (Part 2)

Week 11 Introduction to Secure Software Development

Week 12 In-Class Assessment


What to expect from this workshop
- Learn the importance of access control in protecting
organisations
- Learn key access control principles
- Understand different access control models
- Explore authentication mechanisms
- Hands-on activity:
o Implement multi-factor authentication (MFA) using
an open-source tool
Access Control
The process of restricting access to resources, ensuring
only authorised users can perform specific actions.

Importance:
- Protects sensitive data and systems from unauthorised
access
- Enforces organisational security policies
- Helps meet compliance requirements (e.g., ISO27001,
GDPR, etc.)
- Reduces the risk of insider threats and external attacks
Access Control Principles
Least Privilege

- Users are given the minimum permissions necessary to perform their tasks
- Reduces the risk of unauthorised access and limits potential damage if an account is compromised
- Example: A user in the finance department should only have access to financial data, not HR data
Access Control Principles
Separation of Duties

- Responsibilities are divided among multiple users to prevent fraud, errors, or misuse
- Ensures that no single user has control over all aspects of a critical process
- Example: One person authorises transactions, while another person is responsible for reviewing them
Access Control Principles
Defense in Depth

- A layered security approach that uses multiple defenses to protect systems and data
- Even if one security measure is bypassed, others will still provide protection
- Example: Firewalls, encryption, and multi-factor authentication work together to secure access
Access Control Models
Access Control Models define the framework for
managing and restricting access to resources based on
defined rules and policies. They govern who can access
specific resources and under what conditions.

The main models are:


- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
- Rule-Based Access Control (RUBAC)
Access Control Models
Discretionary Access Control (DAC)

- Owners define access rules for resources
- Example: A file owner grants read/write access to specific users
- Real-World Scenario: A shared Google Drive folder where the creator assigns permissions
Access Control Models
Mandatory Access Control (MAC)

- Access policies are strictly enforced by a central authority
- Example: Military classification levels (Top Secret, Confidential, etc.)
- Real-World Scenario: A government agency restricting access to classified documents
Access Control Models
Role-Based Access Control (RBAC)

- Access is granted based on roles assigned to users
- Example: Admins have full access, Managers have departmental access, Employees have restricted access to necessary resources
- Real-World Scenario: Admins have full access, Managers have departmental access, Employees have restricted access to necessary resources
Access Control Models
Attribute-Based Access Control (ABAC)

- Access is granted based on attributes (e.g., location, job title, time of day)
- Example: A system only allows access to employees logging in from corporate devices
- Real-World Scenario: A cloud application restricting access based on user location
Access Control Models
Rule-Based Access Control (RUBAC)

- Access is granted based on a set of predefined rules
- Example: A firewall blocking access to certain websites during business hours
- Real-World Scenario: A financial system allowing transactions only within specified hours
Activity: Access Control Models
Scenario 1

A hospital uses a system where doctors, nurses, and administrative staff each have different levels of access to patient records. Doctors can access full medical records, nurses can access specific treatment plans, and administrative staff only access non-sensitive data, like appointment scheduling.

Question: Which model fits best where users are assigned roles that dictate access levels to resources?
Activity: Access Control Models
Scenario 2

In a government agency handling classified information, access to documents is strictly regulated by system-enforced security policies. Only authorised personnel with the correct security clearance can access certain files, regardless of user preferences.

Question: Which model would be best in highly secure environments where access is strictly controlled and not based on user discretion?
Activity: Access Control Models
Scenario 3

A professor allows students to create and share their own lecture notes. Students can decide who has access to their files, whether it's other students, teaching assistants, or faculty members.

Question: Which access control model would work best where users manage their own access to resources?
Activity: Access Control Models
Scenario 4

An online platform automatically blocks access to users trying to log in from suspicious locations or at unusual times, based on predefined rules such as the time of day or IP address location.

Question: Which model is best when access is granted or denied based on specific system-defined rules?
Activity: Access Control Models
Scenario 5

A company has an employee database, and access to records is determined by attributes such as department, job title, and location. A project manager in a different department but the same office can access certain project data, while others cannot, based on a dynamic set of attributes.

Question: Which model works best where access is based on various attributes (like department, job title, etc.) and their relationship to the resource?
Authentication vs Authorisation
While access control models focus on defining who can access what, authentication and authorisation are the mechanisms that make those rules enforceable.

Authentication
- The process of verifying the identity of a user or system
- Analogy: proving who you are at the door before you are let in

Authorisation
- The process of determining what an authenticated user or system is allowed to do (e.g., access, modify, delete)
- Analogy: what are you allowed to do once you're inside?
Authentication Mechanisms
Authentication mechanisms verify a user's identity before
granting access to a system or resource.

1) Passwords
o A secret combination of characters that a user
must enter to prove their identity
o Example: Logging into an email account using a
username and password
o Benefits: Simple, widely used, easy to implement
o Disadvantages: Can be weak, easily guessed,
and vulnerable to attacks (e.g., phishing, brute
force)
Authentication Mechanisms
2) Tokens
o A physical or digital item that generates or stores
authentication data
o Example: A one-time password (OTP) sent via
SMS or generated by an authenticator app
o Benefits: More secure than passwords alone,
prevents access if a password is stolen, time-
limited for added security
o Disadvantages: Physical tokens can get lost,
SMS-based tokens can be intercepted, requires an
additional device or software
Authentication Mechanisms
3) Biometrics
o Authentication based on unique biological traits,
such as fingerprints, facial recognition, or iris scans
o Example: Unlocking a smartphone using a
fingerprint
o Benefits: Unique to individuals, eliminates the
need for passwords, fast and convenient
o Disadvantages: Can be spoofed, biometric data
cannot be changed if compromised, privacy
concerns regarding storage and misuse
Multi-Factor Authentication (MFA)
A security mechanism that requires users to verify their identity using two or more authentication factors from different categories.

This reduces the risk of unauthorised access, even if one factor is compromised.

Benefits:
- Enhances security
- Reduces reliance on passwords
- Mitigates phishing and credential theft attacks
- Improves compliance with security regulations
Multi-Factor Authentication (MFA)
Combine at least two of these factors for MFA implementation

Factor                                     Examples
Something you KNOW                         Passwords, PINs
Something you HAVE                         Smart cards, tokens
Something you ARE                          Biometrics
Something you DO (behavioural biometrics)  Typing speed, mouse movements, touchscreen gestures
MFA Examples
You want to log into your online banking account.

Step 1 (Something you KNOW): You enter your username & password
Step 2 (Something you HAVE): You receive an OTP on your phone and enter it

Question:
What could happen if your password was stolen? How does MFA help?
MFA Examples
You need to access sensitive company data remotely.

Step 1 (Something you HAVE): You plug in your company-issued smart card
Step 2 (Something you ARE): You complete a fingerprint scan to verify your identity

Question:
Why would a smart card alone not be enough for security?
MFA Examples
You want to approve a payment on your phone using a banking application.

Step 1 (Something you ARE): You unlock your phone using facial recognition
Step 2 (Something you DO): The application detects your usual typing speed and pattern before allowing the transaction

Question:
What makes behavioural biometrics different from traditional authentication?
MFA Examples
You work in a government agency handling classified data. To enter your office, you must go through multiple authentication steps.

Step 1 (Something you KNOW): You enter a PIN code at the entrance
Step 2 (Something you HAVE): You scan your employee badge at the security checkpoint
Step 3 (Something you ARE): A fingerprint scan verifies your identity before unlocking the door

Question:
Why do organisations implement a third authentication factor despite the added time and resource costs?
MFA Examples
You are a software developer who needs to log into your company's system from home securely.

Step 1 (Something you KNOW): You enter your username & password
Step 2 (Something you HAVE): You use an authenticator app to generate an OTP
Step 3 (Something you DO): Your laptop checks your typing pattern to confirm it is really you

Question:
What are some drawbacks of using typing biometrics as an authentication factor?
MFA Implementation
MFA can be integrated into applications via authentication tools that provide multiple verification steps.

Typically implemented through identity and access management (IAM) platforms, authentication APIs, or built-in security features of existing software.

Popular Tools for MFA Implementation:

Open Source:
- Authelia
- Keycloak
- PrivacyIDEA
- FreeIPA

Non-Open Source:
- Microsoft Azure Active Directory (AAD)
- Okta
- Duo Security
- Auth0
Auth0
- A cloud-based identity and access management platform
- Provides authentication, authorisation, and MFA capabilities

Key Features & Benefits
- Simple integration with web, mobile, and API applications
- Supports SMS, email, time-based one-time password (TOTP), web authentication (WebAuthn)
- Customisable UI for seamless user experience
- Free development tier available
Activity: MFA Implementation
Implement MFA using Auth0 and test logging in with MFA enabled.

Step 1: Set up your free Auth0 account
1) Go to https://auth0.com/ and sign up for an account
2) Select Personal as account type
3) Click Next
Activity: MFA Implementation
Step 2: Create an application
1) From the Auth0 sidebar, go to Applications > Applications
2) Click on Create Application
3) Enter a name (e.g., MFA Demo App)
4) Choose Regular Web Applications and click Create
Activity: MFA Implementation
Step 3: Enable Multi-Factor Authentication
1) From the sidebar, go to Security > Multi-factor Auth
2) Under "Factors", enable One-Time Password and Email
3) Scroll down and select Always require MFA for testing purposes
4) Click Save
Activity: MFA Implementation
Step 4: Create a test user
1) Go to User Management > Users
2) Click Create User
3) Enter details
   o Connection: Username-Password-Authentication
   o Your email address
   o A password
4) Click Create
Activity: MFA Implementation
Step 5: Test the Login Flow
1) Navigate to Authentication > Database
2) Click on the Username-Password-Authentication database
3) Click on Try Connection
4) Enter the login credentials you entered in Step 4
5) Click Continue
You will be prompted to set up your MFA using your preferred authenticator app
6) Scan the QR code to enrol in your authenticator app
7) Then, use the app to get the current one-time code
8) Enter it into the Auth0 login
9) Click Continue
If the test is successful, you will see a confirmation page
Access Enforcement
Once authenticated, access control systems enforce authorisation decisions to ensure users can only access permitted resources.

- Access Control Lists (ACLs): Define which users or systems can access specific resources and perform actions (read, write, delete).
- Permission Checking: Verifies if the authenticated user has permission to access the requested resource. Access is granted or denied accordingly.
- Role/Attribute Validation: Compares the authenticated user's role or attributes with the resource's access control policies to make a decision.
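As an added example (not from the workshop), the three enforcement checks above combined into one deny-by-default decision function, using constructed data for Scenario 1 (hospital roles, RBAC), Scenario 3 (owner-managed ACL, DAC) and the corporate-device condition from the ABAC slide; all user names, roles and permissions are assumptions.

```python
from dataclasses import dataclass, field

# Constructed role table for the hospital scenario (Scenario 1):
# permissions are "<resource kind>:<action>".
ROLE_PERMISSIONS = {
    "doctor": {"medical_record:read", "medical_record:write",
               "treatment_plan:read", "treatment_plan:write", "appointment:read"},
    "nurse": {"treatment_plan:read", "appointment:read"},
    "admin_staff": {"appointment:read", "appointment:write"},
}


@dataclass
class User:
    name: str
    roles: set          # RBAC: roles assigned to the authenticated user
    attributes: dict    # ABAC: e.g. {"device": "corporate"}


@dataclass
class Resource:
    kind: str
    acl: dict = field(default_factory=dict)     # DAC: owner-maintained, user -> allowed actions
    policy: dict = field(default_factory=dict)  # ABAC: attribute values the requester must hold


def decide(user: User, resource: Resource, action: str) -> tuple:
    """Authorisation decision for an already-authenticated user.
    Deny by default; returns (allowed, reason) so every decision can be logged."""
    # 1) ACL: an explicit owner-granted entry for this user and action
    acl_ok = action in resource.acl.get(user.name, set())
    # 2) Permission checking through the user's roles
    needed = f"{resource.kind}:{action}"
    rbac_ok = any(needed in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)
    if not (acl_ok or rbac_ok):
        return False, f"deny: no ACL entry or role grants {needed}"
    # 3) Attribute validation: every condition in the resource policy must hold
    for attr, wanted in resource.policy.items():
        if user.attributes.get(attr) != wanted:
            return False, f"deny: {attr}={user.attributes.get(attr)!r}, policy requires {wanted!r}"
    return True, f"allow: {'acl' if acl_ok else 'role'} grant, attributes satisfied"


# Constructed sample subjects and objects
DR_LEE = User("dr_lee", {"doctor"}, {"device": "corporate"})
DR_LEE_HOME = User("dr_lee", {"doctor"}, {"device": "personal"})
NURSE_KIM = User("nurse_kim", {"nurse"}, {"device": "corporate"})
BOB = User("bob", set(), {"device": "personal"})
RECORD = Resource("medical_record", policy={"device": "corporate"})  # corporate devices only
NOTES = Resource("lecture_notes", acl={"bob": {"read"}})             # Scenario 3: owner shared with bob

if __name__ == "__main__":
    for who, what, act in [(DR_LEE, RECORD, "read"), (NURSE_KIM, RECORD, "read"),
                           (DR_LEE_HOME, RECORD, "read"), (BOB, NOTES, "read"), (BOB, NOTES, "write")]:
        print(f"{who.name} {act} {what.kind} -> {decide(who, what, act)[1]}")
```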
Next Week

Week 8: Legal Aspects of Cyber Security

- Professional ethics
- Cyber security laws and regulations
- Data privacy and protection regulations
- Compliance and reporting
- Ethical hacking, and its legal and ethical
boundaries
