Untitled Design

Uploaded by

tadessegerema

INFORMATION NETWORK SECURITY ADMINISTRATION
INTRODUCTION

1 Identity and ways to assert identity
2 Authentication and Authorization
3 Single Sign-On
4 Privileged Access Management
5 Authentication method
6 Access Control Schemes
7 Provisioning and Deprovisioning Accounts
8 File System Permission
IDENTITY AND ACCESS MANAGEMENT

Identities are the sets of claims made about a subject.
Identities are typically linked to information about the subject, including details that are important to the use of their identity.
Lost key pairs: lost key pairs can be a major security hassle.
Common ways to assert or claim an identity:
Username
Token
Certificate
SSH key
AUTHENTICATION AND AUTHORIZATION

Definition: Authentication ensures that the subject is who they claim to be and determines who accesses the resources.
Authorization verifies what you have access to. When combined, authentication and authorization first verify who you are, and then allow you to access resources, systems, or other objects based on what you are authorized to use.
The Extensible Authentication Protocol (EAP) is an authentication framework that is commonly used for wireless networks.
Challenge-Handshake Authentication Protocol (CHAP) operates by sending a challenge to the user, who must respond with a hashed value derived from their password.
RADIUS is one of the most common AAA systems for network devices, wireless networks, and other services.
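The CHAP challenge and response described above, written out with both sides' messages as an added example (not code from the original slides). It uses the RFC 1994 MD5 response over identifier, secret and challenge; the shared secret and the challenge bytes are constructed values.

```python
# Added example (not code from the original slides): a CHAP exchange with the
# RFC 1994 MD5 response, MD5(identifier || secret || challenge).
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: hash the one-byte identifier, the shared secret and the challenge.
    The password itself never crosses the wire; only this hash does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator: holds the shared secret and issues a fresh challenge per attempt."""

    def __init__(self, secret: bytes):
        self.secret = secret        # CHAP needs the secret in recoverable form on the server
        self.outstanding = {}       # identifier -> challenge still awaiting a response
        self.next_id = 0

    def challenge(self, length: int = 16) -> tuple:
        """Step 1: server -> client, Challenge packet (identifier, random bytes)."""
        ident = self.next_id % 256
        self.next_id += 1
        chal = os.urandom(length)   # unpredictable, so old responses cannot be reused
        self.outstanding[ident] = chal
        return ident, chal

    def verify(self, identifier: int, response: bytes) -> bool:
        """Step 3: server decides Success/Failure; each challenge is usable once."""
        chal = self.outstanding.pop(identifier, None)
        if chal is None:
            return False            # unknown or already-used identifier
        expected = chap_response(identifier, self.secret, chal)
        return hmac.compare_digest(expected, response)


def run_exchange(secret_on_server: bytes, secret_on_client: bytes) -> bool:
    """Full exchange: Challenge, Response, Success/Failure."""
    server = ChapServer(secret_on_server)
    ident, chal = server.challenge()                         # 1. Challenge
    resp = chap_response(ident, secret_on_client, chal)      # 2. Response
    return server.verify(ident, resp)                        # 3. Success / Failure
```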
SINGLE SIGN-ON

Single sign-on (SSO) systems allow a user to log in with a single identity and then use multiple systems or services without reauthenticating.
Internet-based systems and architectures often rely on a number of core technologies to accomplish authentication and authorization that can also be used for single sign-on. These include the following:

Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization information. It is used between identity providers and service providers for web-based applications.
OpenID is an open standard for decentralized authentication. Microsoft, Amazon, and many other organizations are OpenID identity providers (IdPs).
OAuth is an open standard for authorization used by many websites.
AUTHENTICATION METHOD

Passwords
A password is a string of characters used to verify the identity of a user during the authentication process.

NIST specifically suggests that modern password practices follow a few guidelines:
Reducing password complexity requirements and instead emphasizing length
Not requiring special characters
Allowing ASCII and Unicode characters in passwords
Allowing pasting into password fields to allow password managers to work properly
Monitoring new passwords to ensure that easily compromised passwords are not used
Eliminating password hints

Many services support configuration options for passwords, including:
Length
Complexity
Reuse limitations
Age settings for passwords
Passwordless
Passwordless authentication is common, with authentication relying on something you have (security tokens, one-time password applications, or certificates) or something that you are, like biometric factors.

Multifactor Authentication
Multifactor authentication is becoming broadly available and in fact is increasingly a default option for more security-conscious organizations.

Something you are relies on a physical characteristic of the person who is authenticating themselves. Fingerprints, retina scans, voice prints, and even your typing speed and patterns are all included as options for this type of factor.
Somewhere you are, sometimes called a location factor, is based on your current location. GPS, network location, and other data can be used to ensure that only users who are in the location they should be can authenticate.
ONE-TIME PASSWORDS

A one-time password is usable only once. There are two primary models for generation of one-time passwords:
Time-based one-time passwords (TOTP): if a code is compromised it will be valid for only a relatively short period of time.
HMAC-based one-time passwords (HOTP), built on hash-based message authentication codes: HOTP uses a seed value that both the token or HOTP code-generation application and the validation server use, as well as a moving factor.
Short Message Service (SMS): when a user attempts to authenticate, an SMS message is sent to their phone.
ATTACKING ONE-TIME PASSWORDS

One-time passwords aren't immune to attack, although they can make traditional attacks on accounts that rely on acquiring passwords fail. This means that attackers must use a stolen TOTP password immediately.
Attacks against SMS OTP as well as application-based OTP are on the rise as malicious actors recognize the need to overcome multifactor authentication.
BIOMETRICS

Biometric factors are an example of the "something you are" factor, and they rely on the unique physiology of the user to validate their identity.

Some of the most common biometric technologies include the following:
Retina scanning
Fingerprints
Facial recognition
Voice recognition systems
Vein recognition
Gait analysis

Biometric technologies are assessed based on major measures:
Type I errors, or the false rejection rate (FRR), mean that a legitimate biometric measure was presented and the system rejected it.
Type II errors, measured as the false acceptance rate (FAR), occur when a biometric factor is presented and is accepted when it shouldn't be.
The ROC compares the FRR against the FAR of a system, typically as a graph.
Setting the accuracy of a system to minimize false acceptance while preventing false rejection is an important element in the configuration of biometric systems.
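The FRR/FAR trade-off above, worked through as an added example (not code from the original slides): Type I and Type II rates computed at each decision threshold, which is the data a ROC graph plots, and the threshold where the two rates meet. The match scores are constructed sample values, not output from any real biometric system.

```python
# Added example (not code from the original slides): false rejection rate (FRR, Type I)
# and false acceptance rate (FAR, Type II) of a biometric matcher across decision
# thresholds. The scores below are constructed sample values.

# Matcher similarity scores when the legitimate user presented (genuine attempts)
GENUINE = [0.91, 0.88, 0.85, 0.79, 0.74, 0.70, 0.66, 0.62, 0.57, 0.52]
# Matcher scores when someone else presented (impostor attempts)
IMPOSTOR = [0.61, 0.53, 0.50, 0.47, 0.42, 0.38, 0.35, 0.30, 0.25, 0.20]


def frr(threshold: float, genuine=GENUINE) -> float:
    """Type I error: fraction of legitimate presentations rejected (score below threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(threshold: float, impostor=IMPOSTOR) -> float:
    """Type II error: fraction of impostor presentations accepted (score at or above threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def roc_points(genuine=GENUINE, impostor=IMPOSTOR, steps: int = 20) -> list:
    """(threshold, FRR, FAR) for thresholds 0.00, 0.05, ..., 1.00. Raising the threshold
    lowers FAR but raises FRR; that trade-off is what the ROC graph shows."""
    return [(t / steps, frr(t / steps, genuine), far(t / steps, impostor))
            for t in range(steps + 1)]


def crossover_threshold(genuine=GENUINE, impostor=IMPOSTOR, steps: int = 20) -> float:
    """Threshold where FRR and FAR are closest (the equal error rate point), a usual
    starting point before tuning toward a lower FAR for high-security systems."""
    return min(roc_points(genuine, impostor, steps), key=lambda p: abs(p[1] - p[2]))[0]


if __name__ == "__main__":
    for t, type1, type2 in roc_points():
        print(f"threshold {t:.2f}  FRR {type1:.2f}  FAR {type2:.2f}")
    print("crossover threshold:", crossover_threshold())   # 0.55
```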
Claiming an identity and being authorized to access a system or service requires an account. Accounts contain the information about a user, including things like rights and permissions that are associated with the account.

Account Types
There are many types of accounts, and they can almost all be described as one of a few basic account types:
Privileged or administrative accounts
User accounts
Shared and generic accounts or credentials
Guest accounts
Service accounts associated with applications and services
Provisioning and Deprovisioning Accounts

Two of the most important points in the user account life cycle are when accounts are provisioned, or created, and when they are deprovisioned, or terminated.
When an account is provisioned, it is created and resources, permissions, and other attributes are set for it.
Account creation and identity proofing are commonly done during employee onboarding. Onboarding processes related to account creation include adding employees to groups and ensuring they have the right permissions to accomplish their role.
When an account is terminated, a process known as deprovisioning removes the account, permissions, and related data, files, or other artifacts as required by the organization's processes and procedures.
PRIVILEGED ACCESS MANAGEMENT

Definition: Privileged Access Management (PAM) tools can be used to handle the administrative and privileged accounts you read about earlier in this section. PAM tools focus on ensuring the concept of least privilege.

Specific features of PAM tools:
Just-in-time (JIT) permissions are granted and revoked only when needed; they are removed when the task is completed or a set time period expires.
Password vaulting allows users to access privileged accounts without needing to know a password.
Ephemeral accounts are temporary accounts with limited lifespans. They may be used for guests or when a user needs an account for specific purposes in an organization.
ACCESS CONTROL SCHEMES

Systems also implement access control schemes to determine which users, services, and programs can access various files or other objects that they host.

Common access control schemes:
Mandatory access control (MAC) systems rely on the operating system to enforce control as set by a security policy administrator. In a MAC implementation, users do not have the ability to grant access to files or otherwise change the security policies that are set centrally.
Discretionary access control (DAC) assigns owners for objects like files and directories, and then allows the owner to delegate rights and permissions to those objects as they desire, e.g. Linux file permissions.
Role-based access control (RBAC) systems rely on roles that are then matched with privileges that are assigned to those roles.
Rule-based access control (RBAC) is applied using a set of rules. When an attempt is made to access an object, the rule is checked to see if the access is allowed, e.g. a firewall.
Attribute-based access control (ABAC) is used for enterprise systems that have complex user roles and rights that vary depending on the way and role that users interact with a system.
Filesystem controls determine which accounts, users, groups, or services can perform actions like reading, writing, and executing (running) files. Each operating system has its own set of filesystem permissions and capabilities for control.
Linux filesystem permissions are shown in file listings with the letters drwxrwxrwx, indicating whether a file is a directory, and then displaying user, group, and world (sometimes called other) permissions.
The modify permission allows viewing as well as changing files or folders.
Read and execute does not allow modification or changes but does allow the files to be run, whereas read and write work as you'd expect them to.
Filesystem permissions are an important control layer for systems, and improperly set or insecure permissions are often leveraged by attackers to acquire data and to run applications that they should not be able to.
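The drwxrwxrwx listing format above, decoded as an added example (not code from the original slides): each mode string is split into user, group and other permissions plus its octal form, and constructed `ls -l` lines are audited for the insecure settings the slide warns about (world-writable files and directories, setuid binaries). The listing is constructed sample data, not real system output.

```python
# Added example (not code from the original slides): decode a Linux mode string such as
# drwxrwxrwx into user/group/other permissions plus octal form, then audit constructed
# `ls -l` lines for the insecure settings the slide warns about.

def parse_mode(mode: str) -> dict:
    """Split a 10-character mode string into its type, special bits and permission triplets."""
    if len(mode) != 10:
        raise ValueError(f"not a mode string: {mode!r}")
    kind = {"d": "directory", "-": "file", "l": "symlink"}.get(mode[0], "other")
    info = {"type": kind, "setuid": mode[3] in "sS", "setgid": mode[6] in "sS",
            "sticky": mode[9] in "tT"}
    for who, start in (("user", 1), ("group", 4), ("other", 7)):
        r, w, x = mode[start:start + 3]
        # 's' (setuid/setgid) and 't' (sticky) in the x slot mean execute is also set
        info[who] = {"read": r == "r", "write": w == "w", "execute": x in "xst"}
    return info

def to_octal(mode: str) -> str:
    """Permission part of a mode string in octal, e.g. -rwxr-xr-x -> 755."""
    m = parse_mode(mode)
    return "".join(str(4 * m[w]["read"] + 2 * m[w]["write"] + m[w]["execute"])
                   for w in ("user", "group", "other"))

def findings(mode: str) -> list:
    """Risk findings for one mode string: world-writable objects and setuid/setgid bits."""
    m, out = parse_mode(mode), []
    if m["other"]["write"] and m["type"] == "file":
        out.append("world-writable file")
    if m["other"]["write"] and m["type"] == "directory" and not m["sticky"]:
        out.append("world-writable directory without sticky bit")
    if m["setuid"] or m["setgid"]:
        out.append("setuid/setgid binary: confirm it is expected")
    return out

# Constructed sample listing, not real system output
SAMPLE_LISTING = """\
-rwxr-xr-x 1 root root  4096 Jan  1 12:00 /usr/local/bin/backup.sh
-rw-rw-rw- 1 app  app   1024 Jan  1 12:00 /opt/app/config.ini
drwxrwxrwt 7 root root  4096 Jan  1 12:00 /tmp
drwxrwxrwx 2 app  app   4096 Jan  1 12:00 /opt/app/uploads
-rwsr-xr-x 1 root root 55000 Jan  1 12:00 /usr/bin/passwd
"""

def audit(listing: str) -> dict:
    """Map each path in an `ls -l` style listing to its findings; clean entries are omitted."""
    report = {}
    for line in listing.splitlines():
        fields = line.split(None, 8)       # mode links owner group size month day time name
        if len(fields) == 9 and findings(fields[0]):
            report[fields[8]] = findings(fields[0])
    return report
```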
PRESENTED BY :TADESSE AND HAWWI
