Copyright © 2018 CompTIA, Inc. All rights reserved. Screenshots used for illustrative purposes are the property of the software proprietor. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed inany form or by any means, or stored in a database or retrieval system, without the prior written permission CompTIA, 3500 Lacey Road, Suite 100, Downers Grove, IL 60515-5439. CompTIA® and the CompTIA logo are registered trademarks of CompTIA, Inc., in
the U.S. and other countries. All other product and service names used may be common law or registered trademarks of their respective proprietors.
Module 5 / Unit 3 / Using Access Controls
CompTIA IT Fundamentals+(Exam FC0-U61)
CompTIA IT Fundamentals+2
•Distinguish between identification, authentication,
authorization, and accounting in access control systems
• Identify different authentication factors and understand their
use in providing strong authentication
• List best practices when choosing passwords
• Explain how encryption technologies are used for
authentication and access control
• Access control system
o Subjects and objects
o Access Control List (ACL)
• Identification—creating an account or ID that identifies the user or process on the computer system
• Authentication—proving that a subject is who or what it claims to be when it attempts to access the resource
• Authorization—determining what rights or permissions subjects should have on each resource and enforcing those rights
• Accounting—tracking authorized and unauthorized usage of a resource or use of rights by a subject
Access Controls
CompTIA IT Fundamentals+3
•Least privilege
oAssign as few rights and permission as possible
•Implicit deny
oAccess controls should deny access by default
Least Privilege and Implicit Deny
CompTIA IT Fundamentals+4
• Discretionary Access Control (DAC)
o Based on ownership
o Owner is granted full control over the resource, meaning that he or she can modify its ACL to grant rights to others
• Role-based Access Control (RBAC)
o A set of organizational roles are defined and users allocated to those roles
• Mandatory Access Control (MAC)
o Based on the idea of security clearance levels and labels
o Subjects are only permitted to access objects at their own clearance level or below
• Rule-based access control
o Any sort of access control model where access control policies are determined by system-enforced rules rather than system users
Authorization Access Models
CompTIA IT Fundamentals+5
•Accounting
oAudit trail of how rights have been exercised
oBacked by system of logging
•Non-repudiation
oPrinciple that a user cannot deny having done something
oVideo
oBiometrics
oSignature
oReceipt
Accounting and Non-repudiation
CompTIA IT Fundamentals+6
• Ensures that the identity of someone using a computer is validated by the operating system at log on
• Mandatory logon
• Windows default accounts
o Administrator—in modern Windows versions, disabled in favor of the user created during setup
o Guest—disabled by default in modern Windows versions
o A user account created during setup (becomes an administrator)
• Additional user accounts should be configured as standard users, unless there are very good reasons for creating more administrators
User Account Types
CompTIA IT Fundamentals+7
•Most user accounts get their privileges from membership of group accounts
•A user account can be a member of multiple group accounts
•Windows default group accounts
oAdministrators—user accounts belonging to this group have complete control over the computer
oStandard users—this group allows use of Microsoft Store apps and basic configuration of display and input settings, but tasks such as installing software, configuring hardware, or changing system properties are restricted
Group Accounts
CompTIA IT Fundamentals+8
•Authentication factors—methods of submitting user credentials
•Something You Know
oPassword/passphrase
oPersonal Identification Number (PIN)
oPattern lock
oPersonally Identifiable Information (PII) and security questions
Something You Know Authentication
CompTIA IT Fundamentals+9
Something You Have Authentication•Hardware tokens
oSmart card or key fob with digital certificate issued to user
oOne-time password token generators
•Software tokens
oStored on a computer or smartphone rather than a dedicated security device
oCookieCompTIA IT Fundamentals+
10
Something You Are Authentication• Biometric recognition systems
• Template scan
o Fingerprint
o Iris
o Retina
o Facial features
• Confirmation scan
• Privacy considerations
• False positives and false negatives
CompTIA IT Fundamentals+11
Somewhere You Are Authentication• Geographic location determined
by location services
o Global Positioning System (GPS)
o Indoor Positioning System (IPS)
o GeoIP
• Logical location
o Subnet or IP address range (or not on an excluded IP address list)
• Continuous authentication and access controls
CompTIA IT Fundamentals+12
•Requiring credentials from a combination of
factors is stronger than single-factor
•Must be different factors
Multifactor and Two-factor Authentication
CompTIA IT Fundamentals+13
Single Sign-On•Authenticate once to access multiple services
•Kerberos authentication to Windows domains
•Microsoft account PC sign-in gives access to cloud services too
CompTIA IT Fundamentals+14
•Protect information even if it is stolen - thief must possess the information and the encryption key
•Send data across a public network or channel while protecting confidentiality
•Authenticate sender and receiver to one another
oPlain text (or clear text)—this is an unencrypted message.
oCipher text—an encrypted message.
oCipher—this is the process (or algorithm) used to encrypt and decrypt a message.
•Cryptographic hashing, symmetric encryption, asymmetric encryption
Uses of Encryption
CompTIA IT Fundamentals+15
•Uses the same secret key for encrypting and decrypting
•Fast but difficult to distribute the key securely
•Used to encode data for storage and network transmission
•Ciphers—3DES, AES, RC (Rivest Cipher), IDEA, Blowfish/Twofish, CAST
•Key size
Symmetric Encryption
CompTIA IT Fundamentals+16
•Uses a key pair (public and private)
o Sender can tell recipients the public key—no need to keep this secret
o Recipients can use public key to encrypt a message but NOT to decrypt it again
o Only the sender can decrypt the message (using the linked private key)
•Only works well on small amounts of data but solves the problem of key distribution
•Use asymmetric encryption to encrypt a symmetric secret key and use the symmetric key to encode the larger message
•Only the recipient can decrypt the secret key and therefore the message
Asymmetric Encryption
CompTIA IT Fundamentals+17
• System for authenticating subjects—users and computers—on public networks
• Subjects are issued digital certificates by Certificate Authorities (CA), which are responsible for verifying the identity of the subject
• Digital certificate contains the subject’s public key
• If client trusts the CA—by installing its root certificate—it can trust the subject’s digital certificate
• Can also be used for smart card authentication
• Most asymmetric encryption is based on the RSA cipher
Public Key Infrastructure (PKI)
CompTIA IT Fundamentals+18
•Digital certificates are used for authentication and
confidentiality
•Digital signatures are used for authentication and
integrity
•The private key is used to encrypt a signature
while the public key is used to decrypt it
Digital Signatures
CompTIA IT Fundamentals+19
• Hashing creates a fixed length string from a variable amount of data
• Cryptographic hash functions are designed with the following properties
o It is not possible to recover any information about the original data from the hash
o No two data inputs create the same hash value (a collision)
• Sender creates a cryptographic hash of a message and encrypts the hash with an asymmetric encryption private key—this is attached to the message as a digital signature
• Recipient can use the public key to decrypt the signature and validate the hash by performing their own hash—should prove that the recipient created the message and that it has not been changed in transit
• Also used for secure password storage
• SHA-1 and SHA-2 (Secure Hash Algorithm) and MD5 (Message Digest) ciphers
Cryptographic Hashes
CompTIA IT Fundamentals+20
•Data at rest
oData in some sort of persistent storage media
oEncrypt using techniques such as whole disk encryption, mobile device encryption, database encryption, and file- or folder-level encryption
•Data in transit (or data in motion)
oData is transmitted over a network
oData can be protected by a transport encryption protocol, such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
•Virtual Private Networks (VPN)
Data States and VPNs
CompTIA IT Fundamentals+21
• Intercept network traffic to “sniff” passwords
• Obtain password databases or files
• Use cracking software to decrypt password hashes
o Dictionary approach
o Brute force approach
Password Cracking
CompTIA IT Fundamentals+22
•Use long passwords
•Use complexity (entropy)
oNo dictionary words
oMix alphanumeric and symbol characters
•Use a phrase that is easy to remember but difficult to guess
•Do not share passwords
•Change the password periodically
•Use a unique password for each account
Password Best Practices
CompTIA IT Fundamentals+23
Password Managers/Fillers and Resets• Policies prevent users from
writing down passwords or sharing the same password between sites
• Password fillers store multiple credentials for secure submission to websites
• Password reset mechanisms allow users to self-select a new password
CompTIA IT Fundamentals+24
ReviewImage by Wavebreak Media © 123rf.com
• Distinguish between identification, authentication, authorization, and accounting in access control systems
• Identify different authentication factors and understand their use in providing strong authentication
• List best practices when choosing passwords
• Explain how encryption technologies are used for authentication and access control
CompTIA IT Fundamentals+25
Top Related