LESSON 5
PRODUCE - This authentication factor depends
ACCESS CONTROL - Access control is the
process through which systems decide when
and how a person can be allowed into an
organization's protected area. Access control is
accomplished by a blend of laws, services, and
technologies. Access controls can be
compulsory, nondiscretionary, or optional.
IDENTIFICATION – is a process through which
unverified entity called supplicant who wants
access to a resource sets out a mark through
which the system recognizes them . Each
supplicant has unique label called ID, which is
used to track one part within the security range.
AUTHENTICATION – is the mechanism by which
a supposed identify of a supplicant is confirmed.
ACCOUNTABILITY – Means that an
authenticated identity can be traced to all
activities on a system whether authorized or
unauthorized. Accountability is most commonly
done by machine reports and database papers ,
and the auditing of these documents . Systems
logs document relevant information, such as
failed attempts to login, and system changes.
SOMETHING A SUPPLICANT KNOWS – This
authentication factor is dependent on what
petitioners knows and call recall – for example,
a password, passphrase, or other special
authentication code such PIN.
SOMETHING A SUPPLICANT HAS – this element
of authentication is based on something which
a supplicant has and can produce when
appropriate. For example, card such as ID cards
or ATM with magnetic strips containing the
digital (and sometimes encrypted) user PIN,
compared to the number of user inputs. The
smart card incorporates a computer chips
capable of checking and validating a variety of
pieces of information rather than just a PIN.
SOMETHING A SUPPLICANT IS OR CAN
on individual features such as fingerprints, palm
prints, hand topography, hand anatomy, or
retina and iris scans, or something that a
supplicant may generate on demand, such as
speech patterns, signatures, or kinetic
measurements on the keyboard. Any of those
apps, collectively known as biometrics.
Logical Access Controls - are methods and
procedures used in computer information
systems to define, authenticate, approve and
assume responsibility. Logical access is often
necessary for remote hardware access, and is
often compared with the term "physical
access". Logical access controls implement
mechanisms for access control of systems,
services, procedures, and information. The
controls may be built into operating systems,
software, add-on security products, or
management systems for database and
telecommunication. Solutions for Logical Access
Control may include Biometrics, Tokens,
Passwords, and Single Sign-on.
Biometric Access Controls - is focused over the
use of some observable human characteristic or
attribute to verify the identity of a potential
user (a supplicant) of the systems. Fingerprint
comparison, Palm print comparison, Hand
geometry, Facial recognition, Retinal print
comparison are useful biometric authentication
tools.
Minutiae - are unique point of reference in
one’s biometric that is stored as image to be
verified upon a requested access. Each single
attempt at access results in a calculation that is
compared to the encoded value to decide if the
consumer is who he or she claims to be. A
concern with this approach is that is changes as
our body develops over time. For authentication
during a transaction, retail stores uses signature
capture. The customer shall sign a digital tab
with a special pen recording the signature. The
signature will stored for future reference, or
compared for validation to a signature on a
database. Voice recognition operates in a
similar manner by recording the user 's initial
voiceprint reciting a word. Later, the
authentication mechanism allows the user to
utter the same phrase when the user tries to
access the device so that the algorithm can
match the actual voiceprint to the stored value.
EFFECTIVENESS OF BIOMETRICS - Biometrics
are assessed using parameters such as; the false
rejection rate, which is the rate of supplicants
who are in fact approved users but who are
denied access; False acceptance rate, which is
the percentage of users who are unauthorized
users but are allowed access; and third, the
crossover error rate, which is the amount at
which the number of false dismissals is equal to
the false acceptances.
Authentication Types:
-Knowledge something you know
-Ownership something you have
-Characteristics | Something unique to you
-Location somewhere you are
-Action something you do/ how you do it
AUTHENTICATING WITH KERBEROS AND
SESAME -Kerberos was named after the Greek
mythology which uses symmetric key
encryption to authorize an individual user with
specific network resources. Kerberos maintains
a data repository that contains system’s private
keys. Network services operate on servers in
the Kerberos network registry, as do the clients
using those services. Such private keys are
referred to the Kerberos program and can check
a host to another
KERBEROS INTERACTING SERVICES
AUTHENTICATION SERVER (AS) - Kerberos
server that authenticates clients and servers
KEY DISTRIBUTION CENTER (KDC) - generates
and issues session keys
KERBEROS TICKET GRANTING SERVICES(TGS) -
provides tickets to clients who request services
KERBEROS IS BASED ON THE LOGIC OF THE
FOLLOWING PRINCIPLES;
1. The KDC is aware of the hidden keys of both
network clients and servers. Through using
these hidden keys, the KDC initially shares
information with the client and the server.
2. By providing temporary session keys for
communication between the client and KDC,
the server and KDC, and the client and server,
Kerberos authenticates a client through a
requested service on a server via TGS.
Communications between the client and the
server are then made using these temporary
session keys.
LESSON 5.2
SECURITY AUDIT - is a comprehensive
assessment of a business's information system
security by evaluating how well it follows a set
of defined requirements. A comprehensive
audit usually reviews the protection of the
physical configuration and environment,
applications, processes of information
processing, and user practices in the system.
Security assessments are also used to assess
regulatory enforcement despite legislation
outlining how information needs to be treated
by organizations.
Security audits assess efficiency of an
information system against a set of criteria. On
the other hand, a vulnerability evaluation
requires a systematic analysis of a whole
information system, searching for possible
security vulnerabilities. Penetration testing is a
secret activity in which a security specialist
attempts a variety of attacks to determine
whether or not a device will survive a malicious
hacker's same types of attacks. Each of the
approaches has inherent strengths, and using
two or more of them in conjunction may be the
most effective approach of all.
SECURITY CYCLE
SECURITY MONITORING FOR COMPUTER
SYSTEMS SECURITY MONITORING FOR
COMPUTER SYSTEMS MAY BE IDENTIFIED
BASED TO THE INFORMATION IT CAPTURES
NAMELY;
1. Real-time Monitoring- this focuses on the
Host IDS, System Integrity Monitoring and Data
Loss Prevention.
2. Non-real-time Monitoring- it checks
application and system logging.
3. Log Activities- this monitor host-based
activities and networks and its devices. With
regards to Log Activities, Event Logs, Access
Logs, Security Logs, Audit Logs are basically
involved.
CRYPTOPOLOGY - is characterized as the
method of having communications inaccessible
to all individuals excluding those who have the
ability to read and interpret it. There are two
portions that is being studied in Cryptology.
First the CRYPTOPGRAPHY that involves the
confidentiality program and its structure itself,
and second CRYPTANALYSIS which is associated
with breaking the above-mentioned system of
anonymity.
CODE - A compilation of knowledge enabling
terms to be transferred to symbols or other
phrases. Banana can be a code for gun.
However, This isn't some kind of cryptography
that can be evaluated. The only means a
message can be decrypted is by having the
terms set and their codes.
PLAINTEXT is the meaning you wish to convey
in a coded form. Plain text is generally written
without spaces in any lower case letter. There
are figures printed out, and the punctuation is
overlooked. It is also referred to as clear.
KEY refers to data that enables us to encode the
plaintext and decode the ciphertext as well.
Monoalphabetic and Polyalphabetic Cipher
Monoalphabetic cipher is a substitution cipher
in which for a given key, the cipher alphabet for
each plain alphabet is fixed throughout the
encryption process. For example, if ‘A’ is
encrypted as ‘D', for any number of occurrences
in that plaintext, ‘A’ will always get encrypted to
‘D’. All of the ciphers above are
monoalphabetic; these ciphers are highly
susceptible to cryptanalysis. Polyalphabetic
Cipher is a substitution cipher in which the
cipher alphabet for the plain alphabet may be
different at different places during the
encryption process.
THE ADDITIVE (OR SHIFT) CIPHER SYSTEM
Increasing plaintext character is substituted in
the Additive Cipher method by another
character whose location in the alphabet is a
certain number of units apart. In reality we
move a certain number of places over each
letter. One of the first additive ciphers was used
by Julius Caesar around 50 B.C. Each letter of
the alphabet was replaced by the third letter
following it. So, ais replaced by D, bis replaced
by E, c is replaced by F, and so on. The problem
comes when we get to x. x is the 24th letter of
the alphabet. If we add 3 to 24, we get 27. So
we go back to the beginning of the alphabet and
replace x with A, y with B, and z with c. So once
we ad, if the number is greater than 26, we
subtract 26 from it. The chart shows each letter
in plaintext and its corresponding letter in
cipher text.