COURSE CODE: IT311 – Information Assurance and

Security
Module 5

Week 6-7: September 21-27, 2020 | 1st Semester, S.Y. 2020-2021

Introduction
Technical controls are essential to a well-planned information security
program, particularly to enforce policy for the many IT functions that are not
under direct human control. Networks and computer systems make millions of
COURSE MODULE

decisions every second and operate in ways and at speeds that people
cannot control in real time. Technical control solutions, properly implemented,
can improve an organization’s ability to balance the often conflicting
objectives of making information readily and widely available and of
preserving the information’s confidentiality and integrity. This chapter, along
with Chapters 7 and 8, describes how many of the more common technical
control solutions function, and also explains how they fit into the physical
design of an information security program. Students who want to acquire
expertise on the configuration and maintenance of technology-based
control systems will require additional education and usually specialized
training in these areas.

Intended Learning Outcomes

 Explain what is meant by integrity, confidentiality, and authentication

Topic – Authentication

Access control is the method by which systems determine whether and how
to admit a user into a trusted area of the organization—that is, information
systems, restricted areas such as computer rooms, and the entire physical
location. Access control is achieved by means of a combination of policies,
programs, and technologies. Access controls can be mandatory,
nondiscretionary, or discretionary.
Mandatory access controls (MACs) use data classification schemes; they give
users and data owners limited control over access to information resources. In
a data classification scheme, each collection of information is rated, and
each user is rated to specify the level of information that user may access.
These ratings are often referred to as sensitivity levels, and they indicate the
level of confidentiality the information requires. A variation of this form of
access control is called lattice-based access control, in which users are
assigned a matrix of authorizations for particular areas of access.
 The level of authorization may vary between levels, depending on the
classification authorizations individuals possess for each group of information
or resources. The lattice structure contains subjects and objects, and the
boundaries associated with each pair are demarcated. Lattice-based control
specifies the level of access each subject has to each object. With this type of
control, the column of attributes associated with a particular object (such as a
printer) is referred to as an access control list (ACL). The row of attributes
associated with a particular subject (such as a user) is referred to as a
capabilities table. Nondiscretionary controls are a strictly-enforced version of
MACs that are managed by a central authority in the organization and can be
based on an individual’s role—role-based controls—or a specified set of tasks
COURSE MODULE

(subject- or object-based)—task-based controls. Rolebased controls are tied to

the role a user performs in an organization, and task-based controls are tied to a
particular assignment or responsibility. The role and task controls make it easier
to maintain the controls and restrictions associated with a particular role or task,
especially if the individual performing the role or task changes often. Instead of
constantly assigning and revoking the privileges of individuals who come and go,
the administrator simply assigns the associated access rights to the role or task,
and then whenever individuals are associated with that role or task, they
automatically receive the corresponding access. When their turns are over, they
are removed from the role or task and the access is revoked.

Discretionary access controls (DACs) are implemented at the discretion or option

of the data user. The ability to share resources in a peer-to-peer configuration
allows users to control and possibly provide access to information or resources at
their disposal. The users can allow general, unrestricted access, or they can allow
specific individuals or sets of individuals to access these resources. For example, a
user has a hard drive containing information to be shared with office coworkers.
This user can elect to allow access to specific individuals by providing access, by
name, in the share control function.

Figure 6-1 shows an example of a discretionary access control from a peer-to-

peer network using Microsoft Windows.

In general, all access control approaches rely on as the following mechanisms:

 Identification
 Authentication
 Authorization
 Accountability

Identification

Identification is a mechanism whereby an unverified entity—called a

supplicant—that seeks access to a resource proposes a label by which they are
known to the system. The label applied to the supplicant (or supplied by the
supplicant) is called an identifier (ID), and must be mapped to one and only one
entity within the security domain. Some organizations use composite identifiers,
concatenating elements—department codes, random numbers, or special
characters—to make unique identifiers within the security domain. Other
organizations.
COURSE MODULE

Figure 6-1 Example Discretionary Access Control

generate random IDs to protect the resources from potential attackers.

Most organizations use a single piece of unique information, such as a
complete name or the user’s first initial and surname.

Authentication
Authentication is the process of validating a supplicant’s purported identity.
There are three widely used authentication mechanisms, or authentication
factors:

 Something a supplicant knows

 Something a supplicant has
 Something a supplicant is

Something a Supplicant Knows This factor of authentication relies upon what

the supplicant knows and can recall—for example, a password, passphrase,
or other unique authentication code, such as a personal identification
number (PIN). A password is a private word or combination of characters
that only the user should know. One of the biggest debates in the
information security industry concerns the complexity of passwords. On the
One hand, a password should be difficult to guess, which means it cannot
be a series of letters or a word that is easily associated with the user, such as
the name of the user’s spouse, child, or pet. Nor should a password be a
series of numbers easily associated with the user, such as a phone number,
Social Security number, or birth date. On the other hand, the password
must be something the user can easily remember, which means it should be
short or easily associated withs something the user can remember.

A passphrase is a series of characters, typically longer than a password,

from which a virtual password is derived. For example, while a typical
password might be “23skedoo,” a typical passphrase might be
“MayTheForceBeWithYouAlways,” represented as “MTFBWYA.”
 Something a Supplicant Has This authentication factor relies upon something a
supplicant has and can produce when necessary. One example is dumb cards,
such as ID cards or ATM cards with magnetic stripes containing the digital (and
often encrypted) user PIN, against which the number a user input is compared.
The smart card contains a computer chip that can verify and validate a number
of pieces of information instead of just a PIN. Another common device is the
token, a card or key fob with a computer chip and a liquid crystal display that
shows a computer-generated number used to support remote login
COURSE MODULE

authentication. Tokens are synchronous or asynchronous. Once synchronous

tokens are synchronized with a server, both devices (server and token) use the
same time or a time-based database to generate a number that must be
entered during the user login phase. Asynchronous tokens, which don’t require
that the server and tokens all maintain the same time setting, use a
challenge/response system, in which the server challenges the supplicant
during login with a numerical sequence. The supplicant places this sequence into
the token and receives a response. The prospective user then enters the response
into the system to gain access.

Something a Supplicant Is or Can Produce This authentication factor relies

upon individual characteristics, such as fingerprints, palm prints, hand
topography, hand geometry, or retina and iris scans, or something a supplicant
can produce on demand, such as voice patterns, signatures, or keyboard kinetic
measurements. Some of these characteristics, known collectively as biometrics,
are covered in more depth in Chapter 7. Note: Certain critical logical or physical
areas may require the use of strong authentication— at minimum two different
authentication mechanisms drawn from two different factors of authentication,
most often something you have and something you know. For example, access to
a bank’s ATM services requires a banking card plus a PIN. Such systems are called
two-factor authentication, because two separate mechanisms are used. Strong
authentication requires that at least one of the mechanisms be something other
than what you know.

Authorization

Authorization is the matching of an authenticated entity to a list of information

assets and corresponding access levels. This list is usually an ACL or access control
matrix.

In general, authorization can be handled in one of three ways:

 Authorization for each authenticated user, in which the system performs an

authentication process to verify each entity and then grants access to
resources for only that entity. This quickly becomes a complex and
resource-intensive process in a computer system.
  Authorization for members of a group, in which the system
matches authenticated entities to a list of group
memberships, and then grants access to resources based on
the group’s access rights. This is the most common
authorization method.
 Authorization across multiple systems, in which a central
authentication and authorization system verifies entity
COURSE MODULE
identity and grants it a set of credentials.

Authorization credentials (sometimes called authorization tickets)

are issued by an authenticator and are honoured by many or all
systems within the authentication domain. Sometimes called single
sign-on (SSO) or reduced sign-on, authorization credentials are
becoming more common and are frequently enabled using a
shared directory structure such as the Lightweight
Directory Access Protocol (LDAP).

Accountability

Accountability, also known as auditability, ensures that all actions

on a system—authorized or unauthorized—can be attributed to an
authenticated identity. Accountability is most often accomplished
by means of system logs and database journals, and the auditing
of these records. Systems logs record specific information, such as
failed access attempts and systems modifications. Logs have many
uses, such as intrusion detection, determining the root cause of a
system failure, or simply tracking the use of a particular resource.

Pl
gagagaDSFS
Network to anotheented in packet-filtering fir