security final ch5

Last updated 7:08 PM on 6/5/26
40 Terms

1

Access Control

It is the set of rules and mechanisms a company uses to limit who can get to physical spaces (buildings, server rooms) and electronic resources (files, systems, databases). Think of it as the locks and keys of security.

2

The Three Pillars of Access Control

  • Authentication

  • Authorization

  • Auditing

3

Types of Credentials

  • Knowledge

  • Possession

  • Biometric

  • Behaviour

4

Two-Factor Authentication

Uses two different types of credentials together, e.g. an access card (what you have) + a PIN (what you know). This is called defence in depth: one layer failing doesn't mean total compromise.

5

Limitations of Two-Factor Authentication

Can still be defeated by:

  • a Trojan horse on the user's PC (which intercepts the session after login)

  • a man-in-the-middle attack via a fake website that relays credentials in real time.

6

Types of Access Control

  • Individual Access Control

  • Role-Based Access Control (RBAC)

7

MAC (Mandatory Access Control)

Access rules are set by higher authorities and cannot be changed by departments or individuals. Very strict. Used in military/government environments. Provides the strongest security but is extremely difficult to implement and manage.

8

DAC (Discretionary Access Control)

Departments or individuals can modify the access rules set by higher authorities within certain limits. More flexible and practical for corporate environments, but weaker than MAC.

9

Individual Access Control

Access rules are set for each person's account one by one. Flexible, but becomes unmanageable at scale: every time someone joins or leaves, every rule must be updated manually.

10

Role-Based Access Control (RBAC)

Access rules are assigned to roles (e.g. "Buyer", "Manager", "Engineer").

Then individual accounts are assigned to roles.

Cheaper and less error-prone: change the role, and everyone in it gets updated automatically.

11

Multilevel Security

Resources are rated by sensitivity level. People are given a matching clearance level. The rule is simple: you can only access resources at or below your clearance level.

12

Secure Areas

  • Building Perimeter

13

Building Perimeter

  • Single point of entry (one door in, one door out)

  • No gaps in the building perimeter

  • Reception area must be constantly staffed

14

Entry Controls

15

Delivery & Loading Areas

  • No delivery/pick-up staff allowed inside

  • Incoming shipments must be inspected and logged

  • Outgoing and incoming shipments kept separate

16

Offices & Rooms

  • Locate sensitive areas away from public access

  • Do NOT list them on internal maps or directories

  • Limited access mechanisms (locks, key cards)

17

Environmental Threats

  • No hazardous or combustible material near sensitive areas

  • Back-ups and disaster recovery must be in a different building

18

Working in Secure Areas

  • No cameras or data recording equipment allowed

  • Staff must not be left unsupervised

  • Inspections of people entering and leaving

19

Secure Equipment

  • Equipment Siting

  • Cabling Security

  • Offsite Maintenance

  • Secure Disposal

20

Secure Disposal

  • Remove all sensitive information before disposal or reuse

  • Log all removals

  • Limit time property can be offsite

  • Proper authorisation required

21

Offsite Maintenance

  • Permission required to take equipment offsite

  • All sensitive data removed before leaving

22

Cabling Security

  • Wires underground or inside walls

  • Use conduits if not possible

  • Wiring closets must be locked and monitored

23

Equipment Siting

"Siting" = placing equipment. Minimise who can access it. Protect from water, smoke, vandalism. Have uninterruptible power supplies (UPS) and generators. Test utilities frequently.

24

Other Physical Threats

  • Piggybacking / Tailgating

  • Terrorism Countermeasures

  • CCTV Considerations

  • Dumpster Diving

25

Dumpster Diving

Attackers search trash bins for sensitive info (printed documents, discarded drives). Keep bins inside corporate premises and monitor until officially removed. PC locks and strong login screens also help.

26

CCTV Considerations

  • Tapes wear out, so digital storage is preferred

  • High-resolution cameras: better but expensive + lots of storage

  • Low-resolution: may not be good enough for identifying people

  • Use motion sensing to reduce storage needs

27

Piggybacking / Tailgating

An unauthorised person follows an authorised employee through a secure door. It's psychologically difficult to stop someone who looks like they belong. But it is worth the effort to prevent with policies and training.

28

Terrorism Countermeasures

  • Building setback from the street (blast distance)

  • Armed guards

  • Bullet-proof glass

29

General Password Policies

  • Regularly test the strength of internal passwords

  • Never reuse the same password across multiple sites

  • Use a password manager

  • Enforce password expiry (rotation policies)

  • Disable passwords that are no longer needed

  • No shared passwords (makes auditing impossible)

30

Strong Password Rules

  • At least 8 characters long

  • Contains upper and lower case letters (the change of case NOT at the beginning)

  • Contains a digit (0–9), NOT at the end

  • Contains another keyboard character (e.g. !@#$%), NOT at the end

  • Example of a strong password: tri6#Vial

  • Completely random passwords are best but tend to get written down

31

Biometric Authentication

Authentication using biological measurements: things unique to your body (fingerprint, iris, face) or how you behave (the way you type, your signature, your walk). The goal is to eventually replace reusable passwords.

32

How a Biometric System Works

  • Enrolment scan

  • Key feature extraction

  • Template Storage

33

False Acceptance Rate (FAR)

The percentage of people who are accepted by the system even though they should NOT be. An imposter is let in. This is a security violation.

34

False Rejection Rate (FRR)

The percentage of people who are rejected by the system even though they should be accepted. A legitimate user is locked out. This is an inconvenience.

35

Error

The system makes a mistake even when the subject is NOT trying to cheat it.

36

Deception

The subject is actively trying to fool the system, e.g. using a gelatin copy of someone's fingerprint, or hiding their face from a camera.

37

Verification

The person claims an identity ("I am Ahmed"). The system compares the scan to one template only, the claimed person's. Fast and low false-acceptance risk.

If false acceptance prob = 1/1000 per match → overall FAR = 1/1000 = 0.1%

38

Identification

The person makes no claim. The system compares the scan to every template in the database to find a match. More comparisons = higher false-acceptance risk.

If prob = 1/1000 per match and there are 500 templates → FAR = 500 × 1/1000 = 50%

39

Watch Lists

A subset of identification. The system only compares against a smaller list (e.g. 10 known terrorists). Fewer comparisons than full identification → intermediate false-acceptance risk.

If prob = 1/1000 per match and there are 10 templates in the watch list → FAR = 10 × 1/1000 = 1%

40

fcrackzip

A Kali Linux tool that tries to crack the password of an encrypted zip file. It searches through a wordlist (a file of common passwords), trying each one. The most famous wordlist is rockyou.txt, a list of over 14 million real leaked passwords.