Enterprise Information Security: System Access Concepts - Authentication & Authorization, Exams of Advanced Education

This document delves into the fundamental concepts of system access security, focusing on authentication and authorization. It explores various authentication factors, including knowledge, possession, and inherence, and provides examples of each. The document also discusses the vulnerabilities of passwords, including common attack strategies and countermeasures. It highlights the importance of strong password policies and the use of salt to enhance security. Additionally, it examines password cracking techniques and emphasizes the need for robust password management practices.

Typology: Exams

2024/2025

Available from 12/30/2024

solution-master

ITM 825 Enterprise Information Security
Toronto Metropolitan University
ITM 825 - Lecture 07
Dr. Atty Mashatan


Authorization

Password-based

A widely used line of defense against intruders is a password system. Virtually all multiuser systems, network-based servers, web-based ecommerce sites, and other similar services require that a user provide not only a name or identifier (ID) but also a password. The ID provides security in the following ways:

  • The ID determines whether the user is authorized to gain access to a system
  • The ID determines the privileges accorded to the user
  • The ID is used in what is referred to as discretionary access control (by listing the IDs of the other users, a user may grant permission to them to read files owned by that user)
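As an added example (not code from the lecture), the three roles of the ID listed above modelled in Python: system access, privileges, and discretionary read grants kept per file. The account names, privileges and file path are constructed.

```python
# Constructed sample data: user ID -> (allowed to log in?, set of privileges)
ACCOUNTS = {
    "alice": (True, {"user"}),
    "bob":   (True, {"user", "operator"}),
    "carol": (False, {"user"}),   # disabled account: the ID is not authorized
}

# Constructed sample data: path -> owner and the IDs the owner has listed as readers
FILES = {
    "/home/alice/report.txt": {"owner": "alice", "readers": set()},
}


def can_log_in(user_id):
    """Role 1: the ID decides whether the user may gain access to the system."""
    return ACCOUNTS.get(user_id, (False, set()))[0]


def has_privilege(user_id, privilege):
    """Role 2: the ID determines the privileges accorded to the user."""
    return can_log_in(user_id) and privilege in ACCOUNTS[user_id][1]


def grant_read(owner_id, path, grantee_id):
    """Role 3 (discretionary access control): only the file's owner may list
    another known ID as permitted to read the file. Returns True if granted."""
    entry = FILES.get(path)
    if entry is None or entry["owner"] != owner_id or grantee_id not in ACCOUNTS:
        return False
    entry["readers"].add(grantee_id)
    return True


def can_read(user_id, path):
    """A read is allowed only for an enabled ID that owns the file or is listed."""
    entry = FILES.get(path)
    if entry is None or not can_log_in(user_id):
        return False
    return user_id == entry["owner"] or user_id in entry["readers"]
```

Note that a disabled ID stays denied even after the owner lists it: the grant is discretionary, but system access is checked first.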

  • Password guessing against a single user
    • An attacker may attempt to gain knowledge about an account holder and system password policies and use that knowledge to guess the user’s password
    • Countermeasures include training in and enforcement of password policies that make passwords difficult to guess. Such policies address the secrecy, minimum length of the password, character set, prohibition against using well-known user identifiers, and length of time before the password must be changed
  • Workstation hijacking
    • In this type of attack, an attacker waits until a logged-in workstation is physically unattended
    • The standard countermeasure is automatically logging out the workstation after a period of inactivity. Intrusion detection schemes are used to detect changes in user behavior
  • Exploiting user mistakes
    • If the system assigns a password, then the user is more likely to write it down because it is difficult to remember. This situation creates the potential for an adversary to read the written password. A user may intentionally share a password to enable a colleague to share files, for example. Also, attackers are frequently successful in obtaining passwords by using social engineering tactics that trick the user or an account manager into revealing a password. Many computer systems are shipped with preconfigured passwords for system administrators. Unless these preconfigured passwords are changed, they are easily guessed
    • Countermeasures include user training, intrusion detection, and simpler passwords combined with another authentication mechanism

Password Vulnerability

Despite many security vulnerabilities, passwords remain the most commonly used user authentication technique. Reasons for the persistent popularity of passwords are:

  • Techniques that utilize client-side hardware, such as fingerprint scanners and smart card readers, require the implementation of the appropriate user authentication software to exploit this hardware on both the client and server systems
  • Physical tokens, such as smart cards, are expensive and/or inconvenient to carry around, especially if multiple tokens are needed
  • Schemes that rely on a single sign-on to multiple services create a single point of security risk
  • Automated password managers that relieve users of the burden of knowing and entering passwords have poor support for roaming and synchronization across multiple client platforms, and their usability has not been adequately researched

Salt

Figure 10.4 UNIX Password Scheme. (a) Loading a new password: a selected salt and the password are fed to a slow hash function, and the user ID, salt, and resulting hash code are loaded into the password file. (b) Verifying a password: the user ID selects the salt and stored hash code from the password file; the supplied password is run through the same slow hash function with that salt, and the result is compared with the stored hash code.
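The two halves of Figure 10.4 as an added Python example (not the lecture's or any real system's code), with PBKDF2 standing in for the "slow hash function" and the password policy countermeasure from the guessing section applied when a password is loaded. The password file is an in-memory dictionary, and the user IDs, passwords and cost parameters are constructed for illustration.

```python
import hashlib
import hmac
import os

# The password file of Figure 10.4, one row per user: user ID -> (salt, hash code)
PASSWORD_FILE = {}
SALT_BYTES = 16
ITERATIONS = 100_000   # cost of the slow hash; raise it as hardware gets faster


def slow_hash(password, salt):
    """Slow hash function: PBKDF2-HMAC-SHA256 over password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def policy_ok(user_id, password, min_length=12):
    """Policy from the text: minimum length and no well-known identifier inside."""
    return len(password) >= min_length and user_id.lower() not in password.lower()


def load_password(user_id, password):
    """(a) Loading a new password: fresh random salt, slow hash, store both."""
    if not user_id or not policy_ok(user_id, password):
        return False
    salt = os.urandom(SALT_BYTES)
    PASSWORD_FILE[user_id] = (salt, slow_hash(password, salt))
    return True


def verify_password(user_id, password):
    """(b) Verifying a password: select salt and hash code by user ID, re-hash
    the supplied password with that salt, compare in constant time."""
    row = PASSWORD_FILE.get(user_id)
    if row is None:
        slow_hash(password, bytes(SALT_BYTES))   # same cost whether the ID exists
        return False
    salt, stored = row
    return hmac.compare_digest(stored, slow_hash(password, salt))


def same_password_different_hash(user_a, user_b):
    """What the salt buys: two users with one password still get different rows."""
    return PASSWORD_FILE[user_a][1] != PASSWORD_FILE[user_b][1]
```

Because the salt is stored in the clear beside the hash code, it adds no secrecy; its purpose is that a single precomputed table cannot be checked against every row of the file at once.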