
Page 1: CompTIA IT Fundamentals+ (Exam FC0-U61), Module 5 / Unit 3 / Using Access Controls

Copyright © 2018 CompTIA, Inc. All rights reserved. Screenshots used for illustrative purposes are the property of the software proprietor. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of CompTIA, 3500 Lacey Road, Suite 100, Downers Grove, IL 60515-5439. CompTIA® and the CompTIA logo are registered trademarks of CompTIA, Inc., in the U.S. and other countries. All other product and service names used may be common law or registered trademarks of their respective proprietors.

Page 2

• Distinguish between identification, authentication, authorization, and accounting in access control systems
• Identify different authentication factors and understand their use in providing strong authentication
• List best practices when choosing passwords
• Explain how encryption technologies are used for authentication and access control

Page 3: Access Controls

• Access control system
  o Subjects and objects
  o Access Control List (ACL)
• Identification—creating an account or ID that identifies the user or process on the computer system
• Authentication—proving that a subject is who or what it claims to be when it attempts to access the resource
• Authorization—determining what rights or permissions subjects should have on each resource and enforcing those rights
• Accounting—tracking authorized and unauthorized usage of a resource or use of rights by a subject

Page 4: Least Privilege and Implicit Deny

• Least privilege
  o Assign as few rights and permissions as possible
• Implicit deny
  o Access controls should deny access by default

Page 5: Authorization Access Models

• Discretionary Access Control (DAC)
  o Based on ownership
  o The owner is granted full control over the resource, meaning that he or she can modify its ACL to grant rights to others
• Role-based Access Control (RBAC)
  o A set of organizational roles is defined and users are allocated to those roles
• Mandatory Access Control (MAC)
  o Based on the idea of security clearance levels and labels
  o Subjects are only permitted to access objects at their own clearance level or below
• Rule-based access control
  o Any sort of access control model where access control policies are determined by system-enforced rules rather than by system users

Page 6: Accounting and Non-repudiation

• Accounting
  o Audit trail of how rights have been exercised
  o Backed by a system of logging
• Non-repudiation
  o Principle that a user cannot deny having done something
  o Video
  o Biometrics
  o Signature
  o Receipt
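The following is an added example, not code from the CompTIA deck: a small authorization check that puts the Access Controls, Least Privilege and Implicit Deny, Authorization Access Models and Accounting slides together in one place. The users, roles and file name are constructed for illustration.

```python
# Added example (not from the CompTIA deck): an authorization check built from the
# unit's concepts - subjects, objects, an ACL, implicit deny, least privilege,
# DAC ownership, RBAC roles and an accounting log. Users, roles and file names
# are constructed for illustration.
from dataclasses import dataclass, field
# RBAC: organizational roles are defined and users are allocated to them.
ROLE_MEMBERS = {"finance": {"alice"}, "helpdesk": {"bob"}}

@dataclass
class AclEntry:
    subject: str            # a user name or "role:<role name>"
    permissions: frozenset  # e.g. {"read", "write"}

@dataclass
class Resource:
    name: str
    owner: str                       # DAC: the owner controls the ACL
    acl: list = field(default_factory=list)

AUDIT_LOG = []   # accounting: subject, object, action and outcome of every decision

def subject_names(user):
    """Identities a user acts under: the user name plus each role the user holds."""
    names = {user}
    names.update(f"role:{r}" for r, members in ROLE_MEMBERS.items() if user in members)
    return names

def is_authorized(user, resource, action):
    """Implicit deny: access is granted only by ownership or an explicit ACL entry."""
    granted = user == resource.owner or any(
        entry.subject in subject_names(user) and action in entry.permissions
        for entry in resource.acl)
    AUDIT_LOG.append((user, resource.name, action, "ALLOW" if granted else "DENY"))
    return granted

def grant(actor, resource, subject, permissions):
    """DAC: only the owner may change the ACL; least privilege: grant exactly the
    permissions named, nothing broader."""
    allowed = actor == resource.owner
    if allowed:
        resource.acl.append(AclEntry(subject, frozenset(permissions)))
    AUDIT_LOG.append((actor, resource.name, "modify-acl", "ALLOW" if allowed else "DENY"))
    return allowed

# Constructed scenario: a payroll file owned by alice, with no ACL entries yet.
payroll = Resource("payroll.xlsx", owner="alice")
grant("alice", payroll, "role:finance", {"read", "write"})   # the finance role may edit
grant("alice", payroll, "bob", {"read"})                     # bob personally may only read
grant("bob", payroll, "bob", {"write"})                      # denied: bob is not the owner
```

A user with no matching entry (and no ownership) is denied without any rule saying so, and every decision, including the refused ACL change, lands in the audit log.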

Page 7: User Account Types

• Mandatory logon
  o Ensures that the identity of someone using a computer is validated by the operating system at logon
• Windows default accounts
  o Administrator—in modern Windows versions, disabled in favor of the user created during setup
  o Guest—disabled by default in modern Windows versions
  o A user account created during setup (becomes an administrator)
• Additional user accounts should be configured as standard users, unless there are very good reasons for creating more administrators

Page 8: Group Accounts

• Most user accounts get their privileges from membership of group accounts
• A user account can be a member of multiple group accounts
• Windows default group accounts
  o Administrators—user accounts belonging to this group have complete control over the computer
  o Standard users—this group allows use of Microsoft Store apps and basic configuration of display and input settings, but tasks such as installing software, configuring hardware, or changing system properties are restricted

Page 9: Something You Know Authentication

• Authentication factors—methods of submitting user credentials
• Something You Know
  o Password/passphrase
  o Personal Identification Number (PIN)
  o Pattern lock
  o Personally Identifiable Information (PII) and security questions

Page 10: Something You Have Authentication

• Hardware tokens
  o Smart card or key fob with a digital certificate issued to the user
  o One-time password token generators
• Software tokens
  o Stored on a computer or smartphone rather than on a dedicated security device
  o Cookie

Page 11: Something You Are Authentication

• Biometric recognition systems
• Template scan
  o Fingerprint
  o Iris
  o Retina
  o Facial features
• Confirmation scan
• Privacy considerations
• False positives and false negatives

Page 12: Somewhere You Are Authentication

• Geographic location determined by location services
  o Global Positioning System (GPS)
  o Indoor Positioning System (IPS)
  o GeoIP
• Logical location
  o Subnet or IP address range (or not on an excluded IP address list)
• Continuous authentication and access controls

Page 13: Multifactor and Two-factor Authentication

• Requiring credentials from a combination of factors is stronger than single-factor authentication
• The credentials must come from different factors
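As an added example (not code from the CompTIA deck), this shows what the one-time password token generators on the Something You Have slide actually compute, and how the verifying side checks a code when it is used as the second factor. It follows RFC 4226 (HOTP) and RFC 6238 (TOTP); the only key used is the test key published in those RFCs.

```python
# Added example (not from the CompTIA deck): how a one-time password token
# generator ("something you have") derives its code, following RFC 4226 (HOTP)
# and RFC 6238 (TOTP), and how the verifying side checks it. The secret below
# is the RFCs' published test key, not a real credential.
import hashlib
import hmac
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: truncate HMAC-SHA1(secret, counter) to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP whose counter is the number of 30-second steps since the epoch,
    so the token and the server agree without exchanging any message."""
    return hotp(secret, at_time // step, digits)

def verify_totp(secret: bytes, submitted: str, at_time: int, window: int = 1) -> bool:
    """Verifier side: accept the current step plus or minus `window` steps to
    tolerate clock drift; compare_digest avoids leaking timing information."""
    counter = at_time // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))

RFC_TEST_KEY = b"12345678901234567890"   # shared secret from the RFC test vectors

if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_KEY, now)
    print("code:", code, "accepted:", verify_totp(RFC_TEST_KEY, code, now))
```

The code is useless without the shared secret held by the token, which is why it counts as a different factor from the password it is combined with.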

Page 14: Single Sign-On

• Authenticate once to access multiple services
• Kerberos authentication to Windows domains
• Microsoft account PC sign-in gives access to cloud services too

Page 15: Uses of Encryption

• Protect information even if it is stolen: the thief must possess both the information and the encryption key
• Send data across a public network or channel while protecting confidentiality
• Authenticate sender and receiver to one another
  o Plain text (or clear text)—an unencrypted message
  o Cipher text—an encrypted message
  o Cipher—the process (or algorithm) used to encrypt and decrypt a message
• Cryptographic hashing, symmetric encryption, asymmetric encryption

Page 16: Symmetric Encryption

• Uses the same secret key for encrypting and decrypting
• Fast, but difficult to distribute the key securely
• Used to encode data for storage and network transmission
• Ciphers—3DES, AES, RC (Rivest Cipher), IDEA, Blowfish/Twofish, CAST
• Key size

Page 17: Asymmetric Encryption

• Uses a key pair (public and private)
  o Sender can tell recipients the public key—no need to keep this secret
  o Recipients can use the public key to encrypt a message but NOT to decrypt it again
  o Only the sender can decrypt the message (using the linked private key)
• Only works well on small amounts of data, but solves the problem of key distribution
• Use asymmetric encryption to encrypt a symmetric secret key, then use the symmetric key to encode the larger message
• Only the recipient can decrypt the secret key and therefore the message

Page 18: Public Key Infrastructure (PKI)

• System for authenticating subjects—users and computers—on public networks
• Subjects are issued digital certificates by Certificate Authorities (CAs), which are responsible for verifying the identity of the subject
• A digital certificate contains the subject's public key
• If the client trusts the CA—by installing its root certificate—it can trust the subject's digital certificate
• Can also be used for smart card authentication
• Most asymmetric encryption is based on the RSA cipher

Page 19: Digital Signatures

• Digital certificates are used for authentication and confidentiality
• Digital signatures are used for authentication and integrity
• The private key is used to encrypt a signature while the public key is used to decrypt it

Page 20: Cryptographic Hashes

• Hashing creates a fixed-length string from a variable amount of data
• Cryptographic hash functions are designed with the following properties
  o It is not possible to recover any information about the original data from the hash
  o No two data inputs should create the same hash value (a collision)
• The sender creates a cryptographic hash of a message and encrypts the hash with an asymmetric encryption private key—this is attached to the message as a digital signature
• The recipient can use the public key to decrypt the signature and validate the hash by computing their own hash—this should prove that the sender created the message and that it has not been changed in transit
• Also used for secure password storage
• SHA-1 and SHA-2 (Secure Hash Algorithm) and MD5 (Message Digest) hash algorithms

Page 21: Data States and VPNs

• Data at rest
  o Data in some sort of persistent storage media
  o Encrypt using techniques such as whole disk encryption, mobile device encryption, database encryption, and file- or folder-level encryption
• Data in transit (or data in motion)
  o Data transmitted over a network
  o Can be protected by a transport encryption protocol, such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
• Virtual Private Networks (VPN)

Page 22: Password Cracking

• Intercept network traffic to "sniff" passwords
• Obtain password databases or files
• Use cracking software to recover passwords from password hashes
  o Dictionary approach
  o Brute force approach
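As an added example (not code from the CompTIA deck), this is the "secure password storage" use of hashing from the Cryptographic Hashes slide, written to show why it limits the dictionary and brute-force approaches listed above: each record gets its own random salt and a deliberately slow hash, so a stolen password file cannot be attacked with a precomputed table and every guess costs real work. The record format and sample passwords are constructed for the example.

```python
# Added example (not from the CompTIA deck): secure password storage as the
# Cryptographic Hashes slide mentions, and why it blunts the dictionary and
# brute-force approaches on the Password Cracking slide: a random per-record salt
# and a deliberately slow hash (PBKDF2-HMAC-SHA256). All sample values are constructed.
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # work factor: every guess a cracker makes costs this many rounds

def hash_password(password: str, salt=None) -> str:
    """Returns a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count held in the record and
    compare in constant time; the password itself is never stored."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def salted_records_differ(password: str) -> bool:
    """Two accounts with the same password get different records, so a cracked
    record or a precomputed table of hashes does not expose the other account."""
    return hash_password(password) != hash_password(password)

def unsalted_records_match(password: str) -> bool:
    """Contrast: a fast, unsalted hash (SHA-1 here) gives every account with this
    password the identical value, which is what makes precomputation worthwhile."""
    return hashlib.sha1(password.encode()).hexdigest() == hashlib.sha1(password.encode()).hexdigest()
```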

Page 23: Password Best Practices

• Use long passwords
• Use complexity (entropy)
  o No dictionary words
  o Mix alphanumeric and symbol characters
• Use a phrase that is easy to remember but difficult to guess
• Do not share passwords
• Change the password periodically
• Use a unique password for each account

Page 24: Password Managers/Fillers and Resets

• Policies prevent users from writing down passwords or sharing the same password between sites
• Password fillers store multiple credentials for secure submission to websites
• Password reset mechanisms allow users to self-select a new password

Page 25: Review

• Distinguish between identification, authentication, authorization, and accounting in access control systems
• Identify different authentication factors and understand their use in providing strong authentication
• List best practices when choosing passwords
• Explain how encryption technologies are used for authentication and access control