Chapter Overview
Everything you need to know, at a glance
Master Mnemonic (covers ALL topics)
"I Always Authorize Basic People's Silly Actions"
One word per major topic in this chapter:
Identification
Authentication (3 factors)
Authorization & ACLs
Biometrics (CER/FAR/FRR)
Passwords & OTP
SSO & Kerberos
Access Control Models (DAC/MAC/RBAC)
1. Identification: WHO are you claiming to be? (Username)
2. Authentication: PROVE it. (Password, token, fingerprint)
3. Authorization: What are you ALLOWED to do? (Permissions)
Core Concept
Access Control = managing the flow of information between Subjects (active entities that request access) and Objects (passive entities that contain information). The goal: enforce CIA (Confidentiality, Integrity, Availability).
What is Access Control?
Definition: a security technique that regulates who or what can view or use resources. It specifies what users can do, which resources they can access, and what operations they can perform.
3 Authentication Factors (Key Exam Topic)
Something you know: password/PIN
Something you have: token/smart card
Something you are: biometrics
3 Access Control Models (Must Know)
DAC: owner decides (Discretionary)
MAC: labels decide (Mandatory)
RBAC: role decides (Non-Discretionary)
AAA Protocols
RADIUS (UDP; hides only the password attribute), TACACS+ (TCP; obfuscates the whole packet body; true AAA), and Diameter (RADIUS's successor; IETF standard).
Identification, Authentication & Authorization
The three distinct and sequential functions of access control
Remember the order
"I Am Authorized": IAA in sequence
Identification: "I am Alice" (claim)
Authentication: "Here's my proof" (verify)
Authorization: "Here's what Alice can do" (permit)
Flow: Identification (claim your identity: username, ID) -> Authentication (prove your identity: password, token, biometric) -> Authorization (access granted, based on permissions)
Identification
Definition
Identification = establishing the identity of a subject (user, program, process). Uses public information such as a username.
Good Identification Requirements
- Unique: each identifier must map to exactly one subject, otherwise accountability is lost
- Standard naming: a consistent naming scheme should be followed
- Non-descriptive: should NOT reveal the user's position or role (an account named after its privilege level tells an attacker where to aim)
Authentication: The 3 Factors
3 Factors Mnemonic
"Know. Own. Are."
Know: something you KNOW (password, PIN, passphrase)
Own: something you HAVE (token, smart card)
Are: something you ARE (biometrics: fingerprint, iris)
Factor 1: Knowledge (Type 1)
Something you KNOW. Passwords, passphrases, PINs. Most common but weakest: can be guessed, stolen, phished, or shared.
Factor 2: Ownership (Type 2)
Something you HAVE. Tokens, smart cards, key fobs. RSA SecurID is the classic example; it generates OTPs.
Factor 3: Characteristics (Type 3)
Something you ARE. Biometrics: digitized physical features (fingerprint, iris) or behaviors (signature, keystroke).
MFA: Multi-Factor Authentication (Best Practice)
Using 2 or more factors together = strong authentication. Must combine DIFFERENT types (e.g., password + token = Type 1 + Type 2). Two of the same type (e.g., password + security question, both Type 1) = NOT MFA.
Biometrics
Types, error rates, and the Crossover Error Rate (CER)
What is Biometrics?
Verifies identity by analyzing a unique personal attribute or behavior, i.e., what a person IS. The most expensive and most accurate form of authentication, but with user-acceptance challenges.
Physiological (physical):
- Face recognition
- Fingerprint
- Hand geometry
- Iris / retina scan
- DNA
Behavioral (actions):
- Keystroke dynamics
- Signature dynamics
- Voice recognition
Biometric Error Rates โ The Key Exam Concept
Error Types Mnemonic
"Type 1 = Rejects the Right one. Type 2 = Accepts the Wrong one."
Type II (False Acceptance) is the MORE DANGEROUS error: you don't want impostors getting in!
Type I Error: False Rejection Rate (FRR)
Rejects an AUTHORIZED user. Annoying but not dangerous. The matching threshold is set too strict.
Type II Error: False Acceptance Rate (FAR)
Accepts an UNAUTHORIZED user. Very dangerous! The matching threshold is set too lax. The error to AVOID.
CER / EER: Crossover Error Rate (also called Equal Error Rate)
The operating point where FRR = FAR. As the threshold is tightened FRR rises and FAR falls, so no single threshold is "best"; the crossover gives one number for comparing biometric systems: lower CER = more accurate system.
Exam Trap: Which error is worse?
Type II (False Acceptance Rate) is always the more critical error to minimize: accepting an impostor is a security breach. Type I just inconveniences a legitimate user.
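As an added worked example (not part of the original page), the following Python sweeps an acceptance threshold over constructed match scores for two hypothetical sensors and locates each one's crossover point. The score lists, the names SYSTEM_A and SYSTEM_B, and the function names are assumptions made for illustration; the FRR/FAR definitions are the ones given above.

```python
"""Sweep a match-score threshold to find FRR, FAR and the crossover (CER/EER)."""

# Constructed sample data (not from any real sensor): similarity scores in [0, 1].
# "genuine" = an enrolled user presenting their own trait; "impostor" = someone else.
SYSTEM_A = {
    "genuine":  [0.91, 0.88, 0.95, 0.72, 0.84, 0.66, 0.93, 0.79, 0.87, 0.90],
    "impostor": [0.12, 0.35, 0.48, 0.22, 0.61, 0.30, 0.55, 0.18, 0.70, 0.41],
}
# System B's two populations overlap more, so no threshold separates them as cleanly.
SYSTEM_B = {
    "genuine":  [0.80, 0.62, 0.55, 0.90, 0.71, 0.48, 0.85, 0.66, 0.77, 0.59],
    "impostor": [0.20, 0.45, 0.58, 0.33, 0.69, 0.50, 0.40, 0.63, 0.28, 0.74],
}


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) when a score >= threshold is accepted.

    FRR (Type I): genuine users scoring below the threshold are wrongly rejected.
    FAR (Type II): impostors scoring at or above the threshold are wrongly accepted.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover(genuine, impostor):
    """Find the threshold where FRR and FAR are closest; return (threshold, CER).

    Every observed score is a candidate threshold, because the rates only change
    at those points. CER is reported as the mean of the two rates there (they are
    equal when an exact crossover exists).
    """
    best_t, best_cer, best_gap = None, None, None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_t, best_cer, best_gap = t, (frr + far) / 2, gap
    return best_t, best_cer


def more_accurate(systems):
    """Rank systems by CER, best (lowest) first."""
    return sorted(systems, key=lambda name: crossover(**systems[name])[1])


if __name__ == "__main__":
    for t in (0.5, 0.7, 0.9):
        frr, far = error_rates(**SYSTEM_A, threshold=t)
        print(f"System A threshold {t:.2f}: FRR={frr:.2f} FAR={far:.2f}")
    for name, data in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        t, cer = crossover(**data)
        print(f"System {name}: CER={cer:.2f} at threshold {t:.2f}")
    print("Ranking (best first):", more_accurate({"A": SYSTEM_A, "B": SYSTEM_B}))
```

Running it shows the trade-off from the text directly: raising System A's threshold from 0.5 to 0.9 drives FAR to zero but pushes FRR to 60%, and System B's CER (0.30) is three times System A's (0.10), so A is the more accurate sensor regardless of where either is tuned.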
Passwords & One-Time Passwords
Most common auth method, its weaknesses, and OTP solutions
Passwords
The most common authentication mechanism (the username identifies; the password authenticates). Considered a weak mechanism on its own: always enforce strong password protections and complexity requirements.
Password Attack Techniques
Password Attacks Mnemonic
"Every Angry Burglar Digs Social holes"
Electronic monitoring (sniffing)
Access the password file
Brute force attacks
Dictionary attacks
Social engineering
Electronic Monitoring (passive attack)
Sniffing network traffic to capture passwords in transit. Defeated by encrypting the channel (TLS/HTTPS) or by never sending a static password at all (OTP, challenge-response).
Password File Access (file attack)
Gaining access to the stored password file (e.g., /etc/shadow on Linux). Mitigated, not eliminated, by storing only salted, slow hashes (PBKDF2, bcrypt, scrypt, Argon2): the file then holds no passwords, precomputed tables are useless, and every guess must be hashed separately per user.
Brute Force (exhaustive)
Trying every possible combination. Slow, but guaranteed to succeed eventually against any finite keyspace. Defeated by lockout/rate limiting and by passwords long enough to make the search infeasible.
Dictionary Attack (wordlist)
Uses a list of common words and previously leaked passwords. Much faster than brute force. Defeated by passwords that appear in no wordlist (random and long).
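To make the "password file access" and "dictionary attack" points concrete, here is an added Python example (not from the original page). It cracks a constructed set of unsalted SHA-256 hashes with a single precomputed table, then repeats the attack against per-user salted PBKDF2 hashes to show what salting and a slow KDF actually buy. The accounts, wordlist and iteration count are assumptions for illustration.

```python
"""Why 'access the password file' is mitigated (not prevented) by salted, slow hashes."""
import hashlib
import hmac
import os

# Constructed sample data: a tiny wordlist and three accounts. Carol's password is
# a random string that appears in no wordlist; the other two are weak.
WORDLIST = ["123456", "letmein", "qwerty", "correct horse", "dragon", "password123",
            "welcome1", "iloveyou"]
ACCOUNTS = {"alice": "correct horse", "bob": "password123", "carol": "tZ7#pq9!Lm2@"}

# Demo-only iteration count so the script runs in well under a second; production
# deployments use far higher counts (or a memory-hard function such as Argon2/scrypt).
ITERATIONS = 10_000


def unsalted_store(accounts):
    """Legacy style: one plain SHA-256 per password, no salt."""
    return {user: hashlib.sha256(pw.encode()).hexdigest() for user, pw in accounts.items()}


def crack_unsalted(store, wordlist):
    """Hash the wordlist once, then crack every user with a dictionary lookup.

    The table is built once and reused for every stolen hash (and every stolen
    file); this amortisation is what precomputed/rainbow tables industrialise.
    """
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in store.items() if h in table}


def salted_store(accounts, iterations=ITERATIONS):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        store[user] = (salt, iterations, digest)
    return store


def crack_salted(store, wordlist):
    """Dictionary attack on salted hashes: no shared table is possible, so each
    (user, candidate) pair costs a full KDF run. Returns (cracked, kdf_calls)."""
    cracked, kdf_calls = {}, 0
    for user, (salt, iterations, digest) in store.items():
        for w in wordlist:
            kdf_calls += 1
            guess = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations)
            if hmac.compare_digest(guess, digest):
                cracked[user] = w
                break
    return cracked, kdf_calls


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(unsalted_store(ACCOUNTS), WORDLIST))
    cracked, calls = crack_salted(salted_store(ACCOUNTS), WORDLIST)
    print(f"salted: {cracked} after {calls} KDF calls of {ITERATIONS} iterations each")
```

Note what changes and what does not: the weak passwords are cracked in both cases, because salting does nothing against a per-user guess. What the salt removes is the shared lookup table, and what the iteration count adds is a fixed cost per guess, so the attacker's work becomes users x wordlist x iterations instead of one table for everyone.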
One-Time Passwords (OTP)
OTP Advantage
OTPs (dynamic passwords) are not vulnerable to electronic eavesdropping, sniffing, or password guessing the way static passwords are: each value is valid for a single use (or a single time window), so a captured OTP cannot be replayed. Practitioner caveat: an OTP forwarded by a real-time phishing relay is still "used once", so OTPs alone do not stop that attack.
| OTP Type | How it works | Example |
|---|---|---|
| Synchronous (time- or counter-based) | Token and server share a secret and a moving value: the current time window (TOTP) or an event counter (HOTP). No challenge is exchanged; the server checks the current (and adjacent) window. | Google Authenticator (TOTP), RSA SecurID |
| Asynchronous (challenge-based) | Server sends a random challenge value; the user enters it into the token; the token computes the OTP from the challenge; the user sends the OTP back to the server. | Challenge-response tokens |
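The two OTP types above, as an added Python example (not code from the original page): HOTP and TOTP per RFC 4226 / RFC 6238, a server-side verifier that tolerates clock drift but refuses to accept a consumed code again, and a simple challenge-response token. The RFC test secret is real; the challenge-response construction and the class and function names are illustrative assumptions, not a named standard.

```python
"""HOTP/TOTP (synchronous) and a challenge-response (asynchronous) token, with replay rejection."""
import hmac
import struct

# Shared secret used by the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: the low nibble of the last byte selects a 4-byte
    window; mask the sign bit; reduce to the requested number of decimal digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """Counter-based OTP (RFC 4226): HMAC over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """Time-based OTP (RFC 6238): HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits, algorithm)


class TotpVerifier:
    """Server side of a synchronous token. Tolerates +/- `drift` steps of clock skew
    but never accepts a step at or before the last one that succeeded, so a sniffed
    code cannot be replayed even inside its own time window."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self.last_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for step in range(current - self.drift, current + self.drift + 1):
            if step <= self.last_step:
                continue  # already consumed: replay attempt
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                self.last_step = step
                return True
        return False


def challenge_response(secret: bytes, challenge: bytes, digits: int = 8) -> str:
    """Asynchronous token (illustrative scheme, not a named standard): the server
    sends a fresh random challenge, the token answers with a truncated HMAC of it."""
    return _truncate(hmac.new(secret, challenge, "sha1").digest(), digits)


if __name__ == "__main__":
    import secrets
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))                    # 755224
    print("TOTP at t=59, 8 digits:", totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082
    v = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)
    print("first use accepted:", v.verify(code, 59), "| replay accepted:", v.verify(code, 59))
    nonce = secrets.token_bytes(16)
    print("challenge-response:", challenge_response(RFC_TEST_SECRET, nonce))
```

The verifier is where the "used exactly once" property in the text actually lives: the algorithm alone would happily accept the same code twice within its 30-second window, so the server must remember the last accepted step.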
Authorization
Access criteria, key concepts, ACLs, and common pitfalls
Definition
Authorization = determining whether a proven identity has the RIGHT to access requested resources. Based
on level of trust + need to know.
Access Criteria: How Access is Granted
Access Criteria Mnemonic
"Really Good Locations Tend To Work"
Roles: job function (manager, cashier)
Groups: multiple users needing the same access
Location: where the access request comes from (local vs remote)
Time: restrict access to certain hours
Transaction Types: what functions can be performed on data (see table below)
| Criteria | Description | Example |
|---|---|---|
| Roles | Access based on job function | Managers vs. Clerks vs. Cashiers |
| Groups | Multiple users needing the same access | HR Group, IT Group |
| Location | Restrict remote access to sensitive systems | No remote admin to servers |
| Time | Restrict access to certain hours | Database only accessible 8amโ6pm |
| Transaction Types | Control what functions can be run on data | Read-only during audit period |
Critical Authorization Concepts
Authorization Creep (risk)
When employees accumulate permissions over time (role changes, projects, "temporary" grants) without old ones being removed. A major security risk: regularly review each person's entitlements against their current role and revoke what is no longer needed.
Default to Zero (principle)
Start with ZERO access and grant only what is needed. The opposite of "allow by default" (also called default deny or implicit deny). This is the secure baseline principle.
Need to Know (principle)
Users get access ONLY to information they absolutely require for their job duties. Even with a sufficient clearance, they must also have a need to know.
Access Control Lists (ACL) (tool)
A list of the subjects (users) authorized to access a particular object (resource), with the operations each may perform. Bound to the OBJECT: the ACL tells the object who can access it.
Single Sign-On (SSO)
One login for everything: benefits, risks, and technologies
What is SSO?
Single Sign-On allows user credentials to be entered ONE time, granting access to ALL authorized resources across primary and secondary network domains. Often grouped with "reduced sign-on", which strictly means cutting the number of logins rather than reaching exactly one. SSO is the basis of federated identity management systems.
SSO Technologies Mnemonic
"Kerberos Sits Securely, Drawing Diagrams"
Kerberos
SESAME
Security Domains
Directory Services
Dumb Terminals
SSO Cons
Single Point of Compromise: one stolen credential = access to everything
Legacy Interoperability: older systems may not work with SSO software
Implementation Difficulties: unusual systems may not interface well
SSO Pros
Efficient logon: user logs in only once for all authorized systems
Stronger passwords: with one password to remember, users can afford a harder one
Centralized administration: consistent policy application across the org
Key SSO Risk: Single Point of Failure
The biggest downside: one compromised login = attacker accesses ALL of the user's authorized resources. This is the critical exam trade-off for SSO.
Access Control Models
DAC, MAC, and RBAC: know them cold
3 Models Mnemonic
"Decide by: Discretion, Mandatory labels, or Roles"
DAC: owner decides (Discretionary)
MAC: system labels decide (Mandatory)
RBAC: job role decides (Non-Discretionary)
| Model | Full Name | Who Controls Access? | Best Used When | Key Trait |
|---|---|---|---|---|
| DAC | Discretionary AC | The OWNER of the resource decides who can access it | Flexibility needed; small environments | Most flexible, least secure |
| MAC | Mandatory AC | The SYSTEM enforces based on security labels & clearances | Military/government where confidentiality is critical | Most rigid, most secure |
| RBAC | Role-Based AC | Centrally-administered ROLES determine access | Organizations with high staff turnover | Best for orgs โ easy to manage |
DAC (Discretionary): owner controls
The OWNER of the resource decides who gets access, like owning a file and deciding who can read it. Used in most OS file systems (Windows, Linux). Most flexible, but can lead to inconsistent security because every owner sets policy independently.
MAC (Mandatory): system controls
Uses a SECURITY LABELING SYSTEM. Users have clearances; resources have classification labels (Top Secret, Secret, etc.). The system enforces the labels; users, including owners, cannot override them. Used in the military.
RBAC (Role-Based): role controls
Access is determined by JOB ROLE, not individual identity, and is centrally administered. Best for high-turnover organizations: change a person's role and their permissions follow automatically.
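The decision logic behind the three models, plus the access review that catches the "authorization creep" described earlier, as one added Python example (not code from the original page). The object store, the level ordering, the role definitions and the user data are constructed assumptions. The MAC check adds need-to-know compartments on top of the page's level-only description; that is how real MAC lattices are modelled, and it is the part marked as a generalisation in the code.

```python
"""Decision logic for DAC, MAC and RBAC, plus an access review that flags authorization creep."""


class DacStore:
    """Discretionary: every object has an owner, and only the owner hands out rights."""

    def __init__(self):
        self.objects = {}  # name -> {"owner": subject, "acl": {subject: set(rights)}}

    def create(self, owner, name):
        self.objects[name] = {"owner": owner, "acl": {owner: {"read", "write"}}}

    def grant(self, actor, name, grantee, right):
        if actor != self.objects[name]["owner"]:
            raise PermissionError(f"{actor} does not own {name}")
        self.objects[name]["acl"].setdefault(grantee, set()).add(right)

    def check(self, subject, name, right):
        return right in self.objects[name]["acl"].get(subject, set())


# Mandatory: labels are set by the system, not the owner. A subject may read an object
# only if its clearance level dominates the classification AND it holds every
# compartment on the object (need to know). Compartments are a generalisation of the
# page's level-only description (assumed here; standard in real MAC lattices).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def mac_can_read(clearance, subject_compartments, classification, object_compartments):
    return (LEVELS[clearance] >= LEVELS[classification]
            and set(object_compartments) <= set(subject_compartments))


# Role-based: permissions attach to roles; users get whatever their roles carry.
ROLE_PERMS = {
    "cashier": {"pos:sale", "pos:refund"},
    "manager": {"pos:sale", "pos:refund", "pos:void", "reports:read"},
}


def rbac_permissions(roles):
    return set().union(*(ROLE_PERMS[r] for r in roles))


def creep_report(direct_grants, roles):
    """Access review: anything a user actually holds beyond their current roles is creep.
    `direct_grants` is the set of permissions present in the system for that user."""
    return set(direct_grants) - rbac_permissions(roles)


if __name__ == "__main__":
    dac = DacStore()
    dac.create("alice", "report.docx")
    dac.grant("alice", "report.docx", "bob", "read")
    print("DAC bob read:", dac.check("bob", "report.docx", "read"))
    try:
        dac.grant("bob", "report.docx", "carol", "read")  # bob is not the owner
    except PermissionError as e:
        print("DAC:", e)
    print("MAC Secret reads Top Secret:", mac_can_read("Secret", {"CRYPTO"}, "Top Secret", set()))
    print("MAC TS without compartment:", mac_can_read("Top Secret", set(), "Secret", {"CRYPTO"}))
    # Bob was moved from manager to cashier, but his old grants were never removed.
    bobs_actual = {"pos:sale", "pos:refund", "pos:void", "reports:read"}
    print("creep for bob:", creep_report(bobs_actual, {"cashier"}))
```

The contrast the text draws falls out of the code: in DacStore a non-owner's grant is refused but the owner can share with anyone, while mac_can_read never consults an owner at all. The creep report is the periodic review the text calls for, computed as "what the user has" minus "what the user's roles say they should have".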
Access Control Techniques
Rule-based, constrained interfaces, and access control matrix
3 Techniques Mnemonic
"Rules Constrain Matrices"
Rule-Based Access Control
Constrained User Interfaces
Matrix (Access Control Matrix)
Rule-Based AC (firewall = rule-based)
Uses specific rules defining what CAN and CANNOT happen between subject and object. Not necessarily identity-based (a rule like "deny all inbound Telnet" names no user). Classic example: FIREWALLS. Traditionally used in MAC systems.
Constrained User Interfaces (UI restriction)
Restricts user access by hiding or disabling options they're not allowed to use. Three types: menus & shells, database views, physically constrained interfaces (e.g., an ATM keypad).
Access Control Matrix (subject × object table)
A table mapping subjects × objects showing what actions each subject can take on each object. Two views: Capability Table (bound to the subject) and ACL (bound to the object).
Access Control Matrix: The Two Views
| View Type | Bound To | How to Think About It |
|---|---|---|
| Capability Table | SUBJECT (User) | Read along a ROW: shows everything THIS USER can access. "Here are Alice's capabilities." |
| Access Control List (ACL) | OBJECT (Resource) | Read down a COLUMN: shows everyone who can access THIS RESOURCE. "Here's who can access File1." |
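An added Python example (not from the original page) that builds both views from one constructed matrix and shows why the choice matters operationally: ACLs answer "who can reach this object?" in one lookup, capability tables answer "what can this user reach?" in one lookup, and revoking a departing user is cheap in one representation and a full scan in the other. The matrix contents and function names are assumptions for illustration.

```python
"""One access control matrix, two views: capability table (rows) and ACLs (columns)."""
from collections import defaultdict

# Constructed sample matrix: (subject, object) -> rights. Empty cells are simply absent.
MATRIX = {
    ("alice", "file1"): {"read", "write"},
    ("alice", "printer"): {"print"},
    ("bob", "file1"): {"read"},
    ("bob", "file2"): {"read", "write"},
    ("carol", "printer"): {"print"},
}


def capability_table(matrix):
    """Row view, bound to the subject: subject -> {object: rights}."""
    caps = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        caps[subject][obj] = set(rights)
    return dict(caps)


def access_control_lists(matrix):
    """Column view, bound to the object: object -> {subject: rights}."""
    acls = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        acls[obj][subject] = set(rights)
    return dict(acls)


def is_allowed(matrix, subject, obj, right):
    """The reference monitor's question, answered from the matrix itself; either
    view is just a different index over the same cells."""
    return right in matrix.get((subject, obj), set())


def who_can_access(acls, obj):
    """Cheap with ACLs: one lookup answers 'who can touch this resource?'."""
    return set(acls.get(obj, {}))


def revoke_subject_via_caps(caps, subject):
    """Cheap with capabilities: deleting one row removes every right the subject had.
    Returns the number of objects the subject lost access to."""
    return len(caps.pop(subject, {}))


def revoke_subject_via_acls(acls, subject):
    """Expensive with ACLs: every object's list must be scanned for the departing user.
    Returns (objects_scanned, entries_removed) to make the cost visible."""
    removed = 0
    for entries in acls.values():
        if entries.pop(subject, None) is not None:
            removed += 1
    return len(acls), removed


if __name__ == "__main__":
    caps, acls = capability_table(MATRIX), access_control_lists(MATRIX)
    print("Alice's capabilities:", caps["alice"])
    print("ACL for file1:", acls["file1"])
    print("Who can access printer:", who_can_access(acls, "printer"))
    print("Revoke bob (caps): objects lost =", revoke_subject_via_caps(caps, "bob"))
    print("Revoke bob (ACLs): scanned, removed =", revoke_subject_via_acls(acls, "bob"))
```

This is why operating systems store ACLs (the common question is "who may open this file?") while a leaver process has to walk every object, and why capability-style tokens make per-user revocation trivial but "who holds a capability to X?" hard.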
Centralized vs Decentralized Administration
Centralized
- One entity oversees all corporate resource access
- Consistent and uniform method of controlling access rights
- Protocols used: RADIUS, TACACS+, Diameter
Decentralized
- Control given to people closer to the resources
- No consistent control: policy is applied unevenly
- Harder to enforce organization-wide policy
RADIUS, TACACS & Diameter
AAA protocols: know the differences cold
RADIUS vs TACACS+ Key Differences Mnemonic
RADIUS = "Rapid but Partial" · TACACS+ = "Total Armored Control"
RADIUS: UDP, hides the password only, combines auth+authz
TACACS+: TCP, obfuscates everything, separates auth+authz+accounting
| Feature | RADIUS | TACACS+ | Diameter |
|---|---|---|---|
| Full Name | Remote Authentication Dial-In User Service | Terminal Access Controller Access-Control System Plus | Diameter (IETF RFC 3588, superseded by RFC 6733) |
| Transport Protocol | UDP (ports 1812 auth, 1813 accounting; legacy 1645/1646) | TCP (port 49) | TCP or SCTP (port 3868) |
| Encryption | Hides only the User-Password attribute (MD5-based XOR with the shared secret); all other attributes are cleartext | Obfuscates the entire packet body with an MD5 keystream derived from the shared key; the 12-byte header is in clear | None in the base protocol; relies on TLS/DTLS or IPsec for confidentiality |
| AAA | Combines Authentication + Authorization in one exchange | Separates Authentication, Authorization, and Accounting (true AAA) | True AAA, extensible via applications |
| Best For | Simple username/password auth; ISP dial-up; network access (e.g., 802.1X) | Environments needing full security and granular control (device administration) | Modern apps needing extensible AAA |
| Who Uses It | Most ISPs: authenticates customers before internet access | Enterprise networks: Cisco AAA architecture | Mobile networks (3GPP), modern AAA apps |
RADIUS Expanded: R-A-D-I-U-S
Remote Authentication Dial-In User Service: open protocol, client/server architecture, UDP-based, hides only the password. Appropriate for simple accept/deny decisions.
TACACS+ Advantage
TACACS+ separates authentication from authorization so they can be implemented on DIFFERENT security servers. Provides a true AAA architecture and protects the whole packet body: superior to RADIUS for enterprise security, especially administrative access to network devices.
Diameter = RADIUS 2.0
Diameter was built to overcome RADIUS limitations (unreliable UDP transport, small attribute sizes, no mandatory transport security). It's an IETF standard (RFC 3588, replaced by RFC 6733). Applications requiring AAA define extensions on top of the Diameter base protocol.
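What the "Encryption" row above means on the wire, as an added Python example (not from the original page): the RFC 2865 User-Password hiding that RADIUS applies to exactly one attribute, and the RFC 8907 body obfuscation that TACACS+ applies to everything after its header. The shared secrets, the Request Authenticator and the sample TACACS+ body are constructed values; both routines are direct transcriptions of the RFC algorithms.

```python
"""What 'RADIUS hides only the password' and 'TACACS+ obfuscates the whole body' mean on the wire."""
import hashlib
import struct


def radius_hide_password(shared_secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is NUL-padded to a multiple of 16 and XORed, block by block, with an
    MD5 keystream: b1 = MD5(S || RA), b_i = MD5(S || c_{i-1}). Every other attribute in
    the Access-Request (User-Name, NAS-IP-Address, ...) travels in cleartext.
    """
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def radius_reveal_password(shared_secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide_password (what the RADIUS server does). Trailing NUL
    padding is stripped, so the scheme cannot carry a password that ends in a NUL byte."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def tacacs_plus_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 section 4.5 body obfuscation (symmetric: apply again to reverse).

    pad_1 = MD5(session_id || key || version || seq_no)
    pad_n = MD5(session_id || key || version || seq_no || pad_{n-1})
    The 12-byte header (version, type, seq_no, flags, session_id, length) stays in clear;
    because session_id and seq_no feed the pad, identical bodies differ between packets.
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(b ^ k for b, k in zip(body, pad))


if __name__ == "__main__":
    import os
    secret, ra = b"radius-shared-secret", os.urandom(16)
    hidden = radius_hide_password(secret, ra, b"hunter2")
    print("RADIUS hidden User-Password:", hidden.hex())
    print("server recovers:", radius_reveal_password(secret, ra, hidden))
    body = b"\x01\x01\x01\x00\x05\x06\x00\x00admin"  # constructed authentication START body
    obf = tacacs_plus_obfuscate(body, b"tacacs-key", 0x1A2B3C4D, 0xC0, 1)
    print("TACACS+ obfuscated body:", obf.hex())
    print("round-trips:", tacacs_plus_obfuscate(obf, b"tacacs-key", 0x1A2B3C4D, 0xC0, 1) == body)
```

Two practitioner points follow from the code. Neither scheme is encryption in the modern sense: both are MD5-derived keystreams whose security rests entirely on the shared secret, which is why both protocols are normally run over IPsec or (for RADIUS) RadSec/TLS rather than trusted on their own. And RADIUS's protection covers one attribute, so usernames, NAS identifiers and accounting records are readable by anyone who can sniff the path to the server.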
Accountability & Best Practices
Audit trails, monitoring, and access control hygiene
What is Accountability?
Accountability is achieved by recording user, system, and application activities and tying each record to an authenticated identity. Audit information MUST be regularly reviewed. It answers: WHO did WHAT, WHEN?
Audit Review Types Mnemonic
"Even Real Auditors Validate Attacks"
Event-Oriented Audit Review
Real-Time & Near Real-Time Review
Audit Reduction Tools
Variance Detection Tools
Attack Signature Tools
Keystroke Monitoring (monitoring)
Records every keystroke made by a user during an active session. Very effective for detecting malicious insiders. Has privacy implications: it must be disclosed in policy.
Scrubbing (threat to logs)
Removing specific incriminating or unpleasant data from within audit logs. A malicious act performed by someone trying to cover their tracks. Countered by forwarding logs to a central store the user cannot modify (see "Protect audit logs from modification" below).
Access Control Best Practices Checklist
Best Practices Mnemonic
"Don't Ever Suspend Rogue People. Audit Protects"
Deny anonymous account access
Enforce strict access criteria
Suspend inactive accounts
Replace default passwords
Password rotation: enforce it (the exam answer; note that current NIST SP 800-63B guidance drops forced periodic rotation in favor of changing passwords when there is evidence of compromise)
Audit and review regularly
Protect audit logs from modification