Mutual authentication: Here both the server and client computers authenticate each other. This type of authentication is more secure than one-way authentication, where only the client is authenticated.
Multifactor authentication: Here two or more authentication methods are combined to grant access to a resource. Usually, it pairs a password with biometric authentication.
Biometric authentication: Biometric authentication uses measurable physical attributes of a human being, such as a signature or fingerprint. Because it depends on a physical characteristic, it is not something that can be remembered or forgotten. Biometric authentication is usually very secure, though not widely used due to cost constraints. Biometrics is the ability to measure physical characteristics of a human, such as fingerprints or speech; the measured values are then used for authentication. A few of the measurable quantities are given below:
Fingerprint: Scans a fingerprint and matches it against a securely stored value.
Voiceprint: Identifies a person by measuring speech pattern.
Iris profile: Identifies a person by the pattern of the iris of the eye.
Signature: Matches an individual’s signature with the stored value.
CHAP: It is an authentication type that uses a three-way handshake. The passwords are transmitted in encrypted form, ensuring security. Compare this with PAP, which transmits passwords in clear text.
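The three-way handshake described above, as an added Python example that is not part of the original notes: the authenticator sends a random challenge, the peer answers with MD5(identifier || secret || challenge) as in RFC 1994, and the authenticator compares. Only that hash crosses the link; the shared secret is a constructed value for the example.

```python
import hashlib
import hmac
import os

# Constructed shared secret; in practice it is provisioned out of band and
# never crosses the link.
SHARED_SECRET = b"correct horse battery staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP/MD5 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues a fresh challenge and checks the peer's response."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}  # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        chal = os.urandom(16)               # step 1: random, single-use challenge
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)   # consumed, so a replay finds nothing
        if chal is None:
            return False
        expected = chap_response(identifier, self.secret, chal)
        return hmac.compare_digest(expected, response)  # step 3: success or failure


def peer_respond(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side (step 2): only this hash goes on the wire, never the secret."""
    return chap_response(identifier, secret, challenge)


def demo() -> dict:
    server = Authenticator(SHARED_SECRET)
    chal = server.challenge(1)
    resp = peer_respond(1, SHARED_SECRET, chal)
    ok = server.verify(1, resp)              # genuine peer succeeds
    replay = server.verify(1, resp)          # the same response replayed fails
    chal2 = server.challenge(2)
    wrong = server.verify(2, peer_respond(2, b"wrong password", chal2))
    return {"ok": ok, "replay": replay, "wrong_secret": wrong}
```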
Least privilege: Least privilege is a technical control. It specifies that individuals or processes are granted only those rights and permissions needed to perform their assigned tasks or functions. Rights and permissions are commonly assigned on servers, but rarely on mobile devices such as tablets and smartphones.
5.3 Implement appropriate security controls when performing account management
Mitigates issues associated with users with multiple accounts/roles
An administrator needs two accounts: a standard account with the normal privileges every other employee has, which should be used for everyday work, and an administrative account configured with only the special privileges needed to perform the assigned administrative functions, which should not be used for regular work.
This forces the user to employ the correct account for the task at hand. It also limits the amount of time the administrative account is in use and prevents it from being used where administrative access is a risk, for example when browsing the internet, opening email or doing general file transfers.
For users with multiple roles, each role should have its own administrative account. This means a user may have a single standard account and one or more administrative accounts, which puts an extra burden on the user to keep the credentials distinct. Multifactor authentication improves security and prevents a single password from being reused across every account.
Account policy enforcement: Passwords should be strong: eight or more characters drawn from at least three of the character types (uppercase letters, lowercase letters, numerals and keyboard symbols), and not containing common words, the user's real name, username or email address. These requirements can be enforced through account policy.
Password Complexity: The password policy sets requirements for minimum password length, maximum password age, minimum password age, password history retention and some form of complexity. A password is considered strong if it has eight or more characters from at least three of the character types (uppercase letters, lowercase letters, numerals and keyboard symbols) and does not contain common words, the user's real name, username or email address.
Expiration: Passwords should automatically expire after a fixed period, forcing the user to change them. Commonly this period is 90 days.
Recovery: A password recovery option is bad for security. When a password is forgotten it should be changed, because the ability to recover a password requires that the password storage mechanism be reversible.
Length: Password length is an important factor in password strength. A 7-character password can be cracked within a few hours, an 8 to 9 character password within days to weeks. Passwords of 10 or more characters are tough to crack.
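The complexity rules listed above (length, three of four character classes, no common words or personal identifiers), as an added Python policy check that is not part of the original notes; the denylist and the sample user are constructed for the example.

```python
import re

# Constructed denylist for the example; a real policy uses a large dictionary.
COMMON_WORDS = sorted({"password", "welcome", "letmein", "qwerty", "admin", "summer"})

CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "numeral":   re.compile(r"[0-9]"),
    "symbol":    re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password: str, username: str, real_name: str, email: str,
                   min_length: int = 8, min_classes: int = 3) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    present = [name for name, rx in CLASSES.items() if rx.search(password)]
    if len(present) < min_classes:
        problems.append(f"only {len(present)} character class(es), need {min_classes}")
    lowered = password.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains common word '{word}'")
    # Personal identifiers: username, each part of the real name, e-mail local part.
    identifiers = {username} | set(real_name.split()) | {email.split("@")[0]}
    for ident in sorted(identifiers):
        if len(ident) >= 3 and ident.lower() in lowered:
            problems.append(f"contains personal identifier '{ident}'")
    return problems


def demo() -> dict:
    user = dict(username="jsmith", real_name="John Smith", email="john.smith@example.com")
    return {
        "weak": check_password("password1", **user),      # too few classes, common word
        "short": check_password("Ab1!", **user),          # all classes but too short
        "personal": check_password("Smith2024!", **user), # contains the real name
        "strong": check_password("T7r#bluefence!", **user),
    }
```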
Disablement: Disablement, or account expiration, is an often unused feature that automatically disables a user account at a specific time on a specific day. It can be used for temporary workers or interns whose employment ends on a known date. Such accounts can be re-enabled and given a new expiration date.
Lockout: If a user tries to log in with the wrong password, the account is locked after a set number of failed attempts. This is typically set to 3 to 5 failed attempts in 15 minutes. Only an administrator can unlock the account.
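The lockout rule above as an added Python example, not from the original notes: failures are counted in a sliding 15-minute window, the fifth one locks the account, a correct password is refused while locked, and only an administrator clears the lock. The timestamps and account names are constructed.

```python
from collections import deque


class LockoutPolicy:
    """Counts failed logins per account in a sliding window; locks when the threshold is hit."""

    def __init__(self, threshold=5, window=15 * 60):
        # Defaults follow the policy above: 5 failures within 15 minutes (in seconds).
        self.threshold, self.window = threshold, window
        self.failures = {}      # account -> deque of failure timestamps (seconds)
        self.locked = set()

    def record_failure(self, account, now) -> bool:
        """Register one failed attempt at time `now`; return True if the account is now locked."""
        q = self.failures.setdefault(account, deque())
        while q and now - q[0] > self.window:   # forget failures older than the window
            q.popleft()
        q.append(now)
        if len(q) >= self.threshold:
            self.locked.add(account)
        return account in self.locked

    def admin_unlock(self, account):
        """Only an administrator clears the lock; the failure history resets with it."""
        self.locked.discard(account)
        self.failures.pop(account, None)


def attempt_login(policy, account, password_ok, now) -> str:
    """Outcome of one login attempt: 'locked', 'ok' or 'denied'."""
    if account in policy.locked:
        return "locked"                     # refuse even a correct password while locked
    if password_ok:
        policy.failures.pop(account, None)  # a success clears the failure history
        return "ok"
    return "locked" if policy.record_failure(account, now) else "denied"


def demo() -> dict:
    p = LockoutPolicy()
    # Constructed timeline (seconds). alice: five failures 15 min apart never give five in one window.
    spread = [attempt_login(p, "alice", False, t) for t in (0, 900, 1800, 2700, 3600)]
    # bob: five wrong passwords in under a minute lock the account on the fifth.
    burst = [attempt_login(p, "bob", False, t) for t in (5000, 5010, 5020, 5030, 5040)]
    while_locked = attempt_login(p, "bob", True, 5050)
    p.admin_unlock("bob")
    after_unlock = attempt_login(p, "bob", True, 5060)
    return {"spread": spread, "burst": burst,
            "while_locked": while_locked, "after_unlock": after_unlock}
```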
Group Based Privileges: The assignment of privileges, or access to a resource, to all members of a group collectively. This grants every member of the group the same level of access to a specific object. Group-based privileges are common in many operating systems, including Linux and Windows. Each object has three sets of permissions: those for the owner, those for the owner's group, and those for other users. When using group privileges, it is important to consider whether they violate the principle of least privilege.
6.1 Summarize general cryptography concepts
Non-repudiation: Non-repudiation ensures that neither the sender nor the receiver can deny having sent or received a message. For example, you receive an email from your prospective employer; if that email is unsigned, the employer could later deny having sent it. Non-repudiation prevents the sender from denying transmission and the receiver from denying reception.
Digital Signatures and Encryption
Digital signature ensures that the sender cannot repudiate having sent the message at a future date.
Encryption ensures that the message cannot be read by anyone who does not have the matching key to decode it.
Hashing ensures that the message is not tampered with during transit or storage. Note that hashing does not necessarily encode or encrypt a message.
Secret-key encryption: Secret-key encryption is also known as single-key or symmetric encryption. It involves the use of a single key that is shared by both the sender and the receiver of the message. Typically, the sender encrypts the message with the key and transmits it to the recipient, who decrypts it with a copy of the same key. The disadvantages of symmetric encryption compared with asymmetric encryption are given below:
Inability to support non-repudiation: Since both the sender and receiver use the same key, it is difficult to determine who the sender was, should a dispute arise.
Impractical for web commerce: Imagine thousands of customers buying goods and services over the Internet. If symmetric encryption is used, one unique key needs to be established for each user. It is therefore impractical.
Another major difficulty is the transmission of the private key. With symmetric encryption, the key needs to be transmitted to the other party for decryption, which may pose a security risk.
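An added Python example, not from the original notes, for two points above: hashing detects tampering but hides nothing and names no sender, and a shared-key tag (HMAC) cannot give non-repudiation because the receiver holds the same key. The message and key are constructed for the example.

```python
import hashlib
import hmac

# Constructed job offer and a key shared by employer and candidate (example data).
MESSAGE = b"Offer: salary 90000, start date 2024-09-01"
SHARED_KEY = b"key-shared-by-employer-and-candidate"


def digest(msg: bytes) -> str:
    """Plain hash: detects modification but neither hides the text nor identifies the sender."""
    return hashlib.sha256(msg).hexdigest()


def tag(key: bytes, msg: bytes) -> str:
    """Keyed hash (HMAC): verifies only under the same shared key."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key: bytes, msg: bytes, t: str) -> bool:
    return hmac.compare_digest(tag(key, msg), t)


def demo() -> dict:
    original_digest = digest(MESSAGE)
    tampered = MESSAGE.replace(b"90000", b"99000")
    # Integrity: the stored digest no longer matches the altered message.
    tamper_detected = digest(tampered) != original_digest
    # But whoever altered the message can recompute the hash, so a bare hash only
    # protects integrity if the digest itself travels over a trusted channel.
    forged_package = (tampered, digest(tampered))     # attacker ships message + fresh hash
    recomputed_looks_valid = digest(forged_package[0]) == forged_package[1]
    # Authenticity with a shared key: the tag verifies under the right key only.
    t = tag(SHARED_KEY, MESSAGE)
    authentic = verify(SHARED_KEY, MESSAGE, t)
    wrong_key = verify(b"some-other-key", MESSAGE, t)
    # No non-repudiation: the receiver holds the same key and can produce a valid
    # tag for a message the sender never wrote, so a tag proves nothing to a third party.
    receiver_can_forge = verify(SHARED_KEY, tampered, tag(SHARED_KEY, tampered))
    return {"tamper_detected": tamper_detected,
            "recomputed_looks_valid": recomputed_looks_valid,
            "authentic": authentic, "wrong_key": wrong_key,
            "receiver_can_forge": receiver_can_forge}
```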