Welcome to “Security Threats: Access Control, Authorization, and Authentication.” After watching this video, you will be able to: define each authentication factor, explain how digital accounting is used, and identify the four methods of non-repudiation.

There are three processes involved in logging in to a network or account:

Access control: limiting or granting access to different areas based on user status.
Authorization: giving permission to access a computer, network, app, or account.
Authentication: proving it’s you with a password or other credentials.

Access control prevents unauthorized viewing, modification, or copying of data. IT staff use access control to restrict what users can do, which resources they can access, and which functions they are allowed to perform. Access is granted using the rule of least privilege: a user is granted access only to the resources they need to fulfil their role.

Role-based access control (RBAC) follows a company’s org chart. Different customer and employee roles are set up as groups on a network, and those groups are granted certain permissions. When a new user joins the network, they are assigned to the group that fits their role, which gives them the lowest level of permissions they need to do their job.

Authorization is when you have permission to access a location or perform an action. Before you can access an account or system, you need authorization. To maintain data security, access control must be set up before any authorization is granted, and authorization must be set up for your user account before you are able to log in. Once you are authorized, you can then use authentication to log in.

Authentication is the act of confirming the identity of a user. It involves two steps: entering the correct login information and confirming that it is really you.

Authentication factors used to confirm identity include:

Something you know: a username, password, PIN, or answers to security questions.
Something you have: a mobile device, security key, or security badge.
Something you are: biometrics such as facial recognition or a fingerprint, iris, or voice scan.

Authentication methods include single-factor (SFA), two-factor (2FA), multi-factor (MFA), and single sign-on (SSO). SSO lets you log in to multiple applications and platforms with one login. 2FA and MFA are the most secure ways to log in because they require at least two authentication factors.

Access control sets boundaries, authorization gives access, and authentication confirms identity. In the security field, it’s important to find the right balance between the three A’s:

Strictly applying role-based permission groups won’t secure data if those groups all have the same authorization levels. The same is true if groups have properly set permissions but administrators do not apply them properly.
Using strong passwords and MFA won’t secure data if all groups have the same permissions. The same problem exists if groups have properly set permissions but passwords are weak.
Using strong passwords and MFA won’t secure data if all users are assigned to the same group. The same problem exists if administrators assign users to the proper groups but passwords are weak.

Best practice requires strong authentication, strong authorization, and strong access control.

Digital accounting is used in troubleshooting, security analysis, forensics, and hacking.

Logs: Most software and systems generate audit logs. Audit logs capture log file events, which can show who did what and how the system behaved.
Tracking: Websites can track your OS, browser version, installed extensions, screen resolution, installed fonts, time zone, language, how long you spent on a site, and what you did there.
Cookies: A cookie is code used to track, personalize, and save information about your browsing session. Cookies can also be used to ban you from a website if you’ve violated any of its conditions of use.
Browsing history: A list of recently visited websites. Anyone with access to your device can see which sites you visited. Attackers use browsing history to learn where they might impersonate their victims, and companies use it to see which sites you visit on your work computer.

Non-repudiation is when you can’t deny being in a specific location. It guarantees that a message sent between two parties is genuine, like a digital signature. It includes:

Video: Clear recordings of a person entering, leaving, or occupying a space.
Biometrics: Fingerprint or iris scans can confirm whether a person physically accessed a device, network, or area.
Signature: When a signature is used in conjunction with a hardware token, it becomes a digital signature, which authenticates the signer.
Receipt: A digital receipt proves that a message was sent from one party to another.

In this video, you learned that: role-based access control (RBAC) uses network groups with different permission levels; the methods of authentication are single-factor, two-factor, and multi-factor; authentication factors are something you know, something you have, something you are, and somewhere you are; logs, tracking, cookies, and browsing history are used to troubleshoot and to uncover user activity on devices; and non-repudiation uses video, biometrics, signature, and receipt.
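As an added example that is not part of the video, here is a small Python model of the three A’s and digital accounting described above: role groups that carry only least-privilege permissions (access control), a per-user role assignment checked before an action (authorization), a two-factor login using a password plus a hardware-token response (authentication), and an audit log of every decision (accounting). The role names, permissions, and user data are constructed for the example, and modelling the token as answering a server nonce with an HMAC is an assumption, not something the video specifies.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Access control: each role (group) carries only the permissions that job needs
# (least privilege). Role and permission names are constructed for this example.
ROLE_PERMISSIONS = {
    "helpdesk": {"tickets:read", "tickets:write"},
    "finance": {"invoices:read", "invoices:approve"},
    "auditor": {"tickets:read", "invoices:read", "logs:read"},
}
AUDIT_LOG = []  # digital accounting: timestamped record of who did what, and the outcome

def _log(event, user, detail):
    AUDIT_LOG.append((datetime.now(timezone.utc).isoformat(), event, user, detail))

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def token_response(token_secret, nonce):
    """Assumed 'something you have': the user's token answers a server nonce with an HMAC."""
    return hmac.new(token_secret, nonce, "sha256").digest()

class Directory:
    def __init__(self):
        self.users = {}  # name -> salted password hash, token secret, and role set

    def add_user(self, name, password, token_secret, roles):
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": _hash_password(password, salt),
                            "token_secret": token_secret, "roles": set(roles)}

    def authenticate(self, name, password, nonce, response):
        """Two-factor check: something you know (password) plus something you have (token)."""
        user = self.users.get(name)
        if user is None:
            _log("auth_fail", name, "unknown user")
            return False
        know_ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])
        have_ok = hmac.compare_digest(token_response(user["token_secret"], nonce), response)
        _log("auth_ok" if know_ok and have_ok else "auth_fail", name, "2fa")
        return know_ok and have_ok

    def is_authorized(self, name, permission):
        """Authorization: allowed only if one of the user's role groups grants the permission."""
        roles = self.users.get(name, {}).get("roles", set())
        allowed = any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)
        _log("authz_allow" if allowed else "authz_deny", name, permission)
        return allowed
```

A helpdesk user who logs in correctly still gets an "authz_deny" entry when asking for a finance permission, which is the balance between the three A’s the video describes: strong authentication does not substitute for correct group assignment.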