
Authentication & Access:

Multi-Factor Authentication (MFA)

Multi-factor authentication requires two or more of the following methods to validate a user's identity:

  • Something you know: This often refers to something memorized, like a PIN or password.
  • Something you have: This can be a physical or digital token. Examples include a smart card, a security token, or a trusted device, like your smartphone with an authentication app.
  • Something you are: These are biometrics. Examples include fingerprints, retina scans, or voice recognition.

Rights, permissions, and privileges are allocated to users based on their established identity. If a user possesses rights to a resource, they are provided authorization to use or access it.

Authentication (AuthN) vs. Authorization (AuthZ)

  • AuthN (Authentication):
    • Definition: The process of verifying a user's identity, proving that they are who they claim to be.
    • Example: Logging into an email account with a username and password.
  • AuthZ (Authorization):
    • Definition: The process that comes after authentication. It determines the permissions or rights an authenticated user has, dictating what they can and cannot do within a system.
    • Example: Once logged into the email account (after authentication), a user might have the authorization to read, send, or delete emails.
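The two-factor login below is an added example (not code from the original notes) showing the AuthN step with a "something you know" factor (a PBKDF2 password hash) and a "something you have" factor (a TOTP code as produced by an authenticator app, per RFC 4226/6238). The user store, salt, and password are constructed; the TOTP seed is the RFC 6238 reference secret, so the codes match the RFC test vectors. The function returns only the verified identity; what that identity may then do is the separate AuthZ decision.

```python
import hashlib
import hmac
import struct

PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash of the 'something you know' factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed demo user store. A real store would draw a fresh
# os.urandom(16) salt per user; the fixed salt here keeps the example deterministic.
DEMO_SALT = b"constructed-demo-salt"
USERS = {
    "alice": {
        "salt": DEMO_SALT,
        "password_hash": hash_password("correct horse battery staple", DEMO_SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 reference secret
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then dynamic truncation to a 31-bit value, then the last `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods elapsed."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Accept the current time step and +/- `window` steps of clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), candidate)
        for drift in range(-window, window + 1)
    )


def verify_password(user: dict, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, user["salt"]), user["password_hash"])


def authenticate(username: str, password: str, otp_code: str, unix_time: int):
    """Return the authenticated identity, or None if either factor fails.
    Both factors are evaluated before deciding, so a bad password does not
    short-circuit and reveal which factor was wrong."""
    user = USERS.get(username)
    if user is None:
        return None
    password_ok = verify_password(user, password)
    otp_ok = verify_totp(user["totp_secret"], otp_code, unix_time)
    return username if password_ok and otp_ok else None


if __name__ == "__main__":
    # At unix time 59 the RFC 6238 vector for this secret is 287082 (6 digits).
    print(authenticate("alice", "correct horse battery staple", "287082", 59))
```

The drift window is the usual operational trade-off: a window of 1 tolerates up to 30 seconds of clock skew on the phone, but it also means three codes are valid at any moment instead of one, so rate-limiting attempts matters.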

Cryptosystems in Authentication

Authentication can be facilitated through various cryptographic methods:
  • Symmetric Cryptosystems: Both parties (e.g., sender and receiver) use the same secret key to encrypt and decrypt messages.
  • Asymmetric Cryptosystems: Uses a pair of keys: a public key known to everyone and a private key that remains secret. The public key is used to encrypt data, while the corresponding private key decrypts it.

Access Controls

  1. Mandatory Access Control (MAC):
    • Description: Uses a system-enforced access policy where individual object owners can't set access. Operates based on labels assigned to every object and subject.
    • Hierarchical Environment: Classifications are assigned in a structured order, ranging from low to high security.
    • Compartmentalized Environment: Focuses on specific clearances over domains or compartments rather than individual objects.
    • Hybrid Environment: A mix of both hierarchical and compartmentalized systems where security levels possess sub-compartments.
    • Key Point: Every object and subject in the MAC model has one or more predefined labels, with the system determining access based on these labels.
    • Software Example: SELinux in Linux employs MAC by assigning labels to every file, process, port, etc., and uses these labels to enforce policy decisions.
  2. Discretionary Access Control (DAC):
    • Description: Object owners have the discretion to define accessibility.
    • Software Example: NTFS in Windows or ext4 in Linux allow file creators to set permissions.
  3. Non-discretionary Access Control:
    • Description: Enforces system-wide access restrictions.
    • Software Example: Windows Group Policy enforces controls like preventing all users in a specific OU from using USB storage.
  4. Rule-based Access Control:
    • Description: Access is based on predefined rules.
    • Software Example: Cisco's Access Control Lists (ACLs) in their IOS or firewall solutions like pfSense. Additionally, Windows Group Policy can be viewed as implementing rule-based controls in the context of domain environments.
  5. Role-Based Access Control (RBAC):
    • Description: Access is based on defined job roles, each associated with specific permissions.
    • Example: Azure roles such as "Global Admin", "Access Admin", or "Security Reader" allow individuals occupying these roles to access specific resources or perform certain tasks.
    • Key Point: Users in RBAC are granted access based on their job function, ensuring they have the necessary permissions to execute their roles effectively.
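As an added example (not from the original notes), the following models three of the access control types above side by side: MAC with system-enforced labels in a hybrid hierarchical/compartmented lattice, DAC where only the object's owner can change its ACL, and RBAC with the Azure role names from the page mapped to constructed permission strings. The MAC part goes slightly beyond the page by also showing the "no write down" rule that usually accompanies "read down" in label-based systems, which is what stops a high-clearance subject from copying secret data into a low-classification file. Levels, compartments, users and permissions are all constructed.

```python
from dataclasses import dataclass

# --- 1. MAC: labels are assigned by the system; owners cannot override them ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}  # constructed


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least other's level AND holds every
        compartment other carries (the lattice 'dominates' relation)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def mac_can_read(subject: Label, obj: Label) -> bool:
    # "Read down": a subject may read an object only if its clearance dominates the label.
    return subject.dominates(obj)


def mac_can_write(subject: Label, obj: Label) -> bool:
    # "No write down": a subject may write only to objects whose label dominates its own,
    # so secret data cannot flow into an unclassified file.
    return obj.dominates(subject)


# --- 2. DAC: the object owner decides who gets what ---
class DacFile:
    def __init__(self, owner: str):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}

    def grant(self, actor: str, principal: str, perms: set) -> None:
        """Only the owner may change the ACL; anyone else is refused."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of this file")
        self.acl.setdefault(principal, set()).update(perms)

    def allows(self, principal: str, perm: str) -> bool:
        return perm in self.acl.get(principal, set())


# --- 5. RBAC: permissions attach to roles, users hold roles ---
# Role names follow the Azure examples on the page; permission strings are constructed.
ROLE_PERMISSIONS = {
    "Security Reader": {"alerts:read", "policies:read"},
    "Access Admin": {"policies:read", "roles:assign"},
    "Global Admin": {"alerts:read", "policies:read", "roles:assign", "tenant:configure"},
}
USER_ROLES = {"alice": {"Security Reader"}, "bob": {"Access Admin"}, "carol": {"Global Admin"}}


def rbac_allows(user: str, perm: str) -> bool:
    """A user is allowed a permission if any role they hold carries it."""
    return any(perm in ROLE_PERMISSIONS[role] for role in USER_ROLES.get(user, set()))


if __name__ == "__main__":
    analyst = Label("secret", frozenset({"nato"}))
    report = Label("secret", frozenset({"nato"}))
    print("MAC read:", mac_can_read(analyst, report))
    shared = DacFile("alice")
    shared.grant("alice", "bob", {"read"})
    print("DAC bob read:", shared.allows("bob", "read"))
    print("RBAC alice assign roles:", rbac_allows("alice", "roles:assign"))
```

Note what each model refuses: in MAC even the file's creator cannot relabel it (there is no `grant`), in DAC a non-owner calling `grant` gets `PermissionError`, and in RBAC a user with no role at all resolves to no permissions rather than raising.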

CIA: Come back to this to properly understand it

Certification

  • Definition: The systematic technical evaluation of each component within a computer system to verify its alignment with security standards.
  • In simpler terms: It's like checking if each piece of a puzzle fits with the security picture we want.

Accreditation

  • Definition: The formal endorsement of a certified configuration by a designated authority.
  • In simpler terms: Once the system passes its "security test" (certification), an authoritative figure gives it a formal thumbs-up.

Security Policy

The role of a security policy is to inform and guide the design, development, implementation, testing, and maintenance of a particular system.

We start with our organisation's security policy, which gives us the rules we need to adhere to when designing and implementing a solution to a problem. The policy may come from the organisation itself or from a governing body; PCI DSS, for example, sets out requirements for handling credit card data.

Privilege & Accountability

Principle of Least Privilege (PoLP):

  • Definition: Ensures that users or processes are granted only the permissions they need to perform their specific job function and nothing more.
  • Applications:
    • System Processes: Only vital processes should run in supervisory or privileged mode to reduce the risk of malicious activities.
    • Role-Based Access Control (RBAC): Assigning permissions based on roles within an organization. For instance, a data analyst might have read access to a database but not write or delete permissions.

Separation of Privilege:

  • Definition: Requires multiple conditions or checks before a particular privilege is granted or an action is performed.
  • Applications:
    • System Operations: Requiring two separate keys or tokens to decrypt sensitive data.
    • Role Separation: An individual may have approval authority for a transaction, but a different individual must execute or finalize it. For instance, in financial institutions, a person requesting a funds transfer might not be the same person authorizing or executing it. 

Remember: Accountability ensures that an audit trail exists to trace operations back to their source. Even when an operation is performed with elevated privileges, the trail records who or what performed it.
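The funds-transfer workflow below is an added example (not code from the original notes) that ties the three ideas in this section together: least privilege (each role carries only the one operation it needs), separation of privilege (a transfer must be requested, approved and executed by different people, and the approver can never be the requester), and accountability (every attempt, allowed or denied, is written to an audit trail that can be queried per transfer). Users, roles and transfer IDs are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed role assignments. Least privilege: nobody holds all three roles,
# so no single account can push a transfer from request to execution alone.
USER_ROLES = {
    "alice": {"requester"},
    "bob": {"approver"},
    "carol": {"executor"},
    "dave": {"requester", "approver"},  # may approve, but never their own request
}


@dataclass
class Transfer:
    transfer_id: str
    amount: int
    requested_by: str
    approved_by: Optional[str] = None
    executed_by: Optional[str] = None


class TransferService:
    def __init__(self) -> None:
        self.transfers: Dict[str, Transfer] = {}
        self.audit: List[dict] = []  # the accountability record

    def _log(self, actor: str, action: str, transfer_id: str, outcome: str) -> None:
        """Every decision, including denials, is recorded with who and when."""
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action,
            "transfer": transfer_id, "outcome": outcome,
        })

    def _require_role(self, actor: str, role: str, action: str, transfer_id: str) -> None:
        if role not in USER_ROLES.get(actor, set()):
            self._log(actor, action, transfer_id, f"denied: missing role {role}")
            raise PermissionError(f"{actor} lacks role {role}")

    def request(self, actor: str, transfer_id: str, amount: int) -> None:
        self._require_role(actor, "requester", "request", transfer_id)
        self.transfers[transfer_id] = Transfer(transfer_id, amount, actor)
        self._log(actor, "request", transfer_id, "ok")

    def approve(self, actor: str, transfer_id: str) -> None:
        self._require_role(actor, "approver", "approve", transfer_id)
        t = self.transfers[transfer_id]
        # Separation of privilege: the approver must differ from the requester,
        # even if the actor legitimately holds both roles.
        if actor == t.requested_by:
            self._log(actor, "approve", transfer_id, "denied: self-approval")
            raise PermissionError("requester may not approve their own transfer")
        t.approved_by = actor
        self._log(actor, "approve", transfer_id, "ok")

    def execute(self, actor: str, transfer_id: str) -> Transfer:
        self._require_role(actor, "executor", "execute", transfer_id)
        t = self.transfers[transfer_id]
        if t.approved_by is None:
            self._log(actor, "execute", transfer_id, "denied: not approved")
            raise PermissionError("transfer has not been approved")
        t.executed_by = actor
        self._log(actor, "execute", transfer_id, "ok")
        return t

    def actors_for(self, transfer_id: str) -> List[tuple]:
        """Trace a transfer back to its source: who did what, and whether it was allowed."""
        return [(e["actor"], e["action"], e["outcome"])
                for e in self.audit if e["transfer"] == transfer_id]


if __name__ == "__main__":
    svc = TransferService()
    svc.request("alice", "T1", 500)
    svc.approve("bob", "T1")
    svc.execute("carol", "T1")
    for entry in svc.actors_for("T1"):
        print(entry)
```

The denials are logged before the exception is raised on purpose: an audit trail that only records successes cannot show that someone tried to approve their own transfer, which is exactly the event a reviewer wants to see.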