4. Authentication & Access:
Multi-Factor Authentication (MFA)
Multi-factor authentication requires two or more of the following factors to validate a user's identity:
- Something you know: something memorized, such as a PIN or password.
- Something you have: a physical or digital token. Examples include a smart card, a security token, or a trusted device such as a smartphone running an authenticator app.
- Something you are: biometrics. Examples include fingerprints, retina scans, or voice recognition.
Rights, permissions, and privileges are allocated to users based on their established identity. If a user possesses rights to a resource, they are provided authorization to use or access it.
Authentication (AuthN) vs. Authorization (AuthZ)
- AuthN (Authentication):
  - Definition: The process of verifying a user's identity, proving that they are who they claim to be.
  - Example: Logging into an email account with a username and password.
- AuthZ (Authorization):
  - Definition: The process that comes after authentication. It determines the permissions or rights an authenticated user has, dictating what they can and cannot do within a system.
  - Example: Once logged into the email account (after authentication), a user might have the authorization to read, send, or delete emails.
Cryptosystems in Authentication
Authentication can be facilitated through various cryptographic methods:
- Symmetric Cryptosystems: Both parties (e.g., sender and receiver) use the same secret key to encrypt and decrypt messages.
- Asymmetric Cryptosystems: Use a pair of keys: a public key known to everyone and a private key that remains secret. The public key is used to encrypt data, while the corresponding private key decrypts it.
Access Controls
- Mandatory Access Control (MAC):
  - Description: Uses a system-enforced access policy in which individual object owners cannot set access. Operates on labels assigned to every object and subject.
  - Hierarchical Environment: Classifications are assigned in a structured order, ranging from low to high security.
  - Compartmentalized Environment: Focuses on specific clearances over domains or compartments rather than individual objects.
  - Hybrid Environment: A mix of hierarchical and compartmentalized systems, where security levels possess sub-compartments.
  - Key Point: Every object and subject in the MAC model has one or more predefined labels, and the system determines access based on these labels.
  - Software Example: SELinux in Linux employs MAC by assigning labels to every file, process, port, etc., and uses these labels to enforce policy decisions.
- Discretionary Access Control (DAC):
  - Description: Object owners have the discretion to define accessibility.
  - Software Example: NTFS in Windows or ext4 in Linux allow file creators to set permissions.
- Non-discretionary Access Control:
  - Description: Enforces system-wide access restrictions.
  - Software Example: Windows Group Policy enforces controls such as preventing all users in a specific OU from using USB storage.
- Rule-based Access Control:
  - Description: Access is based on predefined rules.
  - Software Example: Cisco Access Control Lists (ACLs) in IOS, or firewall solutions such as pfSense. Additionally, Windows Group Policy can be viewed as implementing rule-based controls in the context of domain environments.
- Role-Based Access Control (RBAC):
  - Description: Access is based on defined job roles, each associated with specific permissions.
  - Example: Azure roles such as "Global Admin", "Access Admin", or "Security Reader" allow individuals occupying these roles to access specific resources or perform certain tasks.
  - Key Point: Users in RBAC are granted access based on their job function, ensuring they have the permissions necessary to execute their roles effectively.
CIA: Come back to this to properly understand it
Certification
- Definition: The systematic technical evaluation of each component within a computer system to verify its alignment with security standards.
- In simpler terms: It's like checking whether each piece of a puzzle fits the security picture we want.
Accreditation
- Definition: The formal endorsement of a certified configuration by a designated authority.
- In simpler terms: Once the system passes its "security test" (certification), an authoritative figure gives it a formal thumbs-up.