Review Q


- Confidentiality: Information about the system or its users cannot be learned by an attacker.
- Integrity: The system continues to operate properly, only reaching states that would occur if there were no attacker.
- Availability: Actions by an attacker do not prevent users from having access to, or use of, the system.

- Security policy: A set of rules and practices that specify how a system or organization provides security services to protect sensitive and critical system resources.
- Implementation actions:
♣ Prevention
♣ Detection
♣ Response
♣ Recovery
- Something the individual knows: password, PIN, answers to prearranged questions.
- Something the individual possesses: smartcard, electronic keycard, physical key.
- Something the individual is (static biometrics): fingerprint, retina, face.
- Something the individual does (dynamic biometrics): voice pattern, handwriting, typing rhythm.
1- Offline dictionary attack:
- The hacker gains access to the system password file.
- Compares the password hashes against hashes of commonly used passwords.
- If a match is found, the attacker can gain access by that ID/password combination.
2- Specific account attack:
- The attacker targets a specific account and submits password guesses until the correct password is discovered.
3- Popular password attack:
- A variation of the preceding attack is to use a popular password and try it against a wide range of user IDs.
- Works because users choose a password that is easily remembered.
4- Password guessing against a single user:
- The attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password.
5- Workstation hijacking:
- The attacker waits until a logged-in workstation is unattended.
6- Exploiting user mistakes:
- If the system assigns a password, then the user writes it down because it is difficult to remember. This creates the potential for an adversary to read the written password.
- A user may share a password.
- Social engineering.
- When preconfigured passwords are unchanged, they are easily guessed.
7- Exploiting multiple password use:
- The attack happens when different network devices share the same or a similar password for a given user.
8- Electronic monitoring:
- If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping.
- Rule enforcement:
specific rules that passwords must adhere to
- Password cracker:
compile a large dictionary of passwords not to use
- Bloom filter:
- used to build a table from the dictionary using hashes (only the hashed bit table is stored, not the dictionary itself)
- check the desired password against this table; a password whose bits are all set is rejected
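An added example (not part of these review notes) of the Bloom-filter approach: every forbidden password is hashed k times into a bit table, and a candidate is rejected when all k of its bits are already set. The sample dictionary, the table size (2^20 bits), k = 5 and the SHA-256-with-index-prefix hashing scheme are all constructed here; the false-positive formula is the standard Bloom-filter estimate.

```python
import hashlib
import math

# Constructed sample dictionary of passwords that must not be used (not from the notes).
WEAK_PASSWORDS = [
    "password", "123456", "qwerty", "letmein", "admin",
    "welcome", "iloveyou", "monkey", "dragon", "football",
]


class BloomFilter:
    """Bit array of n_bits positions; each item sets n_hashes of them."""

    def __init__(self, n_bits: int, n_hashes: int) -> None:
        self.m = n_bits
        self.k = n_hashes
        self.bits = bytearray((n_bits + 7) // 8)

    def _positions(self, item: str):
        # Derive k independent positions by prefixing the item with the hash index
        # before SHA-256 (a constructed hashing scheme chosen for this example).
        for i in range(self.k):
            digest = hashlib.sha256(i.to_bytes(2, "big") + item.encode("utf-8")).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: str) -> bool:
        # All k bits set -> "probably in the dictionary"; any bit clear -> definitely not.
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def false_positive_rate(n_bits: int, n_hashes: int, n_words: int) -> float:
    """Approximate probability that a password NOT in the dictionary is still rejected."""
    return (1.0 - math.exp(-n_hashes * n_words / n_bits)) ** n_hashes


def build_password_filter(dictionary, n_bits: int = 1 << 20, n_hashes: int = 5) -> BloomFilter:
    """Hash every forbidden password into the table; only the bit array needs to be kept."""
    bf = BloomFilter(n_bits, n_hashes)
    for word in dictionary:
        bf.add(word.lower())   # normalise case so "Qwerty" is caught by the entry "qwerty"
    return bf


def password_is_acceptable(bf: BloomFilter, candidate: str) -> bool:
    """Reject a candidate whose bits are all set (it is, or collides with, a dictionary word)."""
    return candidate.lower() not in bf


if __name__ == "__main__":
    bf = build_password_filter(WEAK_PASSWORDS)
    for pw in ("password", "Qwerty", "Tq7!vRm2#pLz9xW"):
        print(pw, "acceptable" if password_is_acceptable(bf, pw) else "rejected")
    print("estimated false-positive rate:",
          false_positive_rate(1 << 20, 5, len(WEAK_PASSWORDS)))
```

A Bloom filter never produces a false negative, so every dictionary word is guaranteed to be rejected; the only cost is the occasional acceptable password that is refused, and `false_positive_rate` shows how the table size trades against that.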

❖ In a Trojan horse attack, an application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode, or biometric.
❖ Classified into three categories:
• Static
• Dynamic password generator
• Challenge-response

o Facial characteristics
o Fingerprints
o Hand geometry
o Retinal pattern
o Iris
o Signature
o Voice
❖ Enrollment: creates an association between a user and the
user’s biometric characteristics.
❖ Verification: Depending on the application, user
authentication involves verifying that a claimed user is the
actual user. (true\false)
❖ Identification: Depending on the application, user authentication involves identifying an unknown user. (User’s identity or “user unidentified”)
Local authentication:
• A user attempts to access a system that is locally present, such as a stand-alone office PC or an ATM machine.
Remote user authentication:
• Authentication over a network, the Internet, or a communications link is more complex.
• Additional security threats:
1. Eavesdropping.
2. Capturing a password.
3. Replaying an authentication sequence that has been observed.
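An added example (not from these notes) showing why the challenge-response category above counters the remote-authentication threats just listed: the verifier sends a fresh random nonce, the prover answers with an HMAC of that nonce under the shared key, and the nonce is consumed on first use. The user's secret never crosses the link, so an eavesdropper who captures a full exchange cannot replay it. The shared key, user name and the HMAC-SHA256 construction are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for one user (e.g. derived from a password); not from the notes.
SHARED_KEYS = {"alice": b"constructed-key-for-alice-0001"}


class Verifier:
    """Server side: issues single-use challenges and checks the responses."""

    def __init__(self, keys: dict) -> None:
        self.keys = dict(keys)
        self.outstanding = {}   # user -> set of nonces issued and not yet consumed

    def challenge(self, user: str) -> bytes:
        # Fresh random nonce; an observer learns nothing reusable from it.
        nonce = secrets.token_bytes(16)
        self.outstanding.setdefault(user, set()).add(nonce)
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        key = self.keys.get(user)
        issued = self.outstanding.get(user, set())
        if key is None or nonce not in issued:
            return False            # unknown user, forged nonce, or a replayed (already consumed) nonce
        issued.discard(nonce)       # consume it: each challenge permits exactly one attempt
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


def prover_response(key: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the key without ever transmitting it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def run_exchange(verifier: Verifier, user: str, key: bytes):
    """One complete login. Returns (nonce, response, accepted); the first two are what an eavesdropper sees."""
    nonce = verifier.challenge(user)
    response = prover_response(key, nonce)
    return nonce, response, verifier.verify(user, nonce, response)


if __name__ == "__main__":
    v = Verifier(SHARED_KEYS)
    nonce, response, ok = run_exchange(v, "alice", SHARED_KEYS["alice"])
    print("genuine login accepted:", ok)
    print("replay of the captured exchange accepted:", v.verify("alice", nonce, response))
```

Contrast this with sending the password itself (threats 1 and 2 above): here the captured bytes are a one-time nonce and its keyed digest, useful for neither a replay nor an offline guess at the key without the key material.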
❖ Owner: This may be the creator of a resource, such as a file.
❖ Group: In addition to the privileges assigned to an owner, a named group of users
may also be granted access rights, such that membership in the group is sufficient to
exercise these access rights.
❖ World: The least amount of access is granted to users who are able to access the
system but are not included in the categories owner and group for this resource.

❖ Subject: entity that can access objects.
❖ Often a process representing a user/application.
❖ Subjects often have 3 classes: owner, group, world.
❖ Object: access-controlled resource.
❖ e.g. files, directories, records, programs etc.
❖ Number/type depend on the environment.
❖ Access right: the way in which a subject accesses an object.
❖ e.g. read, write, execute, delete, create, search.
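An added example (not part of these notes) of the owner/group/world model above as an access check: each object carries one set of rights per class, a subject is placed in the most specific class that applies (owner first, then group, then world, as Unix does), and the access matrix is derived by running the check for every subject/object pair. The users, groups, resources and their rights are constructed sample data.

```python
from dataclasses import dataclass

# The access rights named in the notes.
RIGHTS = frozenset({"read", "write", "execute", "delete", "create", "search"})


@dataclass(frozen=True)
class Subject:
    """A process acting for a user; carries the user's group memberships."""
    user: str
    groups: frozenset


@dataclass
class Resource:
    """An access-controlled object with an owner, an owning group and one right set per class."""
    name: str
    owner: str
    group: str
    rights: dict   # {"owner": set(...), "group": set(...), "world": set(...)}


def subject_class(subject: Subject, obj: Resource) -> str:
    """Most specific class wins: owner, then group, then world (Unix-style rule)."""
    if subject.user == obj.owner:
        return "owner"
    if obj.group in subject.groups:
        return "group"
    return "world"


def check_access(subject: Subject, obj: Resource, right: str) -> bool:
    """True if the subject's class on this object has been granted the right."""
    if right not in RIGHTS:
        raise ValueError(f"unknown access right: {right}")
    return right in obj.rights[subject_class(subject, obj)]


def access_matrix(subjects, objects) -> dict:
    """Rows = subjects, columns = objects, cells = the rights each subject actually holds."""
    return {
        s.user: {o.name: frozenset(r for r in RIGHTS if check_access(s, o, r)) for o in objects}
        for s in subjects
    }


# Constructed sample data (not from the notes).
ALICE = Subject("alice", frozenset({"finance"}))
BOB = Subject("bob", frozenset({"finance"}))
CAROL = Subject("carol", frozenset())
PAYROLL = Resource("payroll.db", owner="alice", group="finance",
                   rights={"owner": {"read", "write", "delete"}, "group": {"read"}, "world": set()})
# Owner class is checked first, so alice does NOT inherit the group's write right here.
NOTES = Resource("notes.txt", owner="alice", group="finance",
                 rights={"owner": {"read"}, "group": {"read", "write"}, "world": set()})


if __name__ == "__main__":
    for user, row in access_matrix([ALICE, BOB, CAROL], [PAYROLL, NOTES]).items():
        print(user, {name: sorted(r) for name, r in row.items()})
```

The owner-first rule is the edge case worth remembering: an owner who is also a group member gets only the owner rights, which is why `NOTES` denies `alice` the write right that her group holds.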
❖ Attribute-based access control(ABAC): based on the
attributes of the user, the resources and the current
environment

❖ Discretionary access control (DAC)
❖ Mandatory access control (MAC)
❖ Role-based access control (RBAC)
❖ Attribute-based access control (ABAC)
