Introduction

Unit 5: Week 3: Using Access Controls

Essential Questions

  • Who should have access to which information on a school or district network?
  • How can IT staff ensure that users only have access to the information they need or are allowed to access?

Big Ideas

When you log on to a network, chances are someone has set up the network to recognize who you are and what level of access you have to the information and resources shared on the network. Networking protocols include user access controls that limit what some users can do and access while providing others greater access; it just depends on who you are and what information you have been approved to access.

There are different ways to authorize someone to use a network and its assets, as well as different ways to log what users do. Not all organizations and districts will use the same authorization models or the same logging, one of the methods for providing what is often referred to as non-repudiation. You should know your own network protocols as well as those that are used by others.

As a student, there are limits to what information you should have access to on a school or district network, even if you might be on a student Help Desk. For example, you probably won’t be provided access to other users’ passwords or to anyone’s grade information but your own. However, you should understand the access controls on your network and what to do when there is an issue with them. You should also understand how confidential information is kept secure, often through a process of encryption.

Even if you can’t access someone else’s password or other encrypted information, because students may have limited access compared to IT employees, you might be able to walk users through the process of creating a new password. And when you do, you can provide some advice on how to make that password, or better yet a passphrase, less vulnerable to compromise.

Connection to Student Lives

or your pet’s name? Is it…password? You might be surprised how many people create and use weak passwords, sometimes using the same password over and over for different accounts. The benefit is that it’s easy to remember, but the issue is that it can be easy to guess. And if you use the same password for multiple accounts, once someone figures out your password, whether by watching you use it, guessing, or using password cracking software, you could be at serious risk of identity theft.

Framing Problem

Students have to understand the levels of access control (user account privileges) even if they have limited access to encrypted data, like other users’ passwords. Students should know whether they can provide support to someone with their limited privileges and when requests should be forwarded to someone with greater privileges.

Cornerstone Assessment

Students will review and practice using access controls to understand common types of user accounts on school/district resources and how those are authorized. They should be able to use common encryption methods available to their level of user access. Note: IT staff should determine when they are ready to allow students to access actual user accounts as well as how much information is appropriate for Help Desk representatives, but the students should understand the types of user accounts in the system in case they are asked to provide support to someone with greater authorization than their own. Students may want to use best practices for creating strong passwords as the focus of their project in Week 4.

DPI Standards

  • 6.00 Understand computer security
  • 6.03 Identify secure web browsing practices

CompTIA Standards

  • 6.4 Compare and contrast authentication, authorization, accounting and non-repudiation concepts
  • 6.5 Explain password best practices
  • 6.6 Explain common uses of encryption

Knowledge

  • The four main processes described in an access control system: identification, authentication, authorization, accounting
  • The principles of least privilege and implicit deny and how they are used
  • Classifications of access control or authorization models
  • What non-repudiation is, why it’s important, and methods for providing it as part of an access control system (logging, video, biometrics, signature, receipt)
  • Common types of user accounts
  • What a passphrase is and its advantages
  • Examples of different types of authentication and advantages and disadvantages (Something you have, Something you are, Somewhere you are, Multifactor and two-factor, Single sign-on (SSO))
  • Uses and types of encryption
  • Uses for cryptographic hashes
  • Best practices for creating strong passwords

Skills

  • Distinguish between identification, authentication, authorization, and accounting in access control systems.
  • Identify different authentication factors and understand their use in providing strong authentication.
  • List best practices when choosing passwords.
  • Explain how encryption technologies are used for authentication and access control.

Vocabulary

  • Accounting (Logs, Tracking, Web browser history)
  • Nonrepudiation (Video, Biometrics, Signature, Receipt)
  • Authentication (Single factor, Multifactor, Examples of factors [Password, PIN, One-time password, Software token, Hardware token, Biometrics, Specific location, Security questions], Single sign-on)
  • Authorization (Permissions, Least privilege model, Role-based access [User account types], Rule-based access, Mandatory access controls, Discretionary access controls)
  • Data states: Data at rest (File level, Disk level, Mobile device)
  • Data states: Data in transit (Email, HTTPS)
  • Mobile application
  • Password complexity
  • Password expiration
  • Password history
  • Password length
  • Password managers
  • Password reset process
  • Password reuse across sites
  • Plain text vs. cipher text (and cipher)
  • VPN (Virtual Private Network)

Supporting Vocabulary

  • Access control system (subjects, objects, Access Control List (ACL), permissions), (identification, authentication, authorization, accounting)
  • Digital signature
  • Hash (cryptographic hash)
  • Mandatory logon
  • Passphrase vs. password
  • Password crackers
  • Principle of implicit deny
  • Secret key, private key, public key and key exchange
  • User account

Weekly Map

Monday

Introduction to problem: Levels of Access

Online pre-assessment (available for student practice, as well)

Team meetings to develop project plan and goals (some teams may continue their project in week 4)

Tuesday

Review content resources with whole group

Small group and independent exploration of resources

Contribute to team project

Wednesday

Hands-on exploration with IT professionals: User access controls and encryption methods

Team progress check with supervisor (using project plan)

Thursday

Hands-on exploration with IT professionals: User access controls and encryption methods

Small group and independent exploration of resources

Contribute to team project

Friday

Team progress check with supervisor or sharing of progress with whole group

Online post-assessment

Lesson Ideas

Students work in teams to review Unit 5.3 in their textbook. The students collaborate on adding to their Frayer-type digital presentation or other documentation that records and illustrates key vocabulary and concepts in the Units. Students contribute to these files throughout the semester to prepare for the CompTIA certification exam and to contribute to the Help Desk knowledge base.

Technicians guide students through common user account settings and access controls while still restricting information based on the students’ level of privilege. Technicians can also share how common encryption methods are used without disclosing confidential information, such as security keys or their own network’s encryption methods.

Potential Resources

The Official CompTIA ITF+ Instructor’s Manual and Student Guide: Units 4.1 and 4.2

Frayer Diagram Template (slide deck, document, or other)

Correct Horse Battery Staple passphrase generator

Khan Academy

  • What is the Internet? A short course that covers wired and wireless networks; IP addresses and DNS; packets, routers, and reliability; HTTP and HTML; Encryption and public keys; and cybersecurity
  • The Online Data Security Unit contains information about Data Encryption Techniques and User Authentication Methods, such as Strong Passwords and Multi-Factor Authentication
  • Sal Khan explains the Math Behind Password Security

Technology Gee