
Security Architecture

MIS 5214 - Section 001 - David Lanter

MIS 5214.005 ■ Spring 2021 ■ Wade Mackey

Boyle and Panko Chapter 5 Access Control

February 27, 2020 by Wade Mackey 24 Comments

Filed Under: 08 - Access Control

Comments

  1. Percy Jacob Rwandarugali says

    March 1, 2020 at 2:26 pm

    According to NIST, access control is the policy-driven control of access to systems, data, and dialogues. There are many ways to control access, including physical barriers, passwords, and biometrics. However, what I learned is that access control is not cryptography, and many access controls don’t use it. It was important for me to know that access controls have three functions, which include authentication, authorization, and auditing. However, authentication is the most complex part of the AAA access.

    • Innocent says

      March 6, 2020 at 8:33 am

      Good point, Percy. Also, auditing is a very important aspect of the access control function because it enables the organization to analyze in real time (or save for later analysis) the log files of individual activities. Auditing reduces or minimizes violations of authentication and authorization policies in an organization.

      • Percy Jacob Rwandarugali says

        March 6, 2020 at 4:20 pm

        Yes, Innocent, it’s true that auditing reduces violations because you can monitor malicious activities and take the necessary precautions. For instance, unapproved changes in configuration can be identified and fixed.

  2. Innocent says

    March 1, 2020 at 11:51 pm

    One key takeaway from this chapter is that organizations should have clear policies which prohibit shared account creation because of the following problems or risks to the business. Shared accounts lead to shared passwords which are rarely changed, and the longer a password goes unchanged, the longer a hacker can use the password if s/he has cracked it. Secondly, since everyone knows the shared password, people are likely to give it out to people who should not have it, and if the account is used inappropriately, it may be difficult to tell from the audit logs which specific user committed the attack or crime.

    • Junjie Han says

      March 10, 2020 at 10:14 pm

      Hi Innocent,
      There are two ways for hackers to steal passwords. One is to implant malicious software and perform multiple calculations inside the terminal site to try to crack the password. The other is to steal and crack password files with encrypted information. Cracked accounts will be hijacked.

  3. Zeynep Sahin says

    March 3, 2020 at 12:31 am

    One key point that I learnt from this chapter is that among the three forms of access control in the corporate security industry, role-based access control is the most in-demand type of access control system because it is easy to use, cheaper, and less error-prone.
    • The access authority is assigned based on the individual role within an organization which makes it cheaper than assigning access control rules separately to the individual accounts.
    • This type of access control makes it easier for an organization to apply access control rules because the system administrator is the only person who is mandated to assign access to various job titles.
    • Also, role-based access control mitigates the risks of errors because most privileges are determined by the limitation of your job responsibilities.

    • Innocent says

      March 6, 2020 at 7:44 am

      Hi Zeynep,

      You’re right, RBAC improves operational performance as transactions are automated, and employees do not waste time using unnecessary applications to fulfill their responsibilities.
      Role-based access control minimizes the risk of security breaches and data leakage because few people within the organization are granted access to sensitive data. Also, RBAC provides improved security of systems. When the system is designed and deployed, access and privilege for users is determined based on their role within the firm (aka “need-to-know” basis). Once these roles are established, the desired level of security can be easily maintained for hundreds of other employees.

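The RBAC points made in this thread (rights attached to job roles rather than individual accounts, a single administrator who assigns roles, and an audit trail of decisions) as a small worked example. This is added code, not from the textbook, the course or any commenter; the role names, permissions and users are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class RbacPolicy:
    """Access rights attach to roles; users only hold roles (constructed example)."""
    roles: dict                                       # role -> set of permissions
    assignments: dict = field(default_factory=dict)   # user -> set of roles
    audit_log: list = field(default_factory=list)     # every decision, for review

    def permissions_of(self, user):
        """Effective rights = union of the permissions of every role the user holds."""
        held = self.assignments.get(user, set())
        return set().union(*(self.roles[r] for r in held))

    def check(self, user, permission, target=None):
        """Authorization decision; logged whether allowed or denied (the auditing A)."""
        allowed = permission in self.permissions_of(user)
        self.audit_log.append(("ALLOW" if allowed else "DENY", user, permission, target))
        return allowed

    def assign_role(self, actor, user, role):
        """Only a holder of 'user:assign_role' (the administrator) may grant roles."""
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        if not self.check(actor, "user:assign_role", target=f"{user}+{role}"):
            raise PermissionError(f"{actor} may not assign roles")
        self.assignments.setdefault(user, set()).add(role)

    def revoke_role(self, actor, user, role):
        if not self.check(actor, "user:assign_role", target=f"{user}-{role}"):
            raise PermissionError(f"{actor} may not revoke roles")
        self.assignments.get(user, set()).discard(role)


def build_demo_policy():
    """Constructed sample data: three job titles, one administrator bootstrapped."""
    policy = RbacPolicy(roles={
        "payroll_clerk": {"payroll:read", "payroll:update"},
        "auditor": {"payroll:read", "audit_log:read"},
        "sysadmin": {"user:assign_role", "audit_log:read"},
    })
    # The first administrator has to be seeded directly; everyone else goes
    # through assign_role so that the grant itself lands in the audit log.
    policy.assignments["admin"] = {"sysadmin"}
    policy.assign_role("admin", "alice", "payroll_clerk")
    policy.assign_role("admin", "bob", "auditor")
    return policy
```

Removing a permission from a role takes it away from every holder at once, which is the "cheaper than per-account rules" argument in the comment above.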
  4. Numneung Koedkietpong says

    March 6, 2020 at 9:01 pm

    One key point that I took from this chapter is about the password policy. Password policy setting is one of the common controls of access control. Weak passwords allow hackers unauthorized access to the system by brute force attacks or dictionary attacks. Organizations should establish a password policy considering various configurations such as password length (at least 8 characters long), password complexity, and password age. In addition, organizations should review inactive users and disable those users’ passwords. Moreover, organizations should use shared accounts.

    • Imran Jordan Kharabsheh says

      March 9, 2020 at 10:03 am

      Hello,
      As I was reading through your thoughts on the fifth chapter of the Corporate Computer Security textbook, I noted how you connected what we’ve learned in class as well as in other courses to the reading in order to further your understanding of that particular section. It is critical that organizations fortify their password policies to meet a specified technical standard. Depending on the sensitivity of what the password is protecting, there might also be a need for additional factors of authentication aside from the “something you know” category.

  5. Imran Jordan Kharabsheh says

    March 8, 2020 at 3:49 pm

    As I was reading through the fifth chapter of the Corporate Computer Security textbook, which emphasized the reasons behind and most common methods of physical and digital access control for information systems, I found that I had most enjoyed learning the finer details of bio-metric authentication. Some of the more humorous and fascinating authentication methods I’ve read about included the recognition of “gait (way of walking)” and vein placement in the hand. I think the primary reason I found these so interesting was because I might have seen these ‘something you are’ authentication methods in a few Mission Impossible movies, where Tom Cruise somehow manages to perfectly disguise and mimic himself as a villain.

    • Numneung Koedkietpong says

      March 9, 2020 at 12:10 pm

      Hi Jordan,
      I agree that biometric authentication is an efficient method to secure access control in the organization. Biometrics can prove something you are, like fingerprints, iris scans, or face recognition.

    • Sarah Puffen says

      March 10, 2020 at 11:56 am

      I agree that this is an interesting aspect of biometrics, and I can’t help but wonder if the collection of these types of information can eventually lead to the possibility for some type of real life shape-shifting, which does sound absolutely insane. We can see how deep fakes are used in media and can easily be passed off as the real thing, so I feel as though it’s only a matter of time before these practices can be used in real life, especially since users are willing to utilize biometric features to avoid memorizing numerous passwords and that data becomes more available and vulnerable to breaches and identity theft.

  6. Joseph Nguyen says

    March 8, 2020 at 9:16 pm

    The password length is more important than its complexity. If you increase the password length, you are making the password exponentially harder to crack; I think a minimum of about 16 characters should be good enough. One way to make it easier is maybe to use a phrase and a systematic way to remember it. Also, a master password program like Password Safe (pwsafe.org) can be installed on your computer.
    Also, 2FA is now a must, like push/phone call. NIST 800-63B (Digital Authentication Guideline) discourages the practice of SMS-based 2FA.

  7. Natalie Dorely says

    March 8, 2020 at 10:48 pm

    Access control as a whole is a very important topic that must be consistently reviewed and updated amongst organizations. Personally, I always thought that biometrics was very appealing as it is difficult for a hacker to falsify their identity on something that they don’t have. It’s important that organizations follow NIST standards to ensure that their security systems are abiding by the necessary rules and regulations set in place.

  8. Alexander Reichart-Anderson says

    March 8, 2020 at 11:22 pm

    Boyle and Panko, Chapter 5: Access Controls focuses on the third aspect of the C.I.A. triad: Accessibility, and the controls that organizations can put in place to make the accessibility of information assets more secure. The main control/policy that we’re all familiar with is the password policy. I feel like more and more account managers across the web are becoming more stringent and tough with their password policies; even to the point where I forget the password I just created because of the complexity of it. However, companies like LastPass make remembering passwords for different accounts exponentially easier by requiring only one password to unlock the portfolio of passwords. In addition, the use of dual factor authentication makes the accessibility of accounts much more secure.

    • Natalie Dorely says

      March 10, 2020 at 7:20 pm

      Hi Alexander,

      I think you made a great point in mentioning the emphasis of CIA triad. It’s definitely evident every day how organizations are enforcing stronger password policies amongst others.

      Best,
      Natalie Dorely

  9. Junjie Han says

    March 9, 2020 at 8:46 pm

    Boyle and Panko Chapter 5 Access Control describes how to correctly authenticate in Access Control, such as multi-factor authentication, physical access, and security. The main one is the way of access and protection. Password policies are important: do not use the same password on different sites. When the attacker makes several unsuccessful password attempts, the account is locked. An attacker, however, may choose to physically access the machine and steal the password document with a crack, or gain access to a site and use the computer inside the system to calculate the password for multiple attempts. This is the main way that permissions or passwords are stolen.

    • Christopher James Lukens says

      March 10, 2020 at 7:45 pm

      I think a good password policy is to have users make passphrases. By making the password longer it drives the complexity up and makes it much more difficult to crack. Making sure employees are using strong password phrases is an economical way of increasing the overall security of the firm.

    • Peiran Liu says

      April 1, 2020 at 1:18 pm

      Hi Junjie,

      For the password problem, it doesn’t work like there is a password document to steal. Passwords are usually stored as hashes in the database. When someone enters the password, the computer will make a calculation and compare the result with the database. It is a very complex calculation, so the reverse calculation should not be able to be done in a short time. Also, it shouldn’t be too easy to steal the password document as they are clearly one of the most important assets of the company, and they will be stored and locked so that even if you are on-site, without the proper procedure, access will be difficult.

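The two mechanisms discussed in this thread, storing passwords only as salted hashes that are recomputed and compared at login and locking an account after several failed attempts, as one worked example. This is added code, not from the textbook, the course or any commenter; the PBKDF2 scheme, iteration count and five-attempt threshold are choices made for this illustration rather than a prescribed standard.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # PBKDF2 work factor; a constructed choice for this example
MAX_FAILURES = 5       # consecutive failed logins before the account locks


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per account means two users
    with the same password end up with different stored values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class PasswordStore:
    """Holds only salt + digest + lockout state; the plaintext is never stored."""

    def __init__(self):
        self._records = {}   # username -> dict(salt, digest, failures, locked)

    def add_user(self, username, password):
        salt, digest = hash_password(password)
        self._records[username] = {"salt": salt, "digest": digest,
                                   "failures": 0, "locked": False}

    def verify(self, username, password):
        """Recompute the digest with the stored salt and compare in constant time.
        Unknown and locked accounts both simply fail."""
        rec = self._records.get(username)
        if rec is None or rec["locked"]:
            return False
        _, candidate = hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["digest"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked"] = True   # stays locked until an administrator unlocks
        return False

    def is_locked(self, username):
        return self._records[username]["locked"]

    def unlock(self, username):
        rec = self._records[username]
        rec["failures"], rec["locked"] = 0, False
```

Because the slow hash must be recomputed for every guess, an attacker holding a copy of the stored digests still pays the full work factor per candidate, which is the "reverse calculation should not be possible in a short time" property the comment describes.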
  10. Sarah Puffen says

    March 9, 2020 at 9:18 pm

    What I found interesting in Chapter 5 was the section on biometric authentication and the methods used to confirm identity. While most of us are familiar with using biometrics to access our phones, applications, etc., what is interesting, if not alarming, to think about is the permanence of your biometric data and the inability to change it, should it fall into the wrong hands. Passwords and PINs may be changed over time, but we’re stuck with our fingerprints, irises, faces, hands, etc. for the most part, so while biometrics is a quick and easy way to confirm identity, it’s also important to be mindful of where and when we use our biometrics and consider the repercussions should our biological data become compromised.

    • Akshay Shendarkar says

      March 10, 2020 at 5:10 pm

      Hello Sarah,

      Good point on the increasing use of biometric solutions for authentication. Humans, being lazy by nature, prefer to use biometric passwords rather than memorizing a PIN, as seen by the increasing use of fingerprint authentication in laptops and mobile devices. And as you rightly pointed out, once these biometrics are compromised, there is no way of changing them as they represent a permanent feature of an individual. Hence, even though biometrics might offer stronger authentication than some other authentication mechanisms, it is important to assess the risks associated with their compromise as well as not depend upon only them for authentication.

  11. Christopher James Lukens says

    March 10, 2020 at 4:34 pm

    What I find interesting with Chapter 5 access control is that it’s the bridge between physical security and computer security. If physical security is compromised and the hacker can have physical access to the computer itself, then it’s almost certain your systems will be compromised. Understanding the importance of securing the building as well as access to data centers, networking closets, and even stored computers is crucial because if bypassed nothing can stop the computer from being compromised in some way. I think another key point from this chapter was using centralized authentication servers with proper meta directory servers to manage access throughout the company and ensure proper replication of changes through the network. Incorporating SSO also improves the rule of using just enough details to achieve an identity through minimum context.

  12. Akshay Shendarkar says

    March 10, 2020 at 5:05 pm

    One important advantage of identity and access management as highlighted in this chapter is the use of Single Sign-On (SSO). To leverage SSO, it is important to understand the role directory servers play in the access management process. Not only does it reduce a lot of overhead and manual labor for the organization, it provides a central repository for storing information about people, administrators, applications etc. However, for security reasons companies don’t rely on the use of directory servers from just one vendor, e.g. Microsoft, Novell, Solaris. Even though meta directory servers can replicate information into these disparate systems, the synchronization is still limited. This is one of the challenges for the IT industry in syncing ADs of different vendors.

  13. Peiran Liu says

    April 1, 2020 at 1:11 pm

    The key takeaway for me is about equipment security. For some old companies, when they were founded, there was no network equipment like routers or servers. When the new era comes and they have to adopt that equipment, they might not be aware enough of that equipment’s security, which is where our work comes in. For equipment security, there are mainly seven controls, which are equipment siting and protection, supporting utilities, cabling security, security during offsite equipment maintenance, security of equipment off premises, secure disposal or reuse of equipment, and removal of property. Any of these could help those companies to solve their problem.
