What do you think provides more security with regard to access control and authentication, CSPs or physical systems?
Both are needed and are incredibly important, but I would argue that physical security is more important. If someone is able to get into your facility and get access to a networking closet, or just a network jack, massive damage could occur. "If a hacker has physical access to the device, they will be able to compromise it" is often the mentality taken, which is why physical security should not be overlooked.
What is the name of a client/server protocol designed to allow network access servers to authenticate remote users by sending access request messages to a central server?
What are the ways of solving the access control dilemma: balancing security and convenience?
Do you think biometrics is an efficient tool to use for multi-factor authentication?
Hi Natlie,
Personally, I think combining biometrics with other access controls for multi-factor authentication is efficient and increases security. For example, an organization can combine a user PIN (something you know) with a fingerprint (something you are). In this way, it makes it more difficult for an unauthorized person to gain illicit access to physical resources.
I think that it can be; however, I think that there should be certain circumstances where biometrics should be used. I wouldn’t use biometrics to access some game on my phone, but I would use it for something that requires more security.
How can attackers compromise systems via biometric authentication?
Hi Neung,
There are many privacy issues with biometric data which may lead to security breaches. Like any collection of data, a biometric database has the risk of being hacked and may be breached too, and all the biometric information can be stolen. Since people cannot change their fingerprints or iris scans, once biometric data is stolen, it may no longer be under the control of its owners. The other risk is that biometric data can be duplicated and used to access any device or information.
Hypothetically speaking, if you were tasked with securing an information system that contained information critical to your organization and is known to be a significant target for hackers and less-than-moral employees, what physical or digital access controls would you put in place to help mitigate and discourage these threats?
Hi Imran,
In regard to physical security, I would design a layered defense to protect access control systems. For instance, I would put multifactor access control in place, such as enforcing biometrics accompanied by an identification card. Also, CCTV cameras and security guards may deter unauthorized people. Additionally, mantraps, combination safes and doors, or electronic card systems should be designed to protect physical access to information systems from unauthorized or malicious people. Regarding logical access control to IS, role-based access control can be used, which restricts access to computer resources based on the need-to-know principle so that only identified, authorized individuals can gain access.
What would be your solution to the perpetual password problem that users like myself often run into? I have too many passwords to remember, and as they get more and more complex it is nearly impossible.
Hi Alex,
Biometric technology may be an alternative to passwords and seems promising for creating a passwordless world. However, some privacy issues remain with it too. If strong methods are developed for how to store and access biometric data securely, this technology will be a remedy for password problems like creating weak passwords, having various passwords to remember, and the cost of creating new ones. I believe the proper environment will be available to ensure personal data protection in the near future so that biometric data can be used by people securely.
Should 2FA be mandatory for any authentication process?
No, I don’t think so. Adding too many authentication components where they are not necessary can be risky, not only because it tends to push users away, but also because it is another security aspect that needs to be monitored and protected. There are definitely times when 2FA is necessary, like when dealing with sensitive information, but I think it’s best to keep the authentication level on par with the information it is protecting.
When a password document is found to be downloaded, what emergency measures should be taken to prevent hackers from accessing the data? (hackers need time to crack password documents)
The first step would be to go to your incident response plan and begin properly documenting all aspects of the incident that has occurred. As for the remediation step, it would include immediately issuing a mandatory password change for all users. If two-factor authentication is not used, it may also be a good time to think about implementing it to heighten the security posture.
As an IT Auditor, what would be the starting point for auditing the IAM department of an organization, and which standards would you specifically refer to when conducting the audit?
Hi Shendarkar,
I think the starting point is reviewing the policy of the IAM department and reviewing the file restriction settings.
Oftentimes people will write passwords down and leave them on their desk if they are forced to change passwords often. Where does this issue fall into, physical security or IAM?
In my opinion, in this case companies should also force employees not to write them down and make janitors check desks when they are cleaning. Even writing them down in a notes app on their phone is better than writing them down on paper, as at least it is protected by their phone password.
Should the company force employees to use the chosen authentication method? Or should the company offer different authentication methods, like a physical key or biometrics, and let employees choose?