The point I have taken from this chapter is biometric authentication.
Biometrics refers to a technology that uses human biological characteristics for identity authentication. To be more specific, biometric identification technology is the close combination of computers with high-tech methods such as optics, acoustics, biosensors, biostatistics, and the human body’s inherent physiological characteristics and behavioral characteristics to identify personal identity.
The biometric system is a feature template that samples biological features, extracts their unique features, converts them into digital codes, and further combines them. When people interact with the recognition system for identity authentication, the recognition system obtains their characteristics. It compares them with the characteristic templates in the data to determine whether they match and then decide to accept or reject the person.
Hi Zibai, a biometric system is really a new way to enhance security and provide an extra layer of defense to the security. it is a feature template that samples biological features, extracts the unique feature, and converts them into digital codes.
Hi Zibai,
I agree that this is an interesting aspect of biometrics. We can see many fakes and can easily disguise them as real things. Therefore, I think it is only a matter of time before these practices are applied to real life. Users are willing to use biometric technology to avoid the function of remembering many passwords, and Data becomes more available and vulnerable to breaches and identity theft.
Access control is the policy-driven control of access to systems, data, and dialogues. The one key point I noticed is about password, which is the most common access control in daily life.
The attacker can use password-cracking programs on the server to crack passwords. These programs can try thousands of possible account name or password combinations per second automatically until the passwords was crack. Another way to crack passwords is copy the password file to get physical access.
Organizations usually implement a strong password policies to defend threats. For example, set complexity requirements; prevent users from choosing previously used passwords; change passwords periodically and perhaps frequently. The strong password policy is the front line of defense to protect organizations’ assets, which can increase computer security by encouraging users to create reliable, secure passwords and then store and utilize them properly.
Hi Xinyi, I agree passwords are extremely important in access controls. As technology advances and simple passwords become easily cracked, MFA is often leveraged. By using a combination of what you have, what you know, and what you are, it offers a heavier layer of protection against unauthorized users.
Access control is the policy-driven control of access to systems, data, and dialogues. This chapter talks about various ways to control access, including physical barriers, passwords, and biometrics. Access controls have three functions which are authentication, authorizations, and auditing (AAA). This chapter mainly focuses on authentication such as what you know, what you have, who you are, and what you do. One authentication method that was interesting to read about is multilevel security. Military and national security organizations have a multilevel security that rate documents by sensitivity. There are several levels of classification such as secret, top secret, sensitive but unclassified, and public. Individuals should be granted appropriate clearances before they can access classified information. Individuals who have earned a confidential clearance are authorized to see confidential documents, but they are not trusted to look at secret or top secret information any more than any member of the general public.
Hello Ranu,
In most organizations, access control is an essential part of security. They help to authenticate and authorize individuals to access information that they are allowed to view or use. Without them, unauthorized access to physical or logical systems cannot be restricted. It is important to conduct regular governance, risk, and compliance reviews to ensure that appropriate access controls work. Thank you for highlighting such an important topic.
By definition, access control is a policy driven control of access to systems, data and conversations. There are many ways to control access, including physical barriers, passwords and biometrics. Access control is a technology used in almost all systems, including computer system and non computer system. Access control is a technology that restricts the access to some information items or the use of some control functions according to the user’s identity and a definition group. For example, the principle of uninac network access control system is based on this technology. Access control is usually used by system administrators to control users’ access to servers, directories, files and other network resources.
The one thing that I find interesting is two factor authentication may not be useful in certain situations. According to the chapter, Bruce Schneier has noted that Trojan Horses and min in the middle attacks can negate the strength of two-factor authentication. First, if a client PC is infected with a Trojan Horse, the Trojan hose can send transactions when a user has already authenticated himself or herself to an e-commerce site. If a user’s computer is compromised, two-factor authentication means nothing. Second, two-factor authentication often can be defeated with a man-in-the-middle attack. If a user logs into a fake banking website, the fake site can act as a silent go-between to the real banking website. After the user successfully authenticated, the fake website can execute transactions of its own on the real website. Therefore many companies have multi factor authentication process to prevent these situations.
These are good points as well often see two factor being used more commonly with financial sites, education and healthcare. They are being leveraged due to their security but like you said these cans till be thwarted. It is important for people to make sure they go to the correct website, rather than click unknown email links and verifying these sites with the certification that is shown in the URL on new devices. If soon these become unusable, do you have a suggestion to what would be next?
Access control techniques used to prevent unauthorized access to any resource so that a computer system can be used within legal limits. A technique that restricts access to certain items of information or the use of certain control functions by referring to the identity of a user and the defined group to which the user belongs. For example, the principle of the UNINAC network access control system is based on this technique. The main purpose of access control is to restrict the access of the subject to the object, so as to ensure that the data resources can be effectively used and managed within the legal scope. In order to achieve the above purpose, access control needs to accomplish two tasks: to identify and confirm the user who accesses the system, and to determine what type of access the user can make to a system resource. Access control consists of three elements: subject, object and control strategy.
One key takeaway from this week’s chapter about access control, is the portion on directory servers, specifically the active directory domains (AD). Most organizations use some form of AD to manage identity and to provide authentication information. The AD is also used to mange the role and group the end user is a part of. Managing the AD is extremely important in security. Hackers will often attack the AD and attempt to gain access. Once there, if they can escalate privileges, they could alter any user’s data and manage the role and groups of the organization. AD’s must be protected at all times within many layers of defense. The AD often goes through auditing more frequently and you can buy special software or tools to help monitor and manage the AD to help prevent security issues.
I agree with your assessment that Active Directory is a heavily used identity and authorization security platform. A high risk function within AD is access to domain controllers. With the right identity and group architecture, access to the domain controllers can be limited, to break glass accounts used only to grant or revoke access to lower privileged administrative accounts..
From this chapter, we learn that access control is a method to allow or deter groups from getting information from a system. Some of these controls include a password system, biometric authentication, and even physical barriers. I’ve been more and more interested in specifically multi-factor authentication methods when using passwords. Most sites with password systems implement at least two-factor authentication, but even that is vulnerable. Two methods were described in the chapter on how 2FA can be defeated. If a user is logged on a client PC, and that PC gets a Trojan horse, that Trojan horse can do all sorts of damage to a network because the user was logged in. The other method described was a man-in-the-middle attack. This attack can be a spoofed login portal to gain information, and then the attacker can use that information to then log in to the real site and potentially cause damage. This is why the key takeaway from this chapter is using multi-factor authentication to have many ways to log in that is personal to you.
2FA is almost becoming too cumbersome but it is necessary in order to verify the end user. At work, we discontinued the use of SMS and went to push notifications instead. It was found the SMS messages were able to be intercepted and MiTM attacks could take place. Hopefully MFA with push notifications is around for a while and we won’t have to do too much in order to verify our ID in the future.
Something I learned from this week’s reading was how military and National Security Organizations apply access controls. Documents in the military and NSOs can be accessed based on a person’s security clearance. There are four levels of security clearance, public, sensitive but unclassified, secret and top secret. Based on the level of security associated with the document, individuals may or may not be able to access documents either physically or electronically. There are two types of access controls, mandatory and discretionary. Mandatory are controls where no departmental or personal individuals have the ability to alter access control rules set by higher authority. In the case of the US government, the president determines what information is secret and top secret and no agency of the US government can override that determination. Discretionary access controls are rules that can be set at a departmental or personal level. Basically the documents and people are classified according to clearance levels, only those with the same or higher level clearance can access documents at the same level.
Great post! I really like that your take away led you to this area. I especially like the part about the President designating what is secret vs tope secret. although it begs the question: What of those “top secret” things that even the President is not privy to? Who designates that as “need to know only” from the President?
Two-factor authentication helps companies manage their users securely while they log in to their accounts. Although the admin can require users to set up a complicated password, including numeric, text form, and specific symbol, the two-factor authentication consolidates the defense. For example, the user needs to enter both password and PIN to log in to the system. Some apps require the user to log in to another device by scanning the QR code, or the user will receive a one-time code, which will expire in one minute. In doing this, the companies can reduce the number of unauthorized users to log in to the system. If the attacker uses man-in-the-middle, the two-factor authentication cannot defensively execute login, especially, the banking industry. Thus, it can improve the security, but it may be defeated with occurring the man-in-the-middle attack.
I agree that two-factor authentication should be a mandatory step for accounts nowadays. I don’t believe I’ve ever seen a QR code method, but that sounds unique enough as you need your phone to scan and generate the code. I think QR codes are unique in and of themselves as no two codes are the same.
Access control is defined as policy-driven control of access to systems, data, and dialogues. It can include physical barriers, passwords, and biometrics. Access controls have three functions, which are authentication, authorization, and auditing.
Authentication is the process of evaluating and confirming the identity of an individual that has permission to use that resource. Individuals requesting access will be the supplicant and the person providing the admission would be the verifier. Some forms of credentials used for identification can be a password, biometrics, and more.
Since technology is becoming more advanced, different forms of authentication must be used to assess the identity of the individual such as access cards, tokens, biometric authentication, and cryptographic authentication. One that is increasingly popular, and I personally use is multifactor authentication. The chapter describes it’s not as strong as it may seem because it doesn’t protect against phishing sites/man-in-the-middle attack/ and trojan horses. I think that’s interesting because each form of authentication may have some downfalls, authentication will have to continuously advance along with technology,
Hi, Mei. Technology is changing every day. The authentication needs to make more complicated so that people cannot break the system easily. If a company combines these different forms of authentication, such as access cards and fingerprints, the attackers will not be too easy to get into the system by using either one access method.
The central authentication servers section stood out to me. Many large companies use what is called a AAA server. The triple A’s stand for authentication, authorization, and accounting. This is a network server used for access control. Authentication identifies the user by username and password. Authorization implements policies that determine which resources and services a valid user may access. Accounting keeps track of time and data resources used for billing and analysis.Often times a RADIUS server does this job. This is generally performed by a RADIUS server. When a RADIUS server is used, the device the user connects to is called the authenticator. When a user sends credentials to any authenticator, the authenticator passes the credentials on to the RADIUS server. The RADIUS server checks the credentials and sends a message back to the authenticator. This message tells the authenticator whether the user’s credentials were verified.
The biggest takeaway from this chapter for me was the biometric security. While there are many ways to provide users access, this feature is one of few that is virtually impossible to lose. Passwords can be forgotten and cards, badges or wearable devices can be lost, but a retina scan, fingerprint, or FaceID scan can be accessed at any time and is rare in producing a failed result. As we have seen as the years have gone on more devices are being equipped with these features in the sense that they simplify the amount of things needed to be remembered all the while not forfeiting strength of security. This is an example through the consumer side, however this can be implemented into organizations to secure buildings, physical server rooms and even computer documents.
Great post. As biometric technology continues to grow, I would imagine biometric authentication will become more accurate and reduce the percentage of false acceptance and false rejection rate. In my mind, false acceptance rate is the most dangerous aspect of this technology. A way to differentiate a real fingerprint versus a fingerprint lifted from an object will big a huge milestone for biometric systems.
One of the key points I learned from this chapter is that of the three forms of access control in the corporate security industry, role-based access control is the most common type of demand for access control systems because it is easy to use, cheap, and less error-prone. Access permissions are assigned based on individual roles in the organization, which is cheaper than assigning access control rules to individual accounts individually. This type of access control makes it easier for organizations to apply access control rules, because only the system administrator is the person authorized to assign access rights to various positions. In addition, role-based access control can reduce the risk of errors, because most privileges are determined by restrictions on job responsibilities.
Hi wenyao,
I agree with you that role-based access control is efficient and cost-effective. Once the user is assigned the appropriate role, the user has all the operation permissions of this role. The advantage of this is that there is no need to assign permissions every time a user is created, as long as the user is assigned the corresponding role, and the role’s permission change is much less than the user’s permission change, which will simplify the user’s permission Management, reduce system overhead.
The key points that I take from this chapter is password part. The password is the most common control in the access control, Due to the large number of threats that face reusable passwords, companies need to have strong password policies. Good password policies help stop attackers from taking advantages of the inherent weaknesses associated with using reusable passwords. Security professionals need to test both how passwords are being used and the strength of the passwords themselves. Regular auditing will verify that password policies are being followed and that the organization is protected. Password Duration Policies also should require the frequent changing of passwords. User passwords should be changed perhaps every 90 days. This way, if an attacker learns a password, he or she will only be able to use it for a limited time. Crucial passwords should be changed more frequently. In addition, users should be forbidden from reusing
an older password for the account to prevent a user from cycling through a handful of passwords.
Passwords are the most common type of access control and because of this, policies around password management is vital to an organization. There are two types of passwords: reusable and one-time. A reusable password can be used for weeks or months whereas a one-time password is used once. Password Policies can stop attackers from exploiting the weaknesses of a reusable password. Additionally, password requirements can help create strong passwords that cannot be easily cracked. The book provides an example of strong password requirements such as minimum length with at least 8 characters long, and at least one upper case, lower case, digital and non-alphanumeric character. Furthermore, reusable passwords should be required to be changed every 90 days. This help mitigate risk if passwords were compromised.
Hi, Anthony, I totally agree with your points. The password duration Policies also should require the frequent changing of passwords. User passwords should be changed perhaps every 90 days. because in this way, if an attacker learns a password, he or she will only be able to use it for a limited time.
This chapter highlights various access controls methods. An access control method that stood out to me was Biometrics. Biometric Authentication refers to security processes that verify a user’s identity through unique biological traits such as retinas, irises, voices, facial characteristics, and fingerprints. Biometrics is by far the most effective form of authentication due to the information being only related to a single individual. Most authentication systems using biometrics pair it with a Something you know (Password or PIN)
One of the most up and coming method of authentication is biometrics. With the increased hacking of passwords and vulnerabilities, biometrics seems to be a clear way to future. Based on biological measurements , biometrics are difficult, albeit not impossible to replicate, forget or destroy. While it is important to obtain a “template” of your biometrics, it is important to only rely on key features to build that template (eg relative locations of fingerprints, loops, arches etc). Issues with this type of authentication are error and deception rate. Error rate relies on FAR or False Acceptance rate which is the rate of false acceptances of the total access attempts. FRR is False rejection rate in which the actual person is rejected. Failure to Enroll is another caveat of biometrics. This occurs when a system will not enroll a user which happens when there is difficulty obtaining fingerprints due to other circumstances.
The point I have taken from this chapter is biometric authentication.
Biometrics refers to a technology that uses human biological characteristics for identity authentication. To be more specific, biometric identification technology is the close combination of computers with high-tech methods such as optics, acoustics, biosensors, biostatistics, and the human body’s inherent physiological characteristics and behavioral characteristics to identify personal identity.
The biometric system is a feature template that samples biological features, extracts their unique features, converts them into digital codes, and further combines them. When people interact with the recognition system for identity authentication, the recognition system obtains their characteristics. It compares them with the characteristic templates in the data to determine whether they match and then decide to accept or reject the person.
Hi Zibai, a biometric system is really a new way to enhance security and provide an extra layer of defense to the security. it is a feature template that samples biological features, extracts the unique feature, and converts them into digital codes.
Hi Zibai,
I agree that this is an interesting aspect of biometrics. We can see many fakes and can easily disguise them as real things. Therefore, I think it is only a matter of time before these practices are applied to real life. Users are willing to use biometric technology to avoid the function of remembering many passwords, and Data becomes more available and vulnerable to breaches and identity theft.
Access control is the policy-driven control of access to systems, data, and dialogues. The one key point I noticed is about password, which is the most common access control in daily life.
The attacker can use password-cracking programs on the server to crack passwords. These programs can try thousands of possible account name or password combinations per second automatically until the passwords was crack. Another way to crack passwords is copy the password file to get physical access.
Organizations usually implement a strong password policies to defend threats. For example, set complexity requirements; prevent users from choosing previously used passwords; change passwords periodically and perhaps frequently. The strong password policy is the front line of defense to protect organizations’ assets, which can increase computer security by encouraging users to create reliable, secure passwords and then store and utilize them properly.
Hi Xinyi, I agree passwords are extremely important in access controls. As technology advances and simple passwords become easily cracked, MFA is often leveraged. By using a combination of what you have, what you know, and what you are, it offers a heavier layer of protection against unauthorized users.
Access control is the policy-driven control of access to systems, data, and dialogues. This chapter talks about various ways to control access, including physical barriers, passwords, and biometrics. Access controls have three functions which are authentication, authorizations, and auditing (AAA). This chapter mainly focuses on authentication such as what you know, what you have, who you are, and what you do. One authentication method that was interesting to read about is multilevel security. Military and national security organizations have a multilevel security that rate documents by sensitivity. There are several levels of classification such as secret, top secret, sensitive but unclassified, and public. Individuals should be granted appropriate clearances before they can access classified information. Individuals who have earned a confidential clearance are authorized to see confidential documents, but they are not trusted to look at secret or top secret information any more than any member of the general public.
Hello Ranu,
In most organizations, access control is an essential part of security. They help to authenticate and authorize individuals to access information that they are allowed to view or use. Without them, unauthorized access to physical or logical systems cannot be restricted. It is important to conduct regular governance, risk, and compliance reviews to ensure that appropriate access controls work. Thank you for highlighting such an important topic.
By definition, access control is a policy driven control of access to systems, data and conversations. There are many ways to control access, including physical barriers, passwords and biometrics. Access control is a technology used in almost all systems, including computer system and non computer system. Access control is a technology that restricts the access to some information items or the use of some control functions according to the user’s identity and a definition group. For example, the principle of uninac network access control system is based on this technology. Access control is usually used by system administrators to control users’ access to servers, directories, files and other network resources.
The one thing that I find interesting is two factor authentication may not be useful in certain situations. According to the chapter, Bruce Schneier has noted that Trojan Horses and min in the middle attacks can negate the strength of two-factor authentication. First, if a client PC is infected with a Trojan Horse, the Trojan hose can send transactions when a user has already authenticated himself or herself to an e-commerce site. If a user’s computer is compromised, two-factor authentication means nothing. Second, two-factor authentication often can be defeated with a man-in-the-middle attack. If a user logs into a fake banking website, the fake site can act as a silent go-between to the real banking website. After the user successfully authenticated, the fake website can execute transactions of its own on the real website. Therefore many companies have multi factor authentication process to prevent these situations.
These are good points as well often see two factor being used more commonly with financial sites, education and healthcare. They are being leveraged due to their security but like you said these cans till be thwarted. It is important for people to make sure they go to the correct website, rather than click unknown email links and verifying these sites with the certification that is shown in the URL on new devices. If soon these become unusable, do you have a suggestion to what would be next?
Access control techniques used to prevent unauthorized access to any resource so that a computer system can be used within legal limits. A technique that restricts access to certain items of information or the use of certain control functions by referring to the identity of a user and the defined group to which the user belongs. For example, the principle of the UNINAC network access control system is based on this technique. The main purpose of access control is to restrict the access of the subject to the object, so as to ensure that the data resources can be effectively used and managed within the legal scope. In order to achieve the above purpose, access control needs to accomplish two tasks: to identify and confirm the user who accesses the system, and to determine what type of access the user can make to a system resource. Access control consists of three elements: subject, object and control strategy.
One key takeaway from this week’s chapter about access control, is the portion on directory servers, specifically the active directory domains (AD). Most organizations use some form of AD to manage identity and to provide authentication information. The AD is also used to mange the role and group the end user is a part of. Managing the AD is extremely important in security. Hackers will often attack the AD and attempt to gain access. Once there, if they can escalate privileges, they could alter any user’s data and manage the role and groups of the organization. AD’s must be protected at all times within many layers of defense. The AD often goes through auditing more frequently and you can buy special software or tools to help monitor and manage the AD to help prevent security issues.
I agree with your assessment that Active Directory is a heavily used identity and authorization security platform. A high risk function within AD is access to domain controllers. With the right identity and group architecture, access to the domain controllers can be limited, to break glass accounts used only to grant or revoke access to lower privileged administrative accounts..
From this chapter, we learn that access control is a method to allow or deter groups from getting information from a system. Some of these controls include a password system, biometric authentication, and even physical barriers. I’ve been more and more interested in specifically multi-factor authentication methods when using passwords. Most sites with password systems implement at least two-factor authentication, but even that is vulnerable. Two methods were described in the chapter on how 2FA can be defeated. If a user is logged on a client PC, and that PC gets a Trojan horse, that Trojan horse can do all sorts of damage to a network because the user was logged in. The other method described was a man-in-the-middle attack. This attack can be a spoofed login portal to gain information, and then the attacker can use that information to then log in to the real site and potentially cause damage. This is why the key takeaway from this chapter is using multi-factor authentication to have many ways to log in that is personal to you.
2FA is almost becoming too cumbersome but it is necessary in order to verify the end user. At work, we discontinued the use of SMS and went to push notifications instead. It was found the SMS messages were able to be intercepted and MiTM attacks could take place. Hopefully MFA with push notifications is around for a while and we won’t have to do too much in order to verify our ID in the future.
Something I learned from this week’s reading was how military and National Security Organizations apply access controls. Documents in the military and NSOs can be accessed based on a person’s security clearance. There are four levels of security clearance, public, sensitive but unclassified, secret and top secret. Based on the level of security associated with the document, individuals may or may not be able to access documents either physically or electronically. There are two types of access controls, mandatory and discretionary. Mandatory are controls where no departmental or personal individuals have the ability to alter access control rules set by higher authority. In the case of the US government, the president determines what information is secret and top secret and no agency of the US government can override that determination. Discretionary access controls are rules that can be set at a departmental or personal level. Basically the documents and people are classified according to clearance levels, only those with the same or higher level clearance can access documents at the same level.
Great post! I really like that your take away led you to this area. I especially like the part about the President designating what is secret vs tope secret. although it begs the question: What of those “top secret” things that even the President is not privy to? Who designates that as “need to know only” from the President?
Two-factor authentication helps companies manage their users securely while they log in to their accounts. Although the admin can require users to set up a complicated password, including numeric, text form, and specific symbol, the two-factor authentication consolidates the defense. For example, the user needs to enter both password and PIN to log in to the system. Some apps require the user to log in to another device by scanning the QR code, or the user will receive a one-time code, which will expire in one minute. In doing this, the companies can reduce the number of unauthorized users to log in to the system. If the attacker uses man-in-the-middle, the two-factor authentication cannot defensively execute login, especially, the banking industry. Thus, it can improve the security, but it may be defeated with occurring the man-in-the-middle attack.
Hi Cami,
I agree that two-factor authentication should be a mandatory step for accounts nowadays. I don’t believe I’ve ever seen a QR code method, but that sounds unique enough as you need your phone to scan and generate the code. I think QR codes are unique in and of themselves as no two codes are the same.
Access control is defined as policy-driven control of access to systems, data, and dialogues. It can include physical barriers, passwords, and biometrics. Access controls have three functions, which are authentication, authorization, and auditing.
Authentication is the process of evaluating and confirming the identity of an individual that has permission to use that resource. Individuals requesting access will be the supplicant and the person providing the admission would be the verifier. Some forms of credentials used for identification can be a password, biometrics, and more.
Since technology is becoming more advanced, different forms of authentication must be used to assess the identity of the individual such as access cards, tokens, biometric authentication, and cryptographic authentication. One that is increasingly popular, and I personally use is multifactor authentication. The chapter describes it’s not as strong as it may seem because it doesn’t protect against phishing sites/man-in-the-middle attack/ and trojan horses. I think that’s interesting because each form of authentication may have some downfalls, authentication will have to continuously advance along with technology,
Hi, Mei. Technology is changing every day. The authentication needs to make more complicated so that people cannot break the system easily. If a company combines these different forms of authentication, such as access cards and fingerprints, the attackers will not be too easy to get into the system by using either one access method.
The central authentication servers section stood out to me. Many large companies use what is called a AAA server. The triple A’s stand for authentication, authorization, and accounting. This is a network server used for access control. Authentication identifies the user by username and password. Authorization implements policies that determine which resources and services a valid user may access. Accounting keeps track of time and data resources used for billing and analysis.Often times a RADIUS server does this job. This is generally performed by a RADIUS server. When a RADIUS server is used, the device the user connects to is called the authenticator. When a user sends credentials to any authenticator, the authenticator passes the credentials on to the RADIUS server. The RADIUS server checks the credentials and sends a message back to the authenticator. This message tells the authenticator whether the user’s credentials were verified.
The biggest takeaway from this chapter for me was the biometric security. While there are many ways to provide users access, this feature is one of few that is virtually impossible to lose. Passwords can be forgotten and cards, badges or wearable devices can be lost, but a retina scan, fingerprint, or FaceID scan can be accessed at any time and is rare in producing a failed result. As we have seen as the years have gone on more devices are being equipped with these features in the sense that they simplify the amount of things needed to be remembered all the while not forfeiting strength of security. This is an example through the consumer side, however this can be implemented into organizations to secure buildings, physical server rooms and even computer documents.
Hi Austin,
Great post. As biometric technology continues to grow, I would imagine biometric authentication will become more accurate and reduce the percentage of false acceptance and false rejection rate. In my mind, false acceptance rate is the most dangerous aspect of this technology. A way to differentiate a real fingerprint versus a fingerprint lifted from an object will big a huge milestone for biometric systems.
One of the key points I learned from this chapter is that of the three forms of access control in the corporate security industry, role-based access control is the most common type of demand for access control systems because it is easy to use, cheap, and less error-prone. Access permissions are assigned based on individual roles in the organization, which is cheaper than assigning access control rules to individual accounts individually. This type of access control makes it easier for organizations to apply access control rules, because only the system administrator is the person authorized to assign access rights to various positions. In addition, role-based access control can reduce the risk of errors, because most privileges are determined by restrictions on job responsibilities.
Hi wenyao,
I agree with you that role-based access control is efficient and cost-effective. Once the user is assigned the appropriate role, the user has all the operation permissions of this role. The advantage of this is that there is no need to assign permissions every time a user is created, as long as the user is assigned the corresponding role, and the role’s permission change is much less than the user’s permission change, which will simplify the user’s permission Management, reduce system overhead.
The key points that I take from this chapter is password part. The password is the most common control in the access control, Due to the large number of threats that face reusable passwords, companies need to have strong password policies. Good password policies help stop attackers from taking advantages of the inherent weaknesses associated with using reusable passwords. Security professionals need to test both how passwords are being used and the strength of the passwords themselves. Regular auditing will verify that password policies are being followed and that the organization is protected. Password Duration Policies also should require the frequent changing of passwords. User passwords should be changed perhaps every 90 days. This way, if an attacker learns a password, he or she will only be able to use it for a limited time. Crucial passwords should be changed more frequently. In addition, users should be forbidden from reusing
an older password for the account to prevent a user from cycling through a handful of passwords.
Passwords are the most common type of access control and because of this, policies around password management is vital to an organization. There are two types of passwords: reusable and one-time. A reusable password can be used for weeks or months whereas a one-time password is used once. Password Policies can stop attackers from exploiting the weaknesses of a reusable password. Additionally, password requirements can help create strong passwords that cannot be easily cracked. The book provides an example of strong password requirements such as minimum length with at least 8 characters long, and at least one upper case, lower case, digital and non-alphanumeric character. Furthermore, reusable passwords should be required to be changed every 90 days. This help mitigate risk if passwords were compromised.
Hi, Anthony, I totally agree with your points. The password duration Policies also should require the frequent changing of passwords. User passwords should be changed perhaps every 90 days. because in this way, if an attacker learns a password, he or she will only be able to use it for a limited time.
This chapter highlights various access controls methods. An access control method that stood out to me was Biometrics. Biometric Authentication refers to security processes that verify a user’s identity through unique biological traits such as retinas, irises, voices, facial characteristics, and fingerprints. Biometrics is by far the most effective form of authentication due to the information being only related to a single individual. Most authentication systems using biometrics pair it with a Something you know (Password or PIN)
One of the most up and coming method of authentication is biometrics. With the increased hacking of passwords and vulnerabilities, biometrics seems to be a clear way to future. Based on biological measurements , biometrics are difficult, albeit not impossible to replicate, forget or destroy. While it is important to obtain a “template” of your biometrics, it is important to only rely on key features to build that template (eg relative locations of fingerprints, loops, arches etc). Issues with this type of authentication are error and deception rate. Error rate relies on FAR or False Acceptance rate which is the rate of false acceptances of the total access attempts. FRR is False rejection rate in which the actual person is rejected. Failure to Enroll is another caveat of biometrics. This occurs when a system will not enroll a user which happens when there is difficulty obtaining fingerprints due to other circumstances.