Dan Xu says
After reading this chapter, I realized that the company must develop a security plan for each sensitive resource, because passwords alone are not enough to ensure the security of enterprise data. In addition to the importance of creating strong passwords, different password policies are required against cracking programs run on a computer to crack its passwords, or run on a downloaded password file. On the other hand, as enterprises find that more and more authentication technologies must be used, authentication methods of appropriate strength can be selected given the risks associated with enterprise resources. While two-factor authentication provides defense in depth, it can often be defeated by man-in-the-middle attacks. For example, victims often log on to fake banking websites, leaking information and causing losses.
On the other hand, I learned that access control has three functions: authentication, authorization and auditing. Authentication is the process of assessing the identity of each individual claiming the right to use a resource. Authorizations are the specific permissions that a particular authenticated user should have, given his or her authenticated identity. Violations of authentication and authorization policies are detected through auditing.
zijian ou says
Hi Dan,
I agree the company must develop a security plan, because the ultimate goal of security management planning is to create a security policy that it will implement and enforce. The beauty of a security policy is that it provides clear direction for all employees in the organizational structure.
kofi bonsu says
Hello Dan,
I like your post very much because you were able to explain how your company was able to develop an authentic security plan for each sensitive resource. But at its core, access control is a method of electronically limiting entry to certain locations in order to improve security and better manage employee and visitor access at single or multiple sites. Hence, access control has developed beyond this traditional security viewpoint. For example, modern systems increase operational efficiencies and reduce costs by enabling integration with a large variety of workforce products and solutions.
kofi bonsu says
Access control is modernizing security for businesses everywhere. As companies develop and expand their frontiers, it becomes vitally important for them to develop complex security systems that are still easy to use. Access control can solve these issues and streamline daily processes that often cause unnecessary headaches in the workplace. Hence, access control is often regarded as the policy-driven control of access to systems, data, and dialogues. The one noticeable major point I found in the article is the password, which seems to be the most prevalent access control in daily life; this means that a hacker can use password-cracking applications on the server to find out passwords. These applications can try thousands of possible account name and password combinations within seconds until the password is cracked. Another notable method used by hackers to crack passwords is simply to copy the password file after gaining physical access to the organization’s information. More often than not, organizations implement strong password policies to fend off any unnecessary threats within their environment. That being said: set complexity requirements; prevent users from reusing previously used passwords; change passwords periodically and sometimes frequently. A strong password policy is the front line of defense for an organization’s assets; it can boost computer security by motivating users to create reliable, secure passwords, store them safely and use them properly, in order to achieve confidentiality, integrity and availability within an organizational business environment.
Dhaval Patel says
One thing I took away from this chapter is that two-factor authentication may not be as secure as it is made out to be. Yes, it is more secure than a password alone, but a trojan horse or man-in-the-middle attack can harm the strength of two-factor authentication. This is to say that defense in depth is an important concept, and applying different layers of access can help. Providing role-based access controls can limit what individuals can do, and placing physical access restrictions provides assurance that only authorized individuals will have access to, say, a data center or high-security buildings. As mentioned, passwords alone are not enough, and biometric authentication is an up-and-coming form of password replacement, as it allows you to gain access using biological measurements. I recall a few years back Microsoft had said they were planning to move to full biometric authentication as it is more secure and removes the hassle of remembering and updating your passwords; however, the error rate and deception rate remain a concern.
Madalyn Stiverson says
The principle of least privilege is a key component of access control. You should only have access to a system or data if it is critical to your job function. If someone requests additional access, the request should be considered carefully.
Authentication is one method of assuring that only those who should have access to a system are gaining access. By utilizing MFA – something you know, something you are, something you have – you can increase the difficulty for a hacker to wrongfully gain access to your network.
Victoria Zak says
Madalyn,
Regulators are hitting organizations extremely hard on least privileged accounts needing to have MFA. Having MFA implemented will help further protect data from the risks associated with compromised credentials. Additionally, least privileged accounts help companies bolster their defenses by supporting the CIA triad and reducing the attack surface, which will decrease the company’s risk.
zijian ou says
After reading this chapter, I think two-factor authentication is critical. Two-factor authentication can be explained as something you know (a password) and something you have (a smartphone or other authorized device). In most realistic situations, you will log into a website using a regular login and then enter a verification code when prompted. The verification code can be generated in various ways (more on this later) and changes every 30 seconds. By enabling dual authentication on sites that support it, hackers will not be able to log in using only your username and password. To access the current captcha, they will need access to your dual-authentication database.
Vraj Patel says
Hello Zijian,
Two-factor authentication is for sure one of the best ways to secure user accounts. Time-based one-time password (TOTP) does seem to be the best method to use, as the code expires if it is not used within a predefined time. Along with that, there are also other methods, such as using an authenticator app (Duo Mobile) for multi-factor authentication.
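The two posts above describe the rotating 30-second code and name TOTP as the mechanism behind it. The following is an added example, not code from the course text or from any vendor such as Duo: a minimal RFC 4226 (HOTP) and RFC 6238 (TOTP) implementation with the server-side check that makes an unused code expire. The secret is the public test-vector seed from those RFCs, so it is a constructed demo value only; the step size, digit count and skew window are the usual defaults, not anything the posts specify.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the shared seed from the RFC 4226 / RFC 6238 test
# vectors. It is public knowledge, so it must never be used as a real key.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # the 30-second rotation mentioned in the discussion
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation to 31 bits, then modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_step(at: Optional[float] = None, step: int = STEP_SECONDS) -> int:
    """Counter used by TOTP: whole steps elapsed since the Unix epoch."""
    if at is None:
        at = time.time()
    return int(at // step)


def totp(secret: bytes, at: Optional[float] = None, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the time step as counter.
    The authenticator app and the server derive the same code from the shared
    secret and the clock; only the code itself ever crosses the network."""
    return hotp(secret, time_step(at, step), digits)


def verify_totp(secret: bytes, candidate: str, at: Optional[float] = None,
                step: int = STEP_SECONDS, digits: int = DIGITS, window: int = 1) -> bool:
    """Server-side check. The current step plus `window` steps on either side are
    accepted to tolerate clock skew; a code from an older step has expired.
    hmac.compare_digest avoids leaking which digits matched through timing."""
    if not (candidate.isdigit() and len(candidate) == digits):
        return False
    current = time_step(at, step)
    return any(
        hmac.compare_digest(hotp(secret, counter, digits), candidate)
        for counter in range(current - window, current + window + 1)
    )


def provisioning_secret(secret: bytes) -> str:
    """Authenticator apps are normally enrolled with the secret encoded as base32."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    print("enrol with:", provisioning_secret(DEMO_SECRET))
    print("code at t=59  :", totp(DEMO_SECRET, at=59))          # RFC 6238 vector: 287082
    print("valid at t=89 ?", verify_totp(DEMO_SECRET, "287082", at=89))
    print("valid at t=150?", verify_totp(DEMO_SECRET, "287082", at=150))
```

The expiry the reply refers to is visible in `verify_totp`: the code generated at t=59 (step 1) is still accepted at t=89 because step 1 is inside the skew window, but at t=150 (step 5) it is rejected. A real server should also record the last accepted step per user so a code cannot be replayed within the window.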
Patrick Jurgelewicz says
One takeaway I took from this chapter is the rise of biometric authentication methods, and the complexities that come with them. As consumers, we tend to be most familiar with fingerprint and facial recognition. Fingerprint recognition is simple and inexpensive; however, it can be defeated by a determined enough hacker, therefore it is sufficient for low-risk applications. Facial recognition is similar in its ease of use, yet can yield high error rates even without deception. Iris recognition tends to be the gold standard of biometric authentication, as the iris is the most unique part of the body and therefore the authentication yields low false acceptance rates, but unfortunately this technology is very expensive.
Another interesting concept is how to deal with false acceptance rates and false rejection rates. Typically, a false acceptance means a security violation while a false rejection is an inconvenience; however in the example of a terrorist watchlist, a false rejection would be the security violation. This reminds me of doors locking off a server room, where open-on-failure could mean a trespasser can gain access, but closing-on-failure could trap a person inside a building in an emergency. It is important to consider error rates and how to best deal with them in different circumstances.
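The post above makes the point that which error counts as the security violation depends on the application, so the matching threshold should be chosen per deployment rather than once. The following is an added example, not from the chapter or the poster: it computes false acceptance and false rejection rates over constructed similarity scores and picks the operating point according to which error is the violation. The score lists, thresholds and function names are all assumptions made for this illustration.

```python
# Constructed similarity scores in [0, 1]; higher means the live sample looks
# more like the enrolled template. Not measured from any real sensor.
GENUINE  = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.86, 0.70, 0.93, 0.84]  # rightful user
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.61, 0.30, 0.55, 0.41, 0.18, 0.73]  # other people
THRESHOLDS = [0.5, 0.6, 0.7, 0.8, 0.9]


def false_acceptance_rate(threshold, impostor=IMPOSTOR):
    """Share of impostor attempts scoring at or above the threshold (wrongly let in)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def false_rejection_rate(threshold, genuine=GENUINE):
    """Share of genuine attempts scoring below the threshold (wrongly turned away)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(thresholds=THRESHOLDS, genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FAR, FRR) for every candidate threshold."""
    return [(t, false_acceptance_rate(t, impostor), false_rejection_rate(t, genuine))
            for t in thresholds]


def choose_threshold(violation, limit, thresholds=THRESHOLDS,
                     genuine=GENUINE, impostor=IMPOSTOR):
    """Pick the operating point according to which error is the security violation.
    'acceptance' (server-room door): FAR must not exceed `limit`; among thresholds
        that satisfy it, take the lowest so FRR (inconvenience) stays smallest.
    'rejection' (watchlist): FRR must not exceed `limit`; among those thresholds,
        take the highest so FAR stays smallest.
    Returns None when no threshold meets the limit, i.e. the sensor is not good enough."""
    rows = sweep(thresholds, genuine, impostor)
    if violation == "acceptance":
        ok = [t for t, far, _ in rows if far <= limit]
        return min(ok) if ok else None
    if violation == "rejection":
        ok = [t for t, _, frr in rows if frr <= limit]
        return max(ok) if ok else None
    raise ValueError("violation must be 'acceptance' or 'rejection'")


def equal_error_threshold(thresholds=THRESHOLDS, genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FAR and FRR are closest: the usual single number used to
    compare biometric systems, but not necessarily the right operating point."""
    return min(sweep(thresholds, genuine, impostor), key=lambda r: abs(r[1] - r[2]))[0]


if __name__ == "__main__":
    for t, far, frr in sweep():
        print(f"threshold {t:.1f}: FAR {far:.2f}  FRR {frr:.2f}")
    print("door (no false acceptance allowed):", choose_threshold("acceptance", 0.0))
    print("watchlist (no false rejection allowed):", choose_threshold("rejection", 0.0))
    print("equal error threshold:", equal_error_threshold())
```

With these constructed scores the door policy lands on 0.8 (zero FAR, but one in five genuine users is rejected and needs a fallback), while the watchlist policy lands on 0.7 (zero FRR, at the cost of one in ten impostors being flagged). Same sensor, same data, different threshold, which is the poster's point.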
Dan Xu says
Hi Patrick,
I agree with what you said, as a consumer, what you know best is fingerprint and facial recognition. While the false acceptance rate produced by iris authentication is low, the technology is very expensive. Not all companies can afford the cost of this measure, which requires a lot of cost and effort to maintain.
Michael Jordan says
One key point that I took away from this chapter is the ongoing and likely progressing rise in using other authentication methods besides simple passwords, whether solo or combined (MFA). MFA that uses one-time codes sent to an email or cell phone is becoming an established baseline, but even this technology is not used everywhere and is becoming vulnerable to experienced hackers with a deep desire to get into specific systems. But MFA using something like RSA SecurID or biometric authentication is inherently more secure than the previously mentioned authentication methods, and even though these are not widely used, they are currently accessible on the public market. This chapter prompted me to think a little more about the future of authentication methods such as RSA SecurID and biometric authentication, and how large the potential for economic growth and technological development is in this area in order to serve organizations with moderate to high security categorizations for their buildings and systems.
Patrick Jurgelewicz says
Hey Michael, I was also surprised at the notion of a future without passwords. Password authentication is the most common form of authentication we are used to as consumers, and I know I am personally a bit uncomfortable with companies possibly removing passwords altogether. Just as passwords can be cracked, devices can be stolen and emails can be hacked, so I believe MFA is the best current alternative, rather than forgoing passwords altogether.
Kelly Sharadin says
Password management continues to be a difficult concept for many organizational employees. Weak passwords containing less than 12 characters or that utilize dictionary or common words can lead to domain compromise if an attacker has the time and resources to crack passwords (and they often do). To help mitigate password attacks, organizations must implement and enforce multi-factor authentication via a single sign-on portal. Additionally, routine auditing can assist in detecting brute force attempts and may even help identify weak passwords within the domain.
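The post above says routine auditing can surface brute-force attempts and weak passwords in the domain. The following is an added example, not code from the course or the poster: a small detector run over constructed sshd-style log lines that flags both a classic brute force (many failures from one source) and a password spray (one source trying one guess against many accounts, which per-account lockout never catches), plus a weak-password check using the post's own 12-character and dictionary-word criteria. The log lines, addresses, user names, thresholds and word list are all constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an sshd-like format; none of these hosts or users are real.
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd[1201]: Failed password for alice from 203.0.113.7 port 50100
2024-05-01T09:00:03 sshd[1201]: Failed password for alice from 203.0.113.7 port 50101
2024-05-01T09:00:05 sshd[1201]: Failed password for alice from 203.0.113.7 port 50102
2024-05-01T09:00:06 sshd[1201]: Failed password for alice from 203.0.113.7 port 50103
2024-05-01T09:00:08 sshd[1201]: Failed password for alice from 203.0.113.7 port 50104
2024-05-01T09:10:00 sshd[1310]: Failed password for bob from 198.51.100.9 port 41000
2024-05-01T09:10:09 sshd[1310]: Failed password for carol from 198.51.100.9 port 41001
2024-05-01T09:10:17 sshd[1310]: Failed password for dave from 198.51.100.9 port 41002
2024-05-01T09:10:26 sshd[1310]: Failed password for erin from 198.51.100.9 port 41003
2024-05-01T09:15:00 sshd[1402]: Failed password for bob from 192.0.2.5 port 38000
2024-05-01T09:15:12 sshd[1402]: Accepted password for bob from 192.0.2.5 port 38000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed mini word list standing in for a real cracking dictionary.
COMMON_WORDS = {"password", "welcome", "summer", "winter", "admin", "letmein"}


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match the pattern are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "ok": m["result"] == "Accepted",
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def detect_attacks(events, window=timedelta(seconds=60),
                   fail_threshold=5, spray_user_threshold=3):
    """Sliding-window detection per source address.
    brute_force: at least `fail_threshold` failures from one source inside the window.
    password_spray: one source failing against at least `spray_user_threshold`
    distinct accounts inside the window (each account sees only one failure)."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) for failures
    raised = set()                # (ip, kind) pairs already alerted, to avoid repeats
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ok"]:
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        users = {u for _, u in q}
        checks = [
            ("brute_force", len(q) >= fail_threshold),
            ("password_spray", len(users) >= spray_user_threshold),
        ]
        for kind, hit in checks:
            if hit and (ev["ip"], kind) not in raised:
                raised.add((ev["ip"], kind))
                alerts.append({"type": kind, "ip": ev["ip"], "users": sorted(users),
                               "failures": len(q), "at": ev["ts"].isoformat()})
    return alerts


def is_weak_password(pw, wordlist=COMMON_WORDS, min_length=12):
    """Weak by the post's criteria: under 12 characters, or built on a common word."""
    lowered = pw.lower()
    return len(pw) < min_length or any(w in lowered for w in wordlist)


if __name__ == "__main__":
    for alert in detect_attacks(parse_log(SAMPLE_LOG)):
        print(alert)
    for pw in ("Summer2024!", "Tq8#vL2m!Rz9pW"):   # constructed test values
        print(pw, "weak" if is_weak_password(pw) else "ok")
```

The third source in the sample (one failure followed by a success) raises nothing, which is the normal typo-then-retry pattern; a detector that fired on every single failure would bury the two real signals in noise. In production the same logic would run over the domain controller's authentication events rather than sshd lines, but the per-source sliding window and the distinct-user count are the same.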
Dhaval Patel says
Hi Kelly,
I agree weak passwords are one of the easiest ways an environment could be compromised. Adding two-factor authentication can greatly increase security; however, as we read in the chapter, enforcing two-factor may not be enough. A key point you mentioned is that multi-factor should be enforced. A prior employer of mine implemented MFA, but it was an optional measure: we didn’t have to use it if we didn’t want to, and so the lack of enforcement opened up vulnerabilities.
Antonio Cozza says
The three main elements of access control are AAA – which are authentication, authorization, and auditing. It is always important to adhere to the principle of least “permissions” / privilege when considering authorization. People should not be authorized to do more than solely what they need to do to accomplish their role in the organization. When followed, this principle will lead to failing safely if a failure occurs – security will not be affected as a result of the failure despite potential inconveniences. Auditing has much to do with logging and monitoring data, as well as legal requirements depending on the organization which may force log files and records to be retained for a certain time period. Central authentication is mainly done via RADIUS servers, but also by Kerberos in Windows environments.
Michael Jordan says
Antonio,
I agree with your viewpoint that the principle of least privilege should always be adhered to when considering authorization. I think one factor in why Active Directory is so widely used is because the configuration for least privilege authorization for users and groups in a network is a lot easier to configure and manage than in other software, especially those that use discretionary access control.
-Mike
Vraj Patel says
According to the reading, access control is defined as policy-driven control of access to systems, data, and dialogues. There are multiple ways to implement access control, such as physical or logical (passwords and biometrics). Access control has three functions: authentication, authorization, and auditing. Authentication is identifying the person that is requesting the information, to ensure that the person has permission to access that information, and providing access based on that. Authorization is the level of permission the user should have to access the information. Auditing logs the users’ activities in real time, which can be reviewed for any policy violation of the authentication or authorization process.
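Two posts above (Antonio's on AAA, least privilege and failing safely, and this one on the three functions of access control) describe the same pipeline in prose. The following is an added example, not code from the chapter or either poster: a toy service that authenticates against salted password hashes, authorizes through role-to-permission sets with deny as the default for anything not explicitly granted, and writes every decision to an audit log that can then be searched for violations. The roles, users, resources and demo passwords are constructed for the illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed policy: roles map to (action, resource) permissions. Anything not
# listed here is denied, which is the fail-safe default the discussion calls for.
ROLE_PERMISSIONS = {
    "analyst":  {("read", "tickets"), ("comment", "tickets")},
    "engineer": {("read", "tickets"), ("comment", "tickets"), ("modify", "firewall-config")},
    "auditor":  {("read", "tickets"), ("read", "audit-log")},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"engineer"}, "carol": {"auditor"}}

AUDIT_LOG = []   # kept in memory here; a real deployment ships this to a central log store


def _hash_password(password, salt, iterations=100_000):
    """Salted, iterated hash so a stolen credential file cannot simply be read off."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def enroll(password):
    """Store a per-user random salt and the derived hash, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed credential store; these demo passwords exist only for this example.
CREDENTIALS = {
    "alice": enroll("analyst-demo-pass-1"),
    "bob":   enroll("engineer-demo-pass-2"),
    "carol": enroll("auditor-demo-pass-3"),
}


def _audit(event, user, **details):
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "event": event, "user": user, **details})


def authenticate(user, password):
    """Authentication: does the claimant know the secret enrolled for this identity?"""
    record = CREDENTIALS.get(user)
    # Hash against a fixed salt for unknown users so timing does not reveal which
    # account names exist; the result is discarded either way.
    salt = record["salt"] if record else b"\x00" * 16
    computed = _hash_password(password, salt)
    ok = record is not None and hmac.compare_digest(computed, record["hash"])
    _audit("auth_success" if ok else "auth_failure", user)
    return ok


def authorize(user, action, resource):
    """Authorization: may this authenticated identity perform this action?
    Unknown users, unknown roles and unlisted permissions all fall through to deny."""
    allowed = any(
        (action, resource) in ROLE_PERMISSIONS.get(role, set())
        for role in USER_ROLES.get(user, set())
    )
    _audit("authz_allow" if allowed else "authz_deny", user,
           action=action, resource=resource)
    return allowed


def policy_violations(log=AUDIT_LOG):
    """Auditing: pull the failed logins and denied actions out of the log for review."""
    return [e for e in log if e["event"] in ("auth_failure", "authz_deny")]


if __name__ == "__main__":
    if authenticate("alice", "analyst-demo-pass-1"):
        print("alice may modify firewall-config?", authorize("alice", "modify", "firewall-config"))
    print("violations so far:", policy_violations())
```

Note that `authorize` never has an "allow" branch of its own: permission exists only if some role grants it, so a typo in a role name or a missing user record produces a denial and an audit entry rather than silent access. That is the failing-safely property the first post describes, and the audit trail is what lets the auditor role see that the denial happened.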
Kyuande Johnson says
This chapter highlights various access control methods. An access control method that stood out to me was biometrics. Biometric authentication refers to security processes that verify a user’s identity through unique biological traits such as retinas, irises, voices, facial characteristics, and fingerprints. Biometrics is by far the most effective form of authentication due to the information being related only to a single individual. Most authentication systems using biometrics pair it with something you know (a password or PIN).
Olayinka Lucas says
Upon completion of this chapter, the following came to mind. Multi-factor authentication is a security feature that increases the likelihood of virtual attacks trying to gain unauthorized access to sensitive information. It is beneficial for protecting those using weak passwords.
The authentication feature allows the user to access a particular application, account, or website only after providing two or more pieces of verification evidence. In short, it ensures that the person trying to log into a budget is the owner of that account.
Advantages of multi-factor authentication
1. Adds extra layer of security to the password.
2. Safeguards confidential information.
3. Meets regulatory requirements.
Disadvantages of multi-factor authentication
1. Locks the user out of the application or the account.
2. Cumbersome task.
3. Relies on third parties.
4. Not fully secure.
Lauren Deinhardt says
Thanks for your post, Olayinka. I like how you described the benefits and issues with using MFA in this case. When it comes down to it, cybersecurity serves the business and requires a balance between security and functionality. When implementing access control mechanisms such as MFA, it is important to consider both sides of the scale.
Lauren Deinhardt says
One key takeaway from this reading is the basis of the four methods of authentication. Authentication can occur by a user demonstrating knowledge (e.g. a password/passphrase), possession (e.g. an RSA token/key/fob), who they are (e.g. biometrics, such as a retina scan), and what a user does (such as how a passphrase is specifically pronounced). Overall, industry best practices encourage/enforce the usage of two-factor/multi-factor authentication, which uses a combination of the aforementioned authentication formats.
Victoria Zak says
After reading the chapter for this week, biometrics really interested me. Biometrics is biologically based authentication using features such as fingerprints, face, and even your hand. Some of us may use face recognition or our thumbprint to get into our personal devices.
As I posted in the news this week, biometrics ties back to Microsoft pushing for passwordless. One of the factors Microsoft is utilizing is face recognition or even an individual’s thumbprint instead of trying to remember your password.
The chapter made a good point. In the chapter, it says “if a person swipes his or her finger at different angles, raw scan files will be very different, but key features such as relative locations of loops, arches, and whorls in fingerprints will be the same or almost the same no matter how a finger is scanned.” Since Microsoft is pushing for passwordless, if biometrics fall through or there is an error, will we have passwords to fall back on?