kofi bonsu says
The question that I may be willing to discuss with my classmates with regard to security and managing facility access is how to select the right access control system, one that meets your business’ specific needs. This is so because there are many different types of access control systems available in the market today, such as standalone systems for one to four doors, mid-size systems that use single-factor authentication such as a keypad or proximity card, or large-scale systems that enable organizations to provide access to employees at multiple facilities in different states while using a single credential.
Madalyn Stiverson says
What’s the danger of using biometric data as a method of authentication?
Patrick Jurgelewicz says
Hey Madalyn, some dangers that come with using biometric data as a method of authentication are deception and unreliability. Fingerprint scanners using unsophisticated methods are frequently subject to deception, and facial recognition and voice recognition yield high error rates.
Kyuande Johnson says
Biometrics are inherently public, so someone could duplicate some traits from another person. For example, a criminal could lift a person’s fingerprint from a glass tabletop. Then, they can use this information to gain access to a device or account.
Antonio Cozza says
While biometric data is quite useful at times, and the third type of authentication factor, it does come with some downsides just like any other security implementation / mechanism. Biometric data is somewhat more challenging to duplicate or steal, but nonetheless, fingerprints can still be stolen off a surface if the attacker is near the target. Biometric data is also still stored in a database, which can be broken into like any other database. The most obvious downside is false positives; while biometric data is highly accurate in most cases, there are still false positives.
Victoria Zak says
Hi Madalyn,
Biometrics was the most interesting to me while reading the chapter for this week. The downfall of utilizing biometric data as authentication is a cybercriminal being able to track someone with or without their knowledge by using biometric data from public cameras. Additionally, voice recordings that are leaked from the device can put someone at risk as well.
kofi bonsu says
Hi Madalyn,
I like your question simply because accurate collection of biometric data is essential for its security as a method of authentication. From a practical standpoint, incorrectly capturing data can result in access problems down the line.
Dhaval Patel says
What are some of the pros and cons of log files, and what might be considered best practices for log file retention?
Kelly Sharadin says
Hi Dhaval,
Pros of logging would be increased visibility for cyber defense. Critical logs an organization should enable include firewall, auditing, host-based (Windows Event and Auditd), and web servers. These are key areas in which an organization must have visibility. Enabling logging assists security professionals with investigations, e-discovery, and even network troubleshooting.
The most notable cons of logging are the increased costs and employee overhead resulting from ingesting and storing logs. Organizations acquire gigs of log data that an analyst must parse through. If there is no SIEM in place to help centralize and automate, logging becomes unfeasible for analysis.
Antonio Cozza says
Pros of log files are that they help organizations track the relevant data that they would want to be retained, assuming they have established logging in a reasonable way. They also help ensure that organizations are in compliance with the regulations relevant to the business type and location. Most obviously, log files are used as needed for analyzing whatever type of data is deemed important at that time; for example, an organization can observe network traffic logs to understand what types of attacks may be targeting it.
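As an added illustration of the last point above (analyzing network traffic logs to see what is targeting you), the snippet below parses a handful of constructed firewall deny lines and flags a source that was dropped on many distinct ports, the usual footprint of a port scan. This is example code written for this page, not code from the discussion or from any firewall product; the log format is an assumption loosely modelled on iptables-style kernel messages, and the five-port threshold is likewise assumed.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real traffic). The format is assumed, modelled
# loosely on iptables-style kernel log messages:
# <timestamp> <host> kernel: <action> SRC=<ip> DST=<ip> PROTO=<proto> DPT=<port>
SAMPLE_LOG = """\
Jan 10 03:00:01 fw1 kernel: DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=22
Jan 10 03:00:01 fw1 kernel: DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=23
Jan 10 03:00:02 fw1 kernel: DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=80
Jan 10 03:00:02 fw1 kernel: DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=443
Jan 10 03:00:03 fw1 kernel: DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=3389
Jan 10 03:00:03 fw1 kernel: DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=8080
Jan 10 03:05:10 fw1 kernel: DROP SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP DPT=445
Jan 10 03:05:11 fw1 kernel: DROP SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP DPT=445
Jan 10 03:06:00 fw1 kernel: ACCEPT SRC=192.0.2.99 DST=198.51.100.10 PROTO=TCP DPT=443
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\skernel:\s(?P<action>DROP|ACCEPT)\s"
    r"SRC=(?P<src>[\d.]+)\sDST=(?P<dst>[\d.]+)\sPROTO=(?P<proto>\w+)\sDPT=(?P<dpt>\d+)$"
)


def parse(log_text):
    """Return a list of dicts for well-formed lines; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dpt"] = int(rec["dpt"])
            records.append(rec)
    return records


def denied_ports_by_source(log_text):
    """Map each source IP to the set of destination ports the firewall dropped."""
    ports = defaultdict(set)
    for rec in parse(log_text):
        if rec["action"] == "DROP":
            ports[rec["src"]].add(rec["dpt"])
    return dict(ports)


def likely_scanners(log_text, min_ports=5):
    """Sources dropped on at least `min_ports` distinct ports (threshold is assumed)."""
    return sorted(src for src, ports in denied_ports_by_source(log_text).items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    for src, ports in denied_ports_by_source(SAMPLE_LOG).items():
        print(f"{src}: {len(ports)} distinct denied ports {sorted(ports)}")
    print("likely scanners:", likely_scanners(SAMPLE_LOG))
```

Run as a script it prints one line per source and names 203.0.113.7 as the likely scanner; the repeated hits on port 445 from 192.0.2.44 are a different pattern (one service being retried) and are not flagged by this rule. In a real SIEM the same logic would run as a scheduled search over the firewall index rather than over an inline string.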
zijian ou says
How to audit password?
Vraj Patel says
Hello Zijian,
There are multiple tools that can help audit the passwords such as RainbowCrack, Cain and Abel, and Wfuzz. These tools can be used to check for any weak or common password used by the user.
Kyuande Johnson says
There is a list of tools that can be utilized when auditing passwords.
Examples:
– Rainbow Crack
– Wfuzz
– Cain and Abel
– THC Hydra
– Ncrack
Antonio Cozza says
There are multiple ways to audit a password. Some password cracking / audit tools are included in penetration testing products like Kali Linux through software like Cain and Abel, John the Ripper for network authentication mainly, and for web applications through OWASP ZAP or Burp Suite. Administrators can also enforce security controls in an environment like Windows AD which force users to establish a password that meets certain minimum criteria, which help the strength of a password to an extent. The same can be done in Linux by editing the pam or /etc/login.defs files.
Victoria Zak says
Hi Zijian,
As Chapter 5 mentions, one of the ways to audit a password is to look at the credentials as a hacker. Would you be able to crack the code? The password strengths must be implemented and utilized. Password lengths must be at least 12 characters long, with one uppercase and lowercase letter, numbers, and a special character. You can utilize special software and tools such as Active Directory Weak Password Finder or RainbowCrack, Wfuzz.
Madalyn Stiverson says
Hi Zijian,
One important aspect of making sure your organization has strong passwords is by implementing a password policy. You should add rules so passwords need to meet a minimum length and complexity. You can also implement policies where passwords have to be a certain percentage different from the previous passwords.
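To make the two halves of this thread concrete (audit the stored hashes the way a cracker would, and enforce the policy rules described above), here is a small self-contained example. It is code written for this page, not code from the discussion and not any of the tools named in it. The "credential store", wordlist and salts are constructed; the hash is PBKDF2-HMAC-SHA256 with a deliberately low iteration count so the demo runs quickly, standing in for whatever a real system stores (sha512crypt, bcrypt, NTLM). The 12-character minimum and four character classes are the rules quoted above; the 50% "different from previous" figure is an assumed value for the percentage rule Madalyn mentions.

```python
import difflib
import hashlib
import string


def hash_password(password, salt, iterations=10_000):
    """Demo hash: PBKDF2-HMAC-SHA256. Iteration count kept low only for speed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def _make_entry(user, password):
    salt = f"salt-{user}".encode()          # fixed salt so the demo is deterministic
    return salt, hash_password(password, salt)


# Constructed credential store: user -> (salt, hash). Not real accounts.
_STORE_PLAINTEXT = {
    "alice": "Winter2023!",                       # common pattern, in the wordlist
    "bob": "correct horse battery staple xyz",    # long, not in the wordlist
    "carol": "password",                          # first entry in any wordlist
}
CREDENTIALS = {user: _make_entry(user, pw) for user, pw in _STORE_PLAINTEXT.items()}

# Constructed wordlist. A real audit uses rockyou-style lists plus mangling rules.
WORDLIST = ["password", "123456", "Winter2023!", "letmein", "qwerty"]


def crack(credentials, wordlist):
    """Offline dictionary attack: {user: recovered_password} for every hash matched."""
    found = {}
    for user, (salt, stored) in credentials.items():
        for candidate in wordlist:
            if hash_password(candidate, salt) == stored:
                found[user] = candidate
                break
    return found


def policy_violations(password, previous=None, min_len=12, min_change=0.5):
    """Return the list of policy rules a password breaks (empty list = compliant).

    Rules: length >= min_len, at least one uppercase, lowercase, digit and special
    character, and at least `min_change` of the characters changed from `previous`
    (measured with difflib's similarity ratio; the 50% default is assumed).
    """
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len}")
    classes = {
        "uppercase": string.ascii_uppercase,
        "lowercase": string.ascii_lowercase,
        "digit": string.digits,
        "special": string.punctuation,
    }
    for name, alphabet in classes.items():
        if not any(c in alphabet for c in password):
            problems.append(f"missing {name}")
    if previous is not None:
        similarity = difflib.SequenceMatcher(None, previous, password).ratio()
        if 1 - similarity < min_change:
            problems.append(f"too similar to previous ({similarity:.0%} alike)")
    return problems


if __name__ == "__main__":
    print("cracked:", crack(CREDENTIALS, WORDLIST))
    for pw, prev in [("Winter2023!", None), ("Winter2024!", "Winter2023!"),
                     ("Tr0ub4dor&3-longer-pass", None)]:
        print(repr(pw), "->", policy_violations(pw, prev) or "ok")
```

Note what the two checks catch and miss: "Winter2023!" satisfies every character-class rule and only fails on length, yet it falls to the wordlist immediately, which is exactly why the chapter's advice to look at credentials as a hacker matters more than complexity rules alone. Checking "percentage different from the previous password" requires the plaintext of both passwords, so in practice it can only be evaluated at change time (as pam_pwquality and similar modules do), never from stored hashes.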
Michael Jordan says
Do you think that the lack of identity proofing and authentication for using many public online services is more of a good thing or a bad thing?
Patrick Jurgelewicz says
What risks exist when several people in a group share a single account?
Vraj Patel says
Hello Patrick,
One of the risks associated with using a single account for multiple users is that accountability could not be established. If there happens to be an unauthorized activity on the network or process supported by that system then there would be no way to identify who has performed that unauthorized activity.
Kyuande Johnson says
Shared accounts compromise one of the components of AAA
(Authentication, Authorization and Accounting)
– Every user should be accountable for their actions. So having separate accounts and passwords is essential. Logging individual user activity tracks and records the user’s behavior and determines if they were performing malicious tasks. If shared passwords were being used it disqualifies the accountability aspect and no one would be held accountable if a malicious incident occurred.
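The accountability problem both replies describe shows up directly in the logs, so here is an added example (written for this page, not code from the discussion) that runs over a few constructed sshd-style "Accepted" lines. One function flags accounts that log in from several addresses within a short window, a common sign that credentials are being shared; the other answers the investigator's question "who could have done this?" for a given account and time, and returns one address for an individual account but several for the shared one. The account names, addresses, the ten-minute window and the one-hour lookback are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style lines (not real events). "admin" is a shared account used
# by several people; "alice" and "bob" are individual accounts.
SAMPLE_AUTH_LOG = """\
2024-01-10T09:00:05 host1 sshd[101]: Accepted password for admin from 10.0.0.5 port 50001 ssh2
2024-01-10T09:02:40 host1 sshd[102]: Accepted password for admin from 10.0.0.9 port 50002 ssh2
2024-01-10T09:03:10 host1 sshd[103]: Accepted password for admin from 10.0.0.17 port 50003 ssh2
2024-01-10T09:10:00 host1 sshd[104]: Accepted publickey for alice from 10.0.0.5 port 50004 ssh2
2024-01-10T09:11:00 host1 sshd[105]: Accepted publickey for bob from 10.0.0.9 port 50005 ssh2
2024-01-10T13:30:00 host1 sshd[106]: Accepted publickey for alice from 10.0.0.200 port 50006 ssh2
2024-01-10T13:31:00 host1 sshd[107]: Failed password for admin from 203.0.113.8 port 50007 ssh2
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+)\s\S+\ssshd\[\d+\]:\sAccepted\s\w+\sfor\s(?P<user>\S+)\sfrom\s(?P<ip>[\d.]+)"
)


def parse_logins(log_text):
    """(timestamp, user, source_ip) for each successful login, oldest first."""
    logins = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return sorted(logins)


def shared_account_candidates(log_text, window=timedelta(minutes=10), min_sources=2):
    """Accounts seen logging in from >= min_sources distinct addresses inside one window.

    Returns {user: sorted list of addresses}. Window and threshold are assumed values.
    """
    by_user = defaultdict(list)
    for ts, user, ip in parse_logins(log_text):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, events in by_user.items():
        for i, (start, _) in enumerate(events):
            sources = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(sources) >= min_sources:
                flagged[user] = sorted(sources)
                break
    return flagged


def possible_sources(log_text, user, at_iso, lookback=timedelta(hours=1)):
    """Addresses that logged in as `user` during the lookback before `at_iso`.

    This is the candidate set an investigator is left with: one entry gives
    attribution, several (a shared account) do not.
    """
    at = datetime.fromisoformat(at_iso)
    return sorted({ip for ts, u, ip in parse_logins(log_text)
                   if u == user and at - lookback <= ts <= at})


if __name__ == "__main__":
    print("possibly shared:", shared_account_candidates(SAMPLE_AUTH_LOG))
    for who in ("admin", "alice"):
        print(who, "could have acted from:",
              possible_sources(SAMPLE_AUTH_LOG, who, "2024-01-10T09:30:00"))
```

The failed login on the last line is ignored on purpose: it is a separate signal (brute force) and does not help attribute an action. Alice's two logins from different addresses hours apart are not flagged, since the rule keys on overlap within the window, not on the number of addresses over a day.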
Kelly Sharadin says
What AAL level would you assign Passwordless authentication?
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless
Madalyn Stiverson says
Hi Kelly,
AAL3 is ideal because it provides the highest level of confidence that the user is who they say they are. This is typically achieved through proof of possession of a key through a cryptographic protocol.
AAL1 is the worst (single factor) and AAL2 is between AAL1 and AAL3.
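Since the reply above describes the AAL3 mechanism as proof of possession of a key through a cryptographic protocol, here is a stripped-down version of that exchange with both sides' messages, added as an example for this page. It is not code from the discussion or from the linked Microsoft page, and it is not FIDO2/WebAuthn itself: it uses an HMAC over a fresh server nonce plus the verifier's identity. The verifier name, account name and key are assumptions.

```python
import hashlib
import hmac
import secrets

RP_ID = "login.example.test"   # assumed verifier identity, bound into every response


class Authenticator:
    """Client side. The key never leaves the device; only a MAC over the challenge does."""

    def __init__(self, key):
        self._key = key

    def respond(self, nonce, rp_id):
        # Binding rp_id means a response for one verifier is useless to another.
        return hmac.new(self._key, nonce + rp_id.encode(), hashlib.sha256).digest()


class Verifier:
    """Server side: stores each registered authenticator's key, issues nonces,
    and never accepts the same nonce twice."""

    def __init__(self):
        self.keys = {}
        self.pending = {}    # nonce -> username it was issued to
        self.used = set()

    def register(self, username, key):
        self.keys[username] = key

    def challenge(self, username):
        nonce = secrets.token_bytes(32)
        self.pending[nonce] = username
        return nonce

    def verify(self, username, nonce, response):
        # Reject unknown nonces, nonces issued to someone else, and replays.
        if nonce in self.used or self.pending.get(nonce) != username:
            return False
        self.used.add(nonce)
        del self.pending[nonce]
        expected = Authenticator(self.keys[username]).respond(nonce, RP_ID)
        return hmac.compare_digest(expected, response)


def run_scenarios():
    """(first login ok, replay rejected, wrong-verifier response rejected)."""
    key = secrets.token_bytes(32)
    server = Verifier()
    server.register("alice", key)
    device = Authenticator(key)

    nonce = server.challenge("alice")
    resp = device.respond(nonce, RP_ID)
    ok_first = server.verify("alice", nonce, resp)
    ok_replay = server.verify("alice", nonce, resp)          # same nonce again

    # Relay attempt: the device answered a look-alike verifier, so the MAC
    # covers the wrong name and the real verifier will not accept it.
    nonce2 = server.challenge("alice")
    relayed = device.respond(nonce2, "login.example-test.test")
    ok_wrong_rp = server.verify("alice", nonce2, relayed)
    return ok_first, ok_replay, ok_wrong_rp


if __name__ == "__main__":
    print(run_scenarios())
```

Two things separate this toy from a real AAL3 authenticator: the key here is symmetric, so the verifier's database holds the same secret the device does, whereas FIDO2 authenticators sign with a private key and the server stores only the public key; and AAL3 additionally requires that the key live in a hardware authenticator that resists extraction. The nonce and rp_id binding are the parts that carry over unchanged.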
Vraj Patel says
What would be the best time frame to review the audit logs that are being generated for the authentication and authorization processes?
Antonio Cozza says
How does one determine the strength of identity proofing, and which level of IAL is used?
Kyuande Johnson says
What type of access control provides the strongest level of protection?
Victoria Zak says
What are the pros and cons of facial recognition utilized as an authentication method?
Madalyn Stiverson says
Hi Victoria,
Facial recognition data is publicly available online through pictures, so this authentication method could be compromised. Facial recognition is quick and easy although you may need to remove your mask.
It’s also a probabilistic authentication method rather than deterministic. This means that it scans your face and determines with a certain percent accuracy that you are who you are claiming to be. Deterministic authentication methods are tokens and passwords – it has to be an exact 100% match to work.
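As an added example of the probabilistic-versus-deterministic point just made, and of the false positives Antonio's reply mentioned earlier in the thread, the code below shows what a biometric matcher actually does: it compares a similarity score against a threshold, so every choice of threshold trades false accepts (impostors let in) against false rejects (genuine users turned away). It is code written for this page, not from the discussion; the score lists are constructed, not measurements from any real system.

```python
import hmac

# Constructed matcher scores in [0, 1]. "Genuine" means the presented face was the
# enrolled person; "impostor" means it was someone else. Not real measurements.
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.95, 0.77, 0.85, 0.90, 0.69, 0.83, 0.87]
IMPOSTOR_SCORES = [0.31, 0.45, 0.52, 0.28, 0.73, 0.39, 0.61, 0.22, 0.48, 0.57]


def probabilistic_match(score, threshold):
    """A biometric decision: accept when the similarity score reaches the threshold."""
    return score >= threshold


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """(FAR, FRR) at a threshold: fraction of impostors accepted, genuine users rejected."""
    far = sum(probabilistic_match(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not probabilistic_match(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def equal_error_threshold(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES, steps=100):
    """Lowest threshold where FAR and FRR are closest (the equal error rate point)."""
    candidates = []
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(t, genuine, impostor)
        candidates.append((abs(far - frr), t))
    return min(candidates)[1]


def deterministic_match(stored, presented):
    """Contrast: a password or token check is exact. There is no threshold to tune,
    and the comparison is constant-time so timing does not leak how close a guess was."""
    return hmac.compare_digest(stored, presented)


if __name__ == "__main__":
    for t in (0.5, 0.7, 0.75, 0.9):
        far, frr = error_rates(t)
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    print("equal error threshold:", equal_error_threshold())
    print("token exact match:", deterministic_match(b"secret-token", b"secret-token"))
```

With these scores no threshold is free of error: 0.75 admits no impostor but rejects one genuine user in ten, 0.5 rejects nobody but admits four impostors in ten, and the equal-error point sits at 0.70 with one error of each kind. A vendor's "99% accurate" figure is one point on this curve, and raising the threshold to cut false accepts always raises the false rejects that users complain about.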
Lauren Deinhardt says
What do you believe is the most effective form of authentication on its own? (i.e. what you know, what you are, what you have).
Olayinka Lucas says
If multifactor authentication is deemed ineffective, what other known authentication alternatives/controls are available or recommended to get a more secure outcome?