Michael Obiukwu says
This chapter on Access Control provides a comprehensive overview of the pivotal role access controls play in maintaining the integrity of information systems. The authors articulate the importance of controlling access to information resources, emphasizing the necessity of implementing robust access control mechanisms to safeguard against unauthorized access and potential data breaches.
The chapter thoroughly examines the three types of access control: discretionary, mandatory, and role-based. Discretionary Access Control (DAC), as explained by Boyle and Panko, is largely user-centric, with the rights of access primarily determined by the owner of the information. This is contrasted with Mandatory Access Control (MAC), which is policy-centric and ensures that access rights are strictly enforced according to predefined policy rules. Role-Based Access Control (RBAC), the third type, is function-centric, where access is granted based on the user’s role within the organization.
They also delved into the principles of least privilege and separation of duties, highlighting their significance in minimizing the risk of unauthorized access and enhancing overall system security. The authors underscore that these principles should be the cornerstone of any effective access control strategy.
In conclusion, this reading provides a compelling exploration of access control, emphasizing its critical role in securing information systems. Their work serves as an essential guide for understanding and implementing effective access control mechanisms.
Kenneth Saltisky says
Hi Michael,
Your summary of the chapter is an excellent insight into the importance of proper access control implementations, as well as the importance of securing organizations through other means like separation of duties and least privilege. I find that separation of duties is especially important for an organization of any size. Allowing one person to have access to every resource, or relying on one individual for many tasks, poses a single point of failure: if that one person is unavailable, many aspects of the business could be in trouble. Additionally, if that one individual's account is hacked, the malicious actor now has access to every resource.
Jeffrey Sullivan says
The human-controls aspect stood out for me as I read through the different system access controls; I really didn't think about the human aspect of it all, especially with business partners, disgruntled employees, etc. who can just bypass all the access controls that are in place. These access controls have three functions, known as AAA: authentication, authorization and auditing. In authentication there are four bases, which are:
· What you know – password or key
· What you have – physical key or smart card
· Who you are – fingerprint or biometrics
· What you do – how you specifically pronounce a passphrase
Moving on to a more tangible control, the chapter went over ISO/IEC 27002 Security Clause 11. This security clause has two main security categories. 11.1 is Secure Areas: securing physical areas, which can be buildings, equipment rooms, office areas, etc. This section also has six controls. These controls are:
· Physical security perimeter
· Physical entry controls
· Securing offices, rooms and facilities
· Protection against external and environmental threats
ISO/IEC 27002 11.2 deals with site security and focuses on equipment security. The controls are as follows:
· Equipment siting and protection – sensitive equipment should be placed in secure areas. You want them to be able to avoid vandalism, smoke, water, etc. that could damage them.
· Supporting utilities – utilities such as water, electricity and HVAC all need to be adequate and tested regularly. Battery backup without interruption should be supplied.
· Cabling security – conduits, wiring closets, etc. should be present so cables aren't cut or intruded upon to read the contents of packets.
· Security during off-site equipment maintenance – keep equipment maintained and keep a log of it going out and coming back; sensitive info should be removed when off-site.
· Removal of property – property removal needs to be authorized.
· Security of equipment off-premises – equipment should have secured storage.
· Secure disposal or reuse of equipment – data must be removed prior to disposal, and a drive-wiping program should be used to permit data to be recovered.
· Clear desk and clear screen – no sensitive information left on the desk; follow legal storage requirements.
Even if you do follow ISO/IEC 27002, you still need to be aware of other threats, which include terrorism and piggybacking, dumpsters, and desktop PC security.
As I started out with the human aspect, I will end with the human aspect, as the chapter went over the prime authentication problem, which states: "Unless individuals are carefully vetted before being allowed into the system, imposters can simply enroll through social engineering."
Hi Jeff,
Amazing insight 👏. The triple A really makes a lot of sense. I am most excited by the accountability side of the triple A, which gives more credence to the concept of non-repudiation. It's like having undeniable footprints of all your activities within your access rights.
Moreover, something comes to mind on the authentication matrix. In some literature there is often a 4th or 5th leg to the authentication question, which adds 'location' to the existing authentication matrix. Hence, we have 'Where are you?', i.e. location.
This chapter is super loaded. In summary, it discussed that access control is a policy-based management system that protects systems, data, and communication from unauthorized access. It begins with physical security measures, such as building access control, and extends to internal areas and disposal processes. Traditional password-based authentication is vulnerable to attacks, necessitating robust password policies and reset systems. Enhanced security can be achieved through access cards, tokens, and biometric authentication, despite some issues with biometrics like error rates and deception. Cryptographic authentication, which requires a Public Key Infrastructure (PKI), is also used. Authorization should follow the principle of least permissions, with auditing playing a vital role in ensuring policy compliance. Centralized access permissions through identity management and secure data exchange via federated identity management are also crucial. To enhance security, identity attributes should be limited to necessary contexts. Single sign-on can simplify access, although reduced sign-on is typically implemented. AAA protections (Authentication, Authorization, and Accounting) are key to reducing risks, but their implementation costs must be weighed against potential benefits.
You have provided a concise summary of the chapter, capturing the key elements of access control. You effectively highlight the comprehensive nature of access control, spanning physical security measures, traditional password-based authentication, and advanced methods like biometrics and cryptographic authentication. The emphasis on the principle of least permissions and the role of auditing in policy compliance is well noted.
Additionally, the mention of identity management, federated identity management, and the need to limit identity attributes in specific contexts adds depth to the understanding of access control. The acknowledgement of the trade-off between the implementation costs of AAA protections and their potential benefits shows a practical awareness of real-world considerations. Overall, this is a clear and insightful summary of the chapter.
Hi Ikenna,
Cryptographic encryption is a beautiful icing on IAM (Identity and Access Management).
Have you imagined what it would look like, after going through the rigours of IAM, for all the inputs to be intercepted in transit? Hence the issue of stolen identity. An additional layer of cryptographic encryption is highly recommended.
This chapter emphasized the importance of access control in maintaining both technical and physical network security by making sure that no unauthorized users may access data, files, devices, or places. Based on user identity and defined groups, it is a method for limiting access to certain information or the use of specific control features.
The risk associated with passwords rises with advances in network technology and processing capacity, because password crackers on servers enable attackers to break passwords more quickly. Alternative technologies like passes, tokens, or biometrics will take the place of passwords. By taking the distinctive qualities of biometrics, translating them into digital codes, and then merging them even more, it increases security. It is not limited to a user's voice, face, iris pattern, fingerprint, or hand geometry. It also includes actions that users take, such as typing, walking, writing, etc.
I find your perspective on the rise in alternative authentication methods eventually taking over from passwords to be interesting. Through these authentication methods, users not only have more convenient means to access resources, but they can also be more secure compared to passwords, as oftentimes many individuals reuse passwords across everything they do. However, I am also of the opinion that the implementation of MFA/2FA is the best way to authenticate users, not just through one means of authentication. Requiring both a password/passcode and some other means of identification (location, one-time code, biometric) is significantly more secure than one single form of authentication.
Hi Sam,
This chapter really seems very interesting. Reading through your comment and your emphasis on physical and network access controls quickly brings to mind the 20 control families of NIST SP 800-53A Rev 5, which start with 1. Access Control and run to 20. Supply Chain Management.
Your comment brings to mind the rich role the entire subfamilies of the Access Control (AC) and Physical Environment (PE) mechanisms will play in this subject. Thanks for the insight.
Great summary. I like how you pointed out that authorization is not limited, as the technology now can take the biometrics, translate them into digital codes and then merge them even more, in addition to gestures such as walking, etc. But it makes me think whether this is enough given the technology that the attackers use and how they are still able to penetrate vulnerabilities. What made me think about least permissions, which means that each person should only get the permissions that he or she absolutely needs to do his or her job, is that this is an active practice my company uses now in conjunction with biometrics, translating them into codes, and there are still instances where attackers are able to penetrate employees' vulnerabilities.
I also agree that this reading did a good job showing the importance of technical and physical networks in regard to access control. Part of what makes corporate networks so effective is that there is a clear distinction between roles and abilities within those roles. Has there ever been a case where someone was in a network and granted themselves admin privileges even though the network rules didn't initially allow it? I know that in some networks all users have privileges, and those have been shown to cause more issues in regard to breaches.
This chapter of the book outlines the purpose of access control as well as the different kinds of access control implementations including physical and computer security, password protection, access cards and tokens, biometric authentication, PKI, authorizations, auditing, and other management tools for authentication and identity management. One part of this chapter that I found particularly interesting is the section on Biometric Authentication.
Biometric authentication is authentication based on a biological factor of a user: something that you are. This can be done through fingerprinting, iris pattern, facial recognition, hand geometry, or even through another physical action unique to you such as the way you write, type, walk, etc. This type of authentication requires an enrollment scan which extracts a large amount of data so that key features are then used rather than the whole data to identify a user. These key features are then stored in a database and identified uniquely to a user as their base template. When a user wants to access a resource using this method of authentication, they would need to be scanned again and compared to the baseline template in the database. This comparison is then matched to a match index, which quantifiably identifies the difference between the template and the scan’s result which then is compared to the decision criteria for rejection or acceptance.
This method of authentication does come with downsides, however, as there are issues with the error rate (false positive) rate of rejection and the deception rate (false negative) rate of acceptance. Both are issues to organizations as not having access with what should be proper credentials and having access with what should be no proper credentials are both issues associated with biometric authentication. Additionally, users that are not enrolled in the system will require time to properly enroll and authenticate for future allowance.
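A worked illustration of the enrollment template, match index and decision criterion described in this post, as an added example in Python that is not from the chapter or from the post's author. The feature vectors, the thresholds and the choice of mean absolute difference as the match index are constructed assumptions; a real system extracts far richer key features, but the accept/reject logic and the way the false-rejection and false-acceptance rates move against each other as the threshold changes are the same.

```python
"""Biometric template matching with a decision threshold, plus the
false-rejection / false-acceptance trade-off as the threshold moves.
Feature vectors and thresholds are constructed for illustration."""
from statistics import mean


def enroll(enrollment_scans):
    """Build the base template: average the key features of several enrollment scans."""
    width = len(enrollment_scans[0])
    return tuple(mean(scan[i] for scan in enrollment_scans) for i in range(width))


def match_index(template, scan):
    """Quantify how far a fresh scan is from the template (0.0 = identical).
    Assumed metric: mean absolute difference over features scaled to 0..1."""
    return sum(abs(t - s) for t, s in zip(template, scan)) / len(template)


def decide(template, scan, threshold):
    """Decision criterion: accept when the match index is within the threshold."""
    return match_index(template, scan) <= threshold


def error_rates(template, genuine_scans, impostor_scans, threshold):
    """Return (FRR, FAR): fraction of genuine users rejected and of impostors accepted."""
    frr = sum(not decide(template, s, threshold) for s in genuine_scans) / len(genuine_scans)
    far = sum(decide(template, s, threshold) for s in impostor_scans) / len(impostor_scans)
    return frr, far


def sweep(template, genuine_scans, impostor_scans, thresholds):
    """Tabulate the trade-off: loosening the threshold lowers FRR but raises FAR."""
    return [(t, *error_rates(template, genuine_scans, impostor_scans, t)) for t in thresholds]


# Constructed data: three enrollment scans of one user (4 key features each)
ENROLLMENT = [(0.50, 0.30, 0.80, 0.10), (0.52, 0.28, 0.82, 0.12), (0.48, 0.32, 0.78, 0.08)]
TEMPLATE = enroll(ENROLLMENT)

# Later scans of the same user: a clean one, a slightly noisy one, a poor one
GENUINE = [(0.51, 0.31, 0.79, 0.11), (0.55, 0.25, 0.85, 0.15), (0.60, 0.40, 0.70, 0.20)]
# Scans from other people: one obviously different, one close (a look-alike), one in between
IMPOSTOR = [(0.10, 0.90, 0.20, 0.70), (0.45, 0.35, 0.75, 0.15), (0.30, 0.60, 0.50, 0.40)]

if __name__ == "__main__":
    for threshold, frr, far in sweep(TEMPLATE, GENUINE, IMPOSTOR, [0.03, 0.07, 0.12, 0.30]):
        print(f"threshold={threshold:.2f}  FRR={frr:.2f}  FAR={far:.2f}")
```

Running the sweep shows the point made in the post: at a tight threshold the look-alike impostor is kept out but two of the three genuine scans are rejected, and at a loose threshold every genuine scan passes but the look-alike is accepted too. The threshold an organization picks is a business decision about which error it can tolerate more.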
Hi Kenneth, Thank you for sharing your insights. I appreciate how you explained the mechanism behind biometric authentication. Most people perceive biometric authentication as foolproof and immune to deception, but as you mentioned, false acceptances or rejections can occur, and there's always the risk of someone attempting to deceive the system by copying a fingerprint and trying to use it to authenticate. Also, the cost of implementation of some of these biometric technologies, such as the iris scan, could discourage organizations from using them.
Chapter 5 talks about the varying types of access control and how they work. I am always fascinated by the "In The News" section. I read how MoviePass was able to change the passwords of their subscribers to slow down traffic to the site, or use a "trip wire" to limit ticket sales from the discount site.
Two things caught my eye this week. I like the section on physical security because I believe it is not talked about enough. While the section does point out the importance of network security, there is an expressed emphasis on having control of building access: understanding that there is a need to limit access with a single point of entry, but also realizing where the "weak spots" in your building are and where an attacker could potentially gain access.
The second thing that I want to discuss is the section on Auditing. This section gave me an informative explanation of auditing as well as logging. Logging is often the first step in an investigation and provides us with some idea of what, when, and where. The main emphasis was that logs must be read regularly, and logs that are read only randomly are useless.
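As an added example of actually reading the logs rather than just collecting them (this is not from the chapter or from this post), here is a Python review pass over constructed sshd-style authentication lines: it parses each line into fields, keeps a sliding window of recent failures per source address, and flags a burst of failures and any success that arrives on the heels of one. The sample lines, the line layout, and the threshold and window values are assumptions made for the example.

```python
"""Review of authentication log lines: parse, count recent failures per
source, and flag bursts and a success that follows a burst.
Added example; the sample lines and the threshold/window values are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style lines (not from any real host)
SAMPLE_LOG = """\
2024-03-04T09:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50210 ssh2
2024-03-04T09:00:03 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
2024-03-04T09:00:05 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 50214 ssh2
2024-03-04T09:00:09 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 50216 ssh2
2024-03-04T09:00:12 host1 sshd[1201]: Accepted password for root from 203.0.113.7 port 50218 ssh2
2024-03-04T09:15:30 host1 sshd[1377]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2024-03-04T09:15:41 host1 sshd[1377]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def detect(events, threshold=3, window_s=300):
    """Walk events in order. Flag a source once it reaches `threshold`
    failures inside `window_s` seconds, and flag any success from a source
    that still has that many recent failures (a likely guessed password)."""
    findings = []
    recent_failures = defaultdict(list)   # source -> timestamps of failures in window
    already_flagged = set()
    for event in events:
        src = event["src"]
        recent = [t for t in recent_failures[src] if (event["ts"] - t).total_seconds() <= window_s]
        recent_failures[src] = recent
        if event["result"] == "Failed":
            recent.append(event["ts"])
            if len(recent) >= threshold and src not in already_flagged:
                already_flagged.add(src)
                findings.append(("brute_force", src, len(recent)))
        elif len(recent) >= threshold:
            findings.append(("success_after_failures", src, event["user"]))
    return findings


def review(log_text, **kwargs):
    """One review pass over a chunk of log text; returns the list of findings."""
    return detect(parse(log_text), **kwargs)


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

On the constructed lines the pass reports the burst from 203.0.113.7 and then the root login that followed it, while alice's single failure before a key-based login is left alone. The same logic run on a schedule, rather than when someone happens to look, is what turns a log from a record into a control.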
Well said, Erskine. The importance of logging and auditing as critical components of security strategy cannot be overstated. Auditing plays a key role in maintaining the security and integrity of information systems by providing visibility into system activities and enabling proactive threat detection and response. Effective auditing requires regular log review and integration with incident response processes, and adherence to best practices for log retention and storage.
Erskine, That’s a great take on Chapter 5! Focusing on physical security is refreshing, recognizing it’s just as important as network security. Your point about “weak spots” in building access reflects a well-rounded understanding of security measures. Audit logging is another critical takeaway – understanding the importance of reviewing logs regularly is crucial for security. This shows you grasped the chapter’s concepts and their practical applications.
Hi Erskine, I like how you mention that the focus on physical security in Chapter 5 highlights a crucial yet often neglected aspect of security strategies. It reminds us that safeguarding against physical breaches is as important as digital protection. Furthermore, the discussion on the importance of auditing and regular log reviews reinforces the idea that security is a comprehensive endeavor. Integrating physical security measures with diligent auditing practices forms a robust defense against both physical and digital threats, underscoring the necessity of a holistic approach to security.
This chapter defines access control as the policy-driven control of access to systems, data, and dialogues. The section that stood out to me the most was the various aspects of password security, including the use of reusable passwords versus one-time passwords, the vulnerabilities associated with password-cracking programs, the importance of strong password policies, and the risks of password misuse. Below is a quick summary –
Reusable Passwords vs. One-Time Passwords: Reusable passwords are commonly used for extended periods, while one-time passwords are used only once for enhanced security.
Password-Cracking Programs: Attackers can attempt to crack passwords by installing password-cracking programs on servers or copying password files for offline cracking.
Importance of Strong Password Policies: Companies need to establish strong password policies to mitigate the risks associated with reusable passwords. This includes regular auditing to ensure compliance with password policies and the use of strong, hard-to-crack passwords.
Password Use and Misuse: Passwords should not be reused across multiple sites to prevent widespread compromise if one password is compromised. Password management programs can help manage multiple passwords, but they can be cumbersome to use. Password duration policies should require frequent password changes, and shared accounts should be prohibited due to security risks and difficulties in accountability.
Companies should emphasize the importance of implementing robust password policies and practices to enhance security and protect against unauthorized access and data breaches.
This chapter I found part 5.9, which is titled Central Authentication Servers, particularly interesting. The section discusses the importance and functioning of Central Authentication Servers, emphasizing their role in managing access and authorizations across multiple servers within an organization. It discusses how centralized authentication servers are vital for reducing costs, ensuring consistent authentication across the network, and enabling immediate company-wide changes. A key point of interest is the use of the RADIUS standard for central authentication servers, which simplifies the authentication process by having a central server verify credentials sent by a supplicant through an authenticator, which then either grants or denies access based on the server’s response. I found this interesting because I remember studying RADIUS when preparing for the security+ exam, but didn’t really understand it well.
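To make the exchange concrete, here is an added Python example (not from the book or from the post) of the three parties: the supplicant hands credentials to the authenticator (the NAS), the NAS wraps them in an Access-Request with the User-Password hidden as RFC 2865 specifies (MD5 of the shared secret and the Request Authenticator, XORed with the password), and the central server answers Access-Accept or Access-Reject carrying a Response Authenticator the NAS can check. The shared secret, the user table and the fixed Request Authenticator used for reproducibility are assumptions; only the password hiding and the authenticator computation follow the RFC.

```python
"""Simplified RADIUS Access-Request / Access-Accept exchange (RFC 2865):
User-Password hiding and the Response Authenticator. Added example, not the
textbook's code; secret, users and sample authenticator are constructed."""
import hashlib
import hmac
import secrets

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2   # attribute types


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (server side). Assumes passwords contain no NUL bytes."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Header: Code, Identifier, Length (16 bits), 16-byte Authenticator, then attributes."""
    return bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big") + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(packet(code, ident, request_auth, attrs) + secret).digest()


def parse_attributes(pkt: bytes) -> dict:
    attrs, i = {}, 20
    while i < len(pkt):
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return attrs


def nas_build_request(ident, username, password, secret, request_auth):
    """Authenticator (NAS): forward the supplicant's credentials to the server."""
    attrs = attribute(USER_NAME, username) + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Central server: recover the password, check it, sign the reply."""
    ident, request_auth = request[1], request[4:20]
    attrs = parse_attributes(request)
    supplied = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    stored = user_db.get(attrs.get(USER_NAME), b"")
    ok = bool(stored) and hmac.compare_digest(stored, supplied)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, request_auth, b"", secret), b"")


def nas_check_response(response, ident, request_auth, secret) -> bool:
    """NAS: only a reply with a valid Response Authenticator for our request counts."""
    code, resp_ident, resp_auth, attrs = response[0], response[1], response[4:20], response[20:]
    if resp_ident != ident:
        return False
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(expected, resp_auth) and code == ACCESS_ACCEPT


def radius_exchange(username, password, secret, user_db, request_auth=None) -> str:
    """Supplicant -> NAS -> server -> NAS; returns the NAS's decision."""
    request_auth = request_auth or secrets.token_bytes(16)   # must be unpredictable in practice
    ident = 7
    request = nas_build_request(ident, username, password, secret, request_auth)
    response = server_handle(request, secret, user_db)
    return "Access-Accept" if nas_check_response(response, ident, request_auth, secret) else "Access-Reject"


# Constructed shared secret and user table for the demonstration
SECRET = b"constructed-shared-secret"
USER_DB = {b"alice": b"correct horse battery staple"}
DEMO_AUTH = bytes(range(16))   # fixed only so the example is reproducible

if __name__ == "__main__":
    print(radius_exchange(b"alice", b"correct horse battery staple", SECRET, USER_DB, DEMO_AUTH))
    print(radius_exchange(b"alice", b"wrong", SECRET, USER_DB, DEMO_AUTH))
```

Two things are worth noticing. The password is only obscured, not encrypted in any modern sense, and the whole exchange rests on the shared secret between NAS and server, which is why RADIUS is normally run over a trusted network or inside a tunnel. And the Response Authenticator is what stops a party on the path from simply turning a Reject into an Accept: the NAS recomputes it and ignores any reply that does not verify.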
The perspective on RADIUS was very interesting. This book excels at using diagrams to illustrate how these various complex systems operate. What I thought of when looking at RADIUS systems, however, was also how they could possibly be interrupted or exploited. I wonder how the use of something like a DoS attack could interrupt the RADIUS protocol, and what organizations can do to mitigate that risk or prepare for it; as the book says, systems are only as good as their weakest link.
This chapter of Boyle and Panko covers various levels of access control, ranging from physical to digital access methods. What I found interesting about this chapter was how diverse and thorough but also malleable security must be to meet the needs of an organization while also meeting the challenges of an evolving threat sector. The inclusion of means up to armed guards but also fraud detection protocols to avoid issues such as password cracking or phishing really illustrated how necessary it is to have a robust security system in place both on-site and online to protect an organization. It was also interesting to see how these determinations are made, and when and how organizations choose to authorize or ignore different security measures or risks
Great summary. Yes, the human factor is one that stood out for me as well, especially the guard. I can't tell you how many times employees have let other employees and random citizens into our building by holding the door and not showing ID. It only takes one incident for security to tighten up. Unfortunately, there was one time when an employee let an ex-employee back into the building who was threatening the whole building; security had the whole building on lockdown, emergency services were called, etc. Luckily nothing terrible happened, but it gives you a perspective on how important authorization and authentication are when you experience it in real life rather than remotely.
I agree with your takeaway that security must be diverse, thorough, as well as malleable. Security access control must be able to adapt and combat emerging threats. When we talk about security in IT, we think digital, which is important, but the focus on physical is just as key. Your closing highlights how organizations really have to assess their risk appetite to determine what is worth the risk.
In this chapter, the author emphasizes the critical role of access control in safeguarding assets, which involves protecting sensitive information (confidentiality), maintaining system integrity, and ensuring asset availability. Access control plays a big role in the CIA triad as it touches all three fundamental aspects of cybersecurity.
Access controls begin with Physical security ensuring physical access to resources is only available to authorized individuals and the surrounding environment is secured from both natural and man-made events.
The three principles of access control are AAA (authentication, authorization, and auditing), where authentication involves assessing the identity of the person requesting access to a resource, authorization is giving the correct permission to a resource, whether it is read or write, and auditing is collecting information about an individual's activities in log files for analysis. Without auditing, errors will go unnoticed. The chapter explores various access control models such as RBAC, DAC, and MAC, which aid in ensuring individuals have appropriate access rights. Managing user privileges and enforcing the principle of least privilege are pivotal aspects of access control.
Access control mechanisms have evolved over the years, from traditional passwords to biometrics and the use of tokens. The author discusses weaknesses associated with common access control methods. For instance, Passwords are prone to exploitation because people use weak passwords and reuse them across multiple systems, so when an attacker gains access to one they can try to access other systems as well. Biometric authentication, though seems secure, has its challenges such as susceptibility to deception, high error rates, and implementation costs.
As threats are evolving, so is the technology. The challenges posed by single-factor authentication led to the development and implementation of two-factor authentication, which requires a user to authenticate with at least two factors. These two factors can be something you know (PIN, password), something you are (biometric), something you have (token), or something you do (signature).
I think in the future, we’re likely to see more businesses and organizations embracing technologies like single sign-on (SSO) and federation. Currently, many businesses rely on trusted third parties like Facebook and LinkedIn to authenticate users. These trends suggest a growing recognition of the benefits of streamlined authentication processes and improved user experiences. As digital interactions become more integrated and complex, SSO and federation offer efficient solutions for managing user access across various platforms, making them key components of future online identity management strategies.
Great job in pointing out the CIA triad and how access control plays a big role in the triad as it touches all three fundamental aspects of cybersecurity. I also feel that this chapter really started to bridge the gap with last semester's Protection of Information Assets by showing how access control ties into the triad. As you also point out, threats and technology are evolving; I can say that is very true, as it's been twenty years since I read on authentication, and it has changed throughout the years and is now changing even more rapidly. For example, Kerberos, which Microsoft uses to link hosts together, is more than an authentication server: it provides keying information to parties that need to communicate with one another, and it can provide authorization information as well.
Absolutely, this chapter underscores access control’s pivotal role in safeguarding assets, encompassing confidentiality, integrity, and availability. It delves into physical security measures and the AAA principles (authentication, authorization, auditing) crucial for controlling access. Access control models like RBAC, DAC, and MAC are explored, emphasizing the importance of managing user privileges and adhering to the principle of least privilege to ensure appropriate access rights and mitigate security risks. Great job Mariam.
My favorite part of this chapter on access controls was 5.5, regarding biometric systems' presence as an authenticating factor, which a lot of organizations choose in addition to or as a replacement for the rather dated and problematic password system. Whether the system is a simple fingerprint scan or something more advanced, biometric presence is a great additional layer of security that keeps access to the appropriate parties. There is always something to consider when adding more layers, though, such as ease of access, scalability, and in this case the false acceptance and false rejection rates. Also, some biometrics such as facial or voice recognition are easily deceived and should not be used alone, but with additional layers reinforcing them.
For starters, I appreciate the distinction this chapter made between authentication and authorization. In terms of authorization, it focuses on assessing the identity; in other words, it validates identity. An authorization is the set of permissions that an authenticated user has depending on the level of their identity. A number that shocked me was how 52 percent of users use the same password for numerous sites, and even worse than that, 70 percent of users still used the same password for a year after there had been a data breach. I can see both sides of the perspective here. On one end, it's a horrible idea to use the same password, as if a hacker were able to obtain it, they would have access to multiple accounts. On the other hand, I can understand how it would be tedious to keep track of so many different passwords. There are optional ways to tackle this; for example, there are apps that allow you to keep the passwords for your accounts on there, but those also run the risk of going through a breach.
Hi Hashem, Your analysis brought up a very important point regarding passwords. It's indeed difficult for individuals to manage multiple passwords across different sites, often leading them to use a single password for convenience. You mentioned password managers and the risk of them being breached; I have read an article where LAPS, one of the password manager providers, was attacked; however, hackers were not able to view users' passwords. Passwords are very convenient; however, they come with so many risks. I think technologies like MFA can help slow down attackers and add another layer of security.
Boyle and Panko’s Chapter 5 discusses the fundamental principles and mechanisms for managing access to computer systems and resources. The chapter explains the core concepts of access control, which dictate who can access resources and under what conditions. It also explores various access control models, including discretionary, mandatory, and role-based, each with unique rules for access management. The chapter provides an in-depth analysis of access control mechanisms, such as access control lists, capabilities, and access matrices, which enforce the defined access control policies. It emphasizes the importance of formulating and implementing access control policies that set access rules based on user identity, roles, and permissions. Boyle and Panko stress the significance of access control strategies such as the principle of least privilege, which restricts users’ access to the minimum resources required for their tasks, thereby enhancing security.
Additionally, they highlight the need to implement robust authentication mechanisms and separate duties to mitigate security risks effectively. Chapter 5 addresses challenges in access control, including balancing security with usability and managing access control in distributed systems. It also examines insider threats and the complexities of securing resources against unauthorized access.
Overall, Boyle and Panko provide a comprehensive overview of access control, covering its principles, mechanisms, and strategies for safeguarding computer systems and resources from unauthorized access and potential security breaches.
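The models and mechanisms named in this summary can be shown side by side in a few lines. The following added Python example (not the book's code, nor the post's) keeps one access matrix and derives from it the two enforcement views mentioned above, the per-object access control list and the per-subject capability list; layers a role-based model on top with a static separation-of-duties rule that refuses to give one user both halves of a conflicting pair of roles, which is also the concern raised in an earlier reply about one account holding every resource; and ends with a least-privilege check that lists granted rights that were never exercised. The subjects, objects, roles and usage data are constructed.

```python
"""Access matrix with ACL and capability views, RBAC with a static
separation-of-duties constraint, and a least-privilege excess check.
Added example; subjects, objects, roles and usage data are constructed."""
from collections import defaultdict

# Access matrix: subject -> object -> rights (the policy, in one table)
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "audit.log": {"read"}},
    "bob":   {"payroll.db": {"read"}},
    "carol": {"audit.log": {"read", "write"}},
}


def acls(matrix):
    """Column view: for each object, which subjects hold which rights (an ACL)."""
    out = defaultdict(dict)
    for subject, objects in matrix.items():
        for obj, rights in objects.items():
            out[obj][subject] = set(rights)
    return dict(out)


def capabilities(matrix, subject):
    """Row view: the capability list a single subject carries."""
    return {obj: set(rights) for obj, rights in matrix.get(subject, {}).items()}


def permitted(matrix, subject, obj, right):
    """Reference-monitor check: deny by default unless the matrix grants the right."""
    return right in matrix.get(subject, {}).get(obj, set())


# RBAC: permissions attach to roles, users are given roles. Constructed roles.
ROLE_PERMS = {
    "payroll_clerk":    {("payroll.db", "write")},
    "payroll_approver": {("payroll.db", "approve")},
    "auditor":          {("audit.log", "read")},
}
# Static separation of duties: no single user may hold both roles of a pair.
CONFLICTING_ROLES = [frozenset({"payroll_clerk", "payroll_approver"})]


def assign_role(user_roles, user, role):
    """Grant a role unless it would violate separation of duties; returns success."""
    held = user_roles.get(user, set())
    for pair in CONFLICTING_ROLES:
        if role in pair and (pair - {role}) & held:
            return False   # user already holds the conflicting half of the pair
    user_roles.setdefault(user, set()).add(role)
    return True


def rbac_permitted(user_roles, user, obj, right):
    """A user may act only through the permissions of the roles they hold."""
    return any((obj, right) in ROLE_PERMS[role] for role in user_roles.get(user, ()))


def least_privilege_excess(matrix, used):
    """Rights granted in the matrix but never exercised according to `used`
    ((subject, object) -> rights actually seen in audit logs): removal candidates."""
    excess = {}
    for subject, objects in matrix.items():
        for obj, rights in objects.items():
            unused = rights - used.get((subject, obj), set())
            if unused:
                excess[(subject, obj)] = unused
    return excess


if __name__ == "__main__":
    print(acls(MATRIX)["payroll.db"])
    print(capabilities(MATRIX, "alice"))
    roles = {}
    print(assign_role(roles, "dave", "payroll_clerk"), assign_role(roles, "dave", "payroll_approver"))
```

The ACL and capability views contain exactly the same information as the matrix; the difference is which lookup is cheap, and that is why operating systems keep ACLs on objects while distributed systems often hand out capabilities. The separation-of-duties check lives at role assignment time rather than at access time, which is what makes it a static constraint, and the excess check is the mechanical half of a least-privilege review: it only tells you what to look at, not what to revoke.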
This week's reading gave a clear understanding of how an organization's network should be controlled. It is important for users to be advised to use a strong password they can easily remember, and a password that can't be guessed. Using a password alone is not enough to secure the network, so Multi-Factor Authentication (MFA) should be used. MFA is a security measure that double-checks users' identities before they can access an organization's resources. MFA will help prevent unauthorized access even if the right password is used.
Michael Obiukwu says
This on Access Control provides a comprehensive overview of the pivotal role access controls play in maintaining the integrity of information systems. The authors articulate the importance of controlling access to information resources, emphasizing the necessity of implementing robust access control mechanisms to safeguard against unauthorized access and potential data breaches.
The chapter thoroughly examines the three types of access control: discretionary, mandatory, and role-based. Discretionary Access Control (DAC), as explained by Boyle and Panko, is largely user-centric, with the rights of access primarily determined by the owner of the information. This is contrasted with Mandatory Access Control (MAC), which is policy-centric and ensures that access rights are strictly enforced according to predefined policy rules. Role-Based Access Control (RBAC), the third type, is function-centric, where access is granted based on the user’s role within the organization.
They also delved into the principles of least privilege and separation of duties, highlighting their significance in minimizing the risk of unauthorized access and enhancing overall system security. The authors underscore that these principles should be the cornerstone of any effective access control strategy.
In conclusion, this reading provides a compelling exploration of access control, emphasizing its critical role in securing information systems. Their work serves as an essential guide for understanding and implementing effective access control mechanisms.
Kenneth Saltisky says
Hi Michael,
Your summary of the chapter is an excellent insight into the importance of proper access control implementations as well as the importance of securing organizations through other means like separation of duties and least privilege. I find that separation of duties is especially important for an organization of any size. Allowing one person to have access to every resource or relying on one individual for many tasks poses a single point of failure where if that one person is unavailable, many aspects of the business could be in trouble. Additionally, if the one individual’s account is hacked, the malicious actor now has access to every resource.
Jeffrey Sullivan says
The human controls aspect stood out for me. As I read through the different system access controls, I really didn’t think about the human aspect of it all, especially business partners, disgruntled employees, etc., who can just bypass all the access controls that are in place. These access controls have three functions, known as AAA: authentication, authorization and auditing. In authentication there are four bases, which are:
· What you know – password or key
· What you have – physical key or smart card
· Who you are – fingerprint or biometrics
· What you do – how you specifically pronounce a passphrase
Moving on to a more tangible control, the chapter went over ISO/IEC 27002 Security Clause 11. This security clause has two main security categories. 11.1 is Secure Areas, which covers securing physical areas such as buildings, equipment rooms, office areas, etc. This section also has six controls. These controls are:
· Physical security perimeter
· Physical entry controls
· Securing offices, rooms and facilities
· Protection against external and environmental threats
ISO/IEC 11.2 deals with site security and focuses on equipment security. The controls are as follows:
· Equipment siting and protection – sensitive equipment should be placed in secure areas. You want them to be able to avoid vandalism, smoke, water, etc. that could damage them.
· Supporting utilities – utilities such as water, electricity and HVAC all need to be adequate and tested regularly. Battery backup without interruption should be supplied.
· Cabling security – conduits, wiring closets, etc. should be present so cables aren’t cut or intruded on to read the contents of packets.
· Security during off-site equipment maintenance – keep equipment maintained and keep a log of it going off-site and back on; sensitive info removed when off-site.
· Removal of property – property removal needs to be authorized.
· Security of equipment off-premises – equipment should have secured storage.
· Secure disposal or reuse of equipment – data must be removed prior to disposal and a drive-wiping program should be used to permit data to be recovered.
· Clear desk and clear screen – no sensitive information left on the desk; follow legal storage requirements.
Even if you do follow ISO/IEC 27002, you still need to be aware of other threats, which include terrorism and piggybacking, dumpsters and desktop PC security.
As I started out with the human aspect, I will end with the human aspect: the chapter, covering the prime authentication problem, states, “Unless individuals are carefully vetted before being allowed into the system, imposters can simply enroll through social engineering”.
Michael Obiukwu says
Hi Jeff,
Amazing insight 👏. The triple A really makes a lot of sense. I am most excited by the accountability side of the triple A, which gives more credence to the concept of non-repudiation. It’s like having undeniable footprints of all your activities within your access rights.
Moreover, something comes to mind on the authentication matrix. In some literature there is often a 4th or 5th leg to the authentication question, which adds ‘location’ to the already existing authentication matrix. Hence, we have ‘where are you?’, i.e. location.
Ikenna Alajemba says
This chapter is super loaded. In summary, it discusses how access control is a policy-based management system that protects systems, data, and communication from unauthorized access. It begins with physical security measures, such as building access control, and extends to internal areas and disposal processes. Traditional password-based authentication is vulnerable to attacks, necessitating robust password policies and reset systems. Enhanced security can be achieved through access cards, tokens, and biometric authentication, despite some issues with biometrics like error rates and deception. Cryptographic authentication, which requires a Public Key Infrastructure (PKI), is also used. Authorization should follow the principle of least permissions, with auditing playing a vital role in ensuring policy compliance. Centralized access permissions through identity management and secure data exchange via federated identity management are also crucial. To enhance security, identity attributes should be limited to necessary contexts. Single sign-on can simplify access, although reduced sign-on is typically implemented. AAA protections (Authentication, Authorization, and Accounting) are key to reducing risks, but their implementation costs must be weighed against potential benefits.
Samuel Omotosho says
Hi Ikenna,
You have provided a concise summary of the chapter, capturing the key elements of access control. You effectively highlight the comprehensive nature of access control, spanning physical security measures, traditional password-based authentication, and advanced methods like biometrics and cryptographic authentication. The emphasis on the principle of least permissions and the role of auditing in policy compliance is well noted.
Additionally, the mention of identity management, federated identity management, and the need to limit identity attributes in specific contexts adds depth to the understanding of access control. The acknowledgement of the trade-off between the implementation costs of AAA protections and their potential benefits shows a practical awareness of real-world considerations. Overall, this is a clear and insightful summary of the chapter.
Great work!
Michael Obiukwu says
Hi Ikenna,
Cryptographic encryption is a beautiful icing on IAM (Identity Access Management).
Have you imagined what it would look like, after going through the rigours of IAM, for all the inputs to be intercepted in transit? Hence the issue of stolen identity. An additional layer of cryptographic encryption is something highly recommended.
Samuel Omotosho says
This chapter emphasized the importance of access control in maintaining both technical and physical network security by making sure that no unauthorized users may access data, files, devices, or places. It is a method for limiting access to certain information or the use of specific control features based on user identity and defined groups.
The risk associated with passwords rises with advances in network technology and processing capacity because password crackers on servers enable attackers to break passwords more quickly. Alternative technologies like passes, tokens, or biometrics will take the place of passwords. By taking the distinctive qualities of biometrics, translating them into digital codes, and then merging them even more, it increases security. It is not limited to a user’s voice, face, iris pattern, fingerprint, or hand geometry. It also includes actions that users take, such as typing, walking, writing, etc.
Kenneth Saltisky says
Hi Samuel,
I find your perspective on the rise in alternative authentication methods eventually taking over passwords to be interesting. Through these authentication methods, users not only have more convenient means to access resources, but they can also be more secure by comparison to passwords, as oftentimes many individuals reuse passwords across everything they do. However, I am also of the opinion that the implementation of MFA/2FA is the best way to authenticate users, not just through one means of authentication. Requiring both a password/passcode and some other means of identification (location, one-time code, biometric) is significantly more secure than one single form of authentication.
Michael Obiukwu says
Hi Sam,
This chapter really seems very interesting. Reading through your comment and your emphasis on physical and network access controls quickly brings to mind the 20 control families of NIST SP 800-53A Rev 5, which run from 1. Access Control to 20. Supply chain management.
Your comment brings to mind the rich role the entire subfamilies of the Access controls (AC) and Physical Environment (PE) mechanism will play in this subject. Thanks for the insight.
Jeffrey Sullivan says
Great summary. I like how you pointed out that authorization is not limited, as the technology now can take the biometrics, translate them into digital codes and then merge them even more, in addition to gestures such as walking, etc. But it makes me think whether this is enough given the technology that the attackers use and how they are still able to penetrate vulnerabilities. What made me think about least permissions, which means that each person should only get the permissions that he or she absolutely needs to do his or her job, is that this is an active practice my company uses now in conjunction with biometrics, translating them into codes, and there are still instances where attackers are able to penetrate employees’ vulnerabilities.
Hashem Alsharif says
Hello Samuel,
I also agree that this reading did a good job showing the importance of technical and physical networks in regard to access control. Part of what makes corporate networks so effective is that there is a clear distinction between roles and the abilities within those roles. Has there ever been a case where someone was in a network and granted themselves admin privileges even though the network rules didn’t initially allow it? I know that with some networks all users have privileges, and those have been shown to cause more issues in regard to breaches.
Kenneth Saltisky says
This chapter of the book outlines the purpose of access control as well as the different kinds of access control implementations including physical and computer security, password protection, access cards and tokens, biometric authentication, PKI, authorizations, auditing, and other management tools for authentication and identity management. One part of this chapter that I found particularly interesting is the section on Biometric Authentication.
Biometric authentication is authentication based on a biological factor of a user: something that you are. This can be done through fingerprinting, iris pattern, facial recognition, hand geometry, or even through another physical action unique to you such as the way you write, type, walk, etc. This type of authentication requires an enrollment scan which extracts a large amount of data so that key features are then used rather than the whole data to identify a user. These key features are then stored in a database and identified uniquely to a user as their base template. When a user wants to access a resource using this method of authentication, they would need to be scanned again and compared to the baseline template in the database. This comparison is then matched to a match index, which quantifiably identifies the difference between the template and the scan’s result which then is compared to the decision criteria for rejection or acceptance.
This method of authentication does come with downsides, however, as there are issues with the error rate (the false positive rate of rejection) and the deception rate (the false negative rate of acceptance). Both are issues for organizations, as not having access with what should be proper credentials and having access with what should be no proper credentials are both problems associated with biometric authentication. Additionally, users that are not enrolled in the system will require time to properly enroll and authenticate for future allowance.
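The enrollment template, match index and decision criteria that Kenneth describes can be seen end to end in a small matcher. This is an added illustration, not code from Boyle and Panko or from any post in this thread; the feature vectors, the genuine and impostor scans and the thresholds are all constructed sample values, and the match index is a plain root-mean-square distance standing in for whatever a real sensor computes.

```python
"""Toy biometric matcher: enrollment template, match index and decision threshold.

Added example; it is not code from the textbook or from this thread. Each "scan" is
a constructed vector of four feature values standing in for what a real sensor
extracts (e.g. fingerprint minutiae); the genuine and impostor scans are made up
so that the false rejection / false acceptance trade-off can be seen directly.
"""
from typing import Dict, List, Sequence, Tuple

Scan = Sequence[float]

# Constructed enrollment scans of one user; the template keeps only the averaged key features.
ENROLLMENT_SCANS: List[Scan] = [[1.0, 2.0, 3.0, 4.0], [1.5, 2.0, 3.0, 4.0], [0.5, 2.0, 3.0, 4.0]]
# Later scans of the same user (should be accepted) ...
GENUINE_SCANS: List[Scan] = [[1.0, 2.0, 3.0, 4.0], [1.0, 2.0, 3.0, 4.4],
                             [1.6, 2.0, 3.0, 4.0], [1.0, 2.8, 3.0, 4.0]]
# ... and scans of other people (should be rejected).
IMPOSTOR_SCANS: List[Scan] = [[3.0, 2.0, 3.0, 4.0], [1.0, 2.0, 3.0, 5.0],
                              [1.6, 2.6, 3.0, 4.0], [2.0, 3.0, 4.0, 5.0]]


def enroll(scans: Sequence[Scan]) -> List[float]:
    """Build the base template stored in the database from several enrollment scans."""
    n = len(scans[0])
    return [sum(s[i] for s in scans) / len(scans) for i in range(n)]


def match_index(template: Sequence[float], scan: Scan) -> float:
    """Root-mean-square distance between template and scan: 0.0 is a perfect match."""
    return (sum((t - s) ** 2 for t, s in zip(template, scan)) / len(template)) ** 0.5


def decide(template: Sequence[float], scan: Scan, threshold: float) -> bool:
    """Decision criterion: accept when the match index is at or below the threshold."""
    return match_index(template, scan) <= threshold


def error_rates(template: Sequence[float], genuine: Sequence[Scan],
                impostor: Sequence[Scan], threshold: float) -> Tuple[float, float]:
    """(false rejection rate, false acceptance rate) at one threshold."""
    frr = sum(not decide(template, s, threshold) for s in genuine) / len(genuine)
    far = sum(decide(template, s, threshold) for s in impostor) / len(impostor)
    return frr, far


def sweep(thresholds: Sequence[float]) -> Dict[float, Tuple[float, float]]:
    """Error rates over several thresholds: loosening the threshold lowers the
    false rejection rate and raises the false acceptance rate."""
    template = enroll(ENROLLMENT_SCANS)
    return {t: error_rates(template, GENUINE_SCANS, IMPOSTOR_SCANS, t) for t in thresholds}


if __name__ == "__main__":
    for t, (frr, far) in sweep([0.25, 0.35, 0.45]).items():
        print(f"threshold={t:.2f}  FRR={frr:.2f}  FAR={far:.2f}")
```

With these constructed scans a threshold of 0.25 rejects half of the genuine users while admitting no impostor, 0.45 admits every genuine user but also one impostor, and 0.35 is the only setting with no error on either side; a real deployment picks the threshold from the same kind of sweep over real enrollment data.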
Mariam Hazali says
Hi Kenneth, thank you for sharing your insights. I appreciate how you explained the mechanism behind biometric authentication. Most people perceive biometric authentication as foolproof and immune to deception, but as you mentioned, false acceptances or rejections can occur, and there’s always the risk of someone attempting to deceive the system by copying a fingerprint and trying to use it to authenticate. Also, the cost of implementation of some of these biometric technologies, such as the iris scan, could discourage organizations from using them.
Erskine Payton says
Chapter 5 talks about the varying types of access control and how they work. I am always fascinated by the “In The News” section. I read how MoviePass was able to change the password of their subscribers to slow down traffic to the site or use a “trip wire” to limit ticket sales from the discount site.
Two things caught my eye this week. I like the section on physical security because I believe it is not talked about enough. While the section does point out the importance of network security, there is an expressed emphasis on having control of building access: understanding that there is a need to limit access with a single point of entry, but also realizing where the “weak spots” in your building are and where an attacker could potentially gain access.
The second thing that I want to discuss is the section on Auditing. This section gave me an informative explanation of auditing as well as logging. Logging is often the first step in an investigation and provides us with some idea of what, when, and where. The main emphasis was that logs must be read regularly and randomly; otherwise they are useless.
Chidiebere Okafor says
Well said, Erskine. The importance of logging and auditing as critical components of security strategy cannot be overstated. Auditing plays a key role in maintaining the security and integrity of information systems by providing visibility into system activities and enabling proactive threat detection and response. Effective auditing requires regular log review and integration with incident response processes, and adherence to best practices for log retention and storage.
Kelly Conger says
Erskine, That’s a great take on Chapter 5! Focusing on physical security is refreshing, recognizing it’s just as important as network security. Your point about “weak spots” in building access reflects a well-rounded understanding of security measures. Audit logging is another critical takeaway – understanding the importance of reviewing logs regularly is crucial for security. This shows you grasped the chapter’s concepts and their practical applications.
Nicholas Nirenberg says
Hi Erskine, I like how you mention that the focus on physical security in Chapter 5 highlights a crucial yet often neglected aspect of security strategies. It reminds us that safeguarding against physical breaches is as important as digital protection. Furthermore, the discussion on the importance of auditing and regular log reviews reinforces the idea that security is a comprehensive endeavor. Integrating physical security measures with diligent auditing practices forms a robust defense against both physical and digital threats, underscoring the necessity of a holistic approach to security.
Chidiebere Okafor says
This chapter defines access control as the policy-driven control of access to systems, data, and dialogues. The section that stood out to me the most was the various aspects of password security, including the use of reusable passwords versus one-time passwords, the vulnerabilities associated with password-cracking programs, the importance of strong password policies, and the risks of password misuse. Below is a quick summary –
Reusable Passwords vs. One-Time Passwords: Reusable passwords are commonly used for extended periods, while one-time passwords are used only once for enhanced security.
Password-Cracking Programs: Attackers can attempt to crack passwords by installing password-cracking programs on servers or copying password files for offline cracking.
Importance of Strong Password Policies: Companies need to establish strong password policies to mitigate the risks associated with reusable passwords. This includes regular auditing to ensure compliance with password policies and the use of strong, hard-to-crack passwords.
Password Use and Misuse: Passwords should not be reused across multiple sites to prevent widespread compromise if one password is compromised. Password management programs can help manage multiple passwords, but they can be cumbersome to use. Password duration policies should require frequent password changes, and shared accounts should be prohibited due to security risks and difficulties in accountability.
Companies should emphasize the importance of implementing robust password policies and practices to enhance security and protect against unauthorized access and data breaches.
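The contrast between reusable and one-time passwords, the offline cracking of a copied password file, and a policy that is actually auditable can all be shown in a few functions. This is an added example, not code from the textbook or from this thread; the tiny banned-password list, the password history and the OTP secret are constructed sample values, and it uses only the Python standard library.

```python
"""Reusable passwords vs. one-time passwords, with a policy check that uses only hashes.

Added example; not from the textbook or the thread. The banned-password list,
the user's password history and the OTP secret are constructed sample values.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, List

PBKDF2_ITERATIONS = 200_000   # a slow, salted hash makes a copied password file expensive to crack
MIN_LENGTH = 12
COMMON_PASSWORDS = {"password", "password123", "letmein", "qwerty123456"}   # constructed, tiny


def hash_password(password: str, salt: bytes) -> bytes:
    """What the password file stores (with its salt); never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def new_history_entry(password: str) -> Dict[str, bytes]:
    """Record a password that is being retired, as salt + hash only."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def check_policy(candidate: str, history: List[Dict[str, bytes]]) -> List[str]:
    """Return the policy violations for a proposed new password (empty list = acceptable).
    Reuse is detected by re-hashing the candidate under each old salt, so the history
    never has to hold old passwords in clear."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if any(hmac.compare_digest(hash_password(candidate, e["salt"]), e["hash"]) for e in history):
        problems.append("reuses a previous password")
    return problems


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: a code that is valid for exactly one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server side of a one-time password: each counter is accepted at most once, so a
    code observed by an attacker is worthless once the legitimate user has used it."""

    def __init__(self, secret: bytes, look_ahead: int = 3) -> None:
        self.secret, self.look_ahead, self.last_counter = secret, look_ahead, -1

    def verify(self, code: str) -> bool:
        # Tolerate a few skipped counters on the token, but never go backwards.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c        # this and every earlier counter are now burned
                return True
        return False


if __name__ == "__main__":
    history = [new_history_entry("CorrectHorseBattery9")]
    print(check_policy("password123", []))                 # short and common
    print(check_policy("CorrectHorseBattery9", history))   # reuse caught without storing the old password
    v = OtpVerifier(b"12345678901234567890")               # RFC 4226 test secret
    code = hotp(v.secret, 0)
    print(v.verify(code), v.verify(code))                  # True, then False: a replay is refused
```

The second `verify` call with the same code fails because the counter has been burned; that single line is the whole difference between a reusable password and a one-time one. The PBKDF2 iteration count is what makes an attacker who copies the password file pay for every guess, which is the defence against the offline cracking the summary mentions.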
Nicholas Nirenberg says
In this chapter I found part 5.9, which is titled Central Authentication Servers, particularly interesting. The section discusses the importance and functioning of Central Authentication Servers, emphasizing their role in managing access and authorizations across multiple servers within an organization. It discusses how centralized authentication servers are vital for reducing costs, ensuring consistent authentication across the network, and enabling immediate company-wide changes. A key point of interest is the use of the RADIUS standard for central authentication servers, which simplifies the authentication process by having a central server verify credentials sent by a supplicant through an authenticator, which then either grants or denies access based on the server’s response. I found this interesting because I remember studying RADIUS when preparing for the Security+ exam, but didn’t really understand it well.
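The supplicant / authenticator / central server exchange that Nicholas describes is concrete enough to model. The following is an added example, not code from the textbook or from this thread: it builds a RADIUS Access-Request the way RFC 2865 lays it out (header, random Request Authenticator, User-Name and hidden User-Password attributes), lets the server answer Access-Accept or Access-Reject, and has the authenticator check the Response Authenticator before opening the port. The shared secret, user database and packet identifier are constructed sample values, and the server keeps cleartext passwords only to keep the model short (a real server would compare against stored hashes).

```python
"""Model of one RADIUS exchange: supplicant -> authenticator -> central server (RFC 2865).

Added example; it is not code from Boyle and Panko or from this thread. The shared
secret, user database and packet identifier are constructed sample values.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3     # RADIUS packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                  # attribute types


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks; block i is XORed with MD5(secret +
    previous hidden block), the first one with MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side: undo hide_password, then strip the NUL padding."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(prev, key))
    return plain.rstrip(b"\x00")


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Type-Length-Value attributes; Length counts the two header bytes."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i + 1 < len(data):
        t, length = data[i], data[i + 1]
        if length < 2:                      # malformed attribute: stop rather than loop forever
            break
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def authenticator_build_request(secret: bytes, ident: int, user: str, password: str) -> bytes:
    """The authenticator (access point, VPN gateway, ...) wraps what the supplicant typed."""
    request_auth = os.urandom(16)          # fresh random Request Authenticator
    attrs = encode_attrs([(ATTR_USER_NAME, user.encode()),
                          (ATTR_USER_PASSWORD, hide_password(secret, request_auth, password.encode()))])
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(secret: bytes, users: Dict[str, str], request: bytes) -> bytes:
    """Central server: verify the credentials and answer Access-Accept or Access-Reject."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = decode_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    given = reveal_password(secret, request_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    stored = users.get(user)
    ok = stored is not None and hmac.compare_digest(given, stored.encode())
    code, reply_attrs = (ACCESS_ACCEPT if ok else ACCESS_REJECT), b""
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def reply_is_authentic(secret: bytes, request: bytes, reply: bytes) -> bool:
    """Authenticator side: the reply must match our Identifier and carry a Response
    Authenticator computed with the shared secret, so a spoofed or altered reply is dropped."""
    _, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    return ident == request[1] and hmac.compare_digest(expected, reply[4:20])


def radius_authenticate(secret: bytes, users: Dict[str, str], user: str, password: str) -> bool:
    """Whole exchange; the authenticator opens the port only on a verified Access-Accept."""
    request = authenticator_build_request(secret, 0x2A, user, password)
    reply = server_handle(secret, users, request)      # in reality sent over UDP port 1812
    return reply_is_authentic(secret, request, reply) and reply[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    SECRET, USERS = b"constructed-shared-secret", {"alice": "CorrectHorseBatteryStaple"}
    print(radius_authenticate(SECRET, USERS, "alice", "CorrectHorseBatteryStaple"))   # True
    print(radius_authenticate(SECRET, USERS, "alice", "wrong-password"))              # False
```

Two details are worth noticing from a defender's side: the password is only obscured with an MD5 keystream derived from the shared secret, which is why RADIUS traffic is normally carried inside a protected tunnel or replaced by EAP methods; and the Response Authenticator is what stops a forged Access-Accept from reaching the authenticator, which is exactly what the test below checks by flipping a Reject into an Accept.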
Andrew Young says
The perspective on RADIUS was very interesting. This book excels at using diagrams to illustrate how these various complex systems operate. What I thought of when looking at RADIUS systems, however, was also how they could possibly be interrupted or exploited. I wonder how the use of something like a DoS attack could interrupt the RADIUS protocol and what organizations can do to mitigate that risk or prepare for it; as the book says, systems are only as good as their weakest link.
Andrew Young says
This chapter of Boyle and Panko covers various levels of access control, ranging from physical to digital access methods. What I found interesting about this chapter was how diverse and thorough but also malleable security must be to meet the needs of an organization while also meeting the challenges of an evolving threat sector. The inclusion of means up to armed guards but also fraud detection protocols to avoid issues such as password cracking or phishing really illustrated how necessary it is to have a robust security system in place both on-site and online to protect an organization. It was also interesting to see how these determinations are made, and when and how organizations choose to authorize or ignore different security measures or risks.
Jeffrey Sullivan says
Great summary. Yes, the human factor is one that stood out for me as well, especially the guard. I can’t tell you how many times employees have let other employees and random citizens into our building by holding the door and not showing ID. It only takes one incident for security to tighten up. Unfortunately, there was one time when an employee let an ex-employee back into the building who was threatening the whole building; security had the whole building on lockdown, emergency services were called, etc. Luckily nothing terrible happened, but it gives you a perspective on how important authorization and authentication are when you experience it in real life rather than remotely.
Erskine Payton says
Hello Andrew.
I agree with your takeaway that security must be diverse, thorough, as well as malleable. Security access control must be able to adapt to and combat emerging threats. When we talk about security in IT, we think digital, which is important, but the focus on physical is just as key. Your closing highlights how organizations really have to assess their risk appetite to determine what is worth the risk.
Mariam Hazali says
Chapter 5: Access Control
In this chapter, the author emphasizes the critical role of access control in safeguarding assets, which involves protecting sensitive information (confidentiality), maintaining system integrity, and ensuring asset availability. Access control plays a big role in the CIA triad as it touches all three fundamental aspects of cybersecurity.
Access controls begin with physical security, ensuring physical access to resources is only available to authorized individuals and the surrounding environment is secured from both natural and man-made events.
The three principles of access controls are AAA (authentication, authorization, and auditing), where authentication involves assessing the identity of the person requesting access to a resource, authorization is giving the correct permission to a resource, whether it is read or write, and auditing is collecting information about an individual’s activities in log files for analysis. Without auditing, errors will go unnoticed. The chapter explores various access control models such as RBAC, DAC, and MAC, which aid in ensuring individuals have appropriate access rights. Managing user privileges and enforcing the principle of least privilege are pivotal aspects of access control.
Access control mechanisms have evolved over the years, from traditional passwords to biometrics and the use of tokens. The author discusses weaknesses associated with common access control methods. For instance, passwords are prone to exploitation because people use weak passwords and reuse them across multiple systems, so when an attacker gains access to one they can try to access other systems as well. Biometric authentication, though it seems secure, has its challenges, such as susceptibility to deception, high error rates, and implementation costs.
As threats are evolving, so is the technology. The challenges posed by single-factor authentication led to the development and implementation of two-factor authentication, which requires a user to authenticate with at least two factors. These two factors can be something you know (PIN, password), something you are (biometric), something you have (token), or something you do (signature).
I think in the future, we’re likely to see more businesses and organizations embracing technologies like single sign-on (SSO) and federation. Currently, many businesses rely on trusted third parties like Facebook and LinkedIn to authenticate users. These trends suggest a growing recognition of the benefits of streamlined authentication processes and improved user experiences. As digital interactions become more integrated and complex, SSO and federation offer efficient solutions for managing user access across various platforms, making them key components of future online identity management strategies.
Jeffrey Sullivan says
Great job in pointing out the CIA triad and how access control plays a big role in the triad, as it touches all three fundamental aspects of cybersecurity. I also feel that this chapter really started to bridge the gap with last semester’s protection of information assets by showing how access control ties into the triad. As you also point out, threats and technology are evolving; I can say that is very true, as it’s been twenty years since I read about authentication, and that has changed throughout the years and is now changing even more rapidly. For example, Kerberos, which Microsoft uses to link hosts together, is more than an authentication server: it provides keying information to parties that need to communicate with one another, and it can provide authorization information as well.
Ikenna Alajemba says
Absolutely, this chapter underscores access control’s pivotal role in safeguarding assets, encompassing confidentiality, integrity, and availability. It delves into physical security measures and the AAA principles (authentication, authorization, auditing) crucial for controlling access. Access control models like RBAC, DAC, and MAC are explored, emphasizing the importance of managing user privileges and adhering to the principle of least privilege to ensure appropriate access rights and mitigate security risks. Great job Mariam.
Alex Ruiz says
My favorite part of this chapter on access controls was 5.5, regarding biometric systems’ presence as an authenticating factor, which a lot of organizations choose in addition to or as a replacement for the rather dated and problematic password system. Whether the system is a simple fingerprint scan or something more advanced, biometric presence is a great additional layer of security that keeps access to the appropriate parties. There is always something to consider when adding more layers, though, such as ease of access, scalability, and in this case the false acceptance and false rejection rates. Also, some biometrics such as facial or voice recognition are easily deceived and should not be used alone but with additional layers reinforcing them.
Hashem Alsharif says
For starters, I appreciate the distinction this chapter made between authentication and authorization. In terms of authorization, it focuses on assessing the identity; in other words, it validates identity. An authorization is the set of permissions that an authenticated user has depending on the level of their identity. A number that shocked me was that 52 percent of users use the same password for numerous sites and, even worse than that, 70 percent of users still used the same password for a year after a data breach. I can see both sides of the perspective here. On one end, it’s a horrible idea to use the same password, as if a hacker were able to obtain it, they would have access to multiple accounts. On the other hand, I can understand how it would be tedious to keep track of so many different passwords. There are optional ways to tackle this; for example, there are apps that allow you to keep the passwords for your accounts, but those also run the risk of going through a breach.
Mariam Hazali says
Hi Hashem, your analysis brought up a very important point regarding passwords. It’s indeed difficult for individuals to manage multiple passwords across different sites, often leading them to use a single password for convenience. You mentioned password managers and the risk of them being breached; I have read an article where LAPS, one of the password manager providers, was attacked, but hackers were not able to view users’ passwords. Passwords are very convenient, but they come with so many risks. I think technologies like MFA can help slow down attackers and add another layer of security.
Kelly Conger says
Boyle and Panko’s Chapter 5 discusses the fundamental principles and mechanisms for managing access to computer systems and resources. The chapter explains the core concepts of access control, which dictate who can access resources and under what conditions. It also explores various access control models, including discretionary, mandatory, and role-based, each with unique rules for access management. The chapter provides an in-depth analysis of access control mechanisms, such as access control lists, capabilities, and access matrices, which enforce the defined access control policies. It emphasizes the importance of formulating and implementing access control policies that set access rules based on user identity, roles, and permissions. Boyle and Panko stress the significance of access control strategies such as the principle of least privilege, which restricts users’ access to the minimum resources required for their tasks, thereby enhancing security.
Additionally, they highlight the need to implement robust authentication mechanisms and separate duties to mitigate security risks effectively. Chapter 5 addresses challenges in access control, including balancing security with usability and managing access control in distributed systems. It also examines insider threats and the complexities of securing resources against unauthorized access.
Overall, Boyle and Panko provide a comprehensive overview of access control, covering its principles, mechanisms, and strategies for safeguarding computer systems and resources from unauthorized access and potential security breaches.
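Two posts above describe the same machinery from different angles: Mariam's AAA walk-through (authentication, authorization with read or write permission, auditing to log files) and Kelly's list of mechanisms (access control lists, capabilities, access matrices, least privilege, separation of duties). One small reference monitor can show all of it together. This is an added example, not code from Boyle and Panko or from any post here; the users, roles, objects, passwords and log lines are constructed sample data, and the credential store holds passwords in clear only to keep the example short.

```python
"""Access matrix, ACL and capability views, roles, separation of duties, audit log.

Added example; not from the textbook or the thread. Users, roles, objects,
passwords and the resulting log lines are constructed sample data.
"""
import hmac
from typing import Dict, FrozenSet, List, Set

# Access matrix: one row per role (subject), one column per object; a cell is the permission set.
MATRIX: Dict[str, Dict[str, FrozenSet[str]]] = {
    "payroll_clerk": {"payroll.db": frozenset({"read", "write"})},
    "analyst":       {"payroll.db": frozenset({"read"}), "reports/": frozenset({"read", "write"})},
    "auditor":       {"audit.log": frozenset({"read"}), "payroll.db": frozenset({"read"})},
}
# Separation of duties: nobody may both change payroll and audit it.
CONFLICTING_ROLES = {frozenset({"payroll_clerk", "auditor"})}
# Constructed credential store; a real system stores salted hashes, not passwords.
CREDENTIALS: Dict[str, str] = {"alice": "alice-pw", "bob": "bob-pw", "carol": "carol-pw"}


def acl(obj: str) -> Dict[str, FrozenSet[str]]:
    """Column view of the matrix: the access control list attached to one object."""
    return {role: cells[obj] for role, cells in MATRIX.items() if obj in cells}


def capability_list(role: str) -> Dict[str, FrozenSet[str]]:
    """Row view of the matrix: the capabilities a subject holding this role carries."""
    return dict(MATRIX.get(role, {}))


class ReferenceMonitor:
    """Authentication, authorization and auditing (AAA) in one small mediator."""

    def __init__(self) -> None:
        self.roles: Dict[str, Set[str]] = {}
        self.authenticated: Set[str] = set()
        self.log: List[str] = []            # the audit trail

    def can_assign(self, user: str, role: str) -> bool:
        """Separation of duties is checked at assignment time, not at access time."""
        held = self.roles.get(user, set())
        return not any(role in pair and held & (pair - {role}) for pair in CONFLICTING_ROLES)

    def assign_role(self, user: str, role: str) -> None:
        if not self.can_assign(user, role):
            raise ValueError(f"{user}: role {role} conflicts with an already held role")
        self.roles.setdefault(user, set()).add(role)

    def authenticate(self, user: str, password: str) -> bool:
        """Authentication: is this really the claimed user?"""
        ok = user in CREDENTIALS and hmac.compare_digest(CREDENTIALS[user], password)
        self.log.append(f"AUTH user={user} result={'success' if ok else 'failure'}")
        if ok:
            self.authenticated.add(user)
        return ok

    def authorize(self, user: str, obj: str, action: str) -> bool:
        """Authorization: least privilege, derived only from the roles the user holds."""
        allowed = user in self.authenticated and any(
            action in MATRIX.get(r, {}).get(obj, frozenset()) for r in self.roles.get(user, ()))
        self.log.append(f"AUTHZ user={user} object={obj} action={action} "
                        f"result={'allow' if allowed else 'deny'}")
        return allowed


def review_log(log: List[str], threshold: int = 3) -> Dict[str, int]:
    """Auditing: count failed logins and denied requests per user and return the
    users at or above the threshold for follow-up. Logs nobody reads catch nothing."""
    counts: Dict[str, int] = {}
    for line in log:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields["result"] in ("failure", "deny"):
            counts[fields["user"]] = counts.get(fields["user"], 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


def demo() -> Dict[str, int]:
    """Constructed scenario; returns the users flagged by the log review."""
    rm = ReferenceMonitor()
    rm.assign_role("alice", "payroll_clerk")
    rm.assign_role("bob", "analyst")
    rm.assign_role("carol", "auditor")
    rm.authenticate("alice", "alice-pw")
    rm.authorize("alice", "payroll.db", "write")      # allow: clerks may change payroll
    rm.authenticate("bob", "bob-pw")
    rm.authorize("bob", "payroll.db", "write")        # deny: analysts only read payroll
    for _ in range(3):
        rm.authenticate("mallory", "guess")           # three failed logins
    rm.authorize("mallory", "payroll.db", "read")     # deny: never authenticated
    return review_log(rm.log)


if __name__ == "__main__":
    print(acl("payroll.db"))            # who may do what to one object
    print(capability_list("auditor"))   # what one role may do across objects
    print(demo())                       # {'mallory': 4}
```

The same matrix answers both questions the chapter distinguishes: `acl()` reads a column (the object's point of view) and `capability_list()` reads a row (the subject's point of view). The separation-of-duties check lives in role assignment rather than in `authorize`, which keeps the access-time decision simple and auditable.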
Akintunde Akinmusire says
This week’s reading gave a clear understanding of how an organization’s network should be controlled. It is important for users to be advised to use a strong password that they can easily remember and that can’t be guessed. Using a password alone is not enough to secure the network, so Multi-Factor Authentication (MFA) should be used. MFA is a security measure that double-checks a user’s identity before they can access an organization’s resources. MFA will help protect against unauthorized access even if the right password is being used.