Security Architecture

MIS 5214 - Section 001 - David Lanter

MIS 5214.702 ■ Spring 2021 ■ Wade Mackey

My question to discuss with my classmates

March 3, 2021 by Wade Mackey 54 Comments

Filed Under: 08 - Access Control

Comments

  1. Nicholas Fabrizio says

    March 4, 2021 at 4:54 pm

    What are the three factors used when trying to authenticate an individual and provide an example for each factor?

    • Christa Giordano says

      March 7, 2021 at 9:21 am

      Hi Nicholas,

      Three factors that are used when trying to authenticate an individual include the following:
      What you know, such as requiring a password and/or the answer to a security question.
      What you have, such as a secure token.
      What you are, typically a biometric feature such as facial recognition or eye scan.

      These factors are typically used in conjunction for multi-factor authentication in the event that one (or more) of these factors is compromised. Even with multi-factor authentication, it is still not 100% secure, as these methods are still susceptible to Trojan horse attacks (compromising the user’s computer) or man-in-the-middle attacks utilizing a fake website between the end user and the “real” website or application the user is trying to access.

    • To-Yin Cheng says

      March 7, 2021 at 2:15 pm

      The three factors of authentication are:
      Something you know (knowledge): password or PIN
      Something you have (possession): credit card number, RSA token, ID card
      Something you are (inherence): any biometric method like a fingerprint, voiceprint, iris scan, hand geometry
      It would be more secure to use at least two of these factors. It makes it more difficult for a hacker to enter the system with unauthorized access. However, multi-factor authentication is not unhackable. It cannot prevent phishing and social engineering.

    • Jonathan Mettus says

      March 7, 2021 at 2:22 pm

      The three factors referenced in the book are something you know, something you have, and something you are. I’d argue those aren’t the only three factors, however. For example, location or “somewhere you are” is often used as a factor. In this case, a user might be able to log in to his/her corporate account only when their phone GPS has them placed in the vicinity of the office.

  2. Megan Hall says

    March 6, 2021 at 12:35 pm

    NIST SP 800-63-3 outlines Digital Identity Guidelines to assist with implementing digital authentication in three key areas: identity proofing, authentication, and federation. Which of these three key areas do you think would be the most difficult to evaluate and implement the necessary level of assurance?

    • Elias Harake says

      March 9, 2021 at 11:41 am

      Great question Megan. I think that the third level is most difficult to both implement and evaluate, since you would have to add additional security controls such as multi-factor authentication instead of just a password in the first level. I also think that would require more technology and more expenses, such as requiring a biometric fingerprint scanner upon login.

  3. Christopher Clayton says

    March 7, 2021 at 8:17 am

    All of us had to use the two-factor authentication in order to log in to a personal account (bank, Facebook, LinkedIn, etc). What accounts would be suitable to utilize the multifactor authentication for proper security purposes?

    • To-Yin Cheng says

      March 7, 2021 at 2:36 pm

      Two-factor authentication is a type of multi-factor authentication. For most businesses, two-factor authentication should be needed. The question you are asking, I believe, is what industry will need to use more than 2-factor authentication. I believe the government’s top-secret departments or the Department of Defense definitely need that authentication, because it is extremely dangerous if hackers get access to their systems. Also, the financial industry and data centers might need multi-factor authentication to protect their clients’ information.

      • Christopher Clayton says

        March 7, 2021 at 3:58 pm

        Yes, I meant to clarify what type of organization or industry applies the multifactor for security benefits.

    • Jonathan Mettus says

      March 7, 2021 at 3:25 pm

      I actually haven’t come across a personal account of mine that allows the use of more than two factors. Usually, I can use more than two kinds of factors, but only have to present two to log in. One of my big concerns is that only single-factor authentication is in place at my bank, and they still haven’t allowed the use of multi-factor authentication. To answer your question, things like bank accounts, IRS accounts, etc. are good candidates for multi-factor authentication. In those situations, there’s usually a higher burden to prove your identity upfront, and those accounts have major implications on your life. If someone gets into my Twitter account, it’s not that big of a deal outside of their ability to now phish people that I know.

    • Christa Giordano says

      March 8, 2021 at 8:40 pm

      Hi Christopher,
      While I think multi-factor authentication will eventually become the norm, I definitely think there are priorities when considering when to implement multi-factor authentication, such as the sensitivity of the information and what impact it would have if this information was compromised. In addition to what has been stated, I think hospitals and health care providers should use multi-factor authentication due to data privacy and compliance laws, protected health information, and HIPAA requirements. Airlines and other transportation authorities, to safeguard flight plans, routes, and other information that could be utilized in a terrorist attack, and nuclear power plants, which could have a devastating impact if information fell into the wrong hands.

  4. Christa Giordano says

    March 7, 2021 at 9:05 am

    Boyle Chapter 5 mentions that eventually passwords could be phased out in the near future as a security measure. What are the alternative measures that can be used and which one do you think is the most effective?

    • Xiduo Liu says

      March 7, 2021 at 5:50 pm

      Multifactor authentication in conjunction with behavior-based authentication will become more widespread. I see machine learning will be utilized more in identifying and protecting legitimate attempts vs. illegitimate attempts.

    • Ashleigh Williams says

      March 7, 2021 at 11:59 pm

      Multi-factor authentication, biometric authentication, and VPN access are a few alternatives to passwords that I currently see being used today. In most cases, these methods are easier to use and preferred to passwords.

    • Wei Liu says

      March 8, 2021 at 5:44 pm

      The use of the fingerprint as an alternative to the password has increased dramatically in recent years. Traditional fingerprint sensors were relatively expensive and very heavy. Now they are small enough to incorporate into smartphones and tablets, hidden in any button, and fast enough to check fingerprints in less than a second.

  5. To-Yin Cheng says

    March 7, 2021 at 12:53 pm

    Since fingerprint authentication might not work for all individuals, what other biometric authentication would you recommend?

    • Christopher Clayton says

      March 7, 2021 at 1:51 pm

      Hi To-Yin, I would recommend face recognition due to improved security and the fact that it reduces the cost of hiring security personnel. It also has a high accuracy rate in facial technologies due to infrared light cameras and 3D settings that make it very difficult for any intruder to trick the system.

    • Lakshmi Surujnauth says

      March 7, 2021 at 5:03 pm

      Hi To-Yin,

      Another biometric authentication that could be used is iris recognition; this works by verifying the pattern in the colored part of the eye by way of a camera. While it has been dubbed the most precise form of biometric authentication, with very low false acceptance rates, it comes with a hefty price tag. It would perhaps be more suited to larger companies with a mature security posture and the wherewithal to implement this type of biometric authentication.

    • Xiduo Liu says

      March 7, 2021 at 6:05 pm

      Facial recognition, voice recognition, iris recognition, and retina scans are all alternatives to fingerprints. I think organizations should make more than one form of biometric available to address any accessibility issue.

    • Quynh Nguyen says

      March 7, 2021 at 7:42 pm

      What’s popular with new smartphones nowadays is facial recognition, which has proven to work well for the most part and is very common in today’s world. Another biometric authentication could be eye (iris) recognition; however, this would require a very high-tech scan of the eye. There is also voice recognition, DNA match, finger geometry, hand geometry, and typing recognition.

    • Ashleigh Williams says

      March 8, 2021 at 12:01 am

      The main alternatives to fingerprints I’d recommend are face recognition and voice recognition. While voice recognition might be the more difficult and costly option, it is a good alternative to fingerprints, and I’ve seen companies doing this already.

  6. Jonathan Mettus says

    March 7, 2021 at 2:18 pm

    Which is a more secure way to handle password resets: phone calls to the help desk or an automated system?

    • To-Yin Cheng says

      March 7, 2021 at 3:04 pm

      It is quite an interesting question. Phone calls to the help desk would require you to answer questions about things you know, like your name, address, or even social security number, to verify your information. I believe the help desk is more secure, by verifying your information first and then sending out the reset link or temporary password to the user’s email address (something you know). Users need to set a new password once they receive that email. That would count as two-factor authentication. If the password is reset by an automated system, it only needs to send out the reset email or text message with a PIN. It is less secure compared to calling the help desk.

    • Xiduo Liu says

      March 7, 2021 at 5:56 pm

      Phone calls alone are not enough. Anyone can pretend to be anyone. It is a prime target for social engineering. A password reset policy should be established to eliminate the possibility of social engineering; therefore there should be at least one additional form of identification in addition to the phone call for any password reset process.

    • Quynh Nguyen says

      March 7, 2021 at 8:02 pm

      Definitely an automated system, because the help desk would mean dealing with real people that may have malicious intent. For example, calling the help desk to request a password reset will notify the help desk rep that the employee has forgotten his or her password. This could give them the opportunity to use their access power to pretend to be the user and reset the password to something of their choosing to perform unauthorized access. An automated system would also minimize the risk of human error, is more accurate, and is more efficient in that there is no wait time as when calling the help desk. The service with an automated system is instant.

    • Lakshmi Surujnauth says

      March 7, 2021 at 8:43 pm

      Given that password resets via the helpdesk are costly to a company, one may be inclined to go with the automated system. However, the latter is a security risk, as users could easily share their authentication questions/answers used to reset the password, or the password itself, be it intentionally or accidentally, making that approach the weaker of the two. Considering this tradeoff between cost and risk, the helpdesk option would be the optimal choice for password resets. Of course, this wouldn’t be a mere call to reset passwords, but would involve authenticating the user and securing the line with an access code sent to the user via mobile/email. The last thing an organization would want is to save a few hundred thousand in helpdesk cost, only to wind up with a data breach due to password compromise that costs them millions of dollars.

    • Mitchell Dulaney says

      March 8, 2021 at 3:02 pm

      Unfortunately, I don’t think there is a way to completely eliminate the need for help desk representatives in relation to password resets. Regardless of how complex an automated system is, there will be situations where the legitimate account holder is not able to complete a password reset using the system, and escalation to a human being would be necessary. This means malicious social engineering will always be a risk in the enterprise environment, and effective help desk training and thorough policies are needed to mitigate that risk.

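
Several replies in this thread converge on the same control: whichever channel starts the reset (help desk or self-service), the reset itself should be completed with a separate code delivered out of band, as Lakshmi and Xiduo describe. The following Python block is an added example, not code from the course or from any commenter, showing the properties such a code needs on the server side: random, stored only as a hash, time-limited, single-use, and burned after too many wrong guesses. The `PasswordResetService` class, the 15-minute lifetime and the 5-attempt limit are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: a reset code is good for 15 minutes
MAX_ATTEMPTS = 5              # assumed policy: burn the code after this many wrong guesses


@dataclass
class ResetRecord:
    token_hash: bytes     # SHA-256 of the code; the plaintext is never stored
    expires_at: float
    attempts: int = 0
    used: bool = False


class PasswordResetService:
    """Hypothetical automated reset back end (an assumption for this example)."""

    def __init__(self):
        self._pending = {}  # username -> ResetRecord

    def issue_token(self, username, now=None):
        """Create a fresh code for the caller to send to the user's registered
        e-mail or phone. Only the hash is kept, so a database leak does not
        hand an attacker usable reset codes."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)       # 256 bits of randomness
        self._pending[username] = ResetRecord(
            token_hash=hashlib.sha256(token.encode()).digest(),
            expires_at=now + TOKEN_TTL_SECONDS,
        )
        return token

    def redeem(self, username, token, now=None):
        """Return True exactly once for the right code, inside its lifetime."""
        now = time.time() if now is None else now
        record = self._pending.get(username)
        if record is None or record.used or now > record.expires_at:
            return False
        record.attempts += 1
        if record.attempts > MAX_ATTEMPTS:
            del self._pending[username]          # too many guesses: start over
            return False
        presented = hashlib.sha256(token.encode()).digest()
        # constant-time comparison avoids leaking how many bytes matched
        if not hmac.compare_digest(presented, record.token_hash):
            return False
        record.used = True                       # single use
        return True


if __name__ == "__main__":
    svc = PasswordResetService()
    code = svc.issue_token("alice")
    print("first redeem:", svc.redeem("alice", code))    # True
    print("replayed code:", svc.redeem("alice", code))   # False
```

The `now` parameter exists so the expiry path can be exercised deterministically; in production it is simply left at the default clock. The piece this block does not show is the delivery channel itself, which is where the thread's point about help desk verification still applies: the code is only as good as the out-of-band address it is sent to.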
  7. Lakshmi Surujnauth says

    March 7, 2021 at 4:45 pm

    How can an organization stem the password reuse phenomenon?

    • Quynh Nguyen says

      March 7, 2021 at 9:45 pm

      Organizations can reduce the password reuse problem by requiring passwords to be changed every 90 days and implementing a policy standard that requires the new password to be different than the previous 24 passwords. This way, employees aren’t able to keep using the same password across all accounts or go back to their old passwords the next time.

    • Nicholas Fabrizio says

      March 8, 2021 at 9:36 am

      Organizations can help keep employees from reusing passwords by purchasing an enterprise password management system that will allow the employees to easily create and store long, complex passwords. A benefit of a password manager is that employees do not have to try to memorize passwords or store them in an unsecure location (writing them down, or using an Excel spreadsheet). A lot of password management systems have the ability to use multi-factor authentication to help secure each individual’s password vault. This system could also be used in conjunction with policies on having to reset passwords after a certain amount of time has passed or on how complex the passwords need to be.

    • Wei Liu says

      March 8, 2021 at 5:48 pm

      Password policies should require the frequent changing of passwords. User passwords should be changed perhaps every 90 days. This way, if an attacker learns a password, he or she will only be able to use it for a limited time.

    • Charlie Corrao says

      March 9, 2021 at 3:21 pm

      Organizations can only do so much in regards to reusing passwords. For example, if you only change the special character in your password, but nothing else, that will still satisfy the requirement of a “unique” password, but it is still not secure. User education is the best way to combat this. Users should learn about the dangers around reusing insecure passwords, as technical controls can only help so much.

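
Quynh's reply states the "different from the previous 24 passwords" policy, and Charlie's reply points out its blind spot: swapping one special character satisfies a pure history check. The Python block below is an added example, not code from the course or from any commenter, that implements both checks together so the second weakness is caught. The history is kept as salted PBKDF2 hashes (a standard-library choice made for this example; the iteration count is lowered so the demo runs quickly), and because the user presents the current password at change time, its plaintext can be compared against the new one with an edit-distance threshold. The `PasswordHistory` class, `depth` parameter and the minimum edit distance of 4 are assumptions for the illustration.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 24          # policy from the thread: reject any of the previous 24 passwords
PBKDF2_ITERATIONS = 2_000   # lowered for a quick demo; production uses a far higher count
MIN_EDIT_DISTANCE = 4       # assumed policy: new password must differ by at least 4 edits


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so each entry has its own salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password, salt, digest):
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def levenshtein(a, b):
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class PasswordHistory:
    """Hypothetical per-user record of recent password hashes (assumption for this example)."""

    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self._history = []  # list of (salt, digest), newest last

    def set_initial(self, password):
        self._history = [hash_password(password)]

    def change_password(self, current_password, new_password):
        """Return (accepted, reason). Rejects wrong current password, near-duplicates
        of the current password, and anything still in the history window."""
        if not self._history or not matches(current_password, *self._history[-1]):
            return False, "current password incorrect"
        # Charlie's case: "Winter2021!" -> "Winter2021#" is one edit away, so it is refused
        if levenshtein(current_password.lower(), new_password.lower()) < MIN_EDIT_DISTANCE:
            return False, "too similar to current password"
        # Quynh's case: anything in the last `depth` entries is refused
        for salt, digest in self._history[-self.depth:]:
            if matches(new_password, salt, digest):
                return False, "password was used recently"
        self._history.append(hash_password(new_password))
        del self._history[:-self.depth]   # keep only the newest `depth` entries
        return True, "ok"


if __name__ == "__main__":
    h = PasswordHistory()
    h.set_initial("Winter2021!")
    print(h.change_password("Winter2021!", "Winter2021#"))        # (False, 'too similar to current password')
    print(h.change_password("Winter2021!", "correct horse battery"))  # (True, 'ok')
```

Note that the similarity check can only be applied against the current password, since older entries survive only as hashes; that is the design reason the check sits at the moment the user proves the old password. The `depth` parameter is exposed so the eviction behaviour can be tested with a short window without changing the 24-entry policy constant.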
  8. Xiduo Liu says

    March 7, 2021 at 5:46 pm

    Organizations are starting to make two-factor authentication a standard. Usually one of the factors is the password. However, as we are all aware, the password is no longer effective, and at some point in the future it will become a thing of the past. With the different factors of authentication mentioned in the text, what would be a good combination of authentication methods replacing passwords?

    • Lakshmi Surujnauth says

      March 7, 2021 at 8:38 pm

      Hi Xiduo,

      A good combination of authentication methods that could replace passwords are access cards & biometrics (iris scanner, fingerprint, facial recognition, etc.). This represents something a user has and something a user is, respectively, and therefore a feasible alternative for replacing passwords.

    • Mitchell Dulaney says

      March 8, 2021 at 2:58 pm

      I think a combination of a biometric scan, either fingerprint or facial recognition, and a smartcard that must be renewed periodically, would eventually catch on as a way to avoid passwords. I think the primary reason why this hasn’t happened yet is the cost to implement biometric measurement tools across the board in an enterprise environment. Fingerprint scanners on all laptops and desktops would be expensive, but perhaps as that technology becomes cheaper, or facial recognition becomes the norm on all workstations, biometrics as an authentication factor will become more popular. Forcing smartcards to be renewed periodically would be similar to forced password changes, but would reduce the memory burden on end users, and could be more secure (for example, new smart cards would be delivered by mail or the users would have to check in for their new card in-person).

  9. Wei Liu says

    March 7, 2021 at 6:25 pm

    Can you think of some situations where mandatory and discretionary access control might fail?

  10. Quynh Nguyen says

    March 7, 2021 at 7:44 pm

    Most companies today are switching to two-factor authentication. Do you think there will ever be a need for companies to switch to three- or four-factor authentication, or is that overkill?

    • Ashleigh Williams says

      March 8, 2021 at 12:04 am

      Good question! I think as technology advances, we always outgrow the current phenomenon, so to speak. We are currently seeing a trend from passwords to multi-factor authentication. I think there could come a time where there will be a shift to three- or four-factor authentication, or even something completely different.

    • Charlie Corrao says

      March 8, 2021 at 4:58 pm

      I think eventually that 3- or 4-factor authentication will become the norm. Just a few years ago, two-factor authentication was not widely used, but now it is. Since then, cybercriminals have discovered ways to disrupt this process. I think biometrics will start to play a bigger role in the authentication process in people’s everyday lives. Hackers get smarter every day, so it is only a matter of time before 3-factor will become the norm.

  11. Elias Harake says

    March 7, 2021 at 8:34 pm

    What would be some of the reasons why an entity would need to renew its digital identity? Do digital identities expire, if so, what is the usual validation term for a digital identity?

  12. Panayiotis Laskaridis says

    March 7, 2021 at 9:46 pm

    What is your personal preference for authentication? How much convenience are you willing to sacrifice in the name of authentication?

    • Nicholas Fabrizio says

      March 8, 2021 at 9:50 am

      That is a good question, and I think it really depends on the industry. I would be willing to sacrifice convenience by having additional authentication measures in place for financial, healthcare, or any industry that may contain sensitive information, to help mitigate the potential of unauthorized access.

    • Mitchell Dulaney says

      March 8, 2021 at 2:51 pm

      My personal preference would be multi-factor authentication via something I have (my phone, for example) and something I am (fingerprint scan). My organization uses a password and phone combination, but I’d prefer to cut out the password and simply scan my fingerprint alongside the phone authentication. This would be costly and difficult to implement enterprise-wide, so I understand why this isn’t the case in most organizations.

    • Charlie Corrao says

      March 9, 2021 at 3:17 pm

      Personally, I have started to shift my mindset around authentication. Before, I found it annoying that I needed unique passwords for every website and needed to turn on 2FA. But this program has really opened my eyes to the amount of threats that I am vulnerable to without these protections. I do think at a certain point you can take authentication precautions too far, but now I ensure passwords to sensitive things I access online (online banking etc.) are extremely secure.

  13. Mitchell Dulaney says

    March 7, 2021 at 9:51 pm

    Why don’t all organizations implement three-factor authentication for systems access? What are the costs and benefits of increasing the steps required to authenticate to an information system?

    • Michael Doherty says

      March 7, 2021 at 11:36 pm

      This is an interesting question. I would think that the reason why companies do not implement 3FA is because of the non-techy employees who would have problems signing in every day. I think that calls to the helpdesk would increase, as users do not want to be bothered by the complication of signing into the system. Increased calls could mean increased hires on the support team to help these users.

  14. Michael Doherty says

    March 7, 2021 at 11:32 pm

    Does your company have a retention policy? Do you think your company follows it? Do you think that some documentation has been kept past the retention period? If so, why do you think it was kept?

    • Christa Giordano says

      March 8, 2021 at 8:52 pm

      Hi Michael,
      I always love a records question!
      My organization has a national records retention manual with retention requirements by category. Each district (12 in all) should follow this retention guidance, and only in rare circumstances should they deviate from this guidance, and then with the appropriate approval from senior management and our legal department. For the most part, I believe people follow guidelines for storing information in our official repositories and the shared drives. We have implemented a standard naming convention for our folders which includes the retention requirements in the name, i.e. “Audit Files close + 7 years”, which makes it easy when we perform our annual clean-up. In addition, we raise awareness through Records and Information Management Month in April. Some obstacles we face in this space include people being afraid to delete information, not recognizing the importance of maintaining up-to-date files, and some folks not making records management a priority. The pandemic has made it challenging to comply with the destruction of physical records that are stored onsite, when we have been working remotely for almost a year.

  15. Ashleigh Williams says

    March 7, 2021 at 11:42 pm

    What are the three steps of the identity proofing and enrollment process flow? Is one single organization expected to deliver each step of the process?

  16. Charlie Corrao says

    March 8, 2021 at 5:00 pm

    Are there any downsides to using two-factor authentication? What are some potential risks?

    • Wei Liu says

      March 8, 2021 at 5:57 pm

      The one drawback of using two-factor authentication is time. It takes time to set up and extra time to log in. Also, if attackers cannot access the account without the second factor, the account owner won’t be able to either. They may be unable to recover the second factor if their security key, or the phone with the authenticator app, is lost, stolen, or broken.

    • Nicholas Fabrizio says

      March 8, 2021 at 8:37 pm

      A drawback of using two-factor authentication for an organization is that it usually requires some service or device from a third party. If this third party is having technical issues, that could keep employees from being able to authenticate and gain access to the resources they need.

  17. Christopher Clayton says

    March 9, 2021 at 9:13 am

    While 2-factor authentication is obviously more successful in preventing unauthorized entry than single-factor, the downside is that it is not completely secure. The strength and complexity of protection will depend on what type of factor you use. Also, hackers can bypass it by being in possession of a factor of authentication, or they brute force their way in.

    • Christopher Clayton says

      March 9, 2021 at 10:01 am

      This is a response to Charlie Corrao’s question.
