Mohammed Syed says
This chapter mainly focuses on access control and identity management systems. In this digital era, access control and identity management have become a core factor for all businesses, including the finance and educational sectors. All sectors are switching to digital processes, as it is very difficult to manage digital security if all sectors are not cohesive. Authentication, authorization, and auditing are the main functions of access control. As mentioned, password policies, physical security access control, biometric authentication mechanisms, and two-factor authentication play an important role in authentication and help prevent Trojan and MITM attack conditions. Multifactor authentication uses two or more types of authentication; however, this can be defeated by a Trojan horse virus on the user’s system.
Jason Burwell says
Hello Mohammed,
Good point about this being a digital era. It seems that as time goes on, in-person and on-paper transactions are becoming less of a thing, making access controls and identity management so much more important for businesses.
Yangyuan Lin says
Access control is part of a security program, formally defined as policy-driven control of access to systems, data, and dialogues. Methods of access control include physical barriers, passwords, and biometrics. Access control has three functions: authentication, authorization, and auditing (collectively referred to as AAA). Authentication is the assessment of the identity of each individual claiming the right to use a resource. Authorization is the right of a specific user to use a specific resource. Auditing is the collection of documentation about individual activity in log files. Auditing ensures that authentication and authorization policies are not compromised.
Authentication is the most important and complex part; the methods of verifying identity include passwords, secret keys, physical keys, smart cards, biometric passwords, etc. Organizational and human controls are important; ensuring passwords are not compromised and using two-factor authentication is an important approach. I think a very important point is physical access and security. Choosing a good location for a building can reduce the occurrence of natural disasters or man-made damage (looting, arson, etc.).
Corey Arana says
Hey Lin,
I found your post to be an interesting read. I do agree with you about the importance of authentication and the usage of 2FA. We must always emphasize the importance of password security, as well as physical security. Where you decide to put a building is key. There are many aspects of physical security that go into placing a building.
Corey Arana says
This chapter focuses a lot on access control, from AAA controls to lock picking and passwords. Some key points that I took from this chapter are about passwords. Focusing on using passwords at multiple sites, in 2005 a study by Cyota found that 44 percent of people used the same password at many different websites, and 37 percent of online banking customers used the same password on less secure sites. I found it interesting how many people in online banking use the same password for other less secure sites. I guess people don’t want to protect their money. I do assume that percentage has gone up since 2005. I also thought it was interesting to find out how much it costs a company to reset a password. For example, the Wellpoint company received 14,000 calls per month from employees regarding a password reset. The company’s labor costs to reset a password ranged from 25 dollars to 200 dollars if the employee had access to multiple systems. With such high costs of lost passwords, companies now benefit from automated password reset systems and in the process save a ton of money.
Oluwaseun Soyomokun says
This reading is driven by the access control policy, implemented as a control measure to ensure the authentication and validation of a user to the system through the use of technology-based security mechanisms such as biometrics. Authentication draws on the what-you-know, what-you-have, who-you-are, and what-you-do characteristics and features uniquely known to the user, converted into digital codes the system recognizes. Password, two-factor, and multi-factor authentication are known to support the integrity of access control policy management.
Elizabeth Gutierrez says
Section 5.3, concerning the password reuse phenomenon, helped me better understand why certain institutions such as Temple require their students and employees to change their passwords every so often. While it may not always be feasible, it is recommended that user passwords be changed every 90 days. This way, if an attacker learns a password, he or she will only be able to use it for a limited time. I admit that it can be difficult to remember your passwords when you are changing them so often; the solution to this is password management programs. Not to mention, they can automatically generate really strong passwords that are hard to crack.
Ryan Trapp says
I agree that using a password manager is a very good idea. I think that this should be a must for users in an environment that requires password changes every 90 days. As you’ve mentioned, it is difficult for employees to remember their passwords. When you have employees change their passwords too frequently, you will run into the issue of them forgetting or, worse, writing their passwords down somewhere. This is a common occurrence in places that have short password expiration policies. As you’ve pointed out, the use of a password manager can help alleviate this issue.
Shubham Patil says
In section 5.3, it was interesting to find out that the widely used passwords are no longer considered safe by a majority of security professionals. Passwords are inconvenient and create numerous ways for cybercriminals to acquire your data and begin profiting. The most common way hackers make money off this information is by selling it on the dark web for a quick buck. Before they do this, they attempt to drain every account of any monetary value by making purchases, stealing funds, liquidating gift cards, or taking personal info (Social Security Number, address, emails, etc.). There are even advanced attacks on logins that aim to shut down entire companies or initiate ransomware. The most known version of password hacking is credential stuffing, which takes advantage of reused credentials by automating login attempts against systems using known email and password pairs. Once they have one login, they are guaranteed to get into other sites. At the root of all these problems lies a system that depends on authentication through a password, which is why many experts are part of the anti-password movement.
Yangyuan Lin says
Hi Shubham,
I agree with you; an attacker can crack the password using password cracking programs on the server that can try thousands of different combinations in a second until the password is cracked.
Bryan Garrahan says
I felt the auditing section, one of the AAAs of access control, was a very important part of this chapter. As the reading suggests, “Reading log files is difficult and time consuming. Consequently, they are often ignored.” This statement makes sense because oftentimes logging is in fact turned on; however, the logging is misconfigured to track an excessive amount of meaningless entries or false positives. A good way to filter out some of this junk data is to configure the logging for a specific event. For example, a logging rule could be implemented to identify network login attempts outside of the normal 8 am – 5 pm workday. This configuration could be strengthened even more by logging incorrect login attempts outside of the 8 am – 5 pm workday. Also, as the reading suggests, these incorrect login attempts should trigger alerts directed at the system admin for follow-up, as an additional layer of security to ensure the transaction is reviewed and followed up on in a more timely manner.
Ryan Trapp says
Hi Bryan,
Yes, I thought this was an important note as well. The issue of parsing through many log files is very real. Alert fatigue can set in for the response team, and critical alerts may be ignored or just plain missed. In addition to setting rules like you’ve mentioned, another good way to simplify looking through alerts is the use of a logging tool like a well-known SIEM. This way the tool can categorize alerts in a more efficient way so there is less to manage day to day.
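The detection logic described in Bryan’s post (log only what matters: logins outside the 8 am – 5 pm workday, and failed logins in that window that should page an admin), the credential-stuffing pattern Shubham describes (one source trying many known email/password pairs across many accounts), and Ryan’s point about alert fatigue can all be shown on a few lines of Python. This is an added example, not code from the textbook or from any poster; the log lines are constructed, the log format is assumed, and the threshold of five distinct accounts per source is an assumption.

```python
"""Off-hours and credential-stuffing detection over constructed auth log lines."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed format: date time RESULT user=<u> src=<ip>).
# Not taken from any real system.
SAMPLE_LOG = """\
2023-03-06 09:12:44 LOGIN_OK user=alice src=10.0.0.5
2023-03-06 22:41:02 LOGIN_OK user=bob src=10.0.0.9
2023-03-06 23:05:10 LOGIN_FAIL user=carol src=203.0.113.7
2023-03-06 23:05:11 LOGIN_FAIL user=dave src=203.0.113.7
2023-03-06 23:05:12 LOGIN_FAIL user=erin src=203.0.113.7
2023-03-06 23:05:13 LOGIN_FAIL user=frank src=203.0.113.7
2023-03-06 23:05:14 LOGIN_FAIL user=grace src=203.0.113.7
2023-03-06 14:30:00 LOGIN_FAIL user=alice src=10.0.0.5
2023-03-07 03:15:00 LOGIN_FAIL user=bob src=198.51.100.2
"""

WORKDAY_START, WORKDAY_END = 8, 17        # 8 am - 5 pm, as in the post
STUFFING_DISTINCT_USERS = 5               # assumed threshold: distinct accounts failed from one source


def parse_line(line):
    """Split one log line into a dict with a real datetime for the timestamp."""
    date, time, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def is_off_hours(ts):
    """True when the event falls outside the 8 am - 5 pm workday."""
    return not (WORKDAY_START <= ts.hour < WORKDAY_END)


def analyze(log_text):
    """Return the narrowed-down events and the small set of alerts worth an admin's time."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]

    # Rule 1: keep only off-hours logins (successes are recorded, not alerted on).
    off_hours = [e for e in events if is_off_hours(e["ts"])]
    # Rule 2: failed logins off hours are the ones that trigger an alert.
    off_hours_failures = [e for e in off_hours if e["result"] == "LOGIN_FAIL"]

    # Rule 3: one source failing against many distinct accounts is the
    # credential-stuffing signature, regardless of time of day.
    failed_users_by_src = defaultdict(set)
    for e in events:
        if e["result"] == "LOGIN_FAIL":
            failed_users_by_src[e["src"]].add(e["user"])
    stuffing_sources = {
        src: sorted(users)
        for src, users in failed_users_by_src.items()
        if len(users) >= STUFFING_DISTINCT_USERS
    }

    alerts = []
    for e in off_hours_failures:
        alerts.append(
            f"off-hours failed login: user={e['user']} src={e['src']} "
            f"at {e['ts']:%Y-%m-%d %H:%M:%S}"
        )
    for src, users in stuffing_sources.items():
        alerts.append(
            f"possible credential stuffing: src={src} failed against "
            f"{len(users)} distinct accounts"
        )
    return {
        "off_hours_logins": off_hours,
        "off_hours_failures": off_hours_failures,
        "stuffing_sources": stuffing_sources,
        "alerts": alerts,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{len(result['off_hours_logins'])} off-hours events, "
          f"{len(result['alerts'])} alerts")
    for alert in result["alerts"]:
        print(" -", alert)
```

The design point is the one the thread makes: nine raw lines become seven alerts, only one of which is the credential-stuffing summary, and the successful off-hours login by bob is kept for the audit trail but never paged. A SIEM rule would group the five 203.0.113.7 failures into that single summary alert rather than five separate ones, which is what keeps the queue manageable.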
Matthew Bryan says
I found the Identity Management section (5.11.3) interesting. In particular, I hadn’t considered the importance of self-service functions as it relates to minimizing sensitive data being shared in a system. I’ve viewed self-service features more as an efficiency rather than a means to minimize the sharing of sensitive data. I now see the additional value in minimizing how much data is shared by following this model.
Another takeaway from this section was encouraging decentralization in identity management. The authors note that identities should be managed by people closest to the situation. This was interesting to consider as I’ve often had to centralize the control of technologies in my work. It makes sense to encourage decentralization as those closest to user identities can help to manage and validate them.
Bryan Garrahan says
At my company we’ve been working to decentralize identity management across the enterprise. During my first couple of years working, it was difficult to gain an understanding of how user/group role permissions were configured and what the users could do in the system, because the owners didn’t have enough in-depth knowledge from system to system. As we’ve become less centralized, at least as an auditor, it’s encouraging to see that the identity managers have in-depth knowledge of user/group role capabilities as well as how their system works.
Ryan Trapp says
The part that I found the most interesting is that quite a few firms are phasing out the use of passwords entirely. It is true that the more complex passwords are, the more likely users are going to forget them or write them down somewhere. However, it seems that introducing something like an access card or token creates a different problem. Yes, the user won’t be able to have their password compromised, but having something that you must physically carry and remember to have on you can create the issue of losing items. If someone has someone else’s access card, then they may be able to impersonate their login, depending on what other mitigations are in place. I think the most important thing would be to ensure the company is using multi-factor authentication to safeguard against these issues.
Michael Duffy says
I’m really hoping for the removal of password-based authentication in the next few years. Personally, being able to access a system via smart card and authenticate with a website just by inserting it into a card reader is convenient, as long as you don’t lose the card. The problem I have primarily with password-based security is that it becomes difficult to store passwords once there is an abundance of them. The average user usually just writes down their passwords where they can be stolen, or they just use one password with a different number over the course of a few months. Passwords are definitely one of the bigger risks in cybersecurity, especially when the end user may not be technologically savvy. Smart cards, biometric readers, etc. provide a layer of security that is automated and doesn’t require the end user to become the layer of security. Not to say that the end user cannot be secure, but rather it only takes one end user to fail.
Alexander William Knoll says
I found the “In the News” block under section 5.1.9 a pretty interesting read this week, especially the last paragraph, titled “Forcing Your Finger.” I was always under the impression that authorities were not allowed to force access to a suspect’s device due to self-incrimination, which the last sentence states, but apparently only in the case of passcodes and not in the case of biometric scanning. This doesn’t really make sense to me, and I’m pretty curious how Massachusetts was able to find a loophole for this. I’m also curious if this applies to using facial recognition to unlock devices (which has all but replaced fingerprint scanning to access phones). Upon further research, it appears that forcing a suspect to unlock their device via biometric scanning is now protected by the 5th Amendment as well, but it’s interesting that there was a moment in time where authorities could use that to their advantage.
Hang Nu Song Nguyen says
This chapter focused on the most important part of data security: access control. Access control is not about passwords or cryptography, because policy is central to access control. Identity management focuses on how to set up policies for access control. There are 3 functions in access control, and each of them plays its essential role: authentication, authorization, and audit. The best way to create access control rules is based on roles, because it’s cheap to assign. I totally agree with that, but the type of data will be another consideration when creating access control based on availability to perform tasks. Most companies will implement discretionary access control because it is easier to implement than mandatory access control.
Jason Burwell says
Chapter 5 deals with Access Control
In this particular chapter I found section 5.5 to be very interesting. It explains biometrics in regard to access control. I find this interesting because, as it explains, we can forget passwords, ID cards, etc., or they could be stolen or compromised, but biometrics deals with parts of our physical makeup and in that makes forgetting or having our access stolen a lot more difficult. I believe the more biometrics involved, the more secure, whether it’s accessing the physical building or a data server; if someone needs to use a physical part of their body to get access, it’s going to make it tougher on the potential intruder.
Amelia Safirstein says
I found the section on physical security to be interesting. We often get so wrapped up in the technical security of our logical systems that we forget about the seemingly more obvious physical security. This section discusses controlling physical entry points. It talks about the goal of a single entry point into a building and the importance of alarming and monitoring emergency exits. The section then dives deeper into the security of equipment, including the importance of maintaining power supply, ensuring the security of devices when they are being repaired off-site, etc.
Michael Duffy says
Hi Amelia,
I agree, a lot of cyber does revolve around physical controls, and many overlook this when entering the field. But if we look towards security objectives and understanding the system environment, we can start determining how to implement physical security and why it should be implemented. Especially for systems that are regarded as HIGH impact, necessary precautions to prevent inside tampering are a must.
Ornella Rhyne says
I retained from this chapter that securing the network is nothing if we cannot secure what’s around the network (perimeter, entire buildings, office areas, equipment rooms…). Although people are more concerned with intruders, we need to consider that building safety and security must be one of our top priorities in information systems. Some areas that are considered sensitive must be given more attention and should have controls like access cards, keys, or other types of locks.
Joshua Moses says
Chapter 5 is about Access Control; moreover, unit 5.7 mentions Authorization. The chapter proclaims that there are three elements to access control, which are authentication, authorization, and auditing. After a user gains access to a service, the following step would be determining the types of resources that end user has access to. This is a big part of authorization! I really appreciated the following point that the author has mentioned as well: “Not everyone who is authenticated may be allowed to do anything he or she wishes in every directory.” Another point that I’d like to mention from this section is the principle of least permissions. I have been interested in information security for a while now, and it has been repeatedly mentioned that it is imperative that each user gets the necessary permissions they would need to do their job and nothing more.
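Joshua’s point that an authenticated user is not thereby authorized for everything, Hang’s point that role-based rules are the cheap way to assign access, and the least-permissions principle all come together in a small authorization check. The following is an added example, not code from the textbook or from any poster; the roles, permissions, users, and session table are constructed, and the resource/action names are hypothetical.

```python
"""Role-based authorization with default-deny, a least-privilege review, and an audit trail."""

# Constructed role -> permission map. A permission is a (resource, action) pair.
ROLE_PERMISSIONS = {
    "analyst": {("reports", "read")},
    "hr_clerk": {("hr_records", "read"), ("hr_records", "write")},
    "admin": {("reports", "read"), ("reports", "write"),
              ("hr_records", "read"), ("users", "manage")},
}

# Constructed user -> roles assignment (cheap to manage: change a role, not every user).
USER_ROLES = {"alice": {"analyst"}, "bob": {"hr_clerk"}, "carol": {"admin"}}

# Constructed table of already-authenticated sessions (authentication is assumed to
# have happened elsewhere; this code only decides authorization).
AUTHENTICATED_SESSIONS = {"sess-1": "alice", "sess-2": "bob", "sess-3": "carol"}


def permissions_for(user):
    """Union of the permissions granted by every role the user holds.
    An unknown user or a role with no entry contributes nothing: deny by default."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user, resource, action):
    """Authorization question only: may this user perform this action on this resource?"""
    return (resource, action) in permissions_for(user)


def evaluate(session_id, resource, action, audit_log):
    """Full AAA path for one request: who is it (authentication result),
    may they (authorization), and record the decision (auditing)."""
    user = AUTHENTICATED_SESSIONS.get(session_id)
    if user is None:
        decision = "deny:unauthenticated"
    elif is_authorized(user, resource, action):
        decision = "allow"
    else:
        # Authenticated, but not allowed to do this in this "directory".
        decision = "deny:forbidden"
    audit_log.append({"session": session_id, "user": user,
                      "resource": resource, "action": action, "decision": decision})
    return decision


def excess_permissions(user, needed):
    """Least-privilege review: permissions the user holds beyond what the job needs."""
    return permissions_for(user) - set(needed)


if __name__ == "__main__":
    log = []
    print(evaluate("sess-1", "reports", "read", log))       # allow
    print(evaluate("sess-1", "hr_records", "read", log))    # deny:forbidden
    print(evaluate("sess-9", "reports", "read", log))       # deny:unauthenticated
    # carol only needs to read reports, so everything else admin grants is excess.
    print(sorted(excess_permissions("carol", {("reports", "read")})))
    for entry in log:
        print(entry)
```

Two choices carry the chapter’s points. Authorization never consults the session table directly: it takes a user name that authentication already produced, so a valid login buys nothing beyond what the user’s roles grant. And `excess_permissions` is the review an auditor would run against each role assignment; an admin who only needs to read reports is exactly the over-privileged case the least-permissions principle is meant to catch.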
Miray Bolukbasi says
As policies and requirements get stronger day by day, Boyle explains the importance of access control functionalities. Some of the security solutions recommended by the chapter include:
– physical building security as initial control (entry points, guards, and monitoring devices)
– passwords for identification and authentication (reset questions, complex passwords)
– access cards and physical tokens to limit privileges
– biometric authentication as additional layer of security (fingerprints, face recognition)
– digital certificates as cryptographic authentication
– detect actions and ensure policy by audit