Tuesday, September 9, 2014

Chapter 3: Access Control Overview:

A. What is Access control?
  • Access controls are security features that help control how users and systems communicate and interact with other systems and resources.
  • Access control protects systems and resources from unauthorized access.
  • Broad term that covers different mechanisms that enforce access control features on computer systems, networks, and information.
  • It is the first line of defense for guarding against unauthorized access to systems and network resources.
  • Access control allows organizations to control, restrict, monitor, and protect resource availability, integrity, and confidentiality.
B. What is an Access?
  • Access is the flow of information between a subject and an object (Harris, 157).
C. What is a Subject?
  • A subject is an active entity that requests access to an object or the data within an object (Harris, 157).
  • Examples of a subject: 
    • user
    • program
    • process that accesses an object to accomplish a task
D. What is an Object?

  • An object is a passive entity that contains information or needed functionality (Harris, 158).
  • Therefore, when a program accesses a file, think of the program as the subject and the file as the object.
  • Examples of Object:
    • Computer
    • Database
    • File
    • Computer program
    • Directory
    • Field contained in a table within a database
E. Security Principles:
  • What are the three main security principles?
    • Availability:
      • Information, systems, and resources must be available to users in a timely manner where productivity will not be affected.
    • Integrity:
      • Integrity means data is accurate, complete, and protected from unauthorized modification.
      • Integrity protects data or resource from being altered by an unauthorized user.
    • Confidentiality
      • Confidentiality assures information is not disclosed to unauthorized individuals, programs, or processes.
F. Identification, Authentication, Authorization, and Accountability:
  • What is Identification?
    • Identification describes the method of ensuring a subject (user, program, or process) is the entity it claims to be.
    • Username or account numbers are a common way of identification. 
    • To be fully authenticated, the subject is usually required to provide a second piece of identification such as a password, passphrase, cryptographic key, personal identification number (PIN), anatomical attribute, or token.
  • Logical Access Controls:
    • Technical tools used for identification, authentication, authorization, and accountability (Harris, 161).
  • Steps for authentication:
    • Authentication is a two-step process:
      1. Entering public information (username, employee number, account number, department ID).
      2. Entering private information (static password, smart token, cognitive password, one-time password, PIN).
G. Identification and Authentication:
  • Three general factors for authentication:
    1. Authentication by knowledge 
      • Something a person knows
      • Pros: least expensive to implement
      • Cons: another person can acquire the knowledge and gain unauthorized access to resources
      • Examples:
        • Password
        • PIN
        • Mother's maiden name
        • Combination to a lock
    2. Authentication by ownership
      • Something a person has
      • Pros: common for accessing facilities, sensitive areas, or authenticating to systems
      • Cons: can be lost or stolen, resulting in unauthorized access
      • Examples:
        • Key
        • Swipe card
        • Access card
        • Badge
    3. Authentication by characteristic
      • Something a person is
      • Based on a unique physical attribute
      • Biometrics
  • Strong authentication is defined as having two out of the three methods.
  • Creating or issuing secure identities:
    • Include three key aspects:
      • Uniqueness:
        • Identifiers that are specific to an individual (unique ID)
        • Examples:
          • Fingerprints
          • Retina scans
      • Nondescriptive:
        • The credentials should not indicate the purpose of the account
        • Examples:
          • User ID should not be "Administrator," "Backup_operator," or "CEO"
      • Issuance:
        • Provided by another authority as a means of presenting identity
        • Examples:
          • ID cards
  • Summary of Identification Component Requirement:
    • When issuing identification values to users, the following should be in place:
      • Each value should be unique, for user accountability.
      • A standard naming scheme should be followed.
      • The value should be nondescriptive of the user's position or tasks.
      • The value should not be shared between users. 
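The identification requirements above and the "two out of three factors" rule can be checked mechanically. The following is an added example, not code from the notes or from Harris; the naming scheme (3 to 12 lowercase letters and digits), the list of descriptive words, the credential-to-factor table, and the user directory are assumptions constructed for the example. It only classifies factors and checks identifier rules; it does not verify secrets.

```python
"""Added example: identifier issuance rules and the strong-authentication rule."""
import re

# Factor category of each credential kind (knowledge, ownership, characteristic).
FACTOR_OF_CREDENTIAL = {
    "password": "knowledge", "pin": "knowledge", "cognitive": "knowledge",
    "smart_token": "ownership", "access_card": "ownership", "otp_device": "ownership",
    "fingerprint": "characteristic", "retina": "characteristic",
}
# Assumed list of words that would reveal an account's role or purpose.
DESCRIPTIVE_WORDS = {"administrator", "admin", "backup_operator", "ceo", "root"}
# Assumed naming scheme: first char a letter, 3-12 lowercase letters/digits total.
NAMING_SCHEME = re.compile(r"^[a-z][a-z0-9]{2,11}$")
# Constructed directory: identifier -> credential kinds enrolled for that subject.
DIRECTORY = {"jsmith": {"password", "smart_token"}, "adoe": {"password"}}


def validate_identifier(user_id, issued):
    """Return the identification requirements that `user_id` violates.

    `issued` is the set of identifiers already handed out."""
    problems = []
    if user_id in issued:
        problems.append("not unique")            # one value per user: accountability
    if not NAMING_SCHEME.match(user_id):
        problems.append("violates naming scheme")
    if user_id.lower() in DESCRIPTIVE_WORDS:
        problems.append("descriptive of role")   # must not reveal position or tasks
    return problems


def is_strong_authentication(credentials):
    """Strong authentication: credentials from at least two distinct factor
    categories. Two credentials of the same category (password + PIN) do not count."""
    categories = {FACTOR_OF_CREDENTIAL[c] for c in credentials}
    return len(categories) >= 2


def authenticate(user_id, presented):
    """Step 1: identification (the public value must exist in the directory).
    Step 2: every presented credential must be enrolled for that subject."""
    enrolled = DIRECTORY.get(user_id)
    if enrolled is None:
        return "unknown identity"
    if not set(presented) <= enrolled:
        return "credential not enrolled"
    return "strong" if is_strong_authentication(presented) else "single-factor"
```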