Instructor’s Manual
Chapter 5 Access Control
Answer Key

Copyright © 2015 Pearson Education, Inc.
Chapter 5: Access Control
Corporate Computer Security, 4th Edition
Randall J. Boyle and Raymond R. Panko

Introduction

Organizational and Human Controls

1. a) List the AAA access controls.
Authentication, Authorizations, and Auditing.

b) Explain each in a sentence.
Authentication is the process of assessing the identity of each individual claiming to have permission to use a resource.
Authorizations are specific permissions that a particular authenticated user should have given his or her authenticated identity.
Auditing consists of collecting information about the activities of each individual in log files for immediate and later analysis.

c) What are the four bases for authentication credentials?
What you know (a password or a private key)
What you have (a physical key or a smart card)
Who you are (your fingerprint)
What you do (how you specifically pronounce a passphrase)

d) What is two-factor authentication’s promise?
Two-factor authentication promises defense in depth. If one authentication method is broken, the impostor will still not be able to authenticate him or herself.

e) How can a Trojan horse defeat this promise?
If a client PC is infected with a Trojan horse, the Trojan horse can send transactions when a user has already authenticated him or herself to an ecommerce site. If a user’s computer is compromised, two-factor authentication means nothing.

f) How can a man-in-the-middle attack defeat this promise?
Two-factor authentication can often be defeated with a man-in-the-middle attack. If a user logs into a fake banking website, the fake site can act as a silent go-between to the real banking website. After the user successfully authenticates, the fake website can execute transactions of its own on the real website.

g) What is RBAC? (Do not just spell it out).
Role-based access control. Authorizations are assigned to roles instead of to individuals.

h) Why is RBAC less expensive than access control based on individual accounts?
Role-Based Access Control is less expensive than access control based on individuals because fewer assignments need be made (as there are far fewer roles to designate than there are people assigned to roles).

i) Why is it less error-prone? (The answer is not specifically in the text.)
Appropriate authorizations are easier to understand for roles than for individuals.

j) Why do technologically strong access controls not provide strong access control in real organizations?
No access control, no matter how strong, will provide strong access control in real organizations unless the organization has well-thought-out security policies and rigorously implements those policies. Humans are ingenious in finding ways to harm themselves, especially when they are not monitored.

Military and National Security Organization Access Controls

2. a) Distinguish between mandatory access controls and discretionary access controls.
In mandatory access control, departments have no ability to alter access control rules set by higher authorities. In principle, this offers very strong security. In practice, this is difficult to sustain because some flexibility is always needed.
In discretionary access control, the department has discretion over giving access to individuals, within the policy standards set by higher authorities.

b) What is multilevel security?
Information is classified by level of security (e.g., confidential, secret, top secret, etc.). It is assigned security appropriate for its level of classification.

c) What are SBU documents?
SBU documents are sensitive but unclassified.

d) Do they need to be considered in access controls?
Yes.

e) Why are access control models needed?
To cope with complex access control issues involving multilevel security, organizations that use multilevel security must follow complex access control models to determine how to deal with various access situations.

Physical Access and Security

Risk Analysis

ISO/IEC 9.1: Secure Areas

3. a) Why is having a single point of building entry important?
By limiting access points, it is easier to apply protections to people coming into and going out of the building.

b) Why are emergency exits important?
In case of fire or other problems, people must be able to escape.

c) What should be done about them?
Emergency exits should be alarmed, monitored (preferably with cameras), and tested frequently. In all cases, security provisions must be compatible with fire codes. Most importantly, it is illegal to lock fire exits to bar egress.

d) List the four elements of entry authorization in CobiT.
In CobiT, building entry must be justified, authorized, logged, and monitored.

e) Why is loading dock security important?
This is a busy area with many strangers. It is a likely penetration point. In addition, it holds expensive goods that are easy to steal.

f) What access control rules should be applied to loading docks?
Internal employees should have limited access to loading docks, which prevents easy passing of material from inside to outside.
External employees should have no access to the building beyond the loading dock. (They don’t need it).
Incoming shipments should be inspected and logged.
Outgoing shipments should be separated from incoming shipments to reduce risk of theft.

g) What steps should be taken to reduce the danger of environmental damage?
Hazardous and combustible material should be located away from sensitive areas, and there should be adequate equipment for fire fighting.
Disaster response facilities and backup media should be located safely away from the building.

h) List rules for working in secure areas.
Unsupervised work in secure areas should be avoided.
When no one is working in a secure area, it should be locked and checked periodically.
Electronic devices that can record or copy mass amounts of information should be forbidden in secure areas (e.g., cameras, cell phones, USB flash drives, external hard drives, non-authorized PCs and laptops, and other computing devices).
Inspections of personnel entering/leaving secure areas should ensure that this rule is followed.
Inspections must follow strict notification and compliance laws.

9.2 Equipment Security

4. a) What is siting?
Siting is a synonym for locating or placing. It is done from the root site.

b) Distinguish between UPSs and electrical generators.
Uninterruptible power supplies (UPSs) have batteries that can supply power to equipment for a brief period of time after an outage. UPSs allow orderly shutdown during power failures.
Electrical generators can be used as backup for longer-duration outages. These run on gasoline.

c) If wiring cannot be run through walls, what should be done to protect the wiring?
If wiring cannot be run through walls, the wiring should be protected by running it through conduits (preferably armored conduits) and should not be run through public areas.

d) What should be done to protect laptops taken off premises?
Laptops should never be left unattended. If for home use, the laptop should be stored in lockable filing cabinets, and all paperwork should be locked away when not in active use, along with the equipment. Having insurance for the laptop is also desirable.
For all equipment taken off premises, precautions include:
Being limited to authorized personnel only.
Being logged out and back in.
Having all sensitive information removed.

e) What controls should be applied to off-site equipment maintenance?
Offsite equipment maintenance must:
Be limited to authorized personnel only.
Be logged out and back in.
Have all sensitive information removed.

f) What controls should be applied to equipment disposal or reuse?
When equipment is ready to be disposed or reused, sensitive data must be removed. If the equipment will not be reused, the hard drive should be destroyed or, at the very least, written over by special software that prevents data from being recovered.

g) What controls should be placed over employees taking equipment offsite?
Controls over employees taking equipment offsite include:
Ensuring proper authorization to remove equipment
Limiting the personnel who are able to authorize removal
Enforcing time limits for off-site use
Logging equipment in/out
Periodic spot checks of the above rules should be conducted

Other Physical Security Issues

5. a) What special controls are required by terrorism threats?
Due to increasing threats from terrorism, terrorist attacks must be considered in all matters of physical security. For instance, new buildings should be set back from streets and protected with rolling hill landscaping. In appropriate situations, guards may be armed. Bullet-proof doors may also be needed to guard sensitive areas.

b) Why is it necessary to prevent piggybacking?
Unless piggybacking is eliminated, physical access security is nearly impossible.

c) What advice would you give a company about CCTV?
Tell the company that CCTV tapes will wear out, high resolution cameras are expensive and consume a great deal of disk space, low resolution cameras may be insufficient for recognition needs, and to reduce storage they should use motion sensing.

d) What is Dumpster™ diving?
Dumpster™ diving is an attack in which an attacker goes through a firm’s trash bins looking for documents, backup tapes, floppy disks, and other information-carrying media.

e) How should trash bins be protected?
Building trash bins should be located in a secure and lighted area, preferably under CCTV surveillance. This area must be on the company premises, because once building trash bins are moved beyond the company premises, their contents usually are considered to be abandoned and have no legal protection.

f) What can be done to reduce the dangers of desktop PC theft and unauthorized use?
To reduce the danger of theft, individual desktop PCs in ordinary office areas can be locked onto their desks with a cable, provided that there is something on the desk to wrap the cable around. In addition, each PC should have a login screen that requires a complex password and a screen saver so that an intruder cannot simply walk up to it and use it.

Passwords

Password-Cracking Programs

6. a) What are reusable passwords?
Reusable passwords are passwords that are used for weeks or months at a time.

b) Why is password cracking over a network difficult to do?
Password cracking over a network is difficult to do because the attacker will almost always be locked out after a few attempts.

c) In what two ways can password-cracking programs be used?
Password-cracking programs can be loaded on a server (assuming the hacker can gain access to the server) to try thousands of possible account name/password combinations per second until one works. Also, if the attacker can gain access to the password file from a computer, he or she can copy the file and attempt to crack it on another machine in a less obtrusive manner.

d) Which is safer for the cracker? Why?
Stealing the password file and cracking it elsewhere is safer. There is no need to wait around by a compromised server while the password-cracking program does its work.

Lost Passwords

7. a) Why is it a problem to use the same password at multiple sites?
Using the same password at multiple sites is bad because when a password is compromised at one site, it is compromised at all sites, expanding the risk of the compromise.

b) Why is it difficult to enforce a policy of using a different password at each site?
It is difficult to enforce a policy of using a different password at each site because it is difficult for users to remember different passwords for different sites. Using different passwords is even difficult if the passwords are written in a password book.

c) Why are password duration policies important?
If passwords are not changed frequently, or if an attacker cracks the password, he or she will be able to use it for a long period of time.

d) What are password resets?
A password reset is the action taken by a help desk employee to create a new password for an account when the current password is lost or forgotten.

e) Why are password resets dangerous?
Password resets are dangerous because they are susceptible to social engineering by an imposter who can convince help desk personnel to reset a password, thus giving account access to the imposter and locking out the appropriate account holder.

f) How can password resets be automated?
Password resets can be automated by using a system that asks the person requesting a reset to answer one or more secret questions, giving answers the authentic user gave at registration time.

g) Why are password reset questions difficult to create?
Password reset questions are difficult to create because:
Some questions themselves are security violations (such as asking for SSN or mother’s maiden name).
Some questions are easily answered by an attacker with little knowledge of the user (e.g., city of birth, pet’s name, etc.).
Some questions are too hard to remember or difficult to answer (e.g., favorite song, favorite teacher in high school, etc.).
Some questions require exact spelling, which can cause the password reset answer to fail too often. (This is especially difficult with names.)

h) How may password resets be handled in high-risk environments?
In high-risk environments, password resets might best be handled by eliminating remote password resets altogether and requiring the users to go to the help desk in person and show ID.
For the DoD’s Common Access Card (CAC), each user creates a six or eight digit PIN. A user only gets three tries to access an IT service using the CAC. After three incorrect tries, the CAC locks itself, and unlocking requires the user to physically go to a CAC issuance facility (which in some places only takes appointments several days in advance).

Password Strength

Password Auditing

8. a) What is the book’s recommended password policy for length and complexity?
The book’s recommended password policy for length and complexity is:
Be at least 8 characters long (although current DoD policy is 16 characters)
Have at least one change of case (DoD policy is two upper and two lower case, but there’s no requirement for placement)
Have at least one digit (DoD policy is two)
Have at least one non-alphanumeric character not at the end of a password (DoD policy is two)
Another DoD policy is that keyboard shortcuts are not to be used (such as some combination of “asdf;lkj”)

b) How can password-cracking programs be used to enforce password strength policy?
Password-cracking programs can be used to enforce password strength policy by having systems administrators run a password-cracking program against their own servers to check for policy violations in password length and complexity.

c) Before you run a password-cracking program on your company’s computers to check for weak passwords, what should you do?
Before running a password-cracking program on your company’s computers to check for weak passwords, get permission! Have a memo providing permission to do a very specific set of actions and then do not deviate from them without further written permission.

Other Password Policies

The End of Passwords?

9. What is the likely future of passwords?
Passwords are likely to be phased out in the fairly near future primarily because they are such a significant weakness. Password cracking has gotten easier and faster, and users are limited in their ability to handle truly strong passwords.

Access Cards and Tokens

Access Cards

Tokens

Proximity Access Tokens

Addressing Loss and Theft

10. a) Distinguish between magnetic stripe cards and smart cards.
A magnetic stripe card is a simple access card that can store authentication data.
A smart card looks like a magnetic stripe card but has a built-in microprocessor and memory. This allows smart cards to do processing for more sophisticated authentication. Smart cards can also give out information differentially to different applications.
While magnetic stripe cards are passive, only containing data, smart cards are active.

b) What are one-time-password tokens?
One-time-password tokens are small devices with displays that have a number that changes frequently. Users must type the current number into key locks or into their computer.

c) What are USB tokens?
A USB token is a small device that plugs into a computer’s USB port to identify the owner.

d) What is the advantage of USB tokens compared to cards?
USB tokens can be used to authenticate a user without the cost of having a smart card reader attached to the PC. (All modern PCs have USB ports.)

e) What is the attraction of proximity tokens?
Proximity tokens are attractive because they do not require physical contact with a reader or USB port, which is faster than directly interacting with a device.

11. a) Why is it important to disable lost or stolen access devices?
If you do not disable them immediately and they are stolen, they can still be used by the thief indefinitely.

b) Give an example of two-factor authentication not mentioned in the text.
Student answers will vary.

c) What is a PIN?
A PIN is a personal identification number. It is a short number you type in manually to authenticate yourself, often in conjunction with another authentication factor.

d) Why can PINs be short—only four to six digits—while passwords must be much longer?
Passwords need to be long because attackers can try millions of comparisons per second. However, people must enter PINs manually, so attackers can only enter a PIN every second or two. In addition, someone standing over an access door, trying many PIN codes, would be highly conspicuous and therefore vulnerable to detection.

Biometric Authentication

Biometrics

12. a) What is biometric authentication?
Biometric authentication is authentication based on biological metrics.

b) On what two things about you is biometric authentication based?
Biometric authentication is based upon something you are (i.e., a physical feature) and something you do (i.e., an action).

c) What is the major promise of biometrics?
The major promise of biometrics is to make reusable passwords obsolete.

Biometric Systems

13. a) Describe the three scanner actions in the enrollment process.
First, the reader scans each person’s biometric data.
The reader then processes the enrollment scan to extract a few key features from the mass of scanned data.
Finally, the reader sends the key feature data to the database, which stores the key feature data as the user’s template.

b) What are key features?
Key features are specific metrics extracted from the scanning data. Two scans will never give the same scanning data, but they should give generally the same key features, such as the relative locations of arches and whorls in a fingerprint.

c) Why are they necessary?
Key features are necessary because raw biometric scans will be different each time due to nuanced actions (e.g., pressure, angle of scanning, interfering substance, etc.), but key features will be the same (or almost the same) no matter how a finger is scanned.

d) What does the server do with the key features created by the enrollment scan?
It uses these key features as the template for that user.

e) What is a template?
A template is the file entry containing key features from the enrollment process for a single individual.

f) What is user access data?
This is data collected during an access attempt scan, as opposed to the scanning data during enrollment.

g) What are match indices, and how are they related to decision criteria?
A match index compares access key features with the template. Because scanning never works exactly the same way twice, if the match index is close enough to satisfy the system’s configurable decision criteria, the supplicant is accepted.

Biometric Errors

14. a) In biometrics, what is a match?
In biometrics, a match occurs when a match index (a comparison of access key features and the template) meets the decision criteria.

b) Distinguish between false acceptances and false rejections.
A false acceptance occurs when a person is improperly matched to a template. False rejection occurs when a person is improperly not matched to a template.

c) What are false acceptance rates (FARs) and false rejection rates (FRRs)?
These are the percentages of time there is a false acceptance or a false rejection from a scan.

d) For computer access, why is a false acceptance bad?
For computer access, false acceptance is bad because someone other than the authorized user, possibly an imposter, will gain access to the resource.

e) Why is a false rejection bad?
False rejection is bad because a legitimate user is denied access to a resource.

f) Which is worse from a security viewpoint?
For computer access, a false acceptance is worse because it allows an unauthorized person through the door, giving the person access to sensitive building space.

g) Which is worse from a user acceptance viewpoint?
A false rejection, because it lets an attacker in.

15. a) For watch lists of criminals, what is a false acceptance?
For watch lists of criminals, a false acceptance means that an innocent person is identified as a criminal.

b) For watch lists of criminals, which is worse from a security viewpoint, a false acceptance or a false rejection? Explain.
For a watch list of criminals, false rejection is worse from a security viewpoint because it means a criminal was not identified.

c) For watch lists of people who should be allowed to enter a room, which is worse from a security viewpoint, a false acceptance or a false rejection? Explain.
From a security viewpoint, a false acceptance is a worse error because it means a non-authorized person has improperly gained access to a resource. A false rejection would merely keep an authorized user out of the space, which is an inconvenience, but harmless in most cases.

16. What is failure to enroll?
Failure to enroll is an error that occurs if a system will not enroll a user, for example if a person does not have well-defined fingerprints.

Verification, Identification, and Watch Lists

17. a) Distinguish between verification and identification.
Verification is an action wherein the verifier determines whether the supplicant is the particular person he or she has claimed to be.
In identification, the verifier determines the identity of the supplicant; the supplicant does not claim to be a particular person.

b) Which requires more matches against templates?
Identification requires more matches against templates than verification because in verification, a supplicant is claiming a specific identity. In identification, no identity is being claimed, so the verifier has to review the templates for all users.

c) Which is more likely to generate a false acceptance? Why?
There is a small chance of a false acceptance every time a match is attempted. Because identification requires checking the supplicant against every template in a system, there is a greater chance that identification will generate a false acceptance than verification (which compares the supplicant with only one template).

d) Compare identification with watch list matching.
Watch list matching is a form of identification that identifies a person as being a member of a group. For instance, the matches may be made against the templates of people on a terrorist watch list. A match has to be attempted against each template in the list.

e) Which is more likely to generate a false match? Why?
There is a small chance of a false acceptance with each match attempt. Identification must attempt matches against all templates in the database. Watch lists only require match attempts against the templates of members of the group. Therefore, identification is likely to generate more false matches.

18. a) Suppose that the probability of a false acceptance is one in a million, that there are 10,000 identities in the database, and that there is a watch list with 100 people. What will be the FAR for verification?
Verification only attempts a single match. The probability of a false acceptance for a single match is one in a million. Therefore, the probability of a false acceptance of verification is one in a million.

b) For identification?
Identification will attempt 10,000 matches. The probability of a false acceptance for a single match is one in a million. Therefore, the probability of a false acceptance of verification is 1/1,000,000 times 10,000 (i.e., 0.01). Therefore, the probability of a false acceptance is 1%.

c) For the watch list?
A watch list will attempt 100 matches. The probability of a false acceptance for a single match is one in a million. Therefore, the probability of a false acceptance of verification is 1/1,000,000 times 100 (i.e., 0.0001). Therefore, the probability of a false acceptance is 0.01%.

Biometric Deception

19. a) Distinguish between error rates and deception in biometrics.
Error rates measure accuracy when a supplicant is not trying to deceive the system.
In contrast, deception occurs when an attacker deliberately attempts to fool the system.

b) Why may fingerprint scanning, which is often deceived, be acceptable for entry into a supplies cabinet?
Basically because a supplies cabinet does not hold sensitive information and it is not likely to get attacked by a sophisticated attacker.

c) When may it not be sufficient?
Fingerprint scanning may not be sufficient when it is used to control access to very sensitive or important resources and where the impact of deception is potentially very great.

Biometric Methods

20. a) What is the advantage of fingerprint recognition?
The main advantage of fingerprint recognition is that the technology of fingerprint scanners is inexpensive.

b) What are the disadvantages?
The main disadvantage of fingerprint recognition is that it is easily deceived in all but the most advanced and expensive fingerprint scanner technologies.

c) For what type of use is fingerprint recognition sufficient?
Fingerprint recognition should only be used in cases in which there is little danger of serious deception. An example would be logging into a personal computer that does not hold sensitive information.

d) What is the advantage of iris recognition?
It is the most precise form of biometric authentication, with very low FARs.

e) What are the disadvantages?
The main disadvantage of iris recognition is that the technology is very expensive.

f) Does iris scanning shoot light into your eye?
No.

21. a) What is the advantage of face recognition?
The main advantage of face recognition is that it can be used surreptitiously (i.e., without the subject’s knowledge).

b) What does surreptitious mean?
Surreptitious means “without the subject’s knowledge.”

c) Where is hand geometry recognition used?
Hand geometry recognition is used mostly in door access control.

d) What are the disadvantages of voiceprint recognition?
One disadvantage of voiceprint recognition is that it is easily deceived by recordings. Another is that high false rejection rates make voice recognition frustrating to users.

e) What are the most widely used forms of biometric authentication?
Fingerprint, iris, face, and hand geometry are the most widely used types of biometric authentication today.

f) What is the most widely used form of biometrics?
The most widely used form of biometrics is fingerprint recognition, primarily because it is cheap.

Cryptographic Authentication

Key Points from Chapters 3

Public Key Infrastructures (PKIs)

22. a) What is the strongest form of authentication?
Cryptographic authentication is the strongest form of authentication.

b) List the functions of a PKI.
Creating public key–private key pairs.
Distributing digital certificates.
Accepting digital certificates.
Learning a certificate’s revocation status.
Provisioning new users and changing data on existing users.
Having strong initial authentication.

c) Can a firm be its own certificate authority?
Yes.

d) What is the advantage of doing so?
The advantage of being their own CA means that firms have control of trust in their entire PKI.

e) Who creates a computer’s private key/public key pair?
Private/public key pairs are normally created on the client, versus the PKI server.

f) How do CAs distribute public keys?
In digital certificates.

g) What is provisioning?
In the context of PKI, provisioning is the accepting of public keys and providing new digital certificates to the users (a very expensive component of the PKI).

h) What is the prime authentication problem?
The prime authentication problem is that unless individuals are carefully vetted before being allowed in a system, imposters can simply enroll through social engineering.

i) What can be done to reduce this risk?
The only thing that can be done to reduce the risk of the prime authentication problem is to have strong procedures for who may submit an account request, who may approve it (always a different party than the applicant), what identification is required, and how to handle exceptions. The procedure must be carefully enforced and audited.

Authorization

The Principle of Least Permissions

23. a) Why are authorizations needed after a person is authenticated?
Simply knowing the identity of the communicating partner is not enough. The specific authorizations of the communicating party also need to be defined. Not everyone who is authenticated may be allowed to do anything he or she wishes in every directory.

b) What is another name for authorizations?
Permissions.

c) What is the principle of least permissions?
The principle of least permissions is that each person should only get the permissions that he or she absolutely needs to do his or her job. In practice, this is very difficult to enforce, primarily because there are not enough security personnel to keep track of transient permission requirements.

d) Why is it a good way to assign initial permissions?
Assigning as few permissions as necessary is a good way to assign permissions initially because it reduces potential points of vulnerability, possible unauthorized behaviors, and mitigates the damage an intruder may do.

e) What is bad about assigning all permissions and then taking away the permissions a user does not need?
The bad thing about assigning all permissions and then taking away those that are not needed is that it is easy for security to mistakenly NOT remove a permission that is not required, thus allowing access beyond that which is authorized.

f) What does failing safely mean in a security system?
Failing safely in a security system means that a failure is not likely to lead to security violations. The principle of least permissions ensures that users are not given too many permissions if an error is made.

Auditing

Logging

Log Reading

24. a) What is auditing?
Auditing records and analyzes what the person or program actually did, rather than what was theoretically authorized.

b) Why is it necessary?
Unless authentication and authorization activities are audited frequently, improper behavior can go on for a very long time.

c) Why is log reading important?
Logging records the actions that an account owner takes on a resource. Unless logs are studied/read, they are useless.

d) What are the three types of actions that should be taken on log files?
They should be read regularly by someone who knows what he or she is looking at.
External auditing should be conducted periodically.
Automatic alerts should be established to provide security administrators with real-time feedback.

e) Why are automatic alerts desirable?
Reading log files only tells you about the past. Ideally, logging systems should have active log-reading functions that send the security administrator real-time alerts for certain types of events.

Central Authentication Servers

The Need for Centralized Authentication

25. a) What are the three devices in central authentication using RADIUS servers?
The three devices in central authentication are the supplicant, authenticator, and RADIUS central authentication server.

b) What is the role of the authenticator?
To send the supplicant’s credentials to the authentication server, and then to send a message of authentication back to the supplicant from the authentication server.

c) What is the role of the central authentication server?
To test the validity of credentials provided by the user.

Kerberos

26. a) In Kerberos, distinguish between the ticket granting ticket and the service ticket.
The ticket granting ticket is the supplicant’s proof that it has already authenticated itself with the Kerberos server. The service ticket is an encrypted session key that only the verifier can decrypt (due to sharing a key with the Kerberos server in a separate communication).

b) What information does the service ticket give the verifier?
The service ticket gives the verifier the symmetric session key to use with the supplicant. The session ticket may also contain permissions that the supplicant should have on the verifier.

c) How does the supplicant get the symmetric session key?
The supplicant gets the symmetric session key from the Kerberos server when the service ticket is sent to the verifier; the session key from the Kerberos server is encrypted to be read only by the server and supplicant.

d) Is the verifier notified explicitly that the supplicant has been authenticated? Explain.
The verifier is not notified explicitly that the supplicant has been authenticated. Authentication is implicit in that if the supplicant has the symmetric session key to communicate with the verifier, it must have been authenticated with the Kerberos server (which generated the session key and would only give it out to an authenticated computer).

Directory Servers

What Are Directory Servers?

Hierarchical Data Organization

27. a) How is information in directory servers organized?
The information in directory servers is organized as a directory server database schema in a hierarchical collection of objects.

b) What are the top two levels of the organization?
Top level is the Organization. This is the name of the organization.
Below the top level are organizational units (OUs). There can be many OUs.

c) Do directory servers only hold information about people?
They hold information about many other types of company resources, such as computers.

Lightweight Data Access Protocol (LDAP)

28. What is LDAP’s purpose?
LDAP’s main purpose is to retrieve data from the directory server. However, it can also be used to update information in the directory server.

Use by Authentication Servers

29. a) How do central authentication servers often get their authentication information?
Central authentication servers often get their authentication information from directory servers.

b) What is the advantage of this?
It permits the directory server to be the company’s main repository for information.

Active Directory

30.
a) What is Microsoft’s directory server product?
Microsoft’s directory server product is Active Directory (AD).

b) What is the smallest organizational unit in Active Directory?
The organizational unit.

c) What two things does a domain controller contain?
The domain controller contains an Active Directory database and a Kerberos authentication server program.

d) Can a domain have multiple domain controllers?
Yes.

e) What is the advantage of having multiple domain controllers?
The advantage is that having multiple domain controllers gives reliability in case one crashes or is successfully attacked.

f) Into what larger structures are domains organized?
Trees.

g) Into what larger structure can trees be organized?
Forests.

h) Describe replication among domain controllers within a single AD domain.
Within a single AD domain, there is total replication between domain controllers.

i) Describe replication between a domain controller in one domain and the domain controller in the parent domain.
There is partial replication of data to the next-higher-level database.

Trust

31. a) Distinguish between mutual and one-way trust among AD domains.
In mutual trust, each directory server trusts the other.
In one-way trust, one directory server trusts the other, but there is no trust in the opposite direction.

b) Distinguish between transitive and intransitive trust.
An example of transitive trust would be if A trusts B and B trusts C, then A trusts C automatically.
An example of intransitive trust would be if A trusts B and B trusts C, but A does not trust C automatically.

c) What principle should companies follow in making trust assignments?
Give only as much trust as necessary.

Toward Full Identity Management

Other Directory Servers and Metadirectories

32. a) Why are metadirectory servers needed?
To coordinate information across different types of directory servers.

b) What do metadirectory servers do?
The metadirectory server allows the directory servers to exchange information and to synchronize services in a variety of ways.

Federated Identity Management

33. a) In federated identity management, do firms query one another’s identity management databases?
In federated identity management, firms do not query one another’s identity management databases. Instead, they send assertion statements that may include authenticity, authorization, and attribute information.

b) What do they do instead?
They send assertions to each other.

c) What risk does this method avoid for the firm sending the security assertion?
This method avoids the risk of potential attacks from the other company because the other company never gets direct access to corporate resources.

d) How are risks to Firm B reduced?
The firms first carefully negotiate a contract. The contract specifies penalties if Firm A sends false assertions.

e) What is a security assertion?
An assertion is a statement from Firm A to Firm B that Firm B should accept as true if Firm B trusts Firm A.

f) What three things may it contain?
Authenticity information, such as that an employee is actually the employee by that name and has been authenticated by Firm A.
Authorization information, stating that the employee is allowed to access Firm B’s services.
Attributes that describe features of the employee (such as spending limit, etc.).

g) What is the main standard for one firm to send security assertions to another firm?
The main standard for sending security assertions today is the Security Assertion Markup Language (SAML).

h) What is the major benefit of using XML?
The major benefit of using XML in SAML is that it is platform-independent.
This means that it does not matter what programming language either firm uses as long as they implement XML successfully.

Identity Management

34. a) What is identity management?
Identity management is the centralized policy-based management of all information required for access to corporate systems by people, machines, programs, or other resources.

b) What are the benefits of identity management?
Reduced costs by reducing the work needed to manage user access, including provisioning, password resets, and so forth.
Enforcing consistency by permitting a single change on an identity management server to affect employee access permission on all servers in an organization.
Centralized auditing of all an employee’s access permissions across a firm.
Possible use of single sign-on, or at least reduced sign-on.

c) What is SSO?
Single sign-on allows a user to authenticate him or herself to the identity management server once. From that point on, whenever the user asks for access to a specific server, no additional logins are required.

d) Why is full SSO generally impossible?
It is technically impossible.

e) What is reduced sign-on?
It is single sign-on to some resources but not all resources, as in full SSO.

f) What is an identity?
An identity is the set of attributes about a person or resource that must be revealed in a particular context.

g) Why is providing minimum identity data an important principle?
You will not accidentally reveal information about yourself that you do not have to reveal and that may be used against you.

35. a) In identity management, what are provisioning, reprovisioning, and deprovisioning?
Provisioning entails granting authorizations and authentications carefully and then changing them whenever roles or other conditions change.
Reprovisioning occurs when there are changes.
Deprovisioning occurs when the authorizations and authentications are no longer appropriate (e.g., when an employee leaves the company, etc.).

b) Why is decentralized management desirable?
Decentralized management is desirable because identities should be managed by people closest to the situation.

c) Why are self-service functions desirable?
To reduce costs of the identity management staff.

d) What changes should be made through self-service functions?
Only non-sensitive information changes should be made through self-service functions.

Trust and Risk

36. a) In what sense is identity management really just another form of risk management?
Identity management allows risk reduction by reducing risk from individuals accessing computer resources to acceptable levels. Risk reduction is the primary risk management technique.

b) How can identity management reduce risk?
Identity management can reduce risk by limiting the amount of potential damage an employee can do based on computer resource privileges, as well as allowing detection of malicious activities in real time (via auditing).

c) How much should companies spend on identity management?
A company must balance these risk reductions with the amount of money that identity management will cost to implement over its entire life cycle.

Conclusion

Synopsis

Thought Questions

1. Reusable passwords offer poor security. What do you think is holding back their replacement with other approaches?
Reusable passwords are still being used primarily because they are free.

2. Create two good password reset questions. For each, explain why you think it is a good question.
“Who is your favorite author?” This is a good question because it would be difficult for an imposter to know this and the number of possible choices among authors is significant. Of course, this implies that you have a favorite author. One caution is that the person must spell the author’s name the same way he or she did when first given the clue, including spacing and capitalization.
“What is your favorite movie?” This is a good question for the same reasons as above. It also has the same caution.
“What is your favorite beverage?” This seems like a good question because it’s easy to remember, there are many variations, and it can be as detailed or general as an individual wants it to be.
Overall, the questions should be legal, easy to remember, but difficult enough so that an impostor can’t make a good guess.

3. Someone says that they wish to protect their desktop PC from a walk-up attacker with a password or passwords. Give them advice and reasons for your advice. This is not a very short answer.
There are several actions you can take to protect a PC from a walk-up attack. First, your computer should be sited such that it limits the ability of a walk-up attacker to gain access to your PC or view information on the screen. Second, the use of passwords is much better than having no protection, but if not implemented properly, can offer little to no protection. Specific recommendations regarding the use of passwords include:
Make sure you use a strong password that is very difficult to crack. This means at least 8 characters long and including upper and lower case letters, numbers, and special characters. Ideally, this password should be randomly generated.
Do not use passwords that are dictionary words, even with the character requirements stated above, because hybrid dictionary attacks will quickly crack such a password.
Do not share your password with anyone. If you are afraid of locking yourself out, write your password, seal it in an envelope, and store it in a safe place, such as a locked filing cabinet.
Do not write your password down and keep it somewhere near the computer for convenience. This is a very common error that attackers know about and exploit frequently.
Make sure you use screensavers with password protection enabled.
Change your passwords at least every 90 days, and do not use the same password on multiple systems or sites. The longer or more often you use a password, the greater the chance it will be compromised.
If you can afford it, look into getting a biometric fingerprint scanner to use instead of using passwords. You can’t forget your fingerprint. Fingerprint scanners are not perfect, but they generally provide better protection than passwords, at a low cost, and have the added benefit of not having to remember another password.

4. a) Give two situations in which the risk of deception is high.
One situation would be when someone is trying to hide his or her face from cameras used for face identification.
Another example would be to impersonate someone by using a gelatin finger on a fingerprint scanner.

b) Give two situations in which the risk of deception is low.
Use of fingerprint scanners on a personal PDA.
Access to a corporate storeroom with little property of use to a hacker.

5. Your friend wants to secure his or her desktop PC with fingerprint scanning or password access protection. Give your friend the information that he or she should know to make the decision. Consider alternatives. This is not a very short answer.
Fingerprint scanning is recommended because it is generally reliable and better than passwords in most cases. Passwords are the most common mechanism to secure a PC, but it is hard to implement strong security using passwords.

6. What do FRRs mean when fingerprint scanning is used to secure a PC against walk-up attacks? What might produce high FRRs? Can you think of a way that this problem could be reduced in fingerprint scanning?
FRRs, when fingerprint scanning is used to secure a PC against a walk-up attack, mean that the legitimate user won’t be able to access his or her PC. High FRRs in this case can be caused by a faulty or dirty scanner input device, dirty hands, a cut or other blemish that obscures the fingerprint, and improper use (e.g., poor finger placement on the reader). High FRRs can be reduced by following some standard guidelines of use that include consistent finger placement on the scanner, ensuring that both the finger and reader are clean, and registering more than one finger in the system in case one gets mangled.

7. Some airports are installing face recognition systems to identify terrorists and criminals. About one in a million people passing through the airport is a terrorist. Suppose the FAR is about 1 percent. The FRR is about 30 percent. Is this system likely to be workable? Explain using a spreadsheet analysis with reasonable assumptions. Cut and paste the spreadsheet analysis into your homework file instead of handing it in separately. Give a short paragraph supporting your conclusion.
Terminal visitors: 10,000,000
Terrorists: 10
FRR: 30%
Terrorists identified: 7
Legitimate passengers: 9,999,990
FAR: 1%
Passengers incorrectly identified: 99,999.9
Fraction of identified people who are terrorists: 1/14,286
For every terrorist correctly identified, over 14,000 passengers would be incorrectly identified for screening. It is doubtful that screeners could maintain vigilance with this ratio of false positives to true positives.

8. Centralizing authentication and authorization reduces cost, improves consistency, and permits rapid provisioning and changes. List the technologies on the way toward greater centralization, beginning with stand-alone authenticators through corporate metadirectory servers.
Stand-alone authenticators: The least centralized, and requires individual changes on each and every authenticator to ensure consistency.
Central authentication servers.
Directory servers: Central repositories for information about people, software, equipment, and databases. Used to update multiple RADIUS, Kerberos, and other authentication servers in large networks.
Metadirectory server: Synchronizes authentication across disparate directory servers (e.g., Active Directory, Sun ONE, etc.).

9. Suppose that the probability of a false acceptance is 0.0001 per match attempt. Suppose that there are 1,000 templates in the database. What is the probability of a false acceptance in the case of verification? What is the probability of a false acceptance in the case of identification? What is the probability of a false acceptance if there is a watch list of 50 people who should be given access to a system?
The probability of a false acceptance of verification is .0001 = .01%, because only 1 match index is compared in verification.
The probability of a false acceptance of identification is 1000 x .0001 = .1 = 10%, because all the templates are compared with the match index in identification.
The probability of false acceptance of the watch list = 50 x .0001 = .005 = .5%.

10. List at least six identities for yourself that require different authentication and authorizations.
Student answers will vary. Here are some examples from graduate students:
“Access to the Graduate Lab computers at Shidler. Had to authenticate myself not only as a student taking classes at UH, but also enrolled in a business/ITM class. For permissions, I was given access to the graduate lab (but not the faculty lounge).”
“UH Wireless user. Authentication is via the use of my UH id and password. Authorizations are set by the ITS department and include access to some of my student records and the Internet.”
“CIS PhD student. Authentication is via personal verification by the Dept Chair. Authorizations include access to the CIS Student and CIS Program LISTSERV accounts and the Students section of the CIS home page.”
“Online Bank. Authentication is via a combination of a unique access number, part of my SSN, and a unique password. Authorization includes complete user access to my account for viewing, transfers, etc.”
“Home network administrator. Authentication after initial setup is knowing the IP address of the router (publicly available depending on model) and the Administrator password, which I changed upon initial install. Authorizations are full configuration control of the router/access point.”
“Access to military bases. Authentication is based upon having a valid military ID and, in some bases on Oahu, a valid military decal on my car. Authorizations are access to only public areas of the base unless I have separate authorization for controlled areas (such as the shipyard, which I don’t).”

11. Your company installs a face recognition system for door access.
a) Its FRR is much worse than the vendor’s claims. What might be causing this?
An FRR worse than vendor claims is not that unusual. Vendor claims are likely exaggerated, as they base their claims upon ideal recognition conditions (e.g., perfect lighting, an unobscured view of the face, a small number of templates to compare with, etc.). In reality, the company’s implementation of a face recognition system is under conditions far from ideal, thus the lower than expected FRR.

b) The system’s FRR increases over time. What might be causing this?
Over time, the number of templates in the system for comparison will surely increase. Given a static false rejection probability, the FRR will increase with the number of templates. In addition, people’s faces will change over time.

Hands-on Projects

NOTE: Screenshots for individual students will vary.
PROJECT 1

One of the most well-known password auditing programs is John the Ripper® (JtR), written by Solar Designer (Alexander Peslyak). You can read all about it and get a free copy from http://www.openwall.com/john/. It has been used for many years and has proven to be both robust and easy to use. In this project, you are going to run JtR in a command prompt (DOS). You are going to perform both a dictionary attack and a brute-force attack on a sample password file that you will download from www.pearsonhighered.com/boyle/.

1. Make a folder labeled “security” on your C: drive (C:\security\).
2. Download JtR from http://www.openwall.com/john/.
3. Scroll down and click on the link labeled John the Ripper 1.7.9 (Windows). Download the latest version available.
4. Click Save.
5. Select your C:\security folder. (If you haven't already created this folder, you will need to do so now.)
6. If the program doesn’t automatically open, browse to C:\security.
7. Right-click john179w2.zip. (If a later version was available, this file may have a slightly different name.)
8. Select Extract All, and Extract.
9. Download the sample password database labeled "hackme.txt" from www.pearsonhighered.com/boyle/. (The files may be listed under Student Project Files, Chapter 5.)
10. Extract all of the student project files (including hackme.txt) into your C:\security folder.
11. Copy the "hackme.txt" file from the student project folder to C:\security\john179w2\john179\run. (It is important that the hackme.txt file be in the "run" directory with the JtR executable.)
12. Click Start.
13. In the search box, type cmd
14. Press Enter. (This will open a command prompt.)
15. Type cd ..
16. Press Enter. (This will move up one directory.)
17. Type cd ..
18. Press Enter. (This will move up one directory. You should now be at C:\.)
19. Type cd security
20. Press Enter. (This will move you into the C:\security directory.)
21. Type cd john179w2
22. Press Enter. (This will move you into the C:\security\john179w2 directory.)
23. Type cd john179
24. Press Enter. (This will move you into the C:\security\john179w2\john179 directory.)
25. Type cd run
26. Press Enter. (This will move you into the C:\security\john179w2\john179\run directory.)
27. Type dir
28. Press Enter. (This will give you a listing of the files in the "run" directory. You can confirm that both john.exe and hackme.txt are in this directory.)
Note: You need to make sure you have a copy of the hackme.txt file in the run directory. You need to give john.exe something to crack. After the passwords are cracked they will be stored in a file called john.pot in the C:\security\john179w2\john179\run directory.
29. Type john.exe -wordlist=password.lst hackme.txt
30. Press Enter. (This will start a dictionary attack using a built-in dictionary (password.lst) that came with JtR. The extension on the password.lst file is ".lst" where the “l” is an L as in lemon.)
31. Type time
32. Press Enter twice. (This will provide a timestamp.)
33. Take a screenshot.
34. Type john.exe hackme.txt
35. Press Enter. (This will start a brute force attack. JtR will start trying all possible combinations until it cracks all of the passwords. The passwords you see were cracked in addition to the ones found during the dictionary attack.)
36. Stop the brute force attack by pressing Ctrl-C. (You can let it run for a couple of minutes.)
37. Take a screenshot.
38. Type notepad john.pot
39. Press Enter twice. (This will open the john.pot file where the cracked passwords are stored.)
40. Take a screenshot showing hashes and passwords you have cracked.

PROJECT 2

Let’s evaluate the strength of one of your current passwords.
Just because an attacker steals your password database does not mean he automatically knows your password. He still has to crack it. Creating a strong password can make it impractical for an attacker to crack your password. George Shaffer has written several online tools that help users learn more about strong passwords. These tools can help you understand the differences between strong and weak passwords.

1. Go to http://geodsoft.com/cgi-bin/pwcheck.pl.
2. Enter one of the passwords you use on a regular basis with a minor change.
3. Click Submit.
4. Take a screenshot.
5. Take note of the problems with your password (e.g., a number sequence and a dictionary word).
6. Try entering a password you might actually use and you think is strong.
7. Take a screenshot of the results.
Note: Weak passwords are typically easier to remember. However, it is possible to create a strong password that is fairly easy to remember.
8. Go to http://geodsoft.com/cgi-bin/password.pl.
9. Click Submit several times and watch the passwords at the top of the page change. These are samples of good passwords that might be easy to remember.
10. Take a screenshot.

Hands-on Project Questions

1. How does the cracking program actually “crack” the password?
It compares results from word lists (or brute force attempts) with the encrypted password, using the same encryption method. If they match, then the password is known.

2. If you used a larger wordlist, would it crack the passwords faster?
Yes, if you use larger wordlists, the probability of cracking a given percentage of passwords will increase (in general).

3. Can you use foreign language wordlists?
Yes, using foreign wordlists is very easy. People mistakenly believe that using foreign wordlists protects them from password crackers. This is errant thinking. At a fundamental level, computers only see 1s and 0s. Foreign words can just as easily be broken down to 1s and 0s.

4. Do you think one of the passwords in the example would be easy for you to remember?
Student responses will vary.

5. Why are these good passwords?
They use a variety of changes that make them difficult to guess. They use special characters, changes of case, numbers not at the end of the password, etc.

6. Why do special characters (e.g., @#$%^&*) make passwords difficult to crack?
They are rarely used so they make passwords more difficult to crack using brute force cracking. The larger the character set used, the more possible combinations the password cracker has to calculate. Adding these special characters greatly increases the strength of the password.

7. Why does a change of case help make a stronger password?
Adding a change of case greatly increases the strength of the password because it doubles the number of possible characters you can use in your password. A lowercase “a” and an uppercase “A” are two different characters. Each new character doubles the number of total possible password combinations.

8. How did you choose the password you currently have?
It’s likely that you chose a password that is familiar to you and easy to remember. Hackers know this.

9. Could others follow the same logic and choose a similar password?
Yes, most people choose passwords that are familiar to them. Many people choose a word and then add a number to the beginning or end of the password.

10. Do you use the same password for multiple accounts? Why would this be a security risk?
Most people use the same password for multiple accounts. They just don’t want to have to remember a dozen or more strong passwords. It’s a good idea to have several different passwords to prevent all of your accounts from being compromised from the loss of a single password.

Case Discussion Questions

1. How can cross-pollination of user credentials be harmful to users and businesses?
Cross-pollination of user credentials across multiple sites can be harmful to users and businesses because it allows an attacker to access multiple systems after stealing the credentials from a single system. In essence, a company with the weakest security causes failures at companies with stronger security. The linking of credentials can weaken the overall effectiveness of a company’s security because those credentials may be stolen from a company with weaker security.

2. How can businesses mitigate the negative effects of cross-pollination between organizations?
Businesses can mitigate the negative effects of cross-pollination between organizations by encouraging users not to reuse their credentials from other sites. They can enforce a stronger password policy than used at other sites. They can make sure all user passwords are encrypted.

3. How do weak security policies and practices affect businesses?
This is a very broad question that can be answered in many different ways. In this case, weak security policies and practices affect businesses by allowing attackers to steal customer credentials. This, in turn, leads to direct reputational and monetary losses.

4. How might the weak security practices in one organization harm other organizations?
Weak security practices in one organization can hurt another organization if both organizations share a common connection (e.g., user base, integrated systems, etc.). For example, suppose user credentials are stolen from a company that did not encrypt users’ passwords. These unencrypted passwords could then be used to gain access to user accounts at a completely different company.

5. How would two-factor authentication improve the security of user accounts?
Two-factor authentication can improve security by removing a single point of failure (i.e., a password). In this case, Apple sends users a passcode via SMS to be used in conjunction with their password. Even if attackers were able to steal a user’s password, they couldn’t manipulate the account without the passcode.

6. What are some new risks facing “hyper-extended” organizations?
Hyper-extended organizations face unique risks because it is harder to secure them from attacks. Hyper-extended organizations do not have a “perimeter” to defend. They also have a multitude of devices and applications. It becomes even more difficult to protect sensitive corporate data in hyper-extended organizations.

7. How could an organization become more secure by reining in their protection environment?
Organizations can become more secure if they curtail the use of security resources to protect extraneous information assets, stored data, and devices.

8. What are the benefits of competitive centrally provided security services?
By delivering at least some components of information security as a set of centralized services, a company can achieve not only increased efficiencies, but also better risk management.

9. How could a business proactively embrace new technology in a secure manner?
Develop a roadmap and set realistic expectations for the business. Understand the risks and devise a plan to mitigate the risks. Also, keep an eye on emerging technologies that are being implemented for other reasons, but may actually help decrease security risks.

10. Why should businesses shift their focus from protecting their containers to protecting their data?
More and more, enterprise data is processed and stored in containers not controlled by the enterprise. For instance, the data may be processed by service provider facilities, held in a PDA used by an individual employee, or in a laptop used by a contractor with multiple enterprise clients. Therefore, security needs to shift the focus from protecting the container to protecting the data.

Perspective Questions

1. What information in this chapter was the most surprising for you?
Student answers will differ.

2. What material in this chapter was the most difficult for you?
Student answers will differ.
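The spreadsheet analysis asked for in Thought Question 7 (airport face recognition) and the match-attempt arithmetic of Thought Question 9, worked as an added Python example that is not part of the original manual. The function and class names are hypothetical; the exact figure 1 - (1 - p)^N assumes independent match attempts and is shown next to the N x p product used in the answer key, which it closely tracks while N x p is small.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Screening:
    """One pass of a watch-list system over a stream of people."""
    targets: Fraction          # people in the stream who are on the watch list
    targets_flagged: Fraction  # true positives  = targets * (1 - FRR)
    others: Fraction           # everyone else in the stream
    others_flagged: Fraction   # false positives = others * FAR

    @property
    def false_alarms_per_hit(self) -> Fraction:
        if self.targets_flagged == 0:
            raise ValueError("no target is ever flagged (FRR = 100% or no targets)")
        return self.others_flagged / self.targets_flagged

    @property
    def precision(self) -> Fraction:
        """Share of all flagged people who really are targets."""
        return self.targets_flagged / (self.targets_flagged + self.others_flagged)


def _check_rate(name: str, value: Fraction) -> None:
    if not 0 <= value <= 1:
        raise ValueError(f"{name} must be between 0 and 1, got {value}")


def screen(visitors: int, prevalence: Fraction, far: Fraction, frr: Fraction) -> Screening:
    """Reproduce the spreadsheet rows: counts of correct and incorrect flags."""
    for name, value in (("prevalence", prevalence), ("FAR", far), ("FRR", frr)):
        _check_rate(name, value)
    targets = visitors * prevalence
    others = visitors - targets
    return Screening(targets, targets * (1 - frr), others, others * far)


def far_for_workload(visitors: int, prevalence: Fraction, frr: Fraction,
                     max_false_alarms_per_hit: int) -> Fraction:
    """Largest FAR that keeps false alarms per true hit at or below the limit."""
    targets = visitors * prevalence
    hits = targets * (1 - frr)
    return Fraction(max_false_alarms_per_hit) * hits / (visitors - targets)


def false_accept_probability(p: Fraction, comparisons: int):
    """Return (N*p approximation, exact 1-(1-p)^N) for N independent comparisons."""
    _check_rate("p", p)
    return comparisons * p, 1 - (1 - p) ** comparisons


if __name__ == "__main__":
    # Thought Question 7 inputs, taken from the question and its answer table.
    r = screen(10_000_000, Fraction(1, 1_000_000), Fraction(1, 100), Fraction(30, 100))
    print(f"terrorists identified:          {float(r.targets_flagged):,.1f}")
    print(f"passengers incorrectly flagged: {float(r.others_flagged):,.1f}")
    print(f"false alarms per true hit:      {float(r.false_alarms_per_hit):,.1f}")
    print(f"precision of a flag:            {float(r.precision):.6%}")

    # What FAR would bring the workload down to 10 false alarms per hit?
    needed = far_for_workload(10_000_000, Fraction(1, 1_000_000), Fraction(30, 100), 10)
    print(f"FAR needed for 10 alarms/hit:   {float(needed):.7%}")

    # Thought Question 9: verification (1), watch list (50), identification (1,000).
    for n in (1, 50, 1000):
        approx, exact = false_accept_probability(Fraction(1, 10_000), n)
        print(f"N={n:>4}: N*p = {float(approx):.4%}   exact = {float(exact):.4%}")
```

Exact fractions are used so the rows match the answer table digit for digit instead of picking up floating-point noise.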