Instructor’s Manual
Chapter 5
Access Control
Answer Key
Introduction
Organizational and Human Controls
1.
a) List the AAA access controls.
Authentication, Authorizations, and Auditing.
b) Explain each in a sentence.
Authentication is the process of assessing the identity of each individual claiming
to have permission to use a resource.
Authorizations are specific permissions that a particular authenticated user should
have given his or her authenticated identity.
Auditing consists of collecting information about the activities of each individual
in log files for immediate and later analysis.
c) What are the four bases for authentication credentials?
What you know (a password or a private key)
What you have (a physical key or a smart card)
Who you are (your fingerprint)
What you do (how you specifically pronounce a passphrase)
d) What is two-factor authentication’s promise?
Two-factor authentication promises defense in depth. If one authentication
method is broken, the impostor will still not be able to authenticate him or herself.
Copyright © 2015 Pearson Education, Inc.
Chapter 5: Access Control
Corporate Computer Security, 4th Edition
Randall J. Boyle and Raymond R. Panko
e) How can a Trojan horse defeat this promise?
If a client PC is infected with a Trojan horse, the Trojan horse can send
transactions when a user has already authenticated him or herself to an
e-commerce site. If a user’s computer is compromised, two-factor authentication
means nothing.
f) How can a man-in-the-middle attack defeat this promise?
Two-factor authentication can often be defeated with a man-in-the-middle attack.
If a user logs into a fake banking website, the fake site can act as a silent
go-between to the real banking website. After the user successfully authenticates,
the fake website can execute transactions of its own on the real website.
g) What is RBAC? (Do not just spell it out).
Role-based access control. Authorizations are assigned to roles instead of to
individuals.
h) Why is RBAC less expensive than access control based on individual accounts?
Role-Based Access Control is less expensive than access control based on
individuals because fewer assignments need be made (as there are far fewer roles
to designate than there are people assigned to roles).
i) Why is it less error-prone? (The answer is not specifically in the text.)
Appropriate authorizations are easier to understand for roles than for individuals.
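The role indirection described in g) through i), as an added example that is not code from the textbook: authorizations are attached to roles, people are attached to roles, and a permission check walks user to roles to permissions. The roles, resources, actions and user names are constructed for the example; the assignment count compares the entries an administrator must maintain under RBAC with the entries needed to give each individual the same permissions directly.

```python
"""Role-based access control (RBAC) in miniature.

Added example, not code from the textbook. Authorizations are attached to
roles and people are attached to roles, so a permission check walks
user -> roles -> permissions, and removing someone from a role removes
every permission the role carried. Roles, resources, actions and users
are constructed for the example.
"""
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Authorizations are assigned to roles, never directly to individuals.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "clerk": {("payroll_db", "read"), ("timesheets", "read"),
              ("timesheets", "write")},
    "manager": {("payroll_db", "read"), ("payroll_db", "approve"),
                ("timesheets", "read"), ("timesheets", "write"),
                ("timesheets", "approve"), ("reports", "read")},
    "auditor": {("payroll_db", "read"), ("timesheets", "read"),
                ("audit_log", "read"), ("reports", "read")},
}

# People are assigned to roles: eight clerks, two managers, two auditors.
USER_ROLES: Dict[str, Set[str]] = {f"clerk{i}": {"clerk"} for i in range(1, 9)}
USER_ROLES.update({"bob": {"manager"}, "dave": {"manager"},
                   "carol": {"auditor"}, "erin": {"auditor"}})


def effective_permissions(user: str) -> Set[Permission]:
    """Union of the permissions of every role the user holds.
    Unknown users and unknown roles contribute nothing."""
    perms: Set[Permission] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user: str, resource: str, action: str) -> bool:
    """True only if some role held by the user grants (resource, action)."""
    return (resource, action) in effective_permissions(user)


def assignment_counts() -> Tuple[int, int]:
    """(RBAC assignments, direct per-user assignments) for the same access.

    RBAC needs one entry per role-permission pair plus one per user-role pair.
    Giving each individual the same permissions directly needs one entry per
    user-permission pair, which grows with the number of people, not roles.
    """
    rbac = (sum(len(p) for p in ROLE_PERMISSIONS.values())
            + sum(len(r) for r in USER_ROLES.values()))
    direct = sum(len(effective_permissions(u)) for u in USER_ROLES)
    return rbac, direct


def revoke_role(user: str, role: str) -> Set[Permission]:
    """Remove a person from a role; returns what they can still do."""
    USER_ROLES.get(user, set()).discard(role)
    return effective_permissions(user)


if __name__ == "__main__":
    print(is_authorized("clerk1", "payroll_db", "approve"))  # False
    print(is_authorized("bob", "payroll_db", "approve"))     # True
    print(assignment_counts())                               # (25, 44)
```

With twelve people and three roles the administrator maintains 25 entries under RBAC against 44 direct grants, and the gap widens with every person added to an existing role; the per-role permission sets are also far easier to review for correctness than twelve individual lists.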
j) Why do technologically strong access controls not provide strong access control in real
organizations?
No access control, no matter how strong, will provide strong access control in real
organizations unless the organization has well-thought-out security policies and
rigorously implements those policies. Humans are ingenious in finding ways to
harm themselves, especially when they are not monitored.
Military and National Security Organization Access Controls
2.
a) Distinguish between mandatory access controls and discretionary access controls.
In mandatory access control, departments have no ability to alter access control
rules set by higher authorities. In principle, this offers very strong security. In
practice, this is difficult to sustain because some flexibility is always needed.
In discretionary access control, the department has discretion over giving access
to individuals, within the policy standards set by higher authorities.
b) What is multilevel security?
Information is classified by level of security (e.g., confidential, secret, top secret,
etc.). It is assigned security appropriate for its level of classification.
c) What are SBU documents?
SBU documents are sensitive but unclassified.
d) Do they need to be considered in access controls?
Yes
e) Why are access control models needed?
To cope with complex access control issues involving multilevel security,
organizations that use multilevel security must follow complex access control
models to determine how to deal with various access situations.
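The two layers distinguished in question 2, as an added example that is not code from the textbook: a mandatory layer, fixed by higher authority, that compares a user's clearance with a document's classification level, and a discretionary layer in which a department grants named individuals access to its own documents. A request succeeds only when both layers allow it, so a departmental grant can never override the classification rule. The level names, users and documents are constructed; the rule that clearance must be at least as high as classification is the standard "no read up" rule of the Bell-LaPadula model, which the text does not name.

```python
"""Mandatory (multilevel) versus discretionary access checks.

Added example, not code from the textbook. Levels, users and documents are
constructed. The mandatory rule used here is "no read up": a user may read a
document only if the user's clearance dominates the document's
classification. SBU (sensitive but unclassified) is given its own level so
that the rule covers it too.
"""
from typing import Dict, Set

# Ordered from least to most sensitive.
LEVELS = ["unclassified", "sbu", "confidential", "secret", "top_secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Mandatory layer: set by higher authority, not editable by a department.
CLEARANCE: Dict[str, str] = {
    "alice": "secret", "bob": "confidential", "dave": "unclassified",
}
CLASSIFICATION: Dict[str, str] = {
    "budget.xlsx": "sbu",
    "plan.docx": "secret",
    "ops.pdf": "top_secret",
}

# Discretionary layer: the owning department's own access list per document.
DEPARTMENT_ACL: Dict[str, Set[str]] = {
    "budget.xlsx": {"alice", "bob", "dave"},
    "plan.docx": {"alice", "bob"},
    "ops.pdf": {"alice"},
}


def dominates(clearance: str, classification: str) -> bool:
    """Clearance dominates classification when it is at least as high."""
    return RANK[clearance] >= RANK[classification]


def mandatory_allows_read(user: str, doc: str) -> bool:
    """No read up; unknown users or documents are denied."""
    if user not in CLEARANCE or doc not in CLASSIFICATION:
        return False
    return dominates(CLEARANCE[user], CLASSIFICATION[doc])


def discretionary_allows_read(user: str, doc: str) -> bool:
    """The department's own grant for this document."""
    return user in DEPARTMENT_ACL.get(doc, set())


def can_read(user: str, doc: str) -> bool:
    """Both layers must agree; the department cannot override classification."""
    return mandatory_allows_read(user, doc) and discretionary_allows_read(user, doc)


def grant(user: str, doc: str) -> bool:
    """Discretionary grant by the department. Returns the resulting read
    decision, which stays False when the mandatory layer forbids it."""
    DEPARTMENT_ACL.setdefault(doc, set()).add(user)
    return can_read(user, doc)


if __name__ == "__main__":
    print(can_read("alice", "plan.docx"))  # True: secret clearance, on the ACL
    print(can_read("bob", "plan.docx"))    # False: on the ACL, but confidential < secret
    print(grant("bob", "ops.pdf"))         # False: the grant cannot raise his clearance
```

Bob is on the department's list for plan.docx yet is still refused, which is the mandatory property in one line: the department has discretion only within the classification rule set above it.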
Physical Access and Security
Risk Analysis
ISO/IEC 9.1: Secure Areas
3.
a) Why is having a single point of building entry important?
By limiting access points, it is easier to apply protections to people coming into
and going out of the building.
b) Why are emergency exits important?
In case of fire or other problems, people must be able to escape.
c) What should be done about them?
Emergency exits should be alarmed, monitored (preferably with cameras), and
tested frequently. In all cases, security provisions must be compatible with fire
codes. Most importantly, it is illegal to lock fire exits to bar egress.
d) List the four elements of entry authorization in CobiT.
In CobiT, building entry must be justified, authorized, logged, and monitored.
e) Why is loading dock security important?
This is a busy area with many strangers. It is a likely penetration point. In
addition, it holds expensive goods that are easy to steal.
f) What access control rules should be applied to loading docks?
Internal employees should have limited access to loading docks, which prevents
easy passing of material from inside to outside.
External employees should have no access to the building beyond the loading
dock. (They don’t need it).
Incoming shipments should be inspected and logged.
Outgoing shipments should be separated from incoming shipments to reduce risk
of theft.
g) What steps should be taken to reduce the danger of environmental damage?
Hazardous and combustible material should be located away from sensitive areas,
and there should be adequate equipment for fire fighting. Disaster response
facilities and backup media should be located safely away from the building.
h) List rules for working in secure areas.
Unsupervised work in secure areas should be avoided.
When no one is working in a secure area, it should be locked and checked
periodically.
Electronic devices that can record or copy mass amounts of information should be
forbidden in secure areas (e.g., cameras, cell phones, USB flash drives, external
hard drives, non-authorized PCs and laptops, and other computing devices).
Inspections of personnel entering/leaving secure areas should ensure that this rule
is followed. Inspections must follow strict notification and compliance laws.
9.2 Equipment Security
4.
a) What is siting?
Siting is a synonym for locating or placing. It is done from the root site.
b) Distinguish between UPSs and electrical generators.
Uninterruptible power supplies (UPSs) have batteries that can supply power to
equipment for a brief period of time after an outage. UPSs allow orderly
shutdown during power failures.
Electrical generators can be used as backup for longer-duration outages. These
run on gasoline.
c) If wiring cannot be run through walls, what should be done to protect the wiring?
If wiring cannot be run through walls, the wiring should be protected by running
it through conduits (preferably armored conduits) and should not be run through
public areas.
d) What should be done to protect laptops taken off premises?
Laptops should never be left unattended. If for home use, the laptop should be
stored in lockable filing cabinets, and all paperwork should be locked away when
not in active use, along with the equipment. Having insurance for the laptop is
also desirable. For all equipment taken off premises, precautions include:
Being limited to authorized personnel only.
Being logged out and back in.
Having all sensitive information removed.
e) What controls should be applied to off-site equipment maintenance?
Offsite equipment maintenance must:
Be limited to authorized personnel only.
Be logged out and back in.
Have all sensitive information removed.
f) What controls should be applied to equipment disposal or reuse?
When equipment is ready to be disposed or reused, sensitive data must be
removed. If the equipment will not be reused, the hard drive should be destroyed
or, at the very least, written over by special software that prevents data from being
recovered.
g) What controls should be placed over employees taking equipment offsite?
Controls over employees taking equipment offsite include:
Ensuring proper authorization to remove equipment
Limiting the personnel who are able to authorize removal
Enforcing time limits for off-site use
Logging equipment in/out
Periodic spot checks of the above rules should be conducted
Other Physical Security Issues
5.
a) What special controls are required by terrorism threats?
Due to increasing threats from terrorism, terrorist attacks must be considered in
all matters of physical security. For instance, new buildings should be set back
from streets and protected with rolling hill landscaping. In appropriate situations,
guards may be armed. Bullet-proof doors may also be needed to guard sensitive
areas.
b) Why is it necessary to prevent piggybacking?
Unless piggybacking is eliminated, physical access security is nearly impossible.
c) What advice would you give a company about CCTV?
Tell the company that CCTV tapes will wear out, high resolution cameras are
expensive and consume a great deal of disk space, low resolution cameras may be
insufficient for recognition needs, and to reduce storage they should use motion
sensing.
d) What is Dumpster™ diving?
Dumpster™ diving is an attack in which an attacker goes through a firm’s trash
bins looking for documents, backup tapes, floppy disks, and other
information-carrying media.
e) How should trash bins be protected?
Building trash bins should be located in a secure and lighted area, preferably
under CCTV surveillance. This area must be on the company premises, because
once building trash bins are moved beyond the company premises, their contents
usually are considered to be abandoned and have no legal protection.
f) What can be done to reduce the dangers of desktop PC theft and unauthorized use?
To reduce the danger of theft, individual desktop PCs in ordinary office areas can
be locked onto their desks with a cable, provided that there is something on the
desk to wrap the cable around. In addition, each PC should have a login screen
that requires a complex password and a screen saver so that an intruder cannot
simply walk up to it and use it.
Passwords
Password-Cracking Programs
6.
a) What are reusable passwords?
Reusable passwords are passwords that are used for weeks or months at a time.
b) Why is password cracking over a network difficult to do?
Password cracking over a network is difficult to do because the attacker will
almost always be locked out after a few attempts.
c) In what two ways can password-cracking programs be used?
Password-cracking programs can be loaded on a server (assuming the hacker can
gain access to the server) to try thousands of possible account name/password
combinations per second until one works. Also, if the attacker can gain access to
the password file from a computer, he or she can copy the file and attempt to
crack it on another machine in a less obtrusive manner.
d) Which is safer for the cracker? Why?
Stealing the password file and cracking it elsewhere is safer. There is no need to
wait around by a compromised server while the password-cracking program does
its work.
Lost Passwords
7.
a) Why is it a problem to use the same password at multiple sites?
Using the same password at multiple sites is bad because when a password is
compromised at one site, it is compromised at all sites, expanding the risk of the
compromise.
b) Why is it difficult to enforce a policy of using a different password at each site?
It is difficult to enforce a policy of using a different password at each site because
it is difficult for users to remember different passwords for different sites. Using
different passwords is even difficult if the passwords are written in a password
book.
c) Why are password duration policies important?
If passwords are not changed frequently, or if an attacker cracks the password, he
or she will be able to use it for a long period of time.
d) What are password resets?
A password reset is the action taken by a help desk employee to create a new
password for an account when the current password is lost or forgotten.
e) Why are password resets dangerous?
Password resets are dangerous because they are susceptible to social engineering
by an imposter who can convince help desk personnel to reset a password, thus
giving account access to the imposter and locking out the appropriate account
holder.
f) How can password resets be automated?
Password resets can be automated by using a system that asks the person
requesting a reset to answer one or more secret questions, giving answers the
authentic user gave at registration time.
g) Why are password reset questions difficult to create?
Password reset questions are difficult to create because:
Some questions themselves are security violations (such as asking for SSN
or mother’s maiden name).
Some questions are easily answered by an attacker with little knowledge
of the user (e.g., city of birth, pet’s name, etc.).
Some questions are too hard to remember or difficult to answer (e.g.,
favorite song, favorite teacher in high school, etc.).
Some questions require exact spelling, which can cause the password reset
answer to fail too often. (This is especially difficult with names.)
h) How may password resets be handled in high-risk environments?
In high-risk environments, password resets might best be handled by eliminating
remote password resets altogether and requiring the users to go to the help desk in
person and show ID.
For the DoD’s Common Access Card (CAC), each user creates a six- or eight-digit
PIN. A user only gets three tries to access an IT service using the CAC. After
three incorrect tries, the CAC locks itself, and unlocking requires the user to
physically go to a CAC issuance facility (which in some places only takes
appointments several days in advance).
Password Strength
Password Auditing
8.
a) What is the book’s recommended password policy for length and complexity?
The book’s recommended password policy for length and complexity is:
Be at least 8 characters long (although current DoD policy is 16
characters)
Have at least one change of case (DoD policy is two upper and two lower
case, but there’s no requirement for placement)
Have at least one digit (DoD policy is two)
Have at least one non-alphanumeric character not at the end of a password
(DoD policy is two)
Another DoD policy is that keyboard shortcuts are not to be used (such as
some combination of “asdf;lkj”)
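The policy in a), as an added example that is not the textbook's code: the book's minimum rules and the stricter DoD variant are encoded as data and a candidate password is checked against each, reporting every rule it breaks. Reading "at least one change of case" as requiring at least one uppercase and one lowercase letter, and the keyboard rows used for the "asdf;lkj" rule, are this example's own assumptions.

```python
"""Password strength policy checks.

Added example, not the textbook's code. It encodes the book's minimum
policy and the stricter DoD variant described above as data and reports
which rules a candidate password breaks. Reading "at least one change of
case" as at least one uppercase and one lowercase letter, and the keyboard
rows used for the "asdf;lkj" rule, are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import List

# Keyboard rows checked for runs of adjacent keys, in either direction.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    min_upper: int
    min_lower: int
    min_digits: int
    min_special_not_last: int  # non-alphanumerics, ignoring the final character
    forbid_keyboard_runs: bool
    run_length: int = 4


BOOK_POLICY = PasswordPolicy("book", 8, 1, 1, 1, 1, False)
DOD_POLICY = PasswordPolicy("dod", 16, 2, 2, 2, 2, True)


def has_keyboard_run(pw: str, run_length: int) -> bool:
    """True if some substring of run_length walks along one keyboard row
    forwards or backwards (e.g. "asdf" or ";lkj")."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run_length + 1):
                if seq[i:i + run_length] in low:
                    return True
    return False


def policy_violations(pw: str, policy: PasswordPolicy) -> List[str]:
    """Return the rules the password breaks; an empty list means compliant."""
    problems: List[str] = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if sum(c.isupper() for c in pw) < policy.min_upper:
        problems.append(f"fewer than {policy.min_upper} uppercase")
    if sum(c.islower() for c in pw) < policy.min_lower:
        problems.append(f"fewer than {policy.min_lower} lowercase")
    if sum(c.isdigit() for c in pw) < policy.min_digits:
        problems.append(f"fewer than {policy.min_digits} digits")
    # A special character in the very last position does not count.
    specials = [c for c in pw[:-1] if not c.isalnum()]
    if len(specials) < policy.min_special_not_last:
        problems.append(f"fewer than {policy.min_special_not_last} "
                        "non-alphanumerics before the last character")
    if policy.forbid_keyboard_runs and has_keyboard_run(pw, policy.run_length):
        problems.append("contains a keyboard sequence")
    return problems


def complies(pw: str, policy: PasswordPolicy) -> bool:
    return not policy_violations(pw, policy)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&x", "Asdf;lkj12QW#$zx"):
        for policy in (BOOK_POLICY, DOD_POLICY):
            print(policy.name, candidate, policy_violations(candidate, policy))
```

Returning the full list of violations rather than a single yes/no is what makes the checker usable at registration time: the user is told exactly which rule to fix. The second sample password satisfies every DoD count and fails only on the keyboard-sequence rule, which is why that rule exists as a separate check.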
b) How can password-cracking programs be used to enforce password strength policy?
Password-cracking programs can be used to enforce password strength policy by
having systems administrators run a password-cracking program against their own
servers to check for policy violations in password length and complexity.
c) Before you run a password-cracking program on your company’s computers to check
for weak passwords, what should you do?
Before running a password-cracking program on your company’s computers to
check for weak passwords, get permission! Have a memo providing permission to
do a very specific set of actions and then do not deviate from them without further
written permission.
Other Password Policies
The End of Passwords?
9.
What is the likely future of passwords?
Passwords are likely to be phased out in the fairly near future primarily because
they are such a significant weakness. Password cracking has gotten easier and
faster, and users are limited in their ability to handle truly strong passwords.
Access Cards and Tokens
Access Cards
Tokens
Proximity Access Tokens
Addressing Loss and Theft
10.
a) Distinguish between magnetic stripe cards and smart cards.
A magnetic stripe card is a simple access card that can store authentication data.
A smart card looks like a magnetic stripe card but has a built-in microprocessor
and memory. This allows smart cards to do processing for more sophisticated
authentication. Smart cards can also give out information differentially to
different applications. While magnetic stripe cards are passive, only containing
data, smart cards are active.
b) What are one-time-password tokens?
One-time-password tokens are small devices with displays that have a number
that changes frequently. Users must type the current number into key locks or into
their computer.
c) What are USB tokens?
A USB token is a small device that plugs into a computer’s USB port to identify
the owner.
d) What is the advantage of USB tokens compared to cards?
USB tokens can be used to authenticate a user without the cost of having a smart
card reader attached to the PC. (All modern PCs have USB ports.)
e) What is the attraction of proximity tokens?
Proximity tokens are attractive because they do not require physical contact with a
reader or USB port, which is faster than directly interacting with a device.
11.
a) Why is it important to disable lost or stolen access devices?
If you do not disable them immediately and they are stolen, they can still be used
by the thief indefinitely.
b) Give an example of two-factor authentication not mentioned in the text.
Student answers will vary.
c) What is a PIN?
A PIN is a personal identification number. It is a short number you type in
manually to authenticate yourself, often in conjunction with another
authentication factor.
d) Why can PINs be short—only four to six digits—while passwords must be much
longer?
Passwords need to be long because attackers can try millions of comparisons per
second. However, people must enter PINs manually, so attackers can only enter a
PIN every second or two. In addition, someone standing over an access door,
trying many PIN codes, would be highly conspicuous and therefore vulnerable to
detection.
Biometric Authentication
Biometrics
12.
a) What is biometric authentication?
Biometric authentication is authentication based on biological metrics.
b) On what two things about you is biometric authentication based?
Biometric authentication is based upon something you are (i.e., a physical feature)
and something you do (i.e., an action).
c) What is the major promise of biometrics?
The major promise of biometrics is to make reusable passwords obsolete.
Biometric Systems
13.
a) Describe the three scanner actions in the enrollment process.
First, the reader scans each person’s biometric data.
The reader then processes the enrollment scan to extract a few key features from
the mass of scanned data.
Finally, the reader sends the key feature data to the database, which stores the key
feature data as the user’s template.
b) What are key features?
Key features are specific metrics extracted from the scanning data. Two scans will
never give the same scanning data, but they should give generally the same key
features, such as the relative locations of arches and whorls in a fingerprint.
c) Why are they necessary?
Key features are necessary because raw biometric scans will be different each
time due to nuanced actions (e.g., pressure, angle of scanning, interfering
substance, etc.), but key features will be the same (or almost the same) no matter
how a finger is scanned.
d) What does the server do with the key features created by the enrollment scan?
It uses these key features as the template for that user.
e) What is a template?
A template is the file entry containing key features from the enrollment process
for a single individual.
f) What is user access data?
This is data collected during an access attempt scan, as opposed to the scanning
data during enrollment.
g) What are match indices, and how are they related to decision criteria?
A match index compares access key features with the template. Because scanning
never works exactly the same way twice, if the match index is close enough to
satisfy the system’s configurable decision criteria, the supplicant is accepted.
Biometric Errors
14.
a) In biometrics, what is a match?
In biometrics, a match occurs when a match index (a comparison of access key
features and the template) meets the decision criteria.
b) Distinguish between false acceptances and false rejections.
A false acceptance occurs when a person is improperly matched to a template.
False rejection occurs when a person is improperly not matched to a template.
c) What are false acceptance rates (FARs) and false rejection rates (FRRs)?
These are the percentages of time there is a false acceptance or a false rejection
from a scan.
d) For computer access, why is a false acceptance bad?
For computer access, false acceptance is bad because someone other than the
authorized user, possibly an imposter, will gain access to the resource.
e) Why is a false rejection bad?
False rejection is bad because a legitimate user is denied access to a resource.
f) Which is worse from a security viewpoint?
For computer access, a false acceptance is worse because it allows an
unauthorized person through the door, giving the person access to sensitive
building space.
g) Which is worse from a user acceptance viewpoint?
A false rejection, because it lets an attacker in.
15.
a) For watch lists of criminals, what is a false acceptance?
For watch lists of criminals, a false acceptance means that an innocent person is
identified as a criminal.
b) For watch lists of criminals, which is worse from a security viewpoint, a false
acceptance or a false rejection? Explain.
For a watch list of criminals, false rejection is worse from a security viewpoint
because it means a criminal was not identified.
c) For watch lists of people who should be allowed to enter a room, which is worse from
a security viewpoint, a false acceptance or a false rejection? Explain.
From a security viewpoint, a false acceptance is a worse error because it means a
non-authorized person has improperly gained access to a resource. A false
rejection would merely keep an authorized user out of the space, which is an
inconvenience, but harmless in most cases.
16.
What is failure to enroll?
Failure to enroll is an error that occurs if a system will not enroll a user, for
example if a person does not have well-defined fingerprints.
Verification, Identification, and Watch Lists
17.
a) Distinguish between verification and identification.
Verification is an action wherein the verifier determines whether the supplicant is
the particular person he or she has claimed to be.
In identification, the verifier determines the identity of the supplicant; the
supplicant does not claim to be a particular person.
b) Which requires more matches against templates?
Identification requires more matches against templates than verification because
in verification, a supplicant is claiming a specific identity. In identification, no
identity is being claimed, so the verifier has to review the templates for all users.
c) Which is more likely to generate a false acceptance? Why?
There is a small chance of a false acceptance every time a match is attempted.
Because identification requires checking the supplicant against every template in
a system, there is a greater chance that identification will generate a false
acceptance than verification (which compares the supplicant with only one
template).
d) Compare identification with watch list matching.
Watch list matching is a form of identification that identifies a person as being a
member of a group. For instance, the matches may be made against the templates
of people on a terrorist watch list. A match has to be attempted against each
template in the list.
e) Which is more likely to generate a false match? Why?
There is a small chance of a false acceptance with each match attempt.
Identification must attempt matches against all templates in the database. Watch
lists only require match attempts against the templates of members of the group.
Therefore, identification is likely to generate more false matches.
18.
a) Suppose that the probability of a false acceptance is one in a million, that there are
10,000 identities in the database, and that there is a watch list with 100 people. What will
be the FAR for verification?
Verification only attempts a single match.
The probability of a false acceptance for a single match is one in a million.
Therefore, the probability of a false acceptance of verification is one in a million.
b) For identification?
Identification will attempt 10,000 matches.
The probability of a false acceptance for a single match is one in a million.
Therefore, the probability of a false acceptance of identification is 1/1,000,000
times 10,000 (i.e., 0.01).
Therefore, the probability of a false acceptance is 1%.
c) For the watch list?
A watch list will attempt 100 matches.
The probability of a false acceptance for a single match is one in a million.
Therefore, the probability of a false acceptance for the watch list is 1/1,000,000
times 100 (i.e., 0.0001).
Therefore, the probability of a false acceptance is 0.01%.
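The decision criteria and error rates of questions 13 g) and 14 c), and the verification, identification and watch-list calculation of question 18, carried through in one added example that is not the textbook's code. The genuine and impostor match indices are constructed sample data; the first part applies a decision threshold to them and measures FAR and FRR, and the second part uses the book's own numbers (one in a million per match, 10,000 identities, a 100-person watch list), giving both the book's linear estimate N*p and the exact value 1-(1-p)^N for N independent match attempts.

```python
"""Biometric decision criteria, error rates, and repeated matching.

Added example, not the textbook's code. The genuine and impostor match
indices are constructed sample data; the formulas are standard. Part one
applies a decision threshold to the match indices and measures FAR and FRR.
Part two carries the book's numbers (single-match false acceptance
probability 1/1,000,000; 10,000 identities; a 100-person watch list)
through for verification, identification and watch-list matching, giving
both the book's linear estimate N*p and the exact value 1-(1-p)^N.
"""
from typing import Dict, List, Sequence, Tuple

# Constructed match indices in [0, 1]; higher means the access scan's key
# features are closer to the stored template.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.79, 0.83, 0.97, 0.86, 0.74, 0.90, 0.82]
IMPOSTOR_SCORES = [0.21, 0.35, 0.48, 0.62, 0.30, 0.55, 0.41, 0.77, 0.27, 0.38]


def is_match(match_index: float, threshold: float) -> bool:
    """Decision criterion: the supplicant is accepted when the match index
    reaches the configured threshold."""
    return match_index >= threshold


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                threshold: float) -> Tuple[float, float]:
    """(FAR, FRR) at a threshold: the fraction of impostor scans accepted
    and the fraction of genuine scans rejected."""
    far = sum(is_match(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not is_match(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def threshold_sweep(thresholds: Sequence[float]) -> List[Tuple[float, float, float]]:
    """Show the trade-off: raising the threshold lowers FAR and raises FRR."""
    return [(t, *error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)) for t in thresholds]


def far_after_n_matches_approx(p: float, n: int) -> float:
    """The book's estimate: n match attempts, each with probability p."""
    return n * p


def far_after_n_matches_exact(p: float, n: int) -> float:
    """Probability that at least one of n independent matches is false."""
    return 1 - (1 - p) ** n


def book_scenario(p: float = 1e-6, identities: int = 10_000,
                  watch_list: int = 100) -> Dict[str, Tuple[float, float]]:
    """(approximate, exact) FAR for each mode of the book's question."""
    attempts = {"verification": 1, "identification": identities,
                "watch_list": watch_list}
    return {mode: (far_after_n_matches_approx(p, n), far_after_n_matches_exact(p, n))
            for mode, n in attempts.items()}


if __name__ == "__main__":
    for t, far, frr in threshold_sweep([0.6, 0.7, 0.8, 0.9]):
        print(f"threshold {t:.2f}: FAR {far:.0%}, FRR {frr:.0%}")
    for mode, (approx, exact) in book_scenario().items():
        print(f"{mode}: approx {approx:.6f}, exact {exact:.6f}")
```

On the constructed scores a threshold of 0.7 accepts one impostor scan in ten and rejects no genuine user, while 0.8 accepts no impostor but rejects two genuine scans in ten; there is no threshold that makes both errors zero, which is the trade-off the decision criteria encode. The linear estimate slightly overstates the identification FAR (0.01 against an exact value just under 0.00995) because a single scan cannot be falsely accepted by two templates independently; the difference only matters when N*p stops being small.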
Biometric Deception
19.
a) Distinguish between error rates and deception in biometrics.
Error rates measure accuracy when a supplicant is not trying to deceive the
system.
In contrast, deception occurs when an attacker deliberately attempts to fool the
system.
b) Why may fingerprint scanning, which is often deceived, be acceptable for entry into a
supplies cabinet?
Basically because a supplies cabinet does not hold sensitive information and it is
not likely to get attacked by a sophisticated attacker.
c) When may it not be sufficient?
Fingerprint scanning may not be sufficient when it is used to control access to
very sensitive or important resources and where the impact of deception is
potentially very great.
Biometric Methods
20.
a) What is the advantage of fingerprint recognition?
The main advantage of fingerprint recognition is that the technology of fingerprint
scanners is inexpensive.
b) What are the disadvantages?
The main disadvantage of fingerprint recognition is that it is easily deceived in all
but the most advanced and expensive fingerprint scanner technologies.
c) For what type of use is fingerprint recognition sufficient?
Fingerprint recognition should only be used in cases in which there is little danger
of serious deception. An example would be logging into a personal computer that
does not hold sensitive information.
d) What is the advantage of iris recognition?
It is the most precise form of biometric authentication, with very low FARs.
e) What are the disadvantages?
The main disadvantage of iris recognition is that the technology is very expensive.
f) Does iris scanning shoot light into your eye?
No.
21.
a) What is the advantage of face recognition?
The main advantage of face recognition is that it can be used surreptitiously (i.e.,
without the subject’s knowledge).
b) What does surreptitious mean?
Surreptitious means “without the subject’s knowledge.”
c) Where is hand geometry recognition used?
Hand geometry recognition is used mostly in door access control.
d) What are the disadvantages of voiceprint recognition?
One disadvantage of voiceprint recognition is that it is easily deceived by
recordings. Another is that high false rejection rates make voice recognition
frustrating to users.
e) What are the most widely used forms of biometric authentication?
Fingerprint, iris, face, and hand geometry are the most widely used types of
biometric authentication today.
f) What is the most widely used form of biometrics?
The most widely used form of biometrics is fingerprint recognition, primarily
because it is cheap.
Cryptographic Authentication
Key Points from Chapter 3
Public Key Infrastructures (PKIs)
22.
a) What is the strongest form of authentication?
Cryptographic authentication is the strongest form of authentication.
b) List the functions of a PKI.
Creating public key–private key pairs.
Distributing digital certificates.
Accepting digital certificates.
Learning a certificate’s revocation status.
Provisioning new users and changing data on existing users.
Having strong initial authentication.
c) Can a firm be its own certificate authority?
Yes.
d) What is the advantage of doing so?
The advantage of being its own CA is that the firm has control of trust in its
entire PKI.
e) Who creates a computer’s private key/public key pair?
Private/public key pairs are normally created on the client, versus the PKI server.
f) How do CAs distribute public keys?
In digital certificates
g) What is provisioning?
In the context of PKI, provisioning is the accepting of public keys and providing
new digital certificates to the users (a very expensive component of the PKI).
h) What is the prime authentication problem?
The prime authentication problem is that unless individuals are carefully vetted
before being allowed in a system, imposters can simply enroll through social
engineering.
i) What can be done to reduce this risk?
The only thing that can be done to reduce the risk of the prime authentication
problem is to have strong procedures for who may submit an account request,
who may approve it (always a different party than the applicant), what
identification is required, and how to handle exceptions. The procedure must be
carefully enforced and audited.
Authorization
The Principle of Least Permissions
23.
a) Why are authorizations needed after a person is authenticated?
Simply knowing the identity of the communicating partner is not enough. The
specific authorizations of the communicating party also need to be defined. Not
everyone who is authenticated may be allowed to do anything he or she wishes in
every directory.
b) What is another name for authorizations?
Permissions
c) What is the principle of least permissions?
The principle of least permissions is that each person should only get the
permissions that he or she absolutely needs to do his or her job. In practice, this is
very difficult to enforce, primarily because there are not enough security
personnel to keep track of transient permission requirements.
d) Why is it a good way to assign initial permissions?
Assigning as few permissions as necessary is a good way to assign permissions
initially because it reduces potential points of vulnerability, possible unauthorized
behaviors, and mitigates the damage an intruder may do.
e) What is bad about assigning all permissions and then taking away the permissions a
user does not need?
The bad thing about assigning all permissions and then taking away those that are
not needed is that it is easy for security to mistakenly NOT remove a permission
that is not required, thus allowing access beyond that which is authorized.
f) What does failing safely mean in a security system?
Failing safely in a security system means that a failure is not likely to lead to
security violations. The principle of least permissions ensures that users are not
given too many permissions if an error is made.
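The two assignment styles compared in (d) and (e), and the fail-safe behaviour in (f), as an added Python illustration that is not part of the textbook or its answer key. Role, resource and permission names are constructed for the example; a missing grant or an unknown role fails closed, and the "grant everything, then remove" policy is shown with one removal the administrator forgot.

```python
"""Default-deny role-based authorization (added example, not textbook code).

Two policy styles are compared:
  * least permissions: a role starts with nothing and grants are added;
    anything not granted fails closed (denied).
  * everything-then-remove: a role starts with every permission and the
    administrator must take away what is not needed; one forgotten removal
    silently leaves access in place.
All role, resource and action names are constructed for the example.
"""
from typing import Dict, FrozenSet, Iterable, Tuple

Permission = Tuple[str, str]   # (resource, action)

ALL_PERMISSIONS: FrozenSet[Permission] = frozenset({
    ("payroll", "read"), ("payroll", "write"),
    ("hr_records", "read"), ("hr_records", "write"),
    ("source_code", "read"), ("source_code", "write"),
})

# Least permissions: only explicit grants exist.
LEAST_PERMS: Dict[str, FrozenSet[Permission]] = {
    "developer": frozenset({("source_code", "read"), ("source_code", "write")}),
    "hr_clerk": frozenset({("hr_records", "read")}),
}

# Everything-then-remove: the administrator meant to leave developers with only
# source_code access but forgot to strip ("payroll", "read").
REMOVALS: Dict[str, FrozenSet[Permission]] = {
    "developer": frozenset({("payroll", "write"), ("hr_records", "read"), ("hr_records", "write")}),
}
ALL_THEN_REMOVE: Dict[str, FrozenSet[Permission]] = {
    role: ALL_PERMISSIONS - removed for role, removed in REMOVALS.items()
}

# What the developer job actually requires (the yardstick for an audit).
DEVELOPER_NEEDS: FrozenSet[Permission] = frozenset({("source_code", "read"), ("source_code", "write")})


def is_allowed(policy: Dict[str, FrozenSet[Permission]], role: str,
               resource: str, action: str) -> bool:
    """Fail safely: an unknown role or a missing grant is a denial, never an error path that allows."""
    grants = policy.get(role)
    if grants is None:
        return False
    return (resource, action) in grants


def excess_permissions(policy: Dict[str, FrozenSet[Permission]], role: str,
                       needed: Iterable[Permission]) -> FrozenSet[Permission]:
    """Audit helper: permissions a role holds beyond what its job requires."""
    return policy.get(role, frozenset()) - frozenset(needed)


if __name__ == "__main__":
    for name, policy in (("least permissions", LEAST_PERMS), ("all then remove", ALL_THEN_REMOVE)):
        print(name, "developer can read payroll:", is_allowed(policy, "developer", "payroll", "read"),
              "excess:", sorted(excess_permissions(policy, "developer", DEVELOPER_NEEDS)))
```

The audit function is the practical point: under least permissions the excess set is empty by construction, while the subtractive policy has to be checked role by role to find what was missed.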
Auditing
Logging
Log Reading
24.
a) What is auditing?
Auditing records and analyzes what the person or program actually did, rather
than what was theoretically authorized.
b) Why is it necessary?
Unless authentication and authorization activities are audited frequently, improper
behavior can go on for a very long time.
c) Why is log reading important?
Logging records the actions that an account owner takes on a resource. Unless
logs are studied/read, they are useless.
d) What are the three types of actions that should be taken on log files?
They should be read regularly by someone who knows what he or she is looking
at.
External auditing should be conducted periodically.
Automatic alerts should be established to provide security administrators with
real-time feedback.
e) Why are automatic alerts desirable?
Reading log files only tells you about the past. Ideally, logging systems should
have active log-reading functions that send the security administrator real-time
alerts for certain types of events.
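The automatic-alert idea in (d) and (e), as an added Python example that is not from the textbook: it reads sshd-style authentication log lines (constructed here for the example), keeps a per-source sliding window of failed logins, raises an alert when the window fills, and raises a second alert if a login then succeeds from the same source. The log format, the threshold of five failures and the 60-second window are assumptions.

```python
"""Automatic alerting over authentication log lines (added example).

The log lines are constructed for this example in an sshd/syslog-like style;
the format, the threshold (5 failures) and the window (60 seconds) are all
assumptions, not values from the textbook.
Two detections:
  * "brute_force": threshold or more failed logins from one source inside the window
  * "success_after_failures": a successful login from a source that tripped
    the first rule within the window (the case an analyst wants to see in real time)
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

SAMPLE_LOG = """\
2015-03-01T09:00:01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51001
2015-03-01T09:00:03 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51002
2015-03-01T09:00:04 sshd[2201]: Failed password for root from 203.0.113.7 port 51003
2015-03-01T09:00:06 sshd[2201]: Failed password for root from 203.0.113.7 port 51004
2015-03-01T09:00:07 sshd[2201]: Failed password for root from 203.0.113.7 port 51005
2015-03-01T09:00:09 sshd[2201]: Accepted password for root from 203.0.113.7 port 51006
2015-03-01T09:05:00 sshd[2202]: Accepted publickey for alice from 198.51.100.4 port 40001
2015-03-01T09:30:00 sshd[2203]: Failed password for alice from 198.51.100.4 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+$"
)

Event = Tuple[datetime, str, str, str]   # (timestamp, result, user, source)
Alert = Tuple[str, str, str]             # (alert type, source, ISO timestamp)


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def scan(log_text: str, threshold: int = 5,
         window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    """Return alerts in log order; each source trips the brute-force rule at most once."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    tripped: Dict[str, datetime] = {}
    alerts: List[Alert] = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue   # production code should count unparsed lines: silent drops hide attacks
        ts, result, _user, src = event
        recent = failures[src]
        if result == "Failed":
            recent.append(ts)
            while recent and ts - recent[0] > window:   # slide the window forward
                recent.popleft()
            if len(recent) >= threshold and src not in tripped:
                tripped[src] = ts
                alerts.append(("brute_force", src, ts.isoformat()))
        elif src in tripped and ts - tripped[src] <= window:
            alerts.append(("success_after_failures", src, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
```

Run over the sample, the first source trips the brute-force rule on its fifth failure and then produces the second alert when the root login succeeds; the second source never reaches the threshold. The same loop can be fed a live tail of the log, which is what turns log reading from after-the-fact review into a real-time alert.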
Central Authentication Servers
The Need for Centralized Authentication
25.
a) What are the three devices in central authentication using RADIUS servers?
The three devices in central authentication are the supplicant, authenticator, and
RADIUS central authentication server.
b) What is the role of the authenticator?
To send the supplicant’s credentials to the authentication server, and then to send
a message of authentication back to the supplicant from the authentication server
c) What is the role of the central authentication server?
To test the validity of credentials provided by the user
Kerberos
26.
a) In Kerberos, distinguish between the ticket granting ticket and the service ticket.
The ticket granting ticket is the supplicant’s proof that it has already authenticated
itself with the Kerberos server. The service ticket is an encrypted session key that
only the verifier can decrypt (due to sharing a key with the Kerberos server in a
separate communication).
b) What information does the service ticket give the verifier?
The service ticket gives the verifier the symmetric session key to use with the
supplicant. The session ticket may also contain permissions that the supplicant
should have on the verifier.
c) How does the supplicant get the symmetric session key?
The supplicant gets the symmetric session key from the Kerberos server when the
service ticket is sent to the verifier; the session key from the Kerberos server is
encrypted to be read only by the server and supplicant.
d) Is the verifier notified explicitly that the supplicant has been authenticated? Explain.
The verifier is not notified explicitly that the supplicant has been authenticated.
Authentication is implicit in that if the supplicant has the symmetric session key
to communicate with the verifier, it must have been authenticated with the
Kerberos server (which generated the session key and would only give it out to an
authenticated computer).
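The ticket flow described in (a) to (d), as an added Python simulation; it is not the textbook's code and not a real Kerberos implementation. The Kerberos server shares a long-term key with the supplicant and with the verifier; the ticket granting ticket is sealed under the server's own key, the service ticket under the verifier's key, and the session key reaches the supplicant under the supplicant's key. The toy cipher (a SHA-256 keystream with an HMAC tag) exists only so the example runs with the standard library; all principal names are constructed.

```python
"""Simplified Kerberos ticket flow, as an added illustration (not the textbook's
code and not a real Kerberos implementation).

Parties: the supplicant (client), the Kerberos server (AS and TGS combined),
and the verifier (the service). The Kerberos server shares a long-term key
with each of the others. The toy cipher (SHA-256 keystream plus an HMAC tag)
stands in for Kerberos' real encryption types only so that the example runs
with the standard library; do not reuse it elsewhere.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, Tuple


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, obj: Dict) -> bytes:
    """Encrypt-then-MAC a JSON-serialisable dict under key (toy cipher)."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> Dict:
    """Check the tag and decrypt; raise ValueError for a wrong key or a tampered blob."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ticket")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class KerberosServer:
    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}     # long-term key shared with each principal
        self.tgs_key = os.urandom(32)        # key under which the server seals its own TGTs

    def enroll(self, name: str) -> bytes:
        """Register a principal; returns the shared long-term key that principal keeps."""
        self.keys[name] = os.urandom(32)
        return self.keys[name]

    def authenticate(self, supplicant: str) -> bytes:
        """Initial authentication (credential check elided): issue a ticket granting ticket."""
        if supplicant not in self.keys:
            raise ValueError("unknown principal")
        return seal(self.tgs_key, {"principal": supplicant})

    def request_service(self, tgt: bytes, verifier: str) -> Tuple[bytes, bytes]:
        """Exchange a TGT for (session key sealed for the supplicant, service ticket sealed for the verifier)."""
        principal = unseal(self.tgs_key, tgt)["principal"]   # a valid TGT proves prior authentication
        session_key = os.urandom(32).hex()
        for_supplicant = seal(self.keys[principal], {"verifier": verifier, "session_key": session_key})
        service_ticket = seal(self.keys[verifier],
                              {"principal": principal, "session_key": session_key, "permissions": ["read"]})
        return for_supplicant, service_ticket


def run_flow() -> Tuple[bool, Dict]:
    """Walk one supplicant through TGT, service ticket and implicit authentication at the verifier."""
    kdc = KerberosServer()
    alice_key = kdc.enroll("alice")              # supplicant's long-term key
    fileserver_key = kdc.enroll("fileserver")    # verifier's long-term key
    tgt = kdc.authenticate("alice")
    for_alice, service_ticket = kdc.request_service(tgt, "fileserver")
    alice_view = unseal(alice_key, for_alice)               # supplicant learns the session key
    server_view = unseal(fileserver_key, service_ticket)    # only the verifier can open the service ticket
    # No explicit "alice is authenticated" message: the verifier trusts that only the Kerberos
    # server could have sealed this ticket, and only an authenticated supplicant holds the
    # matching session key.
    return alice_view["session_key"] == server_view["session_key"], server_view


if __name__ == "__main__":
    print(run_flow())
```

The supplicant cannot open the service ticket (it lacks the verifier's key), and a service ticket cannot be replayed as a TGT (it is not sealed under the server's TGS key); both cases raise in `unseal`, which is the toy analogue of the integrity checks real Kerberos encryption types perform.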
Directory Servers
What Are Directory Servers?
Hierarchical Data Organization
27.
a) How is information in directory servers organized?
The information in directory servers is organized as a directory server database
schema in a hierarchical collection of objects.
b) What are the top two levels of the organization?
Top level is the Organization. This is the name of the organization.
Below the top level are organization units (OU). There can be many OU’s.
c) Do directory servers only hold information about people?
They hold information about many other types of company resources, such as
computers.
Lightweight Directory Access Protocol (LDAP)
28.
What is LDAP’s purpose?
LDAP’s main purpose is to retrieve data from the directory server. However, it
can also be used to update information in the directory server.
Use by Authentication Servers
29.
a) How do central authentication servers often get their authentication information?
Central authentication servers often get their authentication information from
directory servers.
b) What is the advantage of this?
It permits the directory server to be the company’s main repository for
information.
Active Directory
30.
a) What is Microsoft’s directory server product?
Microsoft’s directory server product is Active Directory (AD).
b) What is the smallest organizational unit in active directory?
The domain
c) What two things does a domain controller contain?
The domain controller contains an active directory database and a Kerberos
authentication server program.
d) Can a domain have multiple domain controllers?
Yes.
e) What is the advantage of having multiple domain controllers?
The advantage is that having multiple domain controllers gives reliability in case
one crashes or is successfully attacked.
f) Into what larger structures are domains organized?
Trees
g) Into what larger structure can trees be organized?
Forests
h) Describe replication among domain controllers within a single AD domain.
Within a single AD domain, there is total replication between domain controllers.
i) Describe replication between a domain controller in one domain and the domain
controller in the parent domain.
There is partial replication of data to the next-higher-level database.
Trust
31.
a) Distinguish between mutual and one-way trust among AD domains.
In mutual trust, each directory server trusts the other.
In one-way trust, one directory server trusts the other, but there is no trust in the
opposite direction.
b) Distinguish between transitive and intransitive trust.
An example of transitive trust would be if A trusts B and B trusts C, then A trusts
C automatically. An example of intransitive trust would be if A trusts B and B
trusts C, but A does not trust C automatically.
c) What principle should companies follow in making trust assignments?
Give only as much trust as necessary.
Toward Full Identity Management
Other Directory Servers and Metadirectories
32.
a) Why are metadirectory servers needed?
To coordinate information across different types of directory servers
b) What do metadirectory servers do?
The metadirectory server allows the directory servers to exchange information
and to synchronize services in a variety of ways.
Federated Identity Management
33.
a) In federated identity management, do firms query one another’s identity management
databases?
In federated identity management, firms do not query one another’s identity
management databases. Instead, they send assertion statements that may include
authenticity, authorization, and attribute information.
b) What do they do instead?
They send assertions to each other.
c) What risk does this method avoid for the firm sending the security assertion?
This method avoids the risk of potential attacks from the other company because
the other company never gets direct access to corporate resources.
d) How are risks to Firm B reduced?
The firms first carefully negotiate a contract. The contract specifies penalties if
Firm A sends false assertions.
e) What is a security assertion?
An assertion is a statement from Firm A to Firm B that Firm B should accept as
true if Firm B trusts Firm A.
f) What three things may it contain?
Authenticity information, such as an employee is actually the employee by that
name and has been authenticated by Firm A.
Authorization information, stating that the employee is allowed to access Firm
B’s services
Attributes that describe features of the employee (such as spending limit, etc.).
g) What is the main standard for one firm to send security assertion to another firm?
The main standard for sending security assertions today is the Security Assertion
Markup Language (SAML).
h) What is the major benefit of using XML?
The major benefit of using XML in SAML is that it is platform-independent. This
means that it does not matter what programming language either firm uses as long
as they implement XML successfully.
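What Firm B actually does with an assertion from Firm A, as an added Python example that is not from the textbook: it parses a SAML 2.0 assertion (constructed here for the example) and checks the three things the chapter names, that the issuer is a trusted partner, that the subject was authenticated, and what attributes are asserted, together with the validity window and the intended audience. The issuer and audience URLs and the attribute names are assumptions. One caveat a practitioner needs: a real relying party must verify the XML signature over the assertion before trusting any of it; that needs a signature library and is out of scope here, so the example assumes the document arrived over a channel that already authenticated Firm A.

```python
"""Receiving-side checks on a SAML 2.0 assertion (added example, not textbook code).

The assertion below is constructed for this example. The issuer and audience
URLs and the attribute names are assumptions. The XML signature that a real
relying party must verify first is deliberately not modelled here.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2015-03-01T12:00:00Z">
  <saml:Issuer>https://idp.firm-a.example</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe@firm-a.example</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2015-03-01T11:59:00Z" NotOnOrAfter="2015-03-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.firm-b.example</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2015-03-01T11:59:30Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>purchasing_agent</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="spending_limit"><saml:AttributeValue>5000</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

TRUSTED_ISSUERS = {"https://idp.firm-a.example"}     # Firm A, per the contract
OUR_AUDIENCE = "https://sp.firm-b.example"           # Firm B's own service identifier


def parse_ts(value: str) -> datetime:
    """SAML timestamps are UTC; make the result timezone-aware so comparisons are unambiguous."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_assertion(xml_text: str, now: datetime) -> Dict[str, object]:
    """Return subject and attributes if the assertion is acceptable; raise ValueError otherwise."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:                       # authenticity: who is asserting this?
        raise ValueError(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if OUR_AUDIENCE not in audiences:                       # an assertion meant for someone else
        raise ValueError("assertion not addressed to this service")
    if root.find("saml:AuthnStatement", NS) is None:        # Firm A says it authenticated the subject
        raise ValueError("no authentication statement")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attributes = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                  for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"subject": subject, "attributes": attributes}


if __name__ == "__main__":
    print(evaluate_assertion(ASSERTION_XML, parse_ts("2015-03-01T12:01:00Z")))
```

Every check here is a reason to reject rather than to look anything up in Firm A's directory, which is the point of (a) and (c): Firm B acts on the statement, and the contract, not on access to Firm A's systems.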
Identity Management
34.
a) What is identity management?
Identity management is the centralized policy-based management of all
information required for access to corporate systems by people, machines,
programs, or other resources.
b) What are the benefits of identity management?
Reduced costs by reducing the work needed to manage user access, including
provisioning, password resets, and so forth
Enforcing consistency by permitting a single change on an identity management
server to affect employee access permission on all servers in an organization
Centralized auditing of all an employee’s access permissions across a firm
Possible use of single sign-on, or at least reduced sign on
c) What is SSO?
Single sign-on allows a user to authenticate him or herself to the identity
management server once. From that point on, whenever the user asks for access to
a specific server, no additional logins are required.
d) Why is full SSO generally impossible?
In practice it is not technically feasible: not every system a user needs can accept
credentials from the identity management server, so some logins remain separate.
e) What is reduced sign-on?
It is single sign-on to some resources but not to all of them, as full SSO would be.
f) What is an identity?
An identity is the set of attributes about a person or resource that must be revealed
in a particular context.
g) Why is providing minimum identity data an important principle?
You will not accidentally reveal information about yourself that you do not have
to reveal and that may be used against you.
35.
a) In identity management, what are provisioning, reprovisioning, and deprovisioning?
Provisioning entails granting authorizations and authentications carefully and then
changing them whenever roles or other conditions change. Reprovisioning occurs
when there are changes. Deprovisioning occurs when the authorizations and
authentications are no longer appropriate (e.g., when an employee leaves the
company, etc.).
b) Why is decentralized management desirable?
Decentralized management is desirable because identities should be managed by
people closest to the situation.
c) Why are self-service functions desirable?
To reduce costs of the identity management staff
d) What changes should be made through self-service functions?
Only non-sensitive information changes should be made through self-service
functions.
Trust and Risk
36.
a) In what sense is identity management really just another form of risk management?
Identity management allows risk reduction by reducing risk from individuals
accessing computer resources to acceptable levels. Risk reduction is the primary
risk management technique.
b) How can identity management reduce risk?
Identity management can reduce risk by limiting the amount of potential damage
an employee can do based on computer resource privileges, as well as allows
detection of malicious activities in real-time (via auditing).
c) How much should companies spend on identity management?
A company must balance these risk reductions with the amount of money that
identity management will cost to implement over their entire life cycle.
Conclusion
Synopsis
Thought Questions
1.
Reusable passwords offer poor security. What do you think is holding back their
replacement with other approaches?
Reusable passwords are still being used primarily because they are free.
2.
Create two good password reset questions. For each, explain why you think it is a good
question.
“Who is your favorite author?” This is a good question because it would be
difficult for an imposter to know this and the number of possible choices among
authors is significant. Of course, this implies that you have a favorite author. One
caution is that the person must spell the author’s name the same way he or she did
when first given the clue, including spacing and capitalization.
“What is your favorite movie?” This is a good question for the same reasons as
above. It also has the same caution.
“What is your favorite beverage?” This seems like a good question because it’s
easy to remember, there are many variations, and it can be as detailed or general
as an individual wants it to be.
Overall, the questions should be legal, easy to remember, but difficult enough so
that an impostor can’t make a good guess.
3.
Someone says that they wish to protect their desktop PC from a walk-up attacker with a
password or passwords. Give them advice and reasons for your advice. This is not very
short answer.
There are several actions you can take to protect a PC from a walk-up attack.
First, your computer should be sited such that it limits the ability of a walk-up
attacker to gain access to your PC or view information on the screen. Second, the
use of passwords is much better than having no protection, but if not implemented
properly, can offer little to no protection. Specific recommendations regarding the
use of passwords include:
Make sure you use a strong password that is very difficult to crack. This means at
least 8 characters long and including upper and lower case letters, numbers, and
special characters. Ideally, this password should be randomly generated. Do not
use passwords that are dictionary words, even with the character requirements
stated above, because hybrid dictionary attacks will quickly crack such a
password.
Do not share your password with anyone. If you are afraid of locking yourself out,
write your password, seal it in an envelope, and store it in a safe place, such as a
locked filing cabinet.
Do not write your password down and keep it somewhere near the computer for
convenience. This is a very common error that attackers know about and exploit
frequently.
Make sure you use screensavers with password protection enabled.
Change your passwords at least every 90 days, and do not use the same password
on multiple systems or sites. The longer or more often you use a password, the
greater the chance it will be compromised.
If you can afford it, look into getting a biometric fingerprint scanner to use instead
of using passwords. You can’t forget your fingerprint. Fingerprint scanners are
not perfect, but they generally provide better protection than passwords, at a low
cost, and have the added benefit of not having to remember another password.
4.
a) Give two situations in which the risk of deception is high.
One situation would be when someone is trying to hide his or her face from
cameras used for face identification. Another example would be to impersonate
someone by using a gelatin finger on a fingerprint scanner.
b) Give two situations in which the risk of deception is low.
Use of fingerprint scanners on a personal PDA
Access to a corporate storeroom with little property of use to a hacker.
5.
Your friend wants to secure his or her desktop PC with fingerprint scanning or password
access protection. Give your friend the information that he or she should know to make
the decision. Consider alternatives. This is not very short answer.
Fingerprint scanning is recommended because it is generally reliable and better than
passwords in most cases. Passwords are the most common mechanism to secure a
PC, but it is hard to implement strong security using passwords.
6.
What do FRRs mean when fingerprint scanning is used to secure a PC against walk-up
attacks? What might produce high FRRs? Can you think of a way that this problem could
be reduced in fingerprint scanning?
FRRs when fingerprint scanning is used to secure a PC against a walk-up attack
means that the legitimate user won’t be able to access his or her PC.
High FRRs in this case can be caused by a faulty or dirty scanner input device,
dirty hands, a cut or other blemish that obscures the fingerprint, and improper use
(e.g., poor finger placement on the reader).
High FRRs can be reduced by following some standard guidelines of use that
include consistent finger placement on the scanner, ensuring that both the finger
and reader are clean, and registering more than one finger in the system in case
one gets mangled.
7.
Some airports are installing face recognition systems to identify terrorists and criminals.
About one in a million people passing through the airport is a terrorist. Suppose the FAR
is about 1 percent. The FRR is about 30 percent. Is this system likely to be workable?
Explain using a spreadsheet analysis with reasonable assumptions. Cut and paste the
spreadsheet analysis into your homework file instead of handing it in separately. Give a
short paragraph supporting your conclusion.
Terminal visitors                                        10,000,000
Terrorists (1 in a million)                                      10
FRR                                                             30%
Terrorists identified (10 x 70%)                                  7
Legitimate passengers                                     9,999,990
FAR                                                              1%
Passengers incorrectly identified (9,999,990 x 1%)         99,999.9
Fraction of identified people who are terrorists           1/14,286
For every terrorist correctly identified, over 14,000 passengers would be
incorrectly identified for screening. It is doubtful that screeners could maintain
vigilance with this ratio of false positives to true positives.
8.
Centralizing authentication and authorization reduces cost, improves consistency, and
permits rapid provisioning and changes. List the technologies on the way toward greater
centralization, beginning with stand-alone authenticators through corporate metadirectory
servers.
Stand-alone authenticators: The least centralized, and requires individual changes
on each and every authenticator to ensure consistency.
Central authentication servers
Directory Servers: Central repositories for information about people, software,
equipment, and databases. Used to update multiple RADIUS, Kerberos, and other
authentication servers in large networks.
Metadirectory server: Synchronizes authentication across disparate directory
servers (e.g., Active Directory, Sun ONE, etc.).
9.
Suppose that the probability of a false acceptance is 0.0001 per match attempt. Suppose
that there are 1,000 templates in the database. What is the probability of a false
acceptance in the case of verification? What is the probability of a false acceptance in the
case of identification? What is the probability of a false acceptance if there is a watch list
of 50 people who should be given access to a system?
The probability of a false acceptance in verification is 0.0001 = 0.01%, because the
presented sample is compared against only one template (the one belonging to the
claimed identity).
The probability of a false acceptance in identification is about 1,000 x 0.0001 = 0.1 =
10%, because the sample is compared against every template in the database. (This
multiplies the per-attempt probability; the exact figure for 1,000 independent
comparisons is 1 - (1 - 0.0001)^1000, about 9.5%, so the linear estimate slightly
overstates the risk and does so more as the product approaches 1.)
The probability of a false acceptance against the 50-person watch list is about 50 x
0.0001 = 0.005 = 0.5%.
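The arithmetic behind the airport spreadsheet in question 7 and the FAR calculations in question 9, as one added Python example that is not from the textbook. The first function reproduces the base-rate analysis (how many false alarms each true hit costs); the other two give the linear estimate used in the answer key and the exact probability of at least one false match across N template comparisons. All inputs are the figures from the two questions.

```python
"""Biometric error-rate arithmetic (added example, not from the textbook).

Two calculations that the questions above work by hand:
  1. the airport base-rate analysis (10,000,000 visitors, one terrorist per
     million, FAR 1%, FRR 30%), i.e. how many false alarms each true hit costs;
  2. false-acceptance probability when a sample is matched against N templates:
     verification (N = 1), identification (all templates) and a watch list,
     using both the linear estimate N * p from the answer key and the exact
     value 1 - (1 - p)^N for independent comparisons.
"""
from typing import Dict


def screening_outcomes(visitors: int, target_rate: float,
                       far: float, frr: float) -> Dict[str, float]:
    """Expected counts for one population passing a recognition system."""
    targets = visitors * target_rate
    legitimate = visitors - targets
    true_hits = targets * (1 - frr)          # targets the system flags
    false_hits = legitimate * far            # innocents the system flags
    return {
        "targets": targets,
        "targets_identified": true_hits,
        "targets_missed": targets * frr,
        "legitimate_flagged": false_hits,
        "false_alarms_per_true_hit": false_hits / true_hits,
        "precision": true_hits / (true_hits + false_hits),  # share of flagged people who are targets
    }


def far_linear(p: float, n: int) -> float:
    """Answer-key estimate: about n * p for n template comparisons."""
    return n * p


def far_exact(p: float, n: int) -> float:
    """Probability of at least one false match among n independent comparisons."""
    return 1 - (1 - p) ** n


if __name__ == "__main__":
    r = screening_outcomes(10_000_000, 1e-6, far=0.01, frr=0.30)
    print(f"true hits {r['targets_identified']:.0f}, false alarms {r['legitimate_flagged']:,.1f}, "
          f"false alarms per true hit {r['false_alarms_per_true_hit']:,.0f}")
    for label, n in (("verification", 1), ("identification", 1000), ("watch list", 50)):
        print(f"{label:14s} linear {far_linear(0.0001, n):.4%}  exact {far_exact(0.0001, n):.4%}")
```

The precision figure is the one to watch when sizing a screening operation: with these error rates fewer than one in 14,000 flagged people is a real target, so the cost of the system is dominated by handling false alarms, not by the FAR itself.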
10.
List at least six identities for yourself that require different authentication and
authorizations.
Student answers will vary. Here are some examples from graduate students:
“Access to the Graduate Lab computers at Shidler. Had to authenticate myself not
only as a student taking classes at UH, but also enrolled in a business/ITM class.
For permissions, I was given access to the graduate lab (but not the faculty
lounge).”
“UH Wireless user. Authentication is via the use of my UH id and password.
Authorizations are set by the ITS department and include access to some of my
student records and the Internet.”
“CIS PhD student. Authentication is via personal verification by the Dept Chair.
Authorizations include access to the CIS Student and CIS Program LISTSERV
accounts and the Students section of the CIS home page.”
“Online Bank. Authentication is via a combination of a unique access number,
part of my SSN, and a unique password. Authorization includes complete user
access to my account for viewing, transfers, etc.”
“Home network administrator. Authentication after initial setup is knowing the IP
address of the router (publicly available depending on model) and the
Administrator password, which I changed upon initial install. Authorizations are
full configuration control of the router/access point.”
“Access to military bases. Authentication is based upon having a valid military ID
and, in some bases on Oahu, a valid military decal on my car. Authorizations are
access to only public areas of the base unless I have separate authorization for
controlled areas (such as the shipyard, which I don’t).”
11.
Your company installs a face recognition system for door access. a) Its FRR is much
worse than the vendor’s claims. What might be causing this?
An FRR worse than vendor claims is not that unusual. Vendor claims are likely
exaggerated, as they are based on ideal recognition conditions (e.g., perfect
lighting, an unobscured view of the face, cooperative subjects standing still at
the right distance, etc.). In reality, the company’s implementation of a face
recognition system operates under conditions far from ideal, thus the higher than
expected FRR.
b) The system’s FRR increases over time. What might be causing this?
People’s faces change over time (aging, weight change, glasses, facial hair) while
their enrolled templates do not, so more legitimate users fall below the match
threshold. Cameras and lighting also drift from the conditions under which users
were enrolled. Note that a growing number of templates raises the false acceptance
rate in identification mode, not the FRR; but if administrators tighten the matching
threshold to hold false acceptances down as the database grows, the FRR rises as a
side effect.
Hands-on Projects
NOTE: Screenshots for individual students will vary.
PROJECT 1
One of the most well-known password auditing programs is John the Ripper® (JtR), written by
Solar Designer (Alexander Peslyak). You can read all about it and get a free copy from
http://www.openwall.com/john/. It has been used for many years and has proven to be both
robust and easy to use.
In this project, you are going to run JtR in a command prompt (DOS). You are going to
perform both a dictionary attack and a brute-force attack on a sample password file that you will
download from www.pearsonhighered.com/boyle/.
1. Make a folder labeled “security” on your C: drive (C:\security\).
2. Download JtR from http://www.openwall.com/john/.
3. Scroll down and click on the link labeled John the Ripper 1.7.9 (Windows). Download the
latest version available.
4. Click Save.
5. Select your C:\security folder. (If you haven't already created this folder, you will need to do
so now.)
6. If the program doesn’t automatically open, browse to C:\security.
7. Right-click john179w2.zip. (If a later version was available, this file may have a slightly
different name.)
8. Select Extract All, and Extract.
9. Download the sample password database labeled "hackme.txt" from
www.pearsonhighered.com/boyle/. (The files may be listed under Student Project Files, Chapter
5.)
10. Extract all of the student project files (including hackme.txt) into your C:\security folder.
11. Copy the "hackme.txt" file from the student project folder to
C:\security\john179w2\john179\run. (It is important that the hackme.txt file be in the "run"
directory with the JtR executable.)
12. Click Start.
13. In the search box, type cmd
14. Press Enter. (This will open a command prompt.)
15. Type cd ..
16. Press Enter. (This will move up one directory.)
17. Type cd ..
18. Press Enter. (This will move up one directory. You should now be at the C:\)
19. Type cd security
20. Press Enter. (This will move you into the C:\security directory.)
21. Type cd john179w2
22. Press Enter. (This will move you into the C:\security\john179w2 directory.)
23. Type cd john179
24. Press Enter. (This will move you into the C:\security\john179w2\john179 directory.)
25. Type cd run
26. Press Enter. (This will move you into the C:\security\john179w2\john179\run directory.)
27. Type dir
28. Press Enter. (This will give you a listing of the files in the "run" directory. You can confirm
that both john.exe and hackme.txt are in this directory.
Note: You need to make sure you have a copy of the hackme.txt file in the run directory. You
need to give john.exe something to crack. After the passwords are cracked they will be stored in
a file called john.pot in the C:\security\john179w2\john179\run directory.
29. Type john.exe -wordlist=password.lst hackme.txt
30. Press Enter. (This will start a dictionary attack using a built-in dictionary (password.lst) that
came with JtR. The extension on password.lst file is ".lst" where the “l” is an L as in lemon.)
31. Type time
32. Press Enter twice. (This will provide a timestamp.)
33. Take a screenshot.
34. Type john.exe hackme.txt
35. Press Enter. (This will start a brute force attack. JtR will start trying all possible
combinations until it cracks all of the passwords. The passwords you see were cracked in
addition to the ones found during the dictionary attack.)
36. Stop the brute force attack by pressing Ctrl-C. (You can let it run for a couple of minutes.)
37. Take a screenshot.
38. Type notepad john.pot
39. Press Enter twice. (This will open the john.pot file where the cracked passwords are stored.)
40. Take a screenshot showing hashes and passwords you have cracked.
PROJECT 2
Let’s evaluate the strength of one of your current passwords. Just because an attacker steals your
password database does not mean he automatically knows your password. He still has to crack it.
Creating a strong password can make it impractical for an attacker to crack your password.
George Shaffer has written several online tools that help users learn more about strong
passwords. These tools can help you understand the differences between strong and weak
passwords.
1. Go to http://geodsoft.com/cgi-bin/pwcheck.pl.
2. Enter one of the passwords you use on a regular basis with a minor change.
3. Click Submit.
4. Take a screenshot.
5. Take note of the problems with your password (e.g., a number sequence and a dictionary
word).
6. Try entering a password you might actually use and you think is strong.
7. Take a screenshot of the results.
Note: Weak passwords are typically easier to remember. However, it is possible to create a
strong password that is fairly easy to remember.
8. Go to http://geodsoft.com/cgi-bin/password.pl.
9. Click Submit several times and watch the passwords at the top of the page change. These are
samples of good passwords that might be easy to remember.
10. Take a screenshot.
Hands-on Project Questions
1.
How does the cracking program actually “crack” the password?
It does not decrypt anything. The password file holds hashes, and the cracker
hashes each candidate from the wordlist (or each brute-force guess) with the same
hash algorithm and compares the result with the stored hash. If they match, the
password is known.
2.
If you used a larger wordlist, would it crack the passwords faster?
Not faster: each guess costs the same, and a larger wordlist takes longer to run
through. What a larger wordlist does is raise the proportion of passwords the
dictionary phase recovers (in general).
3.
Can you use foreign language wordlists?
Yes; JtR accepts any wordlist you give it, and foreign-language lists are widely
available. People mistakenly believe that using a foreign word protects them from
password crackers. This is errant thinking: the cracker simply hashes whatever
strings are in the list, whatever language they come from.
4.
Do you think one of the passwords in the example would be easy for you to remember?
Student responses will vary.
5.
Why are these good passwords?
They use a variety of changes that make them difficult to guess. They use special
characters, changes of case, numbers not at the end of the password, etc.
6.
Why do special characters (e.g., @#$%^&*) make passwords difficult to crack?
They enlarge the character set the cracker has to try. The larger the character set
in use, the more possible combinations a brute-force cracker has to compute for a
given password length, so adding special characters greatly increases the strength
of the password.
7.
Why does a change of case help make a stronger password?
Mixing case doubles the alphabet available in each letter position: a lowercase
“a” and an uppercase “A” are two different characters, so 26 letters become 52.
Since the number of possible passwords is the alphabet size raised to the password
length, doubling the alphabet multiplies the number of combinations for an
all-letter 8-character password by 2^8 = 256, not by 2.
8.
How did you choose the password you currently have?
It’s likely that you chose a password that is familiar to you and easy to remember.
Hackers know this.
9.
Could others follow the same logic and choose a similar password?
Yes, most people choose passwords that are familiar to them. Many people
choose a word and then add a number to the beginning or end of the password.
10.
Do you use the same password for multiple accounts? Why would this be a security risk?
Most people use the same password for multiple accounts. They just don’t want to
have to remember a dozen or more strong passwords. It’s a good idea to have
several different passwords to prevent all of your accounts from being
compromised from the loss of a single password.
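Questions 1, 6 and 7 above in code: an added Python example that is not John the Ripper and not from the textbook. It shows what a cracker does (hash each candidate with the same algorithm and compare; nothing is decrypted), a hybrid dictionary phase of the kind that defeats "dictionary word plus a digit", and the keyspace arithmetic behind character-set size and mixed case. The password file, the wordlist and the use of unsalted SHA-1 are constructed for the example.

```python
"""How a password cracker "cracks" (added example; not John the Ripper's code).

The hashes below are constructed for the example by hashing known passwords
with unsalted SHA-1, which stands in for whatever hash type hackme.txt uses.
The cracker never decrypts anything: it hashes each candidate with the same
algorithm and compares digests. Three things are shown:
  1. a plain dictionary phase,
  2. a hybrid phase (case variants plus appended digits),
  3. the keyspace count that explains why character set size and case matter.
"""
import hashlib
import itertools
import string
from typing import Dict, Iterable, Iterator


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed "password file": username -> unsalted SHA-1 of the password.
PASSWORD_FILE: Dict[str, str] = {
    "alice": sha1_hex("sunshine"),
    "bob":   sha1_hex("Sunshine1"),
    "carol": sha1_hex("x7#Qp!2v"),   # random; no wordlist derivation will find it
}
WORDLIST = ["123456", "password", "letmein", "sunshine", "dragon"]


def hybrid_candidates(words: Iterable[str], max_digits: int = 2) -> Iterator[str]:
    """Hybrid dictionary attack: each word, its case variants, and 1..max_digits appended digits."""
    for word in words:
        for variant in {word, word.capitalize(), word.upper()}:
            yield variant
            for n in range(1, max_digits + 1):
                for digits in itertools.product(string.digits, repeat=n):
                    yield variant + "".join(digits)


def crack(password_file: Dict[str, str], candidates: Iterable[str]) -> Dict[str, str]:
    """Return {username: plaintext} for every stored hash matched by a candidate."""
    users_by_hash: Dict[str, list] = {}
    for user, digest in password_file.items():
        users_by_hash.setdefault(digest, []).append(user)   # unsalted: equal passwords share a hash
    found: Dict[str, str] = {}
    for candidate in candidates:
        digest = sha1_hex(candidate)                        # same algorithm as the stored hashes
        for user in users_by_hash.get(digest, []):
            found.setdefault(user, candidate)
    return found


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters drawn from an alphabet of that size."""
    return alphabet_size ** length


if __name__ == "__main__":
    print("dictionary:", crack(PASSWORD_FILE, WORDLIST))
    print("hybrid:    ", crack(PASSWORD_FILE, hybrid_candidates(WORDLIST)))
    for name, size in (("lowercase", 26), ("mixed case", 52), ("alphanumeric", 62), ("printable", 95)):
        print(f"{name:13s} 8 chars: {keyspace(size, 8):,}")
```

The dictionary phase recovers only the bare word; the hybrid phase also recovers the capitalised word with a digit appended, which is exactly the pattern question 9 says most people use. The random password is untouched by either, and would only fall to an exhaustive search over the 95^8 printable keyspace. Note also that because the hashes are unsalted, two users with the same password are cracked for the price of one; salting is what removes that shortcut.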
Case Discussion Questions
1.
How can cross-pollination of user credentials be harmful to users and businesses?
Cross-pollination (reuse) of user credentials across multiple sites can be harmful to
users and businesses because it allows an attacker to access multiple systems after
stealing the credentials from a single system. In essence, the company with the
weakest security causes failures at companies with stronger security: credentials
stolen from the weak site work at the strong one, so the strong site’s own controls
no longer protect those accounts.
2.
How can businesses mitigate the negative effects of cross-pollination between
organizations?
Businesses can mitigate the negative effects of cross-pollination between
organizations by encouraging users not to reuse their credentials from other sites.
They can enforce a stronger password policy than used at other sites. They can
make sure all user passwords are stored only as salted hashes (never in plaintext or
reversibly encrypted), so a breach of their own database does not hand out
credentials that work elsewhere.
3.
How do weak security policies and practices affect businesses?
This is a very broad question that can be answered in many different ways. In this
5–28
Copyright © 2015 Pearson Education, Inc.
Chapter 5: Access Control
Corporate Computer Security, 4th Edition
Randall J. Boyle and Raymond R. Panko
4.
5.
6.
7.
8.
9.
10.
case, weak security policies and practices affect businesses by allowing attackers
to steal customer credentials. This, in turn, leads to direct reputational and
monetary losses.
How might the weak security practices in one organization harm other organizations?
Weak security practices in one organization can hurt another organization if both
organizations share a common connection (e.g., user base, integrated systems,
etc.). For example, suppose user credentials are stolen from a company that did
not encrypt users’ passwords. These unencrypted passwords could then be used to
gain access to user accounts at a completely different company.
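The answers above turn on whether a company stores passwords in a form that a thief can reuse. The following is an added example, not code from the instructor's manual or the textbook, of what protecting stored passwords means in practice: each password is hashed with a per-user random salt using PBKDF2-HMAC-SHA256 (Python's standard library `hashlib.pbkdf2_hmac`), so a copied credential table does not contain the passwords themselves, two users with the same password get different records, and an old record can be detected and rehashed when the cost factor is raised. The function names, the record format, and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Cost factor for PBKDF2; raise it over time as hardware gets faster
# (assumed value for this example, not a figure from the textbook).
ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record of the form algorithm$iterations$salt_hex$hash_hex.

    The salt is random and unique per user, so identical passwords at the same
    site produce different records and cannot be matched against each other.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations and compare.

    hmac.compare_digest is used so the comparison time does not depend on
    how many leading bytes match.
    """
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never accept it
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker cost factor than currently required.

    Call this after a successful login and rehash the password then, since the
    plaintext is only available at that moment.
    """
    algorithm, stored_iterations, _salt, _hash = record.split("$")
    return algorithm != ALGORITHM or int(stored_iterations) < iterations


def login(password: str, record: str) -> Optional[str]:
    """Verify a login; return an upgraded record if one is needed, else the original.

    Returns None when the password is wrong. Constructed helper for the example.
    """
    if not verify_password(password, record):
        return None
    return hash_password(password) if needs_rehash(record) else record


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    stored = {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("correct horse battery staple"),
    }
    # Same password, different records: a leaked table does not reveal that
    # alice and bob share a password, and contains neither password.
    print(stored["alice"] != stored["bob"])          # True
    print(verify_password("correct horse battery staple", stored["alice"]))  # True
    print(verify_password("wrong password", stored["bob"]))                  # False
```

A site that stores these records instead of plaintext still has to worry about password reuse, since a password leaked in plaintext from a weaker site will verify correctly here; the point of the example is that this site's own breach does not hand the password to the next one.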
5.
How would two-factor authentication improve the security of user accounts?
Two-factor authentication can improve security by removing a single point of
failure (i.e., a password). In this case, Apple sends users a passcode via SMS to be
used in conjunction with their password. Even if attackers were able to steal a
user’s password, they couldn’t manipulate the account without the passcode.
6.
What are some new risks facing “hyper-extended” organizations?
Hyper-extended organizations face unique risks because it is harder to secure
them from attacks. Hyper-extended organizations do not have a “perimeter” to
defend. They also have a multitude of devices and applications. It becomes even
more difficult to protect sensitive corporate data in hyper-extended organizations.
7.
How could an organization become more secure by reining in their protection
environment?
Organizations can become more secure if they curtail the use of security resources
to protect extraneous information assets, stored data, and devices.
8.
What are the benefits of competitive centrally provided security services?
By delivering at least some components of information security as a set of
centralized services, a company can achieve not only increased efficiencies, but
also better risk management.
9.
How could a business proactively embrace new technology in a secure manner?
Develop a roadmap and set realistic expectations for the business. Understand the
risks and devise a plan to mitigate the risks. Also, keep an eye on emerging
technologies that are being implemented for other reasons, but may actually help
decrease security risks.
10.
Why should businesses shift their focus from protecting their containers to protecting
their data?
More and more, enterprise data is processed and stored in containers not
controlled by the enterprise. For instance, the data may be processed by service
provider facilities, held in a PDA used by an individual employee, or in a laptop
used by a contractor with multiple enterprise clients. Therefore, security needs to
shift the focus from protecting the container to protecting the data.
Perspective Questions
1.
What information in this chapter was the most surprising for you?
Student answers will differ.
2.
What material in this chapter was the most difficult for you?
Student answers will differ.