4.5 (2) IDENTIFICATION AND AUTHENTICATION
If users are not properly identified and authenticated, particularly in today’s open-system–networked environments, organizations have a higher exposure to risk of unauthorized access.
See figure 5.9
Common vulnerabilities that may be exploited to gain unauthorized system access include:
• Weak authentication methods (e.g., no enforcement of password minimum length, complexity and change frequency)
• Use of simple or easily guessed passwords
• The potential for users to bypass the authentication mechanism
• The lack of confidentiality and integrity for the stored authentication information
• The lack of encryption for authentication and protection of information transmitted over a network
• The user’s lack of knowledge on the risk associated with sharing authentication elements (e.g., passwords and security tokens)
I&A are separate systems. They differ in respect to:
• Meaning
• Methods, peripherals and techniques supporting them
• Requirements in terms of secrecy and management
• Attributes—authentication does not have attributes in itself, while an identity may have a defined validity in time and other information attached to it.
Components
LOGON IDS AND PASSWORDS
Authentication with logon IDs and passwords is based on something you know.
The computer can maintain an internal list of valid logon IDs and a corresponding set of access rules for each logon ID.
Access rules are related to the computer resources.
Access rules are usually specified at the OS level (controlling access to files) or within individual application systems (controlling access to menu functions and types of data or transactions).
Features of passwords
• Passwords should be easy for the user to remember but difficult for an intruder to determine.
• Passwords may be allocated by the security administrator or generated by the system itself.
• Initial password assignments should be randomly generated.
• The ID and password should be communicated in a controlled manner to ensure that only the appropriate user receives this information.
• New accounts without an initial password assignment should be suspended.
• If the wrong password is entered a predefined number of times, the logon ID should be automatically locked out.
• The security administrator is the only person with sufficient privileges to reset the password and/or unlock the logon ID.
• Passwords should be hashed (a type of one-way encryption) and stored using a sufficiently strong algorithm.
• Unlike logon IDs, passwords should not be displayed in any form.
• Passwords should not be kept on index or card files or written on pieces of paper taped somewhere near the computer or inside a person’s desk.
• Passwords should be changed on a regular basis (e.g., every 30 days). The frequency depends on many factors, including the criticality of the information access level, the nature of the organization, and the IS architecture and technologies used. The best method is to force the change by notifying the user prior to the password expiration date.
• Password management is stronger if a history of previously used passwords is maintained by the system and their reuse prohibited for a period, such as no reuse of the last 12 passwords.
• The password for a logon ID should only be known by the individual user.
• Special treatment should be applied to supervisor or administrator accounts. For accountability, the administrator password should be known only by one individual. On the other hand, the organization should be able to access the system in an emergency situation when the administrator is not available. To enable this, practices such as keeping the administrator password in a sealed envelope, kept in a locked cabinet and available only to top managers, should be implemented. This is sometimes referred to as a firecall ID.
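A worked model of the password controls listed above (randomly generated initial password, hashed storage, lockout after a predefined number of failed attempts, a history that blocks reuse of the last 12 passwords, a 30-day change interval with advance notice, and reset by the security administrator only), as an added example that is not part of the original notes. The 30-day interval and 12-password history are the values given above; the remaining policy numbers are assumptions for this example (minimum length 12, three character classes, five failed attempts, a five-day warning window), and PBKDF2-HMAC-SHA256 with a per-password salt stands in for "a sufficiently strong algorithm". The logon ID and the passwords in `demo()` are constructed.

```python
import hashlib
import hmac
import os
import secrets
import string
from datetime import datetime, timedelta, timezone

# 30-day change interval and 12-password history are from the notes; other values are assumed.
MIN_LENGTH, MIN_CLASSES, MAX_FAILED_ATTEMPTS, HISTORY_DEPTH = 12, 3, 5, 12
MAX_AGE, EXPIRY_WARNING, PBKDF2_ROUNDS = timedelta(days=30), timedelta(days=5), 100_000

def _hash(password, salt):
    """One-way, salted, deliberately slow hash; only this digest is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def meets_policy(password):
    """Minimum length plus complexity (a mix of character classes)."""
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password))
    return len(password) >= MIN_LENGTH and sum(classes) >= MIN_CLASSES

def generate_initial_password(length=16):
    """Randomly generated initial password for a new account (never a fixed default)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate

class Account:
    """One logon ID with its hashed password history, expiry and lockout state."""
    def __init__(self, logon_id, initial_password, now):
        self.logon_id = logon_id
        self.history = []   # (salt, digest) pairs, oldest first, current password last
        self.locked, self.failed_attempts, self.must_change = False, 0, True
        self._store(initial_password, now)

    def _store(self, password, now):
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]   # keep only the last 12
        self.changed_at = now

    def _matches(self, password, entry):
        return hmac.compare_digest(_hash(password, entry[0]), entry[1])

    def authenticate(self, password, now):
        """Returns 'locked', 'denied', 'change_required', 'ok_expiring_soon' or 'ok'."""
        if self.locked:
            return "locked"
        if not self._matches(password, self.history[-1]):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True   # only admin_reset() clears this
                return "locked"
            return "denied"
        self.failed_attempts = 0
        age = now - self.changed_at
        if self.must_change or age >= MAX_AGE:
            return "change_required"
        if age >= MAX_AGE - EXPIRY_WARNING:
            return "ok_expiring_soon"   # warn the user ahead of the expiration date
        return "ok"

    def change_password(self, old, new, now):
        """Returns 'denied', 'policy', 'reuse' or 'changed'."""
        if not self._matches(old, self.history[-1]):
            return "denied"
        if not meets_policy(new):
            return "policy"
        if any(self._matches(new, entry) for entry in self.history):
            return "reuse"   # any of the last 12 passwords is rejected
        self._store(new, now)
        self.must_change = False
        return "changed"

    def admin_reset(self, temporary_password, now):
        """Security-administrator action: unlock and issue a one-time password."""
        self.locked, self.failed_attempts, self.must_change = False, 0, True
        self._store(temporary_password, now)

def demo():
    """Walk one constructed account through the lifecycle; returns the outcomes in order."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    pw, initial = "Correct-Horse-Battery-9", generate_initial_password()
    acct = Account("jdoe", initial, t0)
    out = [acct.authenticate("wrong-guess", t0),            # denied
           acct.authenticate(initial, t0),                  # change_required (first logon)
           acct.change_password(initial, "short", t0),      # policy
           acct.change_password(initial, pw, t0),           # changed
           acct.authenticate(pw, t0 + timedelta(days=10)),  # ok
           acct.authenticate(pw, t0 + timedelta(days=27)),  # ok_expiring_soon
           acct.authenticate(pw, t0 + timedelta(days=31)),  # change_required (expired)
           acct.change_password(pw, pw, t0)]                # reuse
    for _ in range(MAX_FAILED_ATTEMPTS):
        last = acct.authenticate("bad-guess", t0)
    out += [last, acct.authenticate(pw, t0)]                # locked, locked
    acct.admin_reset("Temp-Reset-Pass-42", t0)
    out.append(acct.authenticate("Temp-Reset-Pass-42", t0)) # change_required
    return out
```

Two design points worth noting: the stored record holds only a salt and a digest, so a copy of the account list does not reveal any password (the confidentiality requirement for stored authentication information above), and the comparison uses `hmac.compare_digest` so that a wrong guess takes the same time as a near-miss. The reuse check has to hash the candidate against every retained salt, which is why the history is capped at the 12 entries the policy requires.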