4.5 (2) IDENTIFICATION AND AUTHENTICATION
If users are not properly identified and authenticated, particularly in today's open, networked environments, organizations face a higher risk of unauthorized access.
See figure 5.9
Common vulnerabilities that may be exploited to gain unauthorized system access include:
• Weak authentication methods (e.g., no enforcement of password minimum length, complexity or change frequency)
• Use of simple or easily guessed passwords
• The potential for users to bypass the authentication mechanism
• Lack of confidentiality and integrity for the stored authentication information
• Lack of encryption for authentication and for protection of information transmitted over a network
• Users' lack of awareness of the risk associated with sharing authentication elements (e.g., passwords and security tokens)
Identification and authentication (I&A) are separate functions. They differ with respect to:
• The methods, peripherals and techniques supporting them
• Their requirements in terms of secrecy and management
• Attributes: authentication has no attributes in itself, while an identity may have a defined validity in time and other information attached to it
LOGON IDS AND PASSWORDS
Logon IDs and passwords are a form of authentication based on something you know. The computer maintains an internal list of valid logon IDs and a corresponding set of access rules for each logon ID. The access rules are related to the computer resources and are usually specified at the operating system level (controlling access to files) or within individual application systems (controlling access to menu functions and to types of data or transactions).
Features of passwords
• Special treatment should be applied to supervisor or administrator accounts. For accountability, the administrator password should be known by only one individual. On the other hand, the organization should be able to access the system in an emergency when the administrator is not available. To enable this, practices such as keeping the administrator password in a sealed envelope, stored in a locked cabinet and available only to top managers, should be implemented. Such an emergency account is sometimes referred to as a firecall ID.
• The password for a logon ID should be known only by the individual user.
• Password management is stronger if the system maintains a history of previously used passwords and prohibits their reuse for a period (e.g., no reuse of the last 12 passwords).
• Passwords should be changed on a regular basis (e.g., every 30 days). The best method is to force the change by notifying the user prior to the password expiration date. The frequency depends on many factors, including the technologies used, the nature of the organization and the criticality of the information access level. (Note that more recent guidance, such as NIST SP 800-63B, discourages mandatory periodic rotation and instead requires a change when there is evidence of compromise; the organization's policy should state which approach it follows.)
• Passwords should not be kept on index or card files, or written on pieces of paper taped somewhere near the computer or inside a person's desk.
• Unlike logon IDs, passwords should not be displayed in any form.
• Stored passwords should be hashed (a one-way transformation; unlike encryption, the original password cannot be recovered from the stored value) using a sufficiently strong algorithm. In practice this means a per-password salt and a deliberately slow password-hashing function, so that a stolen password file cannot be reversed cheaply.
• If the wrong password is entered a predefined number of times, the logon ID should be automatically locked out. The security administrator should be the only person with sufficient privileges to reset the password and/or unlock the logon ID.
• New accounts without an initial password assignment should be suspended.
• The logon ID and initial password should be communicated in a controlled manner to ensure that only the appropriate user receives this information.
• Initial password assignments should be randomly generated. Passwords may be allocated by the security administrator or generated by the system itself.
• Passwords should be easy for the user to remember but difficult for an intruder to determine.
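The password features listed above, as an added example that is not part of the original text: a small Python model of password management that enforces a complexity rule, stores only salted one-way hashes, keeps a history so the last 12 passwords cannot be reused, locks the logon ID after a fixed number of wrong attempts, restricts unlocking to an administrator function, and issues a randomly generated initial password that must be changed at first logon. PBKDF2-HMAC-SHA256 is an assumed choice of "sufficiently strong algorithm", the policy values (12-character minimum, 5 attempts) and all class and function names are assumptions made for illustration, and the logon ID used in the test is constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field

# Assumed policy values for illustration; the real values are an organizational decision.
MIN_LENGTH = 12
HISTORY_DEPTH = 12        # no reuse of the last 12 passwords (current one included)
MAX_FAILED_ATTEMPTS = 5   # lock out the logon ID after this many wrong passwords
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). The digest is one-way: it cannot be reversed to the password."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_complexity(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    return problems


def generate_initial_password(length: int = 16) -> str:
    """System-generated random initial password that itself satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_complexity(candidate):
            return candidate


@dataclass
class Account:
    logon_id: str
    salt: bytes
    digest: bytes
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # previous (salt, digest) pairs
    failed_attempts: int = 0
    locked: bool = False
    must_change: bool = True   # the initial password has to be replaced at first logon


def create_account(logon_id: str) -> tuple[Account, str]:
    """Create an account with a random initial password; the clear text is returned once, for delivery."""
    initial = generate_initial_password()
    salt, digest = hash_password(initial)
    return Account(logon_id, salt, digest), initial


def login(account: Account, password: str) -> bool:
    """Authenticate; count failures and lock the logon ID at the threshold."""
    if account.locked:
        return False
    if verify_password(password, account.salt, account.digest):
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
    return False


def change_password(account: Account, current: str, new: str) -> list[str]:
    """Apply the complexity and history rules; return violations (empty list means changed)."""
    if not verify_password(current, account.salt, account.digest):
        return ["current password incorrect"]
    problems = check_complexity(new)
    # History is checked by verifying the candidate against each stored hash, so
    # the system never needs to keep old passwords in clear text.
    for salt, digest in [(account.salt, account.digest)] + account.history:
        if verify_password(new, salt, digest):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    if problems:
        return problems
    account.history.insert(0, (account.salt, account.digest))
    del account.history[HISTORY_DEPTH - 1:]   # keep HISTORY_DEPTH - 1 old entries plus the current one
    account.salt, account.digest = hash_password(new)
    account.failed_attempts = 0
    account.must_change = False
    return []


def admin_unlock(account: Account) -> None:
    """Reset the lockout; in a real system only the security administrator may call this."""
    account.locked = False
    account.failed_attempts = 0
```

The clear-text initial password exists only in the return value of `create_account`, which models the controlled delivery to the user; everything persisted in `Account` is a salt and a one-way digest, so a copy of the account store does not reveal current or previous passwords.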