bcs-ismp-bk-en-GB March 30, 2010 - 08:51 122
Information Security Management Principles
USER ACCESS CONTROLS
LEARNING OUTCOMES
The measures taken to provide Information Assurance within an organisation are often referred to as controls. This section describes the basic building blocks upon which many other controls are predicated – the access controls. Without these, most of the other possible strategies would count for nothing. This section provides an overview that is essential knowledge for every Information Assurance practitioner.
The intention of this section is to provide the reader with the basic knowledge to understand how people and organisations should be managed within a culture of assurance.
Authentication and authorisation mechanisms
The process of authentication and authorisation is generally referred to by the acronym ‘ID&A’, which stands for ‘identification and authentication’. Firstly, the user has to tell the system who they claim to be (identification) by entering a unique username. The system will then challenge them to prove that identity by providing some form of knowledge that can only be known, or possessed, by the individual that they have claimed to be. The system compares the data it receives against a known value it holds and, if they agree, it provides access to the system.
Traditionally, the second value has been a password, which the user is supposed to remember and not tell anyone else. The reality is that some people do write them down on a Post-it note that they keep near their machine, or they choose something that is easy to guess, like a date of birth, name of spouse/child/pet, car registration, sports team, etc. Many Information Assurance professionals believe that too much faith is placed in the ability of passwords to effectively control access to systems.
The traditional defence against password guessing has been to allow the user three tries and to lock them out if they fail three times to enter the correct password. Unfortunately this provides a form of Denial of Service (DoS) attack – allowing an attacker to disrupt the availability of a system by deliberately locking out users. In addition there are well-known techniques to capture passwords travelling across a network or to grab copies of the file on the authentication server that holds all the values for comparison. Copies of programs that will attack and ‘crack’ these are easy to find on the internet, meaning that this form of attack is relatively easy to conduct. People are also very easily fooled into giving out their passwords through social engineering attacks, mentioned earlier, for example where they believe they are talking on the telephone to someone in IT support. A survey a few years ago discovered that 40 per cent
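The ID&A sequence and the three-tries lockout described above, written out as an added example (this is illustrative code, not from the book or any product it discusses). It assumes a small in-memory user store; the stored comparison value is a salted PBKDF2 derivation rather than the password itself, so that a captured copy of the store still has to be cracked one account at a time, and the lockout is time-limited (the 15-minute window is an assumed value) so that an attacker who deliberately fails logins against a victim only makes the account unavailable temporarily rather than until an administrator intervenes.

```python
"""Minimal identification-and-authentication (ID&A) check with a
time-limited three-strikes lockout. Added illustration, not the book's
code; the user store, iteration count and lockout window are assumed."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

ITERATIONS = 100_000        # PBKDF2 work factor (assumed value)
MAX_FAILURES = 3            # the "three tries" described in the text
LOCKOUT_SECONDS = 15 * 60   # temporary lockout instead of a permanent one (assumed)


@dataclass
class Account:
    salt: bytes
    digest: bytes          # the "known value" the server compares against
    failures: int = 0
    locked_until: float = 0.0


def _derive(password: str, salt: bytes) -> bytes:
    # The server never stores the password itself, only this derived value.
    # Every account has its own random salt, so a stolen copy of the store
    # cannot be attacked for all users at once with one precomputed table.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_account(store: dict, username: str, password: str) -> None:
    salt = os.urandom(16)
    store[username] = Account(salt=salt, digest=_derive(password, salt))


def authenticate(store: dict, username: str, password: str, now: float = None) -> str:
    """Return 'ok', 'locked' or 'denied'.

    Step 1 (identification): look up the claimed username.
    Step 2 (authentication): compare the derived value in constant time.
    Three consecutive failures lock the account for LOCKOUT_SECONDS; the
    lock expires on its own, which bounds the denial-of-service effect of
    someone deliberately failing logins against another user's account.
    `now` is injectable so the lockout behaviour can be tested offline.
    """
    now = time.time() if now is None else now
    account = store.get(username)
    if account is None:
        # Spend the same effort for unknown usernames so that response
        # timing does not reveal which identities exist.
        _derive(password, os.urandom(16))
        return "denied"
    if now < account.locked_until:
        return "locked"
    if hmac.compare_digest(_derive(password, account.salt), account.digest):
        account.failures = 0
        return "ok"
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        account.locked_until = now + LOCKOUT_SECONDS
        account.failures = 0
    return "denied"


if __name__ == "__main__":
    users = {}
    create_account(users, "alice", "correct horse battery staple")  # constructed sample account
    for attempt in ("guess1", "guess2", "guess3", "correct horse battery staple"):
        print(attempt, "->", authenticate(users, "alice", attempt))
```

In a real deployment every `denied` and `locked` result would also be written to an audit log, since a burst of lockouts across many accounts is exactly the availability attack the text warns about and is easy to detect once the events are recorded.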