Question One
The most suitable access control model for accommodating these permissions in the ACME Inc. Human Resource department is Role Based Access Control (RBAC). The RBAC approach to securing access to the Human Resource management system bases access control decisions on the functions that a particular user is allowed to perform. The approach is widely used in non-military enterprises with many employees holding different roles and functions (Ferraiolo, Sandhu, Gavrila, Kuhn, & Chandramouli, 2001).
RBAC is well suited to these permissions because users are categorized and assigned different roles in the organization. According to Ferraiolo et al. (2001), Mandatory Access Control (MAC) and Discretionary Access Control (DAC) are appropriate for multilevel security applications and for meeting specific security processing needs respectively. RBAC offers a more reliable and feasible way of defining roles and assigning users to them. Additionally, RBAC can also be used to implement Mandatory Access Control and Discretionary Access Control when needed (Ferraiolo et al., 2001).
The least privilege principle is the practice of limiting access to the minimum level that still allows normal functioning in the organization. This principle will be applied to the different groups as shown below; it translates to giving each group the lowest level of user rights it can have while still performing its function (Ferraiolo et al., 2001). The access rights will also be extended to programs and processes.
Requirement A
Permissions/Roles:
Requirement B
Permissions/Roles:
Requirement C
Permissions/Roles:
Requirement D
Group: Human Resource Help Desk
Permissions/Roles:
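As an added illustration of the RBAC and least-privilege ideas above (example code written for this page, not ACME's system or the NIST reference implementation; the role names, permissions and users are constructed assumptions), the following Python model lets a user activate only the subset of assigned roles a task needs, with senior roles inheriting junior roles' permissions as in the hierarchical NIST model:

```python
from dataclasses import dataclass, field

@dataclass
class RBAC:
    """Hierarchical RBAC (NIST-style): senior roles inherit junior roles' permissions,
    and a user acts through a session that activates only the roles a task needs."""
    role_perms: dict = field(default_factory=dict)  # role -> {(object, operation)}
    juniors: dict = field(default_factory=dict)     # senior role -> {junior roles}
    user_roles: dict = field(default_factory=dict)  # user -> {assigned roles}

    def grant(self, role, obj, op):
        self.role_perms.setdefault(role, set()).add((obj, op))

    def inherit(self, senior, junior):
        self.juniors.setdefault(senior, set()).add(junior)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def effective_perms(self, role):
        # Own permissions plus everything inherited from junior roles, transitively
        perms, todo, seen = set(), [role], set()
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                perms |= self.role_perms.get(r, set())
                todo.extend(self.juniors.get(r, ()))
        return perms

    def open_session(self, user, roles):
        # Least privilege: activate only what the task needs; unassigned roles are refused
        if not set(roles) <= self.user_roles.get(user, set()):
            raise PermissionError(f"{user} is not assigned all of {set(roles)}")
        return (user, frozenset(roles))

    def check(self, session, obj, op):
        return any((obj, op) in self.effective_perms(r) for r in session[1])

def build_acme_hr():
    # Constructed roles/permissions for the ACME HR scenario (assumption, not from the page)
    rbac = RBAC()
    rbac.grant("hr_helpdesk", "employee_record", "read")
    rbac.grant("hr_manager", "employee_record", "write")
    rbac.grant("hr_manager", "salary", "read")
    rbac.inherit("hr_manager", "hr_helpdesk")  # manager inherits help desk permissions
    rbac.assign("alice", "hr_helpdesk")
    rbac.assign("bob", "hr_helpdesk")
    rbac.assign("bob", "hr_manager")
    return rbac
```

A session opened with only `hr_helpdesk` cannot read salaries even for a user who also holds `hr_manager`, which is the least-privilege behaviour the paragraph describes.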
Question Two
There are four major attack surfaces inherent in the web application for the e-commerce website. They can be broadly categorized as input fields, interfaces, services and protocols.
Services;
The first major attack surface is the outdated web server software used to update the application. This can be exploited and used as an unauthorized access point to the system. The loophole can be exploited by external hackers as well as by internal employees with malicious intentions. They can gain access to the system and make detrimental changes, such as accessing credit card information and allowing unauthorized purchases.
Additionally, the web site allows customer service personnel to log in and gain full access rights to the application and the database in order to help customers with any issues. This can be exploited by hackers or by internal employees and personnel to alter customer data and information, particularly credit card information.
Interfaces;
The second major attack surface is the set of interfaces used in the website. As indicated in the case scenario, users are given access to their previous input fields, which could be a potential source of attack on the website. With this ability to access previous transactions, unauthorized users could gain access to and retrieve vital information such as credit card details.
Input fields
Users are allowed to order particular items using a web form that is then processed by customer service personnel. These input fields and forms can be a channel for introducing malicious code into the system.
Question Three
A rainbow table is basically a pre-computed table used for reversing cryptographic hash functions. Rainbow tables are used to recover plaintext passwords of a certain length drawn from a certain set of characters. They are essentially used to determine the feasibility of compromising a system password (Oechslin, 2003). On the other hand, a hash lookup table is a lookup table consisting of the password hashes of user accounts. Another table consisting of the hashes of guessed passwords is also maintained. The two tables are then compared to determine whether the hashed password of a compromised user account matches a hashed password in the lookup table. Essentially, the two techniques work on a similar concept, but the difference is only in size. The hash lookup table is smaller than the rainbow table. Additionally, a rainbow table is essentially a compression technique for a hash lookup table, so the number of passwords it covers does not grow linearly with its size (Oechslin, 2003).
A reduction function is a function used to map the hashes in the table back to plaintexts. Its main purpose is to return a corresponding plaintext of a particular size for each hash (Oechslin, 2003).
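As an added illustration of the chains and reduction function described above (example code written for this page, not the page's own or Oechslin's implementation; the keyspace, chain length and start points are constructed assumptions), the following Python builds a toy rainbow table over three-letter lowercase passwords, recovers an unsalted hash from it, and shows why a per-user salt makes the same precomputed table useless:

```python
import hashlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3       # toy keyspace: 26**3 = 17576 passwords
CHAIN_LEN = 20   # hashes per chain; only the start and end points are stored
# Constructed chain start points for the demo table
DEMO_STARTS = ["ant", "bee", "cat", "dog", "eel", "fox", "gnu", "hen", "owl", "pig"]

def H(password, salt=""):
    # Unsalted SHA-256 is what the table precomputes; a salt changes the input it never saw
    return hashlib.sha256((salt + password).encode()).digest()

def reduce_fn(digest, column):
    """Reduction function: map a digest back into the password space.
    Folding in the column index gives each chain position its own reduction,
    which is what distinguishes a rainbow table from a plain hash-chain table."""
    n = int.from_bytes(digest[:8], "big") + column
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)

def build_table(start_points):
    table = {}  # chain end -> list of chain starts (a list so merged chains are kept)
    for start in start_points:
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_fn(H(pw), col)
        table.setdefault(pw, []).append(start)
    return table

def lookup(table, target):
    """Recover the password behind `target` if one of the stored chains covers it."""
    for col in range(CHAIN_LEN - 1, -1, -1):   # guess the column the target sits in
        pw = reduce_fn(target, col)
        for c in range(col + 1, CHAIN_LEN):    # walk the rest of the chain to its end
            pw = reduce_fn(H(pw), c)
        for start in table.get(pw, ()):        # end point known: regenerate that chain
            cand = start
            for c in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = reduce_fn(H(cand), c)
    return None
```

Only ten end points are stored, yet the table answers for every password on any of the ten chains; the salted lookup fails because the table was built for `sha256(password)`, not `sha256(salt + password)`.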
Question Four
Threat
A threat can be defined as an agent that can cause potential harm to the information systems or resources of an organization. Threats come from both external and internal sources. They include malware, spyware, adware companies and disgruntled internal employees, among others. Others include viruses and worms, which often cause harm to computer systems. The key concept behind a threat is that it has the potential to cause substantial harm to the organization and its resources (Dahbur, Mohammad & Tarakji, 2011).
Vulnerability
A vulnerability is a flaw or loophole that exists in the organization and can be used by attackers to cause damage to the organization and its resources. Vulnerabilities can exist in different forms and areas of the organization, including installed software, business operations and network configurations, among others (Dahbur et al., 2011).
Risk
A risk results when a threat and a vulnerability overlap: a risk occurs when the systems or organizational resources are vulnerable to an available threat (Dahbur et al., 2011).
Exploit
An exploit is a channel, tool or method by which attackers use a vulnerability in the organization to cause damage to its resources or systems. Exploits can also be external or internal to the organization. One example of an exploit is code that creates packets which overflow a buffer in software running on the target; this is referred to as a buffer overflow. Another example is exploiting the organization's social network, in which the attacker convinces an employee of the organization to divulge confidential information such as passwords (Dahbur et al., 2011).
Of the four terms, an approaching hurricane represents a risk, a denial of service represents a threat, a hacker also represents a threat, while the use of a lookup table to compromise a password from a LAN Manager hash represents an exploit.
Question Five
A user's identity can be authenticated in three major ways commonly used in today's information systems.
Use of passwords: this method involves assigning a user a password that is unique to them alone. The user then provides the password whenever their identity needs to be verified. Passwords include passcodes and Personal Identification Numbers (PINs), among others. A good example is authentication at an ATM: the user supplies their PIN to access their account and make the necessary transactions.
Use of user names: a user is given the ability to choose a user name in order to access a particular service. Such methods are mainly used on websites, where users are often required to provide their email addresses to use web services.
Biometric identification: this involves the use of human body features as a means of authenticating a person's identity. The most common practice is the use of fingerprint patterns or retinal patterns, among others, to authenticate users.
An example of a system using two of these authentication techniques is an email account system. A user is allowed to choose a user name and set a password that is matched to the . The user must then provide these two matching credentials every time they wish to access their email account.
On the other hand, situations where all three authentication techniques are used are common in high-security settings such as military safe houses, armories, science labs and nuclear plants, among others. Here users enter their passcodes after presenting their user cards, and provide biometric identification such as fingerprints or retinal patterns read by a scanner.
Question Six
Encryption of all data and transmissions provides adequate protection against passive attacks. Passive attacks are difficult to detect and hence cannot be prevented by mechanisms such as authentication; this is where encryption plays a major role, since it protects data and transmissions from passive attacks. Most importantly, encryption ensures the confidentiality of data and information.
Question Seven
Salting a password involves the use of a randomly generated value that is stored in the database together with the hashed password. This is aimed at making it impossible to crack passwords using precomputed hash tables. The randomly generated value is known as the salt, and because it is stored together with the password, an attacker must brute-force both the password and its salt (Chakrabarti & Singhal, 2007).
A pepper, on the other hand, is a site-wide value that is static and stored separately from the database. It is often hardcoded in the application source code and is intended to be secret. This option is often used so that, in case a password is compromised, there is no need to brute-force the entire password table (Chakrabarti & Singhal, 2007).
Question Eight
I would use password peppering in addition to hashed passwords because the pepper is a static value stored separately from the database of hashed passwords. Therefore, a compromise of the database leaves one of the two values secure. Salting, on the other hand, involves storing the unique salt values in the same database as the hashed passwords, which could result in the loss of both if the database is compromised.
Question Nine
Dictionary attacks are mainly perpetrated by attackers with the intention of obtaining passwords. The attackers use specific programs to loop through all the words in a dictionary and find matching password hashes. Passwords made of weak strings are cracked easily compared with strong passwords. There are two main countermeasures to address this issue faced by web-based systems (Chakrabarti & Singhal, 2007):
i) Use strong, complex passwords. Such passwords should not contain regular dictionary words and should combine lowercase and uppercase letters, special characters and numerals. This reduces the chance of an attacker cracking the password when they use malicious programs to loop through the words in the dictionary.
ii) Store non-retrievable password hashes in the user database to prevent recovery by attackers. Additionally, it is advisable to apply password peppering or salting in addition to the hashing.
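The salt and pepper handling described in Question Seven and recommended in countermeasure ii) above, as an added example written for this page (not the page's own or Chakrabarti and Singhal's code): the per-user salt is stored beside the hash, while the pepper is applied with HMAC and held outside the database. The pepper value, iteration count and user records are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Site-wide pepper: lives outside the database (environment variable, secrets manager,
# HSM), never in the user table. Constructed value for this example only.
PEPPER = b"constructed-example-pepper"
ITERATIONS = 100_000  # PBKDF2 work factor; tune upward for production hardware

def hash_password(password, pepper=PEPPER, salt=None):
    """Return (salt, digest). A fresh random salt per user is stored beside the digest,
    so identical passwords hash differently and precomputed tables do not apply;
    the pepper is applied with HMAC, so a stolen table cannot be verified without it."""
    if salt is None:
        salt = secrets.token_bytes(16)
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, stored_digest, pepper=PEPPER):
    _, digest = hash_password(password, pepper, salt)
    return hmac.compare_digest(digest, stored_digest)  # constant-time comparison

def make_user_record(username, password):
    # What the database row holds: only the salt and digest, no pepper, no plaintext
    salt, digest = hash_password(password)
    return {"user": username, "salt": salt.hex(), "hash": digest.hex()}

def check_login(record, password, pepper=PEPPER):
    return verify_password(password, bytes.fromhex(record["salt"]),
                           bytes.fromhex(record["hash"]), pepper)
```

An attacker holding only the table (salt and hash) still cannot confirm a guess, because the HMAC step needs the pepper that was never stored with the records.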
Question Ten
Biometric authentication is regarded as one of the most effective and reliable authentication techniques currently available. It has gained application in almost all government agencies and in institutions handling military research, scientific research and nuclear power plants, among others. Some of the biometric methods introduced and used over the years have gained wide acceptance; they include the following (Wayman, Jain, Maltoni & Maio, 2005):
Typing patterns;
This biometric authentication type is based on typing patterns, including speed, the interval between letters and the overall rhythm while typing on the keyboard. This is used to authenticate the user and allow or deny access to the system. Typing patterns and similar behaviour were successfully used in World War 2 to authenticate agents based on how they handled equipment such as radio transmitters.
Signature Recognition
This is based on an individual's signature and is considered unforgeable, because what is recorded is how the signature is written and not what is written. The system records the pressure differences and writing speeds at the various points of the signature. This is then used as authentication for access to confidential information such as bank accounts.
Finger Print Recognition
Fingerprints are unique to every individual; hence each user can be uniquely identified by their fingerprints. They are also readily available, and the recognition hardware, such as a fingerprint scanner and its data storage, takes little physical space. To implement this method of authentication, the users are defined in the system and each user is matched with their prints. A scanner is then placed at the entrance of the secured premises and users scan their prints whenever they want to get in. This type of authentication is used in most high-level security agencies.
Eye Scans;
Eye scanning biometric authentication involves the use of an eye scanner to scan the eye pattern, colour and retinal size, among other components, before access is allowed. It has been implemented in a few of the highest security locations. One of its major problems is the cost of installing the specialized eye scanners. Additionally, it is considered hard to use, as most users find it unfriendly.
Hand or palm geometry
This is one of the most cumbersome recognition techniques; it involves recognizing hand or palm geometry, such as the lengths and angles of the hand's features.
Facial Recognition
Facial recognition authentication uses distinctive features to uniquely identify and authenticate a user. These features include the upper outlines of the eye sockets, the sides of the mouth, the areas around the cheekbones, and the location of the eyes and nose. This has been used mainly in security and law enforcement agencies and police departments.
Voice recognition
Here an individual's voice is verified against a stored voice pattern, where factors such as pitch and tone are used to determine identity. What is considered is the pattern and not what the person is saying. It is one of the commonly used techniques to restrict access to mobile gadgets, gates and garages, among others.
References
Chakrabarti, S., & Singhal, M. (2007). Password-based authentication: Preventing dictionary attacks. Computer, (6), 68-74.
Dahbur, K., Mohammad, B., & Tarakji, A. B. (2011, April). A survey of risks, threats and vulnerabilities in cloud computing. In Proceedings of the 2011 International conference on intelligent semantic Web-services and applications (p. 12). ACM.
Ferraiolo, D. F., Sandhu, R., Gavrila, S., Kuhn, D. R., & Chandramouli, R. (2001). Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security (TISSEC), 4(3), 224-274.
Oechslin, P. (2003). Making a faster cryptanalytic time-memory trade-off. In Advances in Cryptology - CRYPTO 2003 (pp. 617-630). Springer Berlin Heidelberg.
Wayman, J., Jain, A., Maltoni, D., & Maio, D. (2005). An introduction to biometric authentication systems (pp. 1-20). Springer London.