Securing and Protecting Information Essay
With the advances in technology, authentication has become part of our everyday lives, whether scanning your badge at work, signing for a credit card purchase, or logging into your Facebook/Twitter accounts. Authentication is the act of validating your identity while requesting access to software, purchases, or entry to a secured facility. There are four types of authentication: something you know, something you have, something you are, and something you can produce.
When a service requests two or more types of authentication, it is called strong authentication, such as inserting an identification card and providing a password to access a computer workstation. Something you know refers to the use of passwords, passphrases, and codes or PINs. When creating a password, the user must decide to create a string of alphanumeric and special characters with differing cases. A longer and more complicated password drastically reduces the risk of cracking or brute-force attacks.
The same password must also be something easily remembered by the user, to discourage it from being written down and stored onsite or left at the workstation. A solution to this is creating a passphrase: a common phrase or date, abbreviated and linked together with special characters, to create a personal passphrase that is difficult to crack but easy to remember. An example of this would be a favorite television show with the day and time it airs. A common rule is to create a string at least eight characters long with at least one number and one special character, to which this example adheres.
The something you have method requires the user to carry and use an access control item. A common one used with the military and federal government is a smart card linked to a PIN called a Common Access Card, an identification card with a user photo, scannable bar code, and embedded chip. This unique card is used for varying levels of granted access to buildings, hardware devices, and software. Another device is the cryptographic token, a computer chip with a display contained within the card.
The chip “contains a built-in seed number that uses a formula or a clock to calculate a number that can be used to perform a remote login authentication. Tokens may be either synchronous or asynchronous” (Whitman & Mattord, 2010). When a synchronous token is synchronized to the server, each device uses the time of authentication to create a generated number used for entry to the system during log in. The asynchronous tokens use a challenge-response system where the server creates a challenge with a number. When the user enters the challenge into the token, a response number is calculated.
This response number is entered into the device and entry is authorized. The advantage of this situation is that server synchronization does not occur, preventing errors due to mistiming. The something you are method refers to your physical characteristics: your fingerprints, retina, facial recognition, and other defining features used to verify authentication. Out of the options available, only three are classified as truly unique identifiers: fingerprints, the blood vessel pattern of the retina, and the random patterns of the iris.
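The synchronous and asynchronous tokens described above can be compared side by side. The following is an added example, not taken from the essay or its sources; it assumes HMAC-SHA256 as the token's "formula", a 30-second interval, and constructed seed and clock values, and it shows how clock drift breaks a strict synchronous check while the challenge-response check is unaffected.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30  # seconds per code interval (assumed value)

def derive_code(seed: bytes, message: bytes, digits: int = 6) -> str:
    """Derive a short decimal code from the shared seed and a message."""
    # Assumption: HMAC-SHA256 stands in for the token's unspecified formula.
    mac = hmac.new(seed, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)

def sync_code(seed: bytes, now: float) -> str:
    """Synchronous token: the code depends on the current time interval."""
    return derive_code(seed, struct.pack(">Q", int(now // STEP)))

def verify_sync(seed: bytes, submitted: str, server_now: float, window: int = 0) -> bool:
    """Server-side check; `window` tolerates that many intervals of drift."""
    for drift in range(-window, window + 1):
        expected = sync_code(seed, server_now + drift * STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

def new_challenge() -> str:
    """Asynchronous token: the server issues a fresh random challenge."""
    return str(secrets.randbelow(10**8)).zfill(8)

def async_response(seed: bytes, challenge: str) -> str:
    """The token computes the response from the challenge the user typed in."""
    return derive_code(seed, challenge.encode())

def verify_async(seed: bytes, challenge: str, submitted: str) -> bool:
    return hmac.compare_digest(async_response(seed, challenge), submitted)

def demo() -> dict:
    seed = bytes(range(32))       # constructed seed shared by token and server
    server_now = 1_700_000_000.0  # constructed server clock
    token_now = server_now + 45   # token clock has drifted 45 s ahead
    otp = sync_code(seed, token_now)
    challenge = new_challenge()
    return {
        "sync_strict": verify_sync(seed, otp, server_now),
        "sync_windowed": verify_sync(seed, otp, server_now, window=2),
        "async": verify_async(seed, challenge, async_response(seed, challenge)),
    }

if __name__ == "__main__":
    print(demo())
```

Widening the window makes the synchronous check tolerant of drift but also lengthens the time a captured code stays valid, which is the trade-off the challenge-response design avoids.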
To further the defenses, these characteristics are encrypted and stored so each subsequent scan can be identified and compared. The obvious downside to this security feature is that a person’s features can change over time or with illness and injury, causing difficulty in some instances. The something you can produce authentication is based around the user as well, using signatures, voice activation, and the lesser-known keystroke pattern recognition. Though signatures are common for authentication, they can vary greatly with each transaction, change over time, and can be easily bypassed for instances of credit cards and similar areas.
During these times, the signature is not necessarily used to authenticate but rather kept on file for proof of purchase. Voice recognition focuses on the analog waveforms of speech, comparing them to the stored version in the system. Keystroke recognition follows the user’s precision and timing while typing in a set sequence of provided keystrokes.
Authorization
Authorization begins with the user and their identity in the system; this is managed from three different angles when creating a system.
The first is for individual user authentication, where access is granted for each account and entity. The drawback of this design is the large number of users and levels of access that must be cataloged and maintained, quickly creating a large and cumbersome database to manage. The second type is for groups, where the authentication level is set per group of peers requesting access. This is historically the most common design chosen by companies to set limits at levels based on position. The third is maintained for multiple systems by the single sign-on design.
Access is granted for the user across multiple levels of the system through their initial sign-on. This option is starting to take hold as a more common approach as companies develop and grow, requiring authorization across entire entities.
Prevention
Each system needs constant maintenance after inception. Tracking of account and system action is kept with system logs, records of data for each system logging user access attempts and modifications. These data sheets help in the identification of attacks, system failures, and system and process performance.
During development, this is a crucial tracking item to ensure that the system is working as designed and to help troubleshoot common errors or access failures that may be experienced. This will also aid during the implementation process to ensure the system is able to handle the workload and meet sufficient minimum requirements to function for the user and the stakeholders alike. Under the title of accountability also lie access controls, making sure the proper user has the proper access with an access control policy.
This statement will outline granted access to entities and groups within the network, job roles, intended use, and administrator duties. The statement also includes direction for a developing network where employee positions and duties will change, along with updates to hardware and software configurations.
Wi-Fi Protected Access (WPA) is the group of protocols securing wireless networks, especially important in business today with so many wireless transactions and remote users necessary just to conduct daily operations. This standard was eventually updated to WPA2 to meet the needs of today’s consumer.
Unique keys are issued to registered users of the authenticated servers, strictly controlling access. Pre-shared keys are available to allow multiple instances, but this is not as secure as the original one-to-one codes. On top of WPA is Wi-Max, another improvement specifically for smart phones and modems. Wi-Max describes a certificate of approval for selected devices that are screened as meeting the requirements suggested by industry standards. The Wi-Fi protection extends to include verifying authentication standards set by the company for biometrics, approved passwords, and smart cards.
Port scanners were created to identify active computers within the network along with the respective active ports and running services.
Although generic scans can be used, detailed reports are also an option for the system, revealing open nodes the administrator might not even be aware of. A more specific approach is the use of a vulnerability scanner. These tools scan the network and return detailed information identifying usernames, groups, open sharing, and possible configuration vulnerabilities. Essential to the network, these specific port scanners assist in maintaining a secure network by exposing possible areas of attack.
Data backup is performed as a preventative measure to keep the integrity of the system alive with uncorrupted and recent data. A thorough backup plan addresses every component of information and software redundancy along with a structured plan for employees, identifying roles and plans in case of disaster recovery. Ideally, an offsite backup location is held by the company in a temperate and calm environment, limiting the possibility of disaster striking both locations at the same time. A large drawback of this option is the resources necessary to maintain the personnel, payroll, land, and housing.
Onsite backups are more commonplace for smaller businesses due to that limitation.
“Each type of backup has advantages and disadvantages. Which type is best for the organization depends on the amount of data you routinely process and store, how frequently your data changes, how often you expect to have a restore from a backup, and a number of other factors” (Conklin, White, Williams, Davis, & Cothren, 2012). A full backup recreates and stores a copy of every piece of information and software the company holds within their database.
Obviously, this is very time dependent due to the massive amounts of data involved, and may not be performed very often. In this case, a differential backup is used as maintenance, essentially refreshing the data compiled since the last full backup was completed. Though quicker, time is still necessary to load the last full backup and apply the update. The incremental backup is performed as a piggyback to the differential. This time only the files that have changed will be copied over and can be applied directly to the differential. Lastly, the delta backup is performed and is the quickest.
Now, only the changed file would be copied and changed, though it does create a more complex method for identifying the folders in both locations.
Overall, the options for security authentication and authorization are numerous; unfortunately, this number is also matched by the large number of tools available to the attacker. When creating and implementing a new system, great thought and detail are given to the entire structure now, while also thinking ahead as to what future attacks or disasters may come. Using strong authentication, network tools, and backups, the administrator has a chance at living with a very secure system.
In most instances it all comes down to the level of the individual, from the employee that forgets to install a new software patch to the social engineering attacker who happens to catch someone off guard and obtain just the right piece of information.
Conklin, A., White, G., Williams, D., Davis, R., & Cothren, C. (2012). Principles of Computer Security: CompTIA Security+ and Beyond (third ed.). Boston, MA: McGraw-Hill Company.
Whitman, M., & Mattord, H. (2010). Management of Information Security (third ed.). Pittsburgh, PA: Cengage Learning.