In this unit we continue our discussion of IT security measures.
One of the soundest practices in information security is the principle of least privilege: users should have access only to the resources and systems they need to do their job, nothing more and nothing less. Modern information systems are so complex that the question is not whether they contain vulnerabilities but where. Combined with the fact that the most common cause of security breaches is the human factor, whether intentional or unintentional, this makes it wise to give each user access only to what he or she needs: a compromised or careless account can then damage only what it could legitimately reach. One method of control is physically restricting access to hardware to authorized personnel only. Another is a permission policy that grants access to systems, applications and data only to the users who need them, regardless of whether we run our own infrastructure or use a cloud-based system.
To establish a successful access control policy, an IT system needs a way of authenticating its users, that is, of verifying that they are who they claim to be. Authentication is not the same as authorization, although the two are linked: first the system must establish who is trying to access it (authentication), and then it must decide which resources that person is allowed to use (authorization). The most comprehensive authentication systems combine four kinds of factor: something you have (for example a card or key), something you know (a password), something you do (for example a signature) and something you are (a biometric scan). Requiring all of them is cumbersome for users, so, depending on the level of security required, a subset is used. Note that the factors only add security when they are independent: a password plus a PIN are both "something you know" and fall to the same attacks.
Passwords are the most frequently used way of authenticating users. A password is a string of characters used to authenticate a user's identity or approve access to specific data. Obviously, passwords must be kept secret from those not allowed access: personal passwords should be used and shared passwords avoided. Passwords can be attacked by brute force (systematically trying every combination of characters with a computer), by dictionary attack (trying words from a wordlist, together with the common variations people apply to them, such as capitalizing the first letter or appending digits) or by social engineering (tricking the holder into revealing it). That is why passwords should be long enough and should not include personal information such as birth dates or family names. Length matters most, since every extra character multiplies the number of combinations a brute-force attacker must try; mixing uppercase and lowercase letters, digits and symbols enlarges the alphabet as well. Another tactic for choosing a password is to think of a phrase and take the first letter of each word. Passwords generated in this way are as memorable as naively selected passwords and, in practice, about as hard to crack as randomly generated ones, provided the phrase is not a well-known quotation or lyric, whose initials already appear in cracking wordlists.
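The following Python example, added here and not part of the original unit, shows why the advice above matters: it stores a password as a salted hash, runs a small dictionary attack using the mangling rules cracking tools apply, and compares that with the brute-force search space the same password appears to have. The wordlist, the salt and the sample passwords are constructed for the demonstration, and plain salted SHA-256 is used only to keep it fast; a real system stores passwords with a deliberately slow KDF such as argon2id, scrypt or bcrypt.

```python
import hashlib
import math
import os
import string

# Constructed sample wordlist; real attacks use lists with millions of entries
# harvested from previous breaches.
SAMPLE_DICTIONARY = ["password", "summer", "welcome", "dragon", "letmein", "football"]
SUFFIXES = ("", "1", "123", "!", "2023", "2024")


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256, chosen only to keep the demo fast. A real system should
    store passwords with a deliberately slow KDF (argon2id, scrypt, bcrypt)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def mangled_candidates(dictionary):
    """Yield the variants cracking tools derive from each dictionary word:
    capitalisation changes, common suffixes and simple letter-for-symbol swaps."""
    for word in dictionary:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                yield base + suffix
            yield base.replace("a", "@").replace("o", "0").replace("e", "3")


def dictionary_attack(target_hash: str, salt: bytes, dictionary=SAMPLE_DICTIONARY):
    """Try every mangled candidate; return (recovered_password, guesses) or (None, guesses)."""
    guesses = 0
    for candidate in mangled_candidates(dictionary):
        guesses += 1
        if hash_password(candidate, salt) == target_hash:
            return candidate, guesses
    return None, guesses


def brute_force_search_space(password: str) -> int:
    """Number of strings a brute-force attacker must try if all it knows is the
    length and which character classes are present."""
    alphabet = 0
    for chars in (string.ascii_lowercase, string.ascii_uppercase,
                  string.digits, string.punctuation):
        if any(c in chars for c in password):
            alphabet += len(chars)
    return alphabet ** len(password)


def entropy_bits(password: str) -> float:
    """Search space expressed as bits, the usual way strength is quoted."""
    return math.log2(brute_force_search_space(password))


def passphrase_initials(phrase: str) -> str:
    """The first-character-of-each-word method described in the text."""
    return "".join(word[0] for word in phrase.split())


if __name__ == "__main__":
    salt = os.urandom(16)
    for pw in ("Summer2023", passphrase_initials("My dog Rex ate 3 socks in 2019!")):
        found, guesses = dictionary_attack(hash_password(pw, salt), salt)
        print(f"{pw!r}: search space 2^{entropy_bits(pw):.1f}, dictionary attack "
              f"{'succeeded' if found else 'failed'} after {guesses} guesses")
```

Both sample passwords have the same apparent strength (ten and eight characters from a 62-symbol alphabet), yet "Summer2023" falls within a few dozen guesses because it is a dictionary word with a common suffix, while the passphrase initials are not in any wordlist and leave the attacker with the full search space.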
Passwords should be changed from time to time, and the more extensive the access rights of the password holder, the more frequently the password should be changed. Password content and password ageing requirements can be defined and enforced in company-wide user management policies. It is not a good idea to use the same password for different systems: if the password to one account becomes known, all the user's accounts are at risk, and attackers routinely try leaked credentials against other services. However, nowadays we tend to have dozens of different accounts, and keeping an individual password for each of them is difficult to accomplish without a password manager. Common practices in access control interfaces are: not displaying the password on the screen while it is being entered, to avoid over-the-shoulder theft; limiting the number of allowed failures within a given time period; and blocking further attempts on that account for an increasing period of time after each failure, to slow down brute-force and dictionary attacks. The lock-out must be designed so that an attacker cannot use it to lock legitimate users out of their own accounts. To end this brief look at passwords, we stress that, to be effective, a password must never be revealed to other persons.
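An added example, not from the original unit, of the last two interface practices in Python: a per-account throttle that counts failures inside a time window and, once the limit is reached, blocks further attempts for a lock-out period that doubles with each additional failure until a successful login resets it. The user store, its salt and the `FakeClock` used to step time deterministically are constructed for the demonstration; `LoginThrottle` and `attempt_login` are hypothetical names, not a library API.

```python
import hashlib
import hmac
import time
from collections import defaultdict


class LoginThrottle:
    """Per-account failure counter with an escalating lock-out.

    Failures older than `window_seconds` are forgotten. Once an account has
    `max_failures` failures inside the window it is blocked for `base_lockout`
    seconds; every further failure doubles the lock-out, capped at `max_lockout`.
    A successful login resets everything for that account.
    """

    def __init__(self, max_failures=5, window_seconds=300, base_lockout=1.0,
                 max_lockout=3600.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.clock = clock
        self._failures = defaultdict(list)   # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the current lock-out ends
        self._next_lockout = {}              # account -> length of the next lock-out

    def is_blocked(self, account):
        return self.clock() < self._locked_until.get(account, 0.0)

    def seconds_until_unblocked(self, account):
        return max(0.0, self._locked_until.get(account, 0.0) - self.clock())

    def record_failure(self, account):
        now = self.clock()
        recent = [t for t in self._failures[account] if now - t < self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            lockout = self._next_lockout.get(account, self.base_lockout)
            self._locked_until[account] = now + lockout
            self._next_lockout[account] = min(lockout * 2, self.max_lockout)

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)
        self._next_lockout.pop(account, None)


class FakeClock:
    """Deterministic stand-in for time.monotonic, constructed for the demo."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


# Constructed user store: passwords are kept as salted PBKDF2 hashes, never in clear.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 10_000


def _derive(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"alice": _derive("correct horse battery")}


def verify(account, password):
    """Constant-time comparison; the hash is computed even for unknown accounts
    so that response time does not reveal which user names exist."""
    candidate = _derive(password)
    expected = USERS.get(account)
    return expected is not None and hmac.compare_digest(expected, candidate)


def attempt_login(throttle, account, password):
    """Returns 'locked', 'ok' or 'denied'."""
    if throttle.is_blocked(account):
        return "locked"          # the password is not even evaluated while locked
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=3, window_seconds=60, base_lockout=2.0, clock=clock)
    for pw in ("guess1", "guess2", "guess3", "guess4", "guess5"):
        print(f"t={clock.now:4.1f}s  {attempt_login(throttle, 'alice', pw):6}  "
              f"locked for {throttle.seconds_until_unblocked('alice'):.1f}s")
        clock.advance(1.0)
```

Keying the throttle on the account, as here, slows a single-target attack but also lets an attacker deliberately lock a victim out; production systems therefore combine an account key with a per-source-address key and use short, escalating lock-outs rather than permanent ones.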
Recognizing personal characteristics is a powerful tool for access control, as it can be very reliable. Biometric identifiers are the distinctive, measurable characteristics used to label and describe individuals, and they are often categorized as physiological or behavioral. Physiological characteristics are related to the shape of the body; they include, for example, fingerprints, palm veins, facial features, DNA, palm prints, hand geometry, the iris and the retina. Behavioral characteristics are related to a person's pattern of behavior, including, but not limited to, typing rhythm, gait and voice. Speech recognition is mainly used for automated transcription, but recognizing the speaker rather than the words can also serve for access control. Two caveats apply to all biometrics: a match is a probabilistic judgement, so every system has a false-acceptance rate and a false-rejection rate that must be tuned for the application; and a biometric cannot be replaced like a password, so a stolen template is a permanent loss.