Access control is the heart of security and also the first line of defense in asset protection. Arguable so because it has the ability to allow only authorized users, programs or processes system or resource access to a particular object on a network or stand alone system.
In discretionary access control (DAC), the custodial of the data or information determines or specifies which persons or subjects can access the data or information resource. The access control to the information asset is at the discretion of the owner (Harris, 2010).
Most DAC systems grant or deny access based on the identity of the information or data requester. Often DAC uses ACLs (access control lists) to grant or deny access to network resources. However, in mandatory access control (MAC) access to information resource is based solely on security labeling system. In which case users have security clearances and resources themselves have security labels with data classifications. MAC implementation is found in certain environments where information classification and high confidentiality are of paramount important. A good example is in the military. In MAC implementations, the system makes access decisions by comparing the subject’s clearance and need-to-know level to that of the security label (Harris, 2010). An essential feature of MAC is that the underlying operating systems enforce the system’s security policy through the use of security labels on information assets and the level of security clearance a user possesses.
In contrast to the above two models is the role based access control (RBAC) sometimes called non –discretionary model. With RBAC, access to information resources is based on the role users are assigned in the organization and nothing more. Kayem, Akl, & Martin (2010) observed that role-based access control (RBAC) is a combination of mandatory and discretionary access control; and also RBAC models are more flexible than their discretionary and mandatory counterparts because users can be assigned several roles and a role can be associated with several users.
Although the access control implementation will depend on the environment. But in a distributed environment where I have been privilege to implement RBAC, the RBAC model is the best out of the three because users’ role can be mapped to job function and authorization level. By using the authorization level, user privileges can be easily designed without having to resort to ACLs commonly used in DAC. In addition, RSAC according to Kayem et al. (2010) assigns permissions to specific operations with a specific meaning within an organization, rather than to low level files as in other models. The incident of Trojan horse infection on the network can be reduced by implementing RSAC. DAC is silent on the ways files are to be modified in network operations and this open more ground for security vulnerabilities.
I will use a centralized access control administration as a way to increase security because all access requests will go through a central authority. Visibility on access operations will be enhanced as administration is more simplify. As an administrator, I will only have to cope with a single point of failure and access performance bottlenecks on the network will be easily controlled (Smith, J.)
Reference:
Harris, S. (2010, 5th Edition). CISSP all in one exam guide. Columbus, Ohio: McGraw Hill.
Kayem, A., Akl, S., & Martin, P. (2010). Adaptive cryptographic access control. Advances in Information security, DOI 10.1007/978-1-4419-6655-1_2.
Smith, J. Access Control Systems & Methodology. Retrieved April 29, 2012, from
www.purdue.edu/securepurdue/docs/training/AccessControls.ppt
DIGITAL SECURITY AND INFORMATION ASSURANCE
This blog is created to stimulate academic discussion in partial fulfillment of the degree of Doctorate of Computer Science in DIGITAL SECURITY AND INFORMATION ASSURANCE for the Colorado Technical University, Colorado Springs, Colorado.
Courses includes - EM835 Information Accountability and Web Privacy Strategies; SC862 Digital Security; Quantitative Analysis; Software Architecture and Design - CS854;
Monday, September 3, 2012
Risk Management a must for Security
Risk management in information security program is one of the yardsticks of due diligence and care that formed the cornerstone of information security governance. One of the ways to incorporate risk management and assessment in the security program is to establish a security policy and procedure in the organization. The security policy will form the basis of risk management policy that will be tailored to address the following
* Uncovering potential dangers in the environment
* Researching and understanding the vulnerabilities, threats and risks that is
peculiar to the environment
* Performing periodic security assessments
* It is absolutely essential to perform analysis of assessment data. This can be used to establish a security baseline with necessary security controls to adequately safeguard information assets.
We need to know where we are going and where we are coming from in term of security for the security program to succeed in any organization. The benefits of risk analysis are immeasurable because it helps to us to understand what exactly is at risk in the environment; to conform to due care and comply with legal and regulatory requirements (Harris, 2010).
By performing risk analysis, we are in better position to know what security controls, countermeasures and safeguards to implement in order to re-enforce the environment security posture in view of known vulnerabilities and risks. For instance, the risk assessment could mean the patch management and anti-malware deployments should be more visible. According to Harris (2010), a risk analysis helps integrate the security program objectives with the company’s business objectives and requirements.
I will confront emerging threats by making sure that adequate security controls both technical and administrative are in place and also by fine tuning continuous education of users of the importance of information security as they perform their daily tasks. Security monitoring and awareness training will also be heightened to address all forms of social engineering and non- compliance with security policy and procedures. Without implementing adequate protection measures, enterprises are at risk of having their operations critically disrupted (Murphy & Zwieback, 2005). No amount of IDS, IPS and firewalls can offer the necessary protection if the users who are in the first line of defense fails to imbibe simple security rules.
The risk assessment will include a detail threat and vulnerability analysis, a thorough examination of countermeasure mechanisms as well as assets identification. Without these components the purpose of the risk assessment is defeated and the whole risk management program might be in jeopardy.
References:
Harris, S. (2010, 5th Edition). CISSP all in one exam guide. Columbus, Ohio: McGraw Hill.
Murphy, J. & Zwieback, D. (2005). Managing emerging security threats. Retrieved April 24, 2012, from http://www.greetsomeone.com/pdf/inkcom_managing_security_threats.pdf
* Uncovering potential dangers in the environment
* Researching and understanding the vulnerabilities, threats and risks that is
peculiar to the environment
* Performing periodic security assessments
* It is absolutely essential to perform analysis of assessment data. This can be used to establish a security baseline with necessary security controls to adequately safeguard information assets.
We need to know where we are going and where we are coming from in term of security for the security program to succeed in any organization. The benefits of risk analysis are immeasurable because it helps to us to understand what exactly is at risk in the environment; to conform to due care and comply with legal and regulatory requirements (Harris, 2010).
By performing risk analysis, we are in better position to know what security controls, countermeasures and safeguards to implement in order to re-enforce the environment security posture in view of known vulnerabilities and risks. For instance, the risk assessment could mean the patch management and anti-malware deployments should be more visible. According to Harris (2010), a risk analysis helps integrate the security program objectives with the company’s business objectives and requirements.
I will confront emerging threats by making sure that adequate security controls both technical and administrative are in place and also by fine tuning continuous education of users of the importance of information security as they perform their daily tasks. Security monitoring and awareness training will also be heightened to address all forms of social engineering and non- compliance with security policy and procedures. Without implementing adequate protection measures, enterprises are at risk of having their operations critically disrupted (Murphy & Zwieback, 2005). No amount of IDS, IPS and firewalls can offer the necessary protection if the users who are in the first line of defense fails to imbibe simple security rules.
The risk assessment will include a detail threat and vulnerability analysis, a thorough examination of countermeasure mechanisms as well as assets identification. Without these components the purpose of the risk assessment is defeated and the whole risk management program might be in jeopardy.
References:
Harris, S. (2010, 5th Edition). CISSP all in one exam guide. Columbus, Ohio: McGraw Hill.
Murphy, J. & Zwieback, D. (2005). Managing emerging security threats. Retrieved April 24, 2012, from http://www.greetsomeone.com/pdf/inkcom_managing_security_threats.pdf
Cyber attack or terrorism is real
President Bill Clinton in 1998 put it rather direct “Our foes have extended the fields of battle – from physical space to cyberspace” (O’Hara, 2004). If our former president acknowledged this fact, I strongly believe that cyber terrorism or attack is a real and an ever expanding threat against our well being and a security challenge. O’Hara (2004) pointed out that cyber warfare is now a primary tool in the information warfare arsenal to achieve non-kinetic attacks which is the type of attack not aimed at physical destruction but is designed to impact the adversary’s will to fight and decision making process.
The US federal government has acknowledged that we are susceptible to cyber terrorism because digital security controls has not been built into most of our critical systems from the design phase and in the entire system life cycle. It is now that we are catching up and the resilient of our cyber protecting mechanisms are still questionable. Cyber attacks can easily be launched provided you have a computer; internet connection and a variety of hacking and cyber warfare tools which are available on a multitude of internet sites worldwide. The price of perpetrating a cyber attack is just a fraction of the cost of the economic or physical damage such an attack can produce: cyber attack is also characterized by aggressive enemy efforts to collect intelligence on the country’s weapons, electrical grid, traffic-control systems, and even its financial markets (Lipman Report, 2010).
The damage to our critical infrastructures will be unprecedented if we are attacked by cyber criminals either sponsored by rogue states or organized criminals. Our transportation hubs, air-control systems, water treatment plants and telecommunication facilities are targets of such attacks and the impact on our lives will be so catastrophic and the economic loss will be immeasurable and may be worst than 911. Cyber warfare can negatively affect our economic prosperity in this century and beyond. Just of recent a cyber attack due to the Stuxnet worm caused international havoc and systematically shutdown the Iranian nuclear program.
The treat of cyber attacks is real if the likes of Google and Cisco networks can be hacked and attacked by the bad guys. Exploitable vulnerabilities are making our critical infrastructures unsecured to the point that hackers are just a step away of using malicious codes to take full control of even the highly classified systems. This is frightened but is the truth. It is only recently that the US federal government through the various agencies under the auspices of NIST sanctioned them to perform periodic the risk assessment of their systems and network infrastructures. The agencies are to develop remedial and mitigation plans to curtail security risks and other associated problems within a timeframe. However, if we anticipate and know of any imminent threats from cyber criminals or rouge states, we have absolute right to defend ourselves using all information security arsenals and even convectional weapons. Pre-emptive strikes should be part of our cyber security defense vocabularies and we must be capable of developing cyber offensive capabilities. Good defensive operations will point in the direction of the attacker, which then allows offensive operations to target them for retaliation (O’Hara, 2004).
Urgent proactive actions such continuous monitoring , patch management and development of multiple layers of defense as well as perimeter securities are needed to guide against cyber warfare and other malicious intents. In addition, we need to train more security professionals who can design secure systems, write safe computer codes and create the ever more sophisticated tools needed to prevent, detect and mitigate and reconstitute systems after an attack (Lipman Report, 2010). We must not be complacent with our security and develop false sense of security when are still vulnerable to incessant cyber attacks.
References
O’Hara T. (2004). Cyber warfare and cyber terrorism. Retrieved April 12, 2012, from http://www.dtic.mil/cgi-bin/GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA424310
The Lipman Report (2010). Threats to the information highway: Cyber warfare, cyber terrorism and cyber Crime. Retrieved April 12, 2012, from http://www.guardsmark.com/files/computer_security/TLR_Oct_10.pdf
Godwin Omolola
The US federal government has acknowledged that we are susceptible to cyber terrorism because digital security controls has not been built into most of our critical systems from the design phase and in the entire system life cycle. It is now that we are catching up and the resilient of our cyber protecting mechanisms are still questionable. Cyber attacks can easily be launched provided you have a computer; internet connection and a variety of hacking and cyber warfare tools which are available on a multitude of internet sites worldwide. The price of perpetrating a cyber attack is just a fraction of the cost of the economic or physical damage such an attack can produce: cyber attack is also characterized by aggressive enemy efforts to collect intelligence on the country’s weapons, electrical grid, traffic-control systems, and even its financial markets (Lipman Report, 2010).
The damage to our critical infrastructures will be unprecedented if we are attacked by cyber criminals either sponsored by rogue states or organized criminals. Our transportation hubs, air-control systems, water treatment plants and telecommunication facilities are targets of such attacks and the impact on our lives will be so catastrophic and the economic loss will be immeasurable and may be worst than 911. Cyber warfare can negatively affect our economic prosperity in this century and beyond. Just of recent a cyber attack due to the Stuxnet worm caused international havoc and systematically shutdown the Iranian nuclear program.
The treat of cyber attacks is real if the likes of Google and Cisco networks can be hacked and attacked by the bad guys. Exploitable vulnerabilities are making our critical infrastructures unsecured to the point that hackers are just a step away of using malicious codes to take full control of even the highly classified systems. This is frightened but is the truth. It is only recently that the US federal government through the various agencies under the auspices of NIST sanctioned them to perform periodic the risk assessment of their systems and network infrastructures. The agencies are to develop remedial and mitigation plans to curtail security risks and other associated problems within a timeframe. However, if we anticipate and know of any imminent threats from cyber criminals or rouge states, we have absolute right to defend ourselves using all information security arsenals and even convectional weapons. Pre-emptive strikes should be part of our cyber security defense vocabularies and we must be capable of developing cyber offensive capabilities. Good defensive operations will point in the direction of the attacker, which then allows offensive operations to target them for retaliation (O’Hara, 2004).
Urgent proactive actions such continuous monitoring , patch management and development of multiple layers of defense as well as perimeter securities are needed to guide against cyber warfare and other malicious intents. In addition, we need to train more security professionals who can design secure systems, write safe computer codes and create the ever more sophisticated tools needed to prevent, detect and mitigate and reconstitute systems after an attack (Lipman Report, 2010). We must not be complacent with our security and develop false sense of security when are still vulnerable to incessant cyber attacks.
References
O’Hara T. (2004). Cyber warfare and cyber terrorism. Retrieved April 12, 2012, from http://www.dtic.mil/cgi-bin/GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA424310
The Lipman Report (2010). Threats to the information highway: Cyber warfare, cyber terrorism and cyber Crime. Retrieved April 12, 2012, from http://www.guardsmark.com/files/computer_security/TLR_Oct_10.pdf
Godwin Omolola
Subscribe to:
Posts (Atom)