...IS3230 Access Security Paul Delgado Thomas Cuneo Saul Flores 6/25/15 Week 2 Discussion Chapter 3 Competitive Use of Information talks about the advantage of having sacred valuable information, because if a company or an organization has access to formulas, recipes, and trade secrets from a competitor, it would be key to putting together a strategy to eliminate the competition. Warfare as a Model for Business talks about the competition, for example liking Starbucks or coffee bean. Do you like eBay or amazon, do you like coke or Pepsi. Here is a reference to the section: The basic idea of warfare as a model for business is to view your competitors as opposing armies, and market share/customers as the battle field. You win by taking and holding profitable market share. As a company, you have to learn about your weaknesses and advantages to progress. This helps avoid damaging battles. This section also talks about the famous Sun Tzu. Sun Tzu was an ancient military general and strategist. His book The Art of War, is one of the definitive treatises on warfare. In his book there are six principles that apply very well to a business setting. Capture your market without destroying it—Sun Tzu called this “Win all without fighting.” You must capture market to be profitable, but if the act of capturing it ruins the profitability of the market the fight wasn’t worth the effort. A price war, as discussed above, illustrates this concept well. It is not worth starting a price war if the...
Words: 858 - Pages: 4
...information An “Internal” category for information that should stay within the organization A category such as Confidential or Restricted for information that is particularly sensitive. The classification level assigned to data will guide data owners, data custodians, business and technical project teams, and any others who may obtain or store data, in the security protections and access authorization mechanisms appropriate for that data. Such categorization encourages the discussion and subsequent full understanding of the nature of the data being displayed or manipulated. Data is classified as one of the following: Public (low level of sensitivity) Access to “Public” institutional data may be granted to any requester. Public data is not considered confidential. Examples of Public data include published directory information and academic course descriptions. The integrity of Public data must be protected, and the appropriate owner must authorize replication of the data. Even when data is considered Public, it cannot be released (copied or replicated) without appropriate approvals. Sensitive (moderate level of sensitivity) Access to “Sensitive” data must be requested from, and authorized by, the Data Owner who is responsible for the data. Data may be accessed by persons as part of their job responsibilities. The integrity of this data is of primary importance, and the confidentiality of this data must be protected. Examples of Sensitive data include purchasing data, financial...
Words: 800 - Pages: 4
...Access Control: Final Exam Review: What is subject to an access control scenario? Policies Subject Objects What are the elements of a well-defined access control system? Policies Procedures Tools What is the purpose of access control? To regulate interactions between a subject (usually, but not always, a human user) and an object, like a network, device, or data itself. What components can be used to measure the confidence in any authentication system? Thetype of correlation and the number of authentication factors in place. What holds true while hardening an organizational network through security controls? 100percent of access control threats cannot be eliminated What should be considered while implementing a layered access security approach? Use of case studies to learn from what others have done and apply those lessons to your own situation (risk assessments) Which attack strategies has the highest success rate of making a particular system vulnerable? Denial of Service (DoS) attacks What is the preferred method to reduce risks while managing access security controls within the system/application domain? Checking and applying updates and new patches on a regular basis True or False: When considering access control security options to mitigate vulnerabilities within the infrastructure, it is unnecessary to place access controls on each asset. True Defense-in-depth is the concept and strategy of implementing multiple...
Words: 1028 - Pages: 5
...role. 3. Provide at least 3 examples of Network Architecture Controls that help enforce data access policies at the LAN-to-WAN Domain level? 1. Smart Cards – A token CAC card that is used in tandem with a password 2. Passwords – User defined passwords that coincide with password standards. 3. Cognitive password – Pre-answered questions that hopefully only the user knows the answer to. 4. When a computer is physically connected to a network port, manual procedures and/or an automated method must exist to perform what type of security functions at the Network Port and Data Switch level for access control? Name and define at least three. Verify authorized access to the asset Verify the user is who they say they are through authentication Verify the configuration of the computer is compliant with local security standards.. 5. What is a Network Access Control (NAC) System? Explain its benefits in securing access control to a network. A NAC is the use of certain policy of the network information structure that temporarily limits access the certain recourses while authenticating the user. 6. Explain the purpose of a Public Key Infrastructure (PKI) and give an example of how you would implement it in a large organization whose major concern is the proper distribution of certificates across many sites. PKI - a framework consisting of programs, procedures and security...
Words: 536 - Pages: 3
...Richman Investment’s Remote Access Security Policy 1) Wireless Access At Richman Investment’s when the network is accessed remotely via wireless appropriate wireless security standards will be used. • Wired Equivalency Protocol (WEP) will be used as standard on Wi-Fi connections. • A WEP encryption key will be used. • The network will be configured not to advertise its presence. • The power of access points will be turned down to a minimum that still allows the access point to function. • Due to the possibility of cracking Wireless Encryption Protocol using sniffing software such as AirSnort all wireless access points will be outside the firewall. • Wi-Fi Protected Access (WPA) will be used where it is available. 2) Secure Access via VPN Access from remote users to the corporate network will be via secure IPSEC VPN or SSL VPN connections only. This is necessary to secure the connection from the remote device to the corporate network. 3) Prevention of Data Loss All laptops and PDA’s that are taken off site will have the following security configured, to prevent data loss in the event of theft. • The hardware password will be enabled if available. • All corporate data on the laptop or PDA will be encrypted using appropriate encryption software. • Sensitive documents will be accessed remotely and not downloaded to the laptop or PDA. 4) Remote Device Protection To prevent remote PC’s, laptops, PDA’s etc from compromising...
Words: 349 - Pages: 2
...Payable | F | N | F | F | N | N | T/BP | F | What were the incompatible functions in Jennifer’s access account, and why do you think such an incompatibility existed? In Jennifer’s access account there were two incompatible functions. She was assigned access to both the receiving and shipping departments. This would have allowed her to make entries into the systems that may not have been accurate. With Jennifer’s primary job as Sales, and secondary as an Accounts Payable clerk, her system access needs to be modified in accordance with her duties. By correcting her access to read only for the Receiving and Shipping departments, she can now see the activity and provide updates to customers that may inquiry her about a shipment, and still perform her duties in Sales and Accounts Payable. Based on the initial duties matrix, it appears that everyone had been granted access to every department. This incompatibility that began with entering the users into the system, is what can lead to incorrect and accidental entries into a specific departments system. What were the potential conflicts and incompatible functions in Lloyd’s access account authorizations? The potential conflicts and incompatible functions in Lloyd’s access was having access to all departments. As the purchasing agent, Lloyd would need to update Receiving and Accounts Payable as orders dictate. Lloyd having Read Only access to Shipping and Sales can allow him to keep ahead as orders are entered into the system. What...
Words: 364 - Pages: 2
...vulnerabilities from Lab #1 – (List at least 3 and No More than 5, High/Medium/Low Nessus Risk Factor Definitions for Vulnerabilities) a. Denial of Service Attack of organized e-mail server. Vulnerability: High b. Loss of Production data. Vulnerability: medium c. Unauthorized access to organization owned Workstation. Vulnerability: High d. Workstation browser has software vulnerability. Vulnerability: High e. User downloads as unknown e-mail attachment. Vulnerability: low 2. For the above identified threats and vulnerabilities, which of the following COBIT P09 Risk Management control objectives are affected? PO9.1 IT Risk Management Framework- A PO9.2 Establishment of Risk Content – B PO9.3 Event Identification- A & B PO9.4 Risk Assessment- C, D, & E PO9.5 Risk Response- None PO9.6 Maintenance and Monitoring of a Risk Action Plan- None 3. From the identified threats & vulnerabilities from Lab#1 – (List at Least 3 and No More than 5), specify whether the threat or vulnerability impacts confidentiality, integrity, availability: a. Denial of Service attack of organized e-mail server: Integrity, Availability b. Loss of Production Data: Confidentiality, availability c. Unauthorized access to organization owned Workstation: Integrity d. Workstation browser has software vulnerability: confidentiality, availability e. User downloads as unknown e-mail attachment: integrity 4. For each of the threats and vulnerabilities from Lab #1 (List at Least 3 and No More than...
Words: 305 - Pages: 2
...IS3230 Wk10 | | ICT Development Index (IDI) | | Javier Feliciano Fady Girgius Christopher Penney Michael McClinton | 11/26/2012 | | The ICT Development Index (IDI) The Information and Communication Technology (ICT) Development Index or IDI is a composite index combining 11 indicator into one benchmarks measure that serves to monitor and compare developments in ICT across many countries. Developed in the year 2008 by ITU was presented in the 2009 edition of Measuring the Information Society (ITU, 2009) and established in response to the request to develop a regularly published single index. The IDI is divided in to the following 3 components (indicators): 1. Access – this component defines readiness, and includes five infrastructure and access indicators (fixed-telephony, mobile telephony, international Internet bandwidth, households with computers, and households with Internet). 2. Use – this component captures ICT intensity and includes 3 ICT intensity and usage indicators (Internet users, fixed broadband, and mobile broadband). 3. Skills – this component the capability or skills as indispensable input indicators. It includes 3 proxy indicators ( adult literacy, gross secondary enrollment and gross tertiary enrolment). The Main Objectives of the IDI The main objective of the IDI is to measure: * The level and evolution over time of ICT developments in countries and relative to other countries. * Progress in ICT development...
Words: 413 - Pages: 2
...Course: IS3230 Lab 1 1. Discretionary Access Control Lists form the primary means by which authorization is determined. An ACL is conceptually a list of <account, access-rights> pairs. 2. Sometimes an entire group needs access or permissions, and by giving the group permission any new person will automatically be given the permissions needed, with no need to add each person individually. 3. Modify, Read & Execute, Read, Write, List contents. 4. Read only, sometimes users need to be able to get information from the network, but without them being able to modify anything. 5. Some password policies are, password length, character diversity, time required to change password. 6. The only time it’s a good idea is when an application needs to read stored passwords. Normally they are encrypted, so storing passwords using reversible encryption should be done on a per-user basis. 7. Local group policies govern smaller groups on the network such as a hand full of machines or users. A domain group policy affects every workstation or user on the domain. 8. Local GPO, GPO linked to sites, GPO linked to domains, and GPO linked to organizational units. 9. Administrative Templates are a large repository of registry-based changes (in fact, over 1300 individual settings) that can be found in any GPO on Windows 2000, Windows XP, and Windows Server 2003. The Administrative Templates are Unicode-formatted text files with the extension .ADM and are used to create the Administrative...
Words: 335 - Pages: 2
...1. What does DACL stand for and what does it mean. It stands for Discretionary Access Control List (special permissions). 2. Why would you add permissions to a group instead of the individual? What policy definition do you think is required to support this type of access control implementation? To make your life easier and to add permissions to groups because many users require same permissions. The GPO policy would be required in order to use this function. 3. List the 5 different access control permissions that can be enabled on user folders and data within a Microsoft windows server. The 5 permissions are : Read/Execute, Full control, Deny, Modify, and Write. Modify will add Write by default. 4. What is the lowest level of permission you can enable for a user who must view the contents of a folder and its files? Why is this type of permission necessary? Read, it is required to see the contents of the folder but does not allow any other capabilities. 5. What are other available password policy options that could be enforced within a Microsoft windows server to improve security? The available policies are: Password history, maximum password age, minimum password age, password complexity, and store password using encryption. 6. Is using the option to ‘Store Passwords using reversible encryption’ a good security practice? Why or why not? When should you enable the option to ‘Store Passwords using reversible encryption’? No, they store the password...
Words: 406 - Pages: 2
...points that the company should follow. Their main purpose was to make textbooks affordable and available for online access to all students and save them paying lots of money for hard copy books. After many professors and college teachers adopted this way of textbook access, it shows how successful their planning is and work on it to make it more convenient. 2. What competitive advantages does Flat World Knowledge possess? Flat World Knowledge possesses many competitive advantages. One of them is the ability to offer a huge variety of textbooks in an online version with unlimited access to all of the students. Doing so will exclude the factor of lack of supply of the textbook at the book store and eliminate waiting time to have the book. In addition, the fact that they are providing these textbooks at a reduced cost from the actual manufacture cost gave FWK a huge advantage against their competitors in the textbook market. 3. What are Flat World Knowledge’s key strengths, weaknesses, opportunities, and threats? Talking about FWK strengths is represented by its easy access, up-to-date revisions, personalized learning strategies and cheap access. With respect to its weakness, we should mention that FWK will no longer have free access to the books online due to the 30 million dollar investment. With respect to the opportunities, students find online access as more convenient and such a cheap alternative. Also it makes it better with the variety of versions...
Words: 680 - Pages: 3
...Services Security aDepartment of Computer Science and Mathematics, Lebanese American University, Beirut, Lebanon b Department of Computer Engineering, Khalifa University of Science, Technology & Research, Abu Dhabi, UAE CDepartment of Computer Science, Kuwait University, Kuwait b Azzam Mourada, Hadi Otrok , Hamdi YahyaouiC and Lama Baajoura Abstract-We introduce in this paper an abstract language on top of XACML (eXtensible Access Control Markup Language) for web services security. It is based on the automatic generation of XACML security policies from abstract XACML profile(s). Our proposed approach allows first to specify the XACML profiles, which are then translated using our intended compiler into XACML security policies. The main contributions of our approach are: (1) Describing dynamic security policies using an abstract and user friendly profile language on top of XACML, (2) generating automatically the the XACML policies and (3) separating the business and security concerns of composite web services, and hence developing them separately. Our solution address the problems related to the complexity and difficulty of specifying security policies in XACML and other standard languages. We tested the feasibility of our approach by developing the library system (LB) that is composed of several Web services and applying/realizing our approach to enforce security. Keywords. Web Services Security; XACML; Security Policies; RBAC. The Security Assertion...
Words: 2085 - Pages: 9
...SSCP Study Notes 1. Access Controls 2. Administration 3. Audit and Monitoring 4. Risk, Response, and Recovery 5. Cryptography 6. Data Communications 7. Malicious Code Modified version of original study guide by Vijayanand Banahatti (SSCP) Table of Content 1.0 ACCESS CONTROLS…………………………………………………………...... 03 2.0 ADMINISTRATION ……………………………………………………………... 07 3.0 AUDIT AND MONITORING…………………………………………………...... 13 4.0 RISK, RESPONSE, AND RECOVERY………………………………………....... 18 5.0 CRYPTOGRAPHY……………………………………………………………....... 21 6.0 DATA COMMUNICATIONS…………………………………………………...... 25 7.0 MALICIOUS CODE……………………………………………………………..... 31 REFERENCES………………………………………………………………………........ 33 1.0 ACCESS CONTROLS Access control objects: Any objects that need controlled access can be considered an access control object. Access control subjects: Any users, programs, and processes that request permission to objects are access control subjects. It is these access control subjects that must be identified, authenticated and authorized. Access control systems: Interface between access control objects and access control subjects. 1.1 Identification, Authentication, Authorization, Accounting 1.1.1 Identification and Authentication Techniques Identification works with authentication, and is defined as a process through which the identity of an object is ascertained. Identification takes place by using some form of authentication. Authentication Types Example Something you know...
Words: 17808 - Pages: 72
... Access Control Policy Student Name: Christopher Waller University of Phoenix IT/244 Intro to IT Security Instructor’s Name: Romel Llarena Date: May 13, 2012 Access Control Policy Due in Week Seven: Outline the Access Control Policy. Describe how access control methodologies work to secure information systems 1 Authentication Describe how and why authentication credentials are used to identify and control access to files, screens, and systems. Include a discussion of the principles of authentication such as passwords, multifactor authentication, biometrics, and single-sign-on. Authentication credentials really help control access to sensitive data or systems by making it literally to get unauthorized access to them. Passwords and usernames are a good way to start because if you use those rights then these are hard to bypass, but multifactor authentication is a more efficient way for secure access. Triple authentication requires something you have, something you know, and something you are such as a keycard, password and a fingerprint. 2 Access control strategy 1 Discretionary access control Describe how and why discretionary access control will be used. Include an explanation of how the principle of least privilege applies to assure confidentiality. Explain who the information owner is that has the responsibility for the information and has the discretion to dictate access to that information...
Words: 526 - Pages: 3
...regulatory requirements. In the past, access control was used as a means of protecting information against access by unauthorized users. Access control did not prove very effective and this has led to the adoption of encryption where information is transformed into some form that cannot be understood by unauthorized users. Decryption is the process by which the transformed text is retransformed into a form that can be understood. This paper will seek to analyze a database encryption solution that will protect critical data against internal and external threats and at the same time meet regulatory requirements. 2. Choosing the Point of Encryption Encryption can be done at different places within an enterprise. Encryption is used to minimize the number of people who access the encryption keys. Before encryption, implementation decisions needs to be made (Mattsson, (2005, p.2). The most important thing is choosing the point of implementation. This helps in determining the work that needs to be done so that integration is effective and also determining the security model. Data needs to be protected both when at rest and during movement between applications and the database. 2. 1. Database-Layer Encryption In this case, an enterprise is able to protect data as it is being written and read from a database. Database layer encryption is done at the column level within a database table. It can be coupled with access controls and database security so as to prevent theft of critical data...
Words: 1274 - Pages: 6
