CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [24]
Be wary of popular names or current trends that make certain passwords predictable. For example, during the first release of Star Wars, two of the most popular passwords used on college campuses were C3PO and R2D2. This created a security problem for campus computer centers.
Whenever identification succeeds but authentication cannot be completed, identity proofing is often called upon. As mentioned earlier in this chapter, the identification process starts when a user ID or logon name is typed into a sign-on screen. Authentication is accomplished by challenging the claim about who is accessing the resource.
Identity proofing is invoked when a person claims to be a given user but cannot be authenticated—such as when they have lost their password. Since they can’t provide the password, they are typically asked to provide another value—such as their mother’s maiden name—to prove their identity.
Real World Scenario
Multi-Factor Authentication and Security
The owner of your company is becoming increasingly concerned about computer security and the laxness of users. She reports that users are regularly leaving the office at the end of the day without signing out of their accounts. The company is attempting to win a contract that involves working with the government and that will require additional security measures. What would you suggest to the owner?
The best suggestion is to consider implementing a multi-factor authentication system. This system could consist of a smart card and a logon/password process. Most smart card readers can be configured to require that the card remain inserted in the reader while the user is logged on. If the smart card is removed, say at the end of the day, the workstation will automatically log the user out. By requiring a logon/password process, you can still provide security if the smart card is stolen.
This solution provides reasonable security, and it doesn’t significantly increase security costs. The government will probably require additional access control, such as perimeter alarms and physical access control to sensitive areas. However, these measures won’t force users to log out when they leave their workstations.
An inherent problem with many identity proofing implementations is that they ask questions whose answers someone other than the user could easily guess or learn (for example, what color are your eyes?). To make fraudulent proofing harder, you should use only questions that are difficult to guess, or implement biometrics such as voice identification. Under no circumstances should the person proofing be allowed access immediately—instead, their access information should be sent to their email account of record.
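The proofing flow described above, written as an added Python example (not code from the study guide): a correct answer to the secondary question never yields a session, it only sends a reset token to the email account of record, and the password change happens in a second, out-of-band step. The sample user, the three-attempt lockout and the 15-minute token lifetime are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Constructed demo data (not from the book): the proofing answer and the
# password are stored only as salted hashes, never in clear text.
SALT = b"constructed-demo-salt"
MAX_FAILURES = 3          # assumption: lock proofing after three wrong answers
TOKEN_TTL = 15 * 60       # assumption: reset token is valid for 15 minutes

def _hash_secret(value: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), SALT, 100_000)

USERS = {
    "jdoe": {
        "email_of_record": "jdoe@example.com",
        "answer_hash": _hash_secret("trondheim"),   # "city where you were born"
        "password_hash": _hash_secret("old-password"),
        "failures": 0,
    }
}
OUTBOX = []    # stands in for the mail system: (recipient, token) pairs
PENDING = {}   # token -> (user_id, expiry timestamp)

def start_identity_proofing(user_id: str, answer: str, now: float) -> str:
    """Check the proofing answer. A correct answer never yields a session;
    it only sends a single-use reset token to the email of record."""
    user = USERS.get(user_id)
    if user is None or user["failures"] >= MAX_FAILURES:
        return "denied"                       # unknown user or locked out
    # Answers are normalised (case, whitespace) and compared in constant time.
    if not hmac.compare_digest(_hash_secret(answer.strip().lower()), user["answer_hash"]):
        user["failures"] += 1
        return "denied"
    token = secrets.token_urlsafe(32)
    PENDING[token] = (user_id, now + TOKEN_TTL)
    OUTBOX.append((user["email_of_record"], token))
    return "token_sent"

def redeem_token(token: str, new_password: str, now: float) -> bool:
    """Second, out-of-band step: only the holder of the mailbox of record
    can turn the token into a password reset, once, before it expires."""
    entry = PENDING.pop(token, None)          # pop makes the token single-use
    if entry is None or now > entry[1]:
        return False
    user_id, _expiry = entry
    USERS[user_id]["password_hash"] = _hash_secret(new_password)
    USERS[user_id]["failures"] = 0
    return True
```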
Distinguishing between Security Topologies
The security topology of your network defines the network design and implementation from a security perspective. Unlike a network topology, here we’re concerned with access methods, security, and technologies used. Security topology covers four primary areas of concern:
■ Design goals
■ Security zones
■ Technologies
■ Business requirements
Setting Design Goals
When setting design goals for a security topology, you must deal with issues of confidentiality, integrity, availability, and accountability, all four of which are discussed continually throughout this book as they apply to various topics. Addressing these four issues as an initial part of your network design will help you ensure tighter security. You’ll often see confidentiality, integrity, and availability referred to as the CIA of network security, but the accountability component is equally important—design goals must identify who is responsible for the various aspects of computer security. The next few sections introduce these four security components.
Confidentiality