
Need Help With Two Research Discussion Boards. You have to read the attached file to understand it. Please go over the attached file. It will explain to you what Authentication is for the first discussion board. You also have to read that file to understand what Access Control and Authorization are for the second discussion board. The attached file will help you understand the concept behind these discussion boards.

 1. First Discussion Board 

Authentication Discussion
Information Systems need strong security controls to ensure users and data are protected to meet the CIA Triad. The security requirements listed in FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems) include Identification and Authentication. System users, processes/applications, and devices must be identified and verified prior to their access to organizational resources.
Authentication is the verification of credentials to confirm that the user or other entity is valid. Verification of system users and of processes acting on behalf of users is essential, as is limiting the functions and actions a user is permitted to perform within the system. Research best practices and approaches to properly authenticate a user for access to a system resource. Select at least two specific techniques (e.g. password authentication, two-factor authentication, biometrics, ...) and describe each technique along with its strengths and limitations. Respond to other students' posts providing additional insights, feedback and/or examples as applicable.

2. Second Discussion board:

Access Control and Authorization Discussion

Describe access control mechanisms in place to protect files on an enterprise system. Specifically, drill down to permissions associated with read, write, modify, delete, or change ownership as applicable. Consider how roles and groups may enhance the administration and enforcement of access control policies. 

Engage with at least one other colleague by responding to their posts with additional information, feedback and examples as applicable.

Step 1: Explore Authentication

Begin by developing a thorough understanding of authentication and the role it plays in maintaining the security posture of an organization. Authentication schemes include both static and dynamic processes and use a variety of techniques, including password-based, token-based, biometric-based, and two-factor (2FA). It is also important to understand the roles that protocols, hashing, and authentication servers play in this layer of defense.

Authentication


To permit a user to access a resource, you need to be sure the user is who they claim to be. Confirming that claim is known as authentication.

There are three general means for authenticating a user’s identity:

· through something the user knows (e.g., password, PIN,  answers to questions)

· through something the user has, known as a token (e.g., smart card, ATM card)

· through biometrics inherent to the user (physiological or behavioral traits, e.g., fingerprints, retina, iris, face, typing rhythm)

Password-Based Authentication

Password-based authentication is the most common technique because it is the cheapest to implement: it requires no extra hardware. It is, however, susceptible to a variety of attacks.

The National Institute of Standards and Technology (NIST) publishes guidance on passwords in Special Publication 800-63B (Digital Identity Guidelines). The guidance is updated to stay current and includes the following recommendations (NIST, 2017):

· Compare passwords to dictionaries and commonly used passwords.

Screening user passwords against lists of commonly used or compromised passwords blocks exactly the choices that dictionary attacks try first.

· Eliminate or reduce complexity rules for passwords.

The standard no longer emphasizes complexity via passwords containing mixtures of uppercase letters, symbols, and numbers; such rules push users toward predictable patterns.

· Allow all printable characters, including spaces.

· Don't base password expiration on the time the password has been in use.

This is the biggest change from earlier guidelines and is based on studies showing that forced periodic changes at the enterprise level are counterproductive: users respond with minor, predictable variations. Passwords should instead be changed when there is evidence of compromise.

· Allow passwords of at least 64 characters.

This change supports the use of passphrases.

· Enable copy and paste functionality in password fields.

This change allows the use of password managers.
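The following Python is an added example, not code from the page or from NIST, showing how a login system can apply the rules above when a user picks a password and how it then stores the password as a salted, slow hash so a stolen credential database does not immediately yield the plaintexts (the "hashing" role mentioned in Step 1). The blocklist is a constructed stand-in for a real breach corpus, and the PBKDF2 iteration count is an assumption chosen to match current OWASP advice.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed stand-in for a breached/common-password list (assumption: a real
# deployment screens against a large corpus, e.g. a breach dump).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1",
    "correct horse battery staple",
}

MIN_LENGTH = 8    # NIST SP 800-63B minimum for a memorized secret
MAX_LENGTH = 64   # NIST SP 800-63B: accept at least 64 characters
PBKDF2_ROUNDS = 600_000   # assumption: OWASP-recommended order of magnitude for PBKDF2-HMAC-SHA256


def _normalize(password):
    # SP 800-63B asks for Unicode normalization before length checks and comparison,
    # so that the same passphrase typed on two keyboards yields the same bytes.
    return unicodedata.normalize("NFKC", password)


def check_password(candidate):
    """Return the list of policy violations; an empty list means the password is acceptable.
    Deliberately contains no composition rule (no 'must include a digit')."""
    pw = _normalize(candidate)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if any(not ch.isprintable() for ch in pw):   # spaces are printable and therefore allowed
        problems.append("contains non-printable characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("found in commonly used / breached password list")
    return problems


def hash_password(password, salt=b""):
    """Store the password as  algorithm$rounds$salt$digest  with a random 16-byte salt.
    The slow KDF is what makes an offline brute-force attack expensive."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(password).encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and rounds; compare in constant time."""
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(password).encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for pw in ["abc", "correct horse battery staple", "my dog ate my home work 2024"]:
        print(repr(pw), "->", check_password(pw) or "OK")
    record = hash_password("my dog ate my home work 2024")
    print(record)
    print(verify_password("my dog ate my home work 2024", record),
          verify_password("My dog ate my home work 2024", record))
```

The rejection of "correct horse battery staple" shows why the blocklist matters: a long, memorable passphrase is still a bad choice once it has become famous, and no length or composition rule would catch it.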

Weaknesses

There are many reasons why many passwords are weak. Most users have multiple passwords they must keep track of, and inertia naturally can lead to weak passwords. Some users aren’t even aware that someone might be able to guess a password. In addition, consider the unintended sharing of passwords (e.g., passwords on sticky notes) or one-time sharing that can lead to vulnerabilities. Some organizations lack policies, procedures, and enforcement tools regarding passwords. Also, many users are not even aware of a company’s password policies and why they matter. 

Below are some common methods of attack against passwords.

Attacks Against Passwords

· Brute-force: a program or script (readily available online) tries every possible combination, either against the login interface, where rate limiting and lockout slow it down, or, far faster, offline against a stolen password hash.

· Dictionary: instead of the full key space, the attacker tries words, names, keyboard patterns and previously leaked passwords together with common substitutions ("p@ssw0rd"); this is why NIST calls for screening new passwords against such lists.

· Password guessing: the attacker uses knowledge about the target (pet names, birthdays, the company name, a password reused from another site) or vendor default credentials to succeed in a handful of attempts.

· Keylogger: malware or a small hardware device records keystrokes and captures the password as it is typed, regardless of how strong the password is.

Password Managers and Recovery

Businesses and enterprises use password managers to maintain large numbers of accounts and passwords. A password manager is a software application that stores user passwords in encrypted form and manages them. The vault of log-ins and passwords is secured and accessible only via a master password. Password managers make it practical to use a strong, unique password for every account, and because the vault is stored encrypted it can be synchronized through cloud storage, which adds portability for mobile devices and remote workers.

Vulnerabilities in Password Management Features

· Auto Fill Features

· Password Resetting

Many applications allow a username and password to be saved so the user can simply click once and log in. This is especially dangerous in unsecured settings: anyone who reaches the unlocked device, or a malicious page that tricks the manager into filling a hidden form, obtains the credential. Unless the computer is protected from a physical security breach, consider turning off or restricting the auto-fill function.

Password reset and recovery flows are a common way around an otherwise strong password. Knowledge-based questions (a mother's maiden name, a first school) are often guessable or discoverable from public records and social media, and a reset link or code is only as strong as the e-mail account or phone number it is sent to, so recovery channels need the same protection as the primary login.

There are many options for password managers, which vary based on how they encrypt data, how data is stored, and other features. Additional features may include auto-fill forms and password generators.  Common types of password managers include web-based, cloud-based, portable, and desktop. The choice of the ideal password manager needs to account for enterprise needs for efficiency and security. 

Password recovery is another important tool: it offers quick mitigation of the common problem of lost or forgotten passwords without requiring an administrator to lock and unlock accounts or reset passwords by hand.

Policies and Training

Password policies and procedures, when communicated and enforced, can reduce risks and increase web and system security. Strong, consistently implemented password policies and procedures are not just a good idea to prevent security breaches—they are the minimum standard for security that an organization should implement and continually maintain.

Organizations should provide extensive employee training about password protection, security hazards, and potential company exposure, as well as the penalties for employees who violate company policies and procedures. The policy and procedures must apply equally to web developers, server administrators, and others who hold highly privileged credentials and may become complacent about protecting them. These precautions alone might not stop cyber attackers from storming the gates, but they should reduce the chances of them breaking through.

Token-Based Authentication

Smart cards are tokens with a processor and protected key storage built in. They are used in highly sensitive environments such as Department of Defense (DoD) and DoD contractor sites. Because the card can perform cryptographic operations itself (for example, signing a challenge with a private key that never leaves the card), authentication does not depend on sending a reusable secret over the network, which avoids many of the drawbacks of remote authentication such as vulnerability to eavesdropping and replay attacks. Tokens can, however, be lost or stolen, denying access when the user needs it, and they require additional equipment such as card readers, which increases cost.

Biometrics-Based Authentication

Biometrics include fingerprints, retinal or iris scans, facial recognition, and voice patterns. All biometric authentication hinges on an accurate measurement of some distinct, individual trait of the user that can be stored in a tamperproof but accessible system (in practice a template derived from the measurement rather than the raw image). Like tokens, biometrics offer higher security strength than passwords, but the cost of the technology and its incompatibility with most legacy applications place a financial burden on companies.

Biometrics-based authentication is broken into two types: static and dynamic biometrics verification. Voice patterns, typing rhythm, and breathing are examples of dynamic biometrics, while fingerprint, retina, face, and iris biometrics are static. Of all the biometric technologies, fingerprints are the most popular, especially in law enforcement and criminal justice. Fingerprint verification is available for personal verification on mobile devices as well (e.g., laptops, peripherals, flash drives).

So why aren’t these methods in more common use? Besides the costs, some people are averse to allowing the taking of biometric patterns, and no biometrics can be used with 100 percent of the population. Fingerprints are subject to false results due to injuries, burns, dry skin and thinning of fingerprints as people age. Voice authentication assumes a person will not be ill or have issues affecting the voice, and for people who cannot speak, it is not an option. Eye scans require an extremely close view and can easily be thrown off by eyewear (glasses or contacts) or medication and even fooled by photographs. Similarly, facial recognition struggles with faces presented at different angles, with different expressions, or changes related to age and weight.

Another challenge for biometric authentication is the rate of false positives and false negatives a biometric technology generates. Both are recognition errors made when comparing the stored template with the person presenting at the device. A false positive, or false match, occurs when the device decides that the stored sample and the presented sample come from the same person when they do not; this admits an impostor. A false negative, or false nonmatch, occurs when the device decides the two samples come from different people when they are in fact the same person; this locks out a legitimate user. The two rates trade off against each other through the matching threshold: tightening it lowers false matches but raises false nonmatches, and vendors report the crossover point where the two rates are equal as a single figure of merit.

Multifactor Authentication

There are several ways that authentication techniques can be combined for additional security. Authentication that requires two or more of the factors above (something you know, something you have, something you are) is called multifactor. For example, two-factor authentication might combine a token with a password. A simple version is a code sent to the user's cell phone when the user logs in with a password: both the password and the code must be entered for authentication to succeed, and the phone is the token employed. Note that NIST SP 800-63B treats codes delivered by SMS or voice call as a restricted authenticator, because a phone number can be taken over through SIM swapping or intercepted in the telephone network; an authenticator app that generates one-time codes from a seed stored on the device, or a hardware key, is the stronger choice.

Kerberos is a client-server authentication protocol that lets a user and a service verify each other's identity over a nonsecure network by way of a trusted third party, the Key Distribution Center (KDC). The client never sends its password: a symmetric key derived from the password is used to decrypt the KDC's reply, which carries a session key for the client and server to share. On the KDC, the Authentication Service issues a Ticket-Granting Ticket (TGT); the client then presents the TGT to the Ticket Granting Service (TGS) to obtain a service ticket for each server it needs to reach. Because tickets are encrypted and time-limited and each request carries a timestamped authenticator, Kerberos has proven resistant to eavesdropping and replay attacks.

The Challenge-Handshake Authentication Protocol (CHAP, RFC 1994) is an identity verification protocol that is also based on a shared secret, but the secret itself is never sent over the link. The identity-verifying party (the authenticator) sends a random challenge message to the access-requesting party (the peer), who responds with a one-way hash computed over the challenge, the shared secret, and a message identifier. The authenticator, which holds the same secret, computes the same hash and compares the two, giving a pass/fail check, and may repeat the challenge at any time during the connection. Because each challenge is fresh, a captured response cannot be replayed.
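The exchange just described, written out as an added Python example (not code from the page or from any CHAP implementation) with both sides in one process. The response follows RFC 1994's MD5 construction, MD5(identifier || secret || challenge); the `Authenticator` class, its method names and the sample secret are assumptions made for the demo.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Peer side (RFC 1994, CHAP with MD5): one-way hash over the one-octet identifier,
    the shared secret and the challenge. Only this digest goes on the wire."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: holds the shared secrets, issues random challenges, checks responses."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)   # name -> shared secret (constructed demo data)
        self._pending = {}              # name -> (identifier, challenge) awaiting a response
        self._next_id = 0

    def challenge(self, name):
        """Issue a fresh 16-byte random challenge with a sequence identifier."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256
        chal = os.urandom(16)
        self._pending[name] = (ident, chal)
        return ident, chal

    def verify(self, name, identifier, response):
        """Pass/fail check. The pending challenge is consumed whether or not the response
        is right, so a second submission (a replay) of the same response fails."""
        pending = self._pending.pop(name, None)
        if pending is None or pending[0] != identifier or name not in self._secrets:
            return False
        expected = chap_response(identifier, self._secrets[name], pending[1])
        return hmac.compare_digest(expected, response)


def run_exchange(auth, name, secret_held_by_peer):
    """One complete CHAP round trip: challenge -> response -> verdict."""
    ident, chal = auth.challenge(name)
    resp = chap_response(ident, secret_held_by_peer, chal)
    return auth.verify(name, ident, resp)


if __name__ == "__main__":
    auth = Authenticator({"alice": b"s3cret-shared-with-alice"})
    print("right secret:", run_exchange(auth, "alice", b"s3cret-shared-with-alice"))
    print("wrong secret:", run_exchange(auth, "alice", b"guess"))
```

The protocol's limit is also visible here: an eavesdropper who records the challenge and response can test candidate secrets offline with the same `chap_response` function, so CHAP is only as strong as the secret, and the MD5 variant is kept today mostly for compatibility with older PPP and dial-in equipment.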

Step 2: Authentication Discussion

 

· Information Systems need strong security controls to ensure users and data are protected to meet the CIA Triad. The security requirements listed in FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems) include Identification and Authentication. System users, processes/applications, and devices must be identified and verified prior to their access to organizational resources.

· Authentication is the verification of credentials to confirm that the user or other entity is valid. Verification of system users and of processes acting on behalf of users is essential, as is limiting the functions and actions a user is permitted to perform within the system. Research best practices and approaches to properly authenticate a user for access to a system resource. Select at least two specific techniques (e.g. password authentication, two-factor authentication, biometrics, ...) and describe each technique along with its strengths and limitations. Respond to other students' posts providing additional insights, feedback and/or examples as applicable.

1. (Discussion Board here)

Step 3: Explore Access Control and Authorization

Next, it is important to gain a deeper understanding of access control systems and authorization. Authorization is granted by access control mechanisms, which allow or prevent users and entities from accessing organizational resources. Access control mechanisms can either deny or allow access to a resource in a specific way. If you are allowed to access the resource, you are authorized; for that reason the terms authorization and access control are often used interchangeably.

Access Control

Access control is the process by which permissions are granted for given resources, which is an underpinning of computer security.

The principal objectives of computer security are to enable legitimate users to access resources only in a legitimate manner and to prevent unauthorized users from gaining access to resources. Because different types of users need different levels of access to different kinds of resources, a strong and carefully developed access control system is critical to an organization’s security.

For example, an organization must consider what type of access employees, contractors, vendors, third-party stakeholders, and partners each need to different systems in its enterprise. Since the corporate and governmental environment is constantly changing, an organization must also be able to respond to new regulations, new resources, new technologies, and new partners.

Authorization decisions in access control are based on the identity of a subject, so ensuring that identity is essential before a subject can access an object or system. The authentication process verifies an identity; thus, access control depends on authentication.

An organization’s access control system should be structured on the following access control principles:

· The principle of least privilege states that the default should give users no access, and levels of access should be specifically given to user groups as needed. (If the user or group has not been granted access to a resource, that person or group will not be allowed access to that resource).

· The need to know principle states that users should only be given access to the resources they need to perform their job functions.

· Using the separation of duties principle, users are not allowed full access in multiple areas that might jeopardize data or the system (e.g., the person authorizing financial payments is not the same person who audits the company books).

Access Control Categories

There are four access control categories: discretionary access control (DAC), mandatory access control (MAC), role-based access control (RBAC), and attribute-based access control (ABAC).

DACs are controls managed by the owner of a resource or object. The owner determines who has what type of access. DACs represent an early form of access control and are employed in many common operating systems including Linux/UNIX, Solaris, Windows, and macOS. NIST provides guidelines on implementing DAC for trusted systems, including techniques and mechanisms, user groups and roles, access control by user, and integrity modeling (NIST, 1987).

MACs are those controls determined by the system itself, based on organizational or enterprise-wide policy. As opposed to the use of owner discretion in DACs, MACs require the system to manage access control in accordance with the policy of the organization.

According to NIST, MAC is “a means of restricting access to objects based on the sensitivity (as represented by a security label) of the information contained in the objects and the formal authorization (i.e., clearance, formal access approvals, and need-to-know) of subjects to access information of such sensitivity” (NIST Joint Task Force Transformation Initiative, 2015).

MACs are used in enterprises that steward very sensitive data, such as the Department of Defense. In MACs, objects are assigned classification within a hierarchy from least to most limited in access, such as (1) unclassified, (2) secret, and (3) top secret. Subjects are then cleared to view documents at a particular level of security or below. For example, a file classified as top-secret can be viewed by a user cleared at the top-secret level or above, but not by a user cleared at the secret level. A user cleared at top-secret level can also view a document cleared at the secret level, assuming that the user’s need to know principle is fulfilled.
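The clearance rules in the paragraph above, as an added Python example that is not from the page or from any real MAC implementation. It encodes the page's three-level hierarchy plus need-to-know compartments as a lattice and applies the two Bell-LaPadula rules: no read up (a subject may read only objects its clearance dominates) and no write down (a subject may write only to objects at or above its own level, so a top-secret process cannot copy data into a secret file). The level names, compartment names and function names are assumptions for the demo.

```python
# Hierarchy used in the text, least to most restricted.
LEVELS = {"unclassified": 0, "secret": 1, "top secret": 2}


class Label:
    """A security label: hierarchical level plus a set of need-to-know compartments."""

    def __init__(self, level, compartments=()):
        self.level = LEVELS[level]
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        """Lattice order: at least as high a level AND a superset of the compartments.
        A top-secret clearance without the 'project-x' compartment does not dominate
        a top-secret 'project-x' document, which is how need-to-know is enforced."""
        return self.level >= other.level and self.compartments >= other.compartments

    def __repr__(self):
        name = next(n for n, v in LEVELS.items() if v == self.level)
        return f"Label({name!r}, {sorted(self.compartments)})"


def can_read(clearance, label):
    """Simple security property ('no read up')."""
    return clearance.dominates(label)


def can_write(clearance, label):
    """*-property ('no write down'): the object must be at or above the subject's level."""
    return label.dominates(clearance)


def mac_decision(clearance, label, op):
    """Single entry point the reference monitor would call; unknown ops raise."""
    return {"read": can_read, "write": can_write}[op](clearance, label)


if __name__ == "__main__":
    analyst = Label("top secret", {"project-x"})       # constructed subject
    secret_memo = Label("secret")                      # constructed object
    ts_plan = Label("top secret", {"project-x"})
    for subj, obj in [(analyst, secret_memo), (Label("secret"), ts_plan), (analyst, ts_plan)]:
        print(subj, "->", obj, "read:", can_read(subj, obj), "write:", can_write(subj, obj))
```

The write rule is the one newcomers find surprising: a secret-cleared user may append to a top-secret log they are not allowed to read, because doing so cannot leak anything downward. Real systems add a discretionary check on top of this so that MAC allowing an access is necessary but not sufficient.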

RBACs base the access control on the roles a subject is assigned within an organization. RBAC models are versatile and becoming more popular; NIST has led an effort to standardize the model (NIST, 2018). For example, an individual can be both a system administrator and an application developer, in which case this person would have both roles and the permissions to perform both the roles. When a role is taken away, it is important to remove all the privileges a person has based on that role. 

Recently, in connection with internet services, a new model of access control called attribute-based access control (ABAC) is becoming popular. This model bases access control decisions on policies around attributes. ABAC allows access to be based on three different attribute types: user attributes, attributes associated with the application or system to be accessed, and current environmental conditions (Hu et al., 2019). 

Access Control Lists and Capability Lists

There are two general techniques to implement access control decisions: 

· An access control list for a given resource lists which subjects (individuals or groups) can access the resource (object) in what way.

· A capability list for a given subject lists what objects the subject can access in what way.

Both these lists can represent the same information. However, there are advantages and disadvantages to both these methods. The access control model used is determined based on the needs of the organization. A risk assessment should be performed to determine any applicable threats. Then, organizational leadership can use the resulting information to assess which model can best protect against the threats identified. As part of the risk assessment, access control systems should be verified and tested to identify software issues, misconfigurations, and faulty policies. NIST provides guidelines on the verification and testing processes. 
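The RBAC model described above and the two list representations are shown together in this added Python example (not code from the page or from the NIST RBAC standard). Permissions are attached to roles and roles to users, exactly as in the text; the same permission data is then projected as an access control list for one object and as a capability list for one subject, and revoking a role drops every privilege it carried. Role names, paths and user names are constructed sample data.

```python
class Rbac:
    """Minimal RBAC engine. users -> roles -> (object, right) permissions."""

    def __init__(self):
        self.role_perms = {}   # role -> {(object, right), ...}
        self.user_roles = {}   # user -> {role, ...}

    def grant(self, role, obj, right):
        self.role_perms.setdefault(role, set()).add((obj, right))

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        """Removing the role removes every privilege that came with it in one step;
        nothing per-object has to be cleaned up."""
        self.user_roles.get(user, set()).discard(role)

    def check(self, user, obj, right):
        """The access decision: does any of the user's roles carry this permission?"""
        return any((obj, right) in self.role_perms.get(role, ())
                   for role in self.user_roles.get(user, ()))

    def capability_list(self, user):
        """Subject-centred view: everything this user may do (cheap to answer
        'what can Bob reach?', expensive to answer 'who can reach this file?')."""
        return set().union(*(self.role_perms.get(r, set())
                             for r in self.user_roles.get(user, ())))

    def access_control_list(self, obj):
        """Object-centred view: who may do what to this one object, as stored
        beside the object in a filesystem ACL."""
        return {(user, right)
                for user, roles in self.user_roles.items()
                for role in roles
                for (o, right) in self.role_perms.get(role, ())
                if o == obj}


def build_sample():
    """Constructed sample policy: three roles, three users (not real data)."""
    r = Rbac()
    r.grant("sysadmin", "/etc/shadow", "read")
    r.grant("sysadmin", "/etc/shadow", "write")
    r.grant("developer", "/srv/app/src", "read")
    r.grant("developer", "/srv/app/src", "write")
    r.grant("auditor", "/srv/app/src", "read")
    r.assign("bob", "sysadmin")
    r.assign("bob", "developer")       # one person, two roles, as in the text
    r.assign("carol", "developer")
    r.assign("dave", "auditor")
    return r


if __name__ == "__main__":
    policy = build_sample()
    print("ACL for /srv/app/src:", sorted(policy.access_control_list("/srv/app/src")))
    print("capabilities of bob:", sorted(policy.capability_list("bob")))
    policy.revoke_role("bob", "sysadmin")
    print("bob can still write /etc/shadow?", policy.check("bob", "/etc/shadow", "write"))
```

Because both views are derived from the same role data, an audit can answer either question ("who can write the source tree?" or "what can this departing employee reach?") without the two ever drifting apart, which is the administrative gain roles and groups offer over per-user grants.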

AAA Framework

Authentication and access control are often discussed and enforced using the AAA framework: authentication, authorization, and accounting (often called auditing). The AAA framework is a methodology for controlling access to organizational resources, enforcing policies, and auditing usage.

Once a user's credentials are submitted, an AAA server (for example a RADIUS or TACACS+ server) verifies them against its user database and then consults the authorization policy to allow or prevent access to network resources. Network administrators use an AAA server to determine who and what can connect to the network (authentication) and what users and entities can do within the network (authorization for specific access rights such as create, delete, and modify permissions).

Auditing, also often known as accounting, consists of a broad set of activities. Auditing allows systems administrators to monitor users’ interactions with network resources through logs. Logs are typically configured to track session and usage data and to flag anomalous behavior. They are also frequently used to support business processes including capacity planning, trend analysis, and budget allocation. Auditing supports an organization’s technical, managerial, and operational needs by providing data that is used to gauge the overall organizational health and to support compliance with internal and external policies and regulations.

Authorization

Authorization is the process by which access rights are defined and managed. Authorization is used by security professionals and network administrators to control user and client privileges and to limit who has access to system resources (e.g., applications, data, files, services).

Authorization occurs after authentication; this means that the user’s identity has already been verified at the time of authorization. Once the user is verified, the authorization mechanism verifies that user’s access rules and either grants or refuses resource access. Access control policies contain authorization rules, which are set by network administrators based on the user’s role in the organization. These policies determine who has access to perform given functions and how permissions apply for any special-access requirements (e.g., security clearances). 

The AAA Process

Operating systems depend on authorization processes to manage applications. For example, Microsoft Windows operating systems use Active Directory (AD) for their security policy integration. Windows also provides authentication and authorization services for internet-based applications (.NET) through the ASP.NET server-side web application framework, which produces dynamic web pages. Operating systems also use access control authorization to control access to file systems. Windows uses the New Technology File System (NTFS), which stores a discretionary access control list (ACL) on every file and folder: a list of access control entries that grant or deny rights such as read, write, modify, delete, and take ownership to individual users and groups.

Another example of authorization processes’ importance is in firewalls. Since firewalls are designed to apply different security levels to separate components of a network, they can use an authorization policy that allows traffic through based on the ACL. The ACL’s rules are composed of a condition clause, formed by a series of predicates over some packet header fields, and an action clause, which determines the action to be enforced (i.e., allowing or denying the traffic). 

Authorization and Risk Management

NIST defines authorization as “the official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls” (NIST, 2010, p. B-1).

Authorization is done in the fifth Risk Management Framework (RMF) step, after information system categorization, controls selection, controls implementation, and assessment. It is accomplished by finalizing the assessment report and the system security plan and completing the plan of action and milestones (POA&M). The package then goes to the authorizing official (AO) for approval, which includes the AO accepting the residual risk. The result of an authorization is an authorization to operate (ATO).

Authorization is an RMF concept. Many federal agencies have used RMF since its inception in 2010. For ATO in Department of Defense (DoD) agencies, until directed to use RMF in 2014, Certification and Accreditation (C&A) indicated acceptance of risk under the DoD Information Assurance Certification and Accreditation Process (DIACAP) (DoD, 2007). There is significant difference in the two processes, particularly in the sixth RMF step: continuous monitoring (CM). CM provides AOs with increasing confidence in their authorizations by continuously reassessing and accepting risk that is ideally decreasing. Conversely, if the risks increase, the information system (IS) may lose its ATO.

Risk assessments during CM are based on security impact analyses to “determine the extent to which proposed or actual changes to the information system or its environment of operation can affect or have affected the security state of the system” (NIST, 2010, p. 38). In this way, the AO implements the RMF concept of ongoing authorization.

We can also look at authorization as a grant to a subject (i.e., user) of access to services and other objects in an information system. Authorization is part of the design of system architecture to meet access requirements and is thereby inherent in a system's information management model (IMM) (NSA, 2002). Authorization is implemented through ACLs, in which subjects are authorized to exercise rights over objects (e.g., read, write, execute, list, delete, change).
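As a concrete illustration of the file rights listed above (read, write, delete, change ownership) and of how groups enter the decision, here is an added Python model of the classic UNIX permission check; it is not code from the page or from any kernel, and the users, groups and paths are constructed sample data. It makes three points that a discussion of file permissions usually misses: only the one permission triple matching the caller is consulted, deleting a file is governed by the parent directory's bits (plus the sticky bit) rather than by the file's own, and changing ownership is reserved to root.

```python
import stat
from collections import namedtuple

# Constructed stand-ins for the kernel's view of a process's credentials and of an inode.
User = namedtuple("User", "name uid gids")        # gids: primary plus supplementary groups
Inode = namedtuple("Inode", "path uid gid mode")   # mode: permission bits, may include S_ISVTX

ROOT_UID = 0


def permitted(user, inode, want):
    """Mode-bit check for want in {'r', 'w', 'x'}. The owner triple is used if the caller
    owns the file, else the group triple if any of the caller's groups matches, else 'other';
    a more permissive 'other' triple does not rescue an owner whose own bits deny access."""
    if user.uid == ROOT_UID:
        return True   # simplification: root overrides mode bits (Linux CAP_DAC_OVERRIDE)
    if inode.uid == user.uid:
        shift = 6
    elif inode.gid in user.gids:
        shift = 3
    else:
        shift = 0
    bit = {"r": 4, "w": 2, "x": 1}[want]
    return (inode.mode >> shift) & bit != 0


def can_delete(user, target, parent):
    """Unlinking needs write and search (x) on the *parent directory*, not write on the file.
    With the sticky bit on the directory (as on /tmp), only the file's owner, the directory's
    owner, or root may unlink, so users sharing a directory cannot remove each other's files."""
    if user.uid == ROOT_UID:
        return True
    if not (permitted(user, parent, "w") and permitted(user, parent, "x")):
        return False
    if parent.mode & stat.S_ISVTX:
        return user.uid in (target.uid, parent.uid)
    return True


def can_chown(user):
    """Changing the owner is reserved to root (Linux CAP_CHOWN): an owner cannot give a
    file away, which would otherwise allow quota evasion and setuid tricks."""
    return user.uid == ROOT_UID


def can_chgrp(user, inode, new_gid):
    """The owner may move a file to a group they belong to; root may use any group."""
    return user.uid == ROOT_UID or (inode.uid == user.uid and new_gid in user.gids)


if __name__ == "__main__":
    DEV = 2000
    alice = User("alice", 1000, {1000, DEV})
    bob = User("bob", 1001, {1001, DEV})
    eve = User("eve", 1002, {1002})
    cfg = Inode("/srv/app/config.yml", alice.uid, DEV, 0o640)       # rw-r-----
    app = Inode("/srv/app", alice.uid, DEV, 0o1775)                 # rwxrwxr-x + sticky
    for u in (alice, bob, eve):
        print(u.name, "read cfg:", permitted(u, cfg, "r"), "write cfg:", permitted(u, cfg, "w"),
              "delete cfg:", can_delete(u, cfg, app), "chown:", can_chown(u))
```

Putting developers in the `dev` group and granting the group bits on the directory is the role/group administration the Step 4 prompt asks about: adding a new developer becomes a group-membership change rather than a permission change on every file, and the sticky bit keeps that shared access from turning into the power to delete colleagues' work.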

Step 4: Access Control and Authorization

Describe access control mechanisms in place to protect files on an enterprise system. Specifically, drill down to permissions associated with read, write, modify, delete, or change ownership as applicable. Consider how roles and groups may enhance the administration and enforcement of access control policies. 

Engage with at least one other colleague by responding to their posts with additional information, feedback and examples as applicable.

2. ( Discussion Board here )
