In the field of information technology there are two kinds of professionals: those who seek to make information more accessible through applications and services, and those who strive to protect that same information. Information security professionals protect information by first identifying the individuals who access the system and then controlling and cataloging that access. Additionally, they strive to prevent unwanted system access by mitigating security risks and defending the system against common attacks.
Authentication
Authentication is the act of verifying the identity of a computing entity. This might be a user, another computer, or an application running on the same computer. The form of authentication of most concern to an enterprise is determining which user is trying to access the system. Standard user authentication includes knowledge-based authenticators such as passwords, token-based authentication, which relies on devices such as key cards, and biometric authentication, which uses human-specific indicators such as thumbprints and retina scans. A well-secured system will implement at least two of the three types of authentication (Smith & Marchesini, 2008).
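To make the "at least two of three factors" rule concrete, here is an added example (my own illustration, not code from any of the cited texts) that checks a knowledge factor and a possession factor in a single login decision. The password is stored as a PBKDF2 hash and the token code follows the HOTP algorithm of RFC 4226; the `TwoFactorVerifier` class, its in-memory user store and the look-ahead window of three token codes are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

# Added example (not from the original post): a hypothetical two-factor login
# check combining a knowledge factor (password, stored as a PBKDF2 hash) with a
# possession factor (an event-based HOTP token code as specified in RFC 4226).


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Derive a password verifier with PBKDF2-HMAC-SHA256; only hash and salt are stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TwoFactorVerifier:
    """Hypothetical user store; both factors must pass before access is granted."""

    LOOK_AHEAD = 3  # token codes the user may have generated without submitting

    def __init__(self):
        self.users = {}

    def enroll(self, username: str, password: str, token_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "token_secret": token_secret,
            "counter": 0,  # next HOTP counter value expected from this token
        }

    def verify(self, username: str, password: str, code: str) -> bool:
        user = self.users.get(username)
        if user is None:
            # Do the same amount of work for unknown names so response time
            # does not reveal which accounts exist.
            hash_password(password, b"\x00" * 16)
            return False
        password_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["hash"])
        # Check the token within a small look-ahead window, using a constant-time
        # comparison for each candidate code.
        token_ok, next_counter = False, user["counter"]
        for step in range(user["counter"], user["counter"] + self.LOOK_AHEAD):
            expected = hotp(user["token_secret"], step).encode("ascii")
            if hmac.compare_digest(expected, code.encode("utf-8")):
                token_ok, next_counter = True, step + 1
                break
        # Both factors are evaluated before any decision, so a wrong password
        # does not short-circuit and a bad token does not skip the hash.
        if password_ok and token_ok:
            user["counter"] = next_counter  # the accepted code can never be replayed
            return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # the RFC 4226 test-vector secret
    v = TwoFactorVerifier()
    v.enroll("alice", "correct horse battery", secret)
    print("first login:", v.verify("alice", "correct horse battery", hotp(secret, 0)))
    print("replayed code:", v.verify("alice", "correct horse battery", hotp(secret, 0)))
```

The secret used in the usage block is the RFC 4226 test vector, so the first two codes it produces are 755224 and 287082; that lets you confirm the HOTP routine against the RFC before trusting it. Note that the counter only advances on a fully successful login, so a correct token paired with a wrong password neither grants access nor burns the code.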
Authorization
Simply determining the identity of the user is not enough. In order to grant the proper access to resources, the system must determine what the user is authorized to do. Authorization is the collection of permissions and restrictions that defines the user's interaction with the system (Santos, 2008). It is important to note that authorization includes not only a list of what is allowed, but also what is explicitly denied. Explicit denials ensure that other rules do not unintentionally grant a user access to a resource they were never meant to reach.
Accounting
Accounting is the collection of details regarding a user's usage of the system. It is common to track when a user connected to the system and for how long, in addition to the files or services the user accessed. Although this information may be used for billing, it is more commonly used in a security context to both audit and report on user activities within the system (Santos, 2008). Although security professionals strive to create rules that allow the proper level of access for all users, accounting ensures that mistakes are caught and fixed as quickly as possible.
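The deny-overrides rule from the Authorization section and the audit role of accounting described above can be shown together. The following is an added example, not code from any of the cited books: a small policy evaluator in which an explicit deny beats any matching allow and no matching rule means no access, followed by an audit that reads constructed accounting records (logins, logouts, file accesses), reports session lengths and resources touched, and lists any recorded access that the current policy would deny. The `Rule` and `Policy` classes, the log line format and the sample users, groups and paths are all made up for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch

# Added example (not from the original post): a hypothetical access-control
# policy with explicit denies, plus an audit over constructed accounting records.


@dataclass(frozen=True)
class Rule:
    effect: str    # "allow" or "deny"
    subject: str   # a user name or a group name
    action: str    # e.g. "read", "write"
    resource: str  # glob pattern over resource paths


class Policy:
    def __init__(self, rules, groups):
        self.rules = list(rules)
        self.groups = {user: set(g) for user, g in groups.items()}

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        """Deny-overrides evaluation: any matching explicit deny wins; otherwise
        some allow rule must match; with no matching rule the default is deny."""
        principals = {user} | self.groups.get(user, set())
        matches = [r for r in self.rules
                   if r.subject in principals and r.action == action
                   and fnmatch(resource, r.resource)]
        if any(r.effect == "deny" for r in matches):
            return False
        return any(r.effect == "allow" for r in matches)


# Constructed sample policy: finance staff may read finance files, but alice is
# explicitly kept out of payroll even though the group rule alone would allow it.
SAMPLE_POLICY = Policy(
    rules=[
        Rule("allow", "finance", "read", "/finance/*"),
        Rule("allow", "engineering", "read", "/src/*"),
        Rule("deny", "alice", "read", "/finance/payroll/*"),
    ],
    groups={"alice": {"finance"}, "bob": {"engineering"}},
)

# Constructed accounting records: timestamp, user, event, details.
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice LOGIN 10.0.0.5
2024-03-01T09:02:10 alice ACCESS read /finance/q1.xlsx
2024-03-01T09:10:42 alice ACCESS read /finance/payroll/salaries.csv
2024-03-01T09:45:00 alice LOGOUT
2024-03-01T11:00:00 bob LOGIN 10.0.0.9
2024-03-01T11:01:15 bob ACCESS read /src/main.c
2024-03-01T11:03:30 bob ACCESS read /finance/q1.xlsx
""".splitlines()


def parse_log(lines):
    events = []
    for line in lines:
        ts, user, kind, *detail = line.split()
        events.append((datetime.fromisoformat(ts), user, kind, detail))
    return events


def audit(events, policy):
    """Return (session durations in seconds per user, resources touched per user,
    recorded accesses the current policy denies). A recorded access that policy
    denies points at an enforcement point or rule that granted more than intended."""
    open_logins, sessions, resources, violations = {}, {}, {}, []
    for ts, user, kind, detail in events:
        if kind == "LOGIN":
            open_logins[user] = ts
        elif kind == "LOGOUT":
            start = open_logins.pop(user, None)
            if start is not None:
                sessions.setdefault(user, []).append(int((ts - start).total_seconds()))
        elif kind == "ACCESS":
            action, resource = detail
            resources.setdefault(user, set()).add(resource)
            if not policy.is_allowed(user, resource, action):
                violations.append((user, action, resource))
    # Sessions still open at the end of the log are reported with no duration.
    for user in open_logins:
        sessions.setdefault(user, []).append(None)
    return sessions, resources, violations


def run_audit():
    return audit(parse_log(SAMPLE_LOG), SAMPLE_POLICY)


if __name__ == "__main__":
    sessions, resources, violations = run_audit()
    print("sessions:", sessions)
    print("resources:", resources)
    print("accesses the policy denies:", violations)
```

Running it reports two accesses the policy does not permit: alice reaching a payroll file despite her explicit deny, and bob reading a finance file with no rule allowing it. In the constructed log those accesses happened anyway, which is exactly the kind of mistake the Accounting section says the audit trail exists to catch.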
Common Security Attacks
Common security attacks include malicious code, brute force password attacks, and denial of service (DoS). Malicious code is one of the most common attacks on the Internet currently. This attack takes the form of viruses, worms, and Trojan horses. Malicious code attempts to exploit known vulnerabilities in user systems and install functional code that can be used against the system or other networked computers. Once the malicious code has entered the system, it can begin doing the job it was programmed to do. This may include keystroke logging, file erasure, or becoming part of a bot network to perform other kinds of attacks (Whitman & Mattord, 2009).
Brute force password attacks are one kind of attack a network of bots may carry out. This kind of attack attempts to break into a system by connecting over and over again using different user credentials. These attacks are very rudimentary and can be easily foiled. That being said, the ongoing attempts of a brute force password attack can result in a denial of service situation for the system. In this attack, the services provided by the system are made unavailable to legitimate users while the system tries to cope with the attack. This could be the continued locking out of accounts caused by a brute force password attack, or the inability of domain name servers to respond because of a lack of system resources (Whitman & Mattord, 2009).
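As an added example (my own, not from the cited texts) of what "easily foiled" looks like without creating the account-lockout problem just described: a sliding-window detector over constructed authentication log lines that flags both the guessing source and the targeted account, and a throttle that slows repeated failures per source address instead of locking the account, so a legitimate user logging in from a different address is not denied service. The log format, the addresses (taken from the RFC 5737 documentation ranges), and the threshold and backoff values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not from the original post): brute-force detection over
# constructed authentication log lines, and a per-source throttle that slows
# the guessing source down without locking the targeted account.

LINE_RE = re.compile(r"^(\S+) (AUTH_OK|AUTH_FAIL) user=(\S+) src=(\S+)$")

# Constructed log: one source hammers "alice"; alice herself mistypes twice
# from another address and then succeeds.
SAMPLE_AUTH_LOG = """\
2024-03-01T10:00:01 AUTH_FAIL user=alice src=203.0.113.7
2024-03-01T10:00:02 AUTH_FAIL user=alice src=203.0.113.7
2024-03-01T10:00:03 AUTH_FAIL user=alice src=203.0.113.7
2024-03-01T10:00:04 AUTH_FAIL user=alice src=203.0.113.7
2024-03-01T10:00:05 AUTH_FAIL user=alice src=203.0.113.7
2024-03-01T10:00:06 AUTH_FAIL user=alice src=203.0.113.7
2024-03-01T10:00:30 AUTH_FAIL user=alice src=198.51.100.4
2024-03-01T10:00:45 AUTH_FAIL user=alice src=198.51.100.4
2024-03-01T10:01:00 AUTH_OK user=alice src=198.51.100.4
""".splitlines()


def parse_auth_log(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines that do not match the expected shape are skipped
            ts, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events


def detect_brute_force(events, window=timedelta(minutes=5), threshold=5):
    """Return (sources, accounts) with at least `threshold` failures inside a
    sliding `window`. Keying on both catches one host guessing many accounts
    as well as many hosts (a bot network) guessing one account."""
    per_src, per_user = defaultdict(deque), defaultdict(deque)
    flagged_src, flagged_user = set(), set()
    for ts, outcome, user, src in events:
        if outcome != "AUTH_FAIL":
            continue
        for key, table, flagged in ((src, per_src, flagged_src), (user, per_user, flagged_user)):
            recent = table[key]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged.add(key)
    return flagged_src, flagged_user


class SourceThrottle:
    """Exponential backoff keyed by source address. Locking an account after N
    failures lets anyone who knows a user name lock that user out; delaying the
    offending source instead makes guessing slow while the real owner, logging
    in from elsewhere, is unaffected."""

    def __init__(self, base_delay=1.0, max_delay=300.0):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.failures = defaultdict(int)

    def record(self, outcome, src):
        if outcome == "AUTH_OK":
            self.failures.pop(src, None)  # a real login clears the source's history
        else:
            self.failures[src] += 1

    def delay_for(self, src) -> float:
        """Seconds the next attempt from `src` must wait before it is processed."""
        n = self.failures.get(src, 0)
        return 0.0 if n == 0 else min(self.base_delay * 2 ** (n - 1), self.max_delay)


def run_throttle(events, throttle=None):
    throttle = throttle if throttle is not None else SourceThrottle()
    for _, outcome, _, src in events:
        throttle.record(outcome, src)
    return throttle


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    print("flagged sources, accounts:", detect_brute_force(events))
    t = run_throttle(events)
    for src in ("203.0.113.7", "198.51.100.4"):
        print(src, "next attempt delayed", t.delay_for(src), "s")
```

On the sample log the guessing source ends up waiting 32 seconds before its next attempt is even processed, while alice's own address has no delay at all after her successful login. Because a network of bots can spread attempts across many sources, the per-source throttle is paired with the per-account detector above: the account-level alert is what tells the security team to look closer, rather than an automatic lockout that would hand the attacker the denial of service.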
Countermeasures
The mitigation of security threats can only be accomplished through planning. This includes the development of enterprise, issue-specific, and system-specific security policies. Companies developing their own software should do so with security in mind, whether the software is intended for internal or external use: internal threats to security are just as dangerous as threats from the outside. Finally, training and education are necessary to keep users informed of possible security threats. Social engineering is one method attackers use to gain vital information regarding the systems they are trying to exploit. Training users to detect social engineering attempts can go a long way toward reducing the security risk of the system (Whitman & Mattord, 2009).
References
Santos, O. (2008). End-to-end network security: Defense in-depth. Indianapolis, IN: Cisco Press.
Smith, S. & Marchesini, J. (2008). The craft of system security. Upper Saddle River, NJ: Addison-Wesley.
Whitman, M. E. & Mattord, H. J. (2009). Principles of information security (3rd ed.). Boston: Thomson Course Technology.