SEU_CYS566_M05

Module 5: System Development and Access

Learning Outcomes

  • Define the System Development Life Cycle (SDLC)

  • Describe security measures for SDLC

  • Examine system development management concepts and functions

  • Explain user authentication and identity validation

  • Differentiate between password-based and token-based user authentication

  • Summarize key security issues for user authentication


Chapter 10: System Access

System Access Concepts

  • Definition: The capability to restrict access to applications, devices, systems, and networks to authorized users for specific business purposes.

  • Functions of System Access:

    • Authentication: Validating the identity of users or devices, essential for accessing resources.

    • Authorization: Granting access rights for users to specific resources based on roles.

    • Access Control: Granting or denying requests to use information or services.

Authorization

  • Role of Security Administrator: Maintains the authorization database based on organizational security policy.

  • Process:

    • Associate access rights with users.

    • Maintain records of access rights.

    • Obtain authorization from system owners.

    • Apply the principle of least privilege (minimal necessary access).

    • Specify resources based on security levels.

    • Define expiration of privileges and prevent reuse of identifiers.


User Authentication

  • Complexity: User authentication is often complex and involves various methods.

  • Authentication Factors (Types):

    • Knowledge Factor: Something the user knows (e.g., passwords, PINs).

    • Possession Factor: Something the user has (e.g., smart cards, OTP devices).

    • Inherence Factor: Something unique to the user (e.g., fingerprints, voice patterns).


Means of Authentication

  1. Knowledge Factors:

    • Examples: Passwords, PINs.

    • Pros: Easy to implement.

    • Cons: Can be guessed or forgotten.

  2. Possession Factors:

    • Examples: Smart cards, electronic keys.

    • Pros: Difficult to share.

    • Cons: Can be lost or stolen.

  3. Inherence Factors:

    • Examples: Biometrics such as fingerprints or retina scans.

    • Pros: Unique to the individual.

    • Cons: False positives/negatives possible.


Multifactor Authentication

  • Involves using two or more authentication methods to enhance security.


Password Vulnerabilities

  • Attack Strategies:

    • Offline Dictionary Attack: Uses stolen password files to guess passwords using common words.

    • Specific Account Attacks: Targeting specific accounts with repeated password guessing.

    • Popular Password Attacks: Utilizes commonly used passwords against many accounts.

    • Workstation Hijacking: Access is gained by using unattended machines.

  • Countermeasures: Include account lockout mechanisms, user training, and policies against common passwords.
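An added example, not part of the original course notes: a detection sketch in Python that separates the "specific account" pattern from the "popular password" pattern in authentication events, and shows why account lockout alone only catches the first. The event format, thresholds, IP addresses and account names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, account, login_succeeded). Not real log data.
SAMPLE_EVENTS = (
    [("203.0.113.10", "alice", False)] * 6                # repeated guesses at one account
    + [("198.51.100.7", user, False)                      # one guess each at many accounts
       for user in ("bob", "carol", "dave", "erin")]
    + [("192.0.2.5", "frank", False), ("192.0.2.5", "frank", True)]  # ordinary typo
)

ACCOUNT_FAIL_LIMIT = 5    # assumed lockout threshold (consecutive failures per account)
SOURCE_ACCOUNT_LIMIT = 4  # assumed threshold (distinct accounts failed from one source)


def analyze(events, account_limit=ACCOUNT_FAIL_LIMIT, source_limit=SOURCE_ACCOUNT_LIMIT):
    """Return accounts that would be locked out and sources that look like
    popular-password guessing across many accounts."""
    consecutive_failures = defaultdict(int)
    locked = set()
    failed_accounts_by_source = defaultdict(set)

    for source, account, succeeded in events:
        if succeeded and account not in locked:
            consecutive_failures[account] = 0   # a good login resets the counter
            continue
        # Either a failed login or an attempt rejected because the account is locked.
        failed_accounts_by_source[source].add(account)
        if account in locked:
            continue
        consecutive_failures[account] += 1
        if consecutive_failures[account] >= account_limit:
            locked.add(account)                 # countermeasure: account lockout

    # Lockout never fires when each account sees a single failure, so the
    # many-accounts pattern has to be detected per source instead.
    spray_sources = {src for src, accounts in failed_accounts_by_source.items()
                     if len(accounts) >= source_limit}
    return {"locked_accounts": sorted(locked), "spray_sources": sorted(spray_sources)}


if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

In the sample data the lockout counter locks only "alice", while the source that tried four different accounts once each is caught only by the per-source count.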


Password Selection Policies

  • Requirements for strong password selection should be enforced, including complexity, length, and uniqueness.

  • Recommendations: Providers should provide feedback on password strength and maintain a blacklist of compromised passwords.


Access Control

  • Access Mechanism: Grants or denies requests to obtain and use information based on defined policies.

  • Basic Elements:

    • Subject: The user or entity accessing the object.

    • Object: The resource being accessed.

    • Access Rights: The ability to perform operations such as read, write, execute, delete, or create.

Access Control Policies

  • Policies dictate permitted access types, roles, and conditions.

    • Discretionary Access Control (DAC)

    • Mandatory Access Control (MAC)

    • Role-Based Access Control (RBAC)

    • Attribute-Based Access Control (ABAC)


System Development Methodology

  • Overview: Establish structured methodologies and standards for effective SDLC management to ensure security and quality assurance throughout the development processes.

  • Key Elements:

    • Ownership: Accountability for system development management.

    • Inventory: Central tracking of project elements and statuses.

    • Standards and Best Practices: Following industry standards during development.


Security Considerations in SDLC

  • Incorporating security in all phases of the SDLC is critical for mitigating risks and vulnerabilities:

    • Areas include requirement gathering, design, implementation, testing, and maintenance.

Summary

  • A detailed understanding of the NIST SDLC, with emphasis on security measures across its phases, is essential for effective system development management and implementing best practices.
