The Single Most Important Cybersecurity Vulnerability Facing IT Managers Today - Essay Example

Summary
"The Single Most Important Cybersecurity Vulnerability Facing IT Managers Today" paper determines access Control Methods, their associated limitations, and Solutions to these limitations. Access control vulnerability is the leading challenge faced by most managers in most businesses…

Extract of sample "The Single Most Important Cybersecurity Vulnerability Facing IT Managers Today"

Access Control Vulnerabilities and Solution to them

Name:
Institution:

TABLE OF CONTENTS
Description of the Vulnerability
Reasons why the Vulnerability is Important
Examples of Access Vulnerabilities
Impacts of the Vulnerability on Organizations
Strategies used by Organizations to Address the Possible Impacts

Question: What are the vulnerabilities associated with present access control methods and what is the solution to these vulnerabilities?

Objective: To determine access control methods, their associated limitations, and solutions to these limitations

Description of the Vulnerability

Access control vulnerability is the leading challenge faced by most managers in most businesses and organizations. While a variety of access control measures have been put in place, most of them have limitations which allow attackers to gain access to confidential information. This is illustrated by weak access control systems: access controls shared in common across a number of systems, the absence of role-based authentication of communicating components, the ability of a remote user to upload a file to a desired location, and arbitrary file upload or download when given computer hosts are selected (Ardagna et al. 2006). Another limitation associated with the existing access controls is that the services are more focused on user rights associated with user accounts. When any device is exploited, it can give an attacker control over a computer network when the attacker has the permissions of the services. Access control escalations are possible when a vulnerable service runs with more privileges than those the attackers have identified.
The main weaknesses behind this vulnerability are that it is possible to use the manager’s account, that it is possible to exploit the application used to manage the manager’s computer, and that a database service can be run as an administrator.

Reasons why the Vulnerability is Important

The main significance of access control is that it ensures confidentiality of information by preventing those who are not allowed to access the information from accessing it. According to Ausanka-Crues (2001), this is mainly important for managers involved in managing large corporations where particular information is considered confidential for the purpose of accomplishing the interests of a company. Confidentiality is a state where information is kept sensitive when it is transmitted from one location to another. It is not only important to ensure that the information is authenticated or to allow interaction with the system on the basis of authorization. During the exchange of data between communicating parties, there is high sensitivity involved (De Capitani di Vimercati et al. 2005). Passwords sent through authentication stages and transactional information sent from one party to another are examples of sensitive information that must be protected from unauthorized access.

Another reason why access control is important is that it ensures integrity of information. For instance, access control is an important measure in ensuring that information cannot be modified by unauthorized persons (Di Vimercati et al. 2007). The main focus of access controls is to prevent a potential user from using the information or accessing the entities through which information flows as a result of the subject's activities, such as the screen, keyboard, printer or memory. The most commonly used access control systems have been the Mandatory Access Control (MAC) and Discretionary Access Control (DAC) models. There are many forms of Mandatory Access Control models.
These include the Bell-LaPadula Confidentiality Model and the Biba Integrity Model. There are a number of limitations associated with these models that result in vulnerability of systems in organizations. According to Samarati & Di Vimercati (2001), the assignment and enforcement of security levels by the system when MAC is used places restrictions on user actions that prevent alteration of the main policies, and large parts of operating systems and other utilities need to be implemented within the access control framework. There is the need for additional access controls in order to restrict access to components that are considered confidential. On the other hand, in practice, it has been established that it is almost impossible to use MAC when the entire operating system is not used. In addition, it has been suggested that MAC has the potential to over-classify

Examples of Access Vulnerabilities

There exist various types of access vulnerabilities. An example of such a vulnerability is managed and unmanaged elements that may be required to comply with the security policies of organizations. Most organizations use a range of checks, such as collecting information regarding the operating system of an element, the list of patches, and the existence of anti-virus software (Ardagna et al. 2006). There are many elements that operate on an enterprise network but are not accounted for. In addition, elements running operating systems other than Microsoft Windows operate on a network without any endpoint security assessment. There is also concern regarding the technology used by most organizations to perform element detection, because of flaws that prevent effective identification of the elements that operate in a particular network, resulting in operation without accounting for elements in the network.
In addition, there are exception rules that identify particular elements according to specific characteristics, such as a MAC address listed in the exception rule. Ausanka-Crues (2001) states that it is possible to disconnect a printer from a network while another element takes over its MAC address and is allowed to access the network.

Endpoint security assessment has also been a challenge in the use of access controls in organizations. A number of organizations roll out a security patch immediately after its release. This is followed by testing the security patch unless possible damages are less likely to result from its installation. The fact is that a number of organizations have not rolled out a service pack that ensures the rollout of a security patch.

Impacts of the Vulnerability on Organizations

When there are improper access control checks in various possible execution paths, it is possible for users to access information and perform activities that they are not expected to perform. Another access control strategy that has been used in many organizations is Discretionary Access Control (DAC), which gives subjects the discretion to determine the manner in which they access particular rights. Because Access Control Matrices (ACM) have one row corresponding to each object, the number of entries is determined by the number of subjects times the number of objects. According to De Capitani di Vimercati et al. (2005), there would be no impact on access control if the matrix were kept dense, despite the lack of access rights to a number of objects, which results in a sparse matrix. If access control information were kept in the form of a matrix, it would result in the waste of a large quantity of information and look-ups would become expensive.
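The storage cost of the matrix described above, set against lists that keep only the non-empty entries per object, as an added example that is not part of the original essay. The subject and object names, the population sizes and the grant pattern are constructed for illustration.

```python
from itertools import product

NO_RIGHTS = frozenset()

def sample_grants(n_subjects=200, n_objects=500):
    """Constructed sample: every object has one owner and one reader."""
    subjects = [f"u{i}" for i in range(n_subjects)]
    objects = [f"f{i}" for i in range(n_objects)]
    grants = {}
    for i, obj in enumerate(objects):
        grants[(subjects[i % n_subjects], obj)] = {"read", "write"}
        grants[(subjects[(i + 1) % n_subjects], obj)] = {"read"}
    return subjects, objects, grants

def build_dense_matrix(subjects, objects, grants):
    """Dense form: one cell for every (subject, object) pair, empty or not."""
    matrix = {pair: NO_RIGHTS for pair in product(subjects, objects)}
    for pair, rights in grants.items():
        matrix[pair] = frozenset(rights)
    return matrix

def build_acls(grants):
    """List form: for each object, only the subjects that hold some right."""
    acls = {}
    for (subject, obj), rights in grants.items():
        acls.setdefault(obj, {})[subject] = frozenset(rights)
    return acls

def acl_allows(acls, subject, obj, right):
    """Default deny: a missing object or a missing subject means no access."""
    return right in acls.get(obj, {}).get(subject, NO_RIGHTS)

def storage_report(subjects, objects, grants):
    """Compare how many entries each representation has to store."""
    dense = build_dense_matrix(subjects, objects, grants)
    acls = build_acls(grants)
    non_empty = sum(1 for rights in dense.values() if rights)
    return {
        "dense_cells": len(dense),
        "non_empty_cells": non_empty,
        "acl_entries": sum(len(entries) for entries in acls.values()),
        "empty_fraction": 1 - non_empty / len(dense),
    }

if __name__ == "__main__":
    subjects, objects, grants = sample_grants()
    print(storage_report(subjects, objects, grants))
    acls = build_acls(grants)
    print(acl_allows(acls, "u0", "f0", "write"), acl_allows(acls, "u5", "f0", "read"))
```
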
An example of DAC is Access Control Lists (ACLs), which represent objects in tabular form and provide the default representation of access rights on UNIX systems; they basically correspond to the specific columns of the ACM. Di Vimercati et al. (2007) state that these forms of access control are effective but have low time-efficiency when low numbers of subjects are involved. The use of ACLs enables control over system objects. When fine-grained controls are used, it is possible to implement strategies that ensure least access is achieved. DAC is intuitive to implement and is likely to be invisible to users, so it is considered the least expensive for domestic purposes.

A limitation associated with DAC is that enabling users to control access to objects has the side effect of opening the system to Trojan horses. Samarati & Di Vimercati (2001) state that there are difficulties in maintaining and verifying the principles of DAC systems because of the rights that users have over access rights to objects. There is a lack of constraints on the copy privileges of the ‘Safety Problem’, which acts as a liability to DAC. The absence of constraints on copying information from one file to another makes it difficult to maintain safety principles and to verify that safety policies are not compromised by possible exploits when Trojan horses are used.

Strategies used by Organizations to Address the Possible Impacts

There are particular considerations that can ensure the effectiveness of access control in most systems and enhance cybersecurity. Ardagna et al. (2006) recommend that systems be designed around the concept of fewer privileges: providing the ability to create a number of accounts enables each account to be granted the least privileges needed to perform a function.
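The Trojan-horse limitation of DAC described under the impacts above, and how a Bell-LaPadula style check (the MAC model named earlier in the essay) blocks the same flow, as an added example that is not part of the original essay. The users, files, two-level lattice and sample record are constructed for illustration.

```python
LEVELS = {"public": 0, "confidential": 1}   # assumed two-level lattice

class File:
    def __init__(self, name, level, acl):
        self.name = name
        self.level = level      # MAC label, set by the system
        self.acl = acl          # DAC rights, set by the owner: {user: {rights}}
        self.data = ""

def dac_allows(user, f, right):
    """Discretionary check: only the ACL on the object is consulted."""
    return right in f.acl.get(user, set())

def blp_allows(clearance, f, right):
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    if right == "read":
        return LEVELS[clearance] >= LEVELS[f.level]
    if right == "write":
        return LEVELS[clearance] <= LEVELS[f.level]
    return False

def run_program_as(user, clearance, src, dst, enforce_blp):
    """A program started by `user` copies src into dst with that user's rights.

    Under DAC the program inherits everything the user may do, so nothing
    distinguishes a copy the user intended from one hidden inside a tool.
    """
    checks = [dac_allows(user, src, "read"), dac_allows(user, dst, "write")]
    if enforce_blp:
        checks.append(blp_allows(clearance, src, "read"))
        checks.append(blp_allows(clearance, dst, "write"))
    if not all(checks):
        return False
    dst.data = src.data
    return True

def scenario(enforce_blp):
    """alice owns a confidential file; bob owns a public file alice may write."""
    payroll = File("payroll", "confidential", {"alice": {"read", "write"}})
    payroll.data = "constructed sample record"
    dropbox = File("dropbox", "public",
                   {"bob": {"read", "write"}, "alice": {"write"}})
    bob_direct = dac_allows("bob", payroll, "read")
    copied = run_program_as("alice", "confidential", payroll, dropbox, enforce_blp)
    bob_sees_copy = dac_allows("bob", dropbox, "read") and dropbox.data == payroll.data
    return {"bob_direct": bob_direct, "copied": copied, "bob_sees_copy": bob_sees_copy}

if __name__ == "__main__":
    print("DAC only :", scenario(enforce_blp=False))
    print("DAC + BLP:", scenario(enforce_blp=True))
```

The ACL on the confidential file never changes in either run; the difference is only whether the copy into the lower-level file is permitted.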
Another recommendation is that if most services are started without root user groups, the possibility that there will be a flaw in the services of Windows will be greatly reduced in the case where a flaw is discovered. It is recommended that services run with minimum privileges, because this reduces the possible harm that a service can cause through a bug, an accident or a malicious attempt to use the service.

Another strategy for achieving access control is to reinforce authorization in databases by creating an authorization right which can only be accessed by the user of a particular system. According to Ausanka-Crues (2001), permission should determine the activity that needs to be performed, such as updating information or running a stored procedure. In addition, access control can involve the use of stored procedures that can be written using a program to determine whether there has been a breach of security.

Another strategy for enhancing access control is the use of an object-oriented authorization process that includes the capacity to secure both data and behavior. According to De Capitani di Vimercati et al. (2005), a checkpoint should be created that validates users and makes the required decisions in case there is a security breach. This process is also called access verification and involves validation, penalizing and preventing access for hackers. In addition, it is recommended that users be provided with a number of functionalities, but if they try to use a functionality that is not allowed, there should be the right error-handling procedures.

Furthermore, it is suggested that access control should involve creating a limited view. Users should be provided with what they can run. Despite the difficulty of using this approach, it is regarded as user-friendly and has high security and the ability to detect errors.
Users should also be assigned one or more functionalities so that they access particular information based on their functionalities, such as HR_Manager, with security roles assigned to those roles.

There should also be a Secure Access Layer. It is only possible for an application to have security of functions when its components interact with it; consequently, an access layer should be provided so that communication with external systems takes place in a less risky manner (Di Vimercati et al. 2007). In addition, there should be a secure way in which the various components of an application provide security during interaction with them.

Another suggestion for ensuring access control is session control. This is a process where a system is able to capture session information of the user of the system, such as ID, host name and other security privileges.

References

Ardagna, C. A., Cremonini, M., Damiani, E., di Vimercati, S. D. C., & Samarati, P. (2006, March). Supporting location-based conditions in access control policies. In Proceedings of the 2006 ACM Symposium on Information, computer and communications security (pp. 212-222). ACM.

Ausanka-Crues, R. (2001). Methods for access control: advances and limitations. Harvey Mudd College, 301. https://www.cs.hmc.edu/~mike/public_html/courses/security/s06/projects/ryan.pdf

De Capitani di Vimercati, S., Samarati, P., & Jajodia, S. (2005). Policies, models, and languages for access control. Databases in Networked Information Systems, 225-237.

Di Vimercati, S. D. C., Foresti, S., Jajodia, S., Paraboschi, S., & Samarati, P. (2007, September). Over-encryption: management of access control evolution on outsourced data. In Proceedings of the 33rd international conference on Very large data bases (pp. 123-134). VLDB endowment.

Samarati, P., & Di Vimercati, S. D. C. (2001). Access control: Policies, models, and mechanisms. Lecture notes in computer science, 137-196.