As I explained earlier in this series, there are three categories of security countermeasures: administrative, physical, and logical (technical). By definition, access control is itself a security countermeasure, and it can be implemented administratively, physically, and/or technically.
Administrative Access Control
Access control can be implemented using administrative means such as:
- Strict policies, standards, and procedures.
- Background checks for newly hired staff.
- Security Awareness Training.
- Data classification.
Physical Access Control
Physical access control employs methods like:
- Security Guards.
- Guard dogs.
- Video Surveillance.
- Man traps.
- Intrusion Detection Systems.
Technical Access Control
Technical access control uses technologies like:
- Intrusion Prevention Systems (IPS).
- Router Access Lists.
- TCP Wrappers.
- File and Directory Permissions.
There are three main authentication methods:
- Something You Know: a secret piece of information such as passwords, pass phrases, and PIN numbers.
- Something You Have: smart cards, USB tokens, and hardware dongles.
- Something You Are: biometric access control technologies such as retina scan, fingerprints, iris, hand geometry, and voice print.
In the following sections, we will investigate the most commonly used authentication methods in more detail.
A special type of password is the pass phrase. A pass phrase is a secret string of characters that is considerably longer (usually exceeding 20 characters) than a normal password, and has a private meaning to its owner. For example, if your favorite movie is “Harry Potter and the Half-Blood Prince”, you may choose a pass phrase like “[email protected]&Za1/2BloodPrince”: a 28-character string that is very long compared to normal passwords, easy to remember because it depends on something meaningful, and at the same time very difficult to crack. Such a long, complex pass phrase may require years to crack using the most powerful computers.
Passwords are the most commonly used authentication method. A password is a secret string of characters used to prove the identity claimed by a user. Being the most commonly used method makes passwords a very important target for hackers and crackers. Many attacks target passwords, such as dictionary attacks, brute-force attacks, and rainbow tables.
A password policy must be prepared and enforced to mitigate such attacks and reduce the possibility of password cracking. The policy should include restrictions like:
- Minimum Password Length: the minimum number of characters that a valid password must contain.
- Password Complexity: the password must contain:
1. Uppercase letters.
2. Lowercase letters.
4. Special Characters.
- Maximum Password Age: the period in which a password is valid. When the period is over, the password expires and must be changed. Usually set to 6 weeks, or three months (90 days).
- Password History: after expiration, the same password can’t be re-used before a certain period passes. This period is usually set to 1 year.
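The policy rules above, enforced in code, as an added example that is not part of the original article. The 90-day maximum age and the 1-year history period come from the text; the minimum length of 12, the function names, and the way retired passwords are stored are assumptions made for illustration.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta

MIN_LENGTH = 12                        # assumed value; the article gives no number
MAX_AGE = timedelta(days=90)           # "three months (90 days)" from the article
HISTORY_WINDOW = timedelta(days=365)   # "1 year" from the article

def _digest(password, salt):
    # Retired passwords are kept only as salted PBKDF2 digests, never in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def remember(password, retired_at):
    """Build a history entry (salt, digest, retirement time) for an old password."""
    salt = os.urandom(16)
    return salt, _digest(password, salt), retired_at

def is_expired(last_changed, now):
    """Maximum password age: True once the password must be changed."""
    return now - last_changed > MAX_AGE

def check_new_password(password, history, now):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    # Complexity: only the character classes the article lists.
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    # Password history: reject reuse until the window has passed.
    for salt, digest, retired_at in history:
        recent = now - retired_at < HISTORY_WINDOW
        if recent and hmac.compare_digest(_digest(password, salt), digest):
            problems.append("reused within history window")
            break
    return problems

if __name__ == "__main__":
    now = datetime(2024, 6, 1)  # constructed sample data
    history = [remember("Old-Passphrase!One", datetime(2024, 1, 1))]
    print(check_new_password("Old-Passphrase!One", history, now))
    print(check_new_password("short", history, now))
    print(is_expired(datetime(2024, 1, 1), now))
```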
A personal identification number (PIN) is a numeric password, used mainly to authenticate the user of a debit or credit card at ATM and POS machines.
On many social network and email service sites, the procedure to recover a forgotten password challenges the user with a secret question that he has answered before. If the user provides the correct pre-set answer, he is allowed to set a new password for his account. Typical questions include:
- What is the name of your father’s mother?
- What is the name of your first school?
- What is the name of your first teacher?
- What is the name of your favorite restaurant?
A smart card is a plastic card that is the same size as a credit card and usually comes with a tiny electronic microchip. The smart card can store information that can be used for identification and authentication purposes.
For example, your ID card identifies you when you walk through the premises of your company, and can be used to authenticate you on the access control machine at the company entrance and at restricted areas that you are authorized to enter.
For increased security, the information stored on the card can be made unreadable without providing a piece of information (a PIN number) that unlocks this data. In this case, smart cards can be considered two-factor authentication, because the user must insert or swipe the card (something you have) and then enter a PIN (something you know).
A hardware dongle is a device used to protect against software piracy. The idea is to program the software to work only if the dongle is present (and connected to the computer on which the software is installed).
- Access Control can be done administratively, technically, and physically.
- There are three main authentication methods: something you know, something you have, and something you are.
In the next article, we will continue our discussion on Access Control. We will talk about Biometrics and One-Time Passwords. See you.