User identification and authorization
The person in charge of securing your information systems can protect the different systems being used by means of determining user access. This can be done by user identification and authorization systems.
User identification involves two steps: (1) identify the user and (2) authenticate (validate) the identity, i.e. confirm that the claimed identity of said user is true.
The simplest systems make use of passwords only. Some of the more complex systems use cards (e.g., a smart card, i.e. a card with a barcode identification strip) and/or biometric methods (e.g., fingerprints, eye scans, etc.) in combination with passwords.
Passwords are intended to protect against browsing of information, especially in systems where access to information is restricted. Passwords offer protection but are not a guarantee against a determined hacker or criminal. A computer password serves as the key to a computer or a system. If several people use the same password, this is similar to those people using the same key to unlock a door.
CRITERIA FOR PASSWORD CREATION/ISSUANCE
1. Be unique to an individual and kept confidential. They should not be shared with anyone. Remember, one person, one password! If an individual needs temporary access to a particular system, his/her user ID can be added temporarily to the list of authorized users. Once the user has finished his/her work, his/her user ID must be deleted from the list of authorized users.
2. Be different from the individual’s user ID.
3. Ideally be:
a. alphanumeric (or involving non-alphanumeric symbols) and
b. at least six characters long.
4. Be changed on a regular basis, at least every 30 days. Systems can warn the user automatically when his/her password expires. To guarantee that s/he enters a new one, s/he will not be able to access the system after the expiration date, although s/he may be granted a limited number of 'grace' log-ins. This makes the user accountable for regularly updating/changing his/her password.
5. Be properly managed. This involves keeping a list of frequently used passwords, such as names, brands and other words that are easy to guess and therefore not suitable as passwords. Entries are not added freely; only the system manager is able to change the list. Some systems enforce this policy and generate passwords automatically according to such standards.
6. Be removed immediately, thus cancelling access rights, if an employee leaves the organization or gives notice of leaving.
Last but not least, care should be taken with the password used for systems maintenance. Never use a password that you also use to access other systems for maintenance purposes.
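The criteria above can be enforced mechanically at issuance time. The following is an added example (not code from the original text) that checks a proposed password against criteria 2, 3 and 5, applies the 30-day expiry with a limited number of grace log-ins from criterion 4, and prunes the authorized-user list for criteria 1 and 6. The user IDs, passwords, the blacklist of easy-to-guess words and the grace-login count of three are all constructed assumptions.

```python
"""Password issuance and expiry checks modelled on the criteria listed above.

Added example, not code from the original text. User IDs, passwords and the
blacklist contents are constructed; the grace-login limit is an assumption.
"""
from datetime import date

# Criterion 5: list of easy-to-guess words (names, brands, ...) that are not
# acceptable as passwords. Only the system manager maintains this list.
COMMON_WORDS = {"password", "welcome", "acme", "admin", "letmein", "123456"}

MIN_LENGTH = 6        # criterion 3b: at least six characters
MAX_AGE_DAYS = 30     # criterion 4: change at least every 30 days
GRACE_LOGINS = 3      # assumed number of 'grace' log-ins allowed after expiry


def password_violations(user_id: str, password: str, blacklist=COMMON_WORDS) -> list[str]:
    """Return the criteria a proposed password fails (an empty list means acceptable)."""
    problems = []
    if password.lower() == user_id.lower():               # criterion 2
        problems.append("password must differ from the user ID")
    if len(password) < MIN_LENGTH:                         # criterion 3b
        problems.append(f"password must be at least {MIN_LENGTH} characters")
    has_letter = any(c.isalpha() for c in password)
    has_other = any(not c.isalpha() for c in password)     # digit or symbol
    if not (has_letter and has_other):                     # criterion 3a
        problems.append("password must mix letters with digits or symbols")
    if password.lower() in blacklist:                      # criterion 5
        problems.append("password is on the list of easy-to-guess words")
    return problems


def days_until_expiry(last_changed: date, today: date) -> int:
    """Criterion 4: how many days remain before the password must be changed
    (negative when it has already expired); used to warn the user in advance."""
    return MAX_AGE_DAYS - (today - last_changed).days


def access_decision(last_changed: date, today: date, grace_used: int) -> str:
    """Criterion 4: may a user log in with an unchanged password?

    'ok'     - password still within its 30-day lifetime
    'grace'  - expired, but one of the limited grace log-ins may be used
    'locked' - grace log-ins exhausted; the user cannot access the system
    """
    if days_until_expiry(last_changed, today) >= 0:
        return "ok"
    if grace_used < GRACE_LOGINS:
        return "grace"
    return "locked"


def prune_authorized(authorized: dict[str, date], today: date) -> dict[str, date]:
    """Criteria 1 and 6: drop user IDs whose temporary access has ended or who
    have left. `authorized` maps user ID -> last valid day (date.max = permanent)."""
    return {uid: until for uid, until in authorized.items() if until >= today}


if __name__ == "__main__":
    print(password_violations("jsmith", "jsmith"))
    print(password_violations("jsmith", "Tr4ck-91"))
    print(access_decision(date(2024, 1, 1), date(2024, 2, 5), grace_used=0))
    print(prune_authorized({"jsmith": date.max, "temp01": date(2024, 1, 15)},
                           date(2024, 1, 16)))
```

The checks return a list of reasons rather than a single boolean so that the person issuing the password can tell the user exactly which criterion was missed; the expiry decision is kept separate from the issuance check because it runs at every log-in, not only when a password is set.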
OTHER IDENTIFICATION SYSTEMS
The 'password' method may be easily undermined especially if someone other than the user gets hold of a password. Other identification systems that have been introduced to deal with the shortcomings of the password method are the smart card and biometrics systems.
There are two main types of smart cards:
1. Magnetic strip card: As its name suggests, this type of card has a magnetic strip containing some confidential information to be used together with the individual’s personal code. Examples of this are ID cards, ATM cards, credit cards, etc.
2. Chip card: Instead of a magnetic strip, the card has a built-in microchip. The simplest type contains a memory chip (e.g. telephone cards) holding some information but with no processing capability. The other, better, type is the 'active' card, which contains a microchip with both memory to store information and a processor.
Biometric systems make use of specific personal characteristics (biometrics) of a specific person e.g. fingerprint, voice, keystroke characteristics or the 'pattern' of the retina. Biometric systems are still quite expensive (except for the keystroke system) and not commonly used.
But always remember that these systems aren't foolproof. Precautions still have to be taken.
After identification and authentication of the user, a procedure should be in place to determine what level of access the user has in a specific system. This determines what can and cannot be accessed by a specific user, given the user ID and password s/he has entered.
Most, if not all, computer systems have some kind of log or listing of all transactions that were done. Even stand-alone (i.e., not networked) systems sometimes have identification and authorization systems that include a log, especially if different users with different authorization levels use them. These identification and authorization systems are also useful when restrictions, such as not using the disk drive (as an anti-virus measure) or not changing certain files, need to be enforced.
Security of information systems and protection of information in such systems can only be achieved if the different security measures/precautions are properly followed up with a log that can be analyzed accordingly.
A proper log will answer the following questions and so help the IT security manager trace any questionable access:
- WHO (user)
- WHEN (time - date)
- WHERE (place)
- WHAT (event/activity)
- ADDITIONAL (Additional information depending on activity)
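The access-level check described above and the five-field log it should feed can be shown together. The following is an added example (not code from the original text): an authorization table ranks each user's level, every decision is written as a WHO|WHEN|WHERE|WHAT|ADDITIONAL entry, and a review function picks out the entries a security manager would want to trace. The user IDs, levels, terminal names, working hours (assumed 08:00 to 18:00) and the sample log lines are all constructed.

```python
"""Authorization check plus the log that records each decision.

Added example, not code from the original text. User IDs, access levels,
places, working hours and the sample log lines are constructed.
"""
from collections import Counter
from datetime import datetime

# Authorization table: the level of access each authenticated user ID holds in
# this system. Levels are ordered, so a higher level implies the lower ones.
LEVELS = {"read": 1, "write": 2, "admin": 3}
ACCESS_RIGHTS = {"jsmith": "read", "mlee": "write", "sysop": "admin"}

LOG: list[str] = []   # in a real system this is an append-only file, not a list


def record(who: str, when: datetime, where: str, what: str, extra: str = "") -> str:
    """Append one entry with the five fields listed above:
    WHO | WHEN | WHERE | WHAT | ADDITIONAL."""
    line = "|".join([who, when.isoformat(timespec="seconds"), where, what, extra])
    LOG.append(line)
    return line


def authorize(user_id: str, needed: str, when: datetime, where: str, resource: str) -> bool:
    """Decide whether an already-authenticated user may perform `needed` on
    `resource`, and log the decision either way (denials are the interesting ones)."""
    granted = ACCESS_RIGHTS.get(user_id)
    allowed = granted is not None and LEVELS[granted] >= LEVELS[needed]
    outcome = "ALLOW" if allowed else "DENY"
    record(user_id, when, where, f"{outcome} {needed} {resource}", f"level={granted}")
    return allowed


def questionable(entries: list[str], start_hour: int = 8, end_hour: int = 18) -> list[str]:
    """Return the entries worth tracing: denied requests and any activity
    outside the assumed working hours."""
    flagged = []
    for line in entries:
        who, when, where, what, extra = line.split("|", 4)
        hour = datetime.fromisoformat(when).hour
        if what.startswith("DENY") or not (start_hour <= hour < end_hour):
            flagged.append(line)
    return flagged


def denials_per_user(entries: list[str]) -> dict[str, int]:
    """Count DENY entries by WHO, so repeated attempts stand out."""
    counts = Counter(line.split("|", 1)[0] for line in entries
                     if line.split("|", 4)[3].startswith("DENY"))
    return dict(counts)


# Constructed sample log in the same five-field layout that record() produces.
SAMPLE_LOG = [
    "jsmith|2024-03-04T09:12:00|terminal-12|ALLOW read payroll|level=read",
    "jsmith|2024-03-04T09:15:30|terminal-12|DENY write payroll|level=read",
    "mlee|2024-03-04T22:40:10|terminal-03|ALLOW write ledger|level=write",
    "guest9|2024-03-04T10:01:00|terminal-07|DENY read ledger|level=None",
]

if __name__ == "__main__":
    authorize("jsmith", "write", datetime(2024, 3, 4, 9, 15, 30), "terminal-12", "payroll")
    for line in questionable(SAMPLE_LOG):
        print(line)
    print(denials_per_user(SAMPLE_LOG))
```

Denied requests are logged with the same fields as allowed ones; a log that only records successes cannot answer WHO tried WHAT and WHERE when access was refused, which is precisely what the security manager needs to trace.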