TechExams.net IT Certification Forums > InfoSec > Security Certifications
keatron (Senior Member)
Join Date: Sep 2004
Location: I'm convinced, we all live in the Matrix.
Posts: 1,228
Certifications: CISSP,ISC2 Trainer,CCSP,CNSS-4013+4011,MCT MCSA2K3,CWNA MCSE2K:Sec LPT ECSA CEH CHFI,CCNA CS-CFW
02-05-2006, 05:48 PM   #1
Question 3 (another version of the last question)

Now here's the type of question where you get your noodle fried. Instead of just asking which are affected, let's change it and say which one is affected the most. This should render some awesome answers.

A user's password and login information is mistakenly shared with 2 other users in an office. Which ONE of the following controls does this event affect the MOST?

A. Identification
B. Authentication
C. Authorization
D. Accountability
E. Auditing

keatron, 02-07-2006, 02:34 PM   #2

At a minimum, the user's password would have to be changed. None of the other elements really need to be modified, as they all hinge on identification and authentication. It is actually a good idea to change the username and password, but again, at a minimum the password would have to be changed. So authentication is probably the one affected the most, because it is the one that will have to be modified.

Chivalry1 (Senior Member)
Join Date: Mar 2005
Posts: 299
Certifications: MCSE/MCSA 2K3, MCITP: EMA 2K7/2010, MCTS:Exchange 2K7/2010, CICSP, Security+, Network+, MCDST, MOUS Master
02-07-2006, 04:32 PM   #3

I must say that the answer is E. Auditing. After the password and username have been compromised by the user, the company can no longer audit who could possibly be a hacker on its network. Within seconds this same password and username could be spread over the entire hacking world.

E. Auditing, I think, is the answer. Although accountability comes very close.



__________________
"CISSP...Exam Scheduled for October...2nd Attempt!!"

"The recipe for perpetual ignorance is: be satisfied with your opinions and
content with your knowledge. " Elbert Hubbard (1856 - 1915)

keatron, 02-07-2006, 05:11 PM   #4

Quote:
Originally Posted by Chivalry1
I must say that the answer is E. Auditing. After the password and username have been compromised by the user, the company can no longer audit who could possibly be a hacker on its network. Within seconds this same password and username could be spread over the entire hacking world.

E. Auditing, I think, is the answer. Although accountability comes very close.
Yes, but the point is, once the username and password have been changed to something else, there's no need to change anything in the auditing mechanism.

blacksun (Junior Member)
Join Date: Oct 2006
Location: India
Posts: 5
Certifications: CHFI.CEH.ITIL.CIW-SA.CIW-SP.SCSCA.MCSE.MCSA
10-16-2006, 10:44 PM   #5
Question 3 (another version of the last question)

D. Accountability is the right answer.



__________________
Nitin Kushwaha

The firewalls should be treated as a family,
all zones as relatives within,
all members as the most valuable assets.

If you love your family, you will make sure you & others are SECURE.

Slowhand
Join Date: Oct 2005
Location: Bay Area, CA
Posts: 3,892
Certifications: A+, Linux+, Server+, Security+, MCSA 2003, CCNA, working on ROUTE
10-16-2006, 10:52 PM   #6

If this was a question on an exam, I'd go with D. Passwords can be changed and the situation can be sorted out, but the damage done while the other two users have the first user's credentials is the key issue here. Before the situation is sorted out, or even discovered, it would appear as though the first user is the one doing whatever the other two choose to do. There's no way to know who is accountable for whatever damage or changes those users make under the guise of the first user, so the blame would technically fall to the initial user. It's the same dilemma that faces credit card companies with stolen cards: trying to sort out which purchases are legitimate and which ones were made by the thief.



__________________
-------------------------------------------
ITHumidor.com - "Futuaris nisi irrisus ridebis"
-------------------------------------------
Working On: ROUTE | MCSE>>MCITP: EA (On Hold)
Let it never be said that I didn't do the very least I could do.

Where I Hang Out These Days

keatron, 10-17-2006, 02:06 AM   #7

Quote:
Originally Posted by Slowhand
If this was a question on an exam, I'd go with D. Passwords can be changed and the situation can be sorted out, but the damage done while the other two users have the first user's credentials is the key issue here. Before the situation is sorted out, or even discovered, it would appear as though the first user is the one doing whatever the other two choose to do. There's no way to know who is accountable for whatever damage or changes those users make under the guise of the first user, so the blame would technically fall to the initial user. It's the same dilemma that faces credit card companies with stolen cards: trying to sort out which purchases are legitimate and which ones were made by the thief.
Good answer. If you imagine that each one of these roles is played by a person, the accountability person would probably be affected the most. Once the security breakdown is discovered, all the other affected areas can be easily fixed. But as far as accountability goes, you can't truly say the person whose password was shared was indeed the person who carried out whatever action it is that might be investigated.

Identification is obviously not a good choice, because we're talking passwords as the focal point here.

Authentication is affected, but not quite as much as other areas, because authentication does happen (given the authentication mechanism, which happens to be single-factor, i.e. passwords). Using two- or three-factor authentication could have made this much harder to carry out, especially with a biometric control.

Authorization was affected as well, because the user account in question was still only able to do what that account is authorized to do. So we can salvage some of the guessing in this incident by being able to narrow down, to some extent, exactly WHAT this group of people might have been able to carry out given the original user's level of authorization.

While auditing could be a good choice as well, it's not quite as affected, simply because you're still not hindered in auditing what that account did. It doesn't matter who was ACTUALLY logged in with that user's account; the auditing person's job is just to verify that we're able to say which account logged in and "deleted the files", for example.

When it all comes down to it, the guy who's going to have the most trouble is the one trying to hold any one of the three in question accountable for anything that transpired. Mainly because now he's going to have to go through the painful task of trying to prove which of the three was, for example, on site at the time, probably comb through tons of video footage (if it's available), check keyfob or key card records for entry into the building and who knows what else!

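The correlation keatron describes in the post above (the audit trail names an account, not a person, so the investigator has to fall back on badge records to work out who was actually on site) can be shown with a small script. This is an added example, not code from the thread: the logon trail, the badge-reader log, the account name jsmith and the three people who know its password are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon audit trail (not real data). Each line is
# timestamp,event,account,workstation. Note that it records only the ACCOUNT.
AUDIT_LOG = """\
2006-10-16 08:02:10,LOGON,jsmith,WS-101
2006-10-16 08:15:42,LOGON,jsmith,WS-117
2006-10-16 08:30:00,LOGON,rlee,WS-205
2006-10-16 09:40:05,FILE_DELETE,jsmith,WS-117
2006-10-16 10:05:00,LOGOFF,jsmith,WS-117
2006-10-16 16:45:00,LOGOFF,rlee,WS-205
2006-10-16 17:00:00,LOGOFF,jsmith,WS-101
"""

# Constructed badge-reader log: timestamp,person,direction. This one names PEOPLE.
BADGE_LOG = """\
2006-10-16 07:55:00,J. Smith,IN
2006-10-16 08:10:00,A. Doe,IN
2006-10-16 08:25:00,R. Lee,IN
2006-10-16 09:15:00,J. Smith,OUT
2006-10-16 13:00:00,B. Kim,IN
"""

# Hypothetical: the owner of the jsmith account plus the two colleagues the
# password was mistakenly shared with (the scenario in the question).
KNOWS_PASSWORD = {"jsmith": {"J. Smith", "A. Doe", "B. Kim"}}


def parse_csv(text, fields):
    """Parse one of the constructed comma-separated logs into dicts sorted by
    time. The first field is always the timestamp and is stored as a datetime."""
    rows = []
    for line in text.strip().splitlines():
        row = dict(zip(fields, line.split(",")))
        row["ts"] = datetime.strptime(row.pop(fields[0]), "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return sorted(rows, key=lambda r: r["ts"])


def concurrent_sessions(audit):
    """Detect accounts with open sessions on more than one workstation at once,
    the audit-trail symptom of a shared password. Returns
    {account: [(timestamp, [workstations]), ...]}, one entry for every logon
    that overlaps an existing session of the same account elsewhere."""
    open_ws = defaultdict(set)
    hits = defaultdict(list)
    for ev in audit:
        acct, ws = ev["account"], ev["workstation"]
        if ev["event"] == "LOGON":
            open_ws[acct].add(ws)
            if len(open_ws[acct]) > 1:
                hits[acct].append((ev["ts"], sorted(open_ws[acct])))
        elif ev["event"] == "LOGOFF":
            open_ws[acct].discard(ws)
    return dict(hits)


def on_site(badge, person, when):
    """True if the person's most recent badge event before `when` was an IN."""
    present = False
    for ev in badge:
        if ev["ts"] > when:
            break
        if ev["person"] == person:
            present = ev["direction"] == "IN"
    return present


def attribute(audit, badge, knows_password):
    """For each action (not a logon/logoff) done under a shared account, return
    (timestamp, event, account, workstation, people), where `people` is the
    subset of password-holders who were badged in at that moment. The audit
    trail on its own would pin every such action on the account's owner."""
    results = []
    for ev in audit:
        if ev["event"] in ("LOGON", "LOGOFF"):
            continue
        people = knows_password.get(ev["account"])
        if not people:
            continue  # not known to be shared: the account maps to one person
        present = {p for p in people if on_site(badge, p, ev["ts"])}
        results.append((ev["ts"], ev["event"], ev["account"], ev["workstation"], present))
    return results


if __name__ == "__main__":
    audit = parse_csv(AUDIT_LOG, ["ts", "event", "account", "workstation"])
    badge = parse_csv(BADGE_LOG, ["ts", "person", "direction"])
    for acct, hits in concurrent_sessions(audit).items():
        for ts, wss in hits:
            print(f"{ts}  account {acct} has concurrent sessions on {wss}: shared credential?")
    for ts, event, acct, ws, people in attribute(audit, badge, KNOWS_PASSWORD):
        who = ", ".join(sorted(people)) or "nobody who knows the password was on site"
        print(f"{ts}  {event} under account {acct} on {ws}: badge records narrow it to {who}")
```

Run as a script: the first loop flags jsmith at 08:15:42 for holding sessions on WS-101 and WS-117 at the same time, which is all the audit trail can tell you. The second loop takes the FILE_DELETE at 09:40:05 and, because J. Smith had badged out at 09:15 and B. Kim had not yet arrived, narrows it to A. Doe. Without the badge data (or the video footage keatron mentions) the log would simply say "jsmith", which is exactly the accountability gap the thread is arguing about.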
Slowhand, 10-17-2006, 02:46 AM   #8

This is something discussed pretty heavily at the RSA Security Conference, especially by the RSA Corporation itself. They are pushing heavily for a single sign-on type of infrastructure within networks, to ensure that accountability is assured. Basically, the approach is that you have one username and one password, regardless of the size or nature of your network and business, and you are charged to keep that single username and password secure.

Where I work, we have something almost like it, but not quite tied into every system. To pass through doors at any location, you supply your passkey, password, and your handprint. On the big screen in the NOC, your picture shows up on the screen, along with the door you're going through, which side of the door was triggered, the date and time you entered, and your name. Unfortunately, the system isn't tied into our AD infrastructure, or it would be far easier to administrate the biometrics and update information in the system.

Regardless, it's an impressive system, and what companies like RSA are trying to do is tie those types of systems together, letting a security administrator regulate entry into a facility like the one I work in. The logging system that appears on our big screen does help with accountability, ensuring that we know who is opening the door to the server room, to the room that houses generators, the front door, etc. . . And, since all the user's information appears in the log, along with a picture, it is easy to cross-check with the security cameras, to ensure that who is using the passcard is, indeed, the authorized user.

Now, if we could just tie that system into the other two or three separate networks we run, so the system engineers wouldn't have to leave our desks (read "stop playing UT2004") to go check on alarms and reboot internal servers, we'd be all set. You know, just open the security alarm MMC, or the managed server MMC, the security door MMC, the soda machine MMC...



agustinchernitsky (Senior Member)
Join Date: Nov 2005
Posts: 302
Certifications: CCNA,MCP, MCSA, MCSA:Security, MCSA:Messaging, MCSE, MCSE: Security, CompTIA Security+, network+ and linux+
10-17-2006, 03:19 AM   #9

I would answer D. Accountability.

If the password is shared, there is no way to know who really did what.
