need 4 pages in 5 hours

unit_2_notes.pdf

ITEC 6620 Information and Systems Security

© 2012 Laureate Education Inc. 1  

Unit 2 Notes

Discussion notes:

In small organizations, IT changes often can be made quickly and carefully without any formal planning. For more mature organizations, however, the situation is much more complex because of the sheer number of IT assets spread across departments. Therefore, IT departments must proceed cautiously and systematically before making any major changes. To effect change properly, large organizations typically employ change management. This methodology requires a well-documented process that clearly defines the roles, responsibilities, and procedures related to any change. Before any change can be effected, it must be reviewed, approved, scheduled, and ultimately communicated to the impacted users. Furthermore, roll-back capabilities must be determined ahead of time to avoid service disruptions.

Configuration controls (also called configuration management) are concerned with how devices' baseline settings (or configurations) are set up and managed. Because these settings are tuned to the requirements of corporate security policy, any change to an existing system, or any introduction of a new system, can generate risk. Therefore, configuration controls often are put in place to ensure that systems comply with stated policies and standards. Any change to the configuration controls themselves must also go through the change management process.

Assignment 2 notes:

In cases where physical security controls cannot be bypassed, attackers still may be able to steal data by convincing employees (or computer systems) that they are legitimate users. Authentication is the process of validating someone's identity. The most common form of authentication is the username-password mechanism, which assumes that the username and password are difficult to guess (and crack). Yet the uniform way in which users are provisioned often translates into highly predictable usernames (e.g., the first six letters of the last name followed by the first initial).

If the username is known or can be guessed easily, the strength of the authentication system then depends entirely on the strength of the user's password. A 2012 report (Cowley, 2012) found that one of the most commonly used passwords on business systems is Password1 (three character classes: uppercase, lowercase, and numeric). Obviously, single-factor authentication (to which username-password belongs) is too weak for cases where sensitive data must be protected. Beyond the government, classified, and military sectors, more businesses and even some banks are adopting two-factor (or more) authentication. The ubiquity of mobile devices has led many to adopt soft-token authentication mechanisms, in which a token is generated and sent to your mobile device as a text message. You then log in with three pieces of information: username, password, and token. Yet even two-factor authentication is proving vulnerable to attack, especially when the endpoints cannot be trusted.
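The Password1 observation above illustrates why a character-class rule alone is a poor acceptance test. The following added example (not part of the course notes) checks a candidate password against both a conventional "three character classes" rule and a denylist of common passwords; the denylist and the policy thresholds are constructed for illustration, not taken from any real organization.

```python
"""Password acceptance: character-class rule versus a common-password denylist."""
import string

# Constructed sample denylist for illustration only. A real deployment would
# load a full list of breached/common passwords rather than this handful.
COMMON_PASSWORDS = {"password", "password1", "welcome", "123456", "qwerty", "letmein"}


def character_classes(pw: str) -> set:
    """Return the set of character classes (upper/lower/digit/symbol) present in pw."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def meets_class_rule(pw: str, min_length: int = 8, min_classes: int = 3) -> bool:
    """The conventional complexity rule: minimum length plus N character classes."""
    return len(pw) >= min_length and len(character_classes(pw)) >= min_classes


def is_common(pw: str) -> bool:
    """Denylist check. Compares case-insensitively and also after stripping the
    trailing digits/punctuation users bolt on to satisfy class rules, so that
    'Password1' and 'Welcome123!' both match their base words."""
    lowered = pw.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    return lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS


def evaluate(pw: str) -> dict:
    """Run both checks; a password is accepted only if it passes the class rule
    AND is not on the denylist. Returns the individual results for reporting."""
    complexity_ok = meets_class_rule(pw)
    common = is_common(pw)
    return {"complexity_ok": complexity_ok, "common": common,
            "accepted": complexity_ok and not common}


if __name__ == "__main__":
    for candidate in ["Password1", "Welcome123!", "correct horse battery", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {evaluate(candidate)}")
```

Password1 passes the three-class rule yet is rejected by the denylist, which is the gap a class-count policy on its own leaves open.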


Reference: Cowley, S. (2012). If you're using 'Password1,' change it. Now. CNN Money. Retrieved from http://money.cnn.com/2012/03/01/technology/password_security/index.htm