676 Chapter 12 • Operational and Organizational Security: Policies and Disaster Recovery
While each of these policies addresses an individual topic, together they enhance the security of an organization as a whole.
Restricted Access Policies
Access can be controlled in a variety of ways. When determining access levels for employees, it is important that each user only receive the minimum access required to do their job. Anything more is a security risk.
Determining what level of security a user needs to perform their job usually requires some investigation. All users of a network may have their own personal directories for storing files, but may need additional access to databases, programs, and files stored on various servers. To determine how much access a user or group needs, the user’s duties should be discussed with management. Understanding the job a user performs enables the administrator to determine what resources the user will require access to.
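The check that falls out of this discussion is a least-privilege audit: once each job role's minimum resource needs have been agreed with management, compare what every user actually holds against that baseline and report the excess. The script below is an added example, not code from the book; the role names, users and permission strings are constructed sample data standing in for an export from a directory or database.

```python
"""Least-privilege audit: flag grants that exceed what a user's job role needs.

Added example for the restricted-access policy discussion. ROLE_NEEDS and
CURRENT_GRANTS are constructed sample data, not taken from any real system.
"""
from typing import Dict, List, Set, Tuple

# Hypothetical role baselines: the minimum resources each job requires.
# In practice these are agreed by discussing each role's duties with management.
ROLE_NEEDS: Dict[str, Set[str]] = {
    "payroll_clerk": {"home_dir", "payroll_db:read", "payroll_db:write"},
    "sales_rep": {"home_dir", "crm_db:read", "pricing_share:read"},
    "helpdesk": {"home_dir", "ticketing:read", "ticketing:write"},
}

# Constructed snapshot of what users actually hold: (role, granted resources).
CURRENT_GRANTS: Dict[str, Tuple[str, Set[str]]] = {
    "alice": ("payroll_clerk", {"home_dir", "payroll_db:read", "payroll_db:write"}),
    "bob": ("sales_rep", {"home_dir", "crm_db:read", "pricing_share:read", "payroll_db:read"}),
    "carol": ("helpdesk", {"home_dir", "ticketing:read"}),
}


def audit_user(role: str, granted: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (excess, missing) relative to the role's minimum requirements.

    Excess grants are the security risk the text warns about; missing grants
    matter too, because an under-provisioned user tends to borrow someone
    else's account to get the job done.
    """
    needed = ROLE_NEEDS[role]
    return granted - needed, needed - granted


def audit_all(grants: Dict[str, Tuple[str, Set[str]]] = CURRENT_GRANTS) -> List[str]:
    """Produce one finding line per deviation, sorted for stable review output."""
    findings: List[str] = []
    for user, (role, granted) in sorted(grants.items()):
        excess, missing = audit_user(role, granted)
        for perm in sorted(excess):
            findings.append(f"{user}: EXCESS {perm} (not required for {role})")
        for perm in sorted(missing):
            findings.append(f"{user}: MISSING {perm} (required for {role})")
    return findings


if __name__ == "__main__":
    for line in audit_all():
        print(line)
```

Running it lists bob's read access to the payroll database, which his sales role does not need, and carol's missing write access to the ticketing system. The same two set differences work against any exported grant list once the role baselines exist.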
The Internet is another area where restricted access may be necessary. Many sites have areas that contain information that is limited to a selected group of users. Corporate Web sites may have sections for employees, where they are required to enter a username and password to view information on pensions, employee discounts, and other confidential or restricted information. Another common requirement for restricted access on Web sites involves “members only” access, where customers pay for access to information, files, or other data that isn’t available to the public at large. Generally, individual usernames and passwords are all that’s required to prevent unauthorized users from accessing these sections.
More elaborate security is needed if the data being accessed is sensitive enough, or if users need to access resources on an internal network from the Internet or over dial-up connections. Virtual Private Networks (VPNs) may be used in a company, allowing authorized users to connect over the Internet to access files, programs, and other network resources. Using tunneling protocols like Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP), remote clients can access resources over an encrypted connection. Two-factor authentication, using a username and password combined with a PIN or some other identifier, may also be used to authenticate users. For example, RSA Security provides an authentication method called SecurID, where users have a token (a piece of hardware with a digital display) that generates a different numeric code every sixty seconds or so. This code is different for each token, and corresponds to a number generated on a server. When a user logs in over a VPN or remote connection, he or she must enter a username, PIN, and the number provided by the token.
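To show both halves of the token login just described, the following added example implements the token side (what the display shows at a given moment) and the server side (PIN check plus a time-windowed code check with replay rejection). It is not the book's code and not RSA's: SecurID uses a proprietary algorithm, so the open TOTP scheme from RFC 6238 (HMAC-SHA1 over a time counter) is used here as a stand-in, with the step set to sixty seconds to match the text. The user record, seed and PIN are constructed sample data.

```python
"""Time-synchronized token code: what the token shows, and how a server checks it.

Added example, not from the book. RSA SecurID's algorithm is proprietary; this
uses RFC 6238 TOTP (HMAC-SHA1, 60-second step) as an open stand-in. The user,
seed and PIN below are constructed sample data.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional

STEP_SECONDS = 60   # the text's "every sixty seconds or so"
DIGITS = 6

# Constructed seed shared between the hardware token and the server at provisioning.
SEED_ALICE = b"constructed-seed-for-alice-0001"


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """PINs are stored hashed, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


# Server-side user store (constructed). last_counter blocks replay of an accepted code.
USERS: Dict[str, dict] = {
    "alice": {
        "seed": SEED_ALICE,
        "pin_salt": b"alice-salt",
        "pin_hash": _hash_pin("2468", b"alice-salt"),
        "last_counter": -1,
    }
}


def code_for_counter(seed: bytes, counter: int) -> str:
    """HOTP-style truncation of HMAC-SHA1(seed, counter) to DIGITS decimal digits."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def token_code(seed: bytes, now: float) -> str:
    """Token side: the number displayed at Unix time `now`."""
    return code_for_counter(seed, int(now) // STEP_SECONDS)


def verify_login(username: str, pin: str, code: str, now: float, window: int = 1) -> bool:
    """Server side: accept only if the user exists, the PIN matches, and the
    code matches the current time step or an adjacent one (clock drift), and
    that step has not already been used (replay)."""
    user: Optional[dict] = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(user["pin_hash"], _hash_pin(pin, user["pin_salt"])):
        return False
    base = int(now) // STEP_SECONDS
    for counter in range(base - window, base + window + 1):
        if counter <= user["last_counter"]:
            continue  # already consumed: reject replay of an old code
        if hmac.compare_digest(code_for_counter(user["seed"], counter), code):
            user["last_counter"] = counter
            return True
    return False


if __name__ == "__main__":
    import time
    shown = token_code(SEED_ALICE, time.time())
    print("token displays:", shown)
    print("login accepted:", verify_login("alice", "2468", shown, time.time()))
```

The ±1 step window is what keeps a slightly drifted token usable without letting codes live indefinitely, and recording the last accepted counter ensures a code captured in transit cannot be submitted a second time. The PIN is something the user knows; the code is something the user has, which is why both are required.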
www.syngress.com