Another question real world question

A user's password and login information is mistakenly shared with 2 other users in an office. Which of the following controls does this event affect and how?

A. Identification
B. Authentication
C. Authorization
D. Accountibility
E. Auditing

Find more posts tagged with

Comments

crap I forgot my old pwd

hmm...yes, I too would like to know the answer to this. In a sense, it affects all of them.

JDMurray

Hmmmm....I'll say B, C, D, and E. Login names and password are authentication information that is used to determine access controls (authorization), establish accountability for actions, and used as auditing information.

However, simply knowing a login name and password does not confirm or verify the identity of the person (or process) logging in. Identity can't be truly confirmed only through "something you know."

Ten9t6

jdmurray wrote:

Hmmmm....I'll say B, C, D, and E. Login names and password are authentication information that is used to determine access controls (authorization), establish accountability for actions, and used as auditing information.

However, simply knowing a login name and password does not confirm or verify the identity of the person (or process) logging in. Identity can't be truly confirmed only through "something you know."

But, knowing that username and password does verify your identity to the system that you are accessing. While it is not your username and password or identity, the system will still authenticate you...if those are valid logins. You should use some sort of multifactor authentication to help against this. So, even if you have a username and password, you can't access the system without something like a ....token. Either one by themselves are useless.

To answer the original question...It affects all of them. I will wait until others answer to give my reasons.

Kenny

determinedgerman

I say that A, D and E are affected the most.

I base this on the assumption that all three users probably are supposed to have the same level of access to the system.

A.)Identification: With only one user name and one password identification is no longer possible because it could be either of the three users logging in. In case something on the system will be screwed up it will not be possible to determine who out of the three screwed up.

D.)Accountability:Accountability is no longer valid since the system will not be able to differentiate between the 3 users.

E.)Auditing: Auditing is going to be affected for the same reason. Nobody is going to be able to figure out who screwed the system up because it could be either one of the three but since there is no differentiation between the three users auditing is worthless.

The system will still authnticate and authorize all three of them the same way as based on the username and password. Therefore if the assumption is correct that all three users do have the same access levels those A,D and E are my answers.

keatron

jdmurray wrote:

However, simply knowing a login name and password does not confirm or verify the identity of the person (or process) logging in. Identity can't be truly confirmed only through "something you know."

This demonstrates the biggest weakness in single factor authentication (where the password is supposedly the "something you know" authenticator). This is presents a good case for the implementation of two factor authentication. For example, a password and biometrics, (which would be the something you know and something you are scenario) or a password and something like an RSA SecureID card (which would be something you know and something you have).

I should have pointed out that this would be one of the "choose all that apply" questions. I apologize for that, and Kenny is right. In reality, they are all affected. Even though the user name is simply a form of identification not authentication, it is still important and affected in this scenario. Once upon a time I didn't think it was such a big deal for someone to find out a username because they still had to guess/crack/figure out the authentication part of the process right? Well once I was introduced to things such as cross site scripting I completely changed my attitude on that!!

jdmurray wrote:

However, simply knowing a login name and password does not confirm or verify the identity of the person (or process) logging in. Identity can't be truly confirmed only through "something you know."

I agree to an extent because both pieces of this access control process are highly susceptable to compromise. However in the world we live in, this is still by far the most utilized means of authentication. And as far as the CISSP and ISC2 are concerned, this is a authentication method (single factor). Kenny hit it right on the head; If there were physically a person in this process for example, you have to show a security guard an ID and then enter a password or keycode, then this single factor authentication (which is also sometimes considered two factor, because the guard effectively checks the "something you are" by looking at you) becomes much more effective as the security guard would be trained (or at least should be) to pick up on things such as body language. Also if you enter the same building every day, using this type of authentication, and see the same guards every day, the likelihood of someone being able to pass themselves off as you are pretty slim. But when we're talking computing/automated systems, they are not descriminatory like a person can be, so if you got a username and password in a single factor system, then you are indeed authenticated.

One piece of advice I can give to the people with experience who are going to sit this exam is to not second guess your instinct to much. I can tell by the answers that mostly everyone really felt that all choices were affected. And in this case, you were right.

Germangiant actually came the closest to completely answering the question because the question is "which are affected and why". But very good answers from all of you.

JDMurray

Ten9t6 wrote:

But, knowing that username and password does verify your identity to the system that you are accessing.

My ATM card and PIN do not establish my identity to the ATM machine; they only provide authentication that a financial transaction can take place. If I give my ATM card and PIN to another person, they are not truly assuming my identity, only my ability to authorize financial transactions under my account.

The problem is that "illicit authentication" has been lumped under the category "identity theft." In my reasoning, stealing and using someone's login name and password is no more identity theft than stealing and using the key to their house. Cards and PINs, login names and passwords, and house keys are examples of "blind trust" devices, and are simply not trustworthy for establishing the true identity of an entity (human or software).