Access controls are features that control how users interact and communicate with systems. Access control and its components control what type of access a user has based on their authorization level.
When it comes to information how do you protect it, and what levels do users need in order to do their jobs? For information to be useful it must be accessible, but what and how this is done is important.
Confidentiality is one of the cornerstones of information security. It gives one the assurance that information was or is not disclosed to unauthorized people. Control mechanisms should be in place to monitor, report and analysis what has been accessed and by whom.
There are three factors of authentication one can use:
In IT there are many different types of technologies one can use to authenticate users and help you manage access controls and each have their strength and weaknesses.
Overall following a standard either created internal, and an international standard. But the goal is to have a standard that can be measured in some way and tracked - meaning reporting tools and protocols that are outlined and easy to follow.
Password Management is one the most used methods for access control. Using password synchronization systems can reduce the user having to remember many different passwords. Also using self-service password reset systems, can help reduce IT support calls. Furthermore, going to a biometrics, or token a system can also help improve security authentications.
Threats on Access Controls can come in many forms:
Password brute force attacks.
Rainbow table type attacks
Social Engineered Attacks
• ISO/IEC 14443-3 Initialization and anticollision
• ISO/IEC 14443-4 Transmission protocol
Of the three main types of Access Control Modals one can use. Discretionary, Mandatory, and Role based. Each has it strength and weaknesses! Once you do a threat analysis you will better understand the type of method will work best for you, be it a "Discretionary Access Control, Identity-Based Access Control, or a Mandatory Access Control model or some type of Hybrid method.
Some of the newer based systems are now using Behavioral-Based, or Heuristic-Based methods that learns how users interact on the system, and can tag errors, and exceptions for further analysis by a trained security people.
But still one of the most effective way to uncover passwords is social engineering, and if you can combine that with some type of hybrid attack like a brute force or dictionary attack....well you know what will happen next!