MET CS 695 Assignment 3
Isaac Ross
ASSIGNMENT INFORMATION
The following is an extract from a corporate security policy (list 1):
10.5.2 LOGON PROCEDURES
It is the responsibility of service providers, system administrators, and application developers to
implement logon procedures that minimize opportunities for unauthorized access. Thresholds and
time periods are to be defined by the Trustee.
Logon procedures should be enabled that disclose the minimum information about the system,
application, or service to avoid providing an unauthorized user with unnecessary assistance.
Logon procedures should:
• Not display system or application identifiers until the logon process has been successfully completed.
• Not disclose/display to the screen the password entered during logon.
• Display a specific warning that the system and/or application should only be accessed by authorized users.
• Not provide help messages during the logon procedure that would aid an unauthorized user.
• Internet-based systems must only request authentication credentials via the HTTP POST method using encryption, such as TLS.
• Validate the logon information only upon completion of all input credentials. If an error condition arises, the system should not indicate which part of the authentication credentials is correct and which part is incorrect.
• Limit the number of unsuccessful logon attempts allowed before an access denial action is taken. Three attempts are recommended and in no circumstances should more than six attempts be allowed.
• Establish thresholds for the maximum number of denial actions within a given period before further unsuccessful logon attempts are considered a security-relevant event. Six attempts by the same logon ID or requesting device in a 24-hour period should be set as an upper threshold. Exceeding thresholds should cause one or more of the following:
  • The authentication device is suspended or rendered inoperable until reset.
  • The authentication device's effectiveness is suspended for a specified time period.
  • Logging of the invalid attempts and/or a real-time alert is generated.
  • A time delay is forced before further access attempts are allowed.
• Limit the maximum time period allowed for the logon procedure. 20 seconds is recommended; however, 30 to 40 seconds may be required for two-factor authentication.
• Disconnect and give no assistance after a rejected attempt to log on.
• Display the following information upon completion of a successful logon:
  • Date and time of the previous successful logon.
  • Details of any unsuccessful logon attempts since the last successful logon.
The following is an extract from a detailed set of corporate security requirements (list 2):
Document Details
University: Boston University
Subject: Information Technology