CIS502 discussion post responses. Respond to the colleagues posts regarding: Access Control Models If you were going to design an access system that would control people getting into your favorite or most valued items (e.g., financial records, health records, or other sensitive files), what things would you consider based on your readings from Chapter 14? Make sure you address all the possible avenues of attack that could be exploited. Remember, security measures are designed to slow and draw attention to attackers. No system can completely prevent a successful attack.   KF’s post states the following:Top of Form Access Control Models If you were going to design an access system that would control people getting into your favorite or most valued items (e.g., financial records, health records, or other sensitive files), what things would you consider based on your readings from Chapter 14? Make sure you address all the possible avenues of attack that could be exploited. Remember, security measures are designed to slow and draw attention to attackers. No system can completely prevent a successful attack.   First of all we need to decide what exactly our defense mechanism is going to protect. There are cloud defense mechanisms, network defense, and application defenses to name a few (I’m using all three for my MOST FAVORITE ITEM!). As many students have discussed the defense in depth approach is great. The layered security measures are an excellent way to acknowledge security within an enterprise environment. I would like to get more into that layered approach and the different layers of the “castle” if you will. Regarding access systems and the defense in depth approach, physical, technical, and administrative controls need to be implemented. Physical DiD: Locked doors, security cameras to organizational assets, barriers to prevent collisions, proper lighting within areas that should be lighted. Hacking Physical DiD: Locked doors <brute force: through wall> were breaking in so screw it! Security cameras can be accessed remotely prior to hacking the system or accessed within the LAN after jacking into the source. Barriers can be bypassed with the right mapping, and lighting, again, if connected on a server can be bypassed with jacking in and the proper scripting. Technical DiD: As we all have learned AV software, IDS, IPS, SIEM’s, Logging and Monitoring would all be considered Technical DiD aspects. Hacking DiD: AV software can be manipulated with Advanced Evasion Tactics (AET). IDS and IPS are useless once inside of the LAN, were jacked in hard already so were fine there. SIEM’s can be tricky, but the right script will erase all logs so we were technically never even there (locally or remotely). Administrative DiD: Administrative DiD would consist of access controls for users, privilege settings,super userconfigurations, what programs can be executed/read/write/run. File access, server access, server access locations, file access locat ...

1. CIS502 discussion post responses.
Respond to the colleagues posts regarding:
Access Control Models
If you were going to design an access system that would control
people getting into your favorite or most valued items (e.g.,
financial records, health records, or other sensitive files), what
things would you consider based on your readings from Chapter
14? Make sure you address all the possible avenues of attack
that could be exploited. Remember, security measures are
designed to slow and draw attention to attackers. No system can
completely prevent a successful attack.
KF’s post states the following:Top of Form
Access Control Models
If you were going to design an access system that would control
people getting into your favorite or most valued items (e.g.,
financial records, health records, or other sensitive files), what
things would you consider based on your readings from Chapter
14? Make sure you address all the possible avenues of attack
that could be exploited. Remember, security measures are
designed to slow and draw attention to attackers. No system can
completely prevent a successful attack.
First of all we need to decide what exactly our defense
mechanism is going to protect. There are cloud defense
mechanisms, network defense, and application defenses to name
a few (I’m using all three for my MOST FAVORITE ITEM!).
As many students have discussed the defense in depth approach
is great. The layered security measures are an excellent way to
acknowledge security within an enterprise environment. I would
like to get more into that layered approach and the different
layers of the “castle” if you will. Regarding access systems and

2. the defense in depth approach, physical, technical, and
administrative controls need to be implemented.
Physical DiD: Locked doors, security cameras to organizational
assets, barriers to prevent collisions, proper lighting within
areas that should be lighted.
Hacking Physical DiD: Locked doors <brute force: through
wall> were breaking in so screw it! Security cameras can be
accessed remotely prior to hacking the system or accessed
within the LAN after jacking into the source. Barriers can be
bypassed with the right mapping, and lighting, again, if
connected on a server can be bypassed with jacking in and the
proper scripting.
Technical DiD: As we all have learned AV software, IDS, IPS,
SIEM’s, Logging and Monitoring would all be considered
Technical DiD aspects.
Hacking DiD: AV software can be manipulated with Advanced
Evasion Tactics (AET). IDS and IPS are useless once inside of
the LAN, were jacked in hard already so were fine there.
SIEM’s can be tricky, but the right script will erase all logs so
we were technically never even there (locally or remotely).
Administrative DiD: Administrative DiD would consist of
access controls for users, privilege settings,super
userconfigurations, what programs can be
executed/read/write/run. File access, server access, server
access locations, file access locations, posting, authorizing,
singular or dispersed shared controlling, and anything related to
admins of the service.
Hacking Administrative DiD: Admins are known to be attacked
because of their levels of privilege within a system. If the
admin is hacked then so is the 100k users of the system as well.

3. The admin also has full access controls to upload files, make
changes, and execute malicious code within a system. From an
attacker’s perspective, we need that! Makes everything so much
easier, let’s just social engineering, zero day an application, or
password re-use attacks from old leaks, take the account, and
secure remote connection.
My ITEM! At this point the item is irrelevant, it’s the means to
get to the item that is important. I would have a concrete steel
reinforced door barricaded by a structure, a safe…maybe? I’m
creative so I’m thinking more of a barrier inside of a barrier.
The first layer would be accessible through a network while the
second layer located inside the steel plating and concrete
structure would be a faraday cage. Within my safe would lie all
the servers that would be connected to the entire structure while
my security controls such as my safe lock would be located
inside of my faraday cage (closed loop circuit). My network
would be more of a counter attack setup opposed to a defense
mechanism. I say this because if I am being attacked, what’s
going to detour the attackers from my system? An attack on
theirs! Evolved AI would be utilized to do this. I would of
course have Advanced AV software capable of recognizing
source code modifications, IDS and IPS with real time
monitoring, logging, and reporting in real time. Snort and
WireShark monitoring any and all connection packets.
Advanced Encryption Standards would be implemented for any
traffic happening. All software being utilized would be fully
patched and up-to-date or removed, Z3r0d4ys will not be
tolerated and fully eliminated. Honeypots could also be utilized
to gain knowledge of exploits being utilized in the wild and not
disclosed. Regarding my administrative privileges any software
that can be exploited to gain privilege escalation will be
patched or removed. Passwords would be 64bit key generated
with random numbers and characters changing and only
accessible with the proper authorization through the proper
channels first.

4. JP’s post states the following:Top of Form
First, I would consider the benefits versus cost aspect of it. If
the security type costs more to maintain than the assets being
protected, the security option may need to be re-examined. For
physical items a safe with a lock or digital combination is quite
effective. Now to keep digital personal or business information
safe I would apply a Risk Management Framework (RMF). It
provides information on how risk is to be assessed, resolved,
and monitored. Because hackers and online security threats are
constantly evolving and improving, establishing and
maintaining security awareness is a behavior that needs to be
included in todays day to day practices. Acquiring the services
of a third party such as IDShield can also help in securing
identity theft, of course it isn't free however plans start at
$12.95 monthly depending on the level of protection needed to
secure sensitive information.
Reference
https://www.csoonline.com/article/2125140/metrics-budgets/it-
risk-assessment-frameworks–real-world-experience.html
https://www.idshield.com/?msclkid=f90683bf66f514cc7e0bde73
0ca84a92&utm_source=bing&utm_medium=cpc&utm_campaign
=B_IDS_US_Awareness&utm_term=%2Bprotect%20%2Bidentit
y%20%2Btheft&utm_content=Identity%20Theft%20Protection
CIS510 discussion post responses.
Respond to the colleagues posts regarding:
Object-Oriented Design versus Traditional Approach " Please
respond to the following:
Compare the object-oriented approach to design to the
traditional approach. Give your opinion on whether you believe
there are certain projects where one design approach might be
better that the other. If so, provide an example of one (1) such
project. If not, explain why not.
Give your opinion on which approach discussed in Part 1 of this

5. discussion you believe is easier for you to understand and
explain why.
SR’s post states the following:Top of Form
Compare the object-oriented approach to design to the
traditional approach. Give your opinion on whether you believe
there are certain projects where one design approach might be
better that the other. If so, provide an example of one (1) such
project. If not, explain why not.
In the object-oriented approach, the focus is on capturing the
structure and behavior of information systems into small
modules that combines both data and process. Whereas, the
traditional approach uses traditional projects this approach leads
software developers to focus on the breakdown of larger
algorithms into smaller ones.
In my opinion there are certain projects where one design
approach is better than the other because no project is the same.
However, the object- oriented approach offers the only realistic
solution to the promise of truly distributed client/server
applications. As organizations move to OOD, they are facing
and resolving problems. Nevertheless, if OOD is used properly,
the rewards and benefits can be greater than using traditional
approaches. Just like the adoption of any new technology, there
is a learning curve involved with the adoption of OOD. Instant
and complete submersion in OOD can be disastrous, whereas
carefully planned and scaled adoption of these new technologies
can bring out all the positive advantages that they have to offer.
Give your opinion on which approach discussed in Part 1 of this
discussion you believe is easier for you to understand and
explain why.
For many people, the OOD approach is one of the most poorly
understood things in computer programming. However, for me,
the traditional approach is easier for me to understand. The
traditional approach has a sequential pattern which makes it
easy to follow. Since the projects are easier to follow, it takes
less time in completion and in meeting the timeline

6. successfully.
GO’s post states the following:Top of Form
The concept behind the object-oriented design is that it
creates concepts as objects. In a sense, it gives physical form to
a concept or idea. The process allows for easier explanation of
design and also for the abstraction of the concept into smaller
parts that are easier to develop on a technical level.
(Wazlawick, 2014).
The traditional approach sees concepts as steps in a process.
Each item follows a sequence that flows from one point to the
next in a set way. Inputs, outputs, data storage, and flow, and
processes are the focus of this approach. (Satzinger,2016)
Each approach takes a different point of view when looking
at how to address a problem. It comes down to which approach
will help to give a clearer picture and generate a more useful
solution. When designing SQL databases, the object-oriented
approach would be better. SQL databases are relationship based
in design and require abstraction of data. An object-oriented
way of thinking helps to break down information stored to
manageable pieces and allows for polymorphism in the design.
Satzinger, J. (2016) Systems Analysis and Design in a Changing
World, 7e. [Strayer University Bookshelf]. Retrieved from
https://strayer.vitalsource.com/#/books/9781305465268/
Wazlawick, R. S. (2014). Object-Oriented Analysis and Design
for Information Systems : Modeling with UML, OCL, and
IFML. Amsterdam: Morgan Kaufmann. Retrieved from
https://search.ebscohost.com/login.aspx?direct=true&db=nlebk
&AN=601350&site=eds-live&scope=site