Least privilege is an important concept in IT security because it determines exactly what type of data is accessible to an individual user. Ideally, we would set up rights and permissions so that a single person would have access to only the data necessary to perform their job function. This is not only security at the user level, but it also provides security for your applications. If malware happens to be installed on a system, it would only have the rights and permissions associated with that particular user. That's a good example of how least privilege might be able to contain the destructive nature of malicious software.

We also don't want our users to run with administrative rights. This would obviously provide them with access to data that they should not have access to, but it also allows all applications and malware to do whatever they would like to do on your network.

Another good logical security technique is to use access control lists, or ACLs. An access control list can allow or disallow access through a network, or allow or disallow access to an object in an operating system. You often see ACLs used on a router to determine what traffic should go through a network address translation or be managed by quality of service. We could also set ACLs on a router to control what traffic should be allowed or disallowed through a particular interface.

If you were to look at an ACL on a router, you would see a number of different criteria that we can use to filter this traffic. We could use a source IP address, destination IP address, TCP port number, UDP port number, ICMP, or another type of protocol. Traffic that goes through the router will go through this list to see if any of this traffic matches an existing access control list, and then we can look at the disposition of this ACL to determine whether this traffic should be allowed through the router or if it should be dropped. And as I've mentioned, an ACL can be used in an operating system to allow or disallow access to a file, a directory, applications, or any object in that operating system.

When logging into a device, we commonly use a username and a password. That password is an authentication factor: it's a unique value that is something we only know, or we only have access to, that proves that we are who we say we are. There are many different types of authentication factors. Some are something you are, something you have, something you know, somewhere you are, and something you do. We can use one or many of these authentication factors during the login process to really confirm that you are the right person logging in to this account.

You might carry around a pseudo-random token generator like this one that gives a different number on the screen every 30 to 60 seconds. You would use this during the login process: you would add your username and password, you would then hit the button on this device, and then put in whatever code showed up on the screen. We refer to this as something you have, because you must have this device with you to be able to complete the login.

There are also software versions of these token generators. I use one on my desktop and on my mobile devices so that I can connect from wherever I happen to be. This is still considered something you have, because you have to have your phone with you to be able to use the app that then provides you with the code. This can save you money, because you don't have to give people separate physical code generators; they can simply install a piece of software on their smartphone, and now they always have that software wherever they happen to go.

Another type of authentication can come from SMS, or the Short Message Service. This is effectively text messaging that is used to send you the code. Instead of using an app or an external token generator to log in, you would submit your username and password, which would then send you a text message with another code that you would then input on a separate screen. This confirms that you are the one that has your phone with you, and you have now authenticated using this additional authentication factor.

This is perhaps not the most secure form of an authentication factor, because there are ways for a third party to gain access to that authentication code without having your phone. One of the ways to get around this is your attacker will contact your phone company and have them reassign your number to their phone. Then whenever the SMS message is sent out, it's not going to your phone, but instead going to the attacker's phone. Attackers can also spoof the source of an SMS message, or they can intercept the message that's being sent to you. This obviously creates a less secure form of authentication, which is why some organizations will not use SMS and prefer using a secure app on their smartphone.

Instead of receiving an SMS text message, you might receive a voice call. On the voice call, a computer will talk to you and tell you what the code happens to be, and then you would type that code into your login screen. This has exactly the same problems as an SMS, however, because if somebody does gain access to your phone number, then they can receive that call instead of you. And of course, that phone call might be intercepted or forwarded to another phone, which effectively has the same problem as authenticating with an SMS.

Another common logical security technique is blocking any unsolicited email. We commonly do this at the email gateway that we're using for our organization. Sometimes we can do this with servers that we have on site, or we may be providing this email filtering in the cloud. This allows us to see all of the emails going in and out of our organization. We can see if there are any attachments, we can scan those attachments to see if they might be malicious, and then we can decide what to do with this email if we feel it poses a security risk.
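The router ACL filtering described earlier (matching traffic on source address, destination address, protocol and port, then applying the matching entry's disposition) can be modelled in a few lines. The following is an added example, not code from the lecture or from any router vendor: the rule fields, the top-to-bottom first-match order and the trailing implicit deny are assumptions chosen to mirror how common router ACLs behave, and the addresses are from the RFC 5737 documentation ranges.

```python
# Added example: a minimal first-match ACL evaluator modelled on router ACLs.
# The Rule/Packet fields, first-match ordering and the implicit deny at the
# end of the list are assumptions, not a specific vendor's implementation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source IP address
    dst: str                      # destination IP address
    dport: Optional[int] = None   # destination port; None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp", or "ip" for any protocol
    src: str                      # source network in CIDR form
    dst: str                      # destination network in CIDR form
    dport: Optional[int] = None   # destination port; None means any port

    def matches(self, pkt: Packet) -> bool:
        """True only when every criterion of the rule matches the packet."""
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        # ipaddress membership is False across IP versions, so a v6 packet
        # never matches a v4 rule and vice versa.
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (disposition, index of the rule that decided it).

    Rules are checked top to bottom and the first match wins, so rule order
    matters. A packet that matches nothing is dropped by the implicit deny at
    the end of the list, reported with index None.
    """
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


# Constructed sample ACL for an internet-facing interface.
INBOUND_ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),       # HTTPS to the web server
    Rule("permit", "udp", "198.51.100.0/24", "192.0.2.53/32", 53),  # DNS from one partner network
    Rule("deny", "icmp", "0.0.0.0/0", "192.0.2.0/24"),              # no ICMP into the server subnet
    Rule("permit", "ip", "0.0.0.0/0", "192.0.2.200/29"),            # anything else to the lab range
]

# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.5", "192.0.2.10", 443),
    Packet("tcp", "203.0.113.5", "192.0.2.10", 22),
    Packet("udp", "198.51.100.7", "192.0.2.53", 53),
    Packet("udp", "203.0.113.5", "192.0.2.53", 53),
    Packet("icmp", "198.51.100.7", "192.0.2.201"),   # rule 2 fires before rule 3 could permit it
    Packet("tcp", "198.51.100.7", "192.0.2.201", 22),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        action, idx = evaluate(INBOUND_ACL, pkt)
        where = f"rule {idx}" if idx is not None else "implicit deny"
        print(f"{pkt.proto:4} {pkt.src:>14} -> {pkt.dst:<14} port {pkt.dport!s:>5}: {action} ({where})")
```

The ICMP packet to 192.0.2.201 is the case worth studying: the lab range in rule 3 would permit it, but the broader deny in rule 2 sits above it and fires first, which is exactly why the order of ACL entries has to be reviewed along with their contents.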