Access Control Mechanisms
Discuss the Security Architecture Based on Defense.
Microsoft Word, the graphical word processor developed by Microsoft and used worldwide, is a component of the Microsoft Office productivity suite. The usability of Microsoft Word depends on the version of Microsoft Office, and so does its security system, which evolves from time to time. All of the applications in the Office suite except PowerPoint contain some level of encryption. In spite of the encryption that Microsoft Word possesses, hackers still try to break into it (Mavroeidakos, Michalas & Vergados, 2016). This report focuses on one such attempt: an attacker who wants to view the contents of a Microsoft Word file that the attacker has no right to view and no access to. The report has two parts. The first part covers the credential brief of the assignment, the operation of the access control mechanisms and the core security mechanisms that Windows implements to stop the attacker. The second part discusses the case in which the attacker gains administrator access to the Word files, including the failure of the existing architecture, the operation of the control mechanism and the core security mechanisms that Windows implements to stop the attacker.
The attackers who target these Microsoft Word documents have no right to access them; rather than obtaining that right, they break into the system illegally (Niemelä, 2017). Breaking into a secured system and the networks around it, however, requires a standard level of expertise. The scenario rests on the following credentials of the system:
- Absence of exploitable vulnerabilities: The Microsoft Word documents that the attacker is trying to reach through unauthorized access have no vulnerabilities and cannot easily be exploited to gain access.
- Attacker possesses a non-privileged account on the system: The attacker trying to gain access to the Microsoft Word file has no authorized account on the system (Padmaja & Seshadri, 2016) and instead holds only a non-privileged account.
- Lack of permission to access the file: Under the architectural division of Microsoft Word, no permission is granted that would let a malicious attacker access the files.
- No permission for changing controls: The attacker is not permitted to change the controls directly, so any change the attacker makes to the Microsoft Word files must be indirect.
- No possibility of physical harm to the system: The attacker cannot harm the system in any physical way. The system that secures the Microsoft Word file is therefore impermeable, so the attacker cannot harm it by any means.
An access control mechanism is a set of controls that restricts access to certain resources (Peiris, Balachandran & Sharma, 2018). There are various kinds of access control; for Microsoft Word security under the Windows access control mechanisms, the logical access controls are the ones considered. They are described in detail below:
- Discretionary Access Control (DAC): This mode works at the discretion of the user, who uses his or her own judgement to grant access rights over the resources to those he or she considers trustworthy. One of the primary examples of DAC is the Access Control List (ACL).
- Mandatory Access Control (MAC): In this mechanism the owners or users do not decide who may access the files. The operating system takes on the task of deciding the access controls, which overrides the wishes of the owners or users (Rathi et al., 2016). Under MAC every user and resource is classified with a security label, and these labels decide to whom access is granted.
- Role-Based Access Control: This mechanism has created a new buzz in the business world. It grants access to subjects or users according to the role they serve in a defined area or organization, and for this reason it is also known as Non-Discretionary Access Control.
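The three models above, applied to the report's scenario of a non-privileged account requesting a Word file, as an added Python example (not code from the original report or from Windows). The users, labels, roles and the simplified first-match ACL rule are constructed assumptions; Windows' own ACL evaluation is more involved.

```python
from dataclasses import dataclass, field

# Constructed sample model: every name, label and role here is an assumption.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}
ROLE_RIGHTS = {"editor": {"read", "write"}, "reviewer": {"read"}}

@dataclass
class User:
    name: str
    clearance: str = "public"
    roles: set = field(default_factory=set)

@dataclass
class Document:
    owner: str
    label: str = "public"                      # MAC label, set by the system
    acl: list = field(default_factory=list)    # DAC entries: (kind, user, right)

def dac_allows(user, doc, right):
    """DAC: walk the ACL in order; first matching entry decides, no match denies."""
    for kind, principal, ace_right in doc.acl:
        if principal == user.name and ace_right == right:
            return kind == "allow"
    return False

def mac_allows(user, doc):
    """MAC: the user's clearance must be at least the document's label."""
    return LEVELS[user.clearance] >= LEVELS[doc.label]

def rbac_allows(user, right):
    """RBAC: rights come from the roles held, not from the individual account."""
    return any(right in ROLE_RIGHTS.get(role, set()) for role in user.roles)

def grant(actor, doc, user, right):
    if actor.name != doc.owner:    # only the owner has discretion over the ACL
        raise PermissionError("only the owner may change the ACL")
    doc.acl.insert(0, ("allow", user.name, right))

def verdicts(user, doc, right):
    return {"dac": dac_allows(user, doc, right), "mac": mac_allows(user, doc),
            "rbac": rbac_allows(user, right)}

alice = User("alice", clearance="confidential", roles={"editor"})
guest = User("guest")                          # the non-privileged account
report = Document(owner="alice", label="confidential", acl=[("allow", "alice", "write")])

if __name__ == "__main__":
    print(verdicts(guest, report, "read"))   # no ACL entry, low clearance, no role
    grant(alice, report, guest, "read")      # the owner uses her discretion
    print(verdicts(guest, report, "read"))   # DAC now allows, MAC still refuses
```

The second result shows the difference the list describes: the owner can open the file to the guest under DAC, but the system-assigned label still refuses the request under MAC.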
Security Features for Microsoft Word Files
In contemporary times, people who use Microsoft Word are very concerned about the security hazards to the information they share. This concern exists because of vulnerabilities in data security that fail to preserve the confidentiality, integrity, authenticity and availability of the contents.
Security is considered one of the primary components of the current version of Microsoft Office, and this extends to the Microsoft Word application as well. The access control systems defined by Microsoft help to secure the important parts of the operating system under which Microsoft Office runs (Sawicki et al., 2016). These access controls not only govern access to files but also ensure that only authorized users can make designated changes to the system. Windows offers access controls over the files of the applications in Microsoft Office. Two approaches are used to monitor access control in a Windows system (Varadharajan et al., 2018), described as follows:
- Common-level Access Monitoring: This approach gives simple access control and an easy method of allocating resources. It grants access to resource files only as either Read-Only Access or Full Access.
- User-level Access Monitoring: Windows applies access control to requests from authenticated users, which helps secure the allocated network resources. The security holder in the system grants authorization, but only to authorized users (Susanto, Kang & Leu, 2016). Users are authenticated by validating their username and password, which are then checked against the user account details saved in the internet service provider’s records.
In spite of the access controls that Microsoft Word and Windows provide, the attacker gains access to the files by acquiring administrative access over the security systems (Caelli & Janczewski, 2016). This has led many organizations to doubt the access control systems, as there have been many occurrences of attackers accessing files. After investigating the current data gaps, it has been found that a different approach must be taken to the security systems that Microsoft Word predominantly uses today (Tao et al., 2017). If the old security system is followed, there is a chance that data protection might again be unattainable under the current circumstances. The attacker might again succeed in gaining administrative control over files that are otherwise secured against such attackers.
This shows that the traditional systems for restricting access to Microsoft Word files are vulnerable to threats that let attackers gain administrative access to the files (Zulkefli et al., 2015). The situation has reached a point that requires a different approach to the information security techniques protecting the access controls on the files created in Microsoft Word under the Windows operating system.
Existing Security Architecture of Microsoft Word
The vulnerability in the traditional security architecture lets attackers obtain administrative rights over Microsoft Word files in spite of the existing security systems (Langer, 2016). A new security architecture can therefore be suggested to replace the existing one and provide a better-secured environment against attackers. This is the OSI Security Architecture, which has the ability to prevent attackers from gaining administrative access to the files.
This security framework can be defined by design artefacts that illustrate the safety arrangements and their interconnection in the overall plan of the systems. The modified security architecture can be denoted as the OSI Privacy Architecture. It prohibits the security attacks that malicious attackers direct at the access systems of Microsoft Word governed by the Windows architecture (Kostopoulos, 2017). The OSI architecture prohibits attacks on the security system especially when system administration and the file access system need securing. One of the most important security services offered by the OSI security architecture is X.800 (Khadim et al., 2015). The X.800 service is built on the protocol layer generally used by communicating open systems. It ensures that security systems sufficient to protect both the networks and the devices are present.
The service also has important features that help maintain the security of the system: confidentiality and integrity of data, availability of services, authorization of services, non-repudiation, authenticity of digital signatures, traffic padding and routing control, all of which help protect the information from attackers (Karmakar et al., 2016). Together these cause a malicious attacker to lose authorized access to a Windows network and, further, authorization to a Microsoft file.
Although the OSI security architecture offers many advantages in securing the Windows model and Microsoft Word files, it also has disadvantages. As the number of security levels of authority, that is, the information security authorization levels, increases, the authorization of the security systems becomes restricted (Dänekas et al., 2016). The initial security systems also face restrictions when more levels of security are added to them, and the added layers make the access control functions harder for users to use.
Limitations of the Existing Security Approach
It can thus be concluded that, in spite of the successful access controls that Microsoft Word previously possessed, malicious attackers can still impose security issues and vulnerabilities on the system. Two situations were assumed: in the first, the security system provides secured access control that keeps the files safe; in the second, the malicious attackers succeed in gaining access control over the files in spite of the security systems. This report has focused on such an attempt by an attacker who wants to view the contents of a Microsoft Word file that the attacker has no right to view and no access to. It was done in two parts. The first part consists of the credential brief of the assignment, the operation of the access control mechanisms and the core security mechanisms that Windows implements to stop the attacker. The second part discusses the case in which the attacker gains administrator access to the Word files, including the failure of the existing architecture, the operation of the control mechanism and the core security mechanisms that Windows implements to stop the attacker. The report concludes with a suggestion of another impermeable and non-vulnerable security system for the files, together with the limitations of that security approach.
Caelli, W., & Janczewski, L. J. (2016). Security of Small Countries: Summary and Model. In Cyber Conflicts and Small States (pp. 197-216). Routledge.
Dänekas, C., Neureiter, C., Rohjans, S., Uslar, M., & Engel, D. (2014). Towards a model-driven-architecture process for smart grid projects. In Digital enterprise design & management (pp. 47-58). Springer, Cham.
Karmakar, K. K., Varadharajan, V., Tupakula, U., & Hitchens, M. (2016, April). Policy based security architecture for software defined networks. In Proceedings of the 31st Annual ACM Symposium on Applied Computing (pp. 658-663). ACM.
Khadim, U., Khan, A., Ahmad, B., & Khan, A. (2015). Information hiding in text to improve performance for word document. International Journal of Technology and Research, 3(3), 50.
Kostopoulos, G. (2017). Cyberspace and cybersecurity. Auerbach Publications.
Langer, A. M. (2016). Cyber Security, ISO 9000, and the Software Development Life Cycle. In Guide to Software Development (pp. 341-354). Springer, London.
Mavroeidakos, T., Michalas, A., & Vergados, D. D. (2016, April). Security architecture based on defense in depth for Cloud Computing environment. In Computer Communications Workshops (INFOCOM WKSHPS), 2016 IEEE Conference on (pp. 334-339). IEEE.
Niemelä, J. (2017). U.S. Patent No. 9,779,267. Washington, DC: U.S. Patent and Trademark Office.
Padmaja, K., & Seshadri, R. (2016). A review on cloud computing technologies and security issues. Indian Journal of Science and Technology, 9(45).
Peiris, C., Balachandran, B., & Sharma, D. (2018). Cloud computing tipping point model. GSTF Journal on Computing (JoC), 1(1).
Rathi, N., De, A., Naeimi, H., & Ghosh, S. (2016). Cache bypassing and checkpointing to circumvent data security attacks on STTRAM. arXiv preprint arXiv:1603.06227.
Sawicki, M., Namba, K. A., Jones, B., & Pratley, C. (2016). U.S. Patent No. 9,256,753. Washington, DC: U.S. Patent and Trademark Office.
Susanto, H., Kang, C., & Leu, F. (2016). A Lesson Learn from IT as Enable of Business Process Re-Design.
Tao, Y., Zhang, Y. X., Ma, S. Y., Fan, K., Li, M. Y., Guo, F. M., & Xu, Z. (2017). Combining the big data analysis and the threat intelligence technologies for the classified protection model. Cluster Computing, 20(2), 1035-1046.
Varadharajan, V., Karmakar, K., Tupakula, U., & Hitchens, M. (2018). A Policy based Security Architecture for Software Defined Networks. arXiv preprint arXiv:1806.02053.
Zulkefli, Z., Singh, M. M., & Malim, N. H. A. H. (2015, June). Advanced Persistent Threat Mitigation Using Multi Level Security–Access Control Framework. In International Conference on Computational Science and Its Applications (pp. 90-105). Springer, Cham.