ESET launches psychometric test to uncover visionary thinkers across the world

BRATISLAVA, December 6th, 2022 – ESET, a global leader in cybersecurity, today announces the launch of the Progress Personas psychometric test, developed in partnership with The Myers-Briggs Company, a pioneer in personality and professional development assessments. The test is designed for the curious and inquisitive, with the questionnaire allowing individuals to identify where they fit on the scale of visionary thinkers.

The Progress Personas test is designed to understand what makes people tick, innovate, and push society forward. After responding to a series of short questions, individuals will be provided with a bespoke report outlining the likely strengths and weaknesses of their forward-thinking personalities. The reports detail the specific innovative persona type they fall into, including The Changemaker, Flex Fury, Authentic Dynamo, Power Pro, Firestarter, Captain Conventional, Doctor Constant, The Chameleon, or The Inventor.

“We live in a changing world where we need to adapt and be resilient in order to progress. ESET believes that any inquiring mind has a role to play in contributing to progress that keeps the world turning,” comments Ignacio Sbampato, Chief Business Officer at ESET. “Everyone has different ways of being progress-minded. This psychometric test will highlight an individual’s forward-thinking persona and provide hints and tips to help reach their full potential. We’re excited to be partnering with a respected institution like The Myers-Briggs Company, to bring something insightful and fun to our global audience.”

“ESET places immense importance on the development of science and technology around the world. Whilst progress comes in many shapes and forms, it is important to protect it. ESET is proud to have been at the forefront of protecting progress for more than three decades,” adds Sbampato.

The psychometric test was developed in coordination with the company that publishes the famed Myers-Briggs Type Indicator® (MBTI®) assessment that reveals the differing psychological preferences in how people perceive the world and make decisions. The MBTI assessment indicates a person’s preference in four separate categories: Extraversion or Introversion, Sensing or Intuition, Thinking or Feeling, and Judging or Perceiving. The framework was developed in the 1940s by Katharine Cook Briggs and her daughter, Isabel Briggs Myers, who were inspired by Swiss psychiatrist Carl Jung’s book Psychological Types.

“The Progress Personas assessment has been developed to be a reliable measure of innovation style and resilience,” comments John Hackston, head of Thought Leadership at The Myers-Briggs Company. “By combining the scores of these two dimensions, the report gives people a unique insight into their individual style of achieving progress — their progress persona.”

The Progress Personas test follows ESET’s Heroes of Progress Awards which were announced in September, designed to shine a light on the visionary thinkers helping to make our planet a better place.

To take the free psychometric test, please visit: https://www.eset.com/int/progress-protected/heroes-of-progress/progress-persona-test/

To learn more about how ESET keeps progress protected, please visit: https://www.eset.com/hk/progress-protected/

To learn more about The Myers-Briggs Company, please visit: https://eu.themyersbriggs.com/

About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

Top 7 Types of Phishing Attacks and How to Prevent Them

Social engineering, in the context of information security, is the set of practices attackers use to manipulate users into taking actions that go against their own interests, exploiting the users' vulnerability and lack of knowledge for the attacker's benefit.

One of the main types of social engineering is phishing, and it keeps growing. According to the Verizon 2022 Data Breach Investigations Report, 20% of the data breaches in the surveyed period involved phishing.

These numbers show why it matters to know the different types of phishing and how to avoid this threat – the topics covered in this article. To make it easier to follow, the text is divided into the following sections:

  • What Is Phishing?
  • How Phishing Works
  • Top 7 Types of Phishing Attacks
  • Common Phishing Signs
  • Best Practices for Preventing Phishing Attacks
  • senhasegura GO Endpoint Manager: The Solution to Protect Against Phishing Attacks
  • About senhasegura
  • Conclusion

Enjoy the reading!

What Is Phishing?

Phishing is a very common type of social engineering in which hackers impersonate legitimate entities or trusted people to manipulate their victims and ask them to perform certain actions, such as providing sensitive information or clicking on malicious links.

Social engineering attacks such as phishing are present in almost all cybersecurity incidents and often involve other threats, such as network attacks, code injection, and malware. 

How Phishing Works

Typically, cybercriminals use means such as social media to gather data from their victims, such as names, roles, interests, and email addresses. 

Then, this information is used to create a false message on behalf of a trusted entity, such as banks, the victim’s workplace, or the victim’s university.

The message asks the user to download a malicious attachment or click a link to a malicious website, which then collects confidential information such as usernames, passwords, and bank details.

Some attackers use inappropriate fonts, logos, and layouts in phishing emails, making it easier to identify them as such, but cybercriminals are increasingly getting better at this, making their messages look authentic.

Top 7 Types of Phishing Attacks

Here are the top 7 types of phishing used by cybercriminals to manipulate their victims:

Deceptive Phishing

Deceptive Phishing is the most common among types of phishing. In it, attackers impersonate a legitimate entity to access their victims’ personal data or login credentials, using messages with threats and a sense of urgency to manipulate them.

Here are some common techniques used in Deceptive Phishing:

  • Use of legitimate links in emails, including contact information of the organization being impersonated;
  • Combination of malicious and non-malicious code to evade Exchange Online Protection (EOP). It is possible, for example, to replicate the CSS and JavaScript of a tech company's login page to steal users' account credentials;
  • Use of shortened URLs to deceive Secure Email Gateways (SEGs) and "time bombing" to redirect users to a phishing landing page only after the email has been delivered;
  • Altering an HTML attribute of a brand logo so that email filters do not detect the reuse of the company's imagery;
  • Emails with minimal content, often in image form, to avoid detection.

Spear Phishing

Spear Phishing also uses email, but this model is more targeted. In practice, hackers use open-source intelligence (OSINT) to gather publicly available company data.

Then they focus on specific users, using this information to make the victims believe the message comes from someone within the organization, which makes it easier to get their requests fulfilled.

To identify Spear Phishing, one needs to be aware of unusual insider requests, shared drive links, and documents that require a user login ID and password.

Whaling

Whaling is also among the types of phishing that use OSINT. Known as Whale Phishing, Whale Fraud, or CEO Fraud, this type of attack consists of identifying the name of the organization's CEO through social media or the corporate website and sending victims a message posing as that person and making requests.

To identify this type of attack, pay attention to abnormal requests made by leaders who have never sent this type of message before, for example. Moreover, it is important to verify that the message has not been sent to or via a personal email account.

Vishing

Vishing is voice phishing, which happens when a cybercriminal contacts their victims by phone to awaken their sense of urgency and make them respond to their requests.

To identify Vishing, it is worth checking whether the phone number used is from an unusual or blocked location, whether the time of the call coincides with a stressful event, such as tax filing season, and whether the personal data requested is unusual.

Smishing

Smishing is an evolution of Vishing that uses text messages; a typical message asks the user to take an action about a delivery, such as clicking a link that installs malware on the device.

One can spot it by checking the delivery status directly on the carrier's website or by comparing the sender's area code with one's contact list.

Pharming

Pharming is among the most difficult types of phishing to identify. It consists of hijacking Domain Name System (DNS) resolution so that a user who types the legitimate website address is sent to a malicious domain instead.

To protect yourself against this type of attack, look for websites that use HTTPS, not HTTP, and be aware of indications that the website is fake, such as strange fonts, spelling errors, or mismatched colors.

Angler Phishing

Angler Phishing is a type of attack in which malicious users send notifications or messages in a social media app to convince their victims to perform certain actions.

In such cases, it is advisable to be careful about notifications of replies added to a post that carry malicious links, direct messages from people who hardly use the app, and links to websites shared in direct messages.

Common Phishing Signs

Keeping an eye out for signs is a way to protect yourself from malicious actors who use different types of phishing to manipulate their victims. The following are the main indications of this threat:

Emails Exploiting a Sense of Urgency

Messages that stimulate immediate action through threats or another way of awakening a sense of urgency should be faced with suspicion. After all, in this context, the goal of hackers is to ensure their victims respond to their requests in a hurry, before they can even notice inconsistencies in the email received.

Inadequate Tone

An important feature of phishing is that messages often use inappropriate language and tone. Therefore, if you receive a message from a friend with an overly formal tone, be suspicious.

Unusual Requests

Emails with unusual requests often consist of phishing attacks. In practice, the victim may receive a message asking them to perform an action normally performed by the IT department, for example.

Spelling and Grammar Mistakes

In general, organizations often set up spellchecking of their emails. Thus, it is important to pay attention to spelling and grammatical mistakes that may indicate a phishing attack.

Incompatible Web Addresses

Another way to detect phishing attacks is by comparing the sender's address with previous communication from the same party; a mismatch is a warning sign.

Likewise, hover over a link in an email before clicking on it to see its true destination.

Unexpected Requests

Often, cybercriminals use fake login pages associated with emails that appear to be legitimate. On these pages, they can request financial information, which should in no way be provided by users without them checking the website that allegedly sent the email.
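Several of the signs above can be checked mechanically before a message ever reaches a user's eyes. The following is an added example, not part of the original article, that scores a constructed email for three of them: a Reply-To domain that differs from the From domain, link text that names a different host than the link's real destination (what hovering would reveal), and urgency wording. The sample messages, domains and keyword list are made up; the header names (From, Reply-To, Subject) are standard.

```typescript
// Added example (not from the original article): heuristic scorer for some of
// the phishing signs discussed in the text. The sample messages, domains and
// keyword list are constructed; header names are standard.

interface Indicator {
  sign: string;
  detail: string;
}

const URGENCY_WORDS = ["urgent", "immediately", "within 24 hours", "suspended", "verify now"];

// Return the value of the first header with the given name, if present.
function header(raw: string, name: string): string | undefined {
  const m = raw.match(new RegExp("^" + name + ":\\s*(.+)$", "im"));
  return m ? m[1].trim() : undefined;
}

// Domain part of "Display Name <user@host>" or of a bare address.
function domainOf(address: string | undefined): string | undefined {
  if (!address) return undefined;
  const m = address.match(/@([A-Za-z0-9.-]+)/);
  return m ? m[1].toLowerCase() : undefined;
}

// Host part of an http(s) URL, without relying on a DOM or Node URL class.
function hostOf(url: string): string | undefined {
  const m = url.match(/^https?:\/\/([^\/?#:]+)/i);
  return m ? m[1].toLowerCase() : undefined;
}

function phishingIndicators(raw: string): Indicator[] {
  const found: Indicator[] = [];

  // Incompatible addresses: replies would go to a domain other than the sender's.
  const fromDomain = domainOf(header(raw, "From"));
  const replyDomain = domainOf(header(raw, "Reply-To"));
  if (fromDomain && replyDomain && fromDomain !== replyDomain) {
    found.push({ sign: "Incompatible Web Addresses", detail: "From " + fromDomain + " but Reply-To " + replyDomain });
  }

  // Incompatible addresses: the visible link text names one host while the
  // href points to another (what the user would see by hovering over the link).
  const anchor = /<a\s+[^>]*href="([^"]+)"[^>]*>([\s\S]*?)<\/a>/gi;
  let m: RegExpExecArray | null;
  while ((m = anchor.exec(raw)) !== null) {
    const realHost = hostOf(m[1]);
    const shown = m[2].replace(/<[^>]+>/g, "").trim();
    // Only compare when the link text itself looks like an address.
    if (/\s/.test(shown) || shown.indexOf(".") < 0) continue;
    const shownHost = hostOf(/^https?:\/\//i.test(shown) ? shown : "https://" + shown);
    if (realHost && shownHost && realHost !== shownHost) {
      found.push({ sign: "Incompatible Web Addresses", detail: "link text " + shownHost + " but destination " + realHost });
    }
  }

  // Sense of urgency: pressure wording anywhere in subject or body.
  const lower = raw.toLowerCase();
  const hits = URGENCY_WORDS.filter((w) => lower.indexOf(w) >= 0);
  if (hits.length > 0) {
    found.push({ sign: "Sense of Urgency", detail: "found: " + hits.join(", ") });
  }
  return found;
}

// Constructed sample: sender and reply address disagree, the link's text and
// destination disagree, and the wording presses for immediate action.
const SAMPLE_EMAIL = [
  "From: IT Support <support@example-corp.com>",
  "Reply-To: helpdesk@example-support-mail.net",
  "Subject: URGENT: your account will be suspended",
  "Content-Type: text/html",
  "",
  "<p>Please verify now: <a href=\"https://login.example-verify.net/x\">https://portal.example-corp.com</a></p>",
].join("\r\n");

// Constructed benign message for comparison: no indicator should fire.
const BENIGN_EMAIL = [
  "From: Alice <alice@example-corp.com>",
  "Subject: Lunch menu",
  "Content-Type: text/html",
  "",
  "<p>See <a href=\"https://wiki.example-corp.com/menu\">wiki.example-corp.com</a></p>",
].join("\r\n");
```

Running phishingIndicators over SAMPLE_EMAIL yields three indicators and over BENIGN_EMAIL none. Heuristics like these belong in a mail gateway or a user-reporting workflow as a triage aid; they raise suspicion rather than prove intent, and the keyword list in particular needs tuning to the organization's normal traffic.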

Best Practices for Preventing Phishing Attacks

Here are some best practices to prevent different types of phishing:

Train Your Employees

Educating your employees is the first step you should take to prevent phishing attacks; after all, unprepared people are an easy target for malicious actors. The training must go beyond the traditional approach and cover recent and sophisticated threats.

Use Email Filters

Usually associated with spam, email filters can also flag phishing threats. In practice, an email filter can keep a large share of phishing emails from ever reaching the user.

Ensure Protection Against Malicious Websites

Knowing that organizations filter email to prevent phishing, cybercriminals have increasingly turned to compromising website code.

Website alerts should therefore be installed in browsers so that they point out possible risks to end users.

Limit Internet Access

Another way to reduce the risks associated with malicious websites is to create access control lists, which deny the connection to certain websites and applications to everyone who tries.

Require the Use of Multi-factor Authentication

One of the main goals of cybercriminals is to steal users’ credentials, a risk that can be reduced by using multi-factor authentication (MFA). 

In practice, this mechanism requires the user to use two or more items to authenticate themselves by combining something they know (such as a password), something they have (such as a token), and something associated with who they are (such as fingerprint or facial recognition).

Remove Fake Websites

You can count on solutions that monitor and eliminate counterfeit versions of your website. This way, you can prevent your employees and customers from clicking on malicious links.

Back Up Regularly

It is very common for phishing attacks to be associated with malware, including ransomware, which can impact the productivity of your business if you do not have a data backup program.

senhasegura GO Endpoint Manager: The Solution to Protect Against Phishing Attacks

One of the most effective solutions to prevent different types of phishing is senhasegura GO Endpoint Manager, which allows you to protect computers remotely connected to Windows and Linux endpoints. 

This tool:

  • Allows you to control lists of authorized, notified, and blocked actions for each user, reducing threats related to the installation of malicious software and privilege abuse;
  • Ensures compliance with regulations such as PCI, ISO, SOX, GDPR, and NIST;
  • Enables provisioning and revocation of access for privileged local users, without having to install any agent on the target device;
  • Records all requests for the use of administrative credentials in session logs; and
  • Allows the segregation of access to confidential information, isolating critical environments and correlating environments.

About senhasegura

senhasegura guarantees the digital sovereignty of organizations. It does this by providing traceability of actions and preventing loss of information on devices, networks, servers, and databases.

Our services are also useful to bring our customers into compliance with audit criteria and strict standards such as PCI DSS, Sarbanes-Oxley, ISO 27001, and HIPAA.

Conclusion

In this article, you saw what phishing is, how this cyberattack works, what the different types of phishing are, and how to identify them. We have also shown the features of senhasegura GO Endpoint Manager and how it contributes to avoiding this threat.  

Do you need this solution in your company? Contact us.

About Segura®
Segura® strives to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

Centralized Identity Management: A Guide

Modern IT environments are incredibly diverse, and while this is great for many reasons, it can also make the IT department’s job more difficult. Today’s environments are often comprised of a mixture of on-prem and cloud resources, corporate owned and BYOD devices, varying device and operating system (OS) types such as Mac, Windows, Linux, iOS, Android, and more.

All of these factors, plus the popularity of hybrid work, add complexity around managing identities and sometimes make it feel like centralized and simplified identity management is out of the question. Luckily, this is not the case at all, though some organizations might need to adjust their infrastructure and tool choices to be more future-proof to achieve a modern and unified identity management strategy. Let’s take a look at why that is and how it can be done.

Centralized Identity Management Barriers

As mentioned above, heterogeneous IT environments can be a problem for IT, because resources live in many different places, employees work from all over the world, and there is a plethora of device and OS types out there.

Here’s how some of these factors affect identity management:

  • Cloud and on-prem resources: It can be hard to get visibility into who has access to what resources, and SaaS apps might not connect to a traditional directory such as Microsoft AD.
  • Hybrid and remote working models: Monitoring, managing, and helping employees that aren’t in the office can be problematic without the proper tools.
  • BYOD: Personal devices typically don’t connect back to traditional directory services, and they are sometimes difficult or impossible to manage.
  • Mac, Windows, and Linux device popularity: Most tools are meant to help you manage certain device types but not others, making it hard to keep track of and secure devices that employees use.

All of these factors and more contribute to an incomplete, decentralized identity management strategy in many organizations. 

Why Centralized Identity Management Is Key

This decentralized approach is often forced on IT, rather than chosen, simply because of the disparate resources that need to be managed on top of the fact that many organizations use outdated or disconnected IT management tools. This strategy (or lack thereof) can quickly turn into a security and compliance nightmare, an unnecessary weight on IT, a fractured employee experience, and a hit to the organization’s bottom line, among other things.

When users and their digital identities are not centrally managed, it’s virtually impossible to get visibility into their resource access privileges, what devices they’re accessing company resources on (whether company-managed or completely unsecured), what problems they might be experiencing, whether their systems are up-to-date or not, and much more. On top of all of this, Shadow IT is as prevalent as ever, which causes even more security hiccups when left unchecked due to poor identity management. 

Considering that 84% of organizations experienced at least one identity-related breach in the past year, you can see how far-reaching the effects of the decentralized identity management problem truly are.

To avoid all of this to the furthest extent possible, IT needs centralized control over all identities, access, and devices, while simultaneously allowing departments and employees the flexibility they need to get work done.

How to Centralize Identity Management

So, the end goal is to provide employees with flexibility in where and how they work, while maintaining the amount of control that you want over their digital identities, access, and devices. To do so, you’ll want to centralize the management of all of these things, as much as possible.

Centralized user management provides IT with the control and visibility over every device, application, and network across the organization, without dictating what resources are the right choice for each group. This strategy saves IT time with easier day-to-day workflows, helps ensure compliance, enhances security, and ameliorates the end user experience.

A modern way to centralize identity management is by adding JumpCloud’s open directory platform to the center of your IT infrastructure. The beauty of an open directory is that it can easily connect to all of your existing infrastructure, as well as any other tools (such as other directories, HR tools, and more) you decide to adopt in the future, allowing your business to evolve and scale with ease. This means that with the JumpCloud Directory Platform, you can centrally manage identities, access, and devices, all from a single, modern platform.

Get complete, centralized visibility into employee identities, what they do or do not have access to, and their devices. With JumpCloud’s identity lifecycle management capabilities, enjoy simplified onboarding and offboarding, add users to groups for easy control, keep devices patched and up-to-date, quickly change access levels, and much more. With this solution, your organization still maintains the flexibility it needs to leverage the best devices, applications, and tools on the market. Plus, you can hire the best talent, regardless of their location, without worrying about how it’ll impact security or how IT will manage them.

JumpCloud

Use JumpCloud to ensure that your identity lifecycle management process is efficient, secure, and complete.

About JumpCloud
At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a directory for your users, their IT resources, your fleet of devices, and the secure connections between them with full control, security, and visibility.

New Subscription Tab

Do you want to view the details of your purchased license? Need to send the license PDF to your CFO? This one is for you. In your dashboard, navigate to Settings -> Subscription. Click the three dots icon at the right to download the report. New and easy license view, just for you!

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Choosing the Right Access Control Model

In my previous article, Code security and safety tips when making guidelines, I mentioned that it is very important to give someone access based on the role assigned in your system. I have also mentioned the 3 most widely accepted access control models: Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Permission Based Access Control (PBAC).

Choosing the right access control model for your project/organization is of great importance from a security point of view. With the proper implementation, you can prevent unauthorized access to the resources. Thus, you can prevent possible attacks.

There are more access control models, and I will try to show you their differences. By doing that, I will help you choose the best model for your application. 

How to determine which access control you should give to the user/employee?

First, you would need to identify the person’s job. Then you would need to authenticate them by their identification, and then you would need to grant a person access to the hardware/software they need. By doing that, you must ensure they have the right level of permission to the organization’s resources to do their job. At this stage, you would need to choose the type of access control model.

Main categorization of access control models

There are 6 main types of access control models:

  • Mandatory Access Control (MAC)
  • Discretionary Access Control (DAC)
  • Role-Based Access Control (RBAC)
  • Rule-Based Access Control
  • Attribute-Based Access Control (ABAC)
  • Risk-Based Access Control

Mandatory Access Control – In this model, access decisions are made only by the system's owner. End users have no rights of their own; the owner decides which resources each user may access. This is the most restrictive of the models.

Because of its restrictive level, this model is used in government facilities and/or the military.

This model is also connected with two security models: Bell-LaPadula and Biba.

Biba allows a user with a lower-level classification to read higher-level information and a user with a higher-level classification to write to lower levels (no read down, no write up); it protects integrity.

Bell-LaPadula allows a user with a higher-level classification to write at their own level but not to lower levels, while they can read at lower levels (no read up, no write down); it protects confidentiality.

If you want to know more about these two security models, check out the Bell-LaPadula and Biba video. You can also check out the Clark-Wilson model, which focuses on upholding integrity.
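To make the two rules concrete, here is an added example that is not part of the original article: the Bell-LaPadula and Biba checks written as functions over an ordered set of labels, behind a single decision function so that every access goes through the same comparison. The level names and the sample checks are constructed; Biba's labels are strictly integrity levels rather than classifications, but the ordering comparison is the same.

```typescript
// Added example (not from the original article): Bell-LaPadula and Biba
// encoded as functions over an ordered set of labels. Level names are
// constructed; Biba's labels are integrity levels, but the comparison is the same.

type Level = "Unclassified" | "Confidential" | "Secret" | "TopSecret";

const LEVEL_ORDER: { [k in Level]: number } = {
  Unclassified: 0,
  Confidential: 1,
  Secret: 2,
  TopSecret: 3,
};

// a dominates b when a is at the same level as b or higher.
function dominates(a: Level, b: Level): boolean {
  return LEVEL_ORDER[a] >= LEVEL_ORDER[b];
}

// Bell-LaPadula (confidentiality): no read up, no write down.
function blpCanRead(subject: Level, object: Level): boolean {
  return dominates(subject, object); // may read at or below own clearance
}
function blpCanWrite(subject: Level, object: Level): boolean {
  return dominates(object, subject); // may write at or above own clearance
}

// Biba (integrity): no read down, no write up.
function bibaCanRead(subject: Level, object: Level): boolean {
  return dominates(object, subject); // may read at or above own integrity level
}
function bibaCanWrite(subject: Level, object: Level): boolean {
  return dominates(subject, object); // may write at or below own integrity level
}

type MacModel = "BLP" | "Biba";
type Op = "read" | "write";

// Single decision point (a reference monitor): every access is routed through
// here, so callers cannot skip the label comparison.
function macDecide(model: MacModel, op: Op, subject: Level, object: Level): boolean {
  if (model === "BLP") {
    return op === "read" ? blpCanRead(subject, object) : blpCanWrite(subject, object);
  }
  return op === "read" ? bibaCanRead(subject, object) : bibaCanWrite(subject, object);
}
```

Reading the two pairs of functions side by side shows why the models are mirror images: Bell-LaPadula keeps information from flowing down to lower clearances, Biba keeps low-integrity data from flowing up into trusted objects.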

Discretionary Access Control – This model leaves access control entirely to the user who owns the resource; it is the opposite of MAC. As you can guess, implementing this model can open the door to many cyber attacks, so you must be well aware of its flaws if you plan to use it.

Role-Based Access Control – This model grants predefined permissions based on the employee's position. It can be tricky if you later need to modify one person's permissions and grant specific access to some resource.

Rule-Based Access Control – This model grants access based on rules. The system administrator manages the rules, checking boxes or adding code in the settings. In a web application, this can be implemented as a settings page with a list of rules, each with a check box; the checked rules are saved as a rule list that can then be assigned to a user or to a custom role.

Attribute-Based Access Control – This model is defined by attributes of the subject, the object, the environment, and the action. The many possible combinations of these attributes can make the implementation considerably more difficult and complex.

Risk-Based Access Control – This model grants access based on a risk evaluation, mainly of the risk profile of the user who is logging in. For example, if the user logs in from a different location than usual, the risk is higher and they will be prompted to authenticate further.
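The following added example, which is not part of the original article, puts the last four models side by side by evaluating one request under an RBAC check, a rule-based check, an ABAC check and a risk-based step-up rule in turn; it generalizes the single login-location example above into a small decision pipeline. The role names, permission table, business-hours rule, attribute names, risk threshold and the sample subjects and resources are all constructed for illustration.

```typescript
// Added example (not from the original article): one request evaluated under
// RBAC, rule-based, ABAC and risk-based checks. Roles, attributes, the
// business-hours rule, the risk threshold and all sample data are constructed.

type Action = "read" | "write" | "delete";

interface Subject {
  id: string;
  roles: string[];        // RBAC input
  department: string;     // ABAC attribute
  clearance: number;      // ABAC attribute
  usualCountry: string;   // baseline for the risk evaluation
}

interface Resource {
  id: string;
  ownerDepartment: string;
  sensitivity: number;
}

interface Context {
  action: Action;
  country: string;        // where the request originates
  hour: number;           // 0-23, local time of the request
  mfaCompleted: boolean;  // whether step-up authentication already happened
}

type Decision = "allow" | "deny" | "step-up";

// RBAC: each role carries a fixed permission set; the subject is allowed if
// any assigned role grants the action.
const ROLE_PERMISSIONS: { [role: string]: Action[] } = {
  Viewer: ["read"],
  Editor: ["read", "write"],
  Admin: ["read", "write", "delete"],
};

function rbacAllows(subject: Subject, action: Action): boolean {
  return subject.roles.some((role) => (ROLE_PERMISSIONS[role] || []).indexOf(action) >= 0);
}

// Rule-based: administrator-managed rules evaluated regardless of who the
// subject is. Here a single rule blocks destructive actions outside 08:00-18:00.
function rulesAllow(ctx: Context): boolean {
  const businessHours = ctx.hour >= 8 && ctx.hour < 18;
  return ctx.action !== "delete" || businessHours;
}

// ABAC: compare subject attributes with resource attributes. Reads need enough
// clearance; writes and deletes are confined to the subject's own department.
function abacAllows(subject: Subject, resource: Resource, action: Action): boolean {
  if (subject.clearance < resource.sensitivity) return false;
  if (action === "read") return true;
  return subject.department === resource.ownerDepartment;
}

// Risk-based: an unusual location raises the score; at or above the threshold
// the request is allowed only after additional authentication.
const STEP_UP_THRESHOLD = 50;

function riskScore(subject: Subject, ctx: Context): number {
  let score = 0;
  if (ctx.country !== subject.usualCountry) score += 50;
  if (ctx.action !== "read") score += 20;
  return score;
}

// The pipeline: any hard check failing denies; the risk check may demand step-up.
function decide(subject: Subject, resource: Resource, ctx: Context): Decision {
  if (!rbacAllows(subject, ctx.action)) return "deny";
  if (!rulesAllow(ctx)) return "deny";
  if (!abacAllows(subject, resource, ctx.action)) return "deny";
  if (riskScore(subject, ctx) >= STEP_UP_THRESHOLD && !ctx.mfaCompleted) return "step-up";
  return "allow";
}

// Constructed sample data.
const alice: Subject = { id: "alice", roles: ["Editor"], department: "finance", clearance: 2, usualCountry: "DE" };
const bob: Subject = { id: "bob", roles: ["Admin"], department: "finance", clearance: 3, usualCountry: "DE" };
const ledger: Resource = { id: "ledger-2023", ownerDepartment: "finance", sensitivity: 2 };
const hrFile: Resource = { id: "hr-reviews", ownerDepartment: "hr", sensitivity: 1 };
```

The order of the checks matters in practice: the cheap, static checks (role, rule) run first, the attribute comparison next, and the risk evaluation last, so a request that is never permitted is rejected before any step-up prompt is shown to the user.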

Example of implementation of Role-Based Access Control in the web application

For this example, I am going to use the Angular framework. You will see in the code below that I am checking roles in two cases. The first case is when you navigate to a certain page if the user has access to it, and the second is if the user has access but should be permitted to see a certain part of the page, or they have just read rights but not write… 

Create a RoleGuard class that implements the CanActivate interface. As the Angular documentation describes, the canActivate method returns true if the route can be activated, which grants access, and false if the requested route cannot be activated.

As you can see from the code, the roles were stored in local storage, and the isRoleAssigned method checks whether the user holds at least one of the roles passed in as the method's input. If so, it returns true and navigation to the requested route proceeds; if not, it returns false and the user is redirected to the home page (or to some custom page). Keep in mind that the user can edit anything in local storage, so this guard only controls what the browser shows; the server must check the roles again on every request it serves.

 

import { Injectable } from "@angular/core";
import {
 ActivatedRouteSnapshot,
 CanActivate,
 Router,
} from "@angular/router";
import { Observable } from "rxjs";
// LocalStorageManager is the application's own wrapper around window.localStorage;
// the import path is assumed here.
import { LocalStorageManager } from "./local-storage-manager";
 
@Injectable()
export class RoleGuard implements CanActivate {
 constructor(
  private route: Router,
  private _localStorage: LocalStorageManager
 ) {}
 
 // Angular calls this before activating the route; data.roles comes from
 // the route definition in app.routing.ts.
 public canActivate(route: ActivatedRouteSnapshot): Observable<boolean> | boolean {
  return this.isRoleAssigned(route.data["roles"] ?? []);
 }
 
 // Returns true when the stored roles contain at least one of the required
 // roles; otherwise redirects to the home page and returns false.
 private isRoleAssigned(roles: string[]): boolean {
  const assignedRoles = this._localStorage.retrieveObject(
   this._localStorage.roles
  );
  const userRoles: string[] = assignedRoles?.roles ?? [];
  if (userRoles.some(role => roles.includes(role))) {
   return true;
  }
  this.route.navigateByUrl("home");
  return false;
 }
}

 

In app.routing.ts, import RoleGuard and attach it to the route. As you can see, the route's data carries the list of roles a user needs in order to reach it.

 

import { Routes } from "@angular/router";
import { AuthGuard } from "./auth/auth.guard"; // path assumed
import { RoleGuard } from "./auth/role.guard";
 
export const routes: Routes = [
…,
 {
  path: "user-statistic-report",
  component: UserStatisticReportComponent,
  // AuthGuard requires a logged-in user; RoleGuard requires one of data.roles.
  data: { title: "User Statistic Report", roles: ["Manager"]},
  canActivate: [AuthGuard, RoleGuard],
 },
…

 

That covers the routing part. The code below sets the state of a button based on the role.

I have implemented a role service that returns the assigned roles, and I call it on the page to check whether the user has the required role, for example whether they are a Manager or an Administrator.

 

 // True when the role service has loaded the user's roles and one of them
 // is Manager or Administrator.
 get isManagerOrAdmin(): boolean {
  return !!(
   this.roleService.userRoles &&
   (this.roleService.checkRole(Roles.MANAGER) || this.roleService.checkRole(Roles.ADMINISTRATOR))
  );
 }

 

When the page initializes, I call that getter and, based on the outcome, hide the button that saves the report. This only changes what the browser displays; the endpoint that saves the report still has to check the role itself.

 

 ngOnInit(): void {
  // Hide the "Save report" button for users who are neither Manager nor Administrator.
  if (!this.isManagerOrAdmin) {
   const saveButton = this._buttons.find(x => x.title === "Save report");
   if (saveButton) {
    saveButton.display = false;
   }
  }
…
 }
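The RoleGuard and the hidden button above both run in the browser, where a user can change local storage or call the API directly, so the same role requirements have to be enforced on the server. As an added example, not part of the original article, the TypeScript below is a framework-independent authorization function for the server side: it keeps a table of routes and required roles that mirrors data.roles in app.routing.ts and the Manager/Administrator check behind the Save report button, and it reads roles only from a session the server has already verified. The VerifiedSession shape, the route table and the authorize function are assumptions made for this illustration.

```typescript
// Added example, not from the original article: server-side counterpart of the
// Angular RoleGuard and of the isManagerOrAdmin check. All names below
// (VerifiedSession, RouteRequirement, authorize, the route table) are assumptions.

type HttpMethod = "GET" | "POST" | "PUT" | "DELETE";

// Produced by the server after verifying a signed token or session cookie.
// Roles come from here, never from the request body or the browser's storage.
interface VerifiedSession {
  userId: string;
  roles: string[];
}

// Mirrors data.roles in app.routing.ts: holding any one listed role is enough.
interface RouteRequirement {
  method: HttpMethod;
  path: string;
  roles: string[];
}

const routeRequirements: RouteRequirement[] = [
  // Reading the report data: same roles as the Angular route.
  { method: "GET", path: "/api/user-statistic-report", roles: ["Manager", "Administrator"] },
  // Saving the report: the action behind the "Save report" button.
  { method: "POST", path: "/api/user-statistic-report", roles: ["Manager", "Administrator"] },
  { method: "GET", path: "/api/profile", roles: ["User", "Manager", "Administrator"] },
];

interface AuthzResult {
  status: 200 | 401 | 403;
  reason: string;
}

export function authorize(
  session: VerifiedSession | null,
  method: HttpMethod,
  path: string,
  table: RouteRequirement[] = routeRequirements,
): AuthzResult {
  if (!session) {
    return { status: 401, reason: "not authenticated" };
  }
  const requirement = table.find((r) => r.method === method && r.path === path);
  if (!requirement) {
    // Default deny: a route with no registered requirement is not served.
    return { status: 403, reason: "no authorization rule for route" };
  }
  const satisfied = session.roles.some((role) => requirement.roles.includes(role));
  return satisfied
    ? { status: 200, reason: "role requirement satisfied" }
    : { status: 403, reason: `requires one of: ${requirement.roles.join(", ")}` };
}

// Constructed sessions for a stand-alone run.
const manager: VerifiedSession = { userId: "u1", roles: ["Manager"] };
const viewer: VerifiedSession = { userId: "u2", roles: ["User"] };

export function demoAuthz(): Record<string, number> {
  return {
    anonymousRead: authorize(null, "GET", "/api/user-statistic-report").status,
    viewerRead: authorize(viewer, "GET", "/api/user-statistic-report").status,
    viewerProfile: authorize(viewer, "GET", "/api/profile").status,
    managerSave: authorize(manager, "POST", "/api/user-statistic-report").status,
    managerDelete: authorize(manager, "DELETE", "/api/user-statistic-report").status,
  };
}
```

A viewer whose browser has been edited to show the Save report button still receives 403 from the POST, because the decision is made from the verified session rather than from anything the client sent. The table is deliberately the single place where routes and roles meet, which keeps it easy to compare against the Angular route definitions when a role requirement changes.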

 

Conclusion

Choosing the model that best fits your project or organization is very important. For example, a company with small applications can implement Discretionary Access Control easily, while companies whose applications hold highly confidential or sensitive information will prefer Role-Based Access Control or Mandatory Access Control.

I would say put everything “on paper” before you choose a model: all the requirements your project or organization has now, and the ones it could have in the future.

 

Cover photo by Victor Forgacs

#appSec #accessControlModels

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.
