* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Current Issues in Maintaining a Secure System
Computer virus wikipedia , lookup
Trusted Computing wikipedia , lookup
Security-focused operating system wikipedia , lookup
Cyber-security regulation wikipedia , lookup
Unix security wikipedia , lookup
Antivirus software wikipedia , lookup
Web of trust wikipedia , lookup
Computer security wikipedia , lookup
Rainbow table wikipedia , lookup
Next-Generation Secure Computing Base wikipedia , lookup
Distributed firewall wikipedia , lookup
Computer and network surveillance wikipedia , lookup
Mobile security wikipedia , lookup
Cryptographic hash function wikipedia , lookup
Microsoft Security Essentials wikipedia , lookup
Cybercrime countermeasures wikipedia , lookup
Cryptanalysis wikipedia , lookup
Post-quantum cryptography wikipedia , lookup
Current Issues in Maintaining a Secure System: PKI Options, Cryptography and Current Threats David Canavan, Canavan Associates David A. Crist, Permovio, Inc. (Moderator) September 18-19, 2006 – Denver, Colorado Sponsored by the U.S. Department of Housing and Urban Development Overview • • • • • • • Learning Objectives PKI, Cryptography, and Hashing Virus Protection MalWare Firewalls Disposal System Monitoring Learning Objectives • To provide participants with a cursory understanding of PKI and Public/Private Key technology. • To introduce and provide examples of virus protection, firewalls and spyware to help protect your computer from hackers. • To explain other terms frequently used with system security and examples of how they fit into the big picture. PKI- What Is It? Why Do I Have to Work With It? • Public Key Infrastructure • In cryptography, a public key infrastructure (PKI) is an arrangement that provides for trusted third party vetting of, and vouching for, user identities. It also allows binding of public keys to users. This is usually carried out by software at a central location together with other coordinated software at distributed locations. The public keys are typically in certificates. Based on the Mathematical Field of Cryptography • Cryptography (or cryptology; derived from Greek κρυπτός kryptós "hidden," and γράφειν gráfein "to write") is a discipline of mathematics concerned with information security and related issues, particularly encryption, authentication, and access control. Its purpose is to hide the meaning of a message rather than its existence. In modern times, it has also branched out into computer science. Cryptography is central to the techniques used in computer and network security for such things as access control and information confidentiality. Cryptography is used in many applications that touch everyday life; the security of ATM cards, computer passwords, and electronic commerce all depend on cryptography What?? (Caesar Cipher) Huh? http://www.sacred-texts.com/eso/sta/img/17002.jpg Slowly We Got Better http://en.wikipedia.org/wiki/Lorenz_Cipher Then There Is the Hash http://en.wikipedia.org/wiki/Hash_function How Do We Know It Works? • Basically because very smart people say it does. In general Hash Functions should have the following qualities: – The block cipher is secure. – The resulting hash size is big enough. 64-bit is too small, 128-bit might be enough. – The last block is properly length padded prior to the hashing. – Length padding is normally implemented and handled internally in specialised hash functions like SHA-1 etc. What If I Don’t Believe You? • That’s okay. There are plenty of resources to help you understand. Cryptography has been around for about 2500 years and is well understood by those who choose to study it. Like This Guy Ron Rivest (one of the inventors of the RSA algorithm) Who Create Things That Look Like This MD5 Hash Algorithm (also invented by Ron Rivest, wicked smart) Which Produce Things Like This The hash sums seen here (in hexadecimal format) are actually the first four bytes of the SHA-1 hash sums of those text examples. http://en.wikipedia.org/wiki/Hash_function What Does That Mean? • One analogy is that of a locked store front door with a mail slot. The mail slot is exposed and accessible to the public; its location (the street address) is in essence the public key. Anyone knowing the street address can go to the door and drop a written message through the slot. However, only the person who posseses the matching private key, the store owner in this case, can open the door and read the message. What Does That Get Me? • Well it all depends on how it is implemented. – PKI can provide many benefits to your organization if it is implemented with an eye towards those benefits. – It also makes you compliant with the HUD Data and Technical Standards. • Anyone here implemented a PKI? How did you do it? What PKI Should I Use? • Short answer is whatever one works for you. There are many different products out there and any one of them might be the right one. Like any other process you should evaluate what your community needs and what is the most cost effective way to meet that need. Different Implementations • Red Hat Certificate Management System • Computer Associates eTrust PKI • Entrust • Microsoft • US Government External Certificate Authority (ECA) • Nexus • OpenCA (an open source publicly available PKI scheme including server software) • RSA Security • phpki • GenCerti • • • • • • • • • • • ejbca newpki Papyrus CA Software pyCA IDX-PKI EuropePKI (not available) TinyCA ElyCA SimpleCA SeguriData Safelayer Secure Communications • Australian Government AGIMO Gatekeeper system (Of course neither HUD nor I am endorsing or recmmending any of these products) Their inclusion is purely illustrative. The technology of the PKI is not difficult. • Ask Ron. It’s the people that make it challenging So What Do I Do? • Identify resources that will help you make the right decision. – Those can be on the Web. • Almost every slide so far in this show is taken from Wikipedia. On purpose. – Resources can be technical assistance from National TA team. • Which conveniently, I am on. – Can be peer communities that have done this already. – Could be your HMIS solution provider. Virus Protection • Significant growth in number and variety of virus technology – Proliferation of automated attacks • Allows for constant attempts across a broad set of vulnerabilities • Truly undermines the argument that any installation is too small to be noticed – Microsoft has acknowledged “recovery from malware becoming impossible” Malware Change in Language • MALicious softWARE • Software designed to destroy, aggravate, wreak havoc, hide incriminating information, disrupt, or damage computer systems • Includes all different types of viruses, spyware, and adware Malware Protection • All major software packages offer spyware, popup, and adware detection tools • Microsoft has a beta version spyware detection and removal software available • Reinforces the importance of automated protection and monitoring Malware Prevention • Many companies are blocking employees from nonbusiness related web browsing with technology rather than policy. – General Electric bars instant messaging, file sharing programs, and access to personal email. – JP Morgan Chase blocks any traffic it can’t trace and analyze including phone, messaging, and email programs Firewalls Not As Solid As They Used to Be • Increased permeability of firewalls means they are not as effective as they used to be in blocking attacks. • Some products being marketed as “firewall friendly” which actually means they circumvent the firewall • More and more web protocols designed to bypass typical firewall configurations (IPP and WebDAV) • ActiveX, Java, JavaScript make detection more difficult Disposal • Johnson County, Kansas – Stopped auction of old equipment in 2004 after 12 machines discovered to still have social security numbers and other private information still on them. – Has yet to implement a disposal policy – Some departments have drilled hard drives – Some have reformatted – Do you have a disposal policy? Does it meet the standard? System Monitoring • Greatest area of growth in the coming years. – Audits becoming more common – Data Trust and Accountability Act coming up • Specifically mandates that organizations make known and unauthorized disclosures of clients/customers information • Allows FTC to audit companies for 5 years after disclosure Sources • Wikipedia! • “Bullers, Finn. “Purging Computers a Priority” The Kansas City Star 11 Dec 2005 : B1 • Nareine, Ryan. “Microsoft Says Recovery from Malware Becoming Impossible” eWeek.com 4 Apr 2006 <http://www.eweek.com/article2/0,1895,1945782,00.asp • Young, Shawn. “Security Fears Prod Many Firms to Limit Staff Use of Web Services” The Wall Street Journal Online 31 Mar 2006 <http://www.careerjournal.com/hrcenter/articles/2006033 1-young.html> • Earthlink Spy Audit n.d. n.p. 2004 <http://www.earthlink.net/spyaudit/press/> Contact Info David Canavan Managing Director, Canavan Associates www.davidcanavan.com (413) 584-0894