Download Current Issues in Maintaining a Secure System

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts

Computer virus wikipedia , lookup

Spyware wikipedia , lookup

Trusted Computing wikipedia , lookup

Security-focused operating system wikipedia , lookup

Cyber-security regulation wikipedia , lookup

Unix security wikipedia , lookup

Antivirus software wikipedia , lookup

Web of trust wikipedia , lookup

Computer security wikipedia , lookup

Rainbow table wikipedia , lookup

Next-Generation Secure Computing Base wikipedia , lookup

SHA-1 wikipedia , lookup

Distributed firewall wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Mobile security wikipedia , lookup

Cryptographic hash function wikipedia , lookup

Microsoft Security Essentials wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Cryptanalysis wikipedia , lookup

Malware wikipedia , lookup

Post-quantum cryptography wikipedia , lookup

Cryptography wikipedia , lookup

History of cryptography wikipedia , lookup

Transcript
Current Issues in Maintaining a
Secure System:
PKI Options, Cryptography and
Current Threats
David Canavan, Canavan Associates
David A. Crist, Permovio, Inc. (Moderator)
September 18-19, 2006 – Denver, Colorado
Sponsored by the U.S. Department of Housing and Urban Development
Overview
•
•
•
•
•
•
•
Learning Objectives
PKI, Cryptography, and Hashing
Virus Protection
MalWare
Firewalls
Disposal
System Monitoring
Learning Objectives
• To provide participants with a cursory understanding of PKI
and Public/Private Key technology.
• To introduce and provide examples of virus protection,
firewalls and spyware to help protect your computer from
hackers.
• To explain other terms frequently used with system security
and examples of how they fit into the big picture.
PKI- What Is It? Why Do I Have to Work With
It?
• Public Key Infrastructure
• In cryptography, a public key infrastructure
(PKI) is an arrangement that provides for trusted
third party vetting of, and vouching for, user
identities. It also allows binding of public keys to
users. This is usually carried out by software at a
central location together with other coordinated
software at distributed locations. The public keys are
typically in certificates.
Based on the Mathematical Field of
Cryptography
• Cryptography (or cryptology; derived from Greek
κρυπτός kryptós "hidden," and γράφειν gráfein "to write")
is a discipline of mathematics concerned with information
security and related issues, particularly encryption,
authentication, and access control. Its purpose is to hide
the meaning of a message rather than its existence. In
modern times, it has also branched out into computer
science. Cryptography is central to the techniques used in
computer and network security for such things as access
control and information confidentiality. Cryptography is
used in many applications that touch everyday life; the
security of ATM cards, computer passwords, and electronic
commerce all depend on cryptography
What??
(Caesar Cipher)
Huh?
http://www.sacred-texts.com/eso/sta/img/17002.jpg
Slowly We Got Better
http://en.wikipedia.org/wiki/Lorenz_Cipher
Then There Is the Hash
http://en.wikipedia.org/wiki/Hash_function
How Do We Know It Works?
• Basically because very smart people say it does. In
general Hash Functions should have the following
qualities:
– The block cipher is secure.
– The resulting hash size is big enough. 64-bit is too
small, 128-bit might be enough.
– The last block is properly length padded prior to the
hashing.
– Length padding is normally implemented and handled
internally in specialised hash functions like SHA-1 etc.
What If I Don’t Believe You?
• That’s okay. There are plenty of resources to help
you understand. Cryptography has been around for
about 2500 years and is well understood by those
who choose to study it.
Like This Guy
Ron Rivest (one of the inventors of the RSA algorithm)
Who Create Things That Look Like This
MD5 Hash Algorithm (also invented by Ron Rivest, wicked smart)
Which Produce Things Like This
The hash sums seen here (in hexadecimal format) are
actually the first four bytes of the SHA-1 hash sums of
those text examples.
http://en.wikipedia.org/wiki/Hash_function
What Does That Mean?
• One analogy is that of a locked store front door with a
mail slot. The mail slot is exposed and accessible to
the public; its location (the street address) is in
essence the public key. Anyone knowing the street
address can go to the door and drop a written
message through the slot. However, only the person
who posseses the matching private key, the store
owner in this case, can open the door and read the
message.
What Does That Get Me?
• Well it all depends on how it is implemented.
– PKI can provide many benefits to your organization if it
is implemented with an eye towards those benefits.
– It also makes you compliant with the HUD Data and
Technical Standards.
• Anyone here implemented a PKI? How did you do it?
What PKI Should I Use?
• Short answer is whatever one works for you. There
are many different products out there and any one of
them might be the right one. Like any other process
you should evaluate what your community needs and
what is the most cost effective way to meet that
need.
Different Implementations
• Red Hat Certificate
Management System
• Computer Associates eTrust
PKI
• Entrust
• Microsoft
• US Government External
Certificate Authority (ECA)
• Nexus
• OpenCA (an open source
publicly available PKI scheme
including server software)
• RSA Security
• phpki
• GenCerti
•
•
•
•
•
•
•
•
•
•
•
ejbca
newpki
Papyrus CA Software
pyCA
IDX-PKI
EuropePKI (not available)
TinyCA
ElyCA
SimpleCA
SeguriData
Safelayer Secure
Communications
• Australian Government AGIMO
Gatekeeper system
(Of course neither HUD nor I am endorsing or recmmending any of these products) Their inclusion is purely illustrative.
The technology of the PKI is not difficult.
• Ask Ron.
It’s the people that make it challenging
So What Do I Do?
• Identify resources that will help you make the right
decision.
– Those can be on the Web.
• Almost every slide so far in this show is taken from
Wikipedia. On purpose.
– Resources can be technical assistance from National TA
team.
• Which conveniently, I am on.
– Can be peer communities that have done this already.
– Could be your HMIS solution provider.
Virus Protection
• Significant growth in number and variety of virus
technology
– Proliferation of automated attacks
• Allows for constant attempts across a broad set of
vulnerabilities
• Truly undermines the argument that any installation
is too small to be noticed
– Microsoft has acknowledged “recovery from malware
becoming impossible”
Malware
Change in Language
• MALicious softWARE
• Software designed to destroy, aggravate, wreak
havoc, hide incriminating information, disrupt, or
damage computer systems
• Includes all different types of viruses, spyware, and
adware
Malware Protection
• All major software packages offer spyware, popup,
and adware detection tools
• Microsoft has a beta version spyware detection and
removal software available
• Reinforces the importance of automated protection
and monitoring
Malware Prevention
• Many companies are blocking employees from nonbusiness related web browsing with technology rather
than policy.
– General Electric bars instant messaging, file sharing
programs, and access to personal email.
– JP Morgan Chase blocks any traffic it can’t trace and
analyze including phone, messaging, and email
programs
Firewalls
Not As Solid As They Used to Be
• Increased permeability of firewalls means they are
not as effective as they used to be in blocking
attacks.
• Some products being marketed as “firewall friendly”
which actually means they circumvent the firewall
• More and more web protocols designed to bypass
typical firewall configurations (IPP and WebDAV)
• ActiveX, Java, JavaScript make detection more
difficult
Disposal
• Johnson County, Kansas
– Stopped auction of old equipment in 2004 after 12
machines discovered to still have social security
numbers and other private information still on them.
– Has yet to implement a disposal policy
– Some departments have drilled hard drives
– Some have reformatted
– Do you have a disposal policy? Does it meet the
standard?
System Monitoring
• Greatest area of growth in the coming years.
– Audits becoming more common
– Data Trust and Accountability Act coming up
• Specifically mandates that organizations make
known and unauthorized disclosures of
clients/customers information
• Allows FTC to audit companies for 5 years after
disclosure
Sources
• Wikipedia!
• “Bullers, Finn. “Purging Computers a Priority” The Kansas
City Star 11 Dec 2005 : B1
• Nareine, Ryan. “Microsoft Says Recovery from Malware
Becoming Impossible” eWeek.com 4 Apr 2006
<http://www.eweek.com/article2/0,1895,1945782,00.asp
• Young, Shawn. “Security Fears Prod Many Firms to Limit
Staff Use of Web Services” The Wall Street Journal Online
31 Mar 2006
<http://www.careerjournal.com/hrcenter/articles/2006033
1-young.html>
• Earthlink Spy Audit n.d. n.p. 2004
<http://www.earthlink.net/spyaudit/press/>
Contact Info
David Canavan
Managing Director, Canavan Associates
www.davidcanavan.com
(413) 584-0894