Download Data Encryption Standard - gozips.uakron.edu

Document related concepts

Authentication wikipedia , lookup

Cyberwarfare wikipedia , lookup

Information privacy law wikipedia , lookup

Cross-site scripting wikipedia , lookup

Multilevel security wikipedia , lookup

Deep packet inspection wikipedia , lookup

Cryptanalysis wikipedia , lookup

Cryptography wikipedia , lookup

Airport security wikipedia , lookup

Next-Generation Secure Computing Base wikipedia , lookup

Information security wikipedia , lookup

Distributed firewall wikipedia , lookup

Hacker wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Post-quantum cryptography wikipedia , lookup

Unix security wikipedia , lookup

Wireless security wikipedia , lookup

Cyber-security regulation wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Social engineering (security) wikipedia , lookup

Mobile security wikipedia , lookup

Computer security wikipedia , lookup

Security-focused operating system wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Transcript
2440: 141
Web Site Administration
Introduction to Security
Instructor: Enoch E. Damson
Information Security
 Consists of the procedures and measures taken to
protect each component of information systems
 Protecting data, hardware, software, networks, procedures
and people
 The concept of information security is based on the
C.I.A triangle (according to the National Security
Telecommunications and Information Security
Committee – NSTISSC)
 C – Confidentiality
 I – Integrity
 A – Availability
Introduction to Security
2
Confidentiality
 Addresses two aspects of security with subtle differences
 Prevents unauthorized individuals from knowing or
accessing information
 Safeguards confidential information and disclosing secret
information only to authorized individuals by means of
classifying information
Introduction to Security
3
Integrity
 Ensures data consistency and accuracy
 The integrity of the information system is measured by the
integrity of its data
 Data can be degraded into the following categories:
 Invalid data – not all data is valid
 Redundant data – the same data is recorded and stored in several




places
Inconsistent data – redundant data is not identical
Data anomalies – one occurrence of repeated data is changed and the
other occurrences are not
Data read inconsistency – a user does not always read the last
committed data
Data non-concurrency – multiple users can access and read data at the
same time but loose read consistency
Introduction to Security
4
Availability
 Ensures that data is accessible to authorized
individuals to access information
 An organization’s information system can be
unavailable because of the following security issues
 External attacks and lack of system protection
 Occurrence of system failure with no disaster recovery
strategy
 Overly stringent and obscure security procedures and
policies
 Faulty implementation of authentication processes, causing
failure to authenticate customers properly
Introduction to Security
5
Information Security Architecture
 The model for protecting logical and physical assets
 The overall design of a company’s implementation of the
C.I.A triangle
 Components range from physical equipment to logical
security tools and utilities
Introduction to Security
6
Components of Information Security
Architecture
 The components of information security architecture are:
 Policies and procedures – documented procedures and
company policies that elaborate on how security is to be
carried out
 Security personnel and administrators – people who
enforce and keep security in order
 Detection equipment – devices to authenticate users and
detect and equipment prohibited by the company
Introduction to Security
7
Components of Information Security
Architecture…
 Other components of information security
architecture include:
 Security programs – tools to protect computer system’s
servers from malicious code such as viruses
 Monitoring equipment – devices to monitor physical
properties, users, and important assets
 Monitoring applications – utilities and applications used to
monitor network traffic and Internet activities, downloads,
uploads, and other network activities
 Auditing procedures and tools – checks and controls to
ensure that security measures are working
Introduction to Security
8
Levels of Security
 The levels of security include:
 Highly restrictive
 Moderately restrictive
 Open
Introduction to Security
9
Levels of Security…
 Before deciding on a level of security, answer these
questions:
 What must be protected?
 From whom should data be protected?
 What costs are associated with security being breached and
data being lost or stolen?
 How likely is it that a threat will actually occur?
 Are the costs to implement security and train users to use a
secure network outweighed by the need to provide an
efficient, user-friendly environment?
Introduction to Security
10
Highly Restrictive Security Policies
 Include features such as:
 Data encryption
 Complex password requirements
 Detailed auditing and monitoring of computer/network access
 Intricate authentication methods
 Policies that govern use of the Internet/e-mail
 Might require third-party hardware and software
 Implementation cost is high
 Cost of a security breach is high
Introduction to Security
11
Moderately Restrictive Security
Policies
 Most organizations can opt for this type of policy
 Requires passwords, but not overly complex ones
 Auditing detects unauthorized logon attempts, network resource misuse,
and attacker activity
 Most network operating systems contain authentication, monitoring, and
auditing features to implement the required policies
 Infrastructure can be secured with moderately priced off-the-shelf
hardware and software (firewalls, etc)
 Costs are primarily in initial configuration and support
Introduction to Security
12
Open Security Policies
 Policy might have simple or no passwords, unrestricted access
to resources, and probably no monitoring and auditing
 May be implemented by a small company with the primary
goal of making access to basic data resources
 Internet access should probably not be possible via the
company LAN
 Sensitive data, if it exists, might be kept on individual
workstations that are backed up regularly and are physically
inaccessible to other employees
Introduction to Security
13
Securing the Web Environment
 Both Linux and Windows need to configured carefully to
minimize security risks
 Keep software patches up to date
 Web servers with static pages are relatively easy to protect
than those with dynamic pages
 To secure transmission, data may be encrypted with Secure
Socket Layer (SSL) and Secure Shell (SSH)
 To isolate a Web server environment:
 Firewalls may be used to block unwanted access to ports
 Proxy servers may be used to isolate computers
 To discover whether and how attackers have penetrated a
system, intrusion detection software may be used
Introduction to Security
14
Identifying Threats and
Vulnerabilities
 Hackers sometimes want the challenge of penetrating
a system and vandalizing it – other times they are
after data
 Data can be credit card numbers, user names and
passwords, other personal data
 Information can be gathered by hackers while it is
being transmitted
 Operating system flaws can often assist hackers
Introduction to Security
15
Types of Attacks & Vulnerabilities
 Some of the numerous methods to attack systems are as
follows:
 Virus – code that compromises the integrity and state of a system
 Worm – code that disrupts the operation of a system
 Trojan horse – malicious code that penetrates a computer system or
network by pretending to be legitimate code
 Denial of service – the act of flooding a Web site or network system
with many requests with the intent of overloading the system and
forcing it to deny service to legitimate requests
 Spoofing – malicious code that looks like legitimate code
 Bugs – software code that is faulty due to bad design, logic, or both
Introduction to Security
16
Types of Attacks & Vulnerabilities…
 Other methods to attack systems include:
 Email spamming – E-mail that is sent to many recipients
without their permission
 Boot sector virus – code that compromises the segment in
the hard disk containing the program used to start the
computer
 Back door – an intentional design element of some
software that allows developers of a system to gain access
to the application for maintenance or technical problems
 Rootkits and bots – malicious or legitimate software code
that performs functions like automatically retrieving and
collecting information from computer systems
Introduction to Security
17
Examining TCP/IP
 TCP/IP was not designed to be secure but to allow systems to
communicate
 Hackers often take advantage of the ignorance about TCP/IP to
access computers connected to the Internet
 The following are parts of the IP header most relevant to
security
 Source address – start-point IP address
 Destination address – end-point IP address
 Packet identification, flags, fragment offset
 Total length – length of packet in bytes
 Protocol – TCP, UDP, ICMP
Introduction to Security
18
Vulnerabilities of DNS
 Historically, DNS has had security problems
 BIND is the most common implementation of DNS and
some older versions had serious bugs
 Current versions of BIND have been more secure
Introduction to Security
19
Vulnerabilities in Operating
Systems
 Operating systems are large and complex
 Hence, more opportunities for attack
 Inattentive administrators often fail to implement
patches when available
 Some attacks, such as buffer overruns, can allow the
attacker to take over the computer
Introduction to Security
20
Vulnerabilities in Web servers
 Static HTML pages pose virtually no problem
 Programming environments and databases add
complexity that a hacker can exploit
Introduction to Security
21
Vulnerabilities of E-mail Servers
 By design, e-mail servers are open
 E-mail servers can be harmed by a series of very large
e-mail messages
 Sending an overwhelming number of messages at the
same time can prevent valid users from accessing the
server
 Viruses can be sent to e-mail users
 Retrieving e-mail over the Internet often involves
sending your user name and password as clear text
Introduction to Security
22
Security Basics
 Some of the basic security rules are as follows:
 Security and functionality are inversely related – the more
security you implement, the less functionality you will have,
and vice versa
 No matter how much security you implement and no
matter how secure your site is, if hackers want to break in,
they will
 The weakest link in security is human beings
Introduction to Security
23
Security Methods
 People
 Physical limits on access to hardware and documents
 Through the processes of identification and authentication,
make certain that the individual is who he/she claims to be
through the use of devices, such as ID card, eye scans,
passwords
 Training courses on the importance of security and how to
guard assets
 Establishments of security policies and procedures
Introduction to Security
24
Security Methods…
 Applications
 Authentication of users who access applications
 Business rules
 Single sign-on (a method for signing on once for different
applications and Web sites)
Introduction to Security
25
Security Methods…
 Network
 Firewalls – to block network intruders
 Virtual private network (VPN) – a remote computer
securely connected to a corporate network
 Authentication
Introduction to Security
26
Security Methods…
 Operating System
 Authentication
 Intrusion detection
 Password policy
 Users accounts
Introduction to Security
27
Security Methods…
 Database Management Systems
 Authentication
 Audit mechanism
 Database resource limits
 Password policy
Introduction to Security
28
Security Methods…
 Data Files
 File permissions
 Access monitoring
Introduction to Security
29
Securing Access to Data
 Securing data on a network has many facets:
 Authentication and authorization – identifying who is
permitted to access which network resources
 Encryption/decryption – making data unusable to anyone
except authorized users
 Virtual Private Networks (VPNs) – allowing authorized
remote access to a private network via the public Internet
 Firewalls – installing software/hardware device to protect a
computer or network from unauthorized access and attacks
Introduction to Security
30
Securing Access to Data…
 Other facets of securing data on a network include:
 Virus and worm protection – securing data from software
designed to destroy data or make computer or network
operate inefficiently
 Spyware protection – securing computers from
inadvertently downloading and running programs that
gather personal information and report on browsing and
habits
 Wireless security – implementing unique measures for
protecting data and authorizing access to the wireless
network
Introduction to Security
31
Securing Data Transmission
 To secure data on a network, you need to encrypt the
data
 Secure Socket Layer (SSL) is commonly used to encrypt
data between a browser and Web server
 Secure Shell (SSH) is a secured replacement for Telnet
Introduction to Security
32
Securing the Operating System
 Use the server for only necessary tasks
 Minimize user accounts
 Disable services that are not needed
 Make sure that you have a secure password
Introduction to Security
33
Securing Windows
 Some services that are not needed in Windows for most
Internet-based server applications may be turned off
 Examples include:







Alerter
Computer browser
DHCP client
DNS client
Messenger
Server
Workstation
 Also, the registry can be used to alter the configuration to
make it more secure such as disabling short file names
Introduction to Security
34
Securing Linux
 Only run needed daemons
 Generally, daemons are disabled by default
 The command netstat -l gives you a list of daemons
that are running
 Use chkconfig to enable and disable daemons
 chkconfig imap on would enable imap
Introduction to Security
35
Securing E-mail
 Tunneling POP3 can prevent data from being seen
 Microsoft Exchange can also use SSL for protocols it uses
 Set a size limit for each mailbox to prevent someone from
sending large e-mail messages until the disk is full
Introduction to Security
36
Securing the Web Server
 Enable the minimum features
 If you do not need a programming language, do not enable
it
 Make sure programmers understand security issues
 Implement SSL where appropriate
Introduction to Security
37
Authenticating Web Users
 Both Apache and IIS use HTTP to enable authentication
 If HTTP tries to access a protected directory and fails then:


it requests authentication from the user in a dialog box
Accesses directory with user information
 Used in conjunction with SSL
Introduction to Security
38
Using a Firewall
 A firewall implements a security policy between networks
 Limit access, especially from the Internet to your internal
computers
 Restrict access to Web servers, e-mail servers, and other
related servers
Introduction to Security
39
Types of Filtering
 Packet filtering
 Looks at each individual packet
 Based on rules, it determines whether to let it pass through the firewall
 Circuit-level filtering (stateful or dynamic filtering)
 Controls complete communication session, not just individual packets
 Allows traffic initialized from within the organization to return, yet
restricts traffic initialized from outside
 Application-level
 Instead of transferring packets, it sets up a separate connection to
totally isolate applications such as Web and e-mail
Introduction to Security
40
Using a Proxy Server
 A proxy server delivers content on behalf of a user or server
application
 Proxy servers need to understand the protocol of the
application that they proxy such as HTTP or FTP
 Forward proxy servers isolate users from the Internet
 Users contact proxy server which gets Web page
 Reverse proxy servers isolate Web server environment from
the Internet
 When a Web page is requested from the Internet, the proxy server
retrieves the page from the internal server
Introduction to Security
41
Using Intrusion Detection Software
 Intrusion detection is designed to show you that your
defenses have been penetrated
 With Microsoft Internet Security and Acceleration (ISA)
Server, it only detects specific types of intrusion
 In Linux, Tripwire tracks changes to files
Introduction to Security
42
Tripwire
 Tripwire allows you to set policies that allow you to
monitor any changes to the files on the system
 Tripwire can detect file additions, file deletions, and
changes to existing files
 By understanding the changes to the files, you can
determine which ones are unauthorized and then try
to find out the cause of the change
Introduction to Security
43
Implementing Secure Authentication
and Authorization
 Administrators must control who has access to the
network (authentication) and what logged on users
can do to the network (authorization)
 Network operating systems have tools to specify options
and restrictions on how/when users can log on to network
 File system access controls and user permission settings
determine what a user can access on a network and what
actions a user can perform
Introduction to Security
44
Cryptography
 The science of encrypting and decrypting information to
ensure that data and information cannot be easily understood
or modified by unauthorized individuals
 Allows encryption of data from its original form into a form that can
only be read with a correct decryption key
 Some of security functions addressed by cryptography
methods are:
 Authentication
 Privacy
 Message integrity
 Provisions of data signatures
Introduction to Security
45
Vocabulary of Cryptography
 Cryptanalysis – the process of evaluating cryptographic algorithms to






discover their flaws
Cryptanalyst – a person who uses cryptanalysis to find flaws in
cryptographic algorithms
Cryptographer – a person trained in the science of cryptograpy
Alphabet – set of symbols used in cryptographic to either input or output
messages
Plaintext (cleartext or raw data) – the original data in its raw form
Cipher (algorithm) – a cryptographic encryption algorithm for transforming
data from one form to another
Cyphertext - the encrypted data
Introduction to Security
46
Encryption
 The act of encoding readable data into a format
that is unreadable without a decoding key
 Decryption – the act of decoding encoded data back into
the original readable format
 Encryption provides privacy (confidentiality)
Introduction to Security
47
Encryption Methodology
 There are two elements in encryption:
 Encryption method (ciper or algorithm) – specifies the
mathematical process used in encryption
 Key – the special string of bits used in encryption
Introduction to Security
48
Types of Cryptographic Ciphers
 Ciphers fall into one of two major categories:
 Symmetric (single-key) ciphers – the same key is used to
both encryption and decryption
 Asymmetric (public-key) ciphers – different keys are used
for encryption and decryption
Introduction to Security
49
Symmetric (Single Key) Ciphers
 The most common and simplest form of encryption
 Both parties in the encryption process use the same key and must
keep the key secret
 Symmetric ciphers are divided into:
 Steam ciphers – encrypt the bits of message one at a time
 Block ciphers – encrypt a number of bits as a single unit
 Some symmetric ciphers include:
 Data Encryption Standard (DES), Triple-DES, DESX, RDES, Blowfish,
Twofish, AES (Advanced Encryption Standard), and IDEA (International
Data Encryption Algorithm), Serpent
Introduction to Security
50
Asymmetric (Public Key) Ciphers
 There are two keys for each party
 The sender and receiver each has a private and public key
 Public key – senders will encrypt data using non-secure connections with the receivers’
public key
 Private key – the receivers use their private keys to decrypt data
 The only person who can decrypt the ciphertext is the owner of the private key that
corresponds to the public key used for the encryption
 Well regarded asymmetric techniques include: RSA (Rivest, Shamir, and Adleman),
DSS (Digital Signature Standard), and EIGamal
 Internet protocols using asymmetric ciphers include: Secure Socket Layer (SSL),
Transport Layer Security (TLS), Secure Shell (SSH), Pretty Good Privacy (PGP), and
GNU Privacy Guard (GPG)
Introduction to Security
51
Encryption Example
 Alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ
 Plaintext: Meet me on the corner
 Cipher (algorithm): C = P + K
 C – the ciphertext character
 P – the plaintext character
 K – the value of the key
 Key: 3
 The algorithm simply states that to encrypt a plaintext character (P) and generate a
ciphertext (C), add the value of the key (K) to the plaintext character
 Shift the plaintext character to the right of the alphabet by three characters

D replaces A, E replaces B, F replaces C, etc
 The following message is generated:
 Ciphertext: Phhw ph rq wkh fruqhu
Introduction to Security
52
Authentication
 One purpose of encryption is to prevent anyone who
intercepts a message from being able to read the
message
 It brings authorization (confidentiality) – only authorized
users can use data
 In contrast, authentication proves the sender’s identity
Introduction to Security
53
Forms of Authentication
 There are many forms of authentication:
 Passwords
 Authentication cards – ATMs use these with coded
information
 Biometrics – measures body dimensions like finger-print
analyzers
 Public key authorization – uses digital signatures

Digital signature – the electronic version of a physical signature
Introduction to Security
54
Security Experts
 Two of the most prominent computer security
organizations are the CERT Coordination Center
(CERT/CC) and the Systems Administration,
Networking, and Security (SANS) Institute
 CERT/CC – a federally funded software engineering institute
operated by Carnegie Mellon University
 SANS – a prestigious and well-regarded education and
research organization with members including some of the
leading computer security experts in the country
Introduction to Security
55
Security Resources
 Computer Security Resources
 http://www.sans.org (SANS Institute)
 http://www.cert.org (CERT/CC)
 http://www.first.org (FIRST – Forum of Incident Response
and Security Teams)
 http://csrc.nist.gov (NIST – National Institute of Standards
and Technology, Computer Security Resource Center)
 http://www.securityfocus.com (Security Focus Forum)
Introduction to Security
56