Session 10 – More Cyber Security
EECS 4482 2016
Today’s Outline
Cyber risks
Identity management
Internet security
Email security
PC security
Mobile security
Payment card security
Cyber Risks
Virus
Identity theft
Hacking
Scam
Pornography
Ransomware
Virus
Can spread by email in the form of an
email attachment or a web link (URL), like
www.abc.com.
Also can be spread when using someone’s
memory disk.
Virus
A common virus is one that harvests email
addresses from an infected computer and
uses one of the addresses to send an
email to a bunch of other addresses
fetched from the infected computer.
So when you receive such a message,
that does not necessarily mean the
sender’s computer is infected.
Internet Worm
A variant of virus that does not require
you to click anything.
If your computer has the weakness
targeted by the worm, it will be infected.
The worm travels on the Internet.
Once infected, your computer will be very
slow and it may be used as a zombie to
send the worm around the Internet.
Internet Worm
It can be used to disable web sites, as
happened in September to CNN, Netflix,
PayPal and Twitter.
Once your computer has up-to-date antivirus
software, the worm will be removed, but it
can come back until your computer receives
the necessary fix (update) from Apple or
Microsoft (pushed to your computer
automatically).
Identity theft
Phishing
Password cracking
Virus that copies your identity information
or monitors your keystrokes.
Phishing
Email purporting to be from your bank
asking you to click a link to update your
account info like password.
Banks do not send email to customers
except to remind them that their
statements are ready for viewing, and
customers would have to sign in to view,
instead of clicking a link from the email.
Check the URL provided by right-clicking
the link.
Hacking
Every computer connected to the Internet
faces this risk even if you are not using
the browser or checking email.
Hacking is largely automated and your
computer, once hacked, may be used to
hack other computers.
Hackers can copy or change your info like
email passwords, delete files or plant
malicious programs.
Scam
Email enticing people to put up a small
sum for large gain, like buying material to
work at home.
Or email that asks for help saying your
friend is in distress.
Just delete, or call your friend or his/her
family.
Child pornography
Storing, sending or active viewing is
criminal.
Exercise caution when text or graphic
starts to bother you.
A quick way to avoid incrimination is to
shut down the computer immediately.
Password
Should not be shared
Should be changed by user
Should be changed frequently and upon
compromise (suspected unauthorized
disclosure)
Password
Long, at least 8 characters
Alphanumeric and include at least 1 upper
case letter
Hashed (one-way scrambling) by
operating system
Password Cracking Methods by Hackers
Dictionary attacks – try scrambling the common
names and all dictionary words
Brute force – try scrambling all possible
combinations of characters, most time
consuming
Systematic deduction – try name followed by
month, etc.
The hacker community has tables of hashes, called
rainbow tables, to help in cracking.
Passwords
An 8-letter password is 676 times stronger than
a 6-letter password.
A user-chosen 6-character alphanumeric word
password can be cracked in an hour.
A 6-character alphanumeric password is 7 times
stronger than a 6-letter password.
A completely random 8-character, case
sensitive, alphanumeric password takes a
modern PC 6 months to crack.
PIN
Change regularly.
Do not use as your PC or phone
password.
Use different PINs for debit and credit
cards.
OS Configuration
Controlled by a system administrator. A
system administrator has full control of a
computer and must therefore be closely
monitored by management, think of
Snowden.
Organizations should have a standard
blue print for each OS to ensure
consistency.
System Administrator Control
Careful screening before hiring, e.g.,
criminal record check, psychology test.
Rotation of duties among servers.
Segregation of duties, e.g., an SA must
not also be a DBA.
Use vendor supplied tools to generate
reports on SA activities for frequent
management review.
User Control
General users should not be given root
access to the operating system.
General users should not be given
administrative privilege to their computers,
so that they cannot change OS settings
and cannot install programs.
This helps to prevent virus spreading,
copyright infringement and hacking.
Patching
A patch is a fix from an operating system
vendor to cover a security hole used by
hackers.
A security hole is also called a
vulnerability; it is made up of a service,
a port, a combination thereof, or the way
some services can be combined to achieve
successful hacking.
Patching
Organizations should procure patching
tools to check for updates from OS
vendors, test the updates and then
automatically distribute the updates to
servers, workstations and laptops.
Patching should also apply to organization
owned smart phones.
Devices should be checked by the
organization's network for up-to-date
patches.
Access Control
Access control lists (ACL) can be set up in
an OS to restrict access by applications
and by those users who have direct access
to an OS.
An ACL will define the subject
(application), object (data and OS services
etc.) and the type of access (read, write,
delete).
Most business users don't need such access.
Browser Security
- Ordinary users without local
administration privilege can change
browser security and privacy settings.
This means more monitoring and
education are required.
- The web usage policy should indicate
what options should not be turned on.
Modern OS Security Features
Anti-virus software, firewall and full hard
drive encryption now come standard with
commercial PC operating systems.
Windows Action Center
It allows the user to schedule Windows
updates so that updates will be
downloaded and implemented
automatically. Organizations should
disable this function and instead, let the
domain controller (server) oversee this
function.
Windows Action Center
Locking down users to prevent them from
installing programs.
Defining user access rights as guest, folder
owner, administrator (full access), and
specific user (requiring logon account).
Defining access control lists for folders and files.
Windows Action Center
Data Execution Prevention feature that prevents
buffer overflow by marking certain memory
pages intended for data as non-executable. This
feature is turned on by default in Windows XP
and later versions of Windows.
Protected Media Path to protect digital rights
management by denying unauthorized
applications access to rights-managed material.
This prevents the copying of programs that can
only be executed.
Active Directory
This hierarchical access authentication and authorization
structure has replaced the function of the primary
domain controllers and backup domain controllers in
authentication and authorization. It has the following
features:
- Central location for network administration and security
- Information security and single sign-on for user access
to networked resources
- The ability to scale up or down easily
- Standardizing access to application data
- Synchronization of directory updates across servers
Password Salting
Most operating systems add a bit string to
the raw password before hashing to make
it difficult to crack.
Unix uses a 12-bit random salt each time
a password is created or changed.
Windows salts passwords only for offline
access to compensate for the lack of
Active Directory authentication.
File Permissions on Critical Files
Unix controls access to files, programs, and all
other resources via file permissions.
Unix permissions are controlled by three
categories: Owner, Group, and World.
Each category has the ability to READ,
WRITE, and/or EXECUTE Unix files or resources.
Ex. -rwxr-x--x
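As an added example (not code from the slides), the Python below treats the owner/group/world triplets of a mode string such as -rwxr-x--x as a three-entry ACL of the kind described under Access Control above, with a subject (the user), an object (the file) and a type of access (read, write, execute), and decides whether a given user may perform an operation. The Subject and FileObject types, the sample file and the sample users are constructed for the example. It also shows one caveat the slide does not state: the three categories are exclusive, so an owner is judged only by the owner bits even when group or world bits are more permissive.

```python
# Added example (not from the EECS 4482 slides): a Unix-style permission check
# expressed as an ACL of subject (user), object (file) and access type.
from dataclasses import dataclass

PERM_CLASSES = ("owner", "group", "world")   # the three Unix categories
PERM_BITS = "rwx"                            # read, write, execute


@dataclass(frozen=True)
class Subject:
    """A user: numeric uid plus the set of group ids the user belongs to."""
    uid: int
    gids: frozenset


@dataclass(frozen=True)
class FileObject:
    """A file: owning uid, owning gid and an ls-style 10-character mode string."""
    path: str
    uid: int
    gid: int
    mode: str


def parse_mode(mode: str) -> dict:
    """Turn '-rwxr-x--x' into {'owner': {r,w,x}, 'group': {r,x}, 'world': {x}}."""
    if len(mode) != 10:
        raise ValueError(f"expected a 10-character mode string, got {mode!r}")
    acl = {}
    for i, cls in enumerate(PERM_CLASSES):
        triplet = mode[1 + 3 * i: 4 + 3 * i]   # skip the file-type character
        granted = set()
        for expected, actual in zip(PERM_BITS, triplet):
            if actual == expected:
                granted.add(expected)
            elif actual != "-":
                # setuid/setgid/sticky markers (s, S, t, T) are out of scope here
                raise ValueError(f"unsupported permission character {actual!r} in {mode!r}")
        acl[cls] = granted
    return acl


def effective_class(subject: Subject, obj: FileObject) -> str:
    """Pick the single category that applies to this subject for this object."""
    if subject.uid == obj.uid:
        return "owner"
    if obj.gid in subject.gids:
        return "group"
    return "world"


def allowed(subject: Subject, obj: FileObject, op: str) -> bool:
    """True if the subject may perform op ('r', 'w' or 'x') on the object.

    Only one category is consulted, as the kernel does: an owner with no
    owner bits is denied even if group or world would permit the operation.
    (The uid 0 bypass of real kernels is deliberately not modelled.)
    """
    if op not in PERM_BITS:
        raise ValueError(f"op must be one of {PERM_BITS!r}")
    return op in parse_mode(obj.mode)[effective_class(subject, obj)]


# Constructed sample: the slide's example mode on a file owned by uid 1000, gid 100.
SCRIPT = FileObject(path="/usr/local/bin/report.sh", uid=1000, gid=100, mode="-rwxr-x--x")
OWNER = Subject(uid=1000, gids=frozenset({100}))
TEAMMATE = Subject(uid=1001, gids=frozenset({100}))
OUTSIDER = Subject(uid=2000, gids=frozenset({200}))

if __name__ == "__main__":
    for who, subj in (("owner", OWNER), ("teammate", TEAMMATE), ("outsider", OUTSIDER)):
        perms = "".join(op if allowed(subj, SCRIPT, op) else "-" for op in PERM_BITS)
        print(f"{who:9s} uid={subj.uid:<5d} -> {perms}")
```

Run stand-alone it prints rwx for the owner, r-x for a group member and --x for everyone else, which is exactly what the slide's -rwxr-x--x encodes.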
Syslog
The syslog utility allows systems
administrators to log various events
occurring on the Unix system.
If Syslog is configured correctly, Unix can
log many security events without the use
of a third party plug-in.
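As an added example (not code from the slides), the Python below reads traditional syslog lines of the kind the utility writes and runs two simple security checks over them: repeated failed SSH logins per source address, and commands executed through sudo. The log lines, host name, addresses and threshold are constructed for the example.

```python
# Added example (not from the EECS 4482 slides): parse traditional syslog lines
# and run two simple detections over them.
import re
from collections import Counter

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"   # e.g. 'Oct  3 14:02:11'
    r"(?P<host>\S+)\s"                                          # hostname
    r"(?P<proc>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?:\s*"             # 'sshd[2113]:' or 'sudo:'
    r"(?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+)\s*:.*\bUSER=(?P<target>\S+)\s*;\s*COMMAND=(?P<cmd>.*)$")

# Constructed sample log (traditional syslog format; addresses from documentation ranges).
SAMPLE_LOG = """\
Oct  3 14:02:11 srv1 sshd[2113]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct  3 14:02:13 srv1 sshd[2113]: Failed password for root from 203.0.113.7 port 51235 ssh2
Oct  3 14:02:15 srv1 sshd[2117]: Failed password for root from 203.0.113.7 port 51236 ssh2
Oct  3 14:03:01 srv1 sshd[2120]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Oct  3 14:05:40 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls /root
Oct  3 14:06:02 srv1 sshd[2131]: Failed password for bob from 198.51.100.4 port 40023 ssh2
this line is not syslog at all
""".splitlines()


def parse_syslog_line(line: str):
    """Split one line into timestamp, host, process, pid and message; None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def failed_logins_by_source(lines) -> dict:
    """Count sshd 'Failed password' events per source IP address."""
    counts = Counter()
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None or rec["proc"] != "sshd":
            continue
        m = FAILED_RE.search(rec["msg"])
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def flag_sources(lines, threshold: int = 3) -> list:
    """Source addresses with at least `threshold` failed logins, sorted."""
    return sorted(ip for ip, n in failed_logins_by_source(lines).items() if n >= threshold)


def privileged_commands(lines) -> list:
    """(user, target user, command) for every command run through sudo."""
    found = []
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None or rec["proc"] != "sudo":
            continue
        m = SUDO_RE.match(rec["msg"])
        if m:
            found.append((m.group("user"), m.group("target"), m.group("cmd").strip()))
    return found


if __name__ == "__main__":
    print("failed logins:", failed_logins_by_source(SAMPLE_LOG))
    print("flagged sources:", flag_sources(SAMPLE_LOG))
    print("sudo commands:", privileged_commands(SAMPLE_LOG))
```

Malformed lines are skipped rather than aborting the run, which matters because a real syslog file mixes many formats; the per-process check keeps a "Failed password" string in some unrelated daemon's message from inflating the count.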
Mainframe Operating System
z/OS has weaker security than Windows
and Unix because its predecessors,
Multiple Virtual Storage and Virtual
Memory, were developed well before the
Internet and not designed to mitigate
the risk of hacking. RACF should be
installed to provide commercial-grade
security for zSeries servers.
Resource Access Control Facility (RACF)
RACF provides user authentication, resource
access control, security logging and audit
reporting. It is much more granular than
operating system security. For example, it
makes available 254 security levels (labels) that
can be assigned to each resource object. A label
indicates the users or objects that can access a
resource and how. A resource object may be a
data table (file), a program, a workstation, an
ATM or another network device. The type of
access may be read, write, delete.
RACF
Each user has a profile that controls that
user in terms of access allowed and binds
the user to security policies like password
change frequency, password length. A
user may also be restricted by day of
week and time of day.
An administrator has full access. An
“auditor” in RACF has full read access,
including generating reports on access,
profiles and history log.
Penetration Testing
Self-hacking; it should be done periodically
by large organizations.
Penetration Testing
Map the network, i.e., studying the network to
identify entry points including IP addresses. One
might argue that this does not simulate hacking
because a hacker would not have this information.
If the penetration tester wants to be more
objective and to simulate an actual hack more
closely, s/he may decide not to rely on internal
documentation of the network and instead, use
external scanning, Internet research and social
engineering.
Penetration Testing
Probe the network by using automated
commands like ping to find out what ports are
open on each web server.
Use security scanning software to scan web
server for loopholes, e.g., unpatched operating
system.
Try to hack into a system to view confidential
information. There are automated tools
available on the Internet and within the hacker
community.
Penetration Testing
- Obtain system administrator IDs and passwords of
servers.
- Obtain firewall, IDS and IPS rules.
- Inject a small amount of bogus traffic to test the firewall
and intrusion prevention system. There are automated
tools available on the Internet and within the hacker
community.
- Show attempts and ability to cause denial-of-service
attack, defacement or changing data.
- Report deficiencies to management and make
recommendations for improvements.
Conclusion
- PC and PC-based server security continues to be improved by their
vendors.
- Recently made available features include full hard disk encryption,
application firewall and integrated anti-malware features, including
anti-virus.
- In security, the weakest link is people, including people’s commitment to
defining strong policies and complying with policies.
- Organizations should have tight operating system images for desktops and
servers across the enterprise to comply with their policies.
- User access rights should be limited to their job functions, and users should
not be given administrator privilege to their desktops and laptops. System
administrators should be controlled with a thorough reference check and criminal
record check before hiring and periodically thereafter, rotation of duties
among servers, limiting the servers they support, limiting their other duties,
and regular management review of the system logs using software
products to turn system logs into meaningful management reports.