Download Computer Security

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
Document related concepts

Next-Generation Secure Computing Base wikipedia , lookup

Password strength wikipedia , lookup

Distributed firewall wikipedia , lookup

Information security wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Mobile security wikipedia , lookup

Computer security wikipedia , lookup

Wireless security wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Security-focused operating system wikipedia , lookup

Authentication wikipedia , lookup

Unix security wikipedia , lookup

3-D Secure wikipedia , lookup

Access control wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Transcript 
Information Systems Security
Access Control
Domain #2
Objectives






Access control types
Identification, authentication, authorization
Control models and techniques
Single sign-on technologies
Centralized and decentralized administration
Intrusion Detection Systems (IDS)
Roles of Access Control
 Limit System Access
 Access based on identity, groups,
clearance, need-to-know, location, etc.
 Protect against unauthorized disclosure,
corruption, destruction, or modification
– Physical
– Technical
– Administrative
Access Control Examples
 Physical
– Locks, guards
 Technical
– Encryption, password, biometrics
 Administrative
– Policies, procedures, security training
Access Control Characteristics
 Preventative
– Keeps undesirable events from happening
 Detective
– Identify undesirable events that have happened
 Corrective
– Correct undesirable events that have happened
 Deterrent
– Discourage security violations from taking place
Continued
 Recovery
– Restore resources and capabilities after a
violation or accident
 Compensation
– Provides alternatives to other controls
Who are You?
 Identification – username, ID account #
 Authentication – passphrase, PIN, bio
 Authorization – “What are you allowed to do”
 Separation of Duties
 Least Privilege
Authentication
 Something you know
 Something you have
 Something you are
 2-Factor Authentication
– Use 2 out of the 3 types of characteristics
Access Criteria
 Security Clearance
– Mandatory control systems and labels
 Need-to-Know
– Formal processes
– Requirements of role within company for access
 Least Privilege
– Lease amount of rights to carry out tasks
– No authorization creep
 Default to “NO ACCESS”
Example Controls
 Biometrics
– Retina, finger, voice, iris
 Tokens
– Synchronous and Asynchronous device
 Memory Cards
– ATM card, proximity card
 Smart Cards
– Credit card, ID card
Biometric Controls




Uses unique personal attributes
Most expensive and accurate
Society has low acceptance rate
Experience growth after 9-11-2001
Error Types
 Type I error
– Rejects authorized individuals (False Reject)
– Too high a level of sensitivity
 Type II error
– Accepts imposter (False Accept)
– Too low a level of sensitivity
 Crossover Error Rate (CER)
– JUST RIGHT!!!!!
Biometric Example
 Fingerprint
– Ridge endings and bifurcations
 Finger Scan
– Uses less data than fingerprint (minutiae)
 Palm Scan
– Creases, ridges, and grooves from palm
 Hand Geometry
– Length and width of hand and fingers
More Biometrics
 Retina Scan
– Blood vessel pattern on back of eyeball
 Iris Scan
– Colored portion of eye
 Signature Dynamics
– Electrical signals of signature process
 Keyboard Dynamics
– Electrical signals of typing process
More Biometrics
 Voice Print
– Differences in sound, frequency, and pattern
 Facial Scan
– Bone structure, nose, forehead size, and eye
width
 Hand Topology
– Size and width of side of hand
Passwords





Least secure but cheap
Should be at least 8 characters and complex
Keep a password history
Clipping levels used
Audit logs
Password Attacks
 Dictionary Attacks
– Rainbow tables
 Brute Force Attack
– Every possible combination
Countermeasures




Encrypt passwords
Use password advisors
Do not transmit in clear text
GREATLY protect central store of
passwords
 Use cognitive passwords
– Based on life experience or opinions
One-time Passwords




Dynamic
Generated for one time use
Protects against replay attacks
Token devices can generate
– Synchronized to time or event
– Based on challenge response mechanism
 Not as vulnerable as regular passwords
Passphrase




Longer than a password
Provides more protection
Harder to guess
Converted to virtual password by software
Memory Cards
 Magnetic stripe holds data but cannot
process data
 No processor or circuits
 Proximity cards, credit cards, ATM cards
 Added costs compared to other
technologies
Smart Card




Microprocessor and IC
Tamperproof device (lockout)
PIN used to unlock
Could hold various data
– Biometrics, challenge, private key, history
 Added costs
– Reader purchase
– Card generation and maintenance
Single Sign-on (SSO)
 Scripting Authentication Characteristics
– Carry out manual user authentication
– As users are added or changed, more
maintenance is required for each script
– Usernames and passwords held in one central
script
 Many times in clear text
SSO Continued
 Used by directory services (x.500)
 Used by thin clients
 Used by Kerberos
– If KDC is compromised, secret key of every
system is also compromised
– If KDC is offline, no authentication is possible
Kerberos






Authentication, confidentiality, integrity
NO Non-availability and repudiation services
Vulnerable to password guessing
Keys stored on user machines in cache
All principles must have Kerberos software
Network traffic should be encrypted
SESAME
 Secure European System for Application in
a Multi-vendor Environment
 Based on asymmetric cryptography
 Uses digital signatures
 Uses certificates instead of tickets
 Not compatible with Kerberos
Access Control Threats







DOS
Buffer Overflow
Mobile Code
Malicious Software
Password Cracker
Spoofing/Masquerading
Sniffers
More Access Control Threats







Eavesdropping
Emanations
Shoulder Surfing
Object Reuse
Data Remanence
Unauthorized Data Mining
Dumpster Diving
More Threats
 Theft
 Social Engineering
 Help Desk Fraud
Access Control Models
 Once security policy is in place, a model
must be chosen to fulfill the directives
– Discretionary access control (DAC)
– Mandatory access control (MAC)
– Role-based access control (RBAS)
 Also called non-discretionary
Discretionary
 Used by OS and applications
 Owner of the resource determines which
subjects can access
 Subjects can pass permissions to others
 Owner is usually the creator and has full
control
 Less secure than mandatory access
Mandatory Access
 Access decisions based on security
clearance of subject and object
 OS makes the decision, not the data owner
 Provides a higher level of protection
– Used by military and government agencies
Role Based Access Control
 Also called non-discretionary
 Allows for better enforcing most commercial
security policies
 Access is based on user’s role in company
 Admins assign user to a role (implicit) and
then assign rights to the role
 Best used in companies with a high rate of
turnover
Remote Authentication Dial-in User
Services (RADIUS)





AAA protocol
De facto standard for authentication
Open source
Works on a client/server model
Hold authentication information for access
Terminal Access Controller Access
Control System (TACACS)
 Cisco proprietary protocol
 Splits authentication, authorization, and
auditing features
 Provides more protection for client-to-server
communication than RADIUS
 TACACS+ adds two-factor authentication
 Not compatible with RADIUS
Diameter
 New and improved RADIUS
 Users can move between service provider
networks and change their point of
attachment
 Includes better message transport, proxying,
session control, and higher security for AAA
 Not compatible with RADIUS
Decentralized Access Control
 Owner of asset controls access
administration
 Leads to enterprise inconsistencies
 Conflicts of interest become apparent
 Terminated employees’ rights hard to
manage
 Peer-to-peer environment
Hybrid Access Control
 Combines centralized and decentralized
administration methods
 One entity may control what users access
 Owners choose who can access their
personal assets
Ways of Controlling Access
 Physical location
– MAC addresses
 Logical location
– IP addresses
 Time of day
– Only during work day
 Transaction type
– Limit on transaction amounts
Technical Controls
 System access
– Individual computer controls
– Operating system mechanisms
 Network access
– Domain controller logins
– Methods of access
 Network architecture
– Controlling flow of information
– Network devices implemented
 Auditing and encryption
Physical Controls
 Network segregation
– Wiring closets need physical entry protection
 Perimeter security
– Restrict access to facility and assets
 Computer controls
– Remove floppys and CDs
– Lock computer cases
Protect Audit Logs
 Hackers attempt to scrub the logs
 Organizations that are regulated MUST
keep logs for a specific amount of time
 Integrity of logs can be protected with
hashing algorithms
 Restrict network administrator access
Intruder Detection Systems (IDS)
 Software employed to monitor a network
segment or an individual computer
 Network-based
– Monitors traffic on a network segment
– Sensors communicate with central console
 Host-based
– Small agent program that resides on individual
computer
– Detects suspicious activity on one system
IDS Placement
 In front of firewall
– Uncover attacks being launched
 Behind firewall
– Root out intruders who have gotten through
 Within intranet
– Detect internal attacks
Type of IDS
 Signature-based
– Knowledge based
– Database of signatures
– Cannot identify new attacks
– Need continual updating
 Behavior-based
– Statistical or anomaly based
– Creates many false positives
– Compares activity to ‘what is normal’
IDS Issues
 May not process all packets on large
network
 Cannot analyze encrypted data
 Lots of false alarms
 Not an answers to all problems
 Switched networks make it hard to examine
all packets
Traps for Intruders
 Padded Cell
– Codes within a product to detect if malicious
activity is taking place
– Virtual machine provides a ‘safe’ environment
– Intruder is moved to this environment
– Intruder does not realize that he is not is the
original environment
– Protects production system from hacking
– Similar to honeypots
Related documents
Name : Ahmed AL_Balawi ID: 200600112
Name : Ahmed AL_Balawi ID: 200600112
Security
Security
Chapter 5 Protection of Information Assets
Chapter 5 Protection of Information Assets
Network Device Security Options
Network Device Security Options
Accounts and Authentication
Accounts and Authentication
Factors Driving the Need for Network Identity
Factors Driving the Need for Network Identity
Hepix-Prague-Cyber
Hepix-Prague-Cyber
Document
Document
L16_Security
L16_Security
PPT - CS
PPT - CS
Operating System Security Fundamentals
Operating System Security Fundamentals
Panel: Security and the World Wide Web
Panel: Security and the World Wide Web