By Matt Norris. Physical Security - Threats -User Authentication Techniques Information Security - Threats -User Authentication Techniques Good Authentication.


By Matt Norris

Physical Security
- Threats
- User Authentication Techniques
Information Security
- Threats
- User Authentication Techniques
Good Authentication Practices

Types of Security
- Physical Security
- Information Security

Physical Security – steps taken to protect a facility, resource, or information from being physically accessed
Design concepts to ‘harden’ facilities: barriers, locks, etc.

Two types of threats
- Outsiders
- Insiders

Outsider threat – by person(s) who are not part of the target organization
Easier to defend against:
- gaining entry into an area is more difficult
- less knowledge of the area
- the less common of the two threats

Insider threat – by person(s) who belong to the target organization
More difficult to defend against:
- the actor is knowledgeable of the area, procedures and protocols
- the most common threat

Guards – posted security personnel at access points
- verify authorization to restricted areas (i.e. IDs, personnel roster)
- physical presence prevents unauthorized access to restricted areas

User authentication controls may be:
- Something you have…
- Something you know…
- Something you are…

Something You Have…
Locks – restrict access until unlocked or deactivated
Padlocks – require a key or combination to gain access
Weaknesses:
1. duplicate keys
2. easily bypassed

Keycards – scanned through a card reader to gain access to a restricted area
Only keycards with authorization can access that area
- Role-based access control (RBAC): level of access based on role
Weakness: stolen keycard

Something You Know…
Door Codes – require a code to gain entry
- Keypad on the door serves as the input device for the entry code
- RBAC: knowledge of the code based on role
Weakness: employees writing down the code, which is easily stolen

Something You Are…
Biometrics – method of identifying a unique human trait or characteristic as a means of authentication
Best type of defense against unauthorized access

How it works:
1) Initial template enrolled in a database
2) Later access attempts measured against the initial template
3) Template run against the Match Index Decision Criterion (is it close enough?)
4) Template either accepted or rejected

Types of Biometrics
- Voice Recognition
- Fingerprint/Hand Geometry Scan
- Iris/Retinal Scan
- Handwriting

Weaknesses:
- most expensive
- False Accept Rate (FAR): accepting a template that should be rejected
- False Reject Rate (FRR): rejecting a template that should be accepted
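The enrollment, matching and decision steps above, as an added example that is not from the original slides: a toy matcher on constructed hand-geometry-style feature vectors (not real data), with a threshold sweep that shows why lowering the threshold raises the False Accept Rate while raising it increases the False Reject Rate. The similarity function and the sample values are assumptions chosen for illustration.

```python
# Added example, not from the original presentation: a toy biometric matcher.
# Step 1 enrolls a template, step 2 measures later samples against it, step 3
# applies a decision threshold, step 4 accepts or rejects. FAR/FRR are then
# measured on constructed genuine and impostor samples.
import math

def enroll(samples):
    """Step 1: average several enrollment samples into one stored template."""
    n = len(samples)
    return [sum(s[i] for s in samples) / n for i in range(len(samples[0]))]

def match_score(template, sample):
    """Step 2: similarity in (0, 1]; 1 = identical, lower = more different."""
    dist = math.sqrt(sum((t - s) ** 2 for t, s in zip(template, sample)))
    return 1.0 / (1.0 + dist)

def decide(template, sample, threshold):
    """Steps 3-4: Match Index Decision Criterion, accept when close enough."""
    return match_score(template, sample) >= threshold

def error_rates(template, genuine, impostor, threshold):
    """FAR = share of impostor samples accepted; FRR = share of genuine rejected."""
    far = sum(decide(template, s, threshold) for s in impostor) / len(impostor)
    frr = sum(not decide(template, s, threshold) for s in genuine) / len(genuine)
    return far, frr

# Constructed feature vectors (e.g. three hand-geometry measurements), not real data.
ENROLL = [[10.0, 5.0, 3.0], [10.2, 5.1, 2.9], [9.8, 4.9, 3.1]]
GENUINE = [[10.1, 5.0, 3.0], [9.9, 5.2, 2.8], [10.3, 4.8, 3.2], [10.0, 5.4, 3.0]]
IMPOSTOR = [[12.0, 6.0, 4.0], [10.5, 5.5, 3.5], [8.0, 4.0, 2.0], [11.2, 5.0, 3.0]]

def sweep(thresholds):
    """Map threshold -> (FAR, FRR) to expose the trade-off between the two errors."""
    template = enroll(ENROLL)
    return {t: error_rates(template, GENUINE, IMPOSTOR, t) for t in thresholds}

if __name__ == "__main__":
    for t, (far, frr) in sweep([0.5, 0.6, 0.75, 0.9]).items():
        print(f"threshold {t:.2f}: FAR={far:.2f} FRR={frr:.2f}")
```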

Information Security – protecting the information stored on computer hardware
Prevents unauthorized access to personal information and data

Password/Key Crackers – try combinations of usernames and passwords until the password is discovered
3 types of cracking techniques:
- Brute Force Attack
- Dictionary Attack
- Hybrid Attack

Brute Force Attack – tests alphabetic and numeric characters, starting at 1 character, then 2, 3, etc.
Dictionary Attack – uses words from the dictionary
Hybrid Attack – alphanumeric attack that uses different combinations of letters and numbers

Man-in-the-middle attack: the attacker passes information between users on a network, with each thinking their connection is secure
- intercepts passwords, files, e-mails, etc.
- only works on unsecure networks that do not require authentication

Social Engineering – gathering information through deception to commit fraud or gain computer system access
Most common form of social engineering: phishing

Phishing – fraudulent attempt to gain personal information or computer access
Things they’re after: username, password, credit card info
Methods: e-mail, chat, instant messaging

Key loggers – covertly record the keys struck on a keyboard
Makes guessing passwords easier
Types of key loggers:
- software
- hardware
- acoustic
- optical surveillance

Username/id – unique name/number that identifies an authorized user
Each user has their own username/id
Usually used in conjunction with passwords
Weakness: often listed/posted where unauthorized users can see it

Passwords – code made up of letters and characters that enables a user access
Good password practice:
- should be lengthy
- made up of different numbers, letters and characters
- should be changed frequently

The combination of a username/id and password is the most common user authentication technique
Lockout after a set number of unsuccessful login attempts, and the user is notified
Weaknesses:
- human error: users choose easy-to-remember passwords and reuse passwords
- vulnerable to password crackers
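To connect the three cracking techniques with the good-password-practice slide, here is an added example (not from the original presentation) that estimates how many guesses the dictionary, hybrid and brute-force techniques would each need before reaching a given password, which makes the value of length and mixed character classes concrete. The word list and suffix list are constructed and tiny; a real attack dictionary has millions of entries, so the numbers are illustrative only.

```python
# Added example, not from the original slides: a password-resistance estimator
# for the three cracking techniques (dictionary, hybrid, brute force).
import string

# Constructed mini word list and suffix list; real ones are far larger.
WORDLIST = ["password", "welcome", "dragon", "monkey", "letmein", "sunshine"]
HYBRID_SUFFIXES = [str(i) for i in range(100)] + ["!", "123", "2015"]

def charset_size(pw):
    """Size of the character-class mix the password draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw): size += 26
    if any(c in string.ascii_uppercase for c in pw): size += 26
    if any(c in string.digits for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += len(string.punctuation)
    return size

def brute_force_guesses(pw):
    """Guesses to exhaust lengths 1..len(pw): sum of charset^k (1 char, then 2, 3...)."""
    n = charset_size(pw)
    return sum(n ** k for k in range(1, len(pw) + 1))

def dictionary_guesses(pw):
    """Position in the word list if it is a plain dictionary word, else None."""
    low = pw.lower()
    return WORDLIST.index(low) + 1 if low in WORDLIST else None

def hybrid_guesses(pw):
    """Word + suffix combinations tried in order (e.g. 'dragon7'), else None."""
    count = 0
    for word in WORDLIST:
        for suffix in HYBRID_SUFFIXES:
            count += 1
            if pw.lower() == word + suffix:
                return count
    return None

def cheapest_attack(pw):
    """(technique, guesses) for the cheapest technique that reaches the password."""
    for name, fn in (("dictionary", dictionary_guesses), ("hybrid", hybrid_guesses)):
        guesses = fn(pw)
        if guesses is not None:
            return name, guesses
    return "brute force", brute_force_guesses(pw)

if __name__ == "__main__":
    for pw in ["Password", "Dragon7", "monkey2015", "x7#Qm2!pLw"]:
        print(pw, cheapest_attack(pw))
```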

Security Questions – question(s) used to verify the identity of the user after correct login information is accepted
Personal questions to which only the user would know the answer(s)
As with username/id and password, lockout and notification of the user after a set number of unsuccessful login attempts

Weaknesses:
- not commonly used
- others know the answers to some of the questions (the information is often posted on social networking sites)

Encryption – data is scrambled by an algorithm
Decryption – data is reassembled using the reverse algorithm
Provides 3 assurances:
- data not modified
- only holders of the decryption key can view the data
- data received at the intended destination

Key encryption – weaves a key made up of random characters into the original data, creating cipher text
2 types of key encryption:
- Private
- Public

Private Key Encryption – the key that deciphers the data is known only to the sender and receiver
Very secure
Weakness: the key must be shared between sender and receiver in order to work

Public Key Encryption – data encrypted using 2 keys, private and public
Public Key Infrastructure – uses a public/private key pair that is obtained/shared through a trusted authority
Provides for a digital certificate that can identify an individual

Authentication protocols – rules computers follow to verify a user’s credentials
Authentication, authorization, accounting (AAA) – common form of access control

Remote Authentication Dial In User Service (RADIUS) – networking protocol with centralized AAA management and a shared authentication database
- commonly used by ISPs to manage access to the Internet and wireless connections

Terminal Access Controller Access-Control System Plus (TACACS+) – provides centralized validation of users attempting to gain access to a router or network
Similar to RADIUS

Differences:
- RADIUS combines authentication and authorization, TACACS+ separates the two
- RADIUS uses User Datagram Protocol (UDP) whereas TACACS+ uses Transmission Control Protocol (TCP)

Password Authentication Protocol (PAP) – uses a two-step authentication process
1. Here are my credentials
2. You have/have not been authenticated
Simple, not secure

Challenge Handshake Authentication Protocol (CHAP) – uses a three-way handshake and encrypts data
1. Here is a challenge
2. Here is the challenge, plus the encrypted password
3. You have/have not been authenticated
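The PAP and CHAP exchanges above, simulated as an added example that is not from the original presentation. One caveat for the slide's wording: CHAP as specified in RFC 1994 does not send an encrypted password; the client returns MD5(identifier || shared secret || challenge), so the secret never crosses the link and a captured response is useless against a fresh challenge, which is what makes it stronger than PAP's clear-text credentials. The username, secret store and message dictionaries are assumptions constructed for this example.

```python
# Added example, not from the original slides: PAP and CHAP between a client
# and an access server. Messages are plain dicts standing in for the PPP frames.
import hashlib, hmac, os

# Constructed server-side secret store. Note that CHAP needs the clear-text
# shared secret on both ends; it cannot verify against a one-way password hash.
SECRET_DB = {"alice": b"correct horse"}

def pap_client(user, password):
    """PAP step 1: 'here are my credentials', sent in the clear."""
    return {"user": user, "password": password}

def pap_server(msg):
    """PAP step 2: 'you have / have not been authenticated'."""
    secret = SECRET_DB.get(msg["user"])
    return secret is not None and hmac.compare_digest(secret, msg["password"])

def chap_challenge(size=16):
    """CHAP step 1: server sends a fresh random challenge plus an identifier byte."""
    return {"id": os.urandom(1)[0], "challenge": os.urandom(size)}

def _chap_hash(ident, secret, challenge):
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_response(user, secret, chal):
    """CHAP step 2: client returns MD5(id || secret || challenge), never the secret."""
    return {"user": user, "id": chal["id"],
            "response": _chap_hash(chal["id"], secret, chal["challenge"])}

def chap_server(chal, resp):
    """CHAP step 3: server recomputes the hash; accept only on an exact, same-id match."""
    secret = SECRET_DB.get(resp["user"])
    if secret is None or resp["id"] != chal["id"]:
        return False
    expected = _chap_hash(chal["id"], secret, chal["challenge"])
    return hmac.compare_digest(expected, resp["response"])

def chap_login(user, secret):
    """Full three-way handshake; returns (authenticated, bytes an eavesdropper saw)."""
    chal = chap_challenge()
    resp = chap_response(user, secret, chal)
    return chap_server(chal, resp), resp["response"]

def replay_is_rejected(user, secret):
    """A response captured from one handshake fails against a new challenge."""
    captured = chap_response(user, secret, chap_challenge())
    return not chap_server(chap_challenge(), captured)
```

With PAP the eavesdropper sees the password itself; with CHAP only a 16-byte digest bound to a one-time challenge.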

Security Policy – outlines protocols to ensure user authentication integrity and combat security threats
- make sure the policy is practiced!
Patches/Updates – keep systems current; fix problems that designers find before they are exploited
Use multiple user authentication techniques to increase security

Department of Defense’s (DOD) Army Knowledge Online
- username/password
- password is a combination of letters, numbers, characters
- 3 security questions
- password changed every 150 days
- requires ID card to change password
