SECURITY in IT ~Shikhar Agarwal.


DEFINITION
- Computer security is a branch of computer science that addresses enforcement of "secure" behavior on the operation of computers.
- The definition of "secure" varies by application, and is typically defined implicitly or explicitly by a security policy that addresses the confidentiality, integrity and availability of electronic information that is processed by or stored on computer systems.

Security in IT context
- Physical Security: prevent unauthorized access to a facility, a resource, or information stored on physical media
- Computing Security: secure computers and networks from malicious use
- Information Security: prevent unauthorized and unwarranted access to data or information in any form

Information Security

What Information Security means
- Availability
- Confidentiality
- Non-repudiation
- Integrity
- Digital Credentials
- Authentication
- Auditing
- Risk assessment
- Compliance/Regulations
- Administration
- Governance

Common Fraudulent Practices

Online Fraud
Common types of fraud:
- Phishing
- Identity theft
- Man-in-the-Middle attacks
- Denial of Service (DoS)
- Password attacks
- Data theft

Securing Systems

To secure systems we need:
- Physical Security
- Technological Security
- Policies and Procedures

Securing Systems (cont'd)
- Technological security is just one part of the security problem
- Physical security of systems is important
  - Only the right people (authorized users) have access to the systems
  - The first priority is to make systems physically secure
- Technological Security
  - Network security: secure systems over the network, so that only valid packets are delivered to the web server
  - Application security: web servers and applications are secure
  - Operating system security
- Policies and Procedures
  - Ensure systems are secure overall
  - Every employee should be asked not to give out passwords to anybody within or outside the organization
  - For example, n-strikes policies for passwords
  - Document shredding: sensitive papers are to be shredded

Key Security Concepts

Key Security Concepts
- Authentication
- Authorization
- Confidentiality
- Data/Message Integrity
- Accountability
- Availability
- Non-Repudiation

Key Concepts 1. Authentication

Authentication
- Authentication verifies identity: it is a process by which an entity proves that it is who it claims to be
- Three general ways of authentication:
  - Something we know (e.g., passwords)
  - Something we have (e.g., tokens)
  - Something we are (e.g., biometrics)

Something we KNOW
- Examples: passwords, pass phrases, PINs
- Pros
  - Simple to implement
  - Simple for us to understand
- Cons
  - Easy to crack (unless we choose strong ones): a hacker can try common login names, concatenations of words, etc.
  - We need to be forced to choose strong passwords, for example by setting password policies
  - Passwords are reused many times: each time we enter a password to access the system, an attacker who is listening in can capture it
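The two defensive measures this slide calls for, a password policy and an n-strikes lockout, together with salted hashing so the system never stores the password itself, as an added example (not part of the presentation; the length and class thresholds and the strike count are assumed values):

```python
import hashlib
import hmac
import os
import re

# Policy thresholds are assumptions for this example, not from the slides.
MIN_LENGTH = 12
MAX_STRIKES = 5  # the "n" in an n-strikes lockout policy


def meets_policy(password: str) -> bool:
    """Strong-password check: minimum length plus three character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    present = sum(1 for pattern in classes if re.search(pattern, password))
    return len(password) >= MIN_LENGTH and present >= 3


def hash_password(password: str, iterations: int = 100_000) -> dict:
    """Store a random salt and a PBKDF2-HMAC-SHA256 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations, "strikes": 0}


def verify_password(record: dict, attempt: str) -> bool:
    """Check an attempt; count failures so the account locks after n strikes."""
    if record["strikes"] >= MAX_STRIKES:
        return False  # locked: refused even if correct, until an administrator resets
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iterations"]
    )
    if hmac.compare_digest(digest, record["hash"]):  # constant-time comparison
        record["strikes"] = 0
        return True
    record["strikes"] += 1
    return False


if __name__ == "__main__":
    print(meets_policy("password"))                          # False: too short, one class
    rec = hash_password("Correct-Horse-Battery-9")
    print(verify_password(rec, "Correct-Horse-Battery-9"))   # True
    for _ in range(MAX_STRIKES):
        verify_password(rec, "wrong")
    print(verify_password(rec, "Correct-Horse-Battery-9"))   # False: locked out
```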

Something we HAVE – A Token
- Smart cards
- ATM cards
- SecurID
- USB tokens

Something we ARE – Biometrics
- Techniques used: palm scan, retinal scan, iris scan, fingerprint, voice ID, facial recognition, signature dynamics
- Pros
  - Provides a strong authentication solution
  - Raises the bar for authentication
- Cons
  - Difficulty in terms of deployment and management
  - Social acceptance
  - Key management: if a bad guy is able to copy a fingerprint, how are the secret pieces of information actually managed?

Two Factor Authentication
- Two Factor Authentication (T-FA) requires two independent ways to establish identity and privileges
- Combination of "what we know" and "what we have" factors
- Example: ATM card (what we have) + PIN (what we know)

Types of Authentication
- Person to computer
- Computer to computer
- There are three types of authentication:
  - Server authentication: who is the server
  - Client authentication: who is the client
  - Mutual authentication (client and server)
- The authenticated user is the "principal"

Server Authentication
- Server authentication is the process in which the server authenticates to the client, thus helping the client to verify the server
- Server authentication is very important in financial institutions and home banking systems
- Example: a Personal Assurance Message (PAM), which identifies the server to the user and helps prevent phishing attacks

Client Authentication
- Client authentication involves proving the identity of the client to a server on the web
- The client generally communicates with the server using the Hypertext Transfer Protocol (HTTP)
- HTTP being a stateless, sessionless protocol, the client must provide an authentication token

Mutual Authentication
- Mutual authentication refers to a client/user authenticating themselves to the server and that server authenticating itself to the user, in such a way that both parties are assured of the other's identity
- This is done for a client process and a server process without user interaction

Key Concepts 2. Authorization

Authorization
- Authorization is the process of granting or denying a user's access to a resource
- Authorization is the step after authentication, in which the user's access to various systems is based on the permissions granted to them

Key Concepts 3. Confidentiality

Confidentiality
- Protecting the communication/data from unintended recipients
- Keep the contents of the communication secret by using a shared secret between the communicating parties
- Confidentiality can be achieved through:
  - Cryptography
  - Access controls
  - Database views
  - Shared key access

Key Concepts 4. Message/Data Integrity

Message/Data Integrity
- Data integrity is the process of ensuring that data is not altered during transit
- Techniques used to check data integrity are:
  - Hashing algorithms
  - Checksums
  - Message Authentication Codes (MAC)
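The three techniques on this slide applied to one message, as an added example that is not part of the presentation: a checksum and a plain hash catch accidental corruption, but only the keyed MAC catches the man-in-the-middle case from the Online Fraud slide, where whoever changes the message can also recompute any tag that needs no key. The message and shared key are constructed.

```python
import hashlib
import hmac
import zlib

# Shared secret held by sender and receiver only (constructed for this example).
KEY = b"constructed-shared-secret"

def protect(message: bytes) -> dict:
    """Sender side: attach a checksum, a plain hash and a keyed MAC."""
    return {
        "message": message,
        "crc32": zlib.crc32(message),
        "sha256": hashlib.sha256(message).hexdigest(),
        "hmac": hmac.new(KEY, message, hashlib.sha256).hexdigest(),
    }

def check(packet: dict) -> dict:
    """Receiver side: recompute each tag and report which ones still match."""
    msg = packet["message"]
    expected_mac = hmac.new(KEY, msg, hashlib.sha256).hexdigest()
    return {
        "crc32": zlib.crc32(msg) == packet["crc32"],
        "sha256": hashlib.sha256(msg).hexdigest() == packet["sha256"],
        # constant-time compare so timing does not reveal how many bytes matched
        "hmac": hmac.compare_digest(expected_mac, packet["hmac"]),
    }

def corrupt_in_transit(packet: dict, index: int) -> dict:
    """Accidental damage: one bit flips and no tag is recomputed."""
    msg = bytearray(packet["message"])
    msg[index] ^= 0x01
    return {**packet, "message": bytes(msg)}

def rewrite_in_transit(packet: dict, new_message: bytes) -> dict:
    """The slide's man-in-the-middle case: the message is replaced and the
    unkeyed tags recomputed; the MAC cannot be recomputed without KEY."""
    return {
        **packet,
        "message": new_message,
        "crc32": zlib.crc32(new_message),
        "sha256": hashlib.sha256(new_message).hexdigest(),
    }

def demo() -> tuple:
    """Check results for an intact, a corrupted and a rewritten packet."""
    original = protect(b"PAY 100 TO ALICE")  # constructed sample message
    rewritten = rewrite_in_transit(original, b"PAY 100 TO MALLORY")
    return check(original), check(corrupt_in_transit(original, 4)), check(rewritten)
```

The rewritten packet passes both the CRC and the SHA-256 check and fails only the HMAC check, which is why an unkeyed hash sent alongside the data is not an integrity control against an active adversary.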

Key Concepts 5. Accountability

Accountability
- Logging and audit trails
  - Logging all the activities carried out by the system user
  - Auditing is a surveillance mechanism that watches over access to all sensitive information contained within the database
- Requirements to implement logging and audit trails:
  - Secure time stamping (OS vs. network)
  - Data integrity in logs / audit trails
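One way to give an audit trail the integrity property this slide requires is a hash chain, where each entry commits to the hash of the entry before it, so editing or deleting an entry breaks every later link. Added example, not part of the presentation; the entries and timestamps are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # link value for the first entry


def entry_hash(entry: dict) -> str:
    # Canonical JSON so the same fields always hash the same way.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


def append(log: list, timestamp: str, principal: str, action: str) -> dict:
    """Add an entry that commits to the hash of the current last entry."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"ts": timestamp, "who": principal, "what": action, "prev": prev}
    entry["hash"] = entry_hash(entry)  # covers ts, who, what and prev
    log.append(entry)
    return entry


def verify(log: list) -> int:
    """Index of the first entry whose link or hash is wrong, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or entry_hash(fields) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1


def build_sample_log() -> list:
    """Constructed entries; timestamps would come from a trusted time source."""
    log = []
    append(log, "2024-01-01T09:00:00Z", "alice", "login")
    append(log, "2024-01-01T09:05:12Z", "alice", "read customer_table")
    append(log, "2024-01-01T09:07:40Z", "alice", "export customer_table")
    return log
```

Anyone with write access to the whole log could recompute the chain, so the latest hash has to be stored (or signed) somewhere the log writer cannot change, which is also where the slide's secure time stamping belongs.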

Key Concepts 6. Availability

Availability
- The period for which the system / network is available to the user
- Examples: dial tone availability, system downtime limit, web server response time
- Solutions
  - Add redundancy to eliminate single points of failure
  - Impose limits on what legitimate users can consume

Key Concepts 7. Non-Repudiation

Non-Repudiation
- Non-repudiation provides evidence of the message source, so that the sender cannot deny its origin
- Generate evidence / receipts (digitally signed documents)

Privileges

Privileges
- A privilege in a computer system is a permission to perform an action
- Privileges can be:
  - Automatic
  - Granted
  - Applied for
- Examples of various privileges include the ability to:
  - create a file in a directory
  - read or delete a file
  - access a device
  - have read or write permission to a socket for communicating over the Internet

Principle of least privilege
- A user or computer program is given the least amount of privilege necessary to accomplish its task
- Example: valet keys for a car
  - The valet key allows the valet only to start the car and drive it down to the parking lot; it does not allow the valet to open the storage compartment of the car where the valuables are kept
  - The idea of the valet key is to provide access only to the required resources

Secure Defaults
- Only enable the 20% of the product's features that will be used by 80% of the users
- Harden systems: switch off all unnecessary services by default

Cryptography

What is Cryptography?
- The conversion of data into a secret code for the protection of privacy, using a specific algorithm and a secret key
- The original text, or "plaintext", is converted into a coded equivalent called "ciphertext" via an encryption algorithm
- The ciphertext can only be decoded (decrypted) using a predefined secret key
- Cryptography is used in many software security systems to achieve a high level of security
- Cryptography: the study of how to encode and decode messages
  - Bad guys should not be able to decode messages
  - Based on mathematics and number theory
- Applied Cryptography
  - Focuses on how to use cryptography to achieve security goals
  - Part of the lower end of the solution, helping to achieve higher-end security goals