SECURITY Chapter 15 CNS 3660. Crackers "malicious computer users" Varying intentions and abilities What motivates people to break into computer systems?

SECURITY Chapter 15 CNS 3660

Crackers
"malicious computer users"
Varying intentions and abilities
What motivates people to break into computer systems?
Also: Does it matter what their motivations are?

Motivation
a challenge
notoriety
ideological ("cyber warfare")
steal money
free goods and services
fun

Stopping crackers
Back up important information
Have hiring policies that attract honest and loyal staff
Choose secure software and keep it up to date
Train staff to identify weaknesses
Use audits and logs to detect break-ins

"Most successful attacks on computer systems take advantage of well-known weaknesses such as easily guessed passwords, common misconfigurations, and old versions of software."

How important is your information?
Hobby user
Business
Bank
Military
Why would crackers break into a hobby system?

"Even the computer with the least interesting data still has significant appeal as an anonymous launching pad for attacks on other systems."

Security Threats
Exposure of confidential data
Loss of data
Repudiation
Modification of data
Denial of service
Errors in software

Exposure of confidential data
Don't store secret info on the web server
  – Info that is provided to the public
  – Info that has recently been collected from the public
Remove unnecessary services
Design, configure, code and test carefully
Require authentication
Use encryption
More on these two subjects (authentication and encryption) later

Loss of data
Causes: break-ins, careless employees, hard drive crash
Back up your data
Keep backups away from your computer
  – Safe deposit boxes in two different cities
  – Source code, compiler, OS, etc.
  – Copy of thesis in seven different places (car, freezer, etc.)
Test your recovery procedure

Modification of data
Prevent:
  – File permission facilities of the OS
  – Encryption
Detect (can be difficult):
  – Checksums
  – Store off-line
Recover:
  – Logs and backups
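The "Detect" step in practice: a checksum manifest of a directory, compared later to report modified, added and removed files. This is example code added here, not from the slides; the file names and contents are constructed, and the baseline manifest is assumed to be kept off-line (as the slide says), since a copy on the same host can be rewritten by whoever rewrote the files.

```python
import hashlib
import os
import tempfile

def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each regular file under root (relative path) to its digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_digest(full)
    return manifest

def compare(baseline, current):
    """Return (modified, added, removed) paths; baseline is the trusted,
    off-line copy of the manifest, current is freshly computed."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed

def demo():
    """Constructed scenario: snapshot a small 'web root', then change one file,
    delete one and drop in a new one, and see what the comparison reports."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("index.php", b"<?php echo 'hello'; ?>"),
                           ("config.php", b"<?php $db = 'shop'; ?>"),
                           ("notes.txt", b"todo")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_manifest(root)          # taken while the files are trusted
        with open(os.path.join(root, "index.php"), "ab") as f:
            f.write(b"<!-- changed -->")         # modification of an existing file
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(root, "extra.php"), "wb") as f:
            f.write(b"<?php ?>")                 # unexpected new file
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())  # (['index.php'], ['extra.php'], ['notes.txt'])
```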

Denial of service (DoS)
Someone's actions make it difficult or impossible for users to access a service
Year 2000 attacks on eBay, Amazon, Yahoo!, etc.
"one of the most difficult threats to guard against" Why?

Errors in software
Web projects often have short development times
Effects of errors in software:
  – service unavailability
  – security breaches
  – financial losses
  – poor service to customers

Common causes of errors
Poor specifications
Assumptions made by developers
  – Data will be valid, will not contain unusual characters, or will be less than a certain size
  – Assumptions about timing of events
Poor testing

Secure coding
Is the strcpy function in C and C++ a security problem?

"Historically, the operating system or application level weaknesses exploited by crackers have usually been related either to buffer overflows or race conditions."

Repudiation
"when a party involved in a transaction denies having taken part"
Issues:
  – Authentication
  – Tamperproof messages
E-commerce companies get certificates
Customers do not have certificates

Balancing Usability, Performance, Cost, and Security
Competing goals
Ask yourself:
  – How valuable is your information?
  – What is your budget?
  – How many visitors do you expect to serve?
  – What obstacles will users put up with?

Authentication Principles
Authentication: proving that someone is who they claim to be
What authentication techniques are you familiar with?
Which are in common use on the web?

Authentication techniques
passwords
digital signatures
biometric techniques
hardware
  – smart cards, keys, etc.
documents
  – passport, driver's license, etc.
What are biometric techniques?

Authentication techniques
passwords
digital signatures
biometric techniques
hardware
  – smart cards, keys, etc.
documents
  – passport, driver's license, etc.
Only two of these, passwords and digital signatures, are commonly used with web applications.

Passwords
Simple concept that is widely used
Secure as long as no one else finds out the password
What are the advantages and disadvantages of using passwords?

Advantages of passwords
Simple, cheap, and easy
Relatively effective

Disadvantages of passwords
Passwords can be captured from a file or from network traffic (especially when unencrypted)
Many passwords are easily guessed
  – Educate users
  – Enforce a password selection policy
What happens if you force selection of hard-to-remember passwords?

How users remember hard-to-remember passwords
(written down) user name: fred, password: k3%mq9

Creating passwords
Random character strings
Combination of two short words with special characters or digits
First letter of each word in a phrase or a line from a song
Diceware

HTTP basic authentication
Server requests authentication info
Browser stores the details and gives them to the server with each request
Transmits user id and password in the clear
Set up realm name, user names, passwords

Problems with basic authentication
No secure identification of host
Cracker can replay request
Cracker can capture packets and obtain password
  – HTTP provides digest authentication, which uses MD5 to "disguise the details"; slightly more secure than plaintext

Basic authentication with Apache
Can use an .htaccess file in the directory
  – Server must parse the file with every request
Can also use the httpd.conf file
  – more efficient than .htaccess
Use the htpasswd command to create the password file
  – encrypts passwords
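Server-side handling of basic authentication, added here as an example (not from the slides or from Apache): parsing the Authorization header shows that the credentials travel as plain base64, so anyone who captures the request can read them, while the server itself needs only one-way hashes, as htpasswd stores them. The password-file format used here (hex salt, `$`, PBKDF2 hash) is constructed for the example and is not Apache's htpasswd format; fred / k3%mq9 are the slide's sample credentials.

```python
import base64
import binascii
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware gets faster

def basic_header(user, password):
    """What the browser sends: base64 is an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_header(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None

def make_entry(password, salt=None):
    """One-way: salted PBKDF2 digest; the password cannot be recovered from the file."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"

def check_password(entry, password):
    salt_hex, stored_hex = entry.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), stored_hex)  # constant-time comparison

# Constructed realm: one user, plus a dummy entry so unknown users cost the same time
PASSWORD_FILE = {"fred": make_entry("k3%mq9")}
_DUMMY_ENTRY = make_entry(os.urandom(8).hex())

def authenticate(header, password_file):
    """Return the authenticated user name, or None. Always runs one PBKDF2 so that
    response time does not reveal which user names exist."""
    creds = parse_basic_header(header)
    if creds is None:
        return None
    user, password = creds
    ok = check_password(password_file.get(user, _DUMMY_ENTRY), password)
    return user if ok and user in password_file else None
```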

Encryption basics
"An encryption algorithm is a mathematical process to transform information into a seemingly random string of data."
Diagram: Plain Text → Encryption Algorithm → Cipher Text

One-way encryption
Encryption algorithm is not reversible for one-way encryption
When is one-way encryption useful?
Diagram: Plain Text → Encryption Algorithm → Cipher Text

Two-way encryption
Decryption algorithm recovers the plain text
Encryption and decryption require the same key
Diagram: Plain Text → Encryption Algorithm (Key) → Cipher Text → Decryption Algorithm (Key) → Plain Text

Public key encryption
Two keys:
  – Private key is secret
  – Public key is distributed freely
Diagram: Plain Text → Encryption Algorithm (Public key) → Cipher Text → Decryption Algorithm (Private key) → Plain Text

Digital signature
Encrypt with private key
  – Usually only encrypt the message digest (hash)
Decrypt with public key to verify
Diagram: Plain Text → Encryption Algorithm (Private key) → Cipher Text → Decryption Algorithm (Public key) → Plain Text

Digital Certificates
Issued by a certifying authority (CA)
  – e.g. Verisign, etc.
Signed by the CA (encrypted with its private key)
Includes the server's public key
More later with secure transactions
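The public-key, signature and certificate slides carried through in code, as an added example (not from the slides): a digest is "encrypted" with the signer's private key and checked with the public key, and a CA applies the same operation to a server's name and public key to produce a certificate that a client can check. Textbook RSA with fixed Mersenne primes and no padding, for illustration only; the subject name shop.example is constructed.

```python
import hashlib
import json

E = 65537  # conventional public exponent

def keypair(p, q):
    """From two primes: public key (n, e) and private key (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # modular inverse needs Python 3.8+

def digest_int(data):
    """Only the message digest is signed, not the whole message."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    n, d = private
    return pow(digest_int(data), d, n)        # 'encrypt' the digest with the private key

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest_int(data)  # 'decrypt' with the public key, compare

def issue_certificate(ca_private, subject, subject_public):
    """The CA vouches for a name/public-key binding by signing it."""
    body = json.dumps({"subject": subject, "n": subject_public[0],
                       "e": subject_public[1]}, sort_keys=True).encode()
    return {"body": body, "signature": sign(ca_private, body)}

def check_certificate(ca_public, cert, expected_subject):
    """Client side: accept the embedded key only if the CA signature holds and the name matches."""
    if not verify(ca_public, cert["body"], cert["signature"]):
        return None
    fields = json.loads(cert["body"])
    if fields["subject"] != expected_subject:
        return None
    return (fields["n"], fields["e"])

# Constructed demo keys from Mersenne primes (known primes; real keys are generated randomly).
# Both moduli are far wider than a 256-bit digest, so the digest fits without reduction.
CA_PUB, CA_PRIV = keypair(2**521 - 1, 2**607 - 1)
SERVER_PUB, SERVER_PRIV = keypair(2**127 - 1, 2**1279 - 1)

def demo():
    cert = issue_certificate(CA_PRIV, "shop.example", SERVER_PUB)
    server_key = check_certificate(CA_PUB, cert, "shop.example")
    order = b"pay 10.00 to shop.example"
    sig = sign(SERVER_PRIV, order)
    return (server_key == SERVER_PUB,
            verify(server_key, order, sig),
            verify(server_key, b"pay 99.00 to shop.example", sig))  # (True, True, False)
```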

Other security issues
Auditing and logging
Firewalls
Data backups
Physical security