Ingredients of Information Security. - Who has access the asset? - Is the asset correct? - Is the asset accessible? …uncorrupted? …authentic?



What assets need to be secured?

Integrity: Quality of an Information System (IS) reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data.† † Definition from National Information Systems Security

Confidentiality: Assurance that information is not disclosed to unauthorized persons, processes, or devices.† † Definition from National Information Systems Security

Availability: Timely, reliable access to data and information services for authorized users.† † Definition from National Information Systems Security

Common attacks:
- spoofing
- playback (replay) attack
- man in the middle attack
- dumpster diving
- password cracking
- denial of service (DoS) attack
- shoulder surfing
- network infrastructure attack
- network scanning
- buffer overflow
- syn flood

[Diagram: Asset, Security System, Attack, Proper Access]

At the root of all security is trust. What don't you (or shouldn't you) trust? Since we obviously can't trust everything, we need to develop and implement security policy...

A security _________ defines what needs to be done. A security ______________ defines how to do it.
Example security policy: All passwords must be updated on a regular basis and every one must include at least one embedded non-alphabetic symbol.
Corresponding security mechanisms: (see the slide)

Security is about building barriers to protect assets. What complicates security is the necessity for barrier penetration. To be secure the barrier holes must be guarded. [Diagram: Asset, Security System, Attack, Proper Access]

Basic Concepts in Barrier Penetration Control
- Who are you?
- Can you prove it?
- That which you are permitted to do.
- You should be held responsible.

Security systems need to be able to distinguish the "white hats" from the "black hats". This all begins with identity. What are some common identifiers used in our world? What is the problem with using people's names as identifiers?

Authorization: Access privileges granted to a user, program, or process.† † Definition from National Information Systems Security Common authorization tokens:

Authentication: Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.† † Definition from National Information Systems Security

Authentication... is a basis for trust.
Password -- the most common means of authentication. Passwords are vulnerable to attacks. Why?
Uses challenge-response protocol. [Diagram: CHALLENGE = "password:" prompt; RESPONSE = the password typed back (encryption required)]
Challenge-response systems fail when responses are efficiently discovered.

Give password cracking software a challenge. The conventional wisdom is as follows...
- Use first letters from some phrase you can remember. TtlsH1wwya
- Don't use short passwords (at least 12 symbols).
- Include both lowercase and uppercase and digits.
- Bracket the password with non-alphanumerics. #TtlsH1wwya&
- Alt cracker algorithm == repeatedly
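The policy-versus-mechanism distinction from the earlier slide, worked through for the password rules above: the policy says what is required, and the mechanism below is one added example (not from the original slides) that enforces it. The reading of "embedded" as a non-letter strictly inside the password is an assumption.

```python
import string

MIN_LENGTH = 12            # "at least 12 symbols"

def check_password_rules(pw: str) -> list[str]:
    """Mechanism enforcing the slide's password rules.
    Returns the list of rules the password violates; an empty list means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too short (at least %d symbols)" % MIN_LENGTH)
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    # Policy text: "at least one embedded non-alphabetic symbol". Assumption: a
    # non-letter strictly inside the password, not counting the bracketing symbols.
    if not any(not c.isalpha() for c in pw[1:-1]):
        failures.append("no embedded non-alphabetic symbol")
    # Bracketing rule: first and last characters are non-alphanumeric (e.g. '#' and '&').
    if len(pw) < 2 or pw[0].isalnum() or pw[-1].isalnum():
        failures.append("not bracketed with non-alphanumerics")
    return failures

if __name__ == "__main__":
    # The two passwords are the ones shown on the slide.
    for candidate in ("TtlsH1wwya", "#TtlsH1wwya&"):
        problems = check_password_rules(candidate)
        print(candidate, "->", "OK" if not problems else "; ".join(problems))
```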

token -- small device carried by user (often includes microprocessor, keypad and/or real-time clock); also called an HHAD - Hand Held Authentication Device.
Challenge-Response Token
1) System displays random number which user enters on keypad.
2) Card uses keypad input to calculate and display number.
3) User enters number in computer which system verifies by same computation.
Time-Based Token
1) Card uses internal real-time clock value to calculate and display number.
2) User enters number in computer which system verifies with its clock.
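Both token procedures above, and the challenge-response idea from the password slide, as one added example (not the original lecture's code). A keyed hash (HMAC-SHA256) stands in for the card's own calculation, the shared key is a constructed sample, and the single-use challenge set and the one-step clock tolerance are assumptions that show how a replayed response and a slightly drifted clock are handled.

```python
import hmac, hashlib, secrets

TOKEN_KEY = b"demo-token-secret-key"   # constructed sample; provisioned into the card
TIME_STEP = 30                         # seconds per time-based code (assumption)
CODE_DIGITS = 6

def token_compute(key: bytes, value: int, label: bytes) -> str:
    """What the hand-held device does: turn a number (challenge or clock step) into a
    short code. The label separates the two uses so one code cannot serve as the other."""
    digest = hmac.new(key, label + value.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 10**CODE_DIGITS).zfill(CODE_DIGITS)

class ChallengeResponseServer:
    """Steps 1-3 of the challenge-response token. Each challenge is handed out once,
    so a captured response cannot be played back later."""
    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()          # challenges issued but not yet answered

    def challenge(self) -> int:
        c = secrets.randbelow(10**8)      # step 1: random number shown to the user
        self.outstanding.add(c)
        return c

    def verify(self, challenge: int, response: str) -> bool:
        if challenge not in self.outstanding:
            return False                  # unknown or already-used challenge
        self.outstanding.discard(challenge)   # burn it even if the answer is wrong
        expected = token_compute(self.key, challenge, b"chal")   # step 3: same computation
        return hmac.compare_digest(expected, response)

def time_based_verify(key: bytes, response: str, now: float, skew_steps: int = 1) -> bool:
    """Time-based token: the server recomputes the code from its own clock and also
    accepts the neighbouring steps to tolerate small drift between card and server."""
    step = int(now) // TIME_STEP
    return any(hmac.compare_digest(token_compute(key, step + d, b"time"), response)
               for d in range(-skew_steps, skew_steps + 1))

if __name__ == "__main__":
    srv = ChallengeResponseServer(TOKEN_KEY)
    c = srv.challenge()
    answer = token_compute(TOKEN_KEY, c, b"chal")   # step 2: the card's display
    print("first use:", srv.verify(c, answer))      # True
    print("replay:   ", srv.verify(c, answer))      # False, challenge already consumed
    now = 1_700_000_000.0                            # constructed server clock
    code = token_compute(TOKEN_KEY, int(now) // TIME_STEP, b"time")
    print("time code:", time_based_verify(TOKEN_KEY, code, now + 25))   # True (1 step drift)
```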

biometric -- requires special devices to read human features

digital certificate -- a certificate authority performs a security check on a user and grants an electronic certificate (essentially encryption keys)
smartcard -- physically requires reader, contains full microprocessor with cryptographic calculations performed onboard. Smartcards can store... Tampering with a smartcard typically renders it useless.

Authentication factors:
- ...what you _______ (password)
- ...what you _______ (key, token, smartcard)
- ...what you _____ (biometrics - fingerprints, retinal scan)
- ..._______ you are (in secure location, at some terminal)

Non-repudiation: Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data.† † Definition from National Information Systems Security [Diagram: Access, Attacker, User]