EECS4482 2015 – Chapter 8 – Common Access Control

Access Control Objectives
- Confidentiality (includes privacy)
- Integrity
- Availability
How do they relate to CAATO?

Access Control Processes
- Identification
- Authentication
- Authorization
- Logging
- Monitoring
Common Access Controls
- Password
- Two-factor authentication
- Biometrics
- Access control lists for granting authorization to information
- Locks

Common Access Controls
- Encryption
- Anti-virus
- Patching
- Firewall
- Intrusion detection system
- Intrusion prevention system
Collectively called defence in depth
General Access Control
- Applies to a multitude of systems.
- Can be a policy, a set of standards or a system control.
- Crucial to the external audit as it affects organization controls and program change controls.

General Access Control
- Security education
- Physical security
- Encryption

General Access Control
- Information security policy
- Code of Business Conduct
- Web filtering to deny employee access to inappropriate web sites
- Passwords
- Privacy policy
- Network and operating system security
Requirements for Effective Operating Systems Performance
- Protect against tampering by users
- Prevent users from tampering with the programs of other users
- Safeguard users' applications from accidental corruption
- Safeguard its own programs from accidental corruption
- Protect itself from power failures and other disasters

Application Access Control
- Applies to specific systems
- Can be procedural or automated
- Supports management or independent controls
- An example is a password

Application Access Controls
- Passwords
- Access control lists (ACL) to restrict functions in an application, e.g., only payroll people can process pay raises. ACL can be by individual users.
- Encryption
- Procedures
- Monitoring
- It supports segregation of duties.
Passwords
- Should not be shared
- Should be changed by user
- Should be changed frequently and upon compromise (suspected unauthorized disclosure)

Passwords
- Long, at least 8 characters
- Alphanumeric
- Hashed (one-way scrambling)
- System should allow only a few attempts before locking out account

Password Cracking Methods
- Dictionary attacks – try scrambling the common names and all dictionary words
- Brute force – try scrambling all possible combinations of characters, most time consuming
- Systematic deduction – try name followed by month, etc.
- The hacker community has tables of precomputed hashes, called rainbow tables, to help in cracking.

Passwords
- An 8-letter password is 676 times stronger than a 6-letter password.
- A user-chosen 6-character alphanumeric Word password can be cracked in 7 seconds.
- A 6-character alphanumeric password is 6 times stronger than a 6-letter password.
- A completely random 8-character alphanumeric password is virtually uncrackable with a modern PC; it takes about a year.
- Strength should depend on user's privilege and locality of system.
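The password slides above (requirements, cracking methods and strength) describe three controls together: hash the stored password one way, lock the account after a few attempts, and judge strength by the size of the keyspace. The following is an added example written for this page, not course material; the lockout count, PBKDF2 work factor and the usernames and passwords are constructed values, and the keyspace ratio it computes is the 26^8 / 26^6 comparison from the "676 times stronger" bullet.

```python
import hashlib
import hmac
import os

# Policy values are constructed for this example. The slides say "at least 8",
# "alphanumeric" and "a few attempts"; the exact lockout count and the PBKDF2
# work factor are assumptions, not figures from the course.
MIN_LENGTH = 8
MAX_ATTEMPTS = 3
PBKDF2_ITERATIONS = 100_000


def keyspace(alphabet_size, length):
    """Number of distinct passwords of `length` characters over an alphabet."""
    return alphabet_size ** length


def strength_ratio(alphabet_size, longer, shorter):
    """How many times larger the keyspace grows when the length goes from shorter to longer."""
    return keyspace(alphabet_size, longer) // keyspace(alphabet_size, shorter)


def meets_policy(password):
    """Length and alphanumeric checks from the slides."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return len(password) >= MIN_LENGTH and has_letter and has_digit


def hash_password(password, salt=None):
    """One-way hash of the password with a random per-user salt.

    The salt means two users with the same password get different hashes, and a
    rainbow table precomputed for unsalted hashes does not apply to them.
    """
    if not meets_policy(password):
        raise ValueError("password must be at least 8 characters and alphanumeric")
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Account:
    """Stores only salt + hash, never the password, and locks after MAX_ATTEMPTS failures."""

    def __init__(self, username, password):
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.failed_attempts = 0
        self.locked = False

    def authenticate(self, password):
        if self.locked:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self.salt, PBKDF2_ITERATIONS)
        # Constant-time comparison so response timing does not leak how many bytes matched.
        if hmac.compare_digest(candidate, self.digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.locked = True
        return False


if __name__ == "__main__":
    print("8 vs 6 letters:", strength_ratio(26, 8, 6), "times the keyspace")
    acct = Account("alice", "Tr0ub4dor8x")
    print("correct password:", acct.authenticate("Tr0ub4dor8x"))
    for guess in ("guess1a", "guess2b", "guess3c"):
        print("wrong guess accepted:", acct.authenticate(guess), "locked:", acct.locked)
```

Once `locked` is set, even the correct password is refused; in a real system an administrator or a time delay would clear the lock, which the example leaves out.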
Two-factor Authentication (general or application)
- Used to compensate for the inherent weaknesses of passwords, i.e., guessing and hacking.
- Uses what the user has and what the user knows.
- Examples are a token with a dynamic password, and an ATM card.

Biometrics (general or application)
- Can include fingerprint, hand geometry, voice, etc.
- Held back by privacy concerns.
- Not recognised legally in place of a signature

Operating System Security (general control)
- Use a standard checklist for configuration
- Lock down workstation access by employees to prevent unauthorized installation of software
- Use scanning software to detect vulnerabilities before implementation and periodically
- Use automated patching tools to install security fixes.
Firewall (general control)
- Can be hardware based only, e.g., a router.
- Can be a server with sophisticated software; more granular and reliable than a router, and provides better logs.
- Can use artificial intelligence to check for patterns.

Firewall
- Every organization that hosts a web site should have a firewall to protect its internal network from hackers.
- The firewall would block traffic that is definitely unacceptable.

Firewall
- A typical firewall uses rules to determine whether traffic is acceptable, e.g., port scanning is not allowed by some organizations.
- A data packet typically consists of a source Internet Protocol (IP) address, a port and a destination Internet Protocol address.

Firewall
- A port is a logical connection point in a network device, including a computer.
- It is used to standardize Internet traffic, e.g., web browsing uses port 80, e-commerce uses port 443.
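The firewall slides say a rule set decides whether a packet, identified by its source address, port and destination address, is acceptable. The following added example (written for this page, not a product or course artefact) implements that decision as an ordered, first-match rule list with a default of deny. The addresses are RFC 5737 documentation ranges and the rule set is constructed: 203.0.113.10 plays the public web server and 10.0.0.0/8 the internal network.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The fields the slides name: source address and port, destination address and port."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src_net: str             # CIDR block; "0.0.0.0/0" matches any source
    dst_net: str
    dst_port: Optional[int]  # None matches any destination port

    def matches(self, pkt):
        return (ip_address(pkt.src_ip) in ip_network(self.src_net)
                and ip_address(pkt.dst_ip) in ip_network(self.dst_net)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


def evaluate(rules, pkt, default="deny"):
    """First matching rule wins; traffic no rule mentions gets the default (deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed rule set for a perimeter firewall (not from the slides).
RULES = [
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", 80),   # web browsing to the public server
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", 443),  # e-commerce to the public server
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8", None),       # nothing from outside reaches internal hosts
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", None),      # internal hosts may initiate outbound traffic
]

if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", 51000, "203.0.113.10", 80),   # allowed: web
        Packet("198.51.100.7", 51001, "203.0.113.10", 22),   # denied: no rule, default applies
        Packet("198.51.100.7", 51002, "10.0.0.5", 445),      # denied: internal network
        Packet("10.0.0.5", 40000, "198.51.100.7", 443),      # allowed: outbound
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(RULES, pkt))
```

Order matters: the deny for the internal network sits before the outbound allow, so the allow cannot be read as permitting inbound traffic to 10.0.0.0/8. Anything not listed, such as SSH to the web server, falls through to the default deny, which is the "block traffic that is definitely unacceptable" posture expressed as a rule set.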
Technologies and Tools for Security and Control
Firewalls, Intrusion Detection Systems, and Antivirus Software (continued)
- Network address translation (NAT)
  - Provides an additional layer of protection
  - Conceals the IP address of the host computer from sniffer programs.

Firewall Management
- Firewall should not be remotely administrable, in order to reduce the risk of hacking.
- Firewall logs should be reviewed frequently to avoid the log getting full and the firewall collapsing.

Virus Protection
- Companies around the world spend about US $20 billion a year to clean up viruses
- All critical servers are protected
- All internet email is scanned
- Automated identification of workstations that do not have up-to-date signature files
- Organizations should block common virus file types to be proactive
System Vulnerability and Abuse: Malicious Software: Viruses, Worms, Trojan Horses, and Spyware
Computer viruses:
- Rogue software programs that attach to other programs in order to be executed, usually without user knowledge or permission
- Deliver a "payload"
- Can spread by email attachments

System Vulnerability and Abuse: Malicious Software (continued)
Worms:
- Programs that copy themselves from one computer to another over networks
- Can destroy data and programs, and halt operation of computer networks
- Most common payload is to tie up a network to deny service.

Worm
- Unlike a virus, an Internet worm requires no user interaction to infect a computer. A computer only has to be on a network.
- If the computer has the security hole targeted by the worm, it will be infected.
- Main control is patching.
Virtual Private Network (general or application)
- To secure remote access to company systems by staff or contractors.
- Should require two-factor authentication.
- Encrypts the data like eBusiness.

Intrusion Detection System (general control)
- Screens traffic that passes a firewall to build patterns.
- Alerts the security administrator of questionable or unacceptable patterns.
- The administrator can then decide, with management guidance if significant, to place a firewall rule to block further traffic of this pattern.

Intrusion Prevention System (general control)
- Screens traffic that passes a firewall to build patterns.
- Rejects highly questionable or unacceptable traffic.
- More effective than firewalls but may have false positives. Deployed to protect highly sensitive servers.
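The IDS and IPS slides above describe the same pipeline with different end points: build a pattern from traffic that passed the firewall, alert on it (IDS) or reject it outright (IPS), and let the administrator turn a confirmed pattern into a firewall rule. The added example below, written for this page rather than taken from it, runs that pipeline over constructed firewall log lines for the port-scan pattern the firewall slide mentions. The log format, the two thresholds and the rule syntax are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed firewall log lines (not from the slides). One source probes many
# ports on the web server; a second source just browses.
SAMPLE_LOG = """\
10:00:01 src=198.51.100.7 dst=203.0.113.10 dport=21 action=deny
10:00:01 src=198.51.100.7 dst=203.0.113.10 dport=22 action=deny
10:00:02 src=198.51.100.7 dst=203.0.113.10 dport=23 action=deny
10:00:02 src=198.51.100.7 dst=203.0.113.10 dport=25 action=deny
10:00:03 src=198.51.100.7 dst=203.0.113.10 dport=80 action=allow
10:00:03 src=198.51.100.7 dst=203.0.113.10 dport=443 action=allow
10:00:04 src=192.0.2.44 dst=203.0.113.10 dport=80 action=allow
10:00:05 src=192.0.2.44 dst=203.0.113.10 dport=443 action=allow
"""

ALERT_AT = 5   # distinct ports from one source to one host before the IDS alerts (constructed)
BLOCK_AT = 10  # higher bar before an IPS drops traffic on its own (constructed)


def parse_line(line):
    """Turn the key=value fields after the timestamp into (src, dst, dport, action)."""
    fields = dict(token.split("=", 1) for token in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["dport"]), fields["action"]


def ports_per_pair(log_text):
    """Build the pattern: which distinct destination ports each source touched on each host."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            src, dst, dport, _ = parse_line(line)
            seen[(src, dst)].add(dport)
    return seen


def detect_port_scans(log_text, threshold=ALERT_AT):
    """IDS role: report (src, dst) pairs whose distinct-port count reaches the threshold."""
    return {pair: sorted(ports) for pair, ports in ports_per_pair(log_text).items()
            if len(ports) >= threshold}


def ips_action(distinct_ports, alert_at=ALERT_AT, block_at=BLOCK_AT):
    """IPS role: pass, alert only, or reject on its own.

    The gap between the two thresholds is where the administrator's judgement
    sits; setting block_at too low is how the false positives the slides mention
    turn into blocked legitimate users."""
    if distinct_ports >= block_at:
        return "block"
    if distinct_ports >= alert_at:
        return "alert"
    return "pass"


def block_rule_for(pair):
    """The follow-up the IDS slide describes: a firewall rule against this pattern (constructed syntax)."""
    src, dst = pair
    return f"deny src={src} dst={dst}"


if __name__ == "__main__":
    for pair, ports in detect_port_scans(SAMPLE_LOG).items():
        print(pair, ports, ips_action(len(ports)), "->", block_rule_for(pair))
```

On the sample log the scanning source touched six ports, so it is reported by the IDS and sits in the "alert" band for the IPS; the browsing source touched two and is ignored by both. Note that the pattern counts denied and allowed connections alike: the two allowed web requests from the scanner are part of the same sweep, which is why the detection looks at the firewall's full log rather than only at what it blocked.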
Encryption (general or application)
- Uses mathematics to scramble data.
- Uses a key and an algorithm. Commercial algorithms are public knowledge.
- Symmetric key.
- Asymmetric keys (private/public key pair).
- Can prevent sniffing, i.e., unauthorized interception of data transmission.

Symmetric Key Encryption
- The same key is used to encrypt and decrypt
- Simple to encrypt and decrypt
- Large number of keys required for one-on-one secret communication
- Number of keys for N people is N(N-1)/2
- Need to secure the key

Application of Encryption
- eBusiness
- Virtual private network
- eMail
- Stored data
- Digital signature
- Wireless network

Asymmetric Encryption
- A pair of keys is generated by a user: a private key and a corresponding public key.
- The public key can be disclosed. The private key is secured.
- People can use the public key to encrypt material.
- Use of the private key should require a passphrase.

Asymmetric Encryption
- The corresponding private key is needed to decrypt.
- The 2 keys cannot be reverse-engineered, i.e., you cannot use the public key to derive the private key.
- Longer keys than symmetric and therefore a longer process to encrypt and decrypt.

Asymmetric Encryption
- Needed for email encryption.
- Used for e-commerce, digital certificates and digital signatures.
- Number of keys for N users is 2N.
Technologies and Tools for Security and Control: Encryption and Public Key Infrastructure
Digital signature: A digital code attached to an electronically transmitted message that is used to verify the origin and contents of the message.
Digital certificates: Data files used to establish the identity of users and electronic assets for protection of online transactions.

Technologies and Tools for Security and Control: Public Key Infrastructure
A set of policies, procedures and servers used to operate a public key environment. There is a public key server that holds everybody's public key for retrieval by programs that use encryption. There are servers used to authenticate users that activate private keys.

Limitation of Encryption
- If the key is lost, data cannot be decrypted.
- Rogue parties can delete an encrypted file without knowing the key; therefore the access control list is important.
- Encrypted email attachments are generally deleted by the anti-virus program.

Digital Signature
- A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and to ensure that the original content of the message or document that has been sent is unchanged.

Digital Signature
- The sender uses an algorithm to compute a hash (message digest) of the document.
- The sender uses its private key to encrypt the hash.
- The recipient uses the same algorithm to hash the plain text document when received.
- The recipient uses the public key to decrypt the digital signature and compares it to the hash the recipient created, to confirm integrity.

Digital Certificate
An electronic business card that establishes your credentials when doing business or other transactions on the Web. It is issued and digitally signed by a certification authority. It contains your name, a serial number, expiration dates, the certificate authority's name and public key, and your public key. People can use the certificate authority's public key to verify the signature.
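The two Digital Signature slides and the Digital Certificate slide above describe one mechanism used twice: hash the document, "encrypt" the hash with a private key, and let anyone with the matching public key decrypt and compare; a certificate is simply that signature applied by a certificate authority to a record of your name, serial number, expiry and public key. The added example below is written for this page (not course code) and uses textbook RSA built from the standard library so each step is visible; it has no padding scheme and is for illustration only. The CA name, subject name, serial number and expiry date are constructed values.

```python
import hashlib
import math
import random


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test with a few trial divisions first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return (public_key, private_key) as ((n, e), (n, d)); the slides' 'pair of keys'."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def message_hash(data):
    """Step 1: hash the document (SHA-256), read as an integer smaller than the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data):
    """Step 2: the sender encrypts the hash with its private key."""
    n, d = private_key
    return pow(message_hash(data), d, n)


def verify(public_key, data, signature):
    """Steps 3-4: re-hash the received document, decrypt the signature with the
    public key, and compare the two hashes."""
    n, e = public_key
    return pow(signature, e, n) == message_hash(data)


CA_NAME = "Example CA"  # constructed name for the certificate authority


def _certificate_body(cert):
    """The fields the slide lists, serialised in a fixed order so the signature covers all of them."""
    fields = ("name", "serial", "not_after", "ca_name", "ca_public_key", "public_key")
    return "|".join(f"{k}={cert[k]}" for k in fields).encode("utf-8")


def issue_certificate(ca_private_key, ca_public_key, subject_name, subject_public_key, serial, not_after):
    cert = {"name": subject_name, "serial": serial, "not_after": not_after,
            "ca_name": CA_NAME, "ca_public_key": ca_public_key, "public_key": subject_public_key}
    cert["signature"] = sign(ca_private_key, _certificate_body(cert))
    return cert


def verify_certificate(ca_public_key, cert):
    """Anyone holding the CA's public key can check the CA's signature over the fields."""
    return verify(ca_public_key, _certificate_body(cert), cert["signature"])


if __name__ == "__main__":
    ca_pub, ca_priv = generate_keypair()
    alice_pub, alice_priv = generate_keypair()
    cert = issue_certificate(ca_priv, ca_pub, "alice", alice_pub, serial=1001, not_after="2026-12-31")
    document = b"Transfer 100 to account 42"
    signature = sign(alice_priv, document)
    print("certificate valid:", verify_certificate(ca_pub, cert))
    print("signature valid:", verify(cert["public_key"], document, signature))
    print("after tampering:", verify(cert["public_key"], b"Transfer 1000 to account 42", signature))
```

Two things the code makes concrete that the slides only state: changing a single character of the document changes the hash, so the decrypted signature no longer matches (integrity), and the relying party takes the signer's public key from a certificate whose own signature it checks with the CA's public key, so a certificate with an altered name fails verification just as a tampered document does.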
Certificate Authority
- An organization that issues digital certificates to companies and individuals
- An organization can issue digital certificates to its own customers or employees to authenticate local transactions
- The certificate authority will do due diligence to confirm the existence and authenticity of the party before issuing a certificate.

eBusiness Encryption
- Uses both symmetric keys and asymmetric keys
- Enforced by the merchant
- Merchant sends its certificate and public key to the browser

eBusiness Encryption
- Browser generates a symmetric key based on the Secure Socket Layer (SSL) standard, usually 128 bits.
- Browser encrypts the symmetric key with the merchant's public key
- Browser authenticates the digital certificate
- Encrypted symmetric key is sent to merchant

eBusiness Encryption
- Merchant decrypts the symmetric key with its private key
- The symmetric key is used for all subsequent transfer of information between the 2 parties until the user logs off.
Secure Electronic Transaction (SET)
- Not widely used in North America because it is less flexible than traditional eBusiness SSL encryption.
- Used more in Hong Kong, Japan and South Korea for wealthy clients.

SET Process
A customer receives a "personal" digital certificate from the credit card issuing financial institution, along with a private key. The customer stores it on the hard disk or a memory disk. The financial institution requires the customer to protect it with a passphrase.

SET Process
When the customer buys something on a web site, s/he sends his or her digital certificate to the merchant, which sends a copy of it to the financial institution. The customer is required to use a passphrase to send the personal certificate. S/he also downloads the merchant's and the financial institution's digital certificates.

SET Process
- The customer's browser hashes the purchase order and the credit card information separately to form two message digests.
- The customer signs the message digests to form a composite digital signature.
- The digital signature is sent to the merchant, which in turn forwards a copy of it to the financial institution.

SET Process
The customer uses the merchant's public key to encrypt the purchase order, and s/he uses the financial institution's public key to encrypt the credit card information. The merchant forwards the credit card information along with the amount to be charged to the financial institution.

SET Process
- The merchant and the financial institution use the customer's public key to decrypt the digital signature.
- The merchant and the financial institution use their private keys to decrypt the purchase order and credit card info.

SET Process
- The merchant and the financial institution independently compute the message digests of the purchase order and credit card info respectively.
- The independently computed message digests are then compared to the message digests in the decrypted digital signature.

SET Process
- Now the merchant and the financial institution/ePayment vendor have authenticated the purchase and credit/ePayment card information separately and independently.
- The credit information is not known to the merchant, and the purchase order (except the final amount) is not known to the card-issuing financial institution or payment vendor.

SET Process
The financial institution or payment vendor sends a code to the merchant indicating payment is approved or declined.
Email Encryption
- Sender uses the recipient's public key to encrypt the message
- Sender signs the message with own private key
- Recipient uses own private key to decrypt the message
- Recipient uses sender's public key to authenticate the digital signature
- The above process applies to non-Web based email. Web mail encryption is the same as eBusiness.

Wireless Encryption
- Based on the IEEE (Institute of Electrical and Electronics Engineers) standard; the latest is 802.11i, Wi-Fi Protected Access (WPA).
- Uses 128 bit or 256 bit symmetric keys that change with every packet of data.
- Uses a static 128 bit key for encrypting the challenge response text to authenticate the user computer.

WPA
- A device authorized to access an access point (wireless router) is installed with the access point's ID, called a service set ID (SSID), a static 128 bit symmetric key and the encryption software.
- The access point sends challenge response text to the client device (desktop, laptop or phone).

WPA
- The device encrypts the challenge response text and the SSID and sends it to the access point.
- The access point decrypts the text and SSID and compares them to the plain text that it sent out earlier. If there is a match, the device is allowed connection.

WPA
- The access point and the device generate a new 128 bit symmetric key for each packet exchanged. The packet keys are encrypted using the static key for each device.

Stored Data Encryption
- Uses a symmetric key.
- Key should be activated with a passphrase.
- Applies to laptops, smart phones, memory disks, desktops and servers.

Encryption Strength
- The secrecy of the key
- The length of the key
- The rigour of the algorithm
Cookie
- Useful to web sites and users to remember info so users can be provided with more relevant info, and it reduces keying, e.g., remembers the account number.
- Must not be used to remember a password.
- Privacy concern, as web sites can track user behaviour more.

Web Application Security
Input validation: Web applications implement controls to ensure the input entered is valid.
- Web applications expect valid input – that is, it is of correct length, right type (text vs integer), etc.
- Developers often insert edit checks via JavaScript that is executed on the client side.
- However, end users can always modify these checks (since they reside on the client side) to bypass them and submit wrong inputs to the application.
- Developers should implement edit checks on the server side.

Buffer Overflow
Buffer overflows: Attack wherein malicious input spills into sensitive portions of memory, compromising applications.
- Buffers are memory locations allocated by programmers to store users' inputs.
- Attackers may provide malicious input that runs past the size of the buffer.
- Extra input could spill into sensitive portions of memory, with results ranging from nothing happening, to the application crashing, to a complete compromise.

Buffer Overflow
Buffer overflow risks:
- Impact of buffer overflow ranges from the application failing its execution, to its crash, to running of malicious code of the attacker's choice resulting in complete compromise.
Controls:
- Enforce boundary checks before accepting inputs. Use compilers that warn of potential overflow conditions.
- Educate programmers in safe programming practices.
SQL Injection Attack
SQL injection: Attack wherein malicious SQL commands are passed into web applications via user inputs.
- Web applications with back-end databases are often susceptible to these attacks.
- These applications convert user supplied input into SQL commands that are processed by the database.
- Attackers can craft special input that makes the SQL commands malicious in nature.

SQL Injection Attack
SQL injection attack example.
- Consider a web application that allows users to type in a keyword to search a particular product type by asking:
  Product keyword: antique
- Say the resulting SQL executed by the database is:
  SELECT product FROM product_table WHERE product_description like '%antique%';
- This query results in showing all products from the product_table that have the keyword 'antique' in their description.

SQL Injection Attack
SQL injection attack example (contd.)
- Now consider if the user provides the following special input:
  Product keyword: antique%'; DROP TABLE table_w_sensitive_data; --
- The resulting SQL executed by the database then is:
  SELECT product FROM product_table WHERE product_description like '%antique%'; DROP TABLE table_w_sensitive_data; --%';
- This results in deletion of a table!
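The SQL injection slides show the product search with the keyword pasted into the SQL text, and the Web Application Security slide says edit checks must run on the server because client-side JavaScript can be bypassed. The added example below (written for this page, not course code) puts both controls beside the vulnerable pattern using Python's built-in sqlite3 module: the same product_table query, the slide's injected keyword, a parameterised query that treats the keyword as data, and a server-side validation rule in front of it. The table contents, the 1–40 character validation rule and the use of executescript to stand in for a driver that accepts stacked statements are all assumptions made for the example.

```python
import re
import sqlite3

# Server-side edit check (constructed rule): a product keyword is 1-40 letters,
# digits or spaces. Quotes, semicolons and comment markers are rejected.
KEYWORD_RE = re.compile(r"[A-Za-z0-9 ]{1,40}")


def validate_keyword(keyword):
    """Runs on the server, so a user who disables the client-side JavaScript checks still meets it."""
    return isinstance(keyword, str) and KEYWORD_RE.fullmatch(keyword) is not None


def make_db():
    """Constructed in-memory database: the slides' product_table plus a sensitive table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE product_table (product TEXT, product_description TEXT);
        INSERT INTO product_table VALUES ('clock', 'antique brass clock'), ('lamp', 'modern desk lamp');
        CREATE TABLE table_w_sensitive_data (secret TEXT);
        INSERT INTO table_w_sensitive_data VALUES ('do not leak');
    """)
    return db


def table_exists(db, name):
    row = db.execute("SELECT name FROM sqlite_master WHERE type='table' AND name=?", (name,)).fetchone()
    return row is not None


def search_vulnerable(db, keyword):
    """The slides' pattern: user input becomes part of the SQL text.

    executescript stands in for a database driver that accepts several statements
    in one call (an assumption about the deployment, not something the slides
    state); it runs whatever statements the input adds. Returns the SQL it ran."""
    sql = f"SELECT product FROM product_table WHERE product_description like '%{keyword}%';"
    db.executescript(sql)
    return sql


def search_parameterized(db, keyword):
    """The keyword travels as a bound parameter: the database sees one SELECT and
    treats the whole keyword, quotes and all, as the LIKE pattern."""
    cur = db.execute("SELECT product FROM product_table WHERE product_description like ?",
                     (f"%{keyword}%",))
    return [row[0] for row in cur.fetchall()]


def search_safe(db, keyword):
    """Defence in depth: server-side validation first, parameterised query second."""
    if not validate_keyword(keyword):
        raise ValueError("keyword rejected by server-side validation")
    return search_parameterized(db, keyword)


# The injected input from the slides.
INJECTED = "antique%'; DROP TABLE table_w_sensitive_data; --"

if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, INJECTED))
    print("sensitive table survives vulnerable search:", table_exists(db, "table_w_sensitive_data"))
    db = make_db()
    print("parameterised rows:", search_parameterized(db, INJECTED))
    print("sensitive table survives parameterised search:", table_exists(db, "table_w_sensitive_data"))
    print("server-side validation accepts injected input:", validate_keyword(INJECTED))
```

With the vulnerable function the SQL that reaches the database is exactly the string on the slide and the sensitive table is gone afterwards; with the parameterised query the same input simply matches no product and the table is untouched. The validation step is the independent second layer the slides ask for: it rejects the input before any query is built, so even code that later regresses to string concatenation never sees the quote and semicolon.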
Conclusion
- Access control is increasingly important because of e-commerce.
- Access control supports organization control and program change control.
- Access controls support management control, independent controls and segregation of duties.

Review Questions
1. What is the relationship between privacy and access control?
2. Who should the chief information security officer report to and why?
3. Why is email encryption not very commonly used?
4. What are the relationships between access controls and other internal controls?
5. Which technique is used both in a password control and a digital signature? How?
6. How is defence in depth achieved?
7. What is the difference between hashing and encryption?
8. Where should an intrusion detection system be placed in relation to a firewall and why?
9. How does encryption affect anti-virus software tools and what should an organization do to address the effect?
10. What security risk can materialize if a domain name server is compromised?
MC Question
Which of the following provides the strongest protection against hackers?
A. Operating system
B. Access control list
C. Firewall
D. Virtual private network

MC Question
Which of the following would be the most appropriate task for a systems administrator to perform?
A. Configure the operating system.
B. Develop access control lists.
C. Develop a checklist for operating system configuration.
D. Set a password policy.

MC Question
Which of the following is most likely to change with technology?
A. Security policy
B. Code of business conduct
C. Security configuration
D. Security training

MC Question
Which of the following technologies would conflict with encryption the most?
A. Virtual private network
B. Digital certificate
C. Anti-virus software
D. Password

MC Question
Which of the following is the most effective solution for preventing external users from modifying sensitive and classified information?
A. Security standards
B. Intrusion detection system
C. Access logs
D. Firewall