Slide 1: Chapter 8 – Common Access Control
EECS
Slide 2: Access Control Objectives
- Confidentiality (includes privacy)
- Integrity
- Availability
Slide 3: Access Control Processes
- Identification
- Authentication
- Authorization
- Logging
- Monitoring
Slide 4: Common Access Controls
- Password
- Two-factor authentication
- Biometrics
- Access control lists for granting authorization to information
- Locks
Slide 5: Common Access Controls
- Encryption
- Anti-virus
- Patching
- Firewall
- Intrusion detection system
- Intrusion prevention system
- Collectively called defence in depth
Slide 6: Passwords
- Should not be shared
- Should be changed by the user
- Should be changed frequently and upon compromise (suspected unauthorized disclosure)
Slide 7: Passwords
- Long, at least 8 characters
- Alphanumeric
- Hashed (one-way scrambling)
- System should allow only a few attempts before locking out the account
Slide 8: Password Cracking Methods
- Dictionary attacks – try scrambling the common names and all dictionary words
- Brute force – try scrambling all possible combinations of characters; the most time-consuming method
- Systematic deduction – try a name followed by a month, etc.
- The hacker community has tables of hashes, called rainbow tables, to help in cracking
Slide 9: Passwords
- An 8-letter password is 676 times stronger than a 6-letter password.
- A user-chosen 6-character alphanumeric word password can be cracked in 7 seconds.
- A 6-character alphanumeric password is 6 times stronger than a 6-letter password.
- A completely random 8-character alphanumeric password is virtually uncrackable with a modern PC; it takes about a year.
- Strength should depend on the user’s privilege and the locality of the system.
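The hashing and lock-out controls of slide 7 and the key-space arithmetic of slide 9, as an added Python example that is not part of the deck: a salted, slow password hash (PBKDF2) with a failed-attempt counter, and a function that computes how many times larger one password space is than another. The iteration count, the lock-out threshold and the sample passwords are constructed values, not taken from the slides.

```python
# Added example (not from the slides): salted, slow password hashing with a
# lock-out counter, as slide 7 asks for, plus the key-space arithmetic behind
# the "676 times stronger" figure on slide 9. Iteration count and lock-out
# threshold are constructed values.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

ITERATIONS = 200_000   # PBKDF2 work factor; raise it as hardware gets faster
MAX_ATTEMPTS = 3       # slide 7: "allow only a few attempts before locking out"
LETTERS = 26           # a-z
ALPHANUMERIC = 36      # a-z plus 0-9


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way scramble (slide 7). A per-user random salt means two users with
    the same password get different hashes, which is what defeats the
    precomputed rainbow tables of slide 8."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


def create_account(password: str) -> Account:
    salt, digest = hash_password(password)
    return Account(salt=salt, digest=digest)


def login(account: Account, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    After MAX_ATTEMPTS consecutive failures the account is locked and even the
    correct password is refused until an administrator unlocks it."""
    if account.locked:
        return False
    _, candidate = hash_password(password, account.salt)
    if hmac.compare_digest(candidate, account.digest):
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_ATTEMPTS:
        account.locked = True
    return False


def keyspace_ratio(length_a: int, alphabet_a: int, length_b: int, alphabet_b: int) -> float:
    """How many times more guesses an exhaustive (brute-force) search needs for
    a password of length_a over alphabet_a than for length_b over alphabet_b."""
    return (alphabet_a ** length_a) / (alphabet_b ** length_b)
```

The stored record is the salt plus the digest; the password itself is never kept, so a copied user table yields only values that have to be brute-forced one user at a time. `keyspace_ratio(8, LETTERS, 6, LETTERS)` reproduces the 676 (26 squared) on slide 9.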
Slide 10: Two-factor Authentication (general or application)
- Used to compensate for the inherent weaknesses of passwords, i.e., guessing and hacking.
- Uses what the user has and what the user knows.
- Examples are a token with a dynamic password, and an ATM.
Slide 11: Biometrics (general or application)
- Can include fingerprint, hand geometry, voice, etc.
- Held back by privacy concerns.
- Not recognised legally in place of a signature.
Slide 12: Operating System Security (general control)
- Use a standard checklist for configuration.
- Lock down workstation access by employees to prevent unauthorized installation of software.
- Use scanning software to detect vulnerabilities before implementation and periodically thereafter.
- Use automated patching tools to install security fixes.
Slide 13: Firewall
- Can be hardware based only, e.g., a router.
- Can be a server with sophisticated software: more granular and reliable than a router, and provides better logs.
- Can use artificial intelligence to check for patterns.
Slide 14: Firewall
- Every organization that hosts a web site should have a firewall to protect its internal network from hackers.
- The firewall would block traffic that is definitely unacceptable.
Slide 15: Firewall
- A typical firewall uses rules to determine whether traffic is acceptable, e.g., port scanning is not allowed by some organizations.
- A data packet typically consists of a source Internet Protocol (IP) address, a port and a destination Internet Protocol address.
Slide 16: Firewall
- A port is a logical connection point in a network device, including a computer.
- It is used to standardize Internet traffic, e.g., web browsing uses port 80, e-commerce uses port 443.
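Slides 14 to 16 describe a rule-based filter that looks at source address, destination address and port and blocks whatever is not acceptable. The following Python is an added example, not code from the deck: a first-match packet filter with a default-deny rule at the end, producing the kind of log line slide 18 later says must be reviewed. The networks, the web-server address (an RFC 5737 documentation range) and the sample packets are constructed for the example.

```python
# Added example (not from the slides): a first-match packet filter of the kind
# slides 14-16 describe, with a default-deny rule at the end. Networks,
# addresses (RFC 5737 documentation ranges) and sample packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Packet:
    """Slide 15: a source IP, a destination IP and a port."""
    src: str
    dst: str
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    src: str = "0.0.0.0/0"               # any source network
    dst: str = "0.0.0.0/0"               # any destination network
    ports: FrozenSet[int] = frozenset()  # empty set means any port
    protocol: str = "any"

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (not self.ports or pkt.dst_port in self.ports)
                and self.protocol in ("any", pkt.protocol))


INTERNAL_NET = "10.0.0.0/8"
WEB_SERVER = "203.0.113.10/32"   # the organisation's public web server (constructed)

RULESET = [
    # Slide 16: only web browsing (80) and e-commerce (443) may reach the web server
    Rule("allow", dst=WEB_SERVER, ports=frozenset({80, 443}), protocol="tcp"),
    # Internal hosts may initiate traffic outwards
    Rule("allow", src=INTERNAL_NET),
    # Slide 14: everything not explicitly acceptable is blocked
    Rule("deny"),
]


def filter_packet(pkt: Packet, ruleset: List[Rule] = RULESET) -> str:
    """Return the action of the first rule that matches; deny if none does."""
    for rule in ruleset:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def firewall_log(packets: List[Packet], ruleset: List[Rule] = RULESET) -> List[str]:
    """One log line per packet: the record slide 18 says must be reviewed."""
    return [f"{filter_packet(p, ruleset).upper()} {p.protocol} {p.src} -> {p.dst}:{p.dst_port}"
            for p in packets]
```

Rule order matters: the explicit allows come first and the catch-all deny last, so a connection to the web server on port 22, or to any internal host from outside, falls through to the deny rule and is logged as such.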
Slide 17: TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL – Firewalls, Intrusion Detection Systems, and Antivirus Software (continued)
- Network address translation (NAT) provides an additional layer of protection.
- Conceals the IP address of the host computer from sniffer programs.
Slide 18: Firewall Management
- The firewall should not be remotely administrable, in order to reduce the risk of hacking.
- Firewall logs should be reviewed frequently, to avoid the log filling up and the firewall failing.
Slide 19: Virus Protection
- Companies around the world spend about US $20 billion a year to clean up viruses.
- All critical servers are protected.
- All Internet traffic is scanned.
- Automated identification of workstations that do not have up-to-date signature files.
- Organizations should block common virus file types to be proactive.
Slide 20: SYSTEM VULNERABILITY AND ABUSE – Malicious Software: Viruses, Worms, Trojan Horses, and Spyware
- Computer viruses: rogue software programs that attach to other programs in order to be executed, usually without user knowledge or permission.
- Deliver a “payload”.
- Can spread by email attachments.
Slide 21: SYSTEM VULNERABILITY AND ABUSE – Malicious Software (continued)
- Worms: programs that copy themselves from one computer to another over networks.
- Can destroy data and programs, and halt operation of computer networks.
- The most common payload is to tie up a network to deny service.
Slide 22: Worm
- Unlike a virus, an Internet worm requires no user interaction to infect a computer. A computer only has to be on a network.
- If the computer has the security hole targeted by the worm, it will be infected.
- The main control is patching.
Slide 23: Virtual Private Network
- Secures remote access to company systems by staff or contractors.
- Should require two-factor authentication.
- Encrypts the data, as eBusiness does.
Slide 24: Intrusion Detection System
- Screens traffic that passes the firewall to build a pattern.
- Alerts the security administrator to a questionable or unacceptable pattern.
- The administrator can then decide, with management guidance if significant, to place a firewall rule to block further traffic of this pattern.
Slide 25: Intrusion Prevention System
- Screens traffic that passes the firewall to build a pattern.
- Rejects highly questionable or unacceptable traffic.
- More effective than a firewall but may have false positives.
- Deployed to protect highly sensitive servers.
Slide 26: Encryption
- Uses mathematics to scramble data.
- Uses a key and an algorithm.
- Commercial algorithms are public knowledge.
- Symmetric key.
- Asymmetric keys (private/public key pair).
- Can prevent sniffing, i.e., unauthorized interception of data transmission.

Encryption enables information to be kept on a computer or sent across communication networks without losing confidentiality or integrity. The goal of encryption is to make it impossible to take scrambled text and reproduce the original plain text without the corresponding key, and to raise the cost of guessing the key beyond what is practical. An encryption algorithm transforms plain text into a coded equivalent, known as the cipher text, for transmission or storage. The coded text is subsequently decoded at the receiving end and restored to plain text. The algorithm uses a key, which is a binary number that is typically from 56 to 128 bits in length for symmetric-key systems or 512 to 4,096 bits for asymmetric-key systems. Symmetric-key algorithms are used for the bulk encryption of data or data streams. These algorithms are designed to be very fast and usually have a large number of possible keys. The best symmetric-key algorithms offer near-perfect secrecy: once data is encrypted with a given key, there is no way to decrypt the data without possessing the same key. The other major type of algorithm in popular use is public key encryption, which is based on two keys: one to encrypt the message digest (which then is used to encrypt the message) and another to decrypt the message digest. The algorithm is not symmetric, so knowing the public encryption key is no help in being able to decrypt a message. Users wanting to receive confidential information can freely announce their public keys, which then are used by the senders to encrypt data to be sent to them. The data can be decrypted only by the holder of the corresponding private key.

This type of algorithm eliminates the complexity of handling the large number of secret key pairs needed for single-key algorithms, but it requires a process to ensure the public keys are authentic and really belong to their announced owner. Public keys are attached to a digital certificate, which ties the user's identity to the public key. The problem of managing a large number of public keys and making them available is the primary challenge that needs to be addressed. However, interest in and use of public key cryptography continues to grow rapidly because of its potential to facilitate electronic commerce using the Internet, in particular because it does not require an out-of-band process for secure exchange of private keys before sending encrypted messages.
Slide 27: Symmetric Key Encryption
- The same key is used to encrypt and decrypt.
- Simple to encrypt and decrypt.
- A large number of keys is required for one-on-one secret communication.
- Number of keys for N people is N(N-1)/2.
- Need to secure the key.
Slide 28: Application of Encryption
- eBusiness
- Virtual private network
- Stored data
- Digital signature
- Wireless network
Slide 29: Asymmetric Encryption
- A pair of keys is generated by a user: a private key and a corresponding public key.
- The public key can be disclosed. The private key is secured.
- People can use the public key to encrypt material.
- Use of the private key should require a passphrase.
Slide 30: Asymmetric Encryption
- The corresponding private key is needed to decrypt.
- The 2 keys cannot be reverse-engineered, i.e., you cannot use the public key to derive the private key.
- Longer keys than symmetric, and therefore a longer process to encrypt and decrypt.
Slide 31: Asymmetric Encryption
- Needed for encryption.
- Used for e-commerce, digital certificates and digital signatures.
- Number of keys for N users is 2N.
Slide 32: TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL – Encryption and Public Key Infrastructure
- Digital signature: a digital code attached to an electronically transmitted message that is used to verify the origin and contents of the message.
- Digital certificates: data files used to establish the identity of users and electronic assets for protection of online transactions.
Slide 33: TECHNOLOGIES AND TOOLS FOR SECURITY AND CONTROL – Public Key Infrastructure
- A set of policies, procedures and servers used to operate a public key environment.
- There is a public key server that holds everybody’s public key for retrieval by programs that use encryption.
- There are servers used to authenticate users that activate private keys.
Slide 34: Limitation of Encryption
- If the key is lost, the data cannot be decrypted.
- Rogue parties can delete an encrypted file without knowing the key; therefore the access control list is important.
- Encrypted attachments are generally deleted by the anti-virus program.
Slide 35: Digital Signature
A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and to ensure that the original content of the message or document that has been sent is unchanged.
Slide 36: Digital Signature
- The sender uses an algorithm to compute a hash (a digest) of the document.
- The sender uses its private key to encrypt the hash.
- The recipient uses the same algorithm to hash the plain text document when received.
- The recipient uses the public key to decrypt the digital signature and compares it to the hash the recipient created, to confirm integrity.
Slide 37: Digital Certificate
An electronic business card that establishes your credentials when doing business or other transactions on the Web. It is issued and digitally signed by a certification authority. It contains your name, a serial number, expiration dates, the certificate authority’s name and public key, and your public key. People can use the certificate authority’s public key to verify the signature.

A CA certificate contains the public key of a certificate authority and either the name of the CA or the name of a particular service being certified. It can be self-signed or in turn signed by another CA. It is used to certify other kinds of certificates. A server certificate contains the public key of an SSL server, the name of the organization that runs the server, and its Internet hostname. A personal certificate contains an individual’s name and the individual’s public key. It can have other information, such as the individual’s email address, postal address, or anything else. A software publisher certificate is used to sign distributed software.
Slide 38: Certificate Authority
- An organization that issues digital certificates to companies and individuals.
- An organization can issue digital certificates to its own customers or employees to authenticate local transactions.
- The certificate authority will do due diligence to confirm the existence and authenticity of the party before issuing a certificate.
Slide 39: eBusiness Encryption
- Uses both symmetric keys and asymmetric keys.
- Enforced by the merchant.
- The merchant sends its certificate and public key to the browser.
Slide 40: eBusiness Encryption
- The browser generates a symmetric key based on the Secure Socket Layer (SSL) standard, usually 128 bits.
- The browser encrypts the symmetric key with the merchant’s public key.
- The browser authenticates the digital certificate.
- The encrypted symmetric key is sent to the merchant.
Slide 41: eBusiness Encryption
- The merchant decrypts the symmetric key with its private key.
- The symmetric key is used for all subsequent transfer of information between the 2 parties until the user logs off.
Slide 42: Secure Electronic Transaction (SET)
- Not widely used in North America because it is less flexible than traditional eBusiness SSL encryption.
- Used more in Hong Kong, Japan and South Korea for wealthy clients.
Slide 43: SET Process
- A customer receives a “personal” digital certificate from the credit card issuing financial institution, along with a private key.
- The customer stores it on the hard disk or a memory disk.
- The financial institution requires the customer to protect it with a passphrase.
Slide 44: SET Process
- When the customer buys something on a web site, s/he sends his or her digital certificate to the merchant, which sends a copy of it to the financial institution.
- The customer is required to use a passphrase to send the personal certificate.
- S/he also downloads the merchant’s and the financial institution’s digital certificates.
Slide 45: SET Process
- The customer’s browser hashes the purchase order and the credit card information separately to form two message digests.
- The customer signs the message digests to form a composite digital signature.
- The digital signature is sent to the merchant, which in turn forwards a copy of it to the financial institution.
Slide 46: SET Process
- The customer uses the merchant’s public key to encrypt the purchase order, and s/he uses the financial institution’s public key to encrypt the credit card information.
- The merchant forwards the credit card information, along with the amount to be charged, to the financial institution.
Slide 47: SET Process
- The merchant and the financial institution use the customer’s public key to decrypt the digital signature.
- The merchant and the financial institution use their private keys to decrypt the purchase order and credit card info respectively.
Slide 48: SET Process
- The merchant and the financial institution independently compute the message digests of the purchase order and credit card info respectively.
- The independently computed message digests are then compared to the message digests in the decrypted digital signature.
Slide 49: SET Process
- Now the merchant and the financial institution/ePayment vendor have authenticated the purchase and the credit/ePayment card information separately and independently.
- The credit information is not known to the merchant, and the purchase order (except the final amount) is not known to the card-issuing financial institution or payment vendor.
Slide 50: SET Process
- The financial institution or payment vendor sends a code to the merchant indicating that payment is approved or declined.
Slide 51: Encryption
- The sender uses the recipient’s public key to encrypt the message.
- The sender signs the message with its own private key.
- The recipient uses its own private key to decrypt the message.
- The recipient uses the sender’s public key to authenticate the digital signature.
- The above process applies to non-Web-based email. Web mail encryption is the same as eBusiness.
Slide 52: Wireless Encryption
- Based on the IEEE (Institute of Electrical and Electronic Engineers) standard; the latest is i, Wi-Fi Protected Access (WPA).
- Uses 128-bit or 256-bit symmetric keys that change with every packet of data.
- Uses a static 128-bit key for encrypting the challenge-response text to authenticate the user’s computer.
Slide 53: WPA
- A device authorized to access an access point (wireless router) is installed with the access point’s ID, called a service set ID (SSID), a static 128-bit symmetric key and the encryption software.
- The access point sends challenge-response text to the client device (desktop, laptop or phone).
Slide 54: WPA
- The device encrypts the challenge-response text and the SSID and sends them to the access point.
- The access point decrypts the text and SSID and compares them to the plain text that it sent out earlier.
- If there is a match, the device is allowed to connect.
Slide 55: WPA
- The access point and the device generate a new 128-bit symmetric key for each packet exchanged.
- The packet keys are encrypted using the static key for each device.
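The exchange of slides 53 to 55, as an added Python example that is not from the deck and is not the real WPA/802.11 protocol: a keyed response to a fresh challenge, bound to the SSID, that the access point verifies, followed by a per-packet key both sides compute from the static key. HMAC-SHA256 stands in for the "encrypt the challenge and SSID" step and a hash-based derivation for the per-packet keys; the SSID, the static key and the packet counters are constructed values.

```python
# Added example (not from the slides): the challenge-response and per-packet
# key steps of slides 53-55 written generically. HMAC-SHA256 stands in for the
# "encrypt the challenge and SSID" step and a hash-based derivation for the
# per-packet keys; SSID, static key and counters are constructed. This is a
# teaching model of the deck's description, not the actual WPA/802.11 protocol.
import hashlib
import hmac
import secrets

SSID = "corp-wifi"                                               # constructed
STATIC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed 128-bit key (slide 53)


def ap_challenge() -> bytes:
    """Slide 53: the access point sends a fresh random challenge."""
    return secrets.token_bytes(16)


def device_response(challenge: bytes, device_key: bytes, ssid: str = SSID) -> bytes:
    """Slide 54: the device binds the challenge and the SSID under its installed key."""
    return hmac.new(device_key, challenge + ssid.encode(), hashlib.sha256).digest()


def ap_verify(challenge: bytes, response: bytes, ap_key: bytes = STATIC_KEY, ssid: str = SSID) -> bool:
    """Slide 54: the access point recomputes the expected value and compares in constant time."""
    expected = hmac.new(ap_key, challenge + ssid.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def associate(device_key: bytes) -> bool:
    """The full exchange: only a device holding the same static key is admitted."""
    challenge = ap_challenge()
    return ap_verify(challenge, device_response(challenge, device_key))


def packet_key(static_key: bytes, packet_counter: int) -> bytes:
    """Slide 55: a different 128-bit key for every packet, derived from the static
    key and a counter so both sides compute it without the key itself being sent."""
    return hashlib.sha256(static_key + packet_counter.to_bytes(8, "big")).digest()[:16]
```

Because the challenge is random and fresh each time, a captured response is useless for a later association attempt, and because the per-packet key changes with the counter, two packets with identical content do not produce identical ciphertext.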
Slide 56: Stored Data Encryption
- Uses a symmetric key.
- The key should be activated with a passphrase.
- Applies to laptops, smart phones, memory disks, desktops and servers.
Slide 57: Encryption Strength
- The secrecy of the key
- The length of the key
- The rigour of the algorithm

Cryptographic strength can almost never be proven; it can only be disproven. When new encryption algorithms are proposed, their creators believe that the algorithm is perfect, that is, that the algorithm is strong and that there is no way to decrypt an encrypted message without possession of the corresponding key. The algorithm’s creator can also show that the algorithm is resistant to specific attacks which are already known. As time passes, people usually find new attacks that work against the algorithm and publish them.
Slide 58: Cookie
- Useful to web sites and users to remember information, so users can be provided with more relevant information and keying is reduced, e.g., the cookie remembers the account number.
- Must not be used to remember passwords.
- Privacy concern, as web sites can track user behaviour more.
Slide 59: Web Application Security
Input validation: web applications implement controls to ensure the input entered is valid. Web applications expect valid input, that is, input of the correct length, the right type (text vs integer), etc. Developers often insert edit checks via JavaScript that is executed on the client side. However, end users can always modify these checks (since they reside on the client side) to bypass them and submit wrong inputs to the application. Developers should implement edit checks on the server side.
Slide 60: Buffer Overflow
- Buffer overflows: an attack wherein malicious input spills into sensitive portions of memory, compromising applications.
- Buffers are memory locations allocated by programmers to store users’ inputs. Attackers may provide malicious input that runs past the size of the buffer. The extra input could spill into sensitive portions of memory, with results ranging from nothing happening, to the application crashing, to a complete compromise.
Slide 61: Buffer Overflow
Buffer overflow risks: the impact of a buffer overflow ranges from the application failing its execution, to its crash, to the running of malicious code of the attacker’s choice, resulting in complete compromise.
Controls:
- Enforce boundary checks before accepting inputs.
- Use compilers that warn of potential overflow conditions.
- Educate programmers in safe programming practices.
Slide 62: SQL Injection Attack
SQL injection: an attack wherein malicious SQL commands are passed into web applications via user inputs. Web applications with back-end databases are often susceptible to these attacks. These applications convert user-supplied input into SQL commands that are processed by the database. Attackers can craft special input that makes the SQL commands malicious in nature.
Slide 63: SQL Injection Attack
SQL injection attack example.
Consider a web application that allows users to type in a keyword to search for a particular product type by asking:
Product keyword: antique
Say the resulting SQL executed by the database is:
SELECT product FROM product_table WHERE product_description LIKE '%antique%';
This query shows all products from product_table that have the keyword 'antique' in their description.
Slide 64: SQL Injection Attack
SQL injection attack example, continued.
Now consider the user providing the following special input:
Product keyword: antique%'; DROP TABLE password_table; --
The resulting SQL executed by the database is then:
SELECT product FROM product_table WHERE product_description LIKE '%antique%'; DROP TABLE password_table; --%';
This results in deletion of the password table!
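The product search of slides 63 and 64 and the server-side edit check of slide 59, run against an in-memory SQLite database as an added Python example that is not code from the deck: the query is first built by string concatenation, exactly as the slide shows, and then as a parameterized query behind a server-side validation step. The table contents are constructed. Python's `sqlite3.execute()` refuses to run more than one statement at a time, so `run_stacked()` emulates a database driver that executes every statement in the string, which is the behaviour the slide's example relies on.

```python
# Added example (not from the slides): the slide-63/64 product search against
# an in-memory SQLite database, first built by string concatenation and then
# as a parameterized query behind the server-side edit check slide 59 calls
# for. Table contents are constructed. Python's sqlite3.execute() refuses
# stacked statements, so run_stacked() emulates a driver that executes them all.
import re
import sqlite3
from typing import List

SLIDE_64_INPUT = "antique%'; DROP TABLE password_table; --"   # the input shown on slide 64
KEYWORD_RE = re.compile(r"[A-Za-z0-9 ]{1,40}")                  # what a product keyword should look like


def make_db() -> sqlite3.Connection:
    """Constructed tables matching the names used on slides 63-64."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product_table (product TEXT, product_description TEXT);
        INSERT INTO product_table VALUES ('Clock', 'antique wall clock'), ('Lamp', 'modern desk lamp');
        CREATE TABLE password_table (username TEXT, password_hash TEXT);
        INSERT INTO password_table VALUES ('alice', 'constructed-hash-value');
    """)
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)).fetchone()
    return row is not None


def run_stacked(conn: sqlite3.Connection, sql: str) -> List[list]:
    """Emulate a database driver that runs every ';'-terminated statement in the string.
    A trailing fragment that never completes (such as the --%'; comment) is dropped."""
    results, buf = [], ""
    for piece in sql.split(";"):
        buf += piece + ";"
        if buf.strip() == ";":          # empty statement between two semicolons
            buf = ""
            continue
        if sqlite3.complete_statement(buf):
            results.append(conn.execute(buf).fetchall())
            buf = ""
    return results


def search_unsafe(conn: sqlite3.Connection, keyword: str) -> List[str]:
    """Slide 63 as written: the keyword is pasted into the SQL text."""
    query = f"SELECT product FROM product_table WHERE product_description LIKE '%{keyword}%';"
    first_statement_rows = run_stacked(conn, query)[0]
    return [row[0] for row in first_statement_rows]


def search_parameterized(conn: sqlite3.Connection, keyword: str) -> List[str]:
    """The keyword is bound as data: quotes and semicolons inside it are just characters."""
    rows = conn.execute("SELECT product FROM product_table WHERE product_description LIKE ?",
                        (f"%{keyword}%",)).fetchall()
    return [row[0] for row in rows]


def search_safe(conn: sqlite3.Connection, keyword: str) -> List[str]:
    """Slide 59: validate on the server (length and allowed characters), then query with parameters."""
    if not KEYWORD_RE.fullmatch(keyword):
        raise ValueError("keyword must be 1-40 letters, digits or spaces")
    return search_parameterized(conn, keyword)
```

With the slide's input, `search_unsafe` still returns the antique clock from the first statement, which is why the defect can go unnoticed, while `password_table` is gone afterwards. `search_parameterized` alone already neutralizes the input (the whole string is matched as a literal pattern and finds nothing), and `search_safe` rejects it before any SQL runs, which is the defence-in-depth arrangement slide 59 argues for: the server-side check catches malformed input, the parameterization catches whatever the check does not anticipate.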
Slide 65: Conclusion
- Access control is increasingly important because of e-commerce.
- Access control supports organization control and program change control.
- Access controls support management control, independent controls and segregation of duties.
Slide 66: Review Questions
1. What is the relationship between privacy and access control?
2. Who should the chief information security officer report to, and why?
3. Why is encryption not very commonly used?
Slide 67: Review Questions
4. What are the relationships between access controls and other internal controls?
5. Which technique is used both in a password control and a digital signature? How?
6. How is defence in depth achieved?
Slide 68: Review Questions
7. What is the difference between hashing and encryption?
8. Where should an intrusion detection system be placed in relation to a firewall, and why?
Slide 69: Review Questions
9. How does encryption affect anti-virus software tools, and what should an organization do to address the effect?
10. What security risk can materialize if a domain name server is compromised?
Slide 70: MC Question
Which of the following provides the strongest protection against hackers?
A. Operating system
B. Access control list
C. Firewall
D. Virtual private network
Slide 71: MC Question
Which of the following would be the most appropriate task for a systems administrator to perform?
A. Configure the operating system.
B. Develop access control lists.
C. Develop a checklist for operating system configuration.
D. Set a password policy.
Slide 72: MC Question
Which of the following is most likely to change with technology?
A. Security policy
B. Code of business conduct
C. Security configuration
D. Security training
Slide 73: MC Question
Which of the following technologies would conflict with encryption the most?
A. Virtual private network
B. Digital certificate
C. Anti-virus software
D. Password
Slide 74: MC Question
Which of the following is the most effective solution for preventing external users from modifying sensitive and classified information?
A. Security standards
B. Intrusion detection system
C. Access logs
D. Firewall