Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2013 Pearson.  Controlling Access to Resources ◦ If criminals cannot get access, they cannot do harm.  Authentication ◦ Proving one’s identity ◦ Cannot.

Published byLee Douglas Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2013 Pearson.  Controlling Access to Resources ◦ If criminals cannot get access, they cannot do harm.  Authentication ◦ Proving one’s identity ◦ Cannot."— Presentation transcript:

1 © 2013 Pearson

2  Controlling Access to Resources ◦ If criminals cannot get access, they cannot do harm.  Authentication ◦ Proving one’s identity ◦ Cannot see the other party © 2013 Pearson 2

3  The supplicant proves its identity to the verifier by sending its credentials (proofs of identity). © 2013 Pearson 3

4  Reusable Passwords ◦ Strings of characters typed to authenticate the use of a username (account) on a computer. ◦ They are used repeatedly and so are called reusable passwords.  Benefits ◦ Ease of use for users (familiar) ◦ Inexpensive because built into operating systems © 2013 Pearson 4

5  Often Weak (Easy to Crack) ◦ Word and name passwords are common.  spot, mud, helicopter, veterinarian ◦ They can be cracked quickly with dictionary attacks. ◦ Word and name passwords are never adequately strong, regardless of how long they are. © 2013 Pearson 5

6  Hybrid Dictionary Attacks ◦ Look for common variations of names and words.  Capitalizing only the first letter  Ending with a single digit  And so on ◦ Passwords that can be cracked with hybrid dictionary attacks are never adequately strong, regardless of how long they are. © 2013 Pearson 6

7  Passwords Should Be Complex ◦ Should mix case, digits, and other keyboard characters ($, #, etc.). ◦ Complex passwords can be cracked only with brute force attacks (trying all possibilities).  Passwords Also Should Be Long ◦ Should have a minimum of eight characters. ◦ Each added character increases the brute force search time by a factor of about 70. © 2013 Pearson 7

8  For each password, how would it be cracked, and is it acceptably strong: ◦ Mississippi ◦ 4$5aB ◦ 34d8%^tdy © 2013 Pearson 8

9  Other Concerns ◦ If people are forced to use long and complex passwords, they tend to write them down. ◦ People should use different passwords for different sites.  Otherwise, a compromised password will give access to multiple sites. ◦ Overall, reusable passwords are too vulnerable to be used for high security today. © 2013 Pearson 9

10  Perspective ◦ Goal is to eliminate reusable passwords.  Access Cards ◦ Permit door access. ◦ Proximity access cards do not require physical scanning. ◦ Need to control distribution and disable lost or stolen cards. © 2013 Pearson 10

11  Biometrics ◦ Uses body measurements to authenticate you ◦ Methods vary in cost, precision, and ease of deception ◦ Fingerprint scanning  Inexpensive but poor precision, deceivable  Sufficient for low-risk uses  On a notebook, may be better than requiring a reusable password © 2013 Pearson 11

12  Biometrics ◦ Iris scanning  Patterns in the colored part of your eye  Expensive but precise and difficult to deceive ◦ Facial scanning  Based on facial features  Controversial because it can be done surreptitiously—without the scanned person’s knowledge © 2013 Pearson 12

13  Digital Certificate Authentication ◦ The strongest form of authentication ◦ Components  Everyone has a private key only he or she knows.  Everyone also has a non-secret public key.  If John communicates with Sylvia, how many public and private keys will there be?  If there are 20 students in the classroom, how many public and private keys will there be? © 2013 Pearson 13

14  Digital Certificate Authentication ◦ Components  Public keys are available in unalterable digital certificates.  Digital certificates are provided by trusted certificate authorities. © 2013 Pearson 14

15 © 2013 Pearson 15

16 © 2013 Pearson 16 Verifier gets the public key of the true party from the true party’s digital certificate. Verifier gets the public key of the true party from the true party’s digital certificate.

17 © 2013 Pearson 17

18  Two-Factor Authentication ◦ Supplicants need two forms of credentials ◦ Example: debit card and PIN ◦ Strengthens authentication (defense in depth) ◦ Fails if attacker controls the user’s computer or ◦ Intercepts the authentication communication © 2013 Pearson 18 + = 2-Factor Authentication 4400 (PIN)

19 © 2013 Pearson 19 Firewall examines all packets passing through it.

20 © 2013 Pearson 20 Drops and logs provable attack packets Drops and logs provable attack packets

21 © 2013 Pearson 21 Passes packets that are not provable attack packets

22  What does a firewall do with a packet that is highly suspicious? © 2013 Pearson 22

23  Firewalls Inspect Packets. ◦ There are several firewall filtering (inspection) methods. ◦ We will look at three. ◦ Static packet filtering is inexpensive, insufficient. ◦ Stateful Packet Inspection (SPI) is the most common filtering mechanism. ◦ Deep inspection firewalls. © 2013 Pearson 23

24 © 2013 Pearson 24

25  Stateful Packet Inspection ◦ The most common firewall inspection mechanism.  Conversations have different states. ◦ On the telephone, there is the initial determination of who the other party is. ◦ Afterward, identity does not have to be checked. ◦ Data conversations also have different states with different security requirements. © 2013 Pearson 25

26  Connections have states with different security needs. ◦ During connection openings, there has to be very careful authentication and other status checking. ◦ After the connection opening, heavy authentication and other status checking is unnecessary.  Stateful Packet Inspection (SPI) basic insight: only do heavy filtering for risky stages of a connection. © 2013 Pearson 26

27 © 2013 Pearson 27

28  For all packets that attempt to open a connection ◦ Not for the more numerous packets that do not attempt to open a connection © 2013 Pearson 28 RuleDestination IP Address or Range Service (Port) Action 1ALL25Allow Connection 210.47.122.7980Allow Connection 3ALL Do Not Allow Connection

29  If packet does not attempt to open a connection… ◦ If the packet is part of an accepted connection,  Pass without further inspection (although may do further inspection if desired) ◦ Otherwise, drop and log © 2013 Pearson 29

30  Nearly all packets are NOT part of connection-opening attempts. ◦ Simplicity of filtering for packets that do not attempt to open connections makes cost of processing most packets low.  At the same time, there is heavy filtering at the initial state, which needs heavy filtering.  The result is good security and good cost. © 2013 Pearson 30

31 © 2013 Pearson 31 All Packets Packets that Attempt to Open a Connection Other Packets Pass Through Access Control List Part of Previously Permitted Connection Not Part of Previously Permitted Connection Drop PacketAccept Packet Accept or Reject Connection

32  Examine Streams of Messages ◦ Stateful inspection firewalls know packet context (connection-opening or not) but still examine only individual packets. ◦ Deep inspection firewalls look at streams of packets for patterns. ◦ For example, reconstruct application messages from TCP segments in different packets. © 2013 Pearson 32

33  Read All Packet Layers, Including Application Messages ◦ Stateful packet inspection packets do not read application messages in detail. ◦ Deep inspection firewalls examine application messages in detail. ◦ This allows them to tell when a message to Port 80 is not an HTTP message. ◦ These may use Port 80 for illegal file sharing and other attacks. © 2013 Pearson 33

34  Read All Packet Layers, Including Application Messages ◦ Some deep inspection packets are application- aware, allowing administrators to set up filtering rules for many specific applications. ◦ This provides very powerful control. © 2013 Pearson 34

35  Intrusion Detection Systems (IDSs) ◦ Deep inspection firewalls began as intrusion detection systems (IDSs) ◦ Found suspicious patterns in traffic and notified the firewall administrators ◦ Evolved to the point where there was enough confidence to let them actively stop traffic © 2013 Pearson 35

36  Requires Extensive Processing Power ◦ Far more than SPI ◦ Made possible by application-specific integrated circuits (ASICs) ◦ ASICs handle specific deep firewall inspection tasks in specialized hardware, which is very fast ◦ Finally making deep inspection feasible © 2013 Pearson 36

37  Group of Protections Based on Mathematics ◦ Confidentiality: eavesdropper cannot read transmissions. ◦ Authentication: identity of the sender is proven. ◦ Message Integrity: receiver can tell if the message has been altered en route. ◦ Collectively called CIA. © 2013 Pearson 37

38 © 2013 Pearson 38 Encryption methods are called ciphers, not codes.

39 © 2013 Pearson 39 Encrypted messages thwart eavesdroppers. Encrypted messages thwart eavesdroppers.

40 © 2013 Pearson 40 Receiver decrypts with the same cipher and symmetric key.

41  Notes ◦ A single key is used to encrypt and decrypt in both directions. ◦ The most popular symmetric key encryption cipher today is the Advanced Encryption System (AES). ◦ Key lengths have to be at least 100 bits long to be considered strong. © 2013 Pearson 41

42 © 2013 Pearson 42

43  Cryptographic Systems ◦ Packages of Cryptographic Protections ◦ Users do not have to know the details ◦ Defined by cryptographic system standards  Examples of Cryptographic System Standards ◦ SSL/TLS ◦ IPsec © 2013 Pearson 43

44 © 2013 Pearson

45  Some attacks inevitably succeed. ◦ Successful attacks are called incidents or compromises. ◦ Security moves into the respond stage.  Response should be “reacting according to plan.” ◦ Planning is critical. ◦ A compromise is not the right time to think about what to do. © 2013 Pearson 45

46  Stages ◦ Detecting the attack ◦ Stopping the attack ◦ Repairing the damage ◦ Punishing the attacker? © 2013 Pearson 46

47  Major Incidents and CSIRTs ◦ Major incidents are incidents the on-duty security staff cannot handle. ◦ Company must convene a computer security incident response team (CSIRT). ◦ CSIRTs should include members of senior management, the firm’s security staff, members of the IT staff, members of affected functional departments, and the firm’s public relations and legal departments. © 2013 Pearson 47

48  Disasters and Disaster Recovery ◦ Natural and humanly made disasters ◦ IT disaster recovery  Dedicated backup sites and transferring personnel or  Having two sites mutually back up each other ◦ Business continuity recovery  Getting the whole firm back into operation  IT is only one concern © 2013 Pearson 48

49  Rehearsals ◦ Incident response is responding according to plan. ◦ Rehearsals are necessary for accuracy.  To find problems with the plan. ◦ Rehearsals are necessary for response speed.  Time literally is money. © 2013 Pearson 49

Download ppt "© 2013 Pearson.  Controlling Access to Resources ◦ If criminals cannot get access, they cannot do harm.  Authentication ◦ Proving one’s identity ◦ Cannot."

Similar presentations

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.

Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.
Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.

Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
SSH: An Internet Protocol By Anja Kastl IS 373 - World Wide Web Standards.

SSH: An Internet Protocol By Anja Kastl IS World Wide Web Standards.
Security (Part 2) School of Business Eastern Illinois University © Abdou Illia, Spring 2007 (Week 13, Thursday 4/5/2007)

Security (Part 2) School of Business Eastern Illinois University © Abdou Illia, Spring 2007 (Week 13, Thursday 4/5/2007)
CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.

CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
Cryptographic Technologies

Cryptographic Technologies
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Chapter 9 Security. The Threat Environment 3 Figure 9-1: CSI/FBI Survey Companies Face Many Attacks –Viruses (and other malware) –Insider abuse of net.

Chapter 9 Security. The Threat Environment 3 Figure 9-1: CSI/FBI Survey Companies Face Many Attacks –Viruses (and other malware) –Insider abuse of net.
Network Security Chapter 3 Panko and Panko

Network Security Chapter 3 Panko and Panko
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Similar presentations

Ads by Google