Authentication and Access Control


Information Security
Information Security in Today’s World
Abdalla Al-Ameen
Assistant Prof.
Computer Science and Information Dept.
College of Arts and Science in Wadi Addawasir
Salman Bin Abdulaziz University
K.S.A
Web site: http://faculty.sau.edu.sa/a.alameen
Email: [email protected]

Protecting Your PC, Privacy and Self
“The minute you dial in to your Internet service provider or connect to a DSL or cable modem, you are casting your computer adrift in a sea of millions of other computers – all of which are sharing the world's largest computer network, the Internet. Most of those computers are cooperative and well behaved, but some are downright nasty. Only you can make sure your computer is ready for the experience.”
Daniel Appleman, Always Use Protection: A Teen's Guide to Safe Computing (Apress, 2004)

Objectives
This seminar aims to cover the following topics:
• Computer Security definition
• Information Security topic areas
• Core Security Concepts
• Why Study Computer Security?
• The Importance of Information Security
• Security Services
• Challenges
• Latest Trends
• Overview of Existing Security Systems
• Protecting one Computer
• Protecting a Wireless Local Area Network (WLAN)
• What Can We Do?

Introduction
Information security is defined as the methods and technologies for deterrence (scaring away hackers), protection, detection, response, recovery and extended functionalities, or, alternatively, as the process by which digital information assets are protected.

Information Assurance
A broader category than computer security, information security, etc. It is concerned with:
• Security of information in a system
• Quality/reliability of information in a system

What are the Information Security topic areas?
• Policies and procedures
• Authentication
• Attacks
• Remote access, e-mail, Web, wireless
• Devices, media/medium, secure architectures, IDSes/IPSes, operating systems, secure code, cryptography
• Physical security
• Digital media analysis
• …

Core Security Concepts
Vulnerability, Exploit, Threat
• Vulnerability: a weakness in some aspect of a system
• Exploit: a known method for taking advantage of a vulnerability
• Threat: the likelihood of some agent using an exploit to compromise security
  – Note: not all users/groups are equal threats to various systems
  – “Hackers” are more of a threat to popular web sites and businesses
  – Disgruntled employees are more of a threat to isolated businesses

Generic Security Principles
[Figure: Generic Security System. Stages shown: Deterrence (scare away), Protection, Detection, Response, Recovery; applied to information while in transmission and information while in storage; other elements shown: hacker, hardware.]

Why Study Computer Security?
• Increasingly important issue for:
  – Computer system and network administrators
  – Application programmers
• Security issues follow technology:
  – Desktop systems, wireless networks, handheld devices
• Security issues affect software, laws, profits and businesses

The Importance of Information Security
• Prevents data theft
• Avoids legal consequences of not securing information
• Maintains productivity
• Foils cyberterrorism
• Thwarts identity theft

Security Services
• Confidentiality: to keep a message secret from those that are not authorized to read it
• Authentication: to verify the identity of the user / computer
• Access Control: to be able to tell who can do what with which resource
• Integrity: to make sure that a message has not been changed while in transfer, storage, etc.
• Non-repudiation: to make sure that a user/server can’t later deny having participated in a transaction
• Availability: to make sure that the services are always available to users.
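
The following is an added example, not code from the slides, showing three of the services above working together on one request: a keyed HMAC gives integrity and origin authentication (only a holder of the shared key can produce a valid tag, and any change to the message invalidates it), and a small access-control list then decides who may do what with which resource. The shared key, the users, the resources and the ACL are all constructed for the example; the key is assumed to have been agreed out of band between client and server.

```python
import hashlib
import hmac

# Constructed sample data (not from the slides): a pre-shared key, assumed to be
# established out of band between client and server, and a tiny ACL.
SHARED_KEY = b"constructed-demo-key-change-me"

# Access control: who (user) can do what (action) with which resource.
ACL = {
    "alice": {"/reports/q3.pdf": {"read"}, "/uploads": {"read", "write"}},
    "bob": {"/reports/q3.pdf": {"read", "write", "delete"}},
}


def request_bytes(user: str, action: str, resource: str) -> bytes:
    """Canonical encoding of a request so both sides compute the same tag."""
    return f"{user}:{action}:{resource}".encode("utf-8")


def make_tag(key: bytes, message: bytes) -> str:
    """Integrity + origin authentication: HMAC-SHA256 over the message.
    Only a holder of the key can produce a valid tag for a given message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time (avoids timing leaks)."""
    return hmac.compare_digest(make_tag(key, message), tag)


def is_allowed(acl: dict, user: str, action: str, resource: str) -> bool:
    """Default deny: an unknown user, resource or action is refused."""
    return action in acl.get(user, {}).get(resource, set())


def process_request(key: bytes, user: str, action: str, resource: str, tag: str) -> str:
    """Server-side check order: authenticate the request first, then authorize it."""
    message = request_bytes(user, action, resource)
    if not verify_tag(key, message, tag):
        return "rejected: bad tag (message altered or not from a key holder)"
    if not is_allowed(ACL, user, action, resource):
        return "rejected: not authorized"
    return "ok"


if __name__ == "__main__":
    # Client side: build the request and tag it with the shared key.
    tag = make_tag(SHARED_KEY, request_bytes("alice", "read", "/reports/q3.pdf"))
    print(process_request(SHARED_KEY, "alice", "read", "/reports/q3.pdf", tag))
    # Reusing alice's tag under bob's name fails authentication: the "who" is part of the message.
    print(process_request(SHARED_KEY, "bob", "read", "/reports/q3.pdf", tag))
    # A correctly tagged request can still be refused by access control.
    tag2 = make_tag(SHARED_KEY, request_bytes("alice", "delete", "/reports/q3.pdf"))
    print(process_request(SHARED_KEY, "alice", "delete", "/reports/q3.pdf", tag2))
```

The check order matters: a request that fails authentication never reaches the ACL, so an attacker who cannot produce a valid tag learns nothing about which users or resources exist. The ACL is default-deny, which is the access-control counterpart of the firewall policy described later in the deck.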

Challenges
A number of trends illustrate why security is becoming increasingly difficult:
• Speed of attacks
• Sophistication of attacks
• Faster detection of weaknesses
• Distributed attacks
• Difficulties of patching

Latest Trends - Identity Theft
• Crime of the 21st century
• Involves using someone’s personal information, such as social security numbers, to establish bank or credit card accounts that are then left unpaid, leaving the victim with the debts and destroying their credit rating
• National, state, and local legislation continues to be enacted to deal with this growing problem.

Latest Trends - Identity Theft - continued
• Phishing is a method used by identity thieves to take financial information from a computer user
• The word “phishing” was made up by hackers as a cute word for the concept of fishing for information
• One of the most profitable forms of spamming
• Often used in conjunction with spoofed Web sites

Latest Trends - Malicious Software (Malware)
• Designed to operate without the computer user’s permission
• May change or destroy data
• May operate hardware without authorization
• Can hijack your Web browser
• Might steal information or otherwise cheat a computer user or organization

Malware:
• Includes computer viruses, worms, trojan horses, bots, spyware, adware, etc.
• Software is considered malware based on the intent of the creator rather than any particular features

Malware Trends
• Spyware
• Keyloggers
• Rootkits
• Mobile malware
• Combined attack mechanisms

Malware Trends - Spyware
• Advertisement-focused applications that, much like computer worms, install themselves on systems with little or no user interaction
• While such an application may be legal, it is usually installed without the user’s knowledge or informed consent
• A user in an organization could download and install a useful (often “free”) application from the Internet and, in doing so, install a spyware component

Spyware:
• Spyware can collect many different types of information about a user:
  – Records the types of websites a user visits
  – Records what is typed by the user to intercept passwords or credit card numbers
  – Used to launch “pop-up” advertisements
• Many legitimate companies incorporate forms of spyware into their software for purposes of advertisement (adware)

Spyware Example
[Figure: spyware example]

Spyware Example (add-on toolbars)
[Figure: spyware example showing add-on browser toolbars]

Malware Trends - Keyloggers
• Used to capture a user’s keystrokes:
  – Also known as keystroke logging
• Hardware- and software-based
• Useful purposes:
  – Help determine sources of errors on a system
  – Measure employee productivity on certain clerical tasks

Keystroke Logging:
• Can be achieved by both hardware and software means
• Hardware key loggers are commercially available devices which come in three types:
  – Inline devices that are attached to the keyboard cable
  – Devices installed inside standard keyboards
  – Keyboards that contain the key logger already built in
• Writing software applications for keylogging is trivial, and like any computer program they can be distributed as malware (virus, trojan, etc.)

Malware Trends - Rootkits
• A rootkit is a set of software tools intended to hide running processes, files or system data, thereby helping an intruder to maintain access to a system while avoiding detection
• Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules
• They are known to exist for a variety of operating systems
• They are difficult to detect

Malware Trends - Mobile Malware
• Increase in the number of mobile phone viruses being written
• But this is insignificant compared to the much larger number of viruses being written which target Windows desktop computers

Malware Trends - Combined Attack Mechanisms
• SPAM with spoofed Web sites
• Trojans installing bot software (bot: automated program)
• Trojans installing backdoors

Spam:
• Spamming is the abuse of electronic messaging systems to send unsolicited, undesired bulk messages
• Spam media include:
  – e-mail spam (most widely recognized form)
  – instant messaging spam
  – Usenet newsgroup spam
  – Web search engine spam
  – spam in blogs
  – mobile phone messaging spam

Spam Example
[Figure: spam e-mail example]

Phishing:
• A criminal activity using social engineering techniques.
• An attempt to acquire sensitive data, such as passwords and credit card details, by appearing as a trustworthy person or business in an electronic communication.
• Typically carried out using e-mail or an instant message

Phishing Example
[Figure: phishing e-mail example; the link points to a “bad” IP address]
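
The phishing example above hinges on one detail a reader can check: the link's visible text and its real target do not agree, and the real target is a bare IP address. The following is an added example, not code from the slides, that automates that check over an HTML e-mail body. The message body, the bank name and the addresses are constructed for the example (documentation IP ranges and a placeholder domain); the two checks it applies, a raw-IP target and a visible URL whose host differs from the href host, are the ones the slide illustrates.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML e-mail body (not from the slides). Hosts are placeholders:
# 192.0.2.0/24 is a documentation range and example-bank.com is a made-up name.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account within 24 hours:</p>
<a href="http://192.0.2.45/login">https://www.example-bank.com/login</a>
<p>Questions? Visit our <a href="https://www.example-bank.com/help">help center</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_literal(host: str) -> bool:
    """True if the host part of a URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_link(href: str, text: str) -> list:
    """Return the reasons a link looks like phishing (empty list = nothing found)."""
    reasons = []
    target_host = urlparse(href).hostname or ""
    if is_ip_literal(target_host):
        reasons.append("href points to a raw IP address instead of a domain name")
    # If the visible text itself looks like a URL, its host must match the real target.
    shown_host = urlparse(text).hostname if "://" in text else None
    if shown_host and shown_host != target_host:
        reasons.append(f"visible text shows {shown_host} but the link goes to {target_host}")
    return reasons


def find_suspicious_links(html: str) -> list:
    """Return [(href, [reasons...])] for every link that fails at least one check."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = analyze_link(href, text)
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in find_suspicious_links(SAMPLE_EMAIL_HTML):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Both checks are heuristics, not proof: legitimate mail occasionally links to an IP address, and a lookalike domain (rather than an IP) would pass the first check. They are useful as a mail-gateway flag or as a user-education demonstration of why the real target of a link, not its text, is what matters.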

Latest Trends - Ransomware
• Type of malware that encrypts the victim’s data, demanding a ransom for its return.
• Cryptovirology predates ransomware

Overview of Existing Security Systems: Firewalls
Used even for deterring (scaring attackers)
• Firewalls: designed to prevent malicious packets from entering
• Software based: runs as a local program to protect one computer (personal firewall) or as a program on a separate computer (network firewall) to protect the network
• Hardware based: separate devices that protect the entire network (network firewalls)
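
To make “prevent malicious packets from entering” concrete, the following added example (not code from the slides) evaluates a packet against an ordered filter policy the way a simple firewall does: rules are tried top to bottom, the first match decides, and a packet that matches nothing is dropped. The policy and the addresses are constructed for the example using documentation IP ranges; the rule fields and the first-match semantics are the assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: a first-match packet filter with a default-deny policy.
# All addresses are constructed from documentation ranges (RFC 5737).


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source network in CIDR notation
    dst_port: Optional[int]  # None means any destination port
    proto: str               # "tcp", "udp" or "any"


# Constructed policy: block a known-bad range first, open the web ports to
# everyone, and allow SSH only from the admin subnet. Everything else is dropped.
POLICY: List[Rule] = [
    Rule("deny", "203.0.113.0/24", None, "any"),
    Rule("allow", "0.0.0.0/0", 80, "tcp"),
    Rule("allow", "0.0.0.0/0", 443, "tcp"),
    Rule("allow", "198.51.100.0/24", 22, "tcp"),
]


def rule_matches(rule: Rule, src_ip: str, dst_port: int, proto: str) -> bool:
    """A rule matches when source network, port and protocol all agree."""
    ip = ipaddress.ip_address(src_ip)
    return (
        ip in ipaddress.ip_network(rule.src)
        and (rule.dst_port is None or rule.dst_port == dst_port)
        and (rule.proto == "any" or rule.proto == proto)
    )


def evaluate(policy: List[Rule], src_ip: str, dst_port: int, proto: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); no match falls to the default deny."""
    for index, rule in enumerate(policy):
        if rule_matches(rule, src_ip, dst_port, proto):
            return rule.action, index
    return "deny", None


if __name__ == "__main__":
    packets = [
        ("192.0.2.9", 443, "tcp"),     # public web client -> allowed by rule 2
        ("192.0.2.9", 22, "tcp"),      # SSH from outside the admin subnet -> default deny
        ("198.51.100.5", 22, "tcp"),   # SSH from the admin subnet -> allowed by rule 3
        ("203.0.113.9", 80, "tcp"),    # known-bad range -> denied by rule 0 before the web rule
    ]
    for pkt in packets:
        print(pkt, "->", evaluate(POLICY, *pkt))
```

Rule order is the point: the deny for the known-bad range sits above the permissive web rules, so it wins even though the web rules would otherwise match; reversing the order would silently let that range through on ports 80 and 443.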

Overview of Existing Security Systems: Detection - Intrusion Detection Systems
• Intrusion Detection System (IDS): examines the activity on a network
• Goal is to detect intrusions and take action
• Two types of IDS:
  – Host-based IDS: installed on a server or other computers (sometimes all); monitors traffic to and from that particular computer
  – Network-based IDS: located behind the firewall and monitors all network traffic
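
The following is an added example, not code from the slides, of the kind of rule a host-based IDS runs: it reads the host's authentication log, matches a signature (failed SSH logins), and raises an alert when one source address produces too many failures inside a short time window. The log lines are constructed in sshd's syslog format with documentation IP ranges; the threshold and window are illustrative values.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sshd-style auth log lines (not from the slides); source
# addresses are from documentation ranges.
SAMPLE_LOG = """\
Nov 14 10:01:02 host1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov 14 10:01:05 host1 sshd[2233]: Failed password for root from 203.0.113.7 port 51236 ssh2
Nov 14 10:01:07 host1 sshd[2235]: Failed password for root from 203.0.113.7 port 51238 ssh2
Nov 14 10:01:09 host1 sshd[2237]: Accepted publickey for alice from 198.51.100.20 port 40022 ssh2
Nov 14 10:01:12 host1 sshd[2239]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov 14 10:02:30 host1 sshd[2250]: Failed password for bob from 198.51.100.20 port 40030 ssh2
Nov 14 10:45:00 host1 sshd[2301]: Failed password for bob from 198.51.100.20 port 40031 ssh2
Nov 14 11:30:00 host1 sshd[2390]: Failed password for bob from 198.51.100.20 port 40032 ssh2
""".splitlines()

# Signature: an sshd "Failed password" line, with or without "invalid user".
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failed_login(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, source ip, user) for a failed-login line, else None."""
    m = FAILED_LOGIN_RE.match(line)
    if m is None:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, fine for deltas.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("user")


def detect_bruteforce(lines: List[str], threshold: int = 3, window_seconds: int = 60) -> Dict[str, int]:
    """Threshold rule: alert on any source IP with >= threshold failed logins
    inside a sliding window of window_seconds. Returns {ip: peak count}."""
    attempts: Dict[str, List[datetime]] = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is not None:
            ts, ip, _user = parsed
            attempts.setdefault(ip, []).append(ts)

    window = timedelta(seconds=window_seconds)
    alerts: Dict[str, int] = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {count} failed logins from {ip} within 60 s")
```

The window is what separates an attack from ordinary mistakes: in the sample data 198.51.100.20 also accumulates three failures, but spread over an hour and a half, so the 60-second rule stays quiet for it while 203.0.113.7, with four failures in ten seconds, is flagged.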

Overview of Existing Security Systems: Network Address Translation (NAT)
• Network Address Translation (NAT) systems: hide the IP address of network devices
• Located just behind the firewall. The NAT device uses an alias IP address in place of the sending machine’s real one: “You cannot attack what you can’t see”

Overview of Existing Security Systems: Proxy Servers
• Proxy server: operates similarly to NAT, but also examines packets to look for malicious content
• Replaces the protected computer’s IP address with the proxy server’s address
• Protected computers never have a direct connection outside the network. The proxy server intercepts requests and acts “on behalf of” the requesting client

Adding a Special Network called a Demilitarized Zone (DMZ)
• Demilitarized Zone (DMZ): another network that sits outside the secure network perimeter. Outside users can access the DMZ, but not the secure network
• Some DMZs use two firewalls. This prevents outside users from even accessing the internal firewall, providing an additional layer of security

Overview of Existing Security Systems: Virtual Private Networks (VPN)
• Virtual Private Networks (VPNs): a secure network connection over a public network
  – Allows mobile users to securely access information
  – Sets up a unique connection called a tunnel
[Figure: Virtual Private Network (VPN)]

Overview of Existing Security Systems: Honeypots
• Honeypots: a computer located in a DMZ and loaded with files and software that appear to be authentic, but are actually imitations
• Intentionally configured with security holes
• Goals: direct the attacker’s attention away from real targets; examine the techniques used by hackers

Overview of Existing Security Systems: Secure Socket Layer (SSL)
SSL is used for securing communication between clients and servers. It provides mainly confidentiality, integrity and authentication.
[Figure: client and WWW server establish an SSL connection; the communication is then protected]

Protecting one Computer
Operating system hardening is the process of making a PC operating system more secure:
• Patch management
• Antivirus software: to protect your PC from viruses
• Antispyware software
• Firewalls: to deter (scare), protect
• Setting correct permissions for shares
• Intrusion detection systems: to detect intrusions
• Cryptographic systems

Protecting a Wireless Local Area Network (WLAN)

Security in a Wireless LAN
WLANs include a different set of security issues.
• Steps to secure:
  – Turn off broadcast information
  – MAC address filtering
  – Encryption
  – Password protect the access point
  – Physically secure the access point
  – Use enhanced WLAN security standards whenever possible
  – Use cryptographic systems

What Can We Do?
• Security Assessment
  – Identify areas of risk
  – Identify potential for security holes, breakdown
  – Identify steps to mitigate
• Security Application
  – Multi-layered approach (there is no single solution)
  – Policies and procedures
• Security Awareness
  – Not just for the geeks!
  – Security training at all levels (external and/or internal)
  – Continuing education and awareness: not a one-time shot!
  – Make it part of the culture

Thank you for coming!!