Date post: 11-Jan-2016
Security Lecture 11, May 14, 2003 Mr. Greg Vogl Data Communications and Networks Uganda Martyrs University
Transcript
Page 1: Security Lecture 11, May 14, 2003 Mr. Greg Vogl Data Communications and Networks Uganda Martyrs University.

Security

Lecture 11, May 14, 2003

Mr. Greg Vogl

Data Communications and Networks

Uganda Martyrs University

Page 2

May 14, 2003 Data Communications and Networks: Lecture 11: Security

Sources

Networks 1999, Ch. 9 and Appendix A
Computers in Your Future, modules 10B, C
Burgess, Section 8
Solomon, Parts 12, 13
Ritchie, Ch. 14

Page 3

Overview

Problems and causes
– Threats, attackers, responsible people

Prevention and recovery
– Physical security, software security, viruses
– Data security, long-term storage and retrieval
– Disaster recovery
– Human security
– Authentication and passwords
– Encryption

Page 4

Threats, damages and costs

Natural disaster (e.g. flood, fire, lightning)
Deliberate sabotage/vandalism (e.g. viruses)
Damaged or stolen hardware
Damaged/deleted/leaked data/information
Net downtime/overload; use of staff time
Lost privacy, confidentiality; public safety
Reputation/appearance of no security/safety

Page 5

Categories of threats

Unauthorised disclosure
– Viewing information with no rights to see

Unauthorised updates
– Making changes with no rights to change

Denial of service
– Interference with legitimate user access

Page 6

Attackers and their motives

Hobbyists: crackers, virus authors, thieves
– Challenge, ego, financial gain

Employees: terminated, disgruntled, corrupt
– Financial gain, organisational harm/revenge

Corporate spies: competitors
– Market competition

Information terrorists
– Harm state governments

Page 7

Types of attacks

Cracking programs: try passwords
Eavesdropping: watching users, wiretapping
Spoofing: pretending to be a client or server

Page 8

Who is responsible for security?

Managers
– Design general policies

System designers
– Create mechanisms to enforce specific policies

System administrators
– Design and enforce specific policies

Users
– Adhere to general and specific policies

Page 9

Physical security

Equipment protection, protective equipment
– Door locks, burglar bars, armed guards
– Dust, AC, surge protector, UPS, standby power
– Alarms: temperature, burglar

Physically separate equipment and data
– Secure and non-secure

Investment appropriate to nature of business

Page 10

Software security

File and directory access control (rwx)

Network services can be security loopholes
– E.g. finger, sendmail, remote login, dial-up
– Use tools to log & audit use of existing services
– Disable or turn off all unused network services

Use firewall software, e.g. ZoneAlarm

Use loophole detection tools, e.g. SATAN

Page 11

Secure software design principles

Public design
– No secret algorithms; weaknesses revealed

Default = no access
– Minimum privileges; add only when needed

Timely checks
– Security of passwords “wears out” over time

Simple, uniform mechanisms

Appropriate levels of security

Page 12

Viruses

Malicious self-replicating program
– Infects programs with copies of itself
– Spread by running programs

Types: boot sector, program, macro
– Variations: worm, Trojan horse, time bomb

Locations: memory/files, programs/data

Transmission methods
– Floppies, installing software, downloads, email

Page 13

Virus prevention and recovery

Install anti-virus software on all computers
– Schedule automatic virus scans
– Keep active auto-protect features enabled
– Keep virus software and definitions updated
– Repair, quarantine or delete infected files

Educate users about viruses
– Causes, prevention, removal
– Specific, current, serious threats

Page 14

Data security

Backups and archiving
Antivirus software
Encryption of sensitive information
Disposal of obsolete, sensitive information
– Erase (possibly reformat) disks
– Shred paper documents

Page 15

Long-term storage and retrieval

Daily backups (and possibly mirroring)
Document info removal/purge procedures
Test equipment & procedures for restoration
Keep storage media physically secure
– Store backup copies at remote locations

Page 16

Disaster recovery preparation

Create a disaster recovery plan
– Discuss, document, communicate, test

List and categorise possible disasters
– Minor, major, catastrophic

Prepare for these disasters
– Minimum: backup, inventory, net docs
– Spares, maintenance contracts, recovery site
– Research user needs/tolerances

Page 17

Human security

Educate users, receptionists, “gatekeepers”
Encourage securing passwords, accounts
Be careful when giving out information
– “Helpful” employees may leak important info
– Know who has rights to what info
– Be aware of threats and ask questions first
– Background checks, ID cards/badges

Page 18

Authentication

Permit access to authorised users
– Username/password combination is valid

Deny access to unauthorised users
– Display error message “invalid login”

Regulate/authorise user actions after login
– E.g. read/write/execute access to files/folders

Page 19

Access terminology

Objects (what to access)
– Hardware, software (files, databases, processes)

Principals (users, owners of objects)
– People, groups, projects, roles (admin)

Rights (permissions to use operations)
– Read, write, update, delete, execute, etc.

Domains (set of rights; location of objects)

Page 20

Access matrix

Rows are principals/domains, columns are objects; each cell holds the rights.

Principals/domains | File x                       | Disk y
JoeUser            | Rights: Read                 | Rights: Read
Administrators     | Rights: Read, write, execute | Rights: Read, write
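The matrix above as a lookup table with default = no access, as an added Python example (not part of the lecture); the group membership of the constructed user "alice" and the grant helper are assumptions.

```python
# Added example, not from the lecture: the slide's access matrix as a table of
# (principal, object) -> rights, looked up with "default = no access".
from typing import Dict, FrozenSet, Set, Tuple

Matrix = Dict[Tuple[str, str], FrozenSet[str]]

# Rows: principals/domains; columns: objects (the two cells per row from the slide).
ACCESS_MATRIX: Matrix = {
    ("JoeUser", "File x"): frozenset({"read"}),
    ("JoeUser", "Disk y"): frozenset({"read"}),
    ("Administrators", "File x"): frozenset({"read", "write", "execute"}),
    ("Administrators", "Disk y"): frozenset({"read", "write"}),
}

# Constructed group membership (assumption): "alice" acts in the Administrators domain.
GROUPS: Dict[str, Set[str]] = {"Administrators": {"alice"}}


def principals_for(user: str) -> Set[str]:
    """A user holds the rights of itself plus every group/domain it belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def rights(user: str, obj: str, matrix: Matrix = ACCESS_MATRIX) -> FrozenSet[str]:
    """Union of rights over the user's principals; an absent cell means no rights."""
    held: Set[str] = set()
    for principal in principals_for(user):
        held |= matrix.get((principal, obj), frozenset())
    return frozenset(held)


def allowed(user: str, obj: str, right: str, matrix: Matrix = ACCESS_MATRIX) -> bool:
    """Reference-monitor check: permit only if the right appears in the cell."""
    return right in rights(user, obj, matrix)


def grant(matrix: Matrix, principal: str, obj: str, right: str) -> Matrix:
    """Add one right to one cell ("add only when needed" from the design slide)."""
    matrix[(principal, obj)] = matrix.get((principal, obj), frozenset()) | {right}
    return matrix
```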

Page 21

Secure passwords

Not crackable (blank, short, words, names)
Not guessable (phone, birthdate, username)
Not written down
– Except admin passwords kept physically secure
Use numbers, symbols, mix case
Memorable (so no need to write down)

Page 22

Account security

Require users to change password regularly
Log password attempts, limit no. of failures
Run crack programs to find poor passwords
Audit account status and usage regularly
Delete or disable accounts when people go
Archive and safeguard old account data
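The second item above, logging attempts and limiting failures, run as detection logic over a few constructed log lines, as an added Python example (not from the lecture); the log format, the threshold of three failures and the ten-minute window are assumptions.

```python
# Added example, not from the lecture: "log password attempts, limit no. of failures".
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not a real system's): <date> <time> login OK|FAILED user=<u> from=<ip>
LINE_RE = re.compile(r"^(\S+ \S+) login (OK|FAILED) user=(\S+) from=(\S+)$")

SAMPLE_LOG = [  # constructed sample lines, dated on the lecture day
    "2003-05-14 09:00:00 login FAILED user=bob from=10.0.0.9",
    "2003-05-14 09:00:01 login FAILED user=joe from=10.0.0.5",
    "2003-05-14 09:00:09 login FAILED user=joe from=10.0.0.5",
    "2003-05-14 09:00:20 login FAILED user=joe from=10.0.0.5",
    "2003-05-14 09:01:00 login FAILED user=ann from=10.0.0.7",
    "2003-05-14 09:02:00 login OK user=ann from=10.0.0.7",
    "2003-05-14 09:03:00 login FAILED user=ann from=10.0.0.7",
    "2003-05-14 09:03:30 login FAILED user=ann from=10.0.0.7",
    "2003-05-14 09:15:00 login FAILED user=bob from=10.0.0.9",
    "this line is not in the expected format",
]


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # unparseable lines are skipped, never guessed at
    when, result, user, src = m.groups()
    return {"time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "result": result, "user": user, "from": src}


def accounts_to_lock(lines, max_failures: int = 3, window_minutes: int = 10) -> dict:
    # user -> time when max_failures failures fell in one sliding window; a successful login resets the count
    window = timedelta(minutes=window_minutes)
    recent: dict = defaultdict(list)
    locked: dict = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["user"] in locked:
            continue
        fails = recent[ev["user"]]
        if ev["result"] == "OK":
            fails.clear()
            continue
        fails.append(ev["time"])
        fails[:] = [t for t in fails if ev["time"] - t <= window]  # forget old failures
        if len(fails) >= max_failures:
            locked[ev["user"]] = ev["time"].strftime("%H:%M:%S")
    return locked
```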

Page 23

Encryption

The sender encrypts (encodes) a message
– Substitutes unreadable data, apparently nonsense

Only some receivers can decrypt/decode it
– Translate coded data into readable data

Coding and decoding require using keys
– Encoding/decoding algorithms plus secret text

Encryption is only useful if the key is secure
– Anyone who intercepts the key can decrypt

Page 24

Password file

User-readable file, but passwords encrypted
– /etc/passwd in older UNIX; now /etc/shadow

Data Encryption Standard (DES)
– One-way algorithm: key + password → code
– Encrypt password attempt, compare with code
– If the two codes match, login is valid, else not
– System holds key; passwords never revealed

Powerful computers can crack passwords
– A 56-bit key is unsafe; 128 bits is reasonable
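The one-way check described above, as an added Python example (not from the lecture): the shadow-file line format is constructed, and PBKDF2-SHA256 stands in for the DES-based algorithm the slide names, with a per-user salt as the system-held, non-secret value mixed into the one-way function.

```python
# Added example, not from the lecture: a shadow-style password file holding a
# one-way "code" per user; a login attempt is encoded the same way and compared.
# PBKDF2-SHA256 stands in for the DES-based crypt() of the slide; the per-user
# salt is the system-held, non-secret value mixed into the one-way function.
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor: slows brute-force guessing of codes


def make_code(password: str, salt: bytes) -> str:
    """One-way: (salt, password) -> code; the code cannot be reversed to the password."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return base64.b64encode(raw).decode("ascii")


def make_shadow_entry(user: str, password: str, salt=None) -> str:
    """One shadow line in a constructed format: user:$pbkdf2-sha256$<salt>$<code>."""
    salt = salt if salt is not None else os.urandom(16)
    salt_b64 = base64.b64encode(salt).decode("ascii")
    return f"{user}:$pbkdf2-sha256${salt_b64}${make_code(password, salt)}"


def parse_shadow(lines) -> dict:
    """user -> (salt, stored code); malformed or unknown-algorithm lines are ignored."""
    entries = {}
    for line in lines:
        try:
            user, field = line.strip().split(":", 1)
            _, alg, salt_b64, code = field.split("$")
        except ValueError:
            continue
        if alg == "pbkdf2-sha256":
            entries[user] = (base64.b64decode(salt_b64), code)
    return entries


def login_valid(entries: dict, user: str, attempt: str) -> bool:
    """Encode the attempt with the user's salt; the login is valid only if the codes match."""
    if user not in entries:
        return False  # unknown user gets the same "invalid login" as a wrong password
    salt, stored = entries[user]
    return hmac.compare_digest(make_code(attempt, salt), stored)  # constant-time compare


# Constructed sample file; the fixed salt keeps the example repeatable.
SHADOW_LINES = [make_shadow_entry("joe", "Ug4nd@-Martyrs!", salt=b"0123456789abcdef"), "not a valid shadow line"]
ENTRIES = parse_shadow(SHADOW_LINES)
```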

Page 25

Public Key Encryption (PKE)

Receiver announces his/her public key
Sender encrypts a message with public key
Receiver decrypts using his/her private key
No danger of private key being intercepted
Enables criminals to communicate secretly
– Governments need access to combat crime
– Key escrow/recovery allows access to some

Page 26

RSA public key encryption

Choose two large prime numbers p and q
Choose e relatively prime to (p-1)(q-1)
– They have no common divisors
Calculate d such that ed = 1 mod (p-1)(q-1)
Calculate n = pq
Public key is (n, e); private key is d
p and q must be kept secret
Long computation to decrypt by factoring n
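The steps above carried through with small textbook primes, as an added Python example (not from the lecture); the choice p = 61, q = 53, e = 17 is an assumption, and the last function shows why a small n gives no security at all.

```python
# Added example, not from the lecture: RSA key generation, encryption and
# decryption following the slide's steps, with toy-sized primes (assumed).
from math import gcd, isqrt

def egcd(a: int, b: int) -> tuple:
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(a: int, m: int) -> int:
    """Return d with a*d == 1 (mod m); fails if a and m share a divisor."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}")
    return x % m

def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """n = pq; e relatively prime to (p-1)(q-1); d such that ed = 1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = modinv(e, phi)
    return (n, e), d  # public key (n, e); private key d; p and q are discarded

def encrypt(public: tuple, m: int) -> int:
    """Anyone holding the public key can encrypt a block m < n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message block must be smaller than n")
    return pow(m, e, n)

def decrypt(d: int, n: int, c: int) -> int:
    """Only the holder of d can recover m."""
    return pow(c, d, n)

def factor_small(n: int) -> tuple:
    """Trial division: instant for a toy n, hopeless for a real one, which is
    why p and q must be large (and kept secret) for d to stay private."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")
```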

Page 27

Encryption in Windows

Many programs can password protect files
– E.g. Word, Excel, Access, WinZip

Windows NTFS can encrypt files, folders
– Right-click, Properties, General, Advanced

E-mail and web pages can be encrypted
– Passwords, messages, attachments

Microsoft Point to Point Encryption
– Point to Point Tunneling Protocol for PPP

Page 28

Some other uses of encryption

Authentication, confidentiality, integrity, non-repudiation

Pretty Good Privacy
– High security free 128-bit RSA PKE algorithm

Secure Sockets Layer
– Secure electronic financial Web transactions

Secure HTTP (HTTPS) and .shtml files
– Digital IDs, signatures, certificates
