Protecting your data.
http://www.flickr.com/photos/photobunny_earl/2625899895/sizes/z/in/photostream/
•
security
system
–
a set of actions taken, or put in place, to prevent adverse
consequences
•
asset
–
an entity the security system is designed to
protect
•
attacker
–
someone who intentionally attempts to violate
security
•
threat
–
the possibility of a successful
attack
•
vulnerability
–
a weakness in the security
system
•
mitigation
–
something
that corrects
vulnerabilities
Vulnerabilities
weaknesses in the operating system
flaws in application software
user ignorance
server software flaws
User
Attacker
weaknesses in network protocols
Lack of “flood control”
LAN
shoddy network configuration
Server
Foundations of Information
Security
Integrity
Confidentiality
Availability
•
Two kinds of integrity
–
Data integrity: data has not been corrupted
–
Owner integrity: data owner (source) is correct
•
Attacks on Integrity include:
–
viruses/worms:
•
a computer program that is part of data that you download
or install. The program is installed without your knowledge.
•
You didn't expect these programs to be present
–
Spoofing:
•
one person/device impersonates another
•
Confidential information is not disclosed to
unauthorized persons, processes or devices.
•
Attacks against confidentiality:
–
Shoulder surfing:
•
peeking at things others consider private
–
Phishing:
•
A web site or email that asks you for confidential data.
–
Network sniffing:
•
examining someone else's network transmissions.
•
Even if your data maintains confidentiality and integrity; it
may still lack 'security'.
•
Data must be available in a timely fashion to authorized
users.
•
Attacks on availability:
–
Denial of Services (
DoS
):
•
Unauthorized users attempt to access so much information that
authorized users cannot access their information.
•
Spam can be considered a
DoS
attack. So much spam is sent that
legitimate information is often overlooked or inadvertently tagged
as spam.
•
Security
requires confidentiality.
–
Must be able to identify ‘things’
–
You can say something confidential to your friend.
•
How do you know if it is really your friend on the other end of
the 'chat' or phone or text
-
message?
•
Authentication is the process of validating
identity.
•
Authentication can be done by:
–
passwords
–
smart cards or tokens
–
biometrics
•
retinal scan
•
fingerprint
•
voice recognition
•
facial recognition
•
palm print
•
DNA
•
typing rhythm
•
gait
•
Four factors can be used to authenticate
1.
Something you know
2.
Something you possess
3.
Something you
are
4.
Somewhere you are
•
2
-
Factor authentication
–
Any system that involves 2 of the four factors
•
Which factors are involved for the following systems?
–
passwords
–
Using an ATM
–
smart cards or tokens
–
biometrics
–
credit card
•
Authentication leads to authorization
•
Authorization grants certain rights:
–
Right to read a file
–
Right to create a file
–
Right to execute a program
–
Right to withdraw money from an account
–
Right to borrow money
–
…
•
In a computing system the rights are classified as either
–
read
–
write
–
own
–
execute
•
Encryption mitigates threats by mitigating
–
owner integrity
–
confidentiality
•
Consider the case where a hacker gains access to a file that you
own.
–
The hacker can see all the bits in the file
–
The hacker can
understand
the bits if the bits are ‘plaintext’
(plaintext files are understandable by anyone)
–
The hacker
cannot understand
the bits if the bits are
encrypted
.
•
Encryption
: the process
of encoding messages
in
such a way
that
hackers
cannot
understand it
, but that authorized parties
can.
cipher text
plain text
encryption algorithm
The cipher text can not
be understood by
anyone!
Is one
-
way encryption useful?
password
encryption algorithm
Is one
-
way encryption useful?
Sally
sally
|
zy
#!(
kdbh
password
Sally
Compare
Create/Update
password
Authenticate
encryption algorithm
cipher
text
plain text
encryption
algorithm
decryption
algorithm
A key is required
to allow the
algorithm to
generate the
output
The decryption key is
dependent on the
encryption key. They
might even be the
same.
plain text
cipher
text
plain text
encryption
algorithm
decryption
algorithm
plain text
•
Public key
-
encryption is a two
-
way encryption system.
•
Every user has a private key (only they know)
•
Every user has a public key (everyone knows this key)
Danas public key
Danas private key
Jason creates and encrypts a message on
his computer. He encrypts the message
with Dana’s public key.
The cipher text can only be decrypted with Dana’s
private key. She receives the encrypted message
and decrypts it on her computer.
•
Message is created and sent from Jason's computer
–
Jason create the plaintext message
–
A program creates a digest of the plaintext message
–
Jason encrypts the digest using his own private key. This is the digital signature.
–
The plaintext message with signature is then encrypted with Dana’s public key.
•
Message is received, decrypted, authenticated by Dana’s computer
–
Dana decrypts the message with her private key.
–
A digest of the plaintext of the message is generated (using the same program
that Jason used).
–
The signature of the message is decrypted with Jason’s public key. This signature
is compared to the digest created above.
Based on CERT recommendations for computers connected to the Internet
use virus protection software and update frequently
keep software patched (both O.S. and apps)
open email attachments reluctantly
use software and hardware firewalls
backup critical data regularly
use strong passwords
use caution with downloads and installs
use file access controls and encryption
be wary about running untrusted programs
turn off computer when not in use
8 characters or more in length
no words in password
include capital & small letters, digits and special symbols
don’t
reuse them
don’t share authentication data
Enter the password to open this PDF file:
File name:
-
File size:
-
Title:
-
Author:
-
Subject:
-
Keywords:
-
Creation Date:
-
Modification Date:
-
Creator:
-
PDF Producer:
-
PDF Version:
-
Page Count:
-
Preparing document for printing…
0%
Σχόλια 0
Συνδεθείτε για να κοινοποιήσετε σχόλιο