Protecting your data.

utterlypanoramicSecurity

Nov 30, 2013 (3 years and 10 months ago)

77 views

Protecting your data.

http://www.flickr.com/photos/photobunny_earl/2625899895/sizes/z/in/photostream/


security
system


a set of actions taken, or put in place, to prevent adverse
consequences


asset


an entity the security system is designed to
protect


attacker


someone who intentionally attempts to violate
security


threat


the possibility of a successful
attack


vulnerability


a weakness in the security
system


mitigation


something
that corrects
vulnerabilities

Vulnerabilities

weaknesses in the operating system

flaws in application software

user ignorance

server software flaws


User


Attacker

weaknesses in network protocols

Lack of “flood control”


LAN


shoddy network configuration

Server

Foundations of Information
Security


Integrity

Confidentiality

Availability


Two kinds of integrity


Data integrity: data has not been corrupted


Owner integrity: data owner (source) is correct


Attacks on Integrity include:


viruses/worms:


a computer program that is part of data that you download
or install. The program is installed without your knowledge.


You didn't expect these programs to be present


Spoofing:


one person/device impersonates another


Confidential information is not disclosed to
unauthorized persons, processes or devices.


Attacks against confidentiality:


Shoulder surfing:


peeking at things others consider private


Phishing:


A web site or email that asks you for confidential data.


Network sniffing:


examining someone else's network transmissions.


Even if your data maintains confidentiality and integrity; it
may still lack 'security'.


Data must be available in a timely fashion to authorized
users.


Attacks on availability:


Denial of Services (
DoS
):


Unauthorized users attempt to access so much information that
authorized users cannot access their information.


Spam can be considered a
DoS

attack. So much spam is sent that
legitimate information is often overlooked or inadvertently tagged
as spam.


Security
requires confidentiality.


Must be able to identify ‘things’


You can say something confidential to your friend.


How do you know if it is really your friend on the other end of
the 'chat' or phone or text
-
message?


Authentication is the process of validating
identity.


Authentication can be done by:


passwords


smart cards or tokens


biometrics


retinal scan


fingerprint


voice recognition


facial recognition


palm print


DNA


typing rhythm


gait



Four factors can be used to authenticate

1.
Something you know

2.
Something you possess

3.
Something you
are

4.
Somewhere you are



2
-
Factor authentication


Any system that involves 2 of the four factors



Which factors are involved for the following systems?


passwords


Using an ATM


smart cards or tokens


biometrics


credit card




Authentication leads to authorization


Authorization grants certain rights:


Right to read a file


Right to create a file


Right to execute a program


Right to withdraw money from an account


Right to borrow money





In a computing system the rights are classified as either


read


write


own


execute


Encryption mitigates threats by mitigating


owner integrity


confidentiality



Consider the case where a hacker gains access to a file that you
own.


The hacker can see all the bits in the file


The hacker can
understand

the bits if the bits are ‘plaintext’
(plaintext files are understandable by anyone)


The hacker
cannot understand
the bits if the bits are
encrypted
.



Encryption
: the process
of encoding messages
in
such a way
that
hackers
cannot
understand it
, but that authorized parties
can.

cipher text

plain text

encryption algorithm

The cipher text can not
be understood by
anyone!

Is one
-
way encryption useful?

password

encryption algorithm

Is one
-
way encryption useful?

Sally

sally

|
zy
#!(
kdbh

password

Sally

Compare

Create/Update

password

Authenticate

encryption algorithm

cipher
text

plain text

encryption
algorithm

decryption
algorithm

A key is required
to allow the
algorithm to
generate the
output

The decryption key is
dependent on the
encryption key. They
might even be the
same.

plain text

cipher
text

plain text

encryption
algorithm

decryption
algorithm

plain text


Public key
-
encryption is a two
-
way encryption system.


Every user has a private key (only they know)


Every user has a public key (everyone knows this key)

Danas public key

Danas private key

Jason creates and encrypts a message on
his computer. He encrypts the message
with Dana’s public key.

The cipher text can only be decrypted with Dana’s
private key. She receives the encrypted message
and decrypts it on her computer.


Message is created and sent from Jason's computer


Jason create the plaintext message


A program creates a digest of the plaintext message


Jason encrypts the digest using his own private key. This is the digital signature.


The plaintext message with signature is then encrypted with Dana’s public key.




Message is received, decrypted, authenticated by Dana’s computer


Dana decrypts the message with her private key.


A digest of the plaintext of the message is generated (using the same program
that Jason used).


The signature of the message is decrypted with Jason’s public key. This signature
is compared to the digest created above.

Based on CERT recommendations for computers connected to the Internet



use virus protection software and update frequently



keep software patched (both O.S. and apps)



open email attachments reluctantly



use software and hardware firewalls



backup critical data regularly



use strong passwords



use caution with downloads and installs



use file access controls and encryption



be wary about running untrusted programs



turn off computer when not in use

8 characters or more in length

no words in password

include capital & small letters, digits and special symbols

don’t
reuse them



don’t share authentication data