
Understanding Information System Security: Concepts, Tools, and Mechanisms
Explore the essential concepts and tools related to information system security, covering topics such as authentication, authorization, confidentiality, and integrity. Learn about different security mechanisms to protect information systems effectively.
Presentation Transcript
Computer Science and Cyber
by Cong Wang, PhD
Department of Computer Science, Old Dominion University
THIS MATERIAL IS BASED UPON WORK SUPPORTED BY THE NATIONAL SCIENCE FOUNDATION UNDER GRANT NO. 1723635.
Module Objective
- Identify and explain concepts and tools around information system security
- Learn and get familiar with security terminology
- Explain existing and emerging mechanisms to protect information systems
Security Topics
- Authentication
- Authorization
- Confidentiality
- Integrity
- Firewall
- Virtual Private Network
Authentication
Verification of the identity of a user or machine: that a person is who they claim to be.
Where it is used: Internet, bank, smartphone, home camera
How to authenticate:
- What you know? Password/PIN
- What you have? Access card (RFID) or other physical devices
- Who you are? Biometrics such as fingerprints/face/iris
Password Authentication
Basic idea:
- User has the secret password
- System authenticates the user by matching the password
Primary issue: how is the password stored, and how is it made hard to guess?
[Figure: a password such as "1978-09-27" goes through a hash function before being written to the password file, which holds hashes like "dsafsda" and "dghfads" instead of the plaintext]
- Use a hash function: one-way, irreversible
Password Authentication
Hash function: a one-way function. Easy to compute h(passwd) = hash; hard to compute h^-1(hash) = passwd.
- User's password is stored as h(passwd)
- System computes h(passwd) and compares it with the stored hash
- The password itself is not stored on disk
Brute-force attack / dictionary attack:
- Easy-to-memorize passwords (names, birthdays, etc.) can be cracked within hours offline
Security enhancement: use a random password (reduces usability; a random password is hard to memorize)
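The store-h(passwd)-and-compare flow from the two slides above, as an added example (not the lecture's code): an unsalted fast hash audited against a small constructed wordlist shows why a birthday password falls to an offline dictionary check, and the hardened variant goes beyond the slide by adding a random salt and a slow PBKDF2 derivation so each guess costs real work. The wordlist and the `pbkdf2_sha256$...` record format are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

def unsalted_hash(password: str) -> str:
    """h(passwd) exactly as on the slide: one fast, one-way hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Hardened variant (added here, not on the slide): random salt plus a slow
    PBKDF2 digest. Only this record reaches the password file, never the plaintext.
    Record format is an assumption of this example: algo$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """The system recomputes h(passwd) with the stored salt and iteration count
    and compares it with the stored digest in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

# Constructed stand-in for a dictionary of easy-to-memorize passwords.
WORDLIST = ["password", "letmein", "alice1990", "1978-09-27", "qwerty"]

def dictionary_audit(stored_hash: str, wordlist=WORDLIST) -> Optional[str]:
    """Defender's audit of an unsalted hash: because h() is fast and unsalted,
    every dictionary word can be hashed and compared offline. Returns the
    matching word, or None if the password is not in the list."""
    for word in wordlist:
        if unsalted_hash(word) == stored_hash:
            return word
    return None

if __name__ == "__main__":
    weak = unsalted_hash("1978-09-27")                  # the slide's birthday password
    print("dictionary hit:", dictionary_audit(weak))    # 1978-09-27
    record = hash_password("1978-09-27")
    print("verify ok:", verify_password("1978-09-27", record))   # True
    print("verify bad:", verify_password("1978-09-28", record))  # False
```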
Attacks on Mobile Passcode
- Mobile phones adopt a passcode to authenticate the user
- Passcode
- Swipe/pattern locks
- Shoulder-surfing attacks
- Smudge attacks
- Advanced attacks
Physical Devices (What you have)
Physical devices to authenticate users:
- eToken
  - Data physically protected on the device itself
  - On the client side, the token is accessed via a password
  - Successful client-side authentication with the password invokes the token to produce a stored or generated passcode, which is sent to the server side for authentication
- Smart cards
- RFID
Issues: devices can be stolen; replay attacks
Biometric (Who you are)
Use of a biometric reading to confirm that a person is who he/she claims to be: a recording of some physical or behavioral attribute of a person.
- Physical biometrics: fingerprints, iris, hand geometry, face, retina, palm print, DNA
- Behavioral biometrics: signature, voice, keystroke, gait
Legal issues with biometric attributes: centralized collection and storage of private biometric attributes raise legal concerns.
2-factor Authentication
Requires 2 out of 3 of:
1. Something you know
2. Something you have
3. Something you are
Examples:
- ATM: card and PIN
- Credit card: card and signature
- Password generator: device and PIN
- Smartcard with password/PIN
Authorization
Are you allowed to do that?
- Restrictions on the actions of authenticated users
- A form of access control
- Simple: Read, Write
- e.g. Access Control Matrix: good for file systems, not scalable
[Figure: access control matrix with subjects alice, bob, charlie and dave as rows and objects A, B, C and D as columns; each cell holds r, r/w or - (no access)]
Objectives of Information Security
- Confidentiality: prevents unauthorized use or disclosure of information
- Integrity: safeguards the accuracy and completeness of information
- Availability: authorized users have reliable and timely access to information
Confidentiality
- Confidentiality ensures that computer-related assets are accessed only by authorized parties.
- Only those who should have access to something will actually get that access.
- Access means not only reading but includes viewing, printing, or simply knowing that a particular asset exists.
- Also sometimes known as secrecy or privacy.
Threats
- Access to confidential information by any unauthorized person
- Intercepted data transfers
- Physical loss of data
- Privileged access to confidential information by employees
- Social-engineering methods to gain confidential information
- Unauthorized access to physical records
- Transfer of confidential information to unauthorized third parties
- Compromised machine where the attacker is able to access data thought to be secure
Examples
- Scheduling information regarding national-level speakers/sensitive private meetings: highly restricted
- Concerns over leaks via IT from opposition groups within the national organization
- Financial losses due to loss of trade secrets
- Leaking private data
Examples?
Encryption
When to use: any time you wouldn't want anyone/everyone to see what you're doing
- Financial transactions
- Personal e-mails
- Anything confidential
Various solutions: PGP, S/MIME, PKI, OpenVPN, SSH, SFTP, etc.
Drawbacks/difficulties:
- May not be allowed
- Not always user friendly
- Not what users are used to
Debate: terrorists may encrypt messages that not even the NSA can decrypt.
Case: Should Apple help the FBI crack the terrorist's iPhone?
Symmetric Encryption
- Plaintext
- Encryption algorithm
- Secret key (known to sender and receiver)
- Ciphertext
- Decryption algorithm
Cryptos: DES, 3DES, RC5, AES
[Figure: plaintext message -> encryption algorithm (secret key) -> transmitted ciphertext -> decryption algorithm (same secret key) -> plaintext message]
Asymmetric Encryption
Symmetric (private/secret/single-key) cryptography uses one key:
- The key is shared by both sender and receiver
- If the key is disclosed, communications are compromised
- Also known as symmetric because both parties are equal; hence it does not protect the sender from the receiver forging a message and claiming it was sent by the sender
Public Key Cryptography
- Most significant advance in the 3000-year history of cryptography
- Two keys: a public key and a private key
- Asymmetric, since the parties are not equal
- Clever application of number-theory concepts to function
- Public key: may be known by anybody; used to encrypt messages and verify signatures
- Private key: known only to the recipient; used to decrypt messages and sign (create) signatures
- Those who encrypt messages or verify signatures cannot decrypt messages or create signatures
Classic crypto scheme: RSA
RSA Security
Approaches to attacking RSA:
- Brute-force key search (infeasible given the size of the numbers)
- Mathematical attacks (attempt to factor the modulus N)
- Timing attacks (on the running time of decryption)
Availability
- Hackers interrupt service availability via Denial of Service (DoS) attacks: using up resources and/or bandwidth of a server in a malicious way to prevent legitimate users from accessing its services.
- A DoS attack carried out using a large number of compromised systems (a botnet) improves its potency and reduces traceability of the originator.
- Ways: TCP SYN flood, Ping of Death.
- Distributed Denial of Service (DDoS) attack: use hundreds of thousands of botnet hosts to overwhelm a service and make it unavailable.
- Detection: Internet traffic, IP access lists, CPU utilization.
DDoS Attacks (IoT)
- Internet of Things: emerging technology, massive deployment, cheaply made, fixed firmware (no updates). Easy target to exploit and launch DDoS attacks.
- The Mirai DDoS attack in 2016 brought down several ISPs on the U.S. east coast.
- Devices infected by Mirai look for other IoT devices
- Identify devices with factory-default usernames and passwords (people don't usually change the password on IoT devices)
- Infect them with the Mirai malware
Network Attacks
Common types of networking attacks:
[Figure: chart of common networking attack types; source: McAfee Labs]
Browser Attack
- Most common attack
- Trick Internet users into downloading malware (disguised as software or an update)
- Man-in-the-browser
  - Uses a trojan horse to infect the browser through its vulnerabilities
  - Can be detected/removed by anti-virus software
  - 23% success rate for Zeus in 2009
  - Some well-known malware: Zeus, URLZone, and others
Man-in-the-Browser
- The term was coined in 2005.
- Utilizes common features provided by browsers, such as IE's Browser Helper Objects (DLLs loaded upon startup), browser extensions, API hooking, and JavaScript
- Zeus: trojan horse for stealing banking information via keystroke logging and form grabbing (grab the form before it reaches the intended web server)
- Tricks victims with tech support scams: claims the user has a virus (makes use of the command prompt/event viewer to make users believe it)
Tech support scam
CryptoJacking
- Use the victim's computer to mine cryptocurrencies using JavaScript
- Hard to defend against; spread all over the world when Bitcoin peaked in Dec. 2017
Port-scanning
- Hostile searches over the Internet for open ports through which an attacker can gain access
- Used by attackers before the attack: the intruder sends a message to a port and waits for a response from the port
- Helps identify the OS and vulnerabilities
- Collect zombies/botnets for DDoS or sell them for profit
[Figure: scan-result screenshot; legible fragments read "MS 3389", "Exploit", "XP Service Pack"]
DNS Spoofing
- DNS cache poisoning (URL -> IP address): corrupt the DNS cache and return an incorrect IP address
- Redirects the traffic to the attacker's server
- DNS uses a cache for fast performance
- Attackers use exploits in DNS software
- The redirected website hosts worms/viruses/phishing
Spoofing Attack
The attacker masquerades as the victim by falsifying data.
- IP spoofing: create a false source IP address to hide the identity of the sender
- MAC spoofing: MAC addresses are hard-coded by hardware, but some drivers allow the MAC to be changed; not illegal in itself
  - Aaron Swartz spoofed his MAC address and illegally accessed the JSTOR library (purposeful intent to commit a crime)
- Email address spoofing: used by spammers to hide their original email address
- GPS spoofing: broadcast incorrect GPS signals
  - Iran captured a drone, possibly using GPS spoofing
Phishing Attack
- Disguise as a trustworthy entity to gain the user's password/username/credit card/banking info
- Typical ways: email, instant message, ads, social web
Phishing techniques:
- Spear phishing (91%)
- Clone phishing: duplicate a previous email and replace the link inside
- Whaling: high-value targets (business executives); specially designed as business email
- Phone phishing: bank account frozen/IRS scam/crime
Example of Phishing Attack
Buffer overflow Attack
- A buffer overflow is common in programs when data exceeds the boundary of the buffer.
- The attacker tries to store too much information in an undersized receptacle; most exploits are based on buffer overflows.
  char *ptr = (char *) malloc(30);   /* valid indices are 0..29 */
  ptr[30] = 'd';                     /* writes one byte past the end of the buffer */
- Overflows the stack or heap
- Causes a crash/segfault/etc.
Intrusion Detection Systems (IDS)
- Software framework that monitors for malicious activities/policy violations
- Placed at strategic points to monitor network traffic
- Firewall (mostly outside) vs. IDS (also watches for attacks from inside)
Detection methods:
- Signature based: looking for (static) signatures of specific patterns/intrusion sequences produced by malware
- Anomaly based: detecting unknown attacks as traffic deviating from the normal traffic
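The two detection methods side by side, as an added example that is not part of the lecture: signature matching looks for fixed patterns in request payloads, while the anomaly detector learns a per-source half-open SYN baseline (the TCP SYN-flood indicator from the Availability slide) and flags sources that deviate from it. The log format, the two signature patterns and all records are constructed for this example.

```python
import re
import statistics
from collections import Counter

# Constructed connection records (not real traffic): "time src_ip dst_port flags payload".
BASELINE_LOG = [                     # learning window of normal traffic
    "09:00:01 10.0.0.5 80 SYN -",
    "09:00:01 10.0.0.5 80 ACK GET /index.html",
    "09:00:02 10.0.0.7 22 SYN -",
    "09:00:02 10.0.0.7 22 ACK ssh-banner",
    "09:00:03 10.0.0.9 80 SYN -",
    "09:00:03 10.0.0.9 80 SYN -",
    "09:00:04 10.0.0.9 80 ACK GET /about.html",
]
OBSERVED_LOG = [                     # window under inspection
    "10:00:01 10.0.0.5 80 SYN -",
    "10:00:01 10.0.0.5 80 ACK GET /index.html",
    "10:00:02 10.0.0.8 80 ACK GET /../../etc/passwd",
] + ["10:00:03 198.51.100.4 80 SYN -"] * 40   # SYNs never completed by an ACK

# Signature rules: static patterns of known attack traffic (constructed for this example).
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "shell metacharacters": re.compile(r"[;|`]"),
}

def parse(lines):
    events = []
    for line in lines:
        time, src, port, flags, payload = line.split(" ", 4)
        events.append({"time": time, "src": src, "port": int(port),
                       "flags": set(flags.split(",")), "payload": payload})
    return events

def signature_alerts(events):
    """Signature-based detection: report every payload matching a known pattern."""
    return [(name, e["src"]) for e in events
            for name, pat in SIGNATURES.items() if pat.search(e["payload"])]

def half_open_counts(events):
    """Per source: SYNs not balanced by an ACK from the same source."""
    syns, acks = Counter(), Counter()
    for e in events:
        if "SYN" in e["flags"]:
            syns[e["src"]] += 1
        if "ACK" in e["flags"]:
            acks[e["src"]] += 1
    return {src: max(0, syns[src] - acks[src]) for src in set(syns) | set(acks)}

def learn_threshold(baseline_events, floor=5):
    """Anomaly-based: normal = baseline mean + 3 standard deviations, never below floor."""
    counts = list(half_open_counts(baseline_events).values())
    if len(counts) < 2:
        return floor
    return max(floor, statistics.mean(counts) + 3 * statistics.pstdev(counts))

def anomaly_alerts(events, threshold):
    """Sources whose half-open SYN count deviates from the learned normal."""
    return [(src, n) for src, n in half_open_counts(events).items() if n > threshold]

if __name__ == "__main__":
    threshold = learn_threshold(parse(BASELINE_LOG))
    print("signature:", signature_alerts(parse(OBSERVED_LOG)))          # [('path traversal', '10.0.0.8')]
    print("anomaly:", anomaly_alerts(parse(OBSERVED_LOG), threshold))  # [('198.51.100.4', 40)]
```

The anomaly detector only catches the flood because the quiet source 10.0.0.8 never appears in the SYN counts; the traversal attempt in its single request is caught by the signature rule alone, which is why real deployments run both methods together.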
Firewall
- Sits between two networks
- Used to protect one from the other
- Places a bottleneck between the networks
  - All communications must pass through the bottleneck; this gives us a single point of control
Firewall Protection Methods
- Packet filtering: rejects TCP/IP packets from unauthorized hosts and/or connection attempts by unauthorized hosts
- Network Address Translation (NAT): translates the addresses of internal hosts so as to hide them from the outside world; also known as IP masquerading
- Proxy services: makes high-level, application-level connections to external hosts on behalf of internal hosts, to completely break the network connection between internal and external hosts
Additional services:
- Virus scanning: searches incoming data streams for virus signatures so they may be blocked
- Content filtering: allows blocking internal users from certain types of content
Firewall Deployment
This work was supported in part by the National Science Foundation under Grant CNS-0831823.
Risk: internal private network exposed to the external network
[Figure: network diagram; labels: Internal Private Network (servers, client, mail server), External Private Network, External Public Network (customer, hacker), Web Server, Firewall, Router]
DMZ
[Figure: network diagram; labels: Internal Private Network (servers, client), DMZ (web server, FTP server), External Public Network (customer, hacker), Router, Firewall]
Limitations of Firewall
- Many e-mail hacks: phishing, spoofed email
- Vulnerabilities in allowed application protocols, e.g. incoming HTTP requests to an IIS server
- Connection restrictions and usability: many users don't like the restrictions that firewalls place on them and will try to subvert those restrictions
VPN
- Used to connect two private networks via the Internet
- Provides an encrypted tunnel between the two private networks
- Usually cheaper than a private leased line, but should be studied on an individual basis
- Once established, and as long as the encryption remains secure, the VPN is impervious to exploitation
- For large organizations using VPNs to connect geographically diverse sites, always attempt to use the same ISP to get the best performance
  - Try to avoid having to go through small Mom-n-Pop ISPs, as they will tend to be real bottlenecks
VPN
- Many firewall products include VPN capabilities
- But most operating systems provide VPN capabilities
  - Windows NT provides a point-to-point tunneling protocol via the Remote Access server
- Encrypted authentication
- Many enterprises provide their employees VPN access from the Internet for work-at-home programs or for employees on the road