Lesson 4-General Security Concepts



  1. Lesson 4-General Security Concepts

  2. Background
  • The operational model of computer security acknowledges that absolute protection of PCs and networks is not possible.
  • A security awareness program should be in place, as technology alone will not solve the problem. The policy should include:
    • Malware and passwords
    • Workstation security
    • Destruction of sensitive materials
    • Systematic removal of accesses
    • Laptops
    • Piggybacking and tailgating
    • Social engineers
    • Back up your data
    • Security incidents

  3. Password
  • Organizations have instituted additional policies and rules relating to password selection to complicate an attacker’s effort.
  • The following are password-related problems:
    • “Legacy” protocols are clear text: FTP, Telnet, POP, etc.
    • Password length totally ineffective
    • Most mail credentials = LAN credentials
    • “Sniffing” LAN traffic is effortless
    • Any encryption can be cracked (if one has enough time; more on this later)

  4. Basic Rules for Password Protection
  Computer intruders rely on poor passwords to gain unauthorized access to a system or network.
  • Memorize passwords; do not write them down
  • Use different passwords for different functions
  • Use at least 8-10 characters, depending on OS
  • Use a mixture of uppercase and lowercase letters, numbers, and other characters
  • Change periodically
  • Should not consist of dictionary words
  • Should never contain the user id
  • Shouldn’t contain anything that is easily identified with the user

  5. Strong Password Creation Techniques
  • Easy to remember; difficult to recognize
  • Examples:
    • First letters of each word of a simple phrase (passphrase); add a number and punctuation: Asb4Mf?
    • Combine dissimilar words and place a number between them: Bad to the Bone – Bad2theB1
    • Substitute numbers for letters (not obvious numbers)
    • Don’t use pa55w0rd – these are obviously
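A password-rule checker, added here as an illustration and not part of the lesson's own material, that applies the slide 4 rules (minimum length, character mix, no user id, no dictionary word) together with the slide 5 caveat about obvious number-for-letter substitutions, so that pa55w0rd is judged as the word "password"; it also catches the word-plus-appended-digits pattern that the hybrid cracking method of slide 8 is built to guess. The COMMON_WORDS set is a constructed stand-in for a real word list, and the user id "jsmith" is an assumed sample value.

```python
import re
import string

# Constructed stand-in for a real word list (assumption: in practice load a full dictionary or cracking list).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey", "summer"}

# Undo the "obvious" number-for-letter substitutions slide 5 warns against, so pa55w0rd reads as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def alphabetic_core(text: str) -> str:
    """Keep only the letters, which is what a hybrid (word + appended digits) guess is built around."""
    return re.sub(r"[^a-z]", "", text)


def looks_like_dictionary_word(pw: str) -> bool:
    """True if the password is a listed word, either as typed (minus digits/punctuation) or once substitutions are undone."""
    lowered = pw.lower()
    candidates = {alphabetic_core(lowered), alphabetic_core(lowered.translate(LEET_MAP))}
    return any(c in COMMON_WORDS for c in candidates)


def check_password(pw: str, user_id: str = "", min_len: int = 8) -> list[str]:
    """Return the slide-4/5 rules the candidate violates; an empty list means it passes every check."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    if sum(classes) < 3:  # require at least three of the four character classes
        problems.append("needs a mix of uppercase, lowercase, numbers and other characters")
    if user_id and user_id.lower() in pw.lower():
        problems.append("contains the user id")
    if looks_like_dictionary_word(pw):
        problems.append("is a dictionary word, possibly with obvious substitutions or appended digits")
    return problems


if __name__ == "__main__":
    # Sample candidates taken from the slides plus two constructed ones; "jsmith" is an assumed user id.
    for candidate in ("pa55w0rd", "Welcome2024!", "Bad2theB1", "Asb4Mf?"):
        verdict = check_password(candidate, user_id="jsmith")
        print(f"{candidate:14} {'OK' if not verdict else '; '.join(verdict)}")
```

Running it shows that the slide's own passphrase example Asb4Mf? is seven characters and so fails the slide 4 length rule, while Bad2theB1 passes every check.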

  6. Passwords
  • Here's what I do ... I come up with the WORD ... some word I can remember without writing it down ... and I come up with a way to capture a few characters related to the site that needs a password ... perhaps their initials, perhaps the first few letters of the name of the company ... then I combine the WORD with the RULE based on that company ... now I have a unique password for that place, and it does not have to be written down ... all I need to remember is the WORD and the RULE ... and from time to time I redo my passwords with a new WORD.

  7. Techniques to Use Multiple Passwords
  • Group Web sites or applications by appropriate level of security
  • Use a different password for each group, e.g. newsgroups
  • Different passwords for each critical group, such as financial
  • Another method: cycle more complex passwords down the groups, from most sensitive to least

  8. Password Auditing / Cracking
  • Read section 3.4 of the NIST document.
  • Dictionary (word lists): relies on speed and guile
  • Brute force: relies purely on power and repetition, but slow
  • Hybrid: combination of dictionary and brute force
  • L0phtCrack (Windows, hybrid)
  • John the Ripper (Unix)
  • Linux NT Password Recovery (linnt)
  • Linux single user mode

  9. Human Attacks
  • Piggybacking or tailgating is the tactic of closely following a person who has just used an access card or PIN to gain physical access to a room or building.
  • Shoulder surfing is a procedure in which attackers position themselves to observe the authorized user entering the correct access code.
  • Dumpster diving
  • Installing unauthorized hardware and software
  • Access by non-employees
  • Social engineering
  • Reverse social engineering

  10. Access by Non-employees
  • One should examine who has legitimate access to a facility.
  • Many organizations require employees to wear identification badges at work. Easy to implement and may be a deterrent to unauthorized individuals.
  • Employees should challenge individuals not wearing identification badges.
  • Contractors, consultants, and partners may frequently not only have physical access to the facility but also have network access.
  • Nighttime custodial crewmembers and security guards have unrestricted access to the facility when no one is around.

  11. Social Engineering
  • Using social engineering, the attacker deceives to:
    • Obtain privileged information.
    • Convince the target to do something that they normally would not.
  • Social engineering is successful for two reasons:
    • The first is the basic human nature to be helpful.
    • The second reason is that individuals normally seek to avoid confrontation and trouble.
  • A variation on social engineering: forged mail or a bogus web site allows indirect contact between target and attacker.
  • Insiders may also attempt to gain unauthorized information, and they can better spin a story that may be believable to other employees.

  12. Stanley Mark Rifkin (1978)
  • In 1978, when Stanley Mark Rifkin stole $10.2 million from the Security Pacific Bank in Los Angeles:
    • He was working as a computer consultant for the bank.
    • He learned details on how money could easily be transferred to accounts anywhere in the United States.
    • He transferred the money to another account in Switzerland under a different name.
    • The crime might have gone undetected if he had not boasted of his exploits to an individual.

  13. Stopping Social Engineering
  • The most effective means to stop social engineering is through the training and education of users, administrators, and security personnel.
  • To stop social engineering, employees should:
    • Recognize the type of information that should be protected.
    • Recognize how seemingly unimportant information may be combined with other information to divulge sensitive information (also known as data aggregation).
  • http://www.crime-research.org/library/Razum2.htm

  14. Reverse Social Engineering
  • Reverse social engineering: the attacker hopes to convince the target to initiate the contact.
  • Methods of convincing the target to make the initial contact include:
    • Sending out a spoofed e-mail claiming to be from a reputable source that provides another e-mail address or phone number to call for “tech support.”
    • Posting a notice or creating a bogus Web site for a legitimate company that also claims to provide “tech support.”
  • According to Methods of Hacking: Social Engineering, a paper by Rick Nelson, the three parts of reverse social engineering attacks are sabotage, advertising, and assisting. The hacker sabotages a network, causing a problem to arise. That hacker then advertises that he is the appropriate contact to fix the problem, and then, when he comes to fix the network problem, he requests certain bits of information from the employees and gets what he really came for. They never know it was a hacker, because their network problem goes away and everyone is happy.

  15. Individual User Responsibilities
  • Certain responsibilities that should be adopted by all users include:
    • Locking the door to the office or workspace.
    • Not leaving sensitive information unprotected inside the car.
    • Securing storage media containing sensitive information.
    • Shredding paper containing organizational information before discarding it.
    • Not divulging sensitive information to unauthorized individuals.
    • Not discussing sensitive information with family members.
    • Protecting laptops that contain sensitive or important organization information.
    • Being aware of who is around when discussing sensitive corporate information.
    • Enforcing corporate access control procedures.
    • Being aware of the procedures to report suspected or actual violations of security policies.
    • Enforcing good password security practices, which all employees should follow.
    • Cultivating an environment of trust in the office and an understanding of the importance of security.
