security
Download
Skip this Video
Download Presentation
Security

Loading in 2 Seconds...

play fullscreen
1 / 28

Security - PowerPoint PPT Presentation


  • 80 Views
  • Uploaded on

Security. Lecture 11, May 14, 2003 Mr. Greg Vogl Data Communications and Networks Uganda Martyrs University. Sources. Networks 1999, Ch. 9 and Appendix A Computers in Your Future modules 10B, C Burgess Section 8 Solomon Parts 12, 13 Ritchie Ch. 14. Overview. Problems and causes

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Security' - mohawk


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
security

Security

Lecture 11, May 14, 2003

Mr. Greg Vogl

Data Communications and Networks

Uganda Martyrs University

sources
Sources
  • Networks 1999, Ch. 9 and Appendix A
  • Computers in Your Future modules 10B, C
  • Burgess Section 8
  • Solomon Parts 12, 13
  • Ritchie Ch. 14

Data Communications and Networks: Lecture 11: Security

overview
Overview
  • Problems and causes
    • Threats, attackers, responsible people
  • Prevention and recovery
    • Physical security, software security, viruses
    • Data security, long-term storage and retrieval
    • Disaster recovery
    • Human security
    • Authentication and passwords
    • Encryption

Data Communications and Networks: Lecture 11: Security

threats damages and costs
Threats, damages and costs
  • Natural disaster (e.g. flood, fire, lightning)
  • Deliberate sabotage/vandalism (e.g. viruses)
  • Damaged or stolen hardware
  • Damaged/deleted/leaked data/information
  • Net downtime/overload; use of staff time
  • Lost privacy, confidentiality; public safety
  • Reputation/appearance of no security/safety

Data Communications and Networks: Lecture 11: Security

categories of threats
Categories of threats
  • Unauthorised disclosure
    • Viewing information with no rights to see
  • Unauthorised updates
    • Making changes with no rights to change
  • Denial of service
    • Interference with legitimate user access

Data Communications and Networks: Lecture 11: Security

attackers and their motives
Attackers and their motives
  • Hobbyists: crackers, virus authors, thieves
    • Challenge, ego, financial gain
  • Employees: terminated, disgruntled, corrupt
    • Financial gain, organisational harm/revenge
  • Corporate spies: competitors
    • Market competition
  • Information terrorists
    • Harm state governments

Data Communications and Networks: Lecture 11: Security

types of attacks
Types of attacks
  • Cracking programs: try passwords
  • Eavesdropping: watching users, wiretapping
  • Spoofing: pretending to be a client or server

Data Communications and Networks: Lecture 11: Security

who is responsible for security
Who is responsible for security?
  • Managers
    • Design general policies
  • System designers
    • Create mechanisms to enforce specific policies
  • System administrators
    • Design and enforce specific policies
  • Users
    • Adhere to general and specific policies

Data Communications and Networks: Lecture 11: Security

physical security
Physical security
  • Equipment protection, protective equipment
    • Door locks, burglar bars, armed guards
    • Dust, AC, surge protector, UPS, standby power
    • Alarms: temperature, burglar
  • Physically separate equipment, data
    • secure and non-secure
  • Investment appropriate to nature of business

Data Communications and Networks: Lecture 11: Security

software security
Software security
  • File and directory access control (rwx)
  • Network services can be security loopholes
    • E.g. finger, sendmail, remote login, dial-up
    • Use tools to log & audit use of existing services
    • Disable or turn off all unused network services
  • Use firewall software e.g. ZoneAlarm
  • Use loophole detection tools e.g. SATAN

Data Communications and Networks: Lecture 11: Security

secure software design principles
Secure software design principles
  • Public design
    • No secret algorithms; weaknesses revealed
  • Default = no access
    • Minimum privileges; add only when needed
  • Timely checks
    • Security of passwords “wear out” over time
  • Simple, uniform mechanisms
  • Appropriate levels of security

Data Communications and Networks: Lecture 11: Security

viruses
Viruses
  • Malicious self-replicating program
    • infects programs with copies of itself
    • spread by running programs
  • Types: boot sector, program, macro
    • variations: worm, Trojan horse, time bomb
  • Locations: memory/files, programs/data
  • Transmission methods
    • Floppies, installing software, downloads, email

Data Communications and Networks: Lecture 11: Security

virus prevention and recovery
Virus prevention and recovery
  • Install anti-virus software on all computers
    • Schedule automatic virus scans
    • Keep active auto-protect features enabled
    • Keep virus software and definitions updated
    • Repair, quarantine or delete infected files
  • Educate users about viruses
    • Causes, prevention, removal
    • Specific, current, serious threats

Data Communications and Networks: Lecture 11: Security

data security
Data security
  • Backups and archiving
  • Antivirus software
  • Encryption of sensitive information
  • Disposal of obsolete, sensitive information
    • Erase (possibly reformat) disks
    • Shred paper documents

Data Communications and Networks: Lecture 11: Security

long term storage and retrieval
Long-term storage and retrieval
  • Daily backups (and possibly mirroring)
  • Document info removal/purge procedures
  • Test equipment & procedures for restoration
  • Keep storage media physically secure
    • Store backup copies at remote locations

Data Communications and Networks: Lecture 11: Security

disaster recovery preparation
Disaster recovery preparation
  • Create a disaster recovery plan
    • Discuss, document, communicate, test
  • List and categorise possible disasters
    • Minor, major, catastrophic
  • Prepare for these disasters
    • Minimum: backup, inventory, net docs
    • Spares, maintenance contracts, recovery site
    • Research user needs/tolerances

Data Communications and Networks: Lecture 11: Security

human security
Human security
  • Educate users, receptionists, “gatekeepers”
  • Encourage securing passwords, accounts
  • Be careful when giving out information
    • “Helpful” employees may leak important info
    • Know who has rights to what info
    • Be aware of threats and ask questions first
    • Background checks, ID cards/badges

Data Communications and Networks: Lecture 11: Security

authentication
Authentication
  • Permit access to authorised users
    • Username/password combination is valid
  • Deny access to unauthorised users
    • Display error message “invalid login”
  • Regulate/authorise user actions after login
    • E.g. read/write/execute access to files/folders

Data Communications and Networks: Lecture 11: Security

access terminology
Access terminology
  • Objects (what to access)
    • Hardware, software (files, databases, processes)
  • Principals (users, owners of objects)
    • People, groups, projects, roles (admin)
  • Rights (permissions to use operations)
    • Read, write, update, delete, execute, etc.
  • Domains (set of rights; location of objects)

Data Communications and Networks: Lecture 11: Security

access matrix
Access matrix

Data Communications and Networks: Lecture 11: Security

secure passwords
Secure passwords
  • Not crackable (blank, short, words, names)
  • Not guessable (phone, birthdate, username)
  • Not written down
    • Except admin passwords kept physically secure
  • Use numbers, symbols, mix case
  • Memorable (so no need to write down)

Data Communications and Networks: Lecture 11: Security

account security
Account security
  • Require users to change password regularly
  • Log password attempts, limit no. of failures
  • Run crack programs to find poor passwords
  • Audit account status and usage regularly
  • Delete or disable accounts when people go
  • Archive and safeguard old account data

Data Communications and Networks: Lecture 11: Security

encryption
Encryption
  • The sender encrypts (encodes) a message
    • Substitute unreadable data, apparently nonsense
  • Only some receivers can decrypt/decode it
    • Translate coded data into readable data
  • Coding and decoding require using keys
    • Encoding/decoding algorithms plus secret text
  • Encryption only useful if the key is secure
    • Anyone who intercepts the key can decrypt

Data Communications and Networks: Lecture 11: Security

password file
Password file
  • User-readable file, but passwords encrypted
    • /etc/passwd in older UNIX; now /etc/shadow
  • Data Encryption Standard (DES)
    • One-way algorithm: key + password  code
    • Encrypt password attempt, compare with code
    • If two codes match, login is valid, else not
    • System holds key; passwords never revealed
  • Powerful computers can crack passwords
    • A 56 bit key is unsafe; 128 bits is reasonable

Data Communications and Networks: Lecture 11: Security

public key encryption pke
Public Key Encryption (PKE)
  • Receiver announces his/her public key
  • Sender encrypts a message with public key
  • Receiver decrypts using his/her private key
  • No danger of private key being intercepted
  • Enables criminals to communicate secretly
    • Governments need access to combat crime
    • Key escrow/recovery allows access to some

Data Communications and Networks: Lecture 11: Security

rsa public key encryption
RSA public key encryption
  • Choose two large prime numbers p and q
  • Choose e relatively prime to (p-1)(q-1)
    • They have no common divisors
  • Calculate d such that ed = 1 mod (p-1)(q-1)
  • Calculate n = pq
  • Public key is (n, e); private key is d
  • p and q must be kept secret
  • Long computation to decrypt by factoring n

Data Communications and Networks: Lecture 11: Security

encryption in windows
Encryption in Windows
  • Many programs can password protect files
    • E.g. Word, Excel, Access, WinZip
  • Windows NTFS can encrypt files, folders
    • Right-click, Properties, General, Advanced
  • E-mail and web pages can be encrypted
    • Passwords, messages, attachments
  • Microsoft Point to Point Encryption
    • Point to Point Tunneling Protocol for PPP

Data Communications and Networks: Lecture 11: Security

some other uses of encryption
Some other uses of encryption
  • Authentication, confidentiality, integrity, non-repudiation
  • Pretty Good Privacy
    • High security free 128-bit RSA PKE algorithm
  • Secure Sockets Layer
    • Secure electronic financial Web transactions
  • Secure HTTP (HTTPS) and .shtml files
    • Digital IDs, signatures, certificates

Data Communications and Networks: Lecture 11: Security

ad