Presentation On Basic Computer Security By: - Sachin Shaw RE3001A12
Basic Security - Outline • What is computer security ? • Core security concepts • Security concerns • Contributing factors • Basic security objective • Security Terms • Trends for 2011 • Security Components • Certification Authority
What is computer security? Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible and productive to its intended users
Core Security Concepts • Vulnerability, Exploit, Threat • Vulnerability – a weakness in some aspect of a system • Exploit – a known method for taking advantage of a vulnerability • Threat – the likelihood of some agent using an exploit to compromise security
Security Concerns • Unauthorized access to resources. • Masquerade as authorized user or end system. • E-mail forgery. • Malicious attacks. • Monitoring and capture of network traffic. • Exploitation of software bugs.
Contributing Factors • Increased Internet use: • Home broadband, • Greater coverage (wired and wireless): • More ubiquitous on-line use: • Education, • Business, • Games, • Shopping… • Lack of awareness of threats and risks. • Wide-open network policies. • Unencrypted network traffic. • Complexity of security measurements and administration. • Software bugs. • Availability of cracking tools .
Basic Security Objectives • Confidentiality: prevent/detect/deter improper disclosure of information. • Integrity: prevent/detect/deter improper modification of information. • Availability: prevent/detect/deter improper denial of access to services.
Security Terms Authentication: • The process by which a person or other entity proves that it is who (or what) it says it is. • Want to authenticate the person or entity that you are dealing before transferring something valuable, such as information or money, to or from, it. • Authentication is achieved by presenting some uniqueidentifying entity to the endpoint that is undertaking the process: • An example of this process is the way you authenticate yourself with an ATM: here you insert your bank card (something you have) and enter your personal identification number (PIN, something you know).
Identification • Being able to identify yourself to a computer is absolutely essential: • ATM, e-banking, • Access to e-mail, computer accounts, • Access to personal information (e.g., staff or student portal). Non-computer identification • Bank teller knows you by sight (good). • Bank teller checks your picture against a photo ID (dodgy). • Bank back office compares cheque signature to one on record (dodgy).
Computer Identification • How we identify a human to a computer? • Username/Passwords (common), • Token, e.g. ATM card, • Cryptographic protocols, • Combinations, e.g. token and password, • Biometrics, e.g. face recognition, finger prints, and retina/iris scans.
Passwords • Most common identification technique: • Variants: such as “PIN” (number), memorable date, mothers maiden name. • Problem: we are not well-suited to remembering passwords: • Especially rarely used ones, • We can also confuse passwords used in similar contexts.
Vulnerabilities • Users reveal passwords to outsiders. • Users reuse passwords. • Users choose “easy to guess” passwords. • Password observed on entry. • Password obtained from system files. Biometric identification • Passwords are pretty useless at identifying people. • Can we identify them by their properties? • Face, handwriting, retina, DNA, voice, signature, fingerprint… • “How humans identify other humans”.
Other issues • Cost: • Voice recognition is cheap, • Eye (iris) scanning is expensive. • User comfort: • Face recognition is nice (look into camera), • DNA matching is not (blood/skin sample). • Theoretical accuracy: • Iris is unique (determined while an embryo), • DNA is shared by identical twins, • Voice can be imitated. • Excluded population: • Voice does not work on mute people, • Fingerprints do not work on amputees, • DNA works on everyone! • Variability: • Dirty fingers, or sick (cold) for voice.
Security Terms Integrity: • This is the assurance that the data has not changed since it was written: • e.g., prevent a potential intruder-in-the-middle from changing messages. • Data integrity can be checked using: • A check-sum, which is a simple error-detection scheme where each transmitted message is accompanied by a numerical value based on the number of set bits in the message: • Checked by the receiving station - if different the receiver can assume that the message has been garbled. • Hash functions, any one-way function that reduces variable sized data to a fixed length “hash code”: • If the hashes of two documents differ, then the documents differ.
Security Terms Confidentiality: • This is the act of ensuring no one but authorised parties (who know some secret) can understand the data. • There are two mechanisms used to ensure data confidentiality, the more common encryption, and steganography: • With encryption an algorithm or function (encrypt) that transforms plain text to cypher text where the meaning is hidden, but which can be restored to the original plain text by another algorithm (decrypt). • Steganography, on the other hand is where a message is hidden in another message or image: • It is used when it is necessary to conceal the fact that a secret message is being transmitted.
Trends for 2011 • Malware, worms, and Trojan horses • spread by email, instant messaging, malicious or infected websites • Botnets and zombies • improving their encryption capabilities, more difficult to detect • Scare ware – fake/rogue security software • Attacks on client-side software • browsers, media players, PDF readers, etc. • Ransom attacks • malware encrypts hard drives, or DDOS attack • Social network attacks • Users’ trust in online friends makes these networks a prime target. • Cloud Computing - growing use will make this a prime target for attack. • Web Applications - developed with inadequate security controls • Budget cuts - problem for security personnel and a boon to cyber criminals.
Security Components Encryption and Decryption: • Encryption is the conversion of data into a form, called a ciphertext, which cannot be easily understood by unauthorised entities. • Decryption is the process of converting encrypted data back into its original form, so it can be understood. • Most security technologies rely, to some degree, on encryption of text or data: • For example, encryption is used in the creation of certificates and digital signatures, for the secure storage of secrets or transport of information. • Encryption can be anything from a simple process of substituting one character for another, in which case the key is the substitution rule, to some complex mathematical algorithm.
Security Components Encryption and Decryption: • We assume that the more difficult it is to decrypt the cipher text, the better. • Trade-off - if the algorithm is too complex and it takes too long to use, or requires keys that are too large to store easily, it becomes impractical to use: • Need a balance between the strength of the encryption; that is, how difficult it is for someone to discover the algorithm and the key, and ease of use. • There are two main types of encryption in use for computer security, referred to as symmetric and asymmetric key encryption.
Certification Authority • CAs issue digital certificates after verifying that a public key belongs to a certain owner: • Driving licenses, identification cards and fingerprints are examples of documentation required. • Some examples of CAs are: