FIT3105 Security and Identity Management



  1. FIT3105 Security and Identity Management, Lecture 1

  2. Schedule
  • 1. Introduction to computer system security and identity management: software, hardware, data and users
  • 2. Cryptography for authentication and identification (2 lectures)
  • 3. Smart card based identification systems
  • 4. Biometric based identification systems
  • 5. Crypto-based identification systems
  • 6. Strong authentication for system components and mobile users
  • 7. Authentication and identity systems: design and implementation (2 lectures)
  • 9. Large scale identity systems: privacy, security and efficiency (2 lectures)
  • 11. Case studies and discussion
  • 12. Research in security and identification systems
  FIT3105 - Security and Identity Management

  3. Outline
  • Introduction to the subject
  • The method used to study this unit
  • The assessments and lab exercises
  • The exam format
  • The assignments and how to approach them
  • Introduction to security and identity management
  • The importance of authentication and identity management
  • Problems with many identity systems
  • Examples and possible solutions

  4. Assessments
  • Exam: 50%
  • Two assignments: 20% each
  • Lab exercises: 10%
  • You are required to attend all the lab sessions to be able to finish some parts of the assignments and most of the lab work.

  5. Why study security and identity management
  • Who has done bad things to your organisation using a computer?
  • Who should be allowed to access the bank's money?
  • Who should be allowed to see government documents?
  • Who are the people working at your organisation?
  • Who can use your computer network?
  • Who can listen to your network communications?

  6. [Diagram: Computer Security and Identity Management sits between the assets it protects and the parties that threaten them]
  • Assets: company's computer systems, Internet communications, database systems, etc.
  • Threat sources: government and private intelligence communities; internal threats (dishonest employees, software failures etc.); business partners (customers, competitors, suppliers, etc.); hackers, investigators, reporters etc.

  7. Vulnerabilities
  • Things that can go wrong without strong security and identity management:
    • hardware: interruption (denial of service), interception (theft)
    • software: interruption (deletion), interception (theft), modification
    • data: interruption (loss), interception (theft), modification and fabrication
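As an added illustration of the taxonomy on slide 7 (this is example code, not part of the lecture material): a small Python model of a data stream protected by a keyed integrity tag, run through each of the four threats on the "data" line. It shows which of them a keyed tag with sequence numbers catches and which it cannot. The shared key, sequence numbers and sample records are constructed for the example.

```python
"""Added example: modelling interruption, interception, modification and
fabrication of data, and checking which of them an HMAC tag plus a sequence
number detects.  Key and records are constructed for illustration."""
import hashlib
import hmac

SECRET_KEY = b"shared-key-between-sender-and-receiver"  # constructed for the example


def tag(key: bytes, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over (sequence number || payload).  Binding the sequence
    number into the tag makes a deleted or replayed message noticeable."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


class Receiver:
    """Verifies tags and tracks the next expected sequence number."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0

    def accept(self, seq: int, payload: bytes, t: bytes) -> str:
        # Modification or fabrication: the tag does not match what the key produces.
        if not hmac.compare_digest(tag(self.key, seq, payload), t):
            return "rejected: bad tag (modified or fabricated)"
        # Interruption (or replay/reorder): a message in the stream is missing.
        if seq != self.expected_seq:
            return f"rejected: expected seq {self.expected_seq}, got {seq} (interruption/replay)"
        self.expected_seq += 1
        return "accepted"


def run_scenarios() -> dict:
    """Send three constructed records through four attacker behaviours."""
    records = [b'{"acct":"1001","amount":50}',
               b'{"acct":"1001","amount":75}',
               b'{"acct":"1001","amount":20}']
    stream = [(i, p, tag(SECRET_KEY, i, p)) for i, p in enumerate(records)]
    results = {}

    # 1. Interception: the attacker copies every message.  The tag says nothing
    #    about confidentiality, so everything is accepted and the attacker still
    #    learned the contents.  Encryption, not a MAC, addresses this threat.
    r = Receiver(SECRET_KEY)
    copied = [p for _, p, _ in stream]
    results["interception"] = ([r.accept(*m) for m in stream], copied == records)

    # 2. Modification: the amount in message 1 is changed; the old tag no longer matches.
    r = Receiver(SECRET_KEY)
    seq, p, t = stream[1]
    modified = stream[:1] + [(seq, p.replace(b"75", b"7500"), t)] + stream[2:]
    results["modification"] = [r.accept(*m) for m in modified]

    # 3. Fabrication: the attacker injects a message tagged with a guessed key.
    r = Receiver(SECRET_KEY)
    fake = b'{"acct":"6666","amount":999}'
    forged = stream + [(3, fake, tag(b"attacker-guess", 3, fake))]
    results["fabrication"] = [r.accept(*m) for m in forged]

    # 4. Interruption: message 1 is dropped; the gap in sequence numbers exposes it.
    r = Receiver(SECRET_KEY)
    dropped = [stream[0], stream[2]]
    results["interruption"] = [r.accept(*m) for m in dropped]
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The point to take from the verdicts: a keyed tag turns modification and fabrication into detectable events and a sequence counter does the same for interruption, but interception passes unnoticed because integrity mechanisms provide no confidentiality; that is why the later lectures pair authentication with encryption rather than treating either alone as "security".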

  8. Security facts without strong authentication and identity management – believe it or not!
  • Bank robbery through computers, code breaking, rogue servers, etc.
  • Industrial espionage on corporate information
  • Loss of individual information and privacy (files, emails, money transfers, Internet transactions, private video conferencing, ...)
  • Information vandalism using fake IDs (destroying backups, deleting files, vandalising web pages, ...)
  • Computer viruses: sending viruses using fake email addresses
  • (more can be found in "comp.risks" and other websites)

  9. Security and identity management – e.g.
  • Attacks can be INTERNAL and EXTERNAL.
  • INTERNAL:
    • altering data; stealing secret information; carrying out illegal transactions; stealing source code;
    • damaging computer systems and revealing confidential information without a trace;
    • intentionally writing bad code for later use or to trap other users;
    • using fake IDs for blackmail and vandalism.
  • EXTERNAL:
    • sending malicious programs from different IDs or fake systems;
    • scanning your network for vulnerabilities and attacking it without leaving any IDs;
    • sending logic bombs, worms, etc. (for Windows and Unix) – annoying, destructive, or causing disruption;
    • etc.

  10. Computer Threat
  • 35% annual increase in data sabotage incidents from 1997 to 1999
  • 25% annual increase in financial fraud perpetrated on-line (9% using fake IDs)
  • Abuse of network access increased over 20%, resulting in losses of billions of dollars
  • Security breaches caused US$15 billion in damage in 2000 in the US alone – many of them left no trace.
  Internet sources

  11. Other Surveys
  • Poll of 1,400 companies with > 100 employees
    • About 90% are confident in their firm's security
    • But 50% failed to report break-ins
    • 58% increased spending on security
  • 1997-2001, Fortune firms lost US$45 billion; high-tech firms most vulnerable
  • 2005-2006, US$215 billion spent on security and identity systems (US and Europe).
  Internet sources

  12. Security with strong authentication and identification mechanisms
  • Why is strong authentication an essential part of security?
  • Why do we need good identity management?
  • How do we provide strong authentication and good identification mechanisms for the things we want to protect:
    • computer systems and subsystem components
    • software and hardware components
    • client-server applications
    • users
    • data
    • etc.

  13. Examples
  • How do you authenticate a computer user of your company?
    • Passwords? Good enough?
  • What is the identification of the computer user?
    • Employee ID and password? Good enough?
  • What is the identification of a software package?
    • No need to worry about this because it is not part of ID management!
  • How do you manage all the user identities in your company?
    • Store them on a database server and protect it with firewalls?
  • How can you design and implement a strong authentication system or a secure and efficient identity system, especially a large one?
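To make the "Passwords? Good enough?" question on slide 13 concrete, here is an added Python example (not from the lecture) of what a password check actually verifies and how much the storage scheme on the verifier's side matters. It compares an unsalted SHA-256 store with a salted, iterated PBKDF2 store under the same offline dictionary attack. User names, passwords, the wordlist and the iteration count are constructed for the example.

```python
"""Added example: password verification with an unsalted hash versus a salted,
iterated hash, and an offline dictionary attack against each.  Users,
passwords and wordlist are constructed for illustration."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; an assumption for the example, tune per deployment


def store_unsalted(password: str) -> str:
    """Weak scheme: a single SHA-256 of the password.  Equal passwords give
    equal hashes, and one precomputed table cracks every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: bytes = None) -> tuple:
    """Stronger scheme: a per-user random salt plus an iterated hash.
    Returns (salt, derived_key); both are stored and neither is secret."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, dk


def verify_salted(password: str, salt: bytes, stored_dk: bytes) -> bool:
    """Recompute under the stored salt and compare in constant time, so the
    comparison does not leak how many leading bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored_dk)


def crack_unsalted(table: dict, wordlist: list) -> dict:
    """One hash per candidate word recovers every user who chose that word."""
    lookup = {store_unsalted(w): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def crack_salted(table: dict, wordlist: list) -> dict:
    """The same attack, but the work is repeated per user and each guess costs
    ITERATIONS hash computations; no table can be shared across users."""
    found = {}
    for user, (salt, dk) in table.items():
        for w in wordlist:
            if verify_salted(w, salt, dk):
                found[user] = w
                break
    return found


def compare_schemes() -> dict:
    """Constructed users: two share a weak password, one has a strong one."""
    users = {"alice": "Summer2024", "bob": "Summer2024", "carol": "x9$Lq!v3Zr#bT"}
    wordlist = ["password", "Summer2024", "letmein", "Welcome1"]  # constructed attacker list
    unsalted = {u: store_unsalted(p) for u, p in users.items()}
    salted = {u: store_salted(p) for u, p in users.items()}
    return {
        "same_hash_unsalted": unsalted["alice"] == unsalted["bob"],
        "same_hash_salted": salted["alice"][1] == salted["bob"][1],
        "cracked_unsalted": crack_unsalted(unsalted, wordlist),
        "cracked_salted": crack_salted(salted, wordlist),
        "login_ok": verify_salted("Summer2024", *salted["alice"]),
        "login_bad": verify_salted("summer2024", *salted["alice"]),
    }


if __name__ == "__main__":
    for k, v in compare_schemes().items():
        print(k, v)
```

Two things the run shows that the slide only asks about: salting and iteration stop one table from cracking everyone and make each guess expensive, yet both schemes still recover the weak shared password, because a password proves only that whoever is typing knows a guessable secret. That is the gap the later lectures on smart cards, biometrics and crypto-based identification are meant to close.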

  14. Examples
  • How do you authenticate a web server?
    • Using a shared key?
    • Using a digital certificate?
  • What is the identification of a computer or a network?
    • The name of the network?
    • A digital signature of the network?
    • An IP address?
  • What is the identification of a script that you have to run in a web application?
    • Hash value of the script?
    • Certificate of the owner of the script?
    • Certificate of the script itself?
  • How do you manage all the software on your company's computer system?
    • Using a certificate for each piece of software?
    • Using a certificate for a group of related pieces of software?
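The script-identity question on slide 14 is worth running rather than only asking, so here is an added Python example (not from the lecture) that compares the first two candidate identities: the hash of the script, checked against an allowlist, and a signature made with the script owner's key. The owner's "certificate" is reduced to a toy textbook-RSA key built from two fixed Mersenne primes so the block runs stand-alone; that key, the scripts and the allowlist are all constructed for the example, and the toy scheme (no padding, tiny modulus, truncated hash) must not be used as a real signature scheme. A certificate for the script itself, the slide's third option, is the owner-signature approach applied per artifact and is not repeated here.

```python
"""Added example: identifying a script by its hash versus by a signature from
its owner.  Toy textbook RSA with fixed primes, for illustration only."""
import hashlib

# Toy owner key.  p and q are the Mersenne primes 2**31-1 and 2**61-1, and
# 65537 is coprime to (p-1)(q-1).  Assumption for the example; a real
# deployment uses a proper signature scheme and a certificate for the key.
_P, _Q, PUBLIC_EXP = 2**31 - 1, 2**61 - 1, 65537
MODULUS = _P * _Q
_PRIVATE_EXP = pow(PUBLIC_EXP, -1, (_P - 1) * (_Q - 1))


def sha256_hex(script: bytes) -> str:
    return hashlib.sha256(script).hexdigest()


def _digest_int(script: bytes) -> int:
    # Truncate the hash to 64 bits so it fits under the toy modulus (about 2**92).
    return int.from_bytes(hashlib.sha256(script).digest()[:8], "big")


def sign(script: bytes, private_exp: int = _PRIVATE_EXP) -> int:
    return pow(_digest_int(script), private_exp, MODULUS)


def verify(script: bytes, signature: int, public_exp: int = PUBLIC_EXP) -> bool:
    return pow(signature, public_exp, MODULUS) == _digest_int(script)


def allowed_by_hash(script: bytes, allowlist: set) -> bool:
    """Identity 1: the script is exactly one of the versions ops recorded."""
    return sha256_hex(script) in allowlist


def allowed_by_owner(script: bytes, signature: int) -> bool:
    """Identity 2: the script is whatever the owner's key signed."""
    return verify(script, signature)


def scenarios() -> dict:
    v1 = b"#!/bin/sh\necho 'report generated'\n"          # constructed script, version 1
    v2 = v1 + b"echo 'finished at:' && date\n"            # benign update by the owner
    evil = v1.replace(b"echo 'report generated'", b"rm -rf /var/backups")  # tampered copy

    allowlist = {sha256_hex(v1)}            # ops recorded the hash of v1 at deployment
    sig_v1 = sign(v1)                       # the owner signs both versions
    sig_v2 = sign(v2)
    forged = sign(evil, private_exp=12345)  # attacker has no private key and guesses one

    return {
        "hash_v1": allowed_by_hash(v1, allowlist),      # exact recorded version
        "hash_v2": allowed_by_hash(v2, allowlist),      # every benign update needs a new entry
        "hash_evil": allowed_by_hash(evil, allowlist),  # tampering caught
        "owner_v1": allowed_by_owner(v1, sig_v1),
        "owner_v2": allowed_by_owner(v2, sig_v2),       # owner identity survives updates
        "owner_evil_with_v1_sig": allowed_by_owner(evil, sig_v1),  # signature is bound to content
        "owner_evil_forged": allowed_by_owner(evil, forged),      # no private key, no signature
    }


if __name__ == "__main__":
    for k, v in scenarios().items():
        print(k, v)
```

The outcome pattern is the design trade-off behind the slide's last two bullets: a hash identifies one exact artifact, so it catches tampering but has to be re-recorded on every legitimate update, whereas an owner's signature identifies a source, so one key covers a group of related pieces of software at the cost of trusting everything that owner ever signs.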

  15. Examples
  • Can we apply the same authentication for all identities?
    • An associated password for each identity?
    • A smart card for each identity?
  • What is the best authentication for users?
  • What is the best authentication for client-server applications?
  • What is the best authentication for different types of users in different environments?
    • Users and mobile users
    • Wireless and wired environments

  16. More examples
  • How do you identify a process on your computer network?
    • A user process on a Unix computer (beast.csse.monash.edu.au) of the Monash network
  • How do you authenticate a mobile user of your computer network?
    • A wireless user of the Monash network has to have a valid MAC address and password?
  • How do you authenticate a web server to which I am about to pay for something with my credit card?
    • Pay your bills using a safe connection with encryption?
  • How do you authenticate a client who wants to access sensitive information on your computer system?
    • Require a certificate from the client and verify it?

  17. Authentication and identity management: design and implementation
  • How do you design and implement authentication and identity management for your company?
    • E.g. Monash Uni, Commonwealth Bank, Telstra, etc.
  • How do you design and implement authentication and identity management for a national system?
    • E.g. national ID system, health care system, national education systems, etc.
  • How do you design and implement authentication and identity management for an international system?
    • E.g. Euro trade systems, Euro rail systems, international money transfer systems, international trade systems, etc.

  18. Example of a corporate ID system
  • Photo ID with fingerprint or facial recognition
  • Smart cards for computer system usage
  • Passwords for computer system access
  • Private and public key cryptosystem for sensitive information sharing and data transmission
  • Log files for record tracking
  • Intrusion detection system to detect misuse of the system or illegal access

  19. How about wireless identities
  • Heavily relies on crypto-based authentication
  • Device registration and authentication
  • Private and public keys or certificates
  • Smart cards can still be useful
  • Biometric methods are less effective

  20. Careers in security and identity system design and implementation
  • Does every organisation need an ID system?
  • Can we use one ID system for all organisations?
  • Security analysis
  • Security policy design
  • ID system design and implementation
  • Software security
  • Security experts are needed for authentication design and implementation
