Security
Download
1 / 28

Security - PowerPoint PPT Presentation


  • 81 Views
  • Uploaded on

Security. Lecture 11, May 14, 2003 Mr. Greg Vogl Data Communications and Networks Uganda Martyrs University. Sources. Networks 1999, Ch. 9 and Appendix A Computers in Your Future modules 10B, C Burgess Section 8 Solomon Parts 12, 13 Ritchie Ch. 14. Overview. Problems and causes

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Security' - mohawk


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Security

Security

Lecture 11, May 14, 2003

Mr. Greg Vogl

Data Communications and Networks

Uganda Martyrs University


Sources
Sources

  • Networks 1999, Ch. 9 and Appendix A

  • Computers in Your Future modules 10B, C

  • Burgess Section 8

  • Solomon Parts 12, 13

  • Ritchie Ch. 14

Data Communications and Networks: Lecture 11: Security


Overview
Overview

  • Problems and causes

    • Threats, attackers, responsible people

  • Prevention and recovery

    • Physical security, software security, viruses

    • Data security, long-term storage and retrieval

    • Disaster recovery

    • Human security

    • Authentication and passwords

    • Encryption

Data Communications and Networks: Lecture 11: Security


Threats damages and costs
Threats, damages and costs

  • Natural disaster (e.g. flood, fire, lightning)

  • Deliberate sabotage/vandalism (e.g. viruses)

  • Damaged or stolen hardware

  • Damaged/deleted/leaked data/information

  • Net downtime/overload; use of staff time

  • Lost privacy, confidentiality; public safety

  • Reputation/appearance of no security/safety

Data Communications and Networks: Lecture 11: Security


Categories of threats
Categories of threats

  • Unauthorised disclosure

    • Viewing information with no rights to see

  • Unauthorised updates

    • Making changes with no rights to change

  • Denial of service

    • Interference with legitimate user access

Data Communications and Networks: Lecture 11: Security


Attackers and their motives
Attackers and their motives

  • Hobbyists: crackers, virus authors, thieves

    • Challenge, ego, financial gain

  • Employees: terminated, disgruntled, corrupt

    • Financial gain, organisational harm/revenge

  • Corporate spies: competitors

    • Market competition

  • Information terrorists

    • Harm state governments

Data Communications and Networks: Lecture 11: Security


Types of attacks
Types of attacks

  • Cracking programs: try passwords

  • Eavesdropping: watching users, wiretapping

  • Spoofing: pretending to be a client or server

Data Communications and Networks: Lecture 11: Security


Who is responsible for security
Who is responsible for security?

  • Managers

    • Design general policies

  • System designers

    • Create mechanisms to enforce specific policies

  • System administrators

    • Design and enforce specific policies

  • Users

    • Adhere to general and specific policies

Data Communications and Networks: Lecture 11: Security


Physical security
Physical security

  • Equipment protection, protective equipment

    • Door locks, burglar bars, armed guards

    • Dust, AC, surge protector, UPS, standby power

    • Alarms: temperature, burglar

  • Physically separate equipment, data

    • secure and non-secure

  • Investment appropriate to nature of business

Data Communications and Networks: Lecture 11: Security


Software security
Software security

  • File and directory access control (rwx)

  • Network services can be security loopholes

    • E.g. finger, sendmail, remote login, dial-up

    • Use tools to log & audit use of existing services

    • Disable or turn off all unused network services

  • Use firewall software e.g. ZoneAlarm

  • Use loophole detection tools e.g. SATAN

Data Communications and Networks: Lecture 11: Security


Secure software design principles
Secure software design principles

  • Public design

    • No secret algorithms; weaknesses revealed

  • Default = no access

    • Minimum privileges; add only when needed

  • Timely checks

    • Security of passwords “wear out” over time

  • Simple, uniform mechanisms

  • Appropriate levels of security

Data Communications and Networks: Lecture 11: Security


Viruses
Viruses

  • Malicious self-replicating program

    • infects programs with copies of itself

    • spread by running programs

  • Types: boot sector, program, macro

    • variations: worm, Trojan horse, time bomb

  • Locations: memory/files, programs/data

  • Transmission methods

    • Floppies, installing software, downloads, email

Data Communications and Networks: Lecture 11: Security


Virus prevention and recovery
Virus prevention and recovery

  • Install anti-virus software on all computers

    • Schedule automatic virus scans

    • Keep active auto-protect features enabled

    • Keep virus software and definitions updated

    • Repair, quarantine or delete infected files

  • Educate users about viruses

    • Causes, prevention, removal

    • Specific, current, serious threats

Data Communications and Networks: Lecture 11: Security


Data security
Data security

  • Backups and archiving

  • Antivirus software

  • Encryption of sensitive information

  • Disposal of obsolete, sensitive information

    • Erase (possibly reformat) disks

    • Shred paper documents

Data Communications and Networks: Lecture 11: Security


Long term storage and retrieval
Long-term storage and retrieval

  • Daily backups (and possibly mirroring)

  • Document info removal/purge procedures

  • Test equipment & procedures for restoration

  • Keep storage media physically secure

    • Store backup copies at remote locations

Data Communications and Networks: Lecture 11: Security


Disaster recovery preparation
Disaster recovery preparation

  • Create a disaster recovery plan

    • Discuss, document, communicate, test

  • List and categorise possible disasters

    • Minor, major, catastrophic

  • Prepare for these disasters

    • Minimum: backup, inventory, net docs

    • Spares, maintenance contracts, recovery site

    • Research user needs/tolerances

Data Communications and Networks: Lecture 11: Security


Human security
Human security

  • Educate users, receptionists, “gatekeepers”

  • Encourage securing passwords, accounts

  • Be careful when giving out information

    • “Helpful” employees may leak important info

    • Know who has rights to what info

    • Be aware of threats and ask questions first

    • Background checks, ID cards/badges

Data Communications and Networks: Lecture 11: Security


Authentication
Authentication

  • Permit access to authorised users

    • Username/password combination is valid

  • Deny access to unauthorised users

    • Display error message “invalid login”

  • Regulate/authorise user actions after login

    • E.g. read/write/execute access to files/folders

Data Communications and Networks: Lecture 11: Security


Access terminology
Access terminology

  • Objects (what to access)

    • Hardware, software (files, databases, processes)

  • Principals (users, owners of objects)

    • People, groups, projects, roles (admin)

  • Rights (permissions to use operations)

    • Read, write, update, delete, execute, etc.

  • Domains (set of rights; location of objects)

Data Communications and Networks: Lecture 11: Security


Access matrix
Access matrix

Data Communications and Networks: Lecture 11: Security


Secure passwords
Secure passwords

  • Not crackable (blank, short, words, names)

  • Not guessable (phone, birthdate, username)

  • Not written down

    • Except admin passwords kept physically secure

  • Use numbers, symbols, mix case

  • Memorable (so no need to write down)

Data Communications and Networks: Lecture 11: Security


Account security
Account security

  • Require users to change password regularly

  • Log password attempts, limit no. of failures

  • Run crack programs to find poor passwords

  • Audit account status and usage regularly

  • Delete or disable accounts when people go

  • Archive and safeguard old account data

Data Communications and Networks: Lecture 11: Security


Encryption
Encryption

  • The sender encrypts (encodes) a message

    • Substitute unreadable data, apparently nonsense

  • Only some receivers can decrypt/decode it

    • Translate coded data into readable data

  • Coding and decoding require using keys

    • Encoding/decoding algorithms plus secret text

  • Encryption only useful if the key is secure

    • Anyone who intercepts the key can decrypt

Data Communications and Networks: Lecture 11: Security


Password file
Password file

  • User-readable file, but passwords encrypted

    • /etc/passwd in older UNIX; now /etc/shadow

  • Data Encryption Standard (DES)

    • One-way algorithm: key + password  code

    • Encrypt password attempt, compare with code

    • If two codes match, login is valid, else not

    • System holds key; passwords never revealed

  • Powerful computers can crack passwords

    • A 56 bit key is unsafe; 128 bits is reasonable

Data Communications and Networks: Lecture 11: Security


Public key encryption pke
Public Key Encryption (PKE)

  • Receiver announces his/her public key

  • Sender encrypts a message with public key

  • Receiver decrypts using his/her private key

  • No danger of private key being intercepted

  • Enables criminals to communicate secretly

    • Governments need access to combat crime

    • Key escrow/recovery allows access to some

Data Communications and Networks: Lecture 11: Security


Rsa public key encryption
RSA public key encryption

  • Choose two large prime numbers p and q

  • Choose e relatively prime to (p-1)(q-1)

    • They have no common divisors

  • Calculate d such that ed = 1 mod (p-1)(q-1)

  • Calculate n = pq

  • Public key is (n, e); private key is d

  • p and q must be kept secret

  • Long computation to decrypt by factoring n

Data Communications and Networks: Lecture 11: Security


Encryption in windows
Encryption in Windows

  • Many programs can password protect files

    • E.g. Word, Excel, Access, WinZip

  • Windows NTFS can encrypt files, folders

    • Right-click, Properties, General, Advanced

  • E-mail and web pages can be encrypted

    • Passwords, messages, attachments

  • Microsoft Point to Point Encryption

    • Point to Point Tunneling Protocol for PPP

Data Communications and Networks: Lecture 11: Security


Some other uses of encryption
Some other uses of encryption

  • Authentication, confidentiality, integrity, non-repudiation

  • Pretty Good Privacy

    • High security free 128-bit RSA PKE algorithm

  • Secure Sockets Layer

    • Secure electronic financial Web transactions

  • Secure HTTP (HTTPS) and .shtml files

    • Digital IDs, signatures, certificates

Data Communications and Networks: Lecture 11: Security