Ingredients of Information Security
- Who has access the asset?
- Is the asset correct?
- Is the asset accessible?
…uncorrupted?…authentic?
What assets need to be secured?
Quality of Information System (IS) reflecting local correctnessand reliability of the operating system; the logical Completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of stored data.†
† Definition from National Information Systems Security
Assurance that information is not disclosed to unauthorizedpersons, processes, or devices.†
† Definition from National Information Systems Security
Timely, reliable access to data and information serviced forauthorized users.†
† Definition from National Information Systems Security
spoofing playback (replay) attack man in the middle attack dumpster diving password cracking denial of service (DoS) attack shoulder surfing
network infrastructure attack
network scanning
buffer overflow
syn flood
AssetAsset
Security System
AttackProperAccess
At the root of all security is trust.
What don’t you (or shouldn’t you) trust??
Since we obviously can’t trust everything, we need to develop and implement security policy...
A security _________ defines what needs to be done.
A security ______________ defines how to do it.
All passwords must be updated on a regular basis and every one must include at least
one embedded non-alphabetic symbol.
example security policy
corresponding security mechanisms
AssetAsset
Security System
Security is about building barriers to protect assets.
What complicates security is the necessity for barrier penetration.
AttackProperAccess
To be secure the barrier holes must be guarded.
Basic Concepts in Barrier Penetration Control
- Can you prove it?
- That which you are permitted to do.
- You should be held responsible.
- Who are you?
Security systems need to be able to distinguish the“white hats” from the “black hats”. This all begins with identity.
What are some common identifiers used in our world?
What is the problem with using people’s names as identifiers?
Access privileges granted to a user, program, or process.†
† Definition from National Information Systems Security
Common authorization tokens:
Security measure designed to establish the validity of a transmission, message, or originator,or a means of verifying an individual’s authorization to receive specific categories of information.†
† Definition from National Information Systems Security
Authentication ... is a basis for trust
Password -- the most common means of authentication
Passwords are vulnerable to attacks. Why?
Uses challenge - reponse protocol
RESPONSE
password:
CHALLENGE
(Encryption required)
Challenge-response systems fail when responses are efficiently discovered.
Give password cracking software a challenge.The conventional wisdom is as follows...
Use first letters from some phrase you can remember.
TtlsH1wwya
Don’t use short passwords (at least 12 symbols).
Include both lowercase and uppercase and digits.
Bracket the password with non-alphanumerics.
#TtlsH1wwya&
Bracket the password with non-alphanumerics.
#TtlsH1wwya&
Alt - 0181
cracker algorithm == repeatedlycracker algorithm == repeatedly
token -- small device carried by user(often includes microprocessor, keypad and/or real-time clock)
Challenge-Response Token1) System displays random number which user enters on keypad.2) Card uses keypad input to calculate and display number.3) User enters number in computer which system verifies by same computation.
Time-Based Token1) Card uses internal real-time clock value to calculate and display number.2) User enters number in computer which system verifies with its clock.
HHAD - Hand Held Authentication Device
biometric -- requires special devices to read human features
digital certificate -- a certificate authority performs a security checkon a user and grants an electronic certificate (essentially encryption keys)
smartcard -- physically requires reader, contains full microprocessor with cryptographic calculations performed onboard.
Smartcards can store ...
Tampering with a smartcard typically renders it useless.
...what you _______ (password)
...what you _______ (key, token, smartcard)
...what you _____ (biometrics - fingerprints, retinal scan)
..._______ you are (in secure location, at some terminal)
Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, soneither can later deny having processed the data.†
† Definition from National Information Systems Security
Access
Attacker
User