
OV 11 - 1 Copyright © 2011 Element K Content LLC. All rights reserved.

System Security

Lesson topics:

Computer Security Basics

System Security Tools

Authentication Methods

Encryption Methods

OV 11 - 2

Security Factors

Authorization

Accountability

Auditing

Access control

OV 11 - 3

Least Privilege

Figure: four users (User 1 to User 4) grouped into two roles, Data Entry Clerks and Financial Coordinators

Each user is given only the access privileges needed to perform their job: one role performs its job with fewer access privileges, the other with more access privileges

OV 11 - 4

Non-Repudiation

With non-repudiation:

Owner or sender of data remains associated with the data

Independent verification of sender's identity

Sender is responsible for message and data

OV 11 - 5

Threats

Information Security Threats (unintentional or intentional):

Changes to Information

Interruption of Services

Interruption of Access

Damage to Hardware

Damage to Facilities

OV 11 - 6

Vulnerabilities

Vulnerabilities include:

Improperly configured or installed hardware or software

Bugs in software or operating systems

Misuse of software or communication protocols

Poorly designed networks

Poor physical security

Insecure passwords

Unchecked user input

Design flaws in software or operating systems

Figure: an attacker reaching an information system through an unsecured router

OV 11 - 7

Attacks

Physical Security Attacks

Software-Based Attacks

Social Engineering Attacks

Web Application-Based Attacks

Network-Based Attacks

OV 11 - 8

Risks

Risks include:

System loss

Power outage

Network failure

Physical losses

OV 11 - 9

Unauthorized Access

Figure: attacker

Intentional or unintentional misuse

Deliberate attack by outsider

OV 11 - 10

Data Theft

Figure: attacker targeting two kinds of data

Data in transit

Files on server

OV 11 - 11

Hackers and Attackers

Hacker: possesses skills to gain access to computers

Attacker: always malicious intent

OV 11 - 12

Permissions

Permissions on the Marketing documents:

Administrators: Full access

User01: Read-only access

Contractors: No access
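The Security Factors, Least Privilege and Permissions slides can be tied together in code. The following is an added example, not code from the slides or from Element K: a minimal access-control check over the Permissions slide's entries (Administrators full access, User01 read-only, Contractors no access on the Marketing documents) that defaults to "no access" for anyone not listed (least privilege) and records every decision for auditing (accountability). The `Right` flags, the `Principal` and `AuditLog` classes and the log format are this example's own assumptions; unlike NTFS, this toy ACL has no explicit deny entries.

```python
"""Added example (not from the Element K slides): role-based access check
with a default of no access, plus an audit trail of every decision."""
from dataclasses import dataclass, field
from enum import Flag


class Right(Flag):
    NONE = 0
    READ = 1
    WRITE = 2
    MODIFY = 4              # create, delete or change, as on the NTFS slide
    FULL = 7                # READ | WRITE | MODIFY


# Access control list for one resource: principal or group -> rights granted.
# Values come from the Permissions slide; the resource name is the slide's.
MARKETING_DOCS_ACL = {
    "Administrators": Right.FULL,
    "User01": Right.READ,
    "Contractors": Right.NONE,
}


@dataclass
class Principal:
    name: str
    groups: set = field(default_factory=set)

    def effective_rights(self, acl):
        """Union of rights granted to the user name and to each of its groups.
        A principal named nowhere in the ACL gets Right.NONE: least privilege
        means access is denied unless it has been granted."""
        rights = Right.NONE
        for who in {self.name, *self.groups}:
            rights |= acl.get(who, Right.NONE)
        return rights


@dataclass
class AuditLog:
    """Accountability: who asked for what, on which resource, and the outcome."""
    entries: list = field(default_factory=list)

    def record(self, who, action, resource, allowed):
        self.entries.append((who, action.name, resource, allowed))


def authorize(principal, action, resource, acl, audit):
    """Authorization decision: allowed only if every bit of `action` is in the
    principal's effective rights. Denied attempts are logged just like granted
    ones, which is what makes the log useful for auditing."""
    allowed = action in principal.effective_rights(acl)
    audit.record(principal.name, action, resource, allowed)
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    for who, action in [
        (Principal("alice", {"Administrators"}), Right.MODIFY),
        (Principal("User01"), Right.READ),
        (Principal("User01"), Right.WRITE),
        (Principal("bob", {"Contractors"}), Right.READ),
    ]:
        print(who.name, action.name,
              authorize(who, action, "Marketing documents", MARKETING_DOCS_ACL, log))
    print(log.entries)
```

Note that `authorize` checks the full requested right: a principal with only `Right.READ` is refused `Right.WRITE`, and a user who belongs to two groups gets the union of both groups' grants, so group membership should be reviewed as carefully as the ACL itself.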

OV 11 - 13

NTFS Permissions

Supports file-level security on Windows operating systems. Permissions can be applied either to folders or to individual files. When applied to a folder, these permissions are applied to the files and subfolders within it. There are several levels of NTFS permissions, which specify whether users can:

Read files or run applications

Write to existing files

Modify, create, or delete files

OV 11 - 14

Group Policy

Group Policy controls workstation and security features

OV 11 - 15

Authentication

Validates an individual's credentials to access resources

OV 11 - 16

User Name/Password Authentication

Compares user's credentials against stored credentials

OV 11 - 17

Strong Passwords

Example: !Pass1234

Minimum length

Special characters

Uppercase letters

Lowercase letters

Numbers
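The two preceding slides say that a login compares the user's credentials against stored credentials and that a strong password has a minimum length plus special characters, uppercase, lowercase and numbers. The following is an added example, not code from the slides: it enforces those five rules when a password is set and stores only a per-user random salt and a PBKDF2-HMAC-SHA256 hash of the password, so that "comparing against stored credentials" never requires keeping the password itself. The function names, the 8-character minimum (the slide gives no number; 8 lets its `!Pass1234` example pass) and the iteration count are this example's assumptions.

```python
"""Added example (not from the Element K slides): strong-password policy check
and salted-hash credential storage with a constant-time comparison."""
import hashlib
import hmac
import secrets
import string

MIN_LENGTH = 8               # assumption: the slide only says "minimum length"
PBKDF2_ITERATIONS = 100_000  # assumption: work factor for the stored hash
SALT_BYTES = 16
DUMMY_ENTRY = (b"\x00" * SALT_BYTES, b"\x00" * 32)  # used for unknown user names


def password_policy_failures(password):
    """Return the strong-password rules (named as on the slide) that fail."""
    checks = {
        "minimum length": len(password) >= MIN_LENGTH,
        "special characters": any(c in string.punctuation for c in password),
        "uppercase letters": any(c.isupper() for c in password),
        "lowercase letters": any(c.islower() for c in password),
        "numbers": any(c.isdigit() for c in password),
    }
    return [rule for rule, ok in checks.items() if not ok]


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def store_credential(store, username, password):
    """Enrol a user: reject weak passwords, then keep (salt, hash) only."""
    failures = password_policy_failures(password)
    if failures:
        raise ValueError("weak password, missing: " + ", ".join(failures))
    salt = secrets.token_bytes(SALT_BYTES)      # fresh random salt per user
    store[username] = (salt, _hash(password, salt))


def verify_credential(store, username, password):
    """Compare the submitted password against the stored hash.
    The hash is always computed (against a dummy entry for unknown users) and
    compared in constant time, so response timing does not reveal whether the
    user name exists or how many leading bytes of the hash matched."""
    salt, expected = store.get(username, DUMMY_ENTRY)
    candidate = _hash(password, salt)
    return username in store and hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    store = {}
    store_credential(store, "User01", "!Pass1234")  # the slide's example password
    print(store["User01"])                            # salt and hash, no password
    print(verify_credential(store, "User01", "!Pass1234"))   # True
    print(verify_credential(store, "User01", "password"))    # False
    print(password_policy_failures("password"))      # rules the weak one breaks
```

The policy check reports every failing rule at once, which is what a user needs to pick a compliant password; the verifier reports only a yes/no, which is all a login prompt should disclose.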

OV 11 - 18

Tokens

Figure: token authentication combines

PIN

Unique value

User information

Password

OV 11 - 19

Biometrics

Fingerprint scanner

Retinal scanner

Hand geometry scanner

Voice-recognition software

Facial-recognition software

Figure: fingerprint scanner

OV 11 - 20

Multi-Factor Authentication

Requires validation of two authentication factors

Figure: a password as one of the factors

OV 11 - 21

Mutual Authentication

Each party verifies the other's identity

OV 11 - 22

SSO

Figure: one sign-on used for several services

Email

Instant Messaging

OV 11 - 23

EAP

EAP: hardware-based identifiers for authentication:

Fingerprint scanners

Smart card readers

Different EAP type for each authentication scheme

Might need password in addition to physical authentication

Figure: fingerprint scanner

OV 11 - 24

Kerberos

User passes credentials to an authentication server

Figure: the Kerberos server and the ticket it returns to the user

OV 11 - 25

Wireless Authentication Methods

There are three wireless authentication methods:

Open system

Shared-key

802.1x and EAP

OV 11 - 26

Wireless Authentication Methods (Cont.)

OV 11 - 27

Wireless Authentication Methods (Cont.)

Shared WEP key

OV 11 - 28

Wireless Authentication Methods (Cont.)

Figure: 802.1x and EAP; request and response pass between the access point, the RADIUS server, and Active Directory

OV 11 - 29

Encryption

Converts data from cleartext to ciphertext

OV 11 - 30

Encryption and Security Goals

Encryption supports:

Confidentiality

Integrity

Non-repudiation

OV 11 - 31

Key-Based Encryption Systems

Shared-Key Encryption

Same key on both sides: one side encrypts data, the other decrypts data with the same key

OV 11 - 32

Key-Based Encryption Systems (Cont.)

Key-Pair Encryption

Figure: Computer A and Computer B, each holding the other's public key (Public key B and Public key A)

1. Exchange public keys

2. Data encrypted using public key B

3. Data decrypted using private key B

OV 11 - 33

WEP

Same security as on a wired network without encryption

OV 11 - 34

WPA/WPA2

TKIP provides improved data encryption.

EAP provides stronger user authentication.

OV 11 - 35

Digital Certificates

User with Certificate

Device with Certificate

OV 11 - 36

Certificate Encryption


1. User obtains certificate and keys

2. User shares public key

3. Data encrypted with public key

4. Data decrypted with private key

OV 11 - 37

PKI

PKI components:

Certificates

Software

Services

Other Cryptographic Components

Figure: CAs issuing user certificates

OV 11 - 38

Certificate Authentication


1. Presents certificate

2. Validates and accepts certificate

3. Issues certificate

4. Certificate authentication is successful

Figure: certificate holder, resource, and CA

OV 11 - 39

DES

Shared DES key: 56 bits plus 8 parity bits

Triple DES: 3 DES keys, triple encoding
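The slide's "56 bits plus 8 parity bits" is a concrete property of a DES key that can be checked: the key is 8 bytes, and in each byte the low-order bit is a parity bit set so the byte has an odd number of 1 bits, which leaves 7 key bits per byte, 56 in all. The following is an added example, not code from the slides; it checks and repairs key parity and assembles a three-key Triple DES bundle from three such keys. The function names and sample keys are this example's own (the key 13 34 57 79 9B BC DF F1 is the widely used textbook DES example key); the DES cipher itself is not implemented here.

```python
"""Added example (not from the Element K slides): DES key parity bits and a
three-key Triple DES key bundle."""

DES_KEY_BYTES = 8


def _check_length(key: bytes):
    if len(key) != DES_KEY_BYTES:
        raise ValueError("a DES key is exactly 8 bytes (64 bits)")


def has_odd_parity(key: bytes) -> bool:
    """True if every byte of the 8-byte key has an odd number of 1 bits.
    Implementations that enforce parity reject keys failing this check."""
    _check_length(key)
    return all(bin(b).count("1") % 2 == 1 for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Return the key with each byte's low-order (parity) bit adjusted so the
    byte has odd parity. The upper 7 bits of every byte, the 56 key bits,
    are left unchanged."""
    _check_length(key)
    fixed = bytearray()
    for b in key:
        key_bits = b & 0xFE                     # the 7 bits that carry key material
        parity_bit = 0 if bin(key_bits).count("1") % 2 == 1 else 1
        fixed.append(key_bits | parity_bit)
    return bytes(fixed)


def effective_key_bits(key: bytes) -> int:
    """Bits of actual key material: 7 per byte, so 56 for one DES key."""
    _check_length(key)
    return 7 * len(key)


def triple_des_bundle(k1: bytes, k2: bytes, k3: bytes) -> bytes:
    """Three-key Triple DES ("3 DES keys, triple encoding") uses a 24-byte
    bundle of three parity-corrected DES keys. Three distinct keys are
    required here, since repeating a key reduces the effective strength."""
    keys = [set_odd_parity(k) for k in (k1, k2, k3)]
    if len({k for k in keys}) != 3:
        raise ValueError("three-key Triple DES needs three distinct keys")
    return b"".join(keys)


if __name__ == "__main__":
    textbook_key = bytes.fromhex("133457799BBCDFF1")
    print(has_odd_parity(textbook_key))              # True
    print(set_odd_parity(bytes(8)).hex())            # 0101010101010101
    print(effective_key_bits(textbook_key))          # 56
```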

OV 11 - 40

Encryption Devices

Encryption device (HSM): restricts execution of external programs

OV 11 - 41

SSL

SSL combines:

Digital certificates

RSA public-key encryption

OV 11 - 42

Encryption Using SSL

1. Request secure connection

2. Send certificate and public key

3. Negotiate encryption

4. Generates and encrypts a session key

5. Uses session key for data encryption
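The Key-Pair Encryption, Shared-Key Encryption and Certificate Encryption slides and the five SSL steps above describe one flow: the client encrypts a fresh session key with the server's public key, the server decrypts it with its private key, and both sides then use that shared session key for data encryption. The following is an added example, not code from the slides, that acts this flow out with Computer A as client and Computer B as server. So that it runs with only the standard library, it uses textbook RSA on two Mersenne primes (2^61-1 and 2^89-1) for the key pair and a SHA-256 keystream with an HMAC tag for the shared-key part; these are toy constructions for illustration of the steps, not a real SSL/TLS cipher suite (real RSA uses much larger random primes and padding). All function names are this example's own.

```python
"""Added example (not from the Element K slides): key-pair encryption used to
deliver a session key, then shared-key encryption of the data."""
import hashlib
import hmac
import secrets

# --- Key-pair (public-key) encryption: textbook RSA with toy parameters ---
P = 2**61 - 1        # Mersenne primes, chosen so no primality test is needed
Q = 2**89 - 1        # n = P*Q is about 2^150, enough to hold a 16-byte key
E = 65537


def generate_keypair():
    """Computer B's key pair: (n, e) is shared, (n, d) is kept private."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)          # private exponent (Python 3.8+)
    return (n, E), (n, d)


def public_encrypt(public_key, message: bytes) -> int:
    """Step 2 of the key-pair slide: data encrypted using public key B."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def private_decrypt(private_key, ciphertext: int, length: int) -> bytes:
    """Step 3 of the key-pair slide: data decrypted using private key B."""
    n, d = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")


# --- Shared-key encryption: the same session key on both sides ---
def keystream_xor(session_key: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(session_key || block counter). The same call
    encrypts and decrypts. Toy stream construction, for illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(session_key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(session_key: bytes, plaintext: bytes):
    """Confidentiality from the keystream, integrity from the HMAC tag."""
    ct = keystream_xor(session_key, plaintext)
    tag = hmac.new(session_key, ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(session_key: bytes, ct: bytes, tag: bytes) -> bytes:
    expected = hmac.new(session_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("message was modified in transit")
    return keystream_xor(session_key, ct)


# --- The SSL slide's five steps, Computer A (client) to Computer B (server) ---
def ssl_style_exchange(plaintext: bytes):
    """Returns (server got the same session key?, plaintext B recovered)."""
    b_public, b_private = generate_keypair()   # B's certificate carries b_public
    # 1. A requests a secure connection.  2. B sends certificate and public key.
    # 3. Negotiate encryption (this toy offers one suite).
    # 4. A generates a session key and encrypts it with public key B.
    session_key = secrets.token_bytes(16)
    wrapped = public_encrypt(b_public, session_key)
    b_session_key = private_decrypt(b_private, wrapped, 16)   # B uses private key B
    # 5. Both sides use the session key for data encryption.
    ct, tag = seal(session_key, plaintext)               # A encrypts
    recovered = open_sealed(b_session_key, ct, tag)      # B decrypts
    return b_session_key == session_key, recovered


if __name__ == "__main__":
    print(ssl_style_exchange(b"GET /account HTTP/1.1"))
```

The division of labour is the point of the slides: the slow public-key operation is used once, to move a small session key, and the fast shared-key operation carries the actual data. Note that nothing here checks B's certificate against a CA, which is the Certificate Authentication slide's concern.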

OV 11 - 43

TLS

Figure: TLS operating over TCP/IP

OV 11 - 44

Reflective Questions

1. Which of the basic security concepts in this lesson were familiar to you, and which were new?

2. Can you describe some situations in which you have used basic security techniques such as authentication, access control, and encryption, or made use of a security policy?