ACTG 4620 Session 9 - ACCESS CONTROL

Session 2 – Common Security Techniques

              CSE 4482, Fall 2009, D Chan
Two-factor Authentication

Used to compensate for the inherent
 weaknesses of passwords, i.e., guessing and
 hacking.

Uses what the user has and what the user
 knows.

Examples are a hardware token that generates a dynamic (one-time) password, and an ATM (card plus PIN).

Biometrics

Can include fingerprint, hand geometry,
 voice etc.

Held back by privacy concerns.

Not recognised legally in place of a signature.

Operating System Security

Use a standard checklist for configuration

Implement vendor updates

Use scanning software to detect
 vulnerabilities before implementation and
 periodically

Firewall

Can be hardware-based only, e.g., a router.

Can be a server with sophisticated software,
 more granular and reliable than a router,
 provides better logs.

Can use artificial intelligence to check for
 patterns.


Firewall

Every organization that hosts a web site should have a firewall to protect its internal network from hackers.

The firewall would block traffic that is
 definitely unacceptable.



Firewall

A typical firewall uses rules to determine whether traffic is acceptable; e.g., some organizations do not allow port scanning.

A data packet's header typically carries a source Internet Protocol (IP) address, a port number and a destination IP address.
Firewall

A port is a logical connection point in a
 network device including a computer.

It is used to standardize Internet traffic, e.g., web browsing uses port 80 and e-commerce uses port 443.
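The rule matching described on these slides (source IP address, destination port, and a rule against port scanning), as an added Python example; this is not the lecture's code, and the rule table, addresses and packet log are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed rule table, first match wins; unmatched traffic is denied.
# (action, allowed source network, destination port; None means any port)
RULES = [
    ("allow", "0.0.0.0/0", 80),     # web browsing (HTTP)
    ("allow", "0.0.0.0/0", 443),    # e-commerce (HTTPS)
    ("allow", "10.0.0.0/8", 22),    # remote administration only from inside
]


def decide(src_ip: str, dst_port: int) -> str:
    """Apply the rule table to one packet's source address and destination port."""
    for action, network, port in RULES:
        if ip_address(src_ip) in ip_network(network) and port in (None, dst_port):
            return action
    return "deny"   # default deny: nothing matched


def port_scanners(packets, threshold: int = 10) -> list:
    """Return sources that probed more than `threshold` distinct destination
    ports, the pattern a rule against port scanning is looking for."""
    ports_seen = defaultdict(set)
    for src_ip, _dst_ip, dst_port in packets:
        ports_seen[src_ip].add(dst_port)
    return sorted(src for src, ports in ports_seen.items() if len(ports) > threshold)


# Constructed packet log: (source IP, destination IP, destination port)
SAMPLE_PACKETS = [
    ("203.0.113.5", "192.0.2.10", 80),
    ("203.0.113.5", "192.0.2.10", 22),
    ("10.1.2.3", "192.0.2.10", 22),
] + [("198.51.100.7", "192.0.2.10", p) for p in range(1, 13)]
```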



Virus Protection
Companies around the world spend about US$20 billion a year to clean up viruses.
All critical servers are protected
All internet email is scanned
Automated identification of workstations that do
 not have up-to-date signature files
Organizations should block common virus file
 types to be proactive

Virtual Private Network

To secure remote access to company systems
 by staff or contractors.

Should require two-factor authentication.

Because VPN traffic is encrypted, it bypasses the firewall's inspection; the secure tunnel should therefore end at another firewall, where the traffic is decrypted and inspected.


Intrusion Detection System

Installed at critical points of a network to
 inspect incoming and outgoing traffic for
 anomalies and malicious messages.

Alerts systems administrators to take pre-emptive or corrective actions.



Intrusion Prevention System

Combines firewall and intrusion detection
 technologies.

Rejects highly questionable or
 unacceptable traffic.

More effective than firewalls, but may produce false positives.

Encryption
Uses mathematics to scramble data.

Uses a key and an algorithm. Commercial algorithms are public knowledge.

Symmetric key.

Asymmetric keys (private/public key pair).

Symmetric Key Encryption

The same key is used to encrypt and decrypt.
Simple to encrypt and decrypt
A large number of keys is required for one-on-one secret communication.
Number of keys for N people is N(N-1)/2
Need to secure the key

Asymmetric Encryption

A pair of keys is generated by a user: a private key and a corresponding public key.
The public key can be disclosed. The
 private key is secured.
People can use the public key to encrypt
 material.

Asymmetric Encryption

The corresponding private key is needed
 to decrypt.
The two keys cannot be reverse-engineered from each other, i.e., you cannot use the public key to derive the private key.
Keys are longer than symmetric keys, and encryption and decryption therefore take longer.

Asymmetric Encryption

Needed for email encryption.

Used for e-commerce, digital certificates
 and digital signatures.

Number of keys for N users is 2N.



Digital Signature

A digital signature is an electronic
 signature that can be used to authenticate
 the identity of the sender of a message or
 the signer of a document, and to ensure
 that the original content of the message or
 document that has been sent is
 unchanged.


Digital Signature

The sender uses an algorithm to compute a hash (message digest) of the document.
The sender uses its private key to encrypt the hash.
The recipient uses the same algorithm to hash the plain-text document when received.
The recipient uses the sender's public key to decrypt the digital signature and compares it to the hash the recipient computed, to confirm integrity.


Digital Certificate
• An electronic business card that establishes
  your credentials when doing business or other
  transactions on the Web.
• It is issued and digitally signed by a certification
  authority. It contains your name, a serial
  number, expiration dates, the certificate
  authority’s name and public key, and your public
  key.
• People can use the certificate authority’s public
  key to verify the signature.

Certificate Authority

An organization that issues digital certificates to
 companies and individuals
An organization can issue digital certificates to
 its own customers or employees to authenticate
 local transactions
The certificate authority will do due diligence to
 confirm the existence and authenticity of the
 party before issuing a certificate.


E-commerce Encryption

Uses both symmetric keys and
 asymmetric keys

Enforced by the merchant

Merchant sends its certificate and public
 key to the browser


E-commerce Encryption

Browser generates a symmetric key
Browser encrypts the symmetric key with
 the merchant’s public key
Browser authenticates the digital
 certificate
Encrypted symmetric key is sent to
 merchant

E-commerce Encryption

Merchant decrypts the symmetric key with
 its private key

The symmetric key is used for all subsequent transfer of information between the two parties until the user logs off.
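The digital signature steps (hash, encrypt the hash with the private key, verify with the public key) and the e-commerce key exchange (browser wraps a symmetric key with the merchant's public key, merchant unwraps it, both sides then use it) worked through in Python with a toy RSA. This is an added example, not the lecture's material; the two small primes, the XOR stream cipher and all function names are constructed for illustration, and the padding schemes real RSA needs are omitted.

```python
import hashlib
import secrets

# Constructed toy parameters: two Mersenne primes give a ~92-bit modulus that is
# easy to inspect. Real RSA uses 2048-bit keys plus OAEP/PSS padding, omitted here.
P, Q = 2**31 - 1, 2**61 - 1
E = 65537

def keypair():
    """Public key (e, n) and private key (d, n), as on the asymmetric slides."""
    n, phi = P * Q, (P - 1) * (Q - 1)
    return (E, n), (pow(E, -1, phi), n)

def digest(doc: bytes, n: int) -> int:
    """Hash of the document, reduced mod n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(doc).digest(), "big") % n

def sign(doc: bytes, priv) -> int:
    d, n = priv
    return pow(digest(doc, n), d, n)          # sender 'encrypts' the hash with its private key

def verify(doc: bytes, sig: int, pub) -> bool:
    e, n = pub
    return pow(sig, e, n) == digest(doc, n)   # recipient recomputes the hash and compares

def wrap_key(sym_key: int, pub) -> int:
    e, n = pub
    return pow(sym_key, e, n)                 # browser encrypts the session key for the merchant

def unwrap_key(wrapped: int, priv) -> int:
    d, n = priv
    return pow(wrapped, d, n)                 # merchant recovers it with its private key

def sym_crypt(sym_key: int, data: bytes) -> bytes:
    """Toy XOR stream cipher (keystream = SHA-256(key || block counter)).
    Symmetric: the same call encrypts and decrypts."""
    key = sym_key.to_bytes(16, "big")
    out = bytearray()
    for i, b in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)

def ecommerce_session(merchant_pub, merchant_priv, payload: bytes) -> bytes:
    """Browser picks a fresh session key, wraps it for the merchant, and both sides
    use that key for the rest of the session; returns what the merchant reads."""
    sym_key = secrets.randbelow(merchant_pub[1])
    merchant_key = unwrap_key(wrap_key(sym_key, merchant_pub), merchant_priv)
    return sym_crypt(merchant_key, sym_crypt(sym_key, payload))
```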


Email Encryption

Sender uses the recipient’s public key to encrypt
 the message
Sender signs the message with own private key

Recipient uses own private key to decrypt
 message
Recipient uses sender’s public key to
 authenticate the digital signature


Conclusion

Security is increasingly important because
 of e-commerce.

Security is the responsibility of every
 employee.

Organizations should designate a chief information security officer to coordinate.
