attackers and their attacks security basic
Post on 06-Apr-2018
-
8/3/2019 Attackers and Their Attacks Security Basic
1/105
Attackers and Their Attacks
-
Objectives
Develop attacker profiles
Describe basic attacks
Describe identity attacks
Identify denial of service attacks
Define malicious code (malware)
-
Developing Attacker Profiles
Six categories:
Hackers
Crackers
Script kiddies
Spies
Employees
Cyberterrorists
-
Hackers
Person who uses advanced computer skills to attack computers, but not with a malicious intent
Use their skills to expose security flaws and improve security.
Hacker code of ethics: breaking into another person's computer is ethically acceptable as long as they don't commit theft, damage, or breach of confidentiality.
-
Crackers
Person who violates system security with malicious intent
Have advanced knowledge of computers and networks and the skills to exploit them
Destroy data, deny legitimate users of service, or otherwise cause serious problems on computers and networks
Crackers are often mistakenly called hackers
-
Script Kiddies
Break into computers to create damage
Are unskilled users
Download automated hacking software from Web sites and use it to break into computers
Tend to be young computer users with almost unlimited amounts of free time, which they can use to attack systems
-
Spies
Person hired to break into a computer and steal information
Do not randomly search for unsecured computers to attack
Hired to attack a specific computer that contains sensitive information
Motivation is almost always financial.
-
Employees
One of the largest information security threats to business
Employees break into their company's computer for these reasons:
To show the company a weakness in their security
To say, "I'm smarter than all of you"
For money
A dissatisfied employee wanting to get back at the company
-
Cyberterrorists
Experts fear terrorists will attack the network and computer infrastructure to cause panic
Cyberterrorists' motivation may be defined as ideology, or attacking for the sake of their principles or beliefs
One of the targets highest on the list of cyberterrorists is the Internet itself
-
Cyberterrorists (continued)
Three goals of a cyberattack:
Deface electronic information to spread disinformation and propaganda
Deny service to legitimate computer users
Commit unauthorized intrusions into systems and networks that result in critical infrastructure outages and corruption of essential data
-
Developing Attacker Profiles (continued)
-
Attack Classifications
Passive attacks: attacker's goal is to obtain information
Attacker doesn't modify data or harm the system.
The system continues its normal operation.
Difficult to detect.
Which principle, goal, or information characteristic does this class of attacks threaten?
-
Attack Classifications
Active attacks: attacker may change the data or harm the system.
Easier to detect.
Which principle, goal, or information characteristic does this class of attacks threaten?
-
Attack Categories
Basic attacks
Identity attacks
Denial of service (DoS)
Malicious code
-
Understanding Basic Attacks
Today, the global computing infrastructure is the most likely target of attacks
Attackers are becoming more sophisticated, moving away from searching for bugs in specific software applications toward probing the underlying software and hardware infrastructure itself
-
Understanding Basic Attacks
Social engineering
Password guessing
Software exploitation
Weak keys
Mathematical attacks
-
Social Engineering
Easiest way to attack a computer system; requires almost no technical ability and is usually highly successful
Social engineering relies on tricking and deceiving someone to access a system
Social engineering is not limited to telephone calls or dated credentials
Examples: customer service representative, help desk personnel, etc.
-
Social Engineering (continued)
Phishing: sending people electronic requests for information that appear to come from a valid source
-
Social Engineering (continued)
Phishing attack examples:
8/3/2019 Attackers and Their Attacks Security Basic
21/105
Develop strong instructions or company policies
regarding:
When passwords are given out
Social Engineering (continued)
21
What to do when asked questions by anotheremployee that may reveal protected information
Educate all employees about the policies and ensure
that these policies are followed
-
Password Guessing
Password: secret combination of letters and numbers that validates or authenticates a user
Passwords are used with usernames to log on to a system using a dialog box
Attackers attempt to exploit weak passwords by password guessing
-
Password Guessing (continued)
-
Password Guessing (continued)
Characteristics of weak passwords:
Using a short password (XYZ)
Using a common word (blue)
Using personal information (name of a pet)
Using the same password for all accounts
Writing the password down and leaving it under the mouse pad or keyboard
Not changing passwords unless forced to do so
-
Password Guessing (continued)
Password exploitation attacks:
1. Brute force: attacker attempts to create every possible password combination by changing one character at a time, and tries each combination against the system.
E.g. Password = 6523.
Possible combinations are 10x10x10x10 = 10,000
A personal computer can create more than 1,000,000 combinations per second.
-
Password Guessing (continued)
Password exploitation attacks:
1. Brute force: time calculations (at 1,000,000 combinations per second)
Four digits = 10x10x10x10 = 10,000 (0.01 second)
Four capital letters = 26x26x26x26 = 456,976 (0.45 second)
Four capital and small letters = 52x52x52x52 = 7,311,616 (7.3 seconds)
Four digits, capital and small letters = 62x62x62x62 = 14,776,336 (14.7 seconds)
Four digits, special characters (10), capital and small letters = 72x72x72x72 = 1,934,917,632 (32 minutes)
Eight digits, special characters (10), capital and small letters = 72x72x72x72x72x72x72x72 = 722,204,136,308,736 (23 years)
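An added example (not from the slides) that generalizes the table above: it classifies any password into the slide's character classes (10 digits, 26 capitals, 26 small letters, 10 special characters), computes the keyspace as charset size to the power of the length, and divides by the slide's 1,000,000 guesses per second. The particular ten symbols in the special class are an assumption. Note that the slide's 1,934,917,632 figure is 72^5, not 72^4 (which is 26,873,856); the code reproduces both.

```python
# Brute-force keyspace and exhaust-time estimator following the slide's model:
# keyspace = charset_size ** length, time = keyspace / guesses_per_second.
from dataclasses import dataclass
from string import ascii_lowercase, ascii_uppercase, digits

# The slide counts 10 "special characters"; which ten is not stated, so this
# set is a constructed assumption used only to classify sample passwords.
SPECIAL = "!@#$%^&*()"
CLASSES = {
    "digits": set(digits),            # 10
    "upper": set(ascii_uppercase),    # 26
    "lower": set(ascii_lowercase),    # 26
    "special": set(SPECIAL),          # 10
}
SLIDE_RATE = 1_000_000  # guesses per second, the figure used on the slide


@dataclass
class Estimate:
    charset: int   # size of the alphabet an attacker must iterate
    keyspace: int  # number of candidate passwords of this length
    seconds: float # time to try every candidate at the given rate


def charset_size(password: str) -> int:
    """Size of the smallest slide-style alphabet containing every character."""
    unknown = [c for c in password
               if not any(c in chars for chars in CLASSES.values())]
    if unknown:
        raise ValueError(f"characters outside the modelled classes: {unknown!r}")
    # A class counts in full as soon as one of its characters is used,
    # exactly as the slide's rows do (e.g. one digit makes the alphabet 62).
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(charset: int, length: int) -> int:
    """Number of strings of the given length over an alphabet of that size."""
    return charset ** length


def estimate(password: str, rate: int = SLIDE_RATE) -> Estimate:
    """Worst-case exhaustive search time for a password of this shape."""
    cs = charset_size(password)
    ks = keyspace(cs, len(password))
    return Estimate(cs, ks, ks / rate)


def human(seconds: float) -> str:
    """Render a duration roughly the way the slide's right-hand column does."""
    for unit, span in (("years", 365 * 24 * 3600), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:.1f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    # Constructed samples, one per row of the slide's table.
    for pw in ("6523", "ABCD", "aBcD", "a1B2", "a1B$", "a1B$c2D%"):
        e = estimate(pw)
        print(f"{pw:10} charset={e.charset:3} keyspace={e.keyspace:,} "
              f"time={human(e.seconds)}")
```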
-
Password Guessing (continued)
Password exploitation attacks:
2. Dictionary attack: takes each word from a dictionary and encodes it (hashing) in the same way the
-
Password Guessing (continued)
Password exploitation attacks:
3. Software exploitation: takes advantage of any weakness in software to bypass security requiring a
Buffer overflow: occurs when a computer program attempts to stuff more data into a temporary storage area than it can hold
SQL injection.
Defenses: code review, code testing and IDS.
-
Weak Keys
Encryption: changing the original text to a secret message using cryptography
Success of cryptography depends on the process used to encrypt and decrypt messages
Process is based on algorithms
-
Weak Keys (continued)
Algorithm is given a key that it uses to encrypt the message
Any mathematical key that creates a detectable pattern or structure (weak keys) provides an attacker with valuable information to break the encryption
-
Mathematical Attacks
Cryptanalysis: process of attempting to break an encrypted message
Mathematical attack: analyzes characters in an encrypted text to discover the keys and decrypt the data
-
Examining Identity Attacks
Category of attacks in which the attacker attempts to assume the identity of a valid user.
Man-in-the-middle attacks.
Replay attacks.
TCP/IP hijacking.
-
Man-in-the-Middle Attacks
Make it seem that two computers are communicating with each other, when actually they are sending and receiving data with a computer between them
-
Man-in-the-Middle Attacks
Can be active or passive:
Passive attack: attacker captures sensitive data being transmitted and sends it to the original recipient without altering it
Active attack: contents of the message are intercepted and altered before being sent on
-
Man-in-the-Middle Attacks
Defenses:
Educate users
Deploy PKI
Secure the DNS
Secure the wiring/wireless access (e.g. use network devices that are prohibited from forwarding redirected messages)
Mutual authentication between the end points.
-
TCP/IP Hijacking
In TCP/IP hijacking, an attacker sets up a device on the network that tricks other devices on the network into sending their packets to it instead of where they are intended to go.
TCP/IP hijacking uses a technique called spoofing.
Spoofing is basically the act of pretending to be something you are not (e.g. the legitimate owner)
One particular type of spoofing is Address Resolution Protocol (ARP) spoofing
-
TCP/IP Hijacking (continued)
Each computer using TCP/IP must have a unique IP address.
Certain types of local area networks (LANs), such as Ethernet, must also have another address, called the media access control (MAC) address, to move information around the network
Computers on a network keep a table that links an IP address with the corresponding MAC address
In ARP spoofing, a hacker changes the table so packets are redirected to his computer.
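An added example (not from the slides) showing how a defender can spot the symptom just described, the IP-to-MAC table changing under an attacker's replies. It replays a constructed sequence of observed ARP replies (as a passive monitor or repeated "arp -a" snapshots would provide) and raises an alert when an IP's MAC changes, when a reply contradicts a static known-good binding, or when one MAC claims several IPs. Addresses and the trusted gateway binding are constructed sample values.

```python
# ARP-spoofing detector over a log of observed ARP replies (sender IP, sender MAC).
from collections import defaultdict

# Constructed sample, in time order. The gateway 192.168.1.1 is first announced
# by ...:01; later the host that owns 192.168.1.50 (...:99) starts claiming it,
# which is exactly the table rewrite the slide describes.
OBSERVED_REPLIES = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.50", "aa:bb:cc:00:00:99"),
    ("192.168.1.1",  "aa:bb:cc:00:00:99"),   # gateway IP now maps to another MAC
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
]

# Constructed static binding for the critical host (what "arp -s" style pinning
# or a switch's DHCP-snooping table would hold for the gateway).
TRUSTED_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def analyse_arp(replies, trusted=None):
    """Return a list of alert strings for suspicious IP-to-MAC bindings.

    replies: iterable of (ip, mac) as seen on the wire, oldest first.
    trusted: optional {ip: mac} of static known-good bindings, checked first so
             a poisoned entry for a critical host is flagged even on first sight.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    table = {}                      # ip -> mac, as a host's ARP cache would hold it
    ips_per_mac = defaultdict(set)  # mac -> every IP it has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and trusted[ip] != mac:
            alerts.append(f"{ip}: reply from {mac} conflicts with static binding "
                          f"{trusted[ip]}")
        if ip in table and table[ip] != mac:
            alerts.append(f"{ip}: MAC changed {table[ip]} -> {mac}")
        table[ip] = mac
        ips_per_mac[mac].add(ip)
    # A single interface legitimately answering for several IPs is rare on a
    # client LAN; an attacker answering for the gateway and itself is the usual case.
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac}: claims multiple IPs {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in analyse_arp(OBSERVED_REPLIES, TRUSTED_BINDINGS):
        print("ALERT", alert)
```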
-
TCP/IP Hijacking (continued)
-
Identifying Denial of Service Attacks
Denial of service (DoS) attack attempts to make a server or other network device unavailable by flooding it with requests
After a short time, the server runs out of resources and can no longer function.
DoS attacks:
SYN attack
Ping attack
Distributed DoS (DDoS).
-
Identifying Denial of Service Attacks (continued)
SYN attack:
Diagram: Normal Operation versus SYN Flood
-
Identifying Denial of Service Attacks (continued)
Ping attack:
Another DoS attack tricks computers into responding to a false request
An attacker can send a request to all computers on the network making it appear a server is asking for a response.
Each computer then responds to the server, overwhelming it, and causing the server to crash or be unavailable to legitimate users.
-
Identifying Denial of Service Attacks (continued)
Distributed denial-of-service (DDoS) attack:
Instead of using one computer, a DDoS may use hundreds or thousands of computers
DDoS works in stages
-
Understanding Malicious Code (Malware)
Consists of computer programs designed to break into computers.
Most common types:
Viruses
Worms
Logic bombs
Trojan horses
Back doors
-
Viruses
Programs that secretly attach to another document or program and execute when that document or program is opened
Might contain instructions that cause problems, up to erasing files from a hard drive or causing a computer to crash repeatedly
-
Viruses (continued)
Types of viruses:
Boot-sector: this type of virus is placed into the first sector of the hard drive so that it runs when the computer boots.
Polymorphic: this type of virus can change form each time it is executed.
Macro: this type of virus is inserted into a Microsoft Office document and emailed to unsuspecting users.
-
Viruses (continued)
Types of viruses:
Stealth virus: attempts to avoid detection by redirecting commands around itself and reporting a different file size
Retrovirus: an anti-antivirus; attacks your antivirus software and potentially destroys the virus definition file of your antivirus software.
Multipartite virus: attacks your system in multiple ways
-
Viruses (continued)
Antivirus software defends against viruses.
Drawback of antivirus software is that it must be updated to recognize new viruses
Updates (definition files or signature files) can be downloaded automatically from the Internet to a user's computer
-
Worms
Although similar in nature, worms are different from viruses in two regards:
A virus attaches itself to a computer document, such as an e-mail message, and spreads with the document
A virus needs the user to perform some type of action, such as starting a program or reading an e-mail message, to start the infection
-
Worms (continued)
Worms are usually distributed via e-mail attachments as separate executable programs
In many instances, reading the e-mail message starts the worm
If the worm does not start automatically, attackers can trick the user to start the program and launch the worm
-
Logic Bombs
Computer program that lies dormant until triggered by a specific event, for example:
A certain date being reached on the system calendar
A person's rank in an organization dropping below a specified level
-
Trojan Horses
Programs that hide their true intent and then reveal themselves when activated
Common strategies:
Combining two or more executable programs into a single filename
-
Trojan Horses (continued)
Defend against Trojan horses with the following products:
Antivirus tools, which are one of the best defenses
Special software that alerts you to the existence of a Trojan horse program
Anti-Trojan horse software that disinfects a computer containing a Trojan horse
-
Back Doors
Secret entrances into a computer of which the user is unaware
Hidden account, unmonitored, unlogged
Created by software manufacturer or crackers
Many viruses and worms install a back door allowing a remote user to access a computer without the legitimate user's knowledge or permission
-
Summary
Six categories of attackers: hackers, crackers, script kiddies, spies, employees, and cyberterrorists
Password guessing is a basic attack that attempts to learn a user's password by a variety of means
Cryptography uses an algorithm and keys to encrypt and decrypt messages
-
Summary (continued)
Identity attacks attempt to assume the identity of a valid user
Denial of service (DoS) attacks flood a server or device with requests, making it unable to respond to valid requests
Malicious code (malware) consists of computer programs intentionally created to break into computers or to create havoc on computers
-
Security Basics
-
Identifying Who Is Responsible for Information Security
When an organization secures its information, it completes a few basic tasks:
It must analyze its assets and the threats these assets face from threat agents
It identifies its vulnerabilities and how they might be exploited
It regularly assesses and reviews the security policy to ensure it is adequately protecting its information
-
Identifying Who Is Responsible for Information Security (cont.)
Although the tasks involved in securing information are clear, in many organizations the responsibility for performing them is not.
Because the threat of security attacks is huge and an attack can cost a lot of money in lost productivity, organizations should identify personnel who perform security tasks, and make these tasks a primary responsibility.
-
Identifying Who Is Responsible for Information Security (cont.)
Bottom-up approach: major tasks of securing information are accomplished from the lower levels (grassroots workers) of the organization upwards
This approach has one key advantage: the bottom-level employees have the technical expertise to understand how to secure information
It has a weakness: without approval from top levels of management, security schemes created by grassroots workers have a small chance of success.
-
Identifying Who Is Responsible for Information Security (cont.)
-
Identifying Who Is Responsible for Information Security (cont.)
Top-down approach: starts at the highest levels of the organization and works its way down
Advantage: the security plan initiated by top-level managers has the backing to make the plan work (funding and timing have a high level of support)
-
Identifying Who Is Responsible for Information Security (cont.)
Chief information security officer (CISO): helps develop the security plan and ensures it is carried out
Human firewall: describes the security-enforcing role of each employee
-
Understanding Security Principles
Ways information can be attacked:
Crackers can launch distributed denial-of-service (DDoS) attacks through the Internet
Spies can use social engineering
Employees can guess other users' passwords
Hackers can create back doors
-
Understanding Security Principles (cont.)
Protecting against the wide range of attacks calls for a wide range of defense mechanisms:
Layering
Limiting
Diversity
Obscurity
Simplicity
-
Layering
A layered security approach has the advantage of creating a barrier of multiple defenses that can be coordinated to prevent a variety of attacks
Information security likewise must be created in layers
All the security layers must be properly coordinated to be effective
-
Limiting
Limiting access to information reduces the threat against it
Only those who must use data should have access to it
Access must be limited for a subject (a person or a computer program running on a system) to interact with an object (a computer or a database stored on a server)
The amount of access granted to someone should be limited to what that person needs to know or do
-
Limiting (cont.)
-
Diversity
Diversity is closely related to layering
You should protect data with diverse layers of security, so if attackers penetrate one layer, they cannot use the same techniques to break through all other layers
Using diverse layers of defense means that breaching one security layer does not compromise the whole system
-
Diversity (cont.)
You can set a firewall to filter a specific type of traffic, such as all inbound traffic, and a second firewall on the same system to filter another traffic type, such as outbound traffic
Using firewalls produced by different vendors creates even greater diversity
Using both physical and electronic security measures.
-
Obscurity
Obscuring what goes on inside a system or organization and avoiding clear patterns of behavior make attacks from the outside difficult
It is sometimes criticized as being weak (when used alone)
-
Simplicity
Complex security systems can be difficult to understand, troubleshoot, and feel secure about
The challenge is to make the system simple from the inside but complex from the outside
-
Using Effective Authentication Methods
Information security rests on three key pillars (AAA):
Authentication: prove your identity
Identification vs. authentication:
Identification is the process whereby a network element recognizes a valid user's identity.
Authentication is the process of verifying the claimed identity of a user.
Authorization/access control: what you are permitted to do
Accounting/auditing: tracks what has been done
-
Using Effective Authentication Methods (cont.)
Authentication:
Process of proving identity
i.e. are you Sara?
Can be classified into three main categories:
What you know (password)
What you have (key, card, token)
What you are (fingerprint)
-
Authentication Methods
Username and password
Biometric
Certificate
Kerberos
CHAP
Token
Mutual authentication
Multifactor authentication
-
Username and Password
Most popular method and the weakest.
ID management (single sign-on, SSO):
User's single authenticated ID is shared across multiple networks or online businesses
Attempts to address the problem of users having individual usernames and passwords for each account (thus resorting to simple passwords that are easy to remember)
Can be for users and for computers that share data
-
Username and Password (cont.)
Issues:
Retention (how long to keep the same password!)
Guessing
Spyware/keylogger
How to improve?
Long password/passphrase
Combination of numbers, letters, symbols
Different passwords for different accounts
Change frequently
Do not share it!
Do not write it down next to the access point
-
Tokens (cont.)
Proximity card: plastic card with an embedded, thin metal strip that emits a low-frequency, short-wave radio signal
-
Tokens (cont.)
Drawback:
Can be stolen.
Solution:
PIN and password
-
Biometrics
Uses a person's unique characteristics to authenticate them
Is an example of authentication based on what you are
Human characteristics that can be used for identification include:
Fingerprint
Face
Hand geometry
Iris
Retina
Voice
-
Biometrics (cont.)
-
Biometrics (cont.)
Drawbacks:
Expensive
Sometimes inaccurate (false positives, false negatives)
Human characteristics can be stolen
-
Certificates
The key system does not prove that the senders are actually who they claim to be
Certificates let the receiver verify who sent the message
Certificates link or bind a specific person to a key
Digital certificates are issued by a certification authority (CA), an independent third-party organization
-
Certificates (cont.)
-
Kerberos
Authentication system developed by the Massachusetts Institute of Technology (MIT)
Used to verify the identity of networked users, like using a driver's license to cash a check
Typically used when someone on a network attempts to use a network service and the service wants assurance that the user is who he says he is
-
Kerberos (cont.)
A state agency, such as the DMV, issues a driver's license that has these characteristics:
It is difficult to copy
It contains specific information (name, address, height, etc.)
It lists restrictions (must wear corrective lenses, etc.)
It expires on a specified date
The user is provided a ticket that is issued by the Kerberos authentication server (AS), much as a driver's license is issued by the DMV
Achieves single sign-on (SSO), or the ability to log on once and access all necessary resources without having to log on again
-
Kerberos (cont.)
Weaknesses:
Single point of failure (availability)
Vulnerable to password guessing
-
Challenge Handshake Authentication Protocol (CHAP)
Considered a more secure procedure for connecting to a system than using a password
User enters a password and connects to a server; server sends a challenge message to the user's computer
User's computer receives the message and uses a specific algorithm to create a response sent back to the server
Server checks the response by comparing it to its own calculation of the expected value; if the values match, authentication is acknowledged; otherwise, the connection is terminated
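An added example (not from the slides) that runs the exchange just described with both sides in one script: the server issues a challenge, the client answers, and the server compares the answer with its own calculation. The slide only says "a specific algorithm"; this code uses the MD5 construction of RFC 1994 CHAP (MD5 over identifier, secret and challenge), which is an assumption about the variant meant. It also shows why the fresh challenge matters: a captured response replayed against a new challenge is rejected. User names and secrets are constructed.

```python
# CHAP handshake, authenticator and peer, with replay demonstration.
from __future__ import annotations
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Server:
    """Authenticator: knows each user's secret, issues challenges, verifies answers."""

    def __init__(self, secrets: dict[str, bytes]):
        self._secrets = secrets
        self._pending: dict[str, tuple[int, bytes]] = {}  # user -> (id, challenge)
        self._next_id = 0

    def challenge(self, user: str) -> tuple[int, bytes]:
        # A fresh random challenge per attempt is what defeats replay: a captured
        # response is only correct for the challenge it was computed over.
        self._next_id = (self._next_id + 1) % 256
        chal = os.urandom(16)
        self._pending[user] = (self._next_id, chal)
        return self._next_id, chal

    def verify(self, user: str, identifier: int, response: bytes) -> bool:
        pending = self._pending.pop(user, None)        # each challenge is single-use
        secret = self._secrets.get(user)
        if pending is None or secret is None or pending[0] != identifier:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)  # constant-time comparison


class Client:
    """Peer: holds the user's secret; only the derived response goes on the wire."""

    def __init__(self, user: str, secret: bytes):
        self.user, self._secret = user, secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self._secret, challenge)


def run_exchange(server: Server, client: Client) -> bool:
    """One full handshake: Challenge -> Response -> Success/Failure."""
    ident, chal = server.challenge(client.user)
    resp = client.respond(ident, chal)
    return server.verify(client.user, ident, resp)


def run_replay(server: Server, client: Client) -> bool:
    """Capture a valid response, then reuse it against a new challenge."""
    ident, chal = server.challenge(client.user)
    captured = client.respond(ident, chal)
    server.verify(client.user, ident, captured)        # the genuine login succeeds
    new_ident, _ = server.challenge(client.user)
    return server.verify(client.user, new_ident, captured)  # replay is rejected


# Constructed credentials for the demonstration.
SECRETS = {"sara": b"correct horse battery staple"}

if __name__ == "__main__":
    srv = Server(SECRETS)
    print("good secret:", run_exchange(srv, Client("sara", SECRETS["sara"])))
    print("wrong secret:", run_exchange(srv, Client("sara", b"guess")))
    print("replayed response:", run_replay(srv, Client("sara", SECRETS["sara"])))
```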
-
Challenge Handshake Authentication Protocol (CHAP) (cont.)
-
Mutual Authentication
Two-way authentication (mutual authentication) can be used to combat identity attacks, such as man-in-the-middle and replay attacks
The server authenticates the user through a password, tokens, or other means; and the server is likewise authenticated.
-
Mutual Authentication (cont.)
-
Multifactor Authentication
Multifactor authentication: implementing two or more types of authentication
Being strongly proposed to verify the authentication of cell phone users who use their phones to purchase goods and services
-
Controlling Access to Computer Systems
After using authentication to verify that a user is who he claims to be, restricting the user to access only the resources he needs to do his job (access control) is needed.
Restrictions to user access are stored in an access control list (ACL)
An ACL is a table in the operating system that contains the access rights each subject (a user or device) has to a particular system object (a folder or file)
-
Controlling Access to Computer Systems (cont.)
In Microsoft Windows, an ACL has one or more access control entries (ACEs) consisting of the name of a subject or group of subjects
Inherited rights: user rights based on membership in a group
Example ACL:
Subject         File-A                 File-B                 File-C
Administrator   Read, write, execute   Read, write, execute   Read, write, execute
User1           Read, write            Read, write            Read
User2           Read
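An added example (not from the slides) that evaluates an ACL built from ACEs the way the slide describes, with rights inherited through group membership. The ACL data reproduces the table above; the "Users" group, the group ACE on File-C, the deny ACE on File-B and the rule that an explicit deny overrides any allow are constructed assumptions added to show how inheritance and precedence play out.

```python
# ACL evaluation: ACEs for users or groups, inherited rights, default deny.
from dataclasses import dataclass


@dataclass(frozen=True)
class ACE:
    subject: str            # a user or a group name
    rights: frozenset       # subset of {"read", "write", "execute"}
    allow: bool = True      # False marks an explicit deny entry


RWX = frozenset({"read", "write", "execute"})
RW = frozenset({"read", "write"})
R = frozenset({"read"})

# Constructed group membership: both ordinary users belong to "Users".
GROUPS = {"Users": {"User1", "User2"}}

# object -> ACEs. Rows follow the slide's table; the "Users" ACE on File-C and
# the deny ACE on File-B are constructed additions.
ACLS = {
    "File-A": [ACE("Administrator", RWX), ACE("User1", RW), ACE("User2", R)],
    "File-B": [ACE("Administrator", RWX), ACE("User1", RW),
               ACE("User2", R, allow=False)],
    "File-C": [ACE("Administrator", RWX), ACE("User1", R), ACE("Users", R)],
}


def principals(user: str, groups=GROUPS) -> set:
    """The user plus every group it belongs to: the sources of inherited rights."""
    return {user} | {g for g, members in groups.items() if user in members}


def effective_rights(user: str, obj: str, acls=ACLS, groups=GROUPS) -> set:
    """Union of allow ACEs matching the user or its groups, minus any deny ACE."""
    subjects = principals(user, groups)
    allowed, denied = set(), set()
    for ace in acls.get(obj, []):
        if ace.subject in subjects:
            (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied


def check_access(user: str, obj: str, right: str, acls=ACLS, groups=GROUPS) -> bool:
    """Default deny: an unknown object or an unlisted subject gets nothing."""
    return right in effective_rights(user, obj, acls, groups)


if __name__ == "__main__":
    for user in ("Administrator", "User1", "User2", "Guest"):
        for obj in ACLS:
            print(f"{user:14} {obj}: {sorted(effective_rights(user, obj))}")
```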
-
Access Control Models
Mandatory Access Control (MAC)
Role Based Access Control (RBAC)
Discretionary Access Control (DAC)
-
Mandatory Access Control (MAC)
A more restrictive model
The subject is not allowed to give another subject access to use an object
If applied right, the network can be truly locked down
For highly sensitive data.
It requires a lot of administrative overhead to manage and maintain.
-
Role Based Access Control (RBAC)
Instead of setting permissions for each user or group, you can assign permissions to a position or role and then assign users and other objects to that role
Users and objects inherit all of the permissions for the role
-
Discretionary Access Control (DAC)
Least restrictive model
One subject can adjust the permissions for other subjects over objects
Type of access most users associate with their personal computers
-
Auditing Information Security Schemes
Two ways to audit a security system:
Logging records which user performed a specific activity and when
System scanning to check permissions assigned to a user or role; these results are compared to what is expected to detect any differences
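An added example (not from the slides) of the two audit methods just listed: a permission scan compared against the expected baseline to list every difference, and a review of the log to attribute each difference to the user and time of the change that introduced it. The baseline, the scan result, the log format and the log lines are all constructed samples.

```python
# Audit: diff scanned permissions against the baseline, then explain each
# deviation from the activity log.
from collections import defaultdict
import re

# Expected permissions (what the policy says): object -> subject -> rights.
EXPECTED = {
    "File-A": {"Administrator": {"read", "write", "execute"},
               "User1": {"read", "write"}, "User2": {"read"}},
    "File-B": {"Administrator": {"read", "write", "execute"},
               "User1": {"read", "write"}},
}

# Constructed result of a permission scan of the live system.
SCANNED = {
    "File-A": {"Administrator": {"read", "write", "execute"},
               "User1": {"read", "write", "execute"},   # extra right
               "User2": {"read"}},
    "File-B": {"Administrator": {"read", "write", "execute"},
               "User1": {"read"},                        # missing right
               "Guest": {"read"}},                       # unexpected subject
}

# Constructed log lines: timestamp actor action object target right
LOG_LINES = """\
2019-08-03T09:12:01Z Administrator GRANT File-A User1 execute
2019-08-03T09:40:22Z User1 READ File-B - -
2019-08-03T11:05:47Z Administrator REVOKE File-B User1 write
2019-08-03T11:06:03Z Administrator GRANT File-B Guest read
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (GRANT|REVOKE|READ|WRITE) (\S+) (\S+) (\S+)$")


def scan_differences(expected, scanned):
    """Return (obj, subject, right, kind) for every deviation from the baseline;
    kind is "extra" (present but not expected) or "missing" (expected but absent)."""
    diffs = []
    for obj in sorted(set(expected) | set(scanned)):
        exp, act = expected.get(obj, {}), scanned.get(obj, {})
        for subject in sorted(set(exp) | set(act)):
            e, a = exp.get(subject, set()), act.get(subject, set())
            diffs += [(obj, subject, r, "extra") for r in sorted(a - e)]
            diffs += [(obj, subject, r, "missing") for r in sorted(e - a)]
    return diffs


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, actor, action, obj, target, right = m.groups()
            events.append({"ts": ts, "actor": actor, "action": action,
                           "obj": obj, "target": target, "right": right})
    return events


def attribute(diffs, events):
    """Map each scan deviation to (actor, time) of the latest log event that
    explains it (a GRANT for an extra right, a REVOKE for a missing one), or None."""
    changes = defaultdict(list)
    for ev in events:
        if ev["action"] in ("GRANT", "REVOKE"):
            changes[(ev["obj"], ev["target"], ev["right"])].append(ev)
    report = {}
    for obj, subject, right, kind in diffs:
        wanted = "GRANT" if kind == "extra" else "REVOKE"
        cause = [e for e in changes.get((obj, subject, right), [])
                 if e["action"] == wanted]
        report[(obj, subject, right, kind)] = (
            (cause[-1]["actor"], cause[-1]["ts"]) if cause else None)
    return report


if __name__ == "__main__":
    findings = attribute(scan_differences(EXPECTED, SCANNED), parse_log(LOG_LINES))
    for (obj, subject, right, kind), cause in findings.items():
        print(f"{obj} {subject} {right}: {kind}; changed by {cause}")
```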
-
Summary
Creating and maintaining a secure environment cannot be delegated to one or two employees in an organization
Major tasks of securing information can be accomplished using a bottom-up approach, where the security effort originates with low-level employees and moves up the organization chart to the CEO
In a top-down approach, the effort starts at the highest levels of the organization and works its way down
-
Summary (cont.)
Basic principles for creating a secure environment: layering, limiting, diversity, obscurity, and simplicity
Basic pillars of security:
Authentication: verifying that a person requesting access to a system is who he claims to be
Access control: regulating what a subject can do with an object
Auditing: review of the security settings