The following guidelines will guard against someone finding out your password and using
your account illegally:
1. Make your password as long as possible. The longer it is, the more difficult it will be to
attack the password with a brute-force search, because every added character multiplies the
attacker's work by the size of the alphabet. Always use at least 6 characters in your
password, at least two of which are numeric; treat six as a floor, not a target.
2. Use as many different characters as possible when forming your password. Use
numbers, punctuation characters and, when possible, mixed upper- and lower-case letters.
Choosing characters from the largest possible alphabet makes each position harder to
guess.
3. Do not use personal information in your password that someone else is likely to be able
to figure out. Obviously, things like your name, phone number, and address are to be
avoided. Even names of acquaintances and the like should not be used.
4. Do not use words, geographical names, or biographical names that are listed in standard
dictionaries; a password cracker tries every dictionary entry before it tries anything else.
5. Never use a password that is the same as your account number.
6. Do not use passwords that are easy to spot while you're typing them in. Passwords like
12345, qwerty (keys that sit right next to each other), or nnnnnn should be avoided.
7. Change your password on a regular basis. Changing your password every 30 days is a
good rule of thumb, and you should never go longer than 90 days before picking a new
password. Do not reuse any previous password you have used. The longer you wait
before changing passwords, the more difficult it will be to get used to the new one. Note
that current guidance (NIST SP 800-63B) favours changing a password when compromise is
suspected rather than on a fixed schedule, because forced rotation pushes users toward
predictable variations of the old one.
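The checks in rules 1 to 6 can be enforced mechanically at the moment a password is chosen. The following is an added example, not code from the original page: it implements those rules and also reports the brute-force search space that rules 1 and 2 are about (log2 of alphabet size to the power of length). The dictionary, the keyboard rows and the sample passwords are constructed for the example; a deployment would load a real word list. Rule 7 (rotation) is a process matter and is not checked here.

```python
import math
import re
import string
from typing import List, Tuple

# Constructed stand-in for a real dictionary (assumption: a deployment would load
# a system word list or a cracking wordlist such as the ones john/hashcat use).
DICTIONARY = {"password", "secret", "london", "welcome", "summer", "dragon"}

# Keyboard rows used to detect adjacent-key sequences such as "qwerty" or "12345".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

MIN_LENGTH = 6   # the page's floor; treat it as a minimum, not a target
MIN_DIGITS = 2


def alphabet_size(password: str) -> int:
    """Size of the character set the password draws from (rule 2)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the brute-force search space, alphabet_size ** length (rules 1-2)."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def has_keyboard_run(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters are neighbours on a keyboard row,
    in either direction (rule 6: "qwerty", "12345")."""
    p = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            segment = row[i:i + run]
            if segment in p or segment[::-1] in p:
                return True
    return False


def has_repeated_char(password: str, run: int = 4) -> bool:
    """True if one character repeats `run` or more times in a row ("nnnnnn")."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def contains_dictionary_word(password: str) -> bool:
    """Rule 4, including the 'reversed word' trick: strip digits and symbols,
    then look the core up forwards and backwards."""
    core = re.sub(r"[^a-z]", "", password.lower())
    return any(c in DICTIONARY for c in (password.lower(), core, core[::-1]) if c)


def check_password(password: str, personal: Tuple[str, ...] = (),
                   account_number: str = "") -> List[str]:
    """Return the guideline violations for `password`; an empty list means it
    passes rules 1 to 6.  `personal` carries strings such as the user's name
    or phone number (rule 3); `account_number` covers rule 5."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    if alphabet_size(password) <= 26:
        problems.append("uses a single character class")
    lowered = password.lower()
    for item in personal:
        digits = re.sub(r"\D", "", item)
        if (item and item.lower() in lowered) or (len(digits) >= 4 and digits in password):
            problems.append(f"contains personal information ({item})")
    if contains_dictionary_word(password):
        problems.append("based on a dictionary word")
    if account_number and password == account_number:
        problems.append("same as the account number")
    if has_keyboard_run(password):
        problems.append("contains a keyboard sequence")
    if has_repeated_char(password):
        problems.append("contains a run of one repeated character")
    return problems


if __name__ == "__main__":
    for pw in ("qwerty", "nogarD21", "Tr4!nSt0p&Go"):
        print(pw, round(brute_force_bits(pw), 1), "bits:", check_password(pw) or "ok")
```

The search-space figure shows why rules 1 and 2 work together: a 12-character password drawn from all four classes has a search space of roughly 2^79, while a 6-character all-digit one has about 2^20, which a cracker exhausts instantly.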
User education. Tell users why hard-to-guess passwords matter and give them guidelines for
selecting strong ones. This strategy is unlikely to be successful on its own at most
installations, particularly where there is a large user population or a lot of turnover. Many
users will simply ignore the guidelines, and many have poor judgment about what makes a
password strong. For example, many users think that reversing a word or capitalising its last
letter makes a password un-guessable.
Reactive password checking. In this scheme the system periodically runs its own password
cracker against its password file to find guessable passwords. If it finds one, the system
cancels it and notifies the user. This method has a number of drawbacks. It is resource
intensive if the job is done right: a determined opponent who has stolen the password file can
dedicate full CPU time to the task for hours or even days, so a reactive checker that runs only
occasionally is at a disadvantage. Furthermore, any existing weak password remains
vulnerable until the reactive checker finds it.
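A reactive checker is nothing more than the site running the attacker's tool against its own password file. The following is an added example, not code from the original page, showing the idea on constructed data: a small wordlist, the "mangling" rules users mistake for protection (reversal, capitalised last letter, appended digits), and a salted SHA-256 store. The hash function, user names and passwords are assumptions for the example; a real system would store passwords with a slow hash such as Argon2id or bcrypt, and the checker would use the same large wordlists as john or hashcat.

```python
import hashlib
import os
from typing import Dict, Iterator, Tuple

# Constructed wordlist; a real checker would feed the same large dictionaries
# an attacker uses (the lists shipped with john or hashcat).
WORDLIST = ["password", "welcome", "dragon", "london", "monkey", "summer"]


def hash_password(salt: bytes, password: str) -> str:
    """Salted SHA-256, used here only so the example runs offline.  Real
    password stores should use a slow, memory-hard hash (Argon2id, bcrypt),
    which raises the cost for the cracker and for this checker alike."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """The transformations users believe make a word un-guessable: reversal,
    capitalising the first or last letter, one or two trailing digits.  A
    cracker tries all of them, so none of them adds real strength."""
    bases = {word, word[::-1], word.capitalize(), word[:-1] + word[-1].upper()}
    for base in bases:
        yield base
        for n in range(100):
            yield f"{base}{n}"
            if n < 10:
                yield f"{base}0{n}"


def reactive_check(records: Dict[str, Tuple[bytes, str]]) -> Dict[str, str]:
    """Run the site's own dictionary attack over the stored hashes.  Returns
    the accounts whose passwords were recovered, i.e. the ones the system
    should cancel and whose owners it should notify."""
    cracked: Dict[str, str] = {}
    for user, (salt, digest) in records.items():
        for word in WORDLIST:
            for candidate in mangle(word):
                if hash_password(salt, candidate) == digest:
                    cracked[user] = candidate
                    break
            if user in cracked:
                break
    return cracked


def enroll(password: str) -> Tuple[bytes, str]:
    """Store a new password as (random salt, hash)."""
    salt = os.urandom(16)
    return salt, hash_password(salt, password)


# Constructed password file: three users who relied on the myths above, one
# who chose a password outside any wordlist.
SAMPLE_RECORDS = {
    "alice": enroll("nogard"),      # "dragon" reversed
    "bob": enroll("welcomE7"),      # last letter capitalised plus a digit
    "carol": enroll("Summer21"),
    "dave": enroll("Tr4!nSt0p&Go"),
}

if __name__ == "__main__":
    for user, pw in reactive_check(SAMPLE_RECORDS).items():
        print(f"cancel {user}: password {pw!r} was recovered")
```

Because every account has its own salt, the whole candidate set must be re-hashed per user, so the work grows as users times words times mangling rules. That is the resource cost the text refers to, and an opponent with a stolen copy of the file, who is not limited to the site's spare CPU cycles, gets through it first.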
Backdoor
An avenue that can be used to access a system while circumventing normal security
mechanisms and can often be used to install additional executable files that can lead to more
ways to access the compromised system
Dumpster diving
The process of going through a target's trash in hopes of finding valuable information that
might be used in a penetration attempt
Peer-to-peer (P2P)
A network model in which hosts connect directly to one another as equals rather than through a central server
Phishing
A type of social engineering in which an attacker attempts to obtain sensitive information
from a user by masquerading as a trusted entity in an e-mail or instant message sent to a large
group of often random users
Piggybacking
The simple tactic of following closely behind a person who has just used their own access
card or PIN to gain physical access to the facility without having to know the access code or
having to acquire an access card
Shoulder surfing
Involves the attacker directly observing the individual entering sensitive information on a
form, keypad, or keyboard
Social engineering
The process of convincing an authorized individual to provide confidential information or
access to an unauthorized individual
SPAM
Bulk unsolicited e-mail
Tailgating
Another name for piggybacking: following closely behind a person who has just used their
own access card or PIN to gain physical access to the facility without having to know the
access code or having to acquire an access card
Vishing
A variation of phishing that uses voice communication technology to obtain the
information the attacker is seeking
Shoulder surfing is a similar procedure in which attackers position themselves in such a way as
to be able to observe the authorized user entering the correct access code.
Both of these attack techniques can be easily countered by using simple procedures to
ensure nobody follows you too closely or is in a position to observe your actions.
Shoulder surfing uses direct observation techniques, such as looking over someone's
shoulder, to get information. It is an effective way to get information in crowded places
because it is relatively easy to stand next to someone and watch as they fill out a form or
enter a PIN at an ATM. Shoulder surfing can also be done from a distance with the aid of
binoculars or other vision-enhancing devices.
Note that strip shredders often produce documents that can be reconstructed, because the
strips usually end up in close physical proximity in the trash. Use cross-cut shredders whenever
possible.
Erase all media. Simply deleting files is not sufficient, since the data stays on the media until
it is overwritten; most crypto programs come with a "wipe" feature that overwrites the data 8 or
more times. CD-Rs cannot be erased. The best solution for them is physical destruction, for
example putting them in a microwave for 15 seconds (though disposal should still be careful,
because even then a dedicated attacker might still be able to glean some information from the
fragments).
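What a "wipe" feature does, as an added example that is not part of the original page: the file is overwritten in place several times with random data and fixed patterns, each pass is forced to disk, and the directory entry is renamed before it is unlinked so that the original file name does not survive either. The sample data and file names are constructed for the example. The caveat a practitioner needs: on SSDs (wear levelling), on journaling or copy-on-write filesystems, and wherever snapshots or backups exist, overwriting in place does not reach every copy of the data; there, encrypting the media and destroying the key, or destroying the media physically, is the reliable option.

```python
import os
import tempfile

PASSES = 8  # the page's figure; the pattern sequence below repeats as needed


def overwrite_file(path: str, passes: int = PASSES, chunk: int = 1 << 16) -> int:
    """Overwrite the file in place `passes` times, alternating random data and
    fixed patterns, forcing each pass to disk.  Returns the file size in bytes."""
    size = os.path.getsize(path)
    patterns = (None, b"\x00", b"\xff")   # None means fresh random bytes
    with open(path, "r+b") as f:
        for p in range(passes):
            pattern = patterns[p % len(patterns)]
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def wipe_file(path: str, passes: int = PASSES) -> int:
    """Overwrite the content, then rename to a meaningless name before
    unlinking so the original filename does not survive in the directory."""
    size = overwrite_file(path, passes)
    anon = os.path.join(os.path.dirname(path) or ".", os.urandom(8).hex())
    os.replace(path, anon)
    os.remove(anon)
    return size


def demo(passes: int = 2) -> dict:
    """Write a constructed secret to a temp file, overwrite it, confirm the
    secret is gone, then wipe it and confirm the directory is empty."""
    secret = b"ACCOUNT 4111-1111-1111-1111\n" * 100   # constructed sample data
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "statement.txt")
    with open(path, "wb") as f:
        f.write(secret)
    size = overwrite_file(path, passes)
    with open(path, "rb") as f:
        after = f.read()
    result = {
        "size": size,
        "length_unchanged": len(after) == len(secret),
        "secret_still_present": b"4111" in after,
        "wiped_size": wipe_file(path, passes),
        "file_exists": os.path.exists(path),
        "dir_empty": os.listdir(workdir) == [],
    }
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    print(demo())
```

The fsync after each pass matters: without it the operating system may merge the passes in its cache and write the media only once.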
Used airline tickets
Utility bills (telephone, gas, electric, water, cable TV, Internet)
1) Malware
a) Freeware and low-cost software downloaded from the Internet or distributed on floppy disks
or CDs can contain viruses that will infect your system and spread to other computers on the
network.
b) Lack of knowledge about the source of the software, so there is no basis for trusting it.
2) Spyware
Unauthorized software may contain spyware that captures information from the machine.
3) Piracy
a) Unauthorized software might be pirated (copied illegally), which could subject the
organization to penalties in case of a software audit.
b) Impact: the organization is subject to legal action and penalties.
4) Unsupported
a) Unauthorized software, once installed, is seldom kept current. The software may have no
known security flaws when installed, but attackers may later discover and exploit flaws. The
vendor corrects these flaws and releases an updated version, yet most users never update
software once it is installed, so the machine stays vulnerable to the known flaws.
b) You can expect no warranties or support for illegal software, leaving your organization on
its own to deal with any problems.
c) Impact
- If you have a technical issue in need of resolution, often a work-stopping issue, the
organization will not have the resources needed to rectify the situation. In addition, product
upgrades (less expensive upgrades of existing products) are not available.
- By violating or ignoring standard procedures, users create diversity among corporate
desktops and ultimately cause help desk headaches.
- It is not unusual for a help desk to come to the aid of users complaining of applications
that won't open, buggy versions of software, or machines that are out of memory, and then
discover that a great deal of the software isn't even supposed to be there.
Discretionary Access Control (DAC): Restricts access to objects based on the identity of
subjects and/or the groups they belong to. It is discretionary in that the owner of an object
decides who may access it and can pass that access on to others. UNIX file permissions, which
let the owner grant read, write and execute rights separately to the owner, the group and
everyone else, are the most common implementation.
Mandatory Access Control (MAC): Used in environments where information is classified at
different sensitivity levels, typically military and government systems. It is much more
restrictive than DAC: access is decided by comparing the subject's clearance with the object's
sensitivity label, and that formal authorization is set by the security administrator. Under MAC
the owner or user cannot decide whether access is granted; the operating system's security
mechanism controls access to all objects, and an individual cannot change that access.
Role Based Access Control (RBAC): Access permissions for objects on a computer or network
are not assigned to users directly. Instead a set of roles is defined, each role is given the
permissions necessary to perform it, and users are assigned to roles.
Different users are therefore granted different permissions to carry out their specific duties
according to their job classification.
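The three models differ in who is allowed to change the access decision, which is easiest to see in code. The following is an added example, not code from the original page: a UNIX-style rwx check where only the owner can chmod (DAC), a Bell-LaPadula label check with "no read up, no write down" that nobody but the administrator's labels control (MAC), and a role-to-permission mapping (RBAC). The users, roles, labels and objects are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Set


# ---- DAC: the owner decides, expressed as UNIX rwx bits ----------------------
@dataclass
class DacObject:
    owner: str
    group: str
    mode: int            # e.g. 0o640 == rw-r-----


def dac_permits(obj: DacObject, user: str, groups: Set[str], op: str) -> bool:
    """UNIX check: choose the owner, group or other triplet, then test the bit."""
    bit = {"read": 4, "write": 2, "execute": 1}[op]
    if user == obj.owner:
        triplet = (obj.mode >> 6) & 7
    elif obj.group in groups:
        triplet = (obj.mode >> 3) & 7
    else:
        triplet = obj.mode & 7
    return bool(triplet & bit)


def dac_chmod(obj: DacObject, user: str, new_mode: int) -> bool:
    """Discretionary: only the owner may change who gets access."""
    if user != obj.owner:
        return False
    obj.mode = new_mode
    return True


# ---- MAC: labels fixed by the security administrator --------------------------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_permits(subject_level: str, object_level: str, op: str) -> bool:
    """Bell-LaPadula rules: no read up (simple security property) and no write
    down (*-property).  Neither the owner nor the user can override the labels."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


# ---- RBAC: permissions attach to roles, users are assigned roles --------------
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "auditor": {"read:ledger"},
    "clerk":   {"read:ledger", "write:ledger"},
    "admin":   {"read:ledger", "write:ledger", "manage:users"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "eve":   {"auditor"},
    "frank": {"clerk"},
    "grace": {"clerk", "admin"},
}


def rbac_permits(user: str, permission: str) -> bool:
    """A user holds a permission iff at least one of their roles grants it."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


if __name__ == "__main__":
    report = DacObject(owner="alice", group="finance", mode=0o640)
    print("DAC  bob in finance reads report:", dac_permits(report, "bob", {"finance"}, "read"))
    print("MAC  secret user writes confidential:", mac_permits("secret", "confidential", "write"))
    print("RBAC eve writes ledger:", rbac_permits("eve", "write:ledger"))
```

Note the MAC write rule: a subject cleared "secret" may write to a "top_secret" object but not to a "confidential" one, because the point is to stop classified content flowing down to a less sensitive label, not to stop the subject from adding to a more sensitive one.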
Working:
Any biometric access control system consists of a biometric reader or scanner. This unit
captures the raw data, such as a fingerprint image or the information from an iris scan. The
data is then analysed and the person's characteristics are compared against the previously
enrolled record. If the two records match closely enough, the person is authenticated, and if
the time is within the authorized period for entry, the device signals and releases the electric
door lock.
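The decision sequence above, as an added example that is not part of the original page. The point it shows that the prose does not is that "the two records match" is a threshold decision rather than an equality test: two scans of the same eye or finger never produce identical data, so the reader measures how far apart the probe and the enrolled template are (iris codes are compared by normalised Hamming distance) and accepts when the distance is below a tuned threshold. The templates, the noise model, the user name and the entry schedule are all constructed for the example.

```python
import random
from datetime import time
from typing import Dict, Tuple

TEMPLATE_BITS = 256      # length of the constructed binary template
MATCH_THRESHOLD = 0.32   # largest normalised Hamming distance accepted as a match

RNG = random.Random(2024)   # seeded so the constructed data is reproducible


def hamming_distance(a: int, b: int) -> float:
    """Fraction of bits that differ between two templates of TEMPLATE_BITS bits."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


def is_match(enrolled: int, probe: int, threshold: float = MATCH_THRESHOLD) -> bool:
    """Comparison is a threshold decision, not an equality test: two captures of
    the same eye or finger differ in a few percent of bits, while two different
    people's templates differ in about half of them."""
    return hamming_distance(enrolled, probe) <= threshold


def capture(template: int, noisy_bits: int) -> int:
    """Simulate a fresh scan of the enrolled person: flip `noisy_bits` distinct
    bit positions of the stored template (constructed noise model)."""
    for pos in RNG.sample(range(TEMPLATE_BITS), noisy_bits):
        template ^= 1 << pos
    return template


# Constructed enrolment database and entry schedule (assumed name and hours).
ENROLLED: Dict[str, int] = {"alice": RNG.getrandbits(TEMPLATE_BITS)}
SCHEDULE: Dict[str, Tuple[time, time]] = {"alice": (time(8, 0), time(18, 0))}
GENUINE_PROBE = capture(ENROLLED["alice"], 20)        # ~8% of bits differ
IMPOSTOR_PROBE = RNG.getrandbits(TEMPLATE_BITS)       # an unrelated person


def access_decision(user: str, probe: int, now_hhmm: str) -> Tuple[bool, str]:
    """The reader's sequence from the text: compare against the enrolled
    record, then check the authorized time window, then release the lock."""
    if user not in ENROLLED:
        return False, "not enrolled"
    if not is_match(ENROLLED[user], probe):
        return False, "biometric mismatch"
    now = time.fromisoformat(now_hhmm)
    window = SCHEDULE.get(user)
    if window is None or not window[0] <= now <= window[1]:
        return False, "outside authorized period"
    return True, "release lock"


if __name__ == "__main__":
    print(access_decision("alice", GENUINE_PROBE, "09:30"))
    print(access_decision("alice", GENUINE_PROBE, "23:00"))
    print(access_decision("alice", IMPOSTOR_PROBE, "09:30"))
```

The threshold is the security knob: lowering it rejects more impostors but also more genuine users on a bad scan (false rejects), raising it does the opposite (false accepts), which is why vendors quote both rates rather than a single accuracy figure.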
Fingerprints are the most common biometric used for access control, although in more secure
areas such as defense installations, airports and government sites, iris scanning and other
high-tech approaches are used.
Retina Pattern Biometric Systems
Everybody has a unique retinal vascular pattern. A retina pattern biometric system uses an
infrared beam to scan the retina, examines the unique characteristics of the user's retinal
blood vessels and compares them with the stored pattern to determine whether the user should
be allowed access. Some other biometric systems perform iris and pupil measurements instead.
Retina pattern systems are highly reliable, but users are often reluctant to use retina scanners
because they fear the scanners will blind or injure their eyes.