
Chapter 2.

IDENTIFICATION, AUTHENTICATION AND OPERATIONAL SECURITY

Q.1 Components of a good password

ANS :
1. Password should be at least eight characters in length.
2. Password should have at least three of the following four elements:
i. one or more uppercase letters (A-Z)
ii. one or more lowercase letters (a-z)
iii. one or more numerals (0 to 9)
iv. one or more special characters (!, @, #, $, &, :, ., ;, ?)
3. Password should not consist of dictionary words.
4. Password should not be the same as the login name.
5. Password should not consist of the user's first or last name, family members' names, birth
dates, or pet names.

The following guidelines will guard against someone finding out your password and using
your account illegally:

1. Make your password as long as possible. The longer it is, the more difficult it will be to
attack the password with a brute-force search. Always use at least 6 characters in your
password, at least two of which are numeric.
2. Use as many different characters as possible when forming your password. Use
numbers, punctuation characters and, when possible, mixed upper and lower-case letters.
Choosing characters from the largest possible alphabet will make your password more
secure.
3. Do not use personal information in your password that someone else is likely to be able
to figure out. Obviously, things like your name, phone number, and address are to be
avoided. Even names of acquaintances and the like should not be used.
4. Do not use words, geographical names, or biographical names that are listed in standard
dictionaries.
5. Never use a password that is the same as your account number.
6. Do not use passwords that are easy to spot while you're typing them in. Passwords like
12345, qwerty (i.e., all keys right next to each other), or nnnnnn should be avoided.
7. Change your password on a regular basis. Changing your password every 30 days is a
good rule-of-thumb, and you should never go longer than 90 days before picking a new
password. Do not reuse any previous password you have used. The longer you wait
before changing passwords, the more difficult it will be to get used to the new one.

Q. 2. Password selection strategies:


Ans :
There are four basic strategies to select a password
a. User Education
b. Computer generated password
c. Reactive password checking
d. Proactive password checking

User Education
- Tell users the importance of hard-to-guess passwords and provide guidelines for selecting
strong passwords.
- This strategy is unlikely to be successful at most installations, particularly where there is a
large user population or a lot of turnover.
- Many users will simply ignore the guidelines, or may have poor judgment of what is a strong
password. For example, many users think that reversing a word or capitalizing the last letter
makes a password unguessable.

Computer generated password
- Computer-generated passwords also have some problems. If the passwords are reasonably
random in nature, users will not be able to remember them.
- Even if the password is pronounceable, the user may have difficulty remembering it, and so
many times they write it down.
- Normally these schemes are less accepted by users.

Reactive password checking
- In this scheme the system periodically runs its own password cracker program to find
guessable passwords.
- If the system finds any such password, it cancels it and notifies the user.
- This method has a number of drawbacks. It is resource intensive if the job is done right,
because a determined opponent who is able to steal a password file can dedicate full CPU time
to the task for hours or even days.
- Furthermore, any existing passwords remain vulnerable until the reactive password checker
finds them.

Proactive password checking
- It is the most promising approach to improved password security. In this scheme, a user is
allowed to select his/her own password.
- However, at the time of selection, the system checks the password: if the password is
allowable it is accepted, otherwise it is rejected.
- The trick with a proactive password checker is to strike a balance between user acceptability
and password strength.
- If the system continuously rejects many passwords, then users will complain that it is very hard
to select a password.
- If the system uses some simple algorithm to define what is acceptable, then it provides
direction to password crackers to refine their guessing technique.
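A proactive password checker that enforces the rules listed in Q.1 (minimum length, three of four character classes, no dictionary word, not the login name, no personal names or birth date) is shown below. It is an added example written for these notes, not code from the notes themselves; the dictionary, the sample names and the birth date are constructed inputs, and it treats any non-alphanumeric character as "special" rather than only the nine listed in Q.1.

```python
import re
from datetime import date

# Constructed sample dictionary for the demo; a real checker would load a full
# word list (e.g. the system dictionary) instead of this handful of words.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}

# Constructed sample birth date used by the demo below.
SAMPLE_BIRTH_DATE = date(1990, 5, 15)

# The notes list !,@,#,$,&,:,.,;,? as special characters; this example treats any
# non-alphanumeric character as special (a deliberate generalisation).
CLASS_PATTERNS = {
    "uppercase": r"[A-Z]",
    "lowercase": r"[a-z]",
    "numeral": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}


def character_classes(pw):
    """Return the set of character classes present in the password."""
    return {name for name, pat in CLASS_PATTERNS.items() if re.search(pat, pw)}


def check_password(pw, login, first_name="", last_name="",
                   family_names=(), pet_names=(), birth_date=None):
    """Proactive check: return the list of rules the password violates.

    An empty list means the password is allowable under the notes' rules
    (length >= 8, at least 3 of 4 character classes, no dictionary word,
    not equal to the login name, no personal names or birth date).
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(character_classes(pw)) < 3:
        problems.append("fewer than 3 of the 4 character classes")
    low = pw.lower()
    if low in DICTIONARY:
        problems.append("is a dictionary word")
    if low == login.lower():
        problems.append("same as login name")
    for name in (first_name, last_name, *family_names, *pet_names):
        if name and name.lower() in low:
            problems.append(f"contains personal name '{name}'")
    if birth_date is not None:
        # Common ways a birth date gets typed into a password: the year alone,
        # day+month, or the full numeric date in day-first or month-first order.
        for fmt in ("%Y", "%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m", "%m%d"):
            if birth_date.strftime(fmt) in pw:
                problems.append("contains birth date")
                break
    return problems


if __name__ == "__main__":
    # Constructed demo inputs for user "raja" (Raja Kumar).
    for pw in ("Tr0ub4dor&3x", "Am1t!", "welcome", "Raja15051990!"):
        result = check_password(pw, "raja", "Raja", "Kumar",
                                birth_date=SAMPLE_BIRTH_DATE)
        print(pw, "->", result or "allowable")
```

Returning the full list of violations, rather than a bare accept/reject, is what lets the system explain a rejection to the user, which addresses the acceptability complaint the notes raise; the dictionary check here is an exact match and would be strengthened in practice by also testing common substitutions and reversals.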

Q3. Role of people in security


Ans :
Password selection:
The importance of picking a good, secure password can't be emphasized enough. It is
extremely important that users change the passwords associated with their computer accounts
frequently, and that they change them to something that cannot be guessed by someone else. This
is because the password is the way the computer verifies that someone logging in with your
account (also known as your login or netid) is really you.
If someone else obtains your password, they can use your account to peruse your private
data, including electronic mail; alter or destroy your files; and perform illegal activities in your
name. And, in such cases, it is difficult to find out who the culprit is.

Backdoor
An avenue that can be used to access a system while circumventing normal security
mechanisms and can often be used to install additional executable files that can lead to more
ways to access the compromised system

Dumpster diving
The process of going through a target's trash in hopes of finding valuable information that
might be used in a penetration attempt

Peer-to-peer (P2P)
A network connection methodology involving direct connection from peer to peer

Phishing
A type of social engineering in which an attacker attempts to obtain sensitive information
from a user by masquerading as a trusted entity in an e-mail or instant message sent to a large
group of often random users

Piggybacking
The simple tactic of following closely behind a person who has just used their own access
card or PIN to gain physical access to the facility without having to know the access code or
having to acquire an access card

Reverse social engineering
When the attacker hopes to convince the target to initiate the contact

Shoulder surfing
Involves the attacker directly observing the individual entering sensitive information on a
form, keypad, or keyboard

Social engineering
The process of convincing an authorized individual to provide confidential information or
access to an unauthorized individual

SPAM
Bulk unsolicited e-mail

Tailgating
The simple tactic of following closely behind a person who has just used their own access
card or PIN to gain physical access to the facility without having to know the access code or
having to acquire an access card

Vishing
A variation of phishing that uses voice communication technology to obtain the
information the attacker is seeking

Q 4. Describe piggybacking & shoulder surfing.


Ans :
Piggybacking is the simple process of following closely behind a person who has just used their
own access card or PIN to gain physical access to a room or building. An attacker can thus gain
access to the facility without having to know the access code or having to acquire an access card.
For example:
Access to a wireless internet connection by bringing one's own computer within range of
another wireless connection and using that without explicit permission.

Shoulder surfing is a similar procedure in which attackers position themselves in such a way as
to be able to observe the authorized user entering the correct access code.
Both of these attack techniques can be easily countered by using simple procedures to
ensure nobody follows you too closely or is in a position to observe your actions.
Shoulder surfing is using direct observation techniques, such as looking over someone's
shoulder, to get information. Shoulder surfing is an effective way to get information in crowded
places because it's relatively easy to stand next to someone and watch as they fill out a form or
enter a PIN at an ATM. Shoulder surfing can also be done from a long distance with
the aid of binoculars or other vision-enhancing devices.

Q.5 What is dumpster diving? How can it be avoided?


Ans:
In general, dumpster diving involves searching through trash or garbage looking for
something useful. This is often done to uncover useful information that may help an individual
get access to a particular network. So, while the term can literally refer to looking through trash,
it is used more often in the context of any method (especially physical methods) by which a
hacker might look for information about a computer network. When dumpster diving, hackers
look for:
Phone lists
Helps map out the power structure of the company, and gives possible account
names, and is essential in appearing as a member of the organization.
Memos
Reveal activities inside the target organization.
Policy manuals
Today's employee manuals give instructions on how not to be victimized by
hackers, and likewise help the hacker know which attacks to avoid, or at least try
in a different manner than specified in the policy manual.
Calendars of events
Tells the hackers when everyone will be elsewhere and not logged into the
system. Best time to break in.
System manuals, packing crates
Tells the hackers about new systems that they can break into.
Print outs
Source code is frequently found in dumpsters, along with e-mails (revealing
account names), and Post-it notes containing written passwords.
Disks, tapes, CD-ROMs
People forget to erase storage media, leaving sensitive data exposed. These days,
dumpsters may contain a larger number of "broken" CD-Rs. The CD-ROM
"burning" process is sensitive and can lead to failures, which are simply thrown
away. However, some drives can still read these disks, allowing the hacker to read
a half-way completed backup or other sensitive piece of information.
Old hard drives
Like CD-ROMs, information from broken drives can usually be recovered. It depends
only upon the hacker's determination.
Organizational changes, such as mergers, acquisitions, and "re-orgs" leave the company
in disarray that can be exploited by hackers (in much the same way that hacker look upon
January 1, 2000 as a prime hacking day).
In order to prevent this attack from being successful against yourself, you should do the
reverse. Shred as much as you can; you can buy bulk shredders fairly cheap. Simply institute a
policy that all paper should be shredded and recycled.

Note that strip shredders often result in documents that can be reconstructed, because the
strips are usually in close physical proximity in the trash. Use cross-cut shredders whenever
possible.
Erase all media. Simple erasure is sometimes not sufficient; most crypto programs come
with a "wipe" feature that will overwrite 8 or more times. CD-Rs cannot be erased.
The best solution for them is to put them in a microwave for 15 seconds (though disposal
should still be careful, because even then a dedicated hacker might still be able to glean some
information).
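The "wipe" feature the notes mention (overwriting a file several times before deleting it) can be written in a few lines. The following is an added example for these notes, not code from any of the crypto programs referred to; the sample file it wipes is constructed by the demo function, and the 8-pass default simply follows the figure in the text.

```python
import os
import secrets
import tempfile


def wipe_file(path, passes=8, chunk=1 << 16):
    """Overwrite a file's contents `passes` times in place, then delete it.

    Even-numbered passes write random bytes and odd-numbered passes write
    zeros; each pass is flushed and fsync'ed so the data reaches the device
    rather than sitting in a cache. Returns the number of bytes overwritten
    per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for p in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n) if p % 2 == 0 else bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)
    return size


def demo_wipe(passes=8):
    """Create a constructed sample file, wipe it, and report what happened."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"constructed sensitive backup data\n" * 1000)
    written = wipe_file(path, passes=passes)
    return {"bytes_per_pass": written,
            "passes": passes,
            "still_exists": os.path.exists(path)}


if __name__ == "__main__":
    print(demo_wipe())
```

Overwriting only helps where writes replace the old bytes in place, as on a traditional magnetic disk. Flash and SSD wear-levelling, copy-on-write or journaling filesystems, and write-once media such as the CD-Rs the notes discuss can leave the original data elsewhere on the device, so those need the device's own secure-erase command or physical destruction instead.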

How can you prevent dumpster diving?

Destroy all sensitive information including junk mail and paperwork that includes:
- Account numbers
- Addresses
- Birth dates
- E-mail addresses
- Names
- Passwords and PINs
- Phone numbers
- Signatures
- Social Security Numbers

Below is a list of specific items you should shred:

- Address labels from junk mail and magazines
- ATM receipts
- Bank statements
- Birth certificate copies
- Canceled and voided checks
- Credit and charge card bills, carbon copies, summaries and receipts
- Credit reports and histories
- Employee pay stubs
- Employment records
- Expired credit and identification cards including driver's licenses, college IDs, military
IDs, employee badges, medical insurance cards, etc. (If your shredder can't handle
plastic, cut up cards with scissors before discarding them.)
- Expired passports and visas
- Insurance documents
- Investment, stock and property transactions
- Legal documents
- Luggage tags
- Medical and dental records
- Papers with a Social Security number
- Pre-approved credit card applications
- Receipts with checking account numbers
- Report cards
- Résumés or curriculum vitae
- Signatures (such as those found on leases, contracts, letters)
- Tax forms
- Transcripts
- Travel itineraries

- Used airline tickets
- Utility bills (telephone, gas, electric, water, cable TV, Internet)

Q. 6. State the problems with installing unauthorized software.


Ans
Following are the problems with installing unauthorized software:

1) Malware:
a) Freeware and low-cost software downloaded from the Internet or distributed on floppy disks
or CDs can contain viruses that will infect your system and spread to other computers on the
network.
b) Lack of knowledge about the source

2) Spyware
Unauthorized software may contain spyware that will capture information you type and send it
to marketers or criminals.

3) Quality and Compatibility
a) Any software not known and supported by an organization can conflict with other applications
or change crucial configuration information.
b) Unlicensed software may cause incompatibility between programs that would normally
function together seamlessly.
c) "There are support issues, there are compatibility issues. With version control and all the
things associated with managing the desktop come cost factors in terms of having stray software
or different software out."

4) Piracy of Unlicensed software

a) Unauthorized software might be pirated (copied illegally), which could subject the University
to penalties in case of a software audit.
b) Impact - subject to legal action and penalties

5) Unsupported

a) Unauthorized software, once installed, is seldom kept current. The software may not contain
known security flaws when installed, but hackers may discover and exploit flaws. The software
company corrects these security flaws and releases an updated version. Most users never update
the software once it is installed, and it remains vulnerable to the security flaws.
b) You can expect no warranties or support for illegal software, leaving your company on its own
to deal with any problems.

c) Impact
- If you have a technical issue in need of resolution, often times a work-stopping issue, the
district would not have the resources needed to rectify the situation. In addition, product
upgrades (less expensive upgrades of existing products) are not available to the district.
- By violating or ignoring standard procedures, users create diversity among corporate
desktops and ultimately cause help desk headaches.
- It's not unusual for a help desk to come to the aid of users complaining of applications
that won't open, buggy versions of software, or machines that are out of memory, and then
discover that a great deal of the software isn't even supposed to be there.

Q7. What are the individual user's responsibilities in security?


Ans :
1. Lock the doors and workspace.
2. Do not leave sensitive information inside your car unprotected.
3. Keep storage media that contain sensitive information in a secure storage device.
4. Shred paper containing organizational information before discarding it.
5. Do not expose sensitive information to individuals who do not have an authorized need to
know it.
6. Do not discuss sensitive information with family members.
7. Protect laptops that contain sensitive or important organizational information
wherever the laptop may be stored or left.
8. Enforce corporate access control procedures. Be alert to, and do not allow, piggybacking,
shoulder surfing, or access without the proper identification.
9. Be aware of the correct procedures to report suspected or actual violations of security
policies.
10. Establish procedures to implement good password security practices that all
employees should follow.

Q8. What is access control? List and explain.


Ans :
Access is the ability of a subject to interact with an object. Authentication deals with verifying
the identity of a subject. Access control is the ability to specify, control and limit access to the
host system or application, which prevents unauthorized users from accessing or modifying data
or resources. It can be represented using an Access Control Matrix or List:

Subject   Process 1              Process 2              File 1   File 2        Printer
Amit      Read, Write, Execute   ---                    Read     Read          Write
Raja      Execute                Read, Write, Execute   Read     Read, Write   Write

Various access controls are:

Discretionary Access Control (DAC): Restricting access to objects based on the identity of
subjects and/or the groups to which they belong. It is conditional; basically used by the military
to control access on a system. UNIX-based systems are a common example, permitting users read,
write and execute access.
Mandatory Access Control (MAC): It is used in environments where different levels of security
are classified. It is much more restrictive: a sensitivity-based restriction, with formal
authorization subject to sensitivity. In MAC the owner or user cannot determine whether access is
granted or not, i.e. the operating system holds the rights. The security mechanism controls access
to all objects and an individual cannot change that access.

Role Based Access Control (RBAC): Each user can be assigned specific access permissions for
objects associated with a computer or network. A set of roles is defined, and each role in turn is
assigned the access permissions necessary to perform that role.

Different users will be granted different permissions to do specific duties as per their
classification.
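The three models above can be compared side by side in code. The block below is an added example for these notes, not code from the notes or from any operating system: the discretionary matrix is transcribed from the Amit/Raja table, while the sensitivity levels, the role definitions and the user-to-role assignments are constructed, and the MAC rule it applies ("read at or below your clearance, write at or above it") is one common interpretation of a sensitivity-based policy, assumed here rather than stated in the notes.

```python
# Access control matrix transcribed from the notes' table; an empty set is the
# "---" cell (no rights).
MATRIX = {
    "Amit": {
        "Process 1": {"Read", "Write", "Execute"},
        "Process 2": set(),
        "File 1": {"Read"},
        "File 2": {"Read"},
        "Printer": {"Write"},
    },
    "Raja": {
        "Process 1": {"Execute"},
        "Process 2": {"Read", "Write", "Execute"},
        "File 1": {"Read"},
        "File 2": {"Read", "Write"},
        "Printer": {"Write"},
    },
}


def is_allowed(subject, obj, right):
    """DAC check: look up the (subject, object) cell of the matrix."""
    return right in MATRIX.get(subject, {}).get(obj, set())


def acl(obj):
    """Access control list: one column of the matrix, keyed by subject."""
    return {s: rights[obj] for s, rights in MATRIX.items() if rights.get(obj)}


def capabilities(subject):
    """Capability list: one row of the matrix, keyed by object."""
    return {o: r for o, r in MATRIX.get(subject, {}).items() if r}


# MAC: constructed ordered sensitivity labels. A subject may read objects at or
# below its clearance and write only at or above it, so information never flows
# from a higher label to a lower one (assumed policy, see lead-in).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def mac_allowed(clearance, classification, right):
    c, o = LEVELS[clearance], LEVELS[classification]
    if right == "Read":
        return c >= o
    if right == "Write":
        return c <= o
    return False


# RBAC: constructed roles mapping to (object, right) permissions, and users
# assigned to roles. Changing a role changes every user holding it.
ROLE_PERMS = {
    "operator": {("Printer", "Write"), ("File 1", "Read")},
    "developer": {("Process 2", "Read"), ("Process 2", "Write"),
                  ("Process 2", "Execute"), ("File 2", "Write")},
}
USER_ROLES = {"Amit": {"operator"}, "Raja": {"operator", "developer"}}


def rbac_allowed(user, obj, right):
    return any((obj, right) in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))


if __name__ == "__main__":
    print("DAC  Amit execute Process 1:", is_allowed("Amit", "Process 1", "Execute"))
    print("ACL  File 2:", acl("File 2"))
    print("MAC  Secret reads Confidential:", mac_allowed("Secret", "Confidential", "Read"))
    print("RBAC Raja executes Process 2:", rbac_allowed("Raja", "Process 2", "Execute"))
```

The same matrix can be stored by column (an ACL attached to each object, as UNIX file permissions do) or by row (a capability list carried by each subject); `acl` and `capabilities` show that both are just views of the one table. Note that in the MAC function the user's identity never appears, only the labels, which is exactly the point the notes make about the owner not being able to grant access.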

Q.9. Different methods in biometrics access control.


Ans:
Each person has a set of unique characteristics that can be used for authentication. Biometrics
uses these unique characteristics for authentication. Today's biometric systems examine retina
patterns, iris patterns, fingerprints, handprints, voice patterns, keystroke patterns, etc. for
authentication. But of the biometric devices available on the market, only retina pattern, iris
pattern, fingerprint and handprint systems are properly classified as biometric systems; the
others are better classified as behavioral systems.
Biometric identification systems normally work by obtaining unique characteristics from
you, like a handprint, a retina pattern, etc. The biometric system then compares that to the
specimen data stored in the system.
Biometric authentication is much better when compared with other types of
authentication methods. But users are reluctant to use biometric authentication. For
example, many users feel that a retina scanner biometric authentication system may cause loss of
their vision. False positives and false negatives are a serious problem with biometric
authentication.
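The false positives and false negatives just mentioned are two sides of one decision: a biometric system compares a match score against a threshold, and moving the threshold trades one error for the other. The following added example (not code from the notes or from any biometric product) makes that trade-off visible on constructed match scores; the score lists and the 0..1 similarity scale are assumptions for the demo.

```python
# Constructed similarity scores (0 = no resemblance, 1 = identical) between a
# live capture and the enrolled specimen. Genuine users should score high and
# impostors low, but the two sets overlap, which is where the errors come from.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.97, 0.64, 0.90]
IMPOSTOR = [0.12, 0.35, 0.41, 0.08, 0.66, 0.22, 0.30, 0.19]


def decide(score, threshold):
    """Accept the claimant when the match score reaches the threshold."""
    return score >= threshold


def error_rates(genuine, impostor, threshold):
    """Return (false accept rate, false reject rate) at one threshold.

    A false accept (false positive) is an impostor scoring above the threshold;
    a false reject (false negative) is a genuine user scoring below it.
    """
    far = sum(decide(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not decide(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor, steps=20):
    """Tabulate (threshold, FAR, FRR) across the whole score range."""
    return [(t / steps, *error_rates(genuine, impostor, t / steps))
            for t in range(steps + 1)]


def equal_error_threshold(genuine, impostor, steps=100):
    """Operating point where FAR and FRR are closest (the equal error rate)."""
    return min(sweep(genuine, impostor, steps), key=lambda r: abs(r[1] - r[2]))


if __name__ == "__main__":
    for threshold, far, frr in sweep(GENUINE, IMPOSTOR, steps=10):
        print(f"threshold {threshold:.1f}: FAR {far:.3f}  FRR {frr:.3f}")
    print("equal error point:", equal_error_threshold(GENUINE, IMPOSTOR))
```

A door protecting a high-security area would be tuned toward the high-threshold end of the sweep (very few false accepts, more genuine users asked to retry), while a convenience application might sit nearer the equal-error point; neither setting removes the errors, which is why the notes call them a serious problem rather than a solved one.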

Working :

Any biometric access control system consists of a biometric access control reader or
scanner. This is the unit which captures the raw data, in the form of a fingerprint or information
from an iris scan, etc. This data is then analyzed and the person's characteristics are compared
against the previously enrolled record. If the two records match, the person is authenticated. And
if the time is within the authorized period for entry, the device will signal and release the electric
door lock.

The most common aspect of biometrics being used for access control is fingerprints.
Though in more secure areas like defense areas and airports, government areas, etc. iris scanning
systems, and other hi-tech approaches are being used.
Retina Pattern Biometric Systems
Everybody has a unique retinal vascular pattern. A Retina Pattern Biometric system uses an
infrared beam to scan your retina. Retina pattern biometric systems examine the unique
characteristics of the user's retina and compare that information with the stored pattern to
determine whether the user should be allowed access. Some other biometric systems also perform
iris and pupil measurements. Retina Pattern Biometric Systems are highly reliable. Users are often
worried about using retina scanners because they fear that retina scanners will blind or injure
their eyes.

Iris Scans Biometric Systems

Iris scans verify identity by scanning the colored part of the front of the eye. Iris scanning is
much easier and very accurate.

Fingerprints Biometric Systems

Fingerprints have been used in forensics and identification for a long time. Fingerprints of each
individual are unique. Fingerprint Biometric Systems examine the unique characteristics of your
fingerprints and use that information to determine whether or not you should be allowed access.
The theoretical working of the fingerprint scanner is as described below. The user's finger is
placed on the scanner surface. Light flashes inside the machine, the reflection is captured by a
scanner, and it is used for analysis and then verified against the original specimen stored in the
system. The user is allowed or denied based on the result of this verification.

Handprints Biometric Systems


As in the case of fingerprints, everybody has unique handprints. A Handprint Biometric
System scans the hand and fingers and the data is compared with the specimen stored for you in
the system. The user is allowed or denied based on the result of this verification.

Voice Patterns Biometric Systems


Voice Patterns Biometric Systems can also be used for user authentication. Voice Patterns
Biometric Systems examine the unique characteristics of user’s voice.

Keystrokes Biometric Systems


Keystroke Biometric Systems examine the unique characteristics of user’s keystrokes and
use that information to determine whether the user should be allowed access.
