Chapter-2
Password Selection
For many years, computer intruders have relied on users selecting poor passwords
to help them gain unauthorized access to a system or network. If attackers could obtain
a list of the users’ names, chances were good they could eventually access the
system. Users pick passwords that are easy for them to remember, and what easier
Chapter-2 : Computer Security – Gscheme -- 2014
password could there be than the same sequence of characters that they use for their
user ID?
If a system had an account with the username of jdoe, a reasonable first guess of
the account’s password would be jdoe. If this didn’t work, then variations on the
same would be tried: doej, johndoe, johnd, or eodj, all of which would be
reasonable possibilities.
If variations on the username did not yield the correct password, all was not lost;
more information was simply needed. Users also frequently pick names of family
members, pets, or favorite sports team.
If the user lived in San Antonio, TX, for example, a possible password might be
gospurs in honor of their professional basketball team. If these didn’t work, then
hobbies of the user might be tried, or the names of their favorite make or model of
car, or similar pieces of information.
The key is that the user often picks something easy for them to remember, which
means that the more you know about the user, the better your chance of
discovering their password.
In an attempt to complicate the attacker’s job, organizations have encouraged their
users to mix upper- and lowercase characters and to include numbers and special
characters in their password.
While this does make it harder, the basic problem still remains: users will pick
something that is easy for them to remember. Thus, our user in San Antonio may
select the password G0*Spurs, capitalizing two of the letters, inserting a special
character, and substituting the number zero for the letter O.
This has made the password harder to crack, but there are a finite number of
variations on the basic gospurs password so, while the attacker’s job has been
made more difficult, it is still possible to guess the password.
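The same reasoning can be turned into a check at password-change time. The following is an added example, not part of the original notes: it undoes the usual case, digit and symbol substitutions and then rejects a candidate that still contains a name-derived string or a known personal-context word. The substitution table, function names and sample values are assumptions chosen for illustration.

```python
import re

# Substitutions users commonly apply to a base word (assumed table, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Lowercase, undo digit/symbol substitutions, then drop every non-letter."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def identity_words(username, first, last):
    """Strings derivable from the account holder's name, forwards and reversed.

    Covers the variations listed in the text for user jdoe:
    jdoe, doej, johndoe, johnd and eodj.
    """
    f, l = first.lower(), last.lower()
    base = {username.lower(), f, l, f + l, l + f, f + l[:1], f[:1] + l, l + f[:1]}
    words = set()
    for w in base:
        words.add(w)
        words.add(w[::-1])
    # Very short fragments would match almost anything, so ignore them.
    return {w for w in words if len(w) >= 3}


def screen_password(password, username, first, last, context_words=()):
    """Return the reasons a candidate is guessable; an empty list means no finding."""
    norm = normalize(password)
    reasons = []
    for w in sorted(identity_words(username, first, last)):
        if w in norm:
            reasons.append(f"contains name-derived string '{w}'")
    for w in context_words:
        w_norm = normalize(w)
        if len(w_norm) >= 3 and w_norm in norm:
            reasons.append(f"contains personal-context word '{w}'")
    return reasons


if __name__ == "__main__":
    # Constructed sample candidates for the user jdoe (John Doe) from the text.
    for candidate in ["eodj", "JohnD2014", "G0*Spurs", "plum-tractor-violin-84"]:
        findings = screen_password(candidate, "jdoe", "John", "Doe", ["spurs"])
        print(candidate, "->", findings or "no finding")
```

A check like this only covers what the organization already knows about the user; it complements, rather than replaces, a list of commonly used passwords.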
Writing them down and putting them in a secure place is one thing, but all too
often users will write them on a slip of paper and keep them in their calendar,
wallet, or purse. Most security consultants generally agree that if they are given
physical access to an office they will be able to find a password somewhere—the
top drawer of a desk, inside of a desk calendar, attached to the underside of the
keyboard, or even simply on a yellow “stickie” attached to the monitor.
With the proliferation (is always a great word to know) of computers, networks, and
users, the password dilemma (a difficult situation or problem) has gotten worse.
Today, the average Internet user probably has at least a half dozen different
accounts and passwords to remember.
Selecting a different password for each account, following the guidelines
mentioned previously regarding character selection and frequency of changes, only
aggravates the problem of remembering the passwords. This results in users all
too frequently using the same password for all accounts. If a user does this, and
then one of the accounts is broken, all other accounts are subsequently also
vulnerable to attack.
As a final comment, good password selection and the protection of passwords
also apply to another common feature of today’s electronic world.
Most people have at least one Personal Identification Number (PIN) associated with
things such as their automated teller machine, or a security code to gain physical
access to a room.
Again, users will invariably select numbers that are easy to remember. Specific
numbers, such as the individual’s birth year, or their spouse’s birth year, or the
date of some other significant event are all common numbers to select.
Other people will pick patterns that are easy to remember—2580, for example,
uses all of the center numbers on a standard numeric pad on a telephone.
Attackers know this, and guessing PINs follows the same sort of process that
guessing a password does.
Dumpster Diving
Attackers need a certain amount of information before launching their attack. One
common place to find this information, if the attacker is in the vicinity of the target, is to
go through the target’s trash in order to find little bits of information that could be
useful. This process of going through a target’s trash is known in the computer
community as dumpster diving.
If the attackers are very lucky, and the target’s security procedures are very poor,
they may actually find user IDs and passwords. Users sometimes write their password
down. If, when the password is changed, they discard the paper the old password was
written on without shredding it, the lucky dumpster diver can gain a valuable clue.
Even if the attacker isn’t lucky enough to obtain a password directly, employee
names will undoubtedly be found and from that it’s not hard to determine user IDs.
Manuals from hardware or software that have been purchased may also provide clues as
to what vulnerabilities exist on the target’s computer systems and networks.
The attacker may gather a variety of information which can be useful in a social
engineering attack. With the cost of shredders being so small today, there is no excuse
for not properly disposing of trash, no matter how small the organization.
Access by Non-Employees
If an attacker can gain physical access to a facility, chances are very good that
enough information can be obtained to penetrate computer systems and networks. Many
organizations require employees to wear identification badges when at work. This is an
easy method to quickly spot who has permission to have physical access to the
organization and who does not.
While this method is easy to implement and can be a significant deterrent to
unauthorized individuals, it also requires that employees actively challenge individuals
who are not wearing the required identification badge. This is one area where
organizations fail.
Combine an attacker who slips in by piggybacking off of an authorized individual
and an environment where employees have not been encouraged to challenge
individuals without appropriate credentials and you have a situation where you might as
well not have any badges in the first place.
Organizations also frequently become complacent when faced with what appears
to be a legitimate reason to access the facility, such as when an individual shows up
with a warm pizza claiming it was ordered by an employee.
It has often been stated by security consultants that it is amazing what you can
obtain access to with a pizza box or a vase of flowers. If the organization doesn’t enforce
good password policies, a casual stroll through an office may yield passwords or other
important information.
Another aspect that must be considered is personnel who have
legitimate (conforming to the law or to rules) access to a facility but may not have the
same regard for the intellectual property rights of the organization that their coworkers
do.
Physical access provides an easy opportunity for individuals to look for the
occasional piece of critical information carelessly left out. With the proliferation of
devices such as cell phones with built-in cameras, an individual could easily photograph
information without it being obvious to employees.
Contractors, consultants, and partners frequently not only have physical access to
the facility but may also have network access. Other individuals that typically have
unrestricted access to the facility when no one is around are nighttime custodial crew
members and security guards. Such positions are often contracted out. As a result,
hackers have been known to take temporary custodial jobs simply to gain access to
facilities.
Social Engineering
Social engineering is a technique in which the attacker uses various deceptive
(Giving an appearance or impression different from the true one; misleading) practices to
obtain information they would normally not be privileged to, or to convince the target of
the attack to do something they normally wouldn’t.
Social engineering is very successful for two general reasons.
Reason No. 1
The first reason is the basic desire by many to be helpful. When somebody asks a question for which
we know the answer, our normal response is not to be suspicious but rather to answer
the question. The problem with this is that seemingly innocuous information can be
used either directly in an attack or to build a bigger picture that can be used to create
an aura of authenticity for the attacker.
The more information an individual has about an organization, the easier it will be
to convince others that he is part of the company and has a right to even sensitive
information. This type of reasoning can be further broken down into one of three
categories.
The attacker may simply ask a question hoping to immediately obtain the
desired information. For the most basic of information that is not considered sensitive,
this generally will work. An example of this might be to call and ask who the IT manager
is. If the attacker’s desired information might be even slightly sensitive in nature, and
possibly arouse suspicion, then another technique may be tried.
The attacker may first attempt to engage the target in conversation and try
to evoke sympathy so the target feels sorry for the individual and may more freely
release the information. An example might be an attacker who calls and claims to be
under some deadline from a supervisor who is upset for some reason.
The target, feeling sorry for a fellow worker, may give up the information
thinking that by doing so they are helping the attacker keep out of trouble. The attacker
may also try another approach, appealing to the individual’s ego. An example might be
an individual who calls the IT department, claiming to have some sort of problem, and
praising them for work they supposedly did to help another worker.
After having somebody tell you how great you are and how much you helped
somebody else, you will often be tempted to supply the same level of help to another
individual.
Reason No. 2
The second reason social engineering is successful is that individuals will normally seek to avoid
confrontation and trouble. If the attacker attempts to intimidate the target, threatening to
call the target’s supervisor because of a lack of help, the target may give in and provide
the information to avoid confrontation. This variation on the attack is often successful in
organizations that have a strict hierarchical structure.
In the military, for example, a lower ranking individual may be coerced into
providing information to an individual claiming to be of higher rank or who claims to
be working for another individual higher up in the chain of command.
A variation on social engineering uses means other than direct contact between
the target and the attacker. An example of this type of attack might be a forged
electronic mail or a bogus web site to obtain information from an individual or convince
the individual to accomplish some action.
Again, the goal in social engineering is to convince the target to provide
information or accomplish some act that they normally would not do. An example
of a slightly different attack that is generally still considered a social engineering attack
is an attacker who replaces the blank deposit slips in a bank’s lobby with ones
containing his or her own account number but no name. When an unsuspecting
customer uses one of the slips, a teller who is not observant may end up crediting the
attacker’s account with the deposit.
Social engineering has been discussed in the context of an outsider attempting to
gain information about the organization. This does not have to be the case. Insiders may
also attempt to gain information they are not authorized to have. In many cases, the
insider may be much more successful since they will already have a certain level of
information regarding the organization.
A point to note when talking of social engineering attacks is that people are not only the biggest
problem and security risk but they are also the best tool in defending against a social
engineering attack. The first step a company should take to fight potential social
engineering attacks is to create the policies and procedures that establish the roles and
responsibilities for not only security administrators but for all users. What is it that
management expects, security-wise, from all employees? What is it that the organization
is trying to protect, and what mechanisms are important for that protection?
Security Awareness
Probably the single most effective method to counter potential social engineering
attacks after establishment of the organization’s security goals and policies is an active
security awareness program. The extent of the training will vary depending on the
organization’s environment and the level of threat, but initial employee training on social
engineering at the time a person is hired is important, as well as periodic refresher
training.
Many government organizations have created security awareness posters to
constantly remind individuals of this possible avenue of attack. Security newsletters,
often in the form of e-mail, have also been used to remind employees of their security
responsibilities.
An important element that should be stressed in training about social engineering
is the type of information that the organization considers sensitive and which may be
the target of a social engineering attack.
There are undoubtedly signs that the organization could point to as indicative of
an attacker attempting to gain access to sensitive corporate information. All employees
should be aware of these indicators.
employees, especially supervisors, may complain to their spouse about other
employees or problems that are occurring at work)
Protecting laptops that contain sensitive or important organization information
wherever the laptop may be stored or left (it’s a good idea to ensure that sensitive
information is encrypted on the laptop so that should the equipment be lost or
stolen, the information remains safe)
Being aware of who is around you when discussing sensitive corporate information.
Does everybody within earshot have the need to hear this information?
Enforcing corporate access control procedures. Be alert to, and do not allow,
piggybacking, shoulder surfing, or access without the proper credentials.
Being aware of the correct procedures to report suspected or actual violations of
security policies
Establishing procedures to enforce good password security practices that all
employees should follow. Passwords are such a critical element that they are
frequently the ultimate target of a social engineering attack. Though such
password procedures may seem too oppressive or strict, they are often the best
line of defense.
Finally what….
On user responsibilities, corporate security officers must cultivate an environment of
trust in their office, as well as an understanding of the importance of security. If users
feel that security personnel are only there to make their life difficult or dredge up
information that will result in an employee’s termination, the atmosphere will quickly
turn adversarial and be transformed into an “us versus them” situation.
Security personnel need the help of all users and should strive to cultivate a team
environment where users, when faced with a questionable situation, will not hesitate to
call the security office. In situations like this, security officers should remember the old
adage of “don’t shoot the messenger.”
Security Policies
Prevention technologies are designed to keep individuals from being able to gain
access to systems or data they are not authorized to use. Originally, this was the sole
approach to security. In an operational environment, prevention was extremely difficult
and relying on prevention technologies alone was not sufficient. This led to the rise of
technologies to detect and respond to events that occur when prevention failed. This
gave rise to the operational model for computer security.
Prevention technologies are static in the sense that they are put in place and generally
left alone. This is not to say that they are not periodically updated as needed, but they
are generally designed to serve in some way as a static barrier to intruders.
Detection and response technologies, on the other hand, are dynamic in the sense that
they acknowledge that security is an ongoing process. Systems and networks are
constantly changing. They therefore need to be constantly monitored.
Monitoring the operation of the various components that make up your security
perimeter is an essential part of any organization’s security program.
An important part of any organization’s approach to implementing security are the
policies, procedures, standards, and guidelines that are established to detail what users
and administrators should be doing to maintain the security of the systems and
network.
Policies – General management Statement
Standard – Specific Mandatory
Guideline – Recommendation/Best Practice
Procedure – Step by Step instruction
Policies are high-level, broad statements of what the organization wants to accomplish.
They are made by management when laying out the organization’s position on some
issue.
Standards are mandatory elements regarding the implementation of a policy. They are
accepted specifications providing specific details on how a policy is to be enforced. Some
standards may be externally driven. Regulations for banking and financial institutions,
for example, may require certain security measures be taken by law. Other standards
may be set by the organization for its own goals.
Guidelines are recommendations relating to a policy. The key term in this case is
recommendation: guidelines are not mandatory steps.
Physical Security
Physical security is the protection of personnel, hardware, programs, networks,
and data from physical circumstances and events that could cause serious losses
or damage to an enterprise, agency, or institution. This includes protection from fire,
natural disasters, theft and terrorism.
Physical security describes both measures that prevent or deter attackers from
accessing a facility, resource, or information stored on physical media and guidance on
how to design structures to resist various hostile acts.
Security at the physical level is a must. It should be provided to physically protect
the assets and resources in the secured perimeter.
Control against natural calamities
Using fire resistant and water resistant material
Implementation of fire monitoring, fire alarm and fire control system
Using fire extinguishers
Proper site design
Insurance cover
Controls for data protection
Data redundancy measures such as mirroring, shadowing and RAID
configurations
Regular onsite and offsite data backups
Access Controls
Q. What is Access Control? List the different types of it.
Ans. The term access control has been used to describe a variety of protection schemes.
It is sometimes used to refer to all security features used to prevent unauthorized access
to a computer system or network. In this sense, it may be confused with authentication.
More properly, access is the ability of a subject (such as an individual or a process
running on a computer system) to interact with an object (such as a file or hardware
device).
Authentication, on the other hand, deals with verifying the identity of a subject. To
help understand the difference, consider the example of an individual attempting to log
in to a computer system or network. Authentication is the process used to verify to the
computer system or network that the individual is who they claim to be. The most
common method to do this is through the use of a userid and password. Once the
individual has verified their identity, access controls regulate what the individual can
actually do on the system. Just because a person is granted entry to the system, that
does not mean that they should have access to all data the system contains.
Process 1 can read both File 1 and File 2 but can write only to File 1. Process 1 cannot
access
Process 2, but Process 2 can execute Process 1. Both processes have the ability to write
to the printer. While simple to understand, the access control matrix is seldom used in
computer systems because it is extremely costly in terms of storage space and
processing. Imagine the size of an access control matrix for a large network with
hundreds of users and thousands of files. The actual mechanics of how access controls
are implemented in a system varies, though access control lists (ACLs) are common. An
ACL is nothing more than a list that contains the subjects that have access rights to a
particular object. The list will identify not only the subject but the specific access that
that subject has for the object. Typical types of access include read, write, and execute
as indicated in our example access control matrix.
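The relationship between the access control matrix and ACLs can be shown in a few lines. This is an added example, not part of the original notes: it encodes only the rights the text above states (cells the text does not mention are assumed empty), turns the matrix into per-object ACLs, confirms both give the same decisions, and compares how many entries each form has to store. All function names are illustrative.

```python
from collections import defaultdict

SUBJECTS = ["Process 1", "Process 2"]
OBJECTS = ["Process 1", "Process 2", "File 1", "File 2", "Printer"]
RIGHTS = ("read", "write", "execute")

# (subject, object) -> rights, exactly as described in the text.
MATRIX = {
    ("Process 1", "File 1"): {"read", "write"},
    ("Process 1", "File 2"): {"read"},
    ("Process 1", "Printer"): {"write"},
    ("Process 2", "Process 1"): {"execute"},
    ("Process 2", "Printer"): {"write"},
}


def allowed(matrix, subject, obj, right):
    """Matrix lookup; a missing cell means no access (default deny)."""
    return right in matrix.get((subject, obj), set())


def to_acls(matrix):
    """Slice the matrix by column: one list of (subject -> rights) per object."""
    acls = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        if rights:
            acls[obj][subject] = set(rights)
    return dict(acls)


def acl_allowed(acls, subject, obj, right):
    """ACL lookup; an object without an ACL, or a subject not on it, is denied."""
    return right in acls.get(obj, {}).get(subject, set())


def consistent(matrix, acls, subjects, objects):
    """True when matrix and ACLs give the same answer for every possible request."""
    return all(
        allowed(matrix, s, o, r) == acl_allowed(acls, s, o, r)
        for s in subjects for o in objects for r in RIGHTS
    )


def matrix_cells(subjects, objects):
    """A full matrix stores one cell per subject/object pair, empty or not."""
    return len(subjects) * len(objects)


def acl_entries(acls):
    """ACLs store one entry only where some right was actually granted."""
    return sum(len(entries) for entries in acls.values())


if __name__ == "__main__":
    acls = to_acls(MATRIX)
    for obj, entries in acls.items():
        print(obj, "->", {s: sorted(r) for s, r in entries.items()})
    print("same decisions:", consistent(MATRIX, acls, SUBJECTS, OBJECTS))
    print("matrix cells:", matrix_cells(SUBJECTS, OBJECTS), "ACL entries:", acl_entries(acls))
    # Constructed scale figure for "hundreds of users and thousands of files".
    print("500 users x 5000 files =", 500 * 5000, "matrix cells")
```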
No matter what specific mechanism is used to implement access controls in a
computer system or network, the controls should be based on a specific model of access.
Several different models are discussed in security literature, including discretionary
access control (DAC), mandatory access control (MAC), and role-based access control
(RBAC).
Mandatory Access Control
A less frequently employed system for restricting access is mandatory access control.
This system, generally used only in environments where different levels of security
classifications exist, is much more restrictive of what a user is allowed to do. Again
referring to the Orange Book, we can find a definition for mandatory access controls,
which is “a means of restricting access to objects based on the sensitivity (as
represented by a label) of the information contained in the objects and the formal
authorization (i.e., clearance) of subjects to access information of such sensitivity.”
In this case, the owner or subject can’t determine whether access is to be granted
to another subject; it is the job of the operating system to decide. In MAC, the security
mechanism controls access to all objects and individual subjects cannot change that
access. The key here is the label attached to every subject and object. The label will
identify the level of classification for that object and the level that the subject is entitled
to. Think of military security classifications such as Secret and Top Secret. A file that
has been identified as Top Secret (has a label indicating that it is Top Secret) may be
viewed only by individuals with a Top Secret clearance.
It is up to the access control mechanism to ensure that an individual with only a
Secret clearance never gains access to a file labeled as Top Secret. Similarly, a user
cleared for Top Secret access will not be allowed by the access control mechanism to
change the classification of a file labeled as Top Secret to Secret or to send that Top
Secret file to a user cleared only for Secret information. The complexity of such a
mechanism can be further understood when you consider today’s windowing
environment. The access control mechanism will not allow a user to cut a portion of a
Top Secret document and paste it into a window containing a document with only a
Secret label.
It is this separation of differing levels of classified information that results in this
sort of mechanism being referred to as multilevel security. A final comment should be
made: just because a subject has the appropriate level of clearance to view a document,
that does not mean that they will be allowed to do so. The concept of “need to know,”
which is a discretionary access control concept, also exists in mandatory access control
mechanisms.
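The decisions described in this section can be written as a small set of label checks. This is an added example, not part of the original notes: it models only the two levels named in the text, and represents need to know as a set of topics per subject, which is an assumption made for illustration. All class and function names are hypothetical.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Only the two levels named in the text; >= expresses "is at least as high as".
    SECRET = 1
    TOP_SECRET = 2


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level
    need_to_know: frozenset = frozenset()  # topics the subject is briefed on (assumed model)


@dataclass(frozen=True)
class Document:
    name: str
    label: Level
    topic: str


def can_read(subject, doc):
    """Clearance must reach the label AND the subject must have need to know."""
    return subject.clearance >= doc.label and doc.topic in subject.need_to_know


def can_relabel(subject, doc, new_label):
    """The mechanism, not the user, owns the label: lowering it is never allowed."""
    return can_read(subject, doc) and new_label >= doc.label


def can_send(sender, doc, recipient):
    """Sending is only allowed when the recipient could have read the document anyway."""
    return can_read(sender, doc) and can_read(recipient, doc)


def can_paste(subject, source, target):
    """Cut-and-paste moves content: the target window's label must be at least the source's."""
    return (can_read(subject, source) and can_read(subject, target)
            and target.label >= source.label)


if __name__ == "__main__":
    # Constructed subjects and documents.
    alice = Subject("alice", Level.TOP_SECRET, frozenset({"ops"}))
    bob = Subject("bob", Level.SECRET, frozenset({"ops"}))
    carol = Subject("carol", Level.TOP_SECRET)          # cleared, but no need to know
    plan = Document("plan", Level.TOP_SECRET, "ops")
    memo = Document("memo", Level.SECRET, "ops")

    print("bob reads plan:", can_read(bob, plan))
    print("carol reads plan:", can_read(carol, plan))
    print("alice downgrades plan:", can_relabel(alice, plan, Level.SECRET))
    print("alice sends plan to bob:", can_send(alice, plan, bob))
    print("alice pastes plan into memo:", can_paste(alice, plan, memo))
    print("alice pastes memo into plan:", can_paste(alice, memo, plan))
```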
BioMetrics
"Biometrics" means "life measurement" but the term is usually associated with the
use of unique physiological characteristics to identify an individual. The application
which most people associate with biometrics is security. However, biometric
identification eventually has a much broader relevance as computer interfaces become
more natural. Knowing the person with whom you are conversing is an important part of
human interaction and one expects computers of the future to have the same
capabilities.
A number of biometric traits have been developed and are used to authenticate the
person's identity. The idea is to use the special characteristics of a person to identify
him. By using special characteristics we mean using features such as face, iris,
fingerprint, signature etc.
The method of identification based on biometric characteristics is preferred over
traditional passwords and PIN based methods for various reasons such as: The person
to be identified is required to be physically present at the time of identification.
Identification based on biometric techniques obviates the need to remember a password
or carry a token. A biometric system is essentially a pattern recognition system which
makes a personal identification by determining the authenticity of a specific
physiological or behavioral characteristic possessed by the user. Biometric technologies
are thus defined as the "automated methods of identifying or authenticating the identity
of a living person based on a physiological or behavioral characteristic".
Verification - One to One: Biometrics can also be used to verify a person's identity. For
example, one can grant physical access to a secure area in a building by using finger
scans or can grant access to a bank account at an ATM by using retinal scan.
This phase of processing extracts the distinguishing characteristics from
the raw biometric sample and converts them into a processed biometric identifier record
(sometimes called biometric sample or biometric template).
In this phase of enrollment, the processed sample (a mathematical representation
of the biometric - not the original biometric sample) is stored / registered in a storage
medium for future comparison during an authentication.
In many commercial applications, there is a need to store the processed biometric
sample only. The original biometric sample cannot be reconstructed from this identifier.
Type of Biometrics
Biometrics refers to the study of methods for uniquely recognizing humans based upon one or
more intrinsic physical or behavioral characteristics.
Biometric identification is used on the basis of some unique physical attribute of the
user that positively identifies the user.
Examples: Fingerprint recognition, retina scan techniques, palm capillary mapping,
voice synthesis and recognition, face recognition.
Biometric characteristics can be divided into two main classes.
Physiological characteristics are related to the shape of the body, for example
fingerprint, face recognition, DNA, palm print, hand geometry, iris recognition
(which has largely replaced retina), and odor/scent.
Behavioral characteristics include, for example, typing rhythm, gait, signature and
voice. This class of biometrics is termed behaviometrics.
The first time an individual uses a biometric system is called an enrollment. During
the enrollment, biometric information from an individual is stored. In subsequent uses,
biometric information is detected and compared with the information stored at the time
of enrollment.
The sensor is the interface between the real world and the system; it has to
acquire all the necessary data.
Next, the system performs all the necessary pre-processing: it has to remove artifacts
from the sensor, enhance the input (for example, removing background noise),
use some kind of normalization, etc.
After preprocessing, the system extracts the necessary features. This is an important
step, as the correct features need to be extracted in the optimal way. A vector of
numbers or an image with particular properties is used to create a template. A
template is a synthesis of the relevant characteristics extracted from the source.
Elements of the biometric measurement that are not used in the comparison
algorithm are discarded in the template to reduce the file size and
to protect the identity of the enrollee.
If enrollment is being performed, the template is simply stored somewhere (on a
card or within a database or both). If a matching phase is being performed, the
obtained template is passed to a matcher that compares it with other existing
templates, estimating the distance between them using any algorithm (for
example, Hamming distance). The matching program will analyze the template
with the input. This will then be output for any specified use or purpose (for
example, entrance in a restricted area).
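The enrollment and matching flow above, using Hamming distance as the text suggests, looks like this in code. This is an added example, not part of the original notes: the raw samples, the choice of which features are kept, the one-bit quantization and the distance threshold are all constructed for illustration and do not describe any real biometric product.

```python
# Indices of the raw measurements the matcher uses; the rest are discarded
# at template creation, as described in the text (assumed choice).
USED_FEATURES = (0, 1, 2, 3, 4, 5, 6, 7)


def extract_template(sample, used=USED_FEATURES, cut=0.5):
    """Keep only the used features and quantize each one to a single bit."""
    return tuple(1 if sample[i] >= cut else 0 for i in used)


def hamming(a, b):
    """Number of positions at which two equal-length templates differ."""
    if len(a) != len(b):
        raise ValueError("templates must have the same length")
    return sum(x != y for x, y in zip(a, b))


class Matcher:
    def __init__(self, max_distance):
        # Larger values tolerate noisier scans but accept more impostors.
        self.max_distance = max_distance
        self.templates = {}  # user -> stored template (never the raw sample)

    def enroll(self, user, sample):
        self.templates[user] = extract_template(sample)

    def verify(self, claimed_user, sample):
        """One-to-one: compare the fresh scan with the claimed user's template only."""
        stored = self.templates.get(claimed_user)
        if stored is None:
            return False
        return hamming(stored, extract_template(sample)) <= self.max_distance

    def identify(self, sample):
        """One-to-many: return the closest enrolled user, or None if nobody is close enough."""
        probe = extract_template(sample)
        scored = sorted((hamming(t, probe), user) for user, t in self.templates.items())
        if scored and scored[0][0] <= self.max_distance:
            return scored[0][1]
        return None


# Constructed raw samples: ten normalized measurements per scan.
ALICE_ENROLL = [0.9, 0.1, 0.8, 0.7, 0.2, 0.1, 0.9, 0.3, 0.55, 0.45]
ALICE_LATER = [0.8, 0.2, 0.9, 0.4, 0.1, 0.2, 0.7, 0.2, 0.10, 0.90]  # noisy re-scan
BOB_ENROLL = [0.1, 0.9, 0.2, 0.1, 0.8, 0.9, 0.3, 0.7, 0.50, 0.50]
STRANGER = [0.9, 0.9, 0.1, 0.1, 0.1, 0.1, 0.1, 0.1, 0.50, 0.50]


def build_demo_matcher():
    m = Matcher(max_distance=2)
    m.enroll("alice", ALICE_ENROLL)
    m.enroll("bob", BOB_ENROLL)
    return m


if __name__ == "__main__":
    m = build_demo_matcher()
    print("alice verifies as alice:", m.verify("alice", ALICE_LATER))
    print("alice's scan claimed as bob:", m.verify("bob", ALICE_LATER))
    print("identify noisy re-scan:", m.identify(ALICE_LATER))
    print("identify stranger:", m.identify(STRANGER))
```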
Hand Geometry
Background
Hand geometry is a form of physiological biometrics
that uses the shape of the hand for authentication purposes.
Various traits of the hand, such as finger length, width and
curvature, as well as unique features may be used for
identification. Hand geometry scans require that users place
their hands onto a surface with 5 pegs. This aligns the hand
so that the scanner can get a consistent reading on each
scan. The scan is then compared to the database for
verification. A typical scan will take two pictures of the hand:
one of the top and one of the side.
Another type of biometric scan can be done to identify
the dorsal venous network of the hand. This essentially
shows the blood vessels on the back of the hand and may be another useful factor for
verification.
Studies on the use of hand geometry have been performed by Michigan State
University. In their tests, users interacted with hand verification systems to grant access
to web-based services. The use of hand verification as opposed to another form of
biometric security might be favorable due to the sensitive nature of fingerprint, DNA, or
iris-based systems.
identification system. A system where hand geometry was used to verify the fingerprint
input would add an additional layer of security and create a very effective identification
system.
Hand geometry is currently in use for physical security purposes, namely building
access, due to its ease of use, low cost and the relatively impersonal data it uses.
Implementing a security system based on hand geometry alone would not be a viable
security system; however, when combined with fingerprint biometrics it is a suitable
security system for almost any business need.
Eye Biometric
Background
As early as the 1930’s researchers began to notice that the blood vessels on the back of
a human eye are unique to every person. Even identical twins have different patterns of
these blood vessels. In the thirties, however, there was not sufficient technology to
implement these retinal characteristics into a form of advanced security. Once the
correct technology was acquired, retina biometrics, one of the most sophisticated forms
of security, was born.
How it Works
Today, there are many different machines designed to perform retina scans but all follow
the same basic principles. These machines require a person to take off any glasses they
may be wearing and stand with their eyes very close to a scanner. The machine takes
around ten seconds to shine a “low intensity coherent light source” onto the retina to
illuminate the blood vessels. The individual being scanned must remain still and stare at
a specific point while the device is processing the scan. Once the machine has a copy of
the scan, it compares the picture to all the different scans on file, looks for a match, and
identifies the individual.
Machine Scanning an Eye:
Example of a scanned retina:
Advantages
A few advantages to Retina Biometrics include:
- No two retinas will ever be exactly alike
- Even after death, the blood vessels cannot be imitated since they decay rapidly
- Fast, accurate scan
Implementation
Since the retina scan machines are fairly expensive, a popular use of this type of
security is with government agencies to identify employees. Also, some companies (both
large and small) use the retina scan machines to keep track of attendance of employees
and control access areas within a building. Since these machines are extremely accurate,
they tend to be used in highly protected areas. Companies use retina scans to limit
access to, usually, the top employees only. This ensures that important data will only be
seen by the people with clearance. Companies also like to use these retina scanning
machines since they are highly accurate in a short amount of time. Employees only have
to spend around ten seconds at the machine to be granted access or denied.
Facial Biometrics
Background
Facial recognition Biometrics was introduced in the 1960’s. The US government hired a
man named Woodrow W. Bledsoe to create the very first semi-automated face
recognition system. The machine located key features on the face and calculated the
ratios between them for identification. A decade later three men named Goldstein,
Harmon, and Lesk joined forces to enhance the existing machines. They developed a 21
point check for the machines to identify and calculate the ratios between these facial
structures. The 21 points included very intricate features of the face such as thickness
of the lips and color of the hair. In the 1980’s facial recognition systems were beginning
to become available in commercial retail.
How it Works
Facial recognition starts by using a digital video camera to record a person’s face as they
enter a certain area. This type of biometrics does not require anyone to physically touch
a machine, just stand within a designated space. The picture is then analyzed by
“comparing distances between things like the eyes, nose, mouth, and jaw edges” of a
person. This method compares angles and ratios of a person’s face to a database of
previously collected ratios to correctly identify the individual.
Application in Business
Facial recognition biometrics is slowly creeping into many aspects of today’s world. For
example, starting in 1988, a sheriff’s department in Los Angeles started the first
commercial facial recognition system to combine a database of digital mug shots to help
ensure arresting the correct suspect. Also, after the terrorist attack of September 11th,
many airports have implemented a facial recognition system. This seems like the ideal
place for this type of security since it can process the large amount of traffic moving
through an airport. Another system implemented after 9/11 was at the Super Bowl of
2001. The staff scanned everyone hoping to be able to identify anyone with any sort of
criminal record. Other ideal locations for facial recognition systems are places like
“casinos, public transportation, financial institutions” or anywhere with numerous
people.
DNA Biometrics
What is DNA?
Deoxyribonucleic acid (DNA) is the genetic material found in most organisms,
including humans. Each individual human is identifiable by hereditary traits found in
their DNA, which is located in the nucleus of the cells as well as the mitochondria. DNA
serves as a genetic code that is unique to every organism, no two being exactly alike;
only identical twins are an exact DNA match. An organism’s DNA code is comprised of
four bases: adenine (A), guanine (G), cytosine (C), and thymine (T). These bases combine
in a specific sequence to form base pairs that determine the anatomy and physiology of
the organism. Each base pair is attached to a sugar and phosphate molecule creating a
nucleotide. Nucleotides compose two long strands connected by the base pairs in a
ladder-like formation that form the common spiral
known as the double helix.
In the case of human beings, there are about 3 million
bases, 99% of which are the same from person to
person. The variations found in the final 1% are the
means by which DNA becomes unique to each
individual. The final 1% also serves as the foundation
for DNA biometrics, being the location of the unique
traits by which DNA recognition can identify or verify
the identification of an individual person.
How DNA recognition works?
The cells that contain DNA share genetic material (information) through chromosomes.
Humans have 23 chromosomes that house a person’s DNA and their genes. Of the 46
total chromosomes, 23 come from each parent of an offspring. 99.7% of an offspring’s
DNA is shared with their parents. The remaining .3% of an individual’s DNA is variable
repetitive coding unique to an individual. This repetitive coding is the basis of DNA
biometrics. DNA recognition uses genetic profiling, also called genetic fingerprinting, to
isolate and identify these repetitive DNA regions that are unique to each individual to
either identify or verify a person’s identity.
The basic steps of DNA profiling include:
1. Isolate the DNA (sample can originate from blood, saliva, hair, semen, or tissue)
2. Section the DNA sample into shorter segments containing known variable number
tandem repeats (VNTRs)—identical repeat sequences of DNA
3. Organize the DNA segments by size
4. Compare the DNA segments from various samples
The more repeats of sequences there are for a given sample, the more accurate the DNA
comparison will be, thus decreasing the likelihood of the sample matching multiple
individuals. In other words, the more detailed the sample is, the more precise the
comparison is in identifying the individual who possesses the DNA from the sample. A
few drawbacks of this technique are the depth of the procedure, the physical
invasiveness of obtaining the DNA sample, and the time required to perform a DNA
comparison. Also, contamination of the sample renders the comparison impossible.
Most often, DNA biometrics is used for identification purposes as opposed to verification
because the technique has yet to be automated through technological advances. DNA
sequencing, the process of generating a DNA profile, is compared to DNA samples
previously acquired and catalogued in a database. The most common DNA database in
existence is the CODIS System used by the Federal Bureau of Investigation. DNA
biometrics technology is not advanced enough for universal use. Current DNA
biometrics is far from that depicted in the movies.
Keystrokes
Introduction
Keystroke Dynamics are the behavioral study of how
individual humans type on a keyboard, considering
factors such as Flight Time (the time it takes to move
from one key to another) and Dwell time (the time a
person spends on any given key).
The history of keystroke dynamics as a field of study dates back
to the early days of the telegraph, where operators learned
the “voices” of other operators as they transmitted
messages. During World War II, as part of the
cryptanalysis of the British, female code breakers learned the “voices” of telegraph
transmitters in the German military. This allowed the Allies to pinpoint when transmissions
were highly important or likely falsified information. The identification mark, an
individual rhythmic pattern to transmitting signals known as the “fist of the sender”,
became the cornerstone for the study of Keystroke Dynamics.
Disadvantages
The lack of ease in using this system is what keeps it out of the
public arena. Setting up a series of accepted users is time consuming and, based on the
findings of one particular study, a pattern may be harder to duplicate by that user than by
another user. Also, the failure of the system to easily identify a new acceptable user while
in place limits its use. Although developments are being made to prepare the system for
such intelligence, it has not yet been incorporated.
Applications
One of the most likely possible uses for Keystroke Dynamics in the business and
information world today would be for user identification purposes. By having the specific
user calibrated to typing a specific phrase or password, the analytical software would be
able to decipher whether or not the user is the allowed source based upon hesitation
and rapidity of the stroke. Thus simply typing the password or pasting it within the
appropriate field would not work because the flight times and dwell times would not
match. This would eliminate security threats to an information system even if the actual
text or character combination was revealed to an outside source.
Additionally, this software could be used to distinguish one person from another in
signal based communications, such as typing or telegraphing, where the user is
manually inputting the signals according to their own rhythmic patterns. Although not
able to identify new users, the software can compare input signals to established
templates and determine whether or not the desired user is the one transmitting the
signal.
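The verification idea described above, as an added example that is not part of the original notes: a typist is enrolled from several samples of one phrase, and a later attempt is scored by how far its dwell and flight times fall from the enrolled averages. The scaled-distance scoring, the threshold, the phrase and all timing values are constructed assumptions.

```python
from statistics import mean, stdev

MIN_STD_MS = 5.0  # assumed floor so a very consistent typist never yields a near-zero divisor


def make_events(text, dwells, flights):
    """Build (key, press_ms, release_ms) tuples from dwell and flight times."""
    events, t = [], 0
    for i, ch in enumerate(text):
        release = t + dwells[i]
        events.append((ch, t, release))
        if i < len(flights):
            t = release + flights[i]
    return events


def features(events):
    """Dwell time per key, followed by flight time between consecutive keys."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Template = (mean, standard deviation) of every feature over the samples."""
    columns = zip(*(features(s) for s in samples))
    return [(mean(c), max(stdev(c), MIN_STD_MS)) for c in columns]


def score(template, events):
    """Average of |value - mean| / std over all features; lower is closer."""
    vec = features(events)
    if len(vec) != len(template):
        return float("inf")  # a different number of keys cannot match the template
    return sum(abs(x - m) / s for x, (m, s) in zip(vec, template)) / len(vec)


def verify(template, events, threshold=2.0):
    return score(template, events) <= threshold


# Constructed sample data (milliseconds) for the phrase "spurs".
PHRASE = "spurs"
ENROLLMENT = [make_events(PHRASE, d, f) for d, f in [
    ([95, 110, 88, 102, 97], [140, 120, 160, 130]),
    ([100, 105, 92, 98, 101], [150, 115, 155, 125]),
    ([90, 112, 85, 105, 95], [135, 125, 165, 135]),
    ([98, 108, 90, 100, 99], [145, 118, 158, 128]),
]]
TEMPLATE = enroll(ENROLLMENT)

GENUINE = make_events(PHRASE, [97, 109, 89, 101, 98], [142, 121, 157, 131])
IMPOSTOR = make_events(PHRASE, [60, 70, 65, 62, 68], [250, 300, 220, 280])
PASTED = make_events(PHRASE, [0] * 5, [0] * 4)  # pasted text: no dwell, no flight

if __name__ == "__main__":
    for label, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR), ("pasted", PASTED)):
        print(label, round(score(TEMPLATE, attempt), 2), verify(TEMPLATE, attempt))
```

The correct characters are supplied in all three attempts; only the timing separates the enrolled user from the other two.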
Signature
Introduction
Dynamic Signature Verification refers to the process of analyzing one’s signature
according to the speed, pressure, and
timing that the user takes to complete the
signature. The process is ideal for security
purposes because it allows a frequently
used writing (the signature) that is unique
to each user based upon the amount of
time and effort that they specifically put
into their writing.
History
Signatures date back to the early
beginnings of written language, which
began in the Sumerian civilization. It wasn’t until the Romans, under Valentinian III,
began using the subscriptio (a short phrase used to verify wills), that the signature had
its birth. It quickly spread to other legal documents as a unique verification tool to
ascertain several key elements: message authentication, message/data integrity, and
non-repudiation (legal aspect of events). From this base, the signature has become a
staple of western civilization, to the point that today, the signature is a legally binding
entity.
Advantages
The key advantage to this particular system of behavioral biometrics is that it is based
on an already accepted form of identification. Incorporation of a security system based
on Dynamic Signature Verification would require a certain amount of investment in
equipment and software to analyze the inputs, but no real cost to train people on how to
input signals. At the same time, it is reliant upon unique characteristics that are not
easily duplicable, with even the same users having slight (negligible) differences between
their own signatures. Many companies, such as IBM, are already offering software that
provides this service, easily comparing the input signature to six given templates by the
authenticated user. Not only does it boast a low total error rate (1.5%) but it also
requires little time (1 sec/signature), cheap equipment cost, and low storage space.
Applications
Signature Verification itself is used and has been successfully
incorporated into the public domain. Each time a user signs on a digital
notepad to approve a credit card transaction, they are using a form of
signature verification. The difference though is that this form does not
take into account the pressure, timing, and speed with which the user inputs the signal,
it only compares the input signature to the one on file. This is due to the simplicity of
the system, which often uses only a simple scanner. Thus a forger who can reasonably
reproduce the signature of a copy submitted electronically can easily be mistaken for the
authentic. Dynamic Signature Verification would require the use of a scanner, a camera
to observe how the signature is being made (speed and timing), and a pen with sensors
or that uses ultrasonic sensing to observe the pressure. By incorporating these elements
into the observed category, the percentage of successful forging attempts is
significantly reduced.
Voice Biometrics
Background Information
Much like the uniqueness of fingerprints, voice can also be used as a form of security for
identifying an individual.
Voice can be used because of each individual’s tone, pitch, and atonality of words.
The voice is unique because of the individual shape of the vocal cavities and the way the
individual moves their mouth when they speak.
Matching Techniques
The wave patterns in the voice and the measurement of physiological
characteristics, such as the nasal passages and vocal cords, as well as the frequency,
cadence and duration of the vocal pattern are all included in considering a voiceprint.
The voiceprint is a biometric voice identifier not a recording or a sound file; so an
imposter could not record one’s words and replay them into the system and get access
granted. A voiceprint allows the user to gain access to information or give authorization
without being physically present; this way the user can give authorization by way of a
simple phone call.
Advantages
A couple major advantages of Voice biometrics are:
- Security
- Accuracy
- Convenience
- Shortened Verification/ Speeds
- Protects Privacy
All of these reasons demonstrate voice biometrics as an easy, quick, and safe method for
identifying individuals.
Disadvantages
Voiceprints are not a perfected technology; as in every technology based system,
there are glitches still to be worked out. A way has been configured for unauthorized
users to hack the system by simply obtaining a recording of the authorized person's
password (this is usually by way of phone). To counteract this fraudulent activity, many
systems have randomly chosen passwords or general voiceprints instead of prints for
specific words to decrease possibility of access.
Business Applications
Many companies have freed up a lot of space on their hard drives by the
implementation of voice printing; due to the fact that voice printing eliminates the need
for passwords. Companies such as VoiceVault have created special filters and
algorithms to eliminate background noise as well as to aid in detecting and rejecting any
attempt to use voice recordings. Another good example of this “special filter” is
automated voicemail systems. Many companies have utilized voiceprints to help them in
dealing with their many customers by allowing the voiceprint to acknowledge and
understand what the customer is saying and transfer them to the right department
accordingly.
Q. Describe methods of Defense
Security is the process of ensuring the confidentiality, integrity, authenticity, non-
repudiation, and availability of electronic communications and transactions. To ensure
the security of e-business and e-commerce, it is necessary to implement security
policies and technologies that enable trusted electronic transactions and
communications. The methods for ensuring security in systems include:
Authentication
Authentication is the process of determining whether someone or something is, in fact,
who or what it is declared to be. In private and public computer networks (including the
Internet), authentication is commonly done through the use of logon passwords.
Knowledge of the password is assumed to guarantee that that user is authentic. Each
user registers initially (or is registered by someone else), using an assigned or self-
declared password. On each subsequent use, the user must know and use the
previously declared password. The weakness in this system for transactions that are
significant (such as the exchange of money) is that passwords can often be stolen,
accidentally revealed, or forgotten.
For this reason, Internet business and many other transactions require a more stringent
authentication process. The use of digital certificates issued and verified by a Certificate
Authority (CA) as part of a public key infrastructure (PKI) is considered likely to become the standard way to
perform authentication on the Internet. Logically, authentication precedes authorization
(although they may often seem to be combined).
Authorization:
Authorization is the process of giving someone permission to do or have something. In
multi-user computer systems, a system administrator defines for the system which
users are allowed access to the system and what privileges of use (such as access to
which file directories, hours of access, amount of allocated storage space, and so forth).
Assuming that someone has logged in to a computer operating system or application,
the system or application may want to identify what resources the user can be given
during this session. Thus, authorization is sometimes seen as both the preliminary
setting up of permissions by a system administrator and the actual checking of the
permission values that have been set up when a user is getting access. Logically,
authorization is preceded by authentication.
Cryptography:
Mathematical methods and techniques of cryptography are used to ensure the
confidentiality, integrity and non-repudiation of communications and transactions.
Cryptography will be discussed in detail in the next chapter.
Risks Analysis:
In order for an effective security strategy to be implemented, assets must be identified,
probable risks determined, and an approximate value placed on organizational assets.
Value in an intangible electronic medium can sometimes be difficult to determine.
However the enterprise must assess the value of issues like reputation, customer
confidence, financial fraud, disclosure of proprietary information, and trade secrets.
After a detailed risk analysis is conducted, cost-effective e-business and e-commerce
enabling policies, processes, and procedures can be developed to minimize the risk of
unauthorized access and disclosure of organizational assets. Costs associated with
minimizing risks should never exceed the cost of replacing the asset.
Security Policy:
It is essential that easy-to-understand and enforceable security policies be documented
and disseminated to all e-business and e-commerce constituencies including employees,
customers, partners, and suppliers. Security policies should clearly define the proper
use of network resources and e-business assets. Roles and responsibilities need to be
defined for policy creation, revision, and implementation. Security technologies are
designed to implement, monitor, and verify organizational security policies. Processes
and procedures need to be established for the implementation and maintenance of
authentication, authorization, accounting, and cryptography standards in support of
e-business and e-commerce. In order for a secure e-business and e-commerce initiative
to be effective it is critical that an organization establish simple and effective ground
rules for the proper use of network resources and assets.
Legal framework:
To fight against crime, cyber laws have been adopted by various
countries of the world. In 1996, the United Nations Commission on International Trade
Law (UNCITRAL) adopted the UNCITRAL Model Law on Electronic Commerce. Its
intent is to harmonize and unify international trade law to remove unnecessary legal
obstacles. The Model Law is prepared to serve as a model to countries for the evaluation
and modernization of certain aspects of their laws and practices in the field of
commercial relationships involving the use of computerized or other modern
communication techniques, and for the establishment of relevant legislation where none
presently exists.
The model law enables or facilitates the use of electronic commerce and provides
equal treatment to users of paper-based documentation and to the users of computer-
based information. Depending on the situation in each enacting State, the Model Law
could be implemented in various ways, either as a single statute or in several pieces of
legislation.
In addition to the information technology acts of the respective countries,
international rules and regulations have strengthened the power against cyber crimes. The
Internet Corporation for Assigned Names and Numbers (ICANN) has adopted the
Uniform Domain Name Dispute Resolution Policy to resolve domain name disputes.
The World Intellectual Property Organization (WIPO) has prepared new copyright treaties, viz.
the Copyright Treaty and the Performances and Phonograms Treaty, to fight against
intellectual property and licensing violations.
Controls:
Above mentioned methods of defense like authentication, authorization and
cryptography are implemented using various Hardware and Software controls.
Different hardware controls like smart cards, firewalls, intrusion detection system, locks
or cables limiting access, devices to verify user’s identities etc. are used.
Software controls that aid in a secure computing environment are internal
program controls, which are themselves parts of the program and enforce security
restrictions, and operating system and network system controls, which are the limitations enforced
by operating systems or networks. Independent control programs are the application
programs which verify passwords, detect intrusions, scan for viruses etc. Quality
standards are enforced in the software development life cycle to prevent software faults
from becoming exploitable vulnerabilities.
Q. What are Kerberos and CHAP? Describe.
Ans. Kerberos
Developed as part of MIT’s project Athena, Kerberos is a network authentication protocol
designed for a client/server environment. Taking its name from the three-headed
dog of Greek mythology, Kerberos is designed to work across the Internet, an inherently
insecure environment. Kerberos uses strong encryption so that a client can prove its
identity to a server and the server can in turn authenticate itself to the client. The basis
for authentication in a Kerberos environment is something known as a ticket. Tickets are
granted by the authentication server, which is an entity trusted by both the client and
the server the client wishes to access. The client can then present this ticket to the
server to provide proof of identity. Since the entire session can be encrypted, this will
eliminate the inherently insecure transmission of items such as a password that can be
intercepted on the network. Since the tickets are time-stamped, attempting to reuse
them will not be successful. To illustrate how the Kerberos authentication service works,
think about the common driver’s license. You have received a license that you can
present to other entities to prove you are who you claim to be. Because these other
entities trust the state the license was issued in, they will accept your license as proof of
your identity. The state the license was issued in is analogous to the Kerberos
authentication service. It is the trusted entity both sides rely on to provide valid
identifications. This analogy is not perfect, because we all probably have heard of
individuals who obtained a phony driver’s license, but it serves to illustrate the basic
idea behind Kerberos.
CHAP
CHAP, the Challenge Handshake Authentication Protocol, is used to provide
authentication across a point-to-point link using the Point-to-Point Protocol (PPP). In
this protocol, authentication after the link has been established is not mandatory. CHAP
is designed to provide authentication periodically through the use of a
challenge/response system sometimes described as a three-way handshake, as
illustrated in Figure . The initial challenge (a randomly generated number) is sent to the
client.
The client uses a one-way hashing function to calculate what the response should be
and then sends this back. The server compares the response with what it calculated the
response should be. If it matches, communication continues. If the two values don’t
match, then the connection is terminated. This mechanism relies on a shared secret
between the two entities so that the correct values can be calculated.
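The challenge/response exchange described above, with both sides shown, as an added example that is not part of the original notes. The response formula MD5(Identifier || secret || Challenge) is the one RFC 1994 specifies for CHAP; the class names, peer name and secrets are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues challenges and compares responses with its own calculation."""

    def __init__(self, secrets_by_name):
        self.secrets = secrets_by_name
        self.next_id = 0
        self.pending = {}

    def challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256   # the Identifier field is one octet
        self.pending = {ident: os.urandom(16)}    # only the newest challenge can be answered
        return ident, self.pending[ident]

    def verify(self, name, ident, response):
        challenge = self.pending.pop(ident, None)  # every challenge is single use
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class Peer:
    """Client side: proves knowledge of the shared secret without sending it."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, ident, challenge):
        return self.name, ident, chap_response(ident, self.secret, challenge)


def run_demo():
    secret = b"constructed-shared-secret"          # constructed sample value
    server = Authenticator({"branch-router": secret})
    peer = Peer("branch-router", secret)
    results = {}

    ident, chal = server.challenge()
    name, rid, first_resp = peer.respond(ident, chal)
    results["first_login"] = server.verify(name, rid, first_resp)

    # A response captured earlier does not answer a fresh challenge.
    ident, chal = server.challenge()
    results["replayed_old_response"] = server.verify(name, ident, first_resp)

    # Periodic re-authentication on the established link.
    ident, chal = server.challenge()
    results["periodic_reauth"] = server.verify(*peer.respond(ident, chal))
    results["same_response_twice"] = server.verify(*peer.respond(ident, chal))

    ident, chal = server.challenge()
    wrong = Peer("branch-router", b"guessed-secret")
    results["wrong_secret"] = server.verify(*wrong.respond(ident, chal))
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```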
Certificates
Certificates are a method to establish authenticity of specific objects such as an
individual’s public key (more on this specific subject in Chapter 10) or downloaded
software. A digital certificate is generally seen as an attachment to a message and is
used to verify that the message did indeed come from the entity it claims to have come
from. The digital certificate can also contain a key that can be used to encrypt further
communication.
Tokens
A token is a hardware device that can be used in a challenge/response authentication
process. In this way, it functions as both a something-you-have and something-you-know
authentication mechanism. There have been several variations on this type of
device, but they all work on the same basic principles. The device has an LCD screen
and may or may not have a numeric keypad. Devices without a keypad will display a
password (often just a sequence of numbers) that changes at a constant interval, usually
about every 60 seconds. When an individual attempts to log in to a system, they enter
their own user identification number and then the number that is showing on the LCD.
The system knows which device they have and is synchronized with it so that it will
know the number that should have been displayed. Since this number is constantly
changing, a potential attacker who is able to see the sequence will not be able to use it
later, since the code will have changed. Devices with a keypad work in a similar fashion
(and may also be designed to function as a simple calculator). The individual who wants
to log in to the system will first type their personal identification number into the
calculator. They will then attempt to log in. The system will then provide a challenge;
the user must enter that challenge into the calculator and press a special function key.
The calculator will then determine the correct response and display it. The user provides
the response to the system they are attempting to log in to, and the system verifies that
this is the correct response. Since each user has a different PIN, two individuals
receiving the same challenge will have different responses. The device can also use the
date or time as a variable for the response calculation so that the same challenge at
different times will yield different responses, even for the same individual.
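The keypad-less, time-synchronised token described above, as an added example that is not part of the original notes. It uses the standard HOTP/TOTP construction (RFC 4226 and RFC 6238) as one way a device can derive its changing number; the 60-second step follows the text, while the key (the RFC 4226 test key), the `TokenVerifier` class and the one-step clock-drift window are assumptions.

```python
import hashlib
import hmac
import struct

RFC_TEST_KEY = b"12345678901234567890"  # published RFC 4226 test key, never a real secret


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key, unix_time, step=60, digits=6):
    """The number on the LCD: HOTP over the index of the current time interval."""
    return hotp(key, int(unix_time) // step, digits)


class TokenVerifier:
    """Server side: shares the key with one device and tracks the last interval used."""

    def __init__(self, key, step=60, drift_steps=1):
        self.key, self.step, self.drift = key, step, drift_steps
        self.last_used = -1

    def verify(self, code, now):
        current = int(now) // self.step
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter < 0 or counter <= self.last_used:
                continue  # an interval that was already accepted is never accepted again
            if hmac.compare_digest(hotp(self.key, counter), code):
                self.last_used = counter
                return True
        return False


def run_demo():
    shown_on_lcd = totp(RFC_TEST_KEY, 125)            # user reads the code at t = 125 s
    server = TokenVerifier(RFC_TEST_KEY)
    results = {"code": shown_on_lcd}
    results["login"] = server.verify(shown_on_lcd, 130)
    results["observed_code_reused"] = server.verify(shown_on_lcd, 140)
    # A second server instance with a slightly fast clock still accepts the code ...
    results["one_step_drift"] = TokenVerifier(RFC_TEST_KEY).verify(shown_on_lcd, 185)
    # ... but several intervals later the same digits are worthless.
    results["stale_code"] = TokenVerifier(RFC_TEST_KEY).verify(shown_on_lcd, 480)
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```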
Multifactor
Multifactor is a term used to describe the use of more than one authentication
mechanism at the same time. An example of this is the hardware token, which requires
both a personal identification number or password and the device itself to determine the
correct response in order to authenticate to the system. This means that both the
something-you-have and something-you-know mechanisms are used as factors in
verifying authenticity of the user. Biometrics are also often used in conjunction with a
personal identification number so that they too can be used as part of a multifactor
authentication scheme, in this case something you are as well as something you know.
The purpose of multifactor authentication is to increase the level of security, since more
than one mechanism would have to be spoofed in order for an unauthorized individual
to gain access to a computer system or network. The most common example of
multifactor security is the common ATM card most of us have in our wallets.
Mutual Authentication
Mutual authentication is a term used to describe a process in which each side of an
electronic communication verifies the authenticity of the other. We are used to the idea
of having to authenticate ourselves to our Internet service provider (ISP) before we
access the Internet, generally through the use of a user identification/password pair,
but how do we actually know that we are really communicating with our ISP and not
some other system that has somehow inserted itself into our communication (a man-in-the-middle
attack)? Mutual authentication would provide a mechanism for each side of a
client/server relationship to verify the authenticity of the other to address this issue.
Board Question Paper Solution
Sample Paper -1
a. List and Describe basic components of computer security
Ans.Refer Q.No.
Ans.Refer Q.No.
Sample Paper – II
a. Describe Criminal organization and Terrorist and Information warfare.
Ans.Refer Q.No.
Winter 2008
a. Describe the following terms:
(i)Overwriting viruses (ii)Stealth viruses
Ans.Refer Q.No.
Summer 2009
a. Describe the term authentication. Explain authenticity
Ans. Refer Q.No.
Winter 2009
a. Compare Intruders and Insiders.
Ans. Refer Q.No.
Summer 2010
a. List and describe basic component of computer security.
Ans. Refer Q.No.
b. Define the terms data security, information security n/w security and
computer security
Ans. Refer Q.No.
Question Bank
Chapter-1
Q1. Describe the basic components of Computer Security.
Q2. Differentiate between Viruses and Worms.
Q3. Describe the term Viruses.
Q4. Describe the term Worms.
Q5. Describe the term Trojan Horse.
Q6. Describe the term Logic Bombs.
Q7. Discuss why insiders are considered such a threat to organization?
Q8. What is Threats? Describe all types of Threats.
Q9. Describe the importance of Security.
Q10. What are the main types of PC Viruses?
Q11. Describe the term Polymorphic Virus.
Q12. List different types of attacks.
Q13. Describe the two categories of Viruses.
Q14. List the Triggers of the Virus Attack.
Q15. Describe the steps for protection against viruses.
Q16. Draw the structure of a worm.
Q17. Describe two example of worm.
Q18. What is meant by Attacks? List the types of Attack.
Q19. What is meant by Backdoors Attack?
Q20. What is meant by Trapdoors Attack?
Q21. Explain the operational model of computer security?
Q22. Explain why the criminal organizations fall into the structured threat
category?
Q23. What is Information warfare? Why many nations are conducting Information
warfare?
Q24. What are different possible ways of attack?
Q25. Explain the Backdoor and Trapdoor attacks?
Q26. What are different ways of spoofing?
Q27. Describe the term Denial of Service (DOS) Attack.
Q28. Describe the term Sniffing.
Q29. Describe the term Spooling Attack.
Q30. Draw and describe the Man-in-the Middle Attack.
Q31. What is TCP/IP Hijacking?
Q32. What is CIA of a security?
Q33. What are layers of security?
Q34. Explain different models of access controls?
Q35. Explain different methods of authentication?
Q36. Describe the basic components of Computer Security?
Q37. Differentiate between Viruses And Worms.
Q38. What is Threats? Describe all types of Threats.
Q39. What are the main types of PC Viruses?
Q40. Describe the two categories of Viruses.
Q41. List the triggers of the Virus Attack.
Q42. Describe the steps for protection against viruses.
Q43. Describe the term TCP/IP Hijacking
Q44. Describe the term Boot Sector Viruses.
Q45. Describe the layers of the Computer Security.
Q46. Describe the two methods used in Mandatory Access Control.
Q47. Describe two Access Control Techniques.
Q48. Describe the term Memory Resident Viruses.
Q49. Describe the term TCP/IP Hijacking.
Q50. Describe the term Encryption Attacks.
Q51. Describe the term Malware.
Q52. List the types of Malicious Code.
Q53. List the characteristics of Virus.
Q54. Describe the term Boot Sector Viruses.
Q55. Describe the term Memory Resident Viruses.
Q56. Describe the details of Security Basics.
Q57. Describe the layers of Computer Security.
Q58. Describe two Access Control Techniques.
Q59. What are the two concept in Discretionary Access Control?
Q60. Describe the two methods used in Mandatory Access Control.
Q61. Describe the three primary rules for role Based Access Control
Q62. What is Authentication? List the two example.
Q63. Write a short note on
- DOS
- Sniffing
- Viruses
- Man-In-Middle attack