2) Trojan
- An executable program that appears to perform a benign activity but
actually does something malicious.
- Eg. Downloading a program that is advertised as a calculator,
but is actually malware that scans user info.
1) Backdoor
- Gives access to a computer, program or service while avoiding normal security
protections.
- Once installed on a computer, it allows the attacker to return later and bypass
security settings.
- A common practice by developers who do not want to be hindered by
continual requests for passwords.
- A backdoor should be removed once the app is finalized; if it is left
installed, attackers can use it to bypass security later.
2) Logic Bomb
- Difficult to detect before it is triggered.
- Often embedded in large computer programs; a trusted employee can
easily insert a few lines of code into a long program without
being detected.
- Programs are not routinely scanned for malicious actions.
- Purpose: to seek revenge against the company.
3) Rootkits
- Can hide their presence on the computer.
- Achieved by accessing lower layers of the operating system, which makes
the rootkit undetectable by the operating system.
- A collection of tools that allow a hacker to mask their intrusion and gain
admin-level access to a computer or network.
- Done by exploiting a known vulnerability or cracking passwords.
- A rootkit can:
○ Monitor traffic & keystrokes, create a backdoor, alter log files.
1) Internal:
- Fire threats, prevented with automatic fire detectors & extinguishers
- Backup tapes, stored in a fireproof safe
- Unstable power supply, prevented with voltage controllers
- Humidity in the computer room, controlled with air conditioning
2) External:
- Lightning protection systems, reduce the chance of lightning causing damage
- House computer systems on high ground, to prevent damage caused by floods
3) Humans:
- Computer systems locked in a secure room with as few people having access as possible.
- Old backup tapes, destroyed before disposal
1. Malware scanners
- Prevent malware from infecting the system.
- Match files against signatures from a list of known malware definitions.
- Look for malware-like behaviour, eg. manipulating the registry.
2. Firewalls
- A barrier between computers or networks
- Should be turned on and installed with the right configuration.
- Filter incoming packets based on certain parameters such as packet size & source IP address
- Prevents DoS attacks.
i. Stateless packet filtering
- Checks whether each packet, on its own, meets the firewall rules.
- Criteria checked eg.: protocol, port, IP address.
ii. Stateful packet inspection (SPI)
- Examines a packet based on data derived from previous packets
- Less susceptible to ping floods, SYN floods and spoofing
- Eg. Determines a DoS attack when a lot of packets keep coming from the same
source IP.
iii. Application Gateway
- Connects the client program to a proxy.
- The proxy establishes the connection with the destination behind the firewall on behalf of the client, to
hide and protect individual computers on the network.
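The difference between stateless filtering and stateful inspection above, as an added example that is not part of the original notes: the rule set, the packet tuples and the threshold are all constructed here, and a plain per-source counter stands in for the time window a real SPI firewall would use.

```python
from collections import defaultdict

# Constructed sample traffic: (source IP, destination port, protocol) per packet.
# The last line is a burst from one source, the pattern a stateful firewall flags as a flood.
PACKETS = [
    ("203.0.113.5", 443, "tcp"),
    ("203.0.113.5", 443, "tcp"),
    ("198.51.100.9", 22, "tcp"),      # deny rule for this port: stateless deny
    ("203.0.113.7", 53, "udp"),
] + [("203.0.113.5", 443, "tcp")] * 60

# Stateless rules: each packet is judged on its own header fields only.
STATELESS_RULES = [
    {"protocol": "tcp", "port": 443, "action": "allow"},
    {"protocol": "udp", "port": 53, "action": "allow"},
    {"protocol": "tcp", "port": 22, "action": "deny"},
]

def stateless_filter(pkt):
    """Return the first matching rule's action; default deny when nothing matches."""
    _src, port, proto = pkt
    for rule in STATELESS_RULES:
        if rule["protocol"] == proto and rule["port"] == port:
            return rule["action"]
    return "deny"

class StatefulInspector:
    """Remembers earlier packets: a per-source counter stands in for a rate window,
    so a source exceeding the threshold is denied even though each packet alone passes."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.seen = defaultdict(int)

    def inspect(self, pkt):
        if stateless_filter(pkt) == "deny":
            return "deny"
        src = pkt[0]
        self.seen[src] += 1
        return "deny-flood" if self.seen[src] > self.threshold else "allow"

def run(packets, threshold=50):
    """Feed the batch through the inspector and tally the verdicts."""
    inspector = StatefulInspector(threshold)
    tally = defaultdict(int)
    for pkt in packets:
        tally[inspector.inspect(pkt)] += 1
    return dict(tally)
```

Every packet of the burst passes the stateless rules individually; only the stateful counter catches it.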
3. Antispyware
- Scans the device for any spyware that is running.
- Checks against a list of known spyware, included in antimalware solutions.
4. VPN
- Creates a virtual connection between a remote user or site and a central location.
- Packets transmitted over the connection are encrypted, making it private.
- A VPN must emulate a direct network connection.
Cryptography:
- Practice of transforming info so that it can't be understood by unauthorized parties
- Scrambles the info so that only approved recipients understand it.
Encryption:
- The process of changing original text into a scrambled msg
- Plaintext to ciphertext.
Decryption:
- The process of changing the msg back to its original form.
- Ciphertext to plaintext.
1. Must be reversible
- No practical use if info can't be unscrambled after it has been scrambled
2. Secrecy and length of the key
- Security depends on the secrecy and length of the key, not on the details of the algorithm.
- A longer key provides better security.
3. Subjected to substantial cryptanalysis
- Algorithms have to be analysed thoroughly to make sure there is no serious or exploitable weakness. It should not be easy for an
attacker to crack the cipher. The best case is that the strength of the cipher equals its key length.
Categories of ciphers
1. Substitution cipher
- Exchanges 1 character for another
- Caesar cipher:
§ Replaces each letter of the alphabet with the letter standing n places further along (shifting)
§ Eg. Shift to the right 3 times, ABC -> DEF, BCD -> EFG
§ Formula: (x+n) % 26, where x is the letter's position in the alphabet and n is the shift
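The Caesar cipher with the (x+n) % 26 formula, as an added example that is not part of the original notes. It also shows the three requirements listed earlier: the shift is reversible, and because the key is just a shift of 1..25, listing every candidate plaintext is all the cryptanalysis needed.

```python
import string

ALPHABET = string.ascii_uppercase  # x is a letter's index 0..25 in this alphabet

def caesar_encrypt(plaintext, n):
    """Apply (x + n) % 26 to every letter; characters outside the alphabet pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            x = ALPHABET.index(ch)
            out.append(ALPHABET[(x + n) % 26])
        else:
            out.append(ch)
    return "".join(out)

def caesar_decrypt(ciphertext, n):
    """Requirement 1 (reversible): decrypting is shifting back by the same n."""
    return caesar_encrypt(ciphertext, -n)

def all_candidates(ciphertext):
    """Requirement 3 (cryptanalysis): the key space is only 25 shifts, so an
    analyst can list every candidate plaintext and pick the readable one."""
    return {n: caesar_decrypt(ciphertext, n) for n in range(1, 26)}
```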
3 states of data
- Data in processing
- Data in transit
- Data at rest
Symmetric cryptography
Weaknesses:
- Key/algorithm has to be shared.
- Not well suited for spontaneous communication.
- Provides no process for authentication or non-repudiation.
- Has complex administration.
1. Block Cipher
○ Converts plaintext into ciphertext in fixed-size blocks
2. Stream Cipher
○ Encrypts a continuous string of binary digits
○ Data cannot be chopped into blocks
○ Encryption is done 1 bit or byte at a time
○ Combines a key and a nonce to produce the keystream
○ Key + nonce = keystream
DES
○ Block cipher, divides plaintext into 64-bit blocks and encrypts each block.
○ The small key size is not good enough to defend against brute-force attacks
AES
○ Used to replace DES
○ Block cipher, works on 128-bit blocks
○ Can have one of three key sizes: 128, 192 or 256 bits.
○ Strong enough to protect military top-secret data.
RC
○ RC4 - stream cipher, accepts keys up to 128 bits
○ RC5 - block cipher, has a variable key length up to 2040 bits.
Link encryption
End-to-End encryption
Key distribution:
• Session key: for establishing a logical connection. User data is encrypted with a one-time session key.
• Permanent key: used between entities to distribute session keys.
• Key distribution center (KDC):
○ Determines which systems are allowed to communicate with each other.
○ Establishes a connection by providing a one-time session key for that connection.
• Steps:
a. A host wishing to set up a connection with another host transmits a connection request packet.
b. The SSM saves the packet and applies to the KDC to establish the connection.
c. Communication between the SSM and KDC is encrypted. If the connection is approved, the KDC generates a session key and delivers it to the 2
appropriate SSMs using a permanent key.
d. The requesting SSM releases the connection request packet, and the connection is set up between the 2 end systems.
Asymmetric cryptography
Asymmetric algorithms
a. RSA
§ Algorithm (factoring):
□ Block cipher, key size typically 1024 bits
□ Multiplies 2 large prime numbers, p and q, to compute the product n = pq
□ Chooses a new number, e, that is less than n and shares no prime factor with (p-1)(q-1), denoted m
□ Another number, d, is determined so that (ed-1) is divisible by m
□ Public key is (n,e). Private key is (n,d)
§ Used in web browsers, email, VPNs, chat, communication channels.
§ Makes secure connections between VPN clients and servers.
b. ECC
§ Algorithm:
□ Unlike RSA, ECC does not use factoring
□ Uses an obscure branch of mathematics called elliptic curves.
□ An elliptic curve is the set of points that satisfy a specific mathematical equation.
□ Adding the values of 2 points on the curve gives a 3rd point on the curve, and the inverse of that point is used.
§ ECC is more difficult to break, making it more secure.
§ ECC has smaller key sizes compared to RSA.
§ ECC is faster in computation and lower in power consumption.
c. DSA
§ Used to provide proof of who the sender is.
§ Helps in authentication, non-repudiation and integrity.
§ Able to verify the sender, as the digital signature confirms the sender's identity.
§ Prevents the sender from disowning the msg: the sender can't claim that the signature was forged.
§ Proves message integrity: a digital signature proves that the msg was not altered.
§ Steps:
1) After the sender creates the msg, a digest is generated on it.
2) Sender encrypts the digest with his private key. The encrypted digest is the digital signature for the msg.
3) Sender sends both the msg and the digital signature to the recipient.
4) Recipient decrypts the digital signature using the sender's public key, revealing the digest. Can decrypt = sender verified
5) Recipient hashes the received msg with the same hash algorithm and compares it with the revealed digest. If same = msg not altered.
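The RSA key-generation steps (n = pq, m = (p-1)(q-1), e, d) and the five signature steps above, as one added example that is not part of the original notes. It is textbook RSA with no padding, the digest is SHA-256 reduced mod n so it fits one block, and RSA is used as the signing primitive in place of DSA purely to show the hash-sign-verify flow; the Mersenne primes are constructed toy parameters.

```python
import hashlib
from math import gcd

def rsa_keygen(p, q, e=65537):
    """Steps from the notes: n = pq, m = (p-1)(q-1), e shares no factor with m,
    d chosen so that (ed - 1) is divisible by m. Returns (public, private)."""
    n = p * q
    m = (p - 1) * (q - 1)
    if gcd(e, m) != 1:
        raise ValueError("e must share no prime factor with (p-1)(q-1)")
    d = pow(e, -1, m)  # modular inverse (Python 3.8+), so (e*d - 1) % m == 0
    return (n, e), (n, d)

def encrypt(public_key, plaintext_int):
    n, e = public_key
    return pow(plaintext_int, e, n)

def decrypt(private_key, ciphertext_int):
    n, d = private_key
    return pow(ciphertext_int, d, n)

def digest(message, n):
    """SHA-256 digest as an integer, reduced mod n so it fits one RSA block (toy sizes)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message):
    """Signature steps 1-2: hash the msg, then 'encrypt' the digest with the private key."""
    n, d = private_key
    return pow(digest(message, n), d, n)

def verify(public_key, message, signature):
    """Steps 4-5: recover the digest with the public key and compare with a fresh hash.
    A changed msg or a signature made with another key fails the comparison."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)

# Constructed toy parameters: two Mersenne primes, far too small for real use.
TOY_P, TOY_Q = 2**31 - 1, 2**61 - 1
```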
Hash Algorithm
Authentication Process
User authentication:
- The basis for most types of access control and for user accountability.
- The process of verifying an identity claimed by or for a system entity.
- Steps:
1. Identification step: present an identifier to the security system, eg. username
2. Verification step: present authentication information, eg. password
Password authentication
Token-Based Authentication
- The approved user has a specific item in his possession, used along with a password.
- Often called multifactor authentication (MFA)
- 1 type of auth: single-factor auth. 2 types: two-factor auth (2FA)
- Most common items: specialized devices, smartphones, security keys.
1. Smart cards
○ Inserted into a card reader
○ Or contactless smart cards that need to be in close proximity
○ Uses NFC/RFID
○ Must have a magnetic strip
2. Windowed token
○ Displays a dynamic value, an OTP: an authentication code used only once, for a limited time
○ 2 types:
- Time-based, TOTP: changes after a period of time
- HMAC-based, HOTP: changes when a specific event occurs (event driven)
3. Smartphones
○ Once the username & password are entered, auth with the smartphone by
- Phone call, SMS, authentication app (approve / deny)
○ Convenient but not considered to be a secure option
4. Security keys
○ A dongle inserted into a USB port or held near the endpoint using NFC
○ Contains all the cryptographic info necessary to authenticate the user
○ Does not transmit an OTP, easier to use
Biometric Authentication
- Physiological biometrics
- Cognitive biometrics
Access Control
○ Grants or denies specific requests, either to obtain data or to enter specific physical facilities
○ A process by which system resource usage is regulated according to a security policy
○ Specifies who or what may have access to a system resource
○ Specifies the type of access that is permitted in each instance.
○ Authentication: verifies whether the user is valid
○ Authorization: determines the permissions granted to the user for system resources.
○ Audit: independent review of system records and activities.
1. DAC
§ Based on the identity of the requestor and on access rules.
§ File owners assign RWX permissions
§ Generally used for OS and database management systems
§ Often provided using an access control matrix
§ Lists subjects on rows and objects on columns
2. MAC
§ Based on comparing security labels with security clearances
§ More secure than DAC
§ Security admin defines a central policy
§ Strives to defend against trojan horses
§ Labels eg. general, secret, top secret
3. RBAC
§ Based on the user's role
§ Many-to-many relationship between roles and resources
4. ABAC
§ Based on attributes of the user, the resource and other conditions
§ Solves RBAC's limitations in the complexity of the digital environment
§ Attributes:
□ Subject
® User attributes, eg. username, age
□ Action
® Action to perform, eg. read, transfer
□ Object
® Resource such as a file, eg. file name, creation date
□ Contextual
® Requested time and place, eg. in the past 24 hrs.
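An ABAC decision over the four attribute groups above (subject, action, object, contextual), as an added example that is not part of the original notes. The policy rules, attribute names and the default-deny behaviour are all constructed here; times are Unix seconds so the "past 24 hrs" context is a simple subtraction.

```python
# Constructed ABAC policy: each rule constrains the four attribute categories.
# Times are Unix seconds (UTC); the hour of day is derived as (time // 3600) % 24.
DAY = 86400
POLICY = [
    {   # analysts may read reports during office hours from the office network
        "subject": {"role": "analyst"},
        "action": {"name": "read"},
        "object": {"type": "report"},
        "context": {"hours": (9, 18), "network": "office"},
    },
    {   # customers may transfer from an account only if they authenticated in the past 24 hrs
        "subject": {"role": "customer"},
        "action": {"name": "transfer"},
        "object": {"type": "account"},
        "context": {"max_auth_age": DAY},
    },
]

def _match(required, actual):
    """Every required attribute must be present with the same value."""
    return all(actual.get(k) == v for k, v in required.items())

def _context_ok(required, ctx):
    """Contextual attributes: time of day, network location, age of the last login."""
    hour = (ctx["time"] // 3600) % 24
    if "hours" in required and not (required["hours"][0] <= hour < required["hours"][1]):
        return False
    if "network" in required and ctx.get("network") != required["network"]:
        return False
    if "max_auth_age" in required:
        last_auth = ctx.get("last_auth")
        if last_auth is None or ctx["time"] - last_auth > required["max_auth_age"]:
            return False
    return True

def decide(subject, action, obj, ctx):
    """Default deny: permit only when some rule matches all four attribute groups."""
    for rule in POLICY:
        if (_match(rule["subject"], subject) and _match(rule["action"], action)
                and _match(rule["object"], obj) and _context_ok(rule["context"], ctx)):
            return "permit"
    return "deny"
```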
IT Security Management
- Provides the info needed to decide what management, operational and technical controls are needed to reduce
risks.
- A process used to maintain CIA + accountability, authenticity and reliability.
- Used to determine the org.'s IT security objectives, strategies & policies.
- Determines IT security requirements, threats and risks.
- Not undertaken once. It is a cyclic process that must be repeated constantly to keep pace with
rapid changes in both IT technology and the risk environment.
1. Plan:
- Establish security policy, objectives, processes & procedures.
- Perform risk assessment and develop a risk treatment plan
2. Do:
- Implement the risk treatment plan.
3. Check:
- Monitor and maintain the risk treatment plan.
4. Act:
- Maintain and improve the info security risk management process in response to identified
changes.
Risk likelihood
Risk consequences
a. Insignificant - minor security breach in a single area. Requires only minor expenditure.
b. Minor - security breach in 1 or 2 areas.
c. Moderate - limited systemic security breaches.
d. Major - ongoing systemic security breach.
e. Catastrophic - major systemic security breach.
f. Doomsday - multiple instances of major systemic security breaches. Substantial loss of
business.
Security Control:
- A safeguard or countermeasure employed to protect the CIA of a system.
- Limits exposure to danger.
Control Classes
1. Management controls
- Address management issues
- Security policies, planning, guidelines, standards to protect the organization
2. Operational controls
- Address the correct implementation and use of security policies
- Relate to the mechanisms and procedures implemented
3. Technical controls
- Involve the correct use of hardware and software security capabilities in systems
- Eg. Use of antivirus, firewall, pop-up blocker
Inherent risk: current risk level given the existing set of controls.
Residual risk: risk level that remains after additional controls are applied.
- Aim to reach a balance between achieving an acceptable level of risk and expense while minimizing
losses
IT security plan
- Goal: detail the actions needed to improve the identified deficiencies in the risk profile.
- Details to be included:
- Risks, recommended controls, action priority
- Selected controls, resources needed
- Responsible personnel, implementation dates
- Maintenance requirements
- Risk
○ Combinations of asset, threat and vulnerability
- Recommended controls
○ What can be done from the risk assessment
- Priority
○ Whether low or high priority, i.e. whether action is to be taken immediately or not
- Selected control:
○ What action is to be taken based on cost-benefit analysis