https://www.techtarget.com/searchnetworking/definition/network-security
Any incident not properly contained can escalate into a bigger problem that leads to a
damaging data breach, large expenses or system collapse.
Responding to an incident quickly helps an organization minimize losses,
mitigate exploited vulnerabilities, restore services/processes and reduce the risk that
future incidents pose.
● Strong Authentication
○ Traditional user ID + password authentication has known weaknesses
○ Stronger types of authentication are available (strong authentication)
● Authentication Issues
○ Password quality
○ Consistency of user credentials across multiple environments
○ Too many user IDs and passwords
○ Handling password resets
○ Dealing with compromised passwords
○ Staff terminations
● Degree of Authority
○ Mandatory Access Controls (MAC) Security Model
■ Data classification scheme/model
■ Data owners classify information assets
■ Reviews periodically
■ Rate collections of information and users with sensitivity levels
■ User and data owners have limited control over access
■ Security clearance structure
■ Each user assigned an authorization level
■ Roles and corresponding security clearances
○ Discretionary Access Controls (DAC) Security Model
■ The owner of an object controls who and what may access it
■ Access is at the owner's discretion
■ Most personal computer operating systems are designed
based on the DAC model
○ Role Based Access Controls (RBAC) Security Model
■ Non-discretionary control
■ An improvement over the MAC security model
■ Role-based controls
■ Task-based controls
■ Simplifies management in a complex system with many users
and objects
1. Buffer Overflow
○ Causes a malfunction in a way that permits illicit access
○ Sends more data than the application was designed to handle properly
○ Countermeasure:
■ Safe coding that limits the length of input data
■ Filter input data to remove unsafe characters
2. Script Injection
○ Insertion of scripting language characters into application input fields
○ Execute script on the server side
○ Execute script on the client side -- trick the user or browser
○ Countermeasure:
■ Strip "unsafe" characters from input
3. Data Remanence
○ Data that remains after it has been deleted
○ Deleted hard drive files, erased files, discarded/lost media: USB keys,
backup tapes, CDs
○ Countermeasures:
■ Improve media physical controls (post Wikileaks controls)
4. Denial of Service (DoS)
○ Actions that cause the target system to fail, thereby denying service to
legitimate users
○ Distributed Denial of Service (DDoS)
○ Countermeasures:
■ Input filters
■ Patches
■ High capacity
5. Eavesdropping
○ Interception of data transmissions
○ Countermeasure:
■ Encryption
■ Stronger encryption
6. Spoofing and Masquerading
○ Specially crafted network packets that contain a forged address of
origin
○ Countermeasure:
■ Router/firewall configuration to drop forged packets
■ Judicious use of e-mail for signaling or data transfer
7. Social Engineering
○ Tricking people into giving out sensitive information by making them
think they are helping someone
○ Countermeasures:
■ Security awareness training
8. Phishing
○ Incoming, fraudulent e-mail messages designed to give the
appearance of originating from a legitimate institution
○ Tricks the user into providing sensitive data via a forged web site or return
e-mail
○ Countermeasure:
■ Security awareness training
9. Pharming
○ Redirection of traffic to a forged website
○ Countermeasure:
■ User awareness training
■ Patches
■ Better controls
10. Malicious Code
○ Viruses, worms, trojan horses, spyware, key loggers
○ Harvest data or cause system malfunction
○ Countermeasures:
■ Anti-virus
■ Anti-spyware
■ Security awareness training
Network
● Consists of two or more devices that are linked in order to share resources
or allow communication
E.g.
1. Computer Networks
2. Phone Networks
3. Satellite Network
Security
● Act of protecting a person, property or organization from an attack
Cryptography
● The science of secret or hidden writing
● The process of converting a message into a secret code (cipher text) and
changing the encoded message back to regular text (plain text)
● Two main components:
○ Encryption
- practice of hiding messages so that they cannot be read by anyone
other than the intended recipient
- conversion of the original message into a secret code or cipher text
using a key
○ Decryption
- conversion of the encoded message (cipher text) back to the original
message using the same key
● Authentication & Integrity - ensuring that users of data/resources are the
persons they claim to be and that a message has not been surreptitiously
altered
Cipher
● Method for encrypting messages
● Encryption algorithms are standardized and published
● The key which is an input to the algorithm is a secret
○ Key - string of numbers or characters
○ Symmetric - same key is used for encryption and decryption
○ Asymmetric - different keys are used for encryption and decryption
Symmetric Algorithms
● Types
1. Block Ciphers - encrypt data one block at a time (64 or 128 bits)
- used for a single message
2. Stream Ciphers - encrypt data one bit/byte at a time
- used if data is a constant stream of information
● Key Strengths
1. Strength of algorithm is determined by the size of the key
■ The longer the key the more difficult it is to crack
2. Key length is expressed in bits
■ Typical key sizes vary between 48 and 448 bits
3. Key space - set of possible keys for a cipher
■ 40-bit key (
■ 128-bit key (
■ Each additional bit added to the key length doubles the
security
4. To crack the key an attacker has to use brute force
■ Try all the possible keys till a key that works is found
Substitution Ciphers
1. Caesar Cipher
○ Method in which each letter in the alphabet is rotated by three
letters
2. Monoalphabetic Cipher
○ Any letter can be substituted for any other letter
○ Each letter has to have a unique substitute
○ Brute force approach would be time consuming
○ Statistical analysis would make it feasible to crack the key
3. Polyalphabetic Caesar Cipher
○ Developed by Blaise de Vigenère; a.k.a. the "Vigenère cipher"
○ Uses a sequence of monoalphabetic ciphers in tandem
4. Using a key to shift the alphabet
○ Obtain a key for the algorithm and then shift the alphabet
E.g.
Key - word (4 letters)
*shift all the letters by four and remove the letters w, o, r, d from the
encryption alphabet
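The substitution ciphers above (Caesar, keyed alphabet with the key "word", Vigenère) and the brute-force and statistical-analysis points from the key-strength notes, as an added worked example that is not part of the original notes. The keyed alphabet places the key letters first and then the remaining letters in order, which is the "shift by four and drop w, o, r, d" rule described above; all function names are my own.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase


def keyed_alphabet(key):
    """Cipher alphabet: key letters first (duplicates dropped), then the rest in order."""
    seen = []
    for ch in key.lower() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def substitute(text, cipher_alphabet, decrypt=False):
    """Monoalphabetic substitution; non-letters pass through unchanged."""
    src, dst = (cipher_alphabet, ALPHABET) if decrypt else (ALPHABET, cipher_alphabet)
    return text.lower().translate(str.maketrans(src, dst))


def caesar(text, shift=3, decrypt=False):
    """Caesar cipher: rotate the alphabet by `shift` (3 in the classic cipher)."""
    return substitute(text, ALPHABET[shift:] + ALPHABET[:shift], decrypt)


def vigenere(text, key, decrypt=False):
    """Polyalphabetic cipher: each letter gets a Caesar shift chosen by the key letter."""
    out, i = [], 0
    for ch in text.lower():
        if ch in ALPHABET:
            k = ALPHABET.index(key[i % len(key)].lower())
            out.append(ALPHABET[(ALPHABET.index(ch) + (-k if decrypt else k)) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def brute_force_caesar(ciphertext):
    """The Caesar key space is only 26 keys, so trying every one is cheap."""
    return {shift: caesar(ciphertext, shift, decrypt=True) for shift in range(26)}


def top_letters(text, n=3):
    """Statistical analysis: letter frequencies survive a monoalphabetic substitution,
    so the most common ciphertext letter usually maps to 'e' in English plaintext."""
    counts = Counter(ch for ch in text.lower() if ch in ALPHABET)
    return [c for c, _ in counts.most_common(n)]
```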
Encryption Systems
● Properties of Trustworthy Systems
1. It is based on sound mathematics - good cryptographic algorithms
are derived from solid principles
2. It has been analyzed by competent experts and found to be sound - it is
hard for the writers to envisage all possible attacks
3. It has stood the "test of time" - review both mathematical
foundations of an algorithm and the way it builds upon those
foundations
Authentication: Basics
● Authentication - process of validating the identity of a user or the integrity
of a piece of data
● Three (3) technologies that provide authentication
○ Message Digest / Message Authentication Codes
○ Digital Signatures
○ Public Key Infrastructure
● Two (2) types of user authentication
○ Identity presented by a remote user or application participating in a
session
○ Sender's identity is presented along with a message
AUTHENTICATION
● Personal Tokens
○ Hardware devices that generate unique strings, usually used in
conjunction with passwords for authentication
○ Different physical forms of tokens: hand-held devices, smart cards, PCMCIA
cards, USB tokens
○ Different types
■ Storage Token
■ Secret value that is stored on a token and is available
after the token has been unlocked using a PIN
■ Synchronous one-time password generator
■ Generates a new password periodically based on time and
a secret code stored in the token
■ Challenge-response
■ Token computes a number based on a challenge value
sent by the server
■ Digital Signature Token
■ Contains the digital signature private key and computes
a digital signature on a supplied data value
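The synchronous one-time password generator and the challenge-response token described above, as an added example that is not part of the original notes. It uses an HMAC over a time-step counter (truncated to six digits in the HOTP/TOTP style) and an HMAC over a server-issued random challenge; the shared secret and the 30-second step are constructed assumptions, and the function names are my own.

```python
import hashlib
import hmac
import secrets
import struct


def otp_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """Token side (synchronous OTP): HMAC over the current time step, truncated to digits.
    Both token and server derive counter = int(unix_time // 30) from their clocks."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                     # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_otp(secret: bytes, code: str, counter: int, window: int = 1) -> bool:
    """Server side: accept the current step or +/- `window` steps to tolerate clock drift.
    A larger window widens the replay opportunity, so keep it small."""
    return any(hmac.compare_digest(otp_code(secret, counter + d), code)
               for d in range(-window, window + 1))


def issue_challenge() -> bytes:
    """Server side: a fresh random challenge (nonce) that is never reused."""
    return secrets.token_bytes(16)


def token_response(secret: bytes, challenge: bytes) -> bytes:
    """Token side: compute a number from the challenge and the secret stored on the token."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def verify_response(secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(token_response(secret, challenge), response)
```

Because the challenge changes on every login, a captured response is useless for a later session, which is the property that distinguishes these tokens from a static password.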
● Biometrics
○ Uses certain biological characteristics for authentication
○ Biometric reader measures physiological indicia and compares them
to specified values
○ Not capable of securing information over the network
○ Different techniques
■ Fingerprint recognition
■ Voice recognition
■ Handwriting recognition
■ Retinal scan
■ Hand geometry recognition
● Iris Recognition
○ Takes advantage of the natural pattern in people's irises
○ Facts
■ Probability of two irises producing exactly the same code: 1 in
10 to the 78th power
■ Independent variable (degrees of freedom) extracted: 266
■ Iris code record size: 512 bytes
■ Operating system compatibility: DOS and Windows
● Digital Signatures
○ A data item which accompanies or is logically associated with a digitally
encoded message
○ Has two goals
■ A guarantee of the source of the data
■ Proof that the data has not been tampered with
● Digital Certificates
○ A signed statement by a trusted party that another party's public key
belongs to them
○ Allows one certificate authority to be authorized by a different
authority
○ Top-level certificate must be self-signed
● Certificate Chaining
○ The practice of signing a certificate with another private key that has
a certificate for its public key
○ A person's public key and some identifying information signed by an
authority's private key verifying the person's identity
○ The authority's public key can be used to decipher the certificate
○ Certificate authority (trusted party)
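Digital signatures, certificates and certificate chaining as described above, as an added worked example that is not part of the original notes. It uses textbook RSA with tiny constructed primes purely to make the signing arithmetic visible (real certificates use 2048-bit or larger keys and a padding scheme); a certificate is a dictionary holding the subject, its public key and the issuer, signed by the issuer's private key, and a chain is verified leaf to root with the root required to be self-signed and locally trusted. Names and the certificate layout are my own.

```python
import hashlib


def make_keypair(p, q, e=65537):
    """Toy RSA key pair from two small primes (constructed; not for real use)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))            # (public, private)


def _digest(data: bytes, n: int) -> int:
    # Hash the data and reduce into the RSA modulus range (toy simplification).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    n, d = private
    return pow(_digest(data, n), d, n)              # signature = hash^d mod n


def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest(data, n)       # "decipher" with the public key


def cert_body(subject, public, issuer) -> bytes:
    return f"{subject}|{public[0]}|{public[1]}|{issuer}".encode()


def issue_cert(subject, subject_public, issuer, issuer_private) -> dict:
    """Signed statement by `issuer` that `subject_public` belongs to `subject`."""
    body = cert_body(subject, subject_public, issuer)
    return {"subject": subject, "public": subject_public, "issuer": issuer,
            "sig": sign(issuer_private, body)}


def verify_chain(chain, trusted_root) -> bool:
    """chain = [leaf, intermediate(s)..., root]. Each certificate must be signed by the
    next one's key; the root is checked against its own key (self-signed) and must
    match the root the verifier already trusts."""
    for cert, issuer in zip(chain, chain[1:] + [chain[-1]]):
        if cert["issuer"] != issuer["subject"]:
            return False
        body = cert_body(cert["subject"], cert["public"], cert["issuer"])
        if not verify(issuer["public"], body, cert["sig"]):
            return False
    root = chain[-1]
    return root["subject"] == trusted_root["subject"] and root["public"] == trusted_root["public"]
```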