September 18-19, 2006 – Denver, Colorado Sponsored by the U.S. Department of Housing and Urban Development Current Issues in Maintaining a Secure System:
1 September 18-19, 2006 – Denver, Colorado Sponsored by the U.S. Department of Housing and Urban Development Current Issues in Maintaining a Secure System: PKI Options, Cryptography and Current Threats David Canavan, Canavan Associates David A. Crist, Permovio, Inc. (Moderator)

2 Overview
Learning Objectives
PKI, Cryptography, and Hashing
Virus Protection
Malware
Firewalls
Disposal
System Monitoring

3 Learning Objectives To provide participants with a cursory understanding of PKI and Public/Private Key technology. To introduce and provide examples of virus protection, firewalls and spyware to help protect your computer from hackers. To explain other terms frequently used with system security and examples of how they fit into the big picture.

4 PKI- What Is It? Why Do I Have to Work With It? Public Key Infrastructure In cryptography, a public key infrastructure (PKI) is an arrangement that provides for trusted third party vetting of, and vouching for, user identities. It also allows binding of public keys to users. This is usually carried out by software at a central location together with other coordinated software at distributed locations. The public keys are typically in certificates.

5 Based on the Mathematical Field of Cryptography Cryptography (or cryptology; derived from Greek κρυπτός kryptós "hidden," and γράφειν gráfein "to write") is a discipline of mathematics concerned with information security and related issues, particularly encryption, authentication, and access control. Its purpose is to hide the meaning of a message rather than its existence. In modern times, it has also branched out into computer science. Cryptography is central to the techniques used in computer and network security for such things as access control and information confidentiality. Cryptography is used in many applications that touch everyday life; the security of ATM cards, computer passwords, and electronic commerce all depend on cryptography.

6 (Caesar Cipher) What??

7 Huh?

8 Slowly We Got Better

9 Then There Is the Hash

10 How Do We Know It Works? Basically because very smart people say it does. In general, hash functions should have the following qualities:
–The block cipher is secure.
–The resulting hash size is big enough. 64-bit is too small, 128-bit might be enough.
–The last block is properly length padded prior to the hashing.
–Length padding is normally implemented and handled internally in specialised hash functions like SHA-1 etc.

11 What If I Don’t Believe You? That’s okay. There are plenty of resources to help you understand. Cryptography has been around for about 2500 years and is well understood by those who choose to study it.

12 Ron Rivest (one of the inventors of the RSA algorithm) Like This Guy

13 MD5 Hash Algorithm (also invented by Ron Rivest, wicked smart) Who Create Things That Look Like This

14 Which Produce Things Like This The hash sums seen here (in hexadecimal format) are actually the first four bytes of the SHA-1 hash sums of those text examples.
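The slide's table of texts and their 4-byte SHA-1 prefixes was an image and is not on this page, so here is an added example (not from the presentation) that rebuilds such a table from constructed sample strings and shows why a one-letter change gives an unrelated hash:

```python
import hashlib

# Constructed sample inputs (the slide's own text examples did not survive
# extraction); the second string differs from the first by a single letter.
SAMPLES = [
    "The quick brown fox jumps over the lazy dog",
    "The quick brown fox jumps over the lazy cog",
    "",
]


def sha1_hex(text: str) -> str:
    """Full 160-bit SHA-1 digest of the UTF-8 encoding of `text`, as 40 hex digits."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def sha1_prefix_hex(text: str, nbytes: int = 4) -> str:
    """The first `nbytes` bytes of the digest, as the slide displays them.

    A 4-byte prefix is fine for a slide but far below the sizes slide 10 calls
    adequate; use the full digest when comparing files or verifying downloads.
    """
    return hashlib.sha1(text.encode("utf-8")).digest()[:nbytes].hex()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def hash_table(samples=SAMPLES):
    """(text, 4-byte prefix) pairs, mirroring the layout of the slide's table."""
    return [(s, sha1_prefix_hex(s)) for s in samples]


if __name__ == "__main__":
    for text, prefix in hash_table():
        print(f"{prefix}  {text!r}")
    # Changing one letter flips roughly half of the 160 output bits
    # (the avalanche property), so the prefixes share nothing visible.
    print("bits differing (dog vs cog):",
          differing_bits(sha1_hex(SAMPLES[0]), sha1_hex(SAMPLES[1])))
```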

15 What Does That Mean? One analogy is that of a locked store front door with a mail slot. The mail slot is exposed and accessible to the public; its location (the street address) is in essence the public key. Anyone knowing the street address can go to the door and drop a written message through the slot. However, only the person who possesses the matching private key, the store owner in this case, can open the door and read the message.
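The mail-slot analogy in working arithmetic, as an added example that is not part of the presentation: textbook RSA with the tiny primes 61 and 53 (chosen so every number is readable; real keys use primes of a thousand-plus bits), where the public key is the street address anyone can encrypt to and only the holder of d can decrypt.

```python
from math import gcd

# Constructed toy parameters: p and q are far too small for real use and are
# here only so the arithmetic can be followed by hand.
P, Q, E = 61, 53, 17


def make_keypair(p: int = P, q: int = Q, e: int = E):
    """Return ((n, e), (n, d)): the public 'street address' and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e; needs Python 3.8+
    return (n, e), (n, d)


def encrypt_int(public_key, m: int) -> int:
    """Anyone holding the public key can 'drop a message through the slot'."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message block must be smaller than the modulus n")
    return pow(m, e, n)


def decrypt_int(private_key, c: int) -> int:
    """Only the holder of the private exponent d can 'open the door' and read it."""
    n, d = private_key
    return pow(c, d, n)


def encrypt_text(public_key, text: str) -> list:
    """One character per block. Textbook RSA is deterministic, so repeated
    characters give repeated blocks; real systems add random padding (e.g. OAEP)
    precisely to avoid that leak."""
    return [encrypt_int(public_key, ord(ch)) for ch in text]


def decrypt_text(private_key, blocks) -> str:
    return "".join(chr(decrypt_int(private_key, c)) for c in blocks)


if __name__ == "__main__":
    public, private = make_keypair()
    ciphertext = encrypt_int(public, 65)
    print("public", public, "private", private)
    print("65 ->", ciphertext, "->", decrypt_int(private, ciphertext))
    print(decrypt_text(private, encrypt_text(public, "HMIS")))
```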

16 What Does That Get Me? Well, it all depends on how it is implemented.
–PKI can provide many benefits to your organization if it is implemented with an eye towards those benefits.
–It also makes you compliant with the HUD Data and Technical Standards.
Anyone here implemented a PKI? How did you do it?

17 What PKI Should I Use? Short answer is whatever one works for you. There are many different products out there and any one of them might be the right one. Like any other process you should evaluate what your community needs and what is the most cost effective way to meet that need.

18 Different Implementations (Of course neither HUD nor I am endorsing or recommending any of these products. Their inclusion is purely illustrative.)
Red Hat Certificate Management System
Computer Associates eTrust PKI
Entrust
Microsoft
US Government External Certificate Authority (ECA)
Nexus
OpenCA (an open source publicly available PKI scheme including server software)
RSA Security
phpki
GenCerti
ejbca
newpki
Papyrus CA Software
pyCA
IDX-PKI
EuropePKI (not available)
TinyCA
ElyCA
SimpleCA
SeguriData
Safelayer Secure Communications
Australian Government AGIMO Gatekeeper system

19 The technology of the PKI is not difficult. Ask Ron.


21 It’s the people that make it challenging


23 So What Do I Do? Identify resources that will help you make the right decision.
–Those can be on the Web. Almost every slide so far in this show is taken from Wikipedia. On purpose.
–Resources can be technical assistance from the National TA team. Which, conveniently, I am on.
–Can be peer communities that have done this already.
–Could be your HMIS solution provider.

24 Virus Protection Significant growth in number and variety of virus technology
–Proliferation of automated attacks allows for constant attempts across a broad set of vulnerabilities and truly undermines the argument that any installation is too small to be noticed
–Microsoft has acknowledged “recovery from malware becoming impossible”

25 Malware Change in Language MALicious softWARE Software designed to destroy, aggravate, wreak havoc, hide incriminating information, disrupt, or damage computer systems Includes all different types of viruses, spyware, and adware

26 Malware Protection All major software packages offer spyware, popup, and adware detection tools Microsoft has a beta version spyware detection and removal software available Reinforces the importance of automated protection and monitoring

27 Malware Prevention Many companies are blocking employees from non-business related web browsing with technology rather than policy.
–General Electric bars instant messaging, file sharing programs, and access to personal email.
–JP Morgan Chase blocks any traffic it can’t trace and analyze, including phone, messaging, and email programs.

28 Firewalls Not As Solid As They Used to Be Increased permeability of firewalls means they are not as effective as they used to be in blocking attacks.
Some products are being marketed as “firewall friendly,” which actually means they circumvent the firewall.
More and more web protocols are designed to bypass typical firewall configurations (IPP and WebDAV).
ActiveX, Java, and JavaScript make detection more difficult.

29 Disposal Johnson County, Kansas
–Stopped auction of old equipment in 2004 after 12 machines were discovered to still have social security numbers and other private information on them.
–Has yet to implement a disposal policy
–Some departments have drilled hard drives
–Some have reformatted
–Do you have a disposal policy? Does it meet the standard?

30 System Monitoring Greatest area of growth in the coming years.
–Audits becoming more common
–Data Trust and Accountability Act coming up: specifically mandates that organizations make known any unauthorized disclosures of clients’/customers’ information, and allows the FTC to audit companies for 5 years after a disclosure

31 Sources
Wikipedia!
Bullers, Finn. “Purging Computers a Priority.” The Kansas City Star, 11 Dec 2005: B1.
Naraine, Ryan. “Microsoft Says Recovery from Malware Becoming Impossible.” 4 Apr 2006.

32 Contact Info David Canavan Managing Director, Canavan Associates (413) 584-0894
