Presentation on theme: "September 18-19, 2006 – Denver, Colorado Sponsored by the U.S. Department of Housing and Urban Development Current Issues in Maintaining a Secure System:"— Presentation transcript:
September 18-19, 2006 – Denver, Colorado Sponsored by the U.S. Department of Housing and Urban Development Current Issues in Maintaining a Secure System: PKI Options, Cryptography and Current Threats David Canavan, Canavan Associates David A. Crist, Permovio, Inc. (Moderator)
Overview Learning Objectives PKI, Cryptography, and Hashing Virus Protection MalWare Firewalls Disposal System Monitoring
Learning Objectives To provide participants with a cursory understanding of PKI and Public/Private Key technology. To introduce and provide examples of virus protection, firewalls and spyware to help protect your computer from hackers. To explain other terms frequently used with system security and examples of how they fit into the big picture.
PKI- What Is It? Why Do I Have to Work With It? Public Key Infrastructure In cryptography, a public key infrastructure (PKI) is an arrangement that provides for trusted third party vetting of, and vouching for, user identities. It also allows binding of public keys to users. This is usually carried out by software at a central location together with other coordinated software at distributed locations. The public keys are typically in certificates.
Based on the Mathematical Field of Cryptography Cryptography (or cryptology; derived from Greek κρυπτός kryptós "hidden," and γράφειν gráfein "to write") is a discipline of mathematics concerned with information security and related issues, particularly encryption, authentication, and access control. Its purpose is to hide the meaning of a message rather than its existence. In modern times, it has also branched out into computer science. Cryptography is central to the techniques used in computer and network security for such things as access control and information confidentiality. Cryptography is used in many applications that touch everyday life; the security of ATM cards, computer passwords, and electronic commerce all depend on cryptography
(Caesar Cipher) What??
Slowly We Got Better
Then There Is the Hash
How Do We Know It Works? Basically because very smart people say it does. In general Hash Functions should have the following qualities: –The block cipher is secure. –The resulting hash size is big enough. 64-bit is too small, 128-bit might be enough. –The last block is properly length padded prior to the hashing. –Length padding is normally implemented and handled internally in specialised hash functions like SHA-1 etc.
What If I Don’t Believe You? That’s okay. There are plenty of resources to help you understand. Cryptography has been around for about 2500 years and is well understood by those who choose to study it.
Ron Rivest (one of the inventors of the RSA algorithm) Like This Guy
MD5 Hash Algorithm (also invented by Ron Rivest, wicked smart) Who Create Things That Look Like This
Which Produce Things Like This The hash sums seen here (in hexadecimal format) are actually the first four bytes of the SHA-1 hash sums of those text examples.
What Does That Mean? One analogy is that of a locked store front door with a mail slot. The mail slot is exposed and accessible to the public; its location (the street address) is in essence the public key. Anyone knowing the street address can go to the door and drop a written message through the slot. However, only the person who posseses the matching private key, the store owner in this case, can open the door and read the message.
What Does That Get Me? Well it all depends on how it is implemented. –PKI can provide many benefits to your organization if it is implemented with an eye towards those benefits. –It also makes you compliant with the HUD Data and Technical Standards. Anyone here implemented a PKI? How did you do it?
What PKI Should I Use? Short answer is whatever one works for you. There are many different products out there and any one of them might be the right one. Like any other process you should evaluate what your community needs and what is the most cost effective way to meet that need.
(Of course neither HUD nor I am endorsing or recmmending any of these products) Their inclusion is purely illustrative. Different Implementations Red Hat Certificate Management System Computer Associates eTrust PKI Entrust Microsoft US Government External Certificate Authority (ECA) Nexus OpenCA (an open source publicly available PKI scheme including server software) RSA Security phpki GenCerti ejbca newpki Papyrus CA Software pyCA IDX-PKI EuropePKI (not available) TinyCA ElyCA SimpleCA SeguriData Safelayer Secure Communications Australian Government AGIMO Gatekeeper system
The technology of the PKI is not difficult. Ask Ron.
It’s the people that make it challenging
So What Do I Do? Identify resources that will help you make the right decision. –Those can be on the Web. Almost every slide so far in this show is taken from Wikipedia. On purpose. –Resources can be technical assistance from National TA team. Which conveniently, I am on. –Can be peer communities that have done this already. –Could be your HMIS solution provider.
Virus Protection Significant growth in number and variety of virus technology –Proliferation of automated attacks Allows for constant attempts across a broad set of vulnerabilities Truly undermines the argument that any installation is too small to be noticed –Microsoft has acknowledged “recovery from malware becoming impossible”
Malware Change in Language MALicious softWARE Software designed to destroy, aggravate, wreak havoc, hide incriminating information, disrupt, or damage computer systems Includes all different types of viruses, spyware, and adware
Malware Protection All major software packages offer spyware, popup, and adware detection tools Microsoft has a beta version spyware detection and removal software available Reinforces the importance of automated protection and monitoring
Malware Prevention Many companies are blocking employees from non- business related web browsing with technology rather than policy. –General Electric bars instant messaging, file sharing programs, and access to personal . –JP Morgan Chase blocks any traffic it can’t trace and analyze including phone, messaging, and programs
Disposal Johnson County, Kansas –Stopped auction of old equipment in 2004 after 12 machines discovered to still have social security numbers and other private information still on them. –Has yet to implement a disposal policy –Some departments have drilled hard drives –Some have reformatted –Do you have a disposal policy? Does it meet the standard?
System Monitoring Greatest area of growth in the coming years. –Audits becoming more common –Data Trust and Accountability Act coming up Specifically mandates that organizations make known and unauthorized disclosures of clients/customers information Allows FTC to audit companies for 5 years after disclosure
Sources Wikipedia! “Bullers, Finn. “Purging Computers a Priority” The Kansas City Star 11 Dec 2005 : B1 Nareine, Ryan. “Microsoft Says Recovery from Malware Becoming Impossible” eWeek.com 4 Apr 2006
Contact Info David Canavan Managing Director, Canavan Associates (413)