Presentation is loading. Please wait.

Presentation is loading. Please wait.

SECURITY Chapter 15 CNS 3660. Crackers "malicious computer users" Varying intentions and abilities What motivates people to break into computer systems?

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "SECURITY Chapter 15 CNS 3660. Crackers "malicious computer users" Varying intentions and abilities What motivates people to break into computer systems?"— Presentation transcript:

1 SECURITY Chapter 15 CNS 3660

2 Crackers "malicious computer users" Varying intentions and abilities What motivates people to break into computer systems? Also: Does it matter what their motivations are?

3 Motivation a challenge notoriety ideological "cyber warfare" steal money free goods and services fun

4 Stopping crackers Back up important information Have hiring policies that attract honest and loyal staff Choose secure software and keep it up to date Train staff to identify weaknesses Use audits and logs to detect break-ins

5 "Most successful attacks on computer systems take advantage of well-known weaknesses such as easily guessed passwords, common misconfigurations, and old versions of software."

6 How important is your information? Hobby user Business Bank Military Why would crackers break into a hobby system?

7 "Even the computer with the least interesting data still has significant appeal as an anonymous launching pad for attacks on other systems."

8 Security Threats Exposure of confidential data Loss of data Repudiation Modification of data Denial of service Errors in software

9 Exposure of confidential data Don't store secret info on web server –Info that is provided to the public –Info that has recently been collected from the public Remove unnecessary services Design, configure, code and test carefully Require authentication Use encryption More on these two subjects later

10 Loss of data Break-ins, careless employees, hard drive crash Back up your data Keep back ups away from your computer –Safe deposit boxes in two different cities –Source code, compiler, OS, etc. –Copy of thesis in seven different places (car, freezer, etc.) Test your recovery procedure

11 Modification of data Prevent: File permission facilities of OS Encryption Detect: can be difficult Checksums Store off-line Recover: Logs and back-ups

12 Denial of service (DoS) someone's actions make it difficult or impossible to users to access a service Year 2000 attacks on eBay, Amazon, Yahoo!, etc. "one of the most difficult threats to guard against" Why?

13 Errors in software Web projects often have short development times Effects of errors in software –service unavailability –security breaches –financial losses –poor service to customers

14 Common causes of errors Poor specifications Assumptions made by developers –Data will be valid, will not contain unusual characters, or will be less than a certain size –Assumptions about timing of events Poor testing

15 Secure coding Is the strcpy function in C and C++ a security problem?

16 "Historically, the operating system or application level weaknesses exploited by crackers have usually been related either to buffer overflows or race conditions."

17 Repudiation "when a party involved in a transaction denies having taken part" Issues: –Authentication –Tamperproof messages E-commerce companies get certificates Customers do not have certificates

18 Balancing Usability, Performance, Cost, and Security Competing goals Ask yourself: –How valuable is your information? –What is your budget? –How many visitors do you expect to serve? –What obstacles will users put up with?

19 Authentication Principles Authentication: proving that someone is who they claim to be What authentication techniques are you familiar with? Which are in common use on the web?

20 Authentication techniques passwords digital signatures biometric techniques hardware –smart cards, keys, etc. documents –passport, driver's license, etc. What are biometric techniques?

21 Authentication techniques passwords digital signatures biometric techniques hardware –smart cards, keys, etc. documents –passport, driver's license, etc. Only these two are commonly used with web applications.

22 Passwords Simple concept that is widely used. Secure as long as no one else finds out the password. What are the advantages and disadvantages of using passwords?

23 Advantages of passwords Simple, cheap, and easy Relatively effective

24 Disadvantages of passwords Passwords can be captured from file or network traffic (especially unencrypted) Many passwords are easily guessed –Educate users –Enforce password selection policy What happens if you force selection of hard-to-remember passwords?

25 user name fred password k3%mq9 How users remember hard-to-remember passwords

26 Creating passwords Random character strings Combination of two short words with special characters or digits First letter in phrase or line from song Diceware http://world.std.com/~reinhold/diceware.html

27 HTTP basic authentication Server requests authentication info Browser stores details and gives to server with each request Transmits user id and password in clear Set up realm name, user names, passwords

28 Problems with basic authentication No secure identification of host Cracker can replay request Cracker can capture packets and obtain password –HTTP provides digest authentication which uses MD5 to "disguise the details"--slightly more secure than plaintext

29 Basic authentication with Apache Can use.htaccess file in directory –Server must parse file with every request Can also use httpd.conf file –more efficient than.htaccess Use htpasswd command to create password file –encrypts passwords

30 Encryption basics "An encryption algorithm is a mathematical process to transform information into a seemingly random string of data." Plain Text Encryption Algorithm Cypher Text

31 One-way encryption Encryption algorithm is not reversible for one-way encryption. When is one-way encryption useful? Plain Text Encryption Algorithm Cypher Text

32 Two-way encryption Decryption algorithm recovers plain text. Encryption and decryption require same key Encryption Algorithm Cypher Text Plain Text Decryption Algorithm Plain Text Key

33 Public key encryption Two keys: –Private key is secret –Public key is distributed freely Encryption Algorithm Cypher Text Plain Text Decryption Algorithm Plain Text Public key Private key

34 Digital signature Encrypt with private key –Usually only encrypt message digest (hash) Decrypt with public key to verify Encryption Algorithm Cypher Text Plain Text Decryption Algorithm Plain Text Public key Private key

35 Digital Certificates Issued by certifying authority (CA) –e.g. Verisign, etc. Signed by CA (encrypted with private key) Includes server's public key More later with secure transactions

36 Other security issues Auditing and logging Firewalls Data backups Physical security

Download ppt "SECURITY Chapter 15 CNS 3660. Crackers "malicious computer users" Varying intentions and abilities What motivates people to break into computer systems?"

Similar presentations

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.

BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
CSA 223 network and web security Chapter one

CSA 223 network and web security Chapter one
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Risks, Controls and Security Measures

Risks, Controls and Security Measures
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Chapter 19 Security.

Chapter 19 Security.

Similar presentations

Ads by Google