FORESEC Academy Security Essentials (II)

Presentation transcript:

1 FORESEC Academy Security Essentials (II)

2 Agenda
• Access Control
  - Techniques
  - Models
• Passwords
  - Password Cracking
  - Password Management

3 Key Terms & Principles
• Data Owner
• Data Custodian
• Separation of duties
• Least Privilege

4 Access Control Techniques
• Discretionary (DAC)
• Mandatory (MAC)
• Role-based
• Rule-based
• List-based
• Token-based

5 Lattice Techniques
• Access Matrix
  - Objects
  - Subjects
• Bell-LaPadula
• Biba
• Clark-Wilson

6 Lattice Techniques (2): Bell-LaPadula
• Designed for military environments
• Addresses confidentiality only
• Rules
  - Simple Security Property
  - Star Property (* Property)
  - Strong Star Property

7 Lattice Techniques (3): Biba
• Model for integrity
• Suited for commercial environments
• Rules
  - Simple Integrity Property
  - Integrity Star Property
• Information flows only downwards
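The Bell-LaPadula and Biba rules on slides 6 and 7 are easiest to see as decisions over an ordered set of labels. The following Python is an added example written for this transcript, not code from the FORESEC slides; the level names, subjects and objects are constructed for illustration, and the lattice is a simple total order rather than the general lattice the models allow.

```python
# Added example, not from the FORESEC slides: checking Bell-LaPadula
# (confidentiality) and Biba (integrity) rules over an ordered lattice.
# Level names, subjects and objects below are constructed for illustration.


class Lattice:
    """A totally ordered set of labels; a higher index is a higher level."""

    def __init__(self, levels):
        self.rank = {name: i for i, name in enumerate(levels)}

    def dominates(self, a, b):
        """True if label a is at or above label b."""
        return self.rank[a] >= self.rank[b]

    def same(self, a, b):
        return self.rank[a] == self.rank[b]


# Bell-LaPadula: labels are clearances (subjects) and classifications (objects).
def blp_can_read(lat, subject, obj):
    """Simple Security Property ("no read up")."""
    return lat.dominates(subject, obj)


def blp_can_write(lat, subject, obj, strong=False):
    """Star Property ("no write down"); the Strong Star Property additionally
    restricts writes to exactly the subject's own level."""
    if strong:
        return lat.same(subject, obj)
    return lat.dominates(obj, subject)


# Biba: labels are integrity levels, so the two rules are mirrored.
def biba_can_read(lat, subject, obj):
    """Simple Integrity Property ("no read down")."""
    return lat.dominates(obj, subject)


def biba_can_write(lat, subject, obj):
    """Integrity Star Property ("no write up"): information flows only
    from higher integrity to lower integrity."""
    return lat.dominates(subject, obj)


# Constructed lattices for the demo.
CONFIDENTIALITY = Lattice(["unclassified", "confidential", "secret", "top_secret"])
INTEGRITY = Lattice(["untrusted", "user", "system"])


def demo():
    """A few decisions a reference monitor would make, returned for checking."""
    return {
        "secret subject reads confidential object": blp_can_read(CONFIDENTIALITY, "secret", "confidential"),
        "confidential subject reads secret object": blp_can_read(CONFIDENTIALITY, "confidential", "secret"),
        "secret subject writes confidential object": blp_can_write(CONFIDENTIALITY, "secret", "confidential"),
        "confidential subject writes secret object": blp_can_write(CONFIDENTIALITY, "confidential", "secret"),
        "secret subject writes secret object (strong star)": blp_can_write(CONFIDENTIALITY, "secret", "secret", strong=True),
        "user process reads system file": biba_can_read(INTEGRITY, "user", "system"),
        "user process writes system file": biba_can_write(INTEGRITY, "user", "system"),
    }


if __name__ == "__main__":
    for rule, allowed in demo().items():
        print(f"{rule}: {'allowed' if allowed else 'denied'}")
```

Running the demo shows the asymmetry the slides describe: under Bell-LaPadula a secret-cleared subject may read confidential data but may not write it (that would be a write down), while under Biba a user-level process may read a system-integrity file but may not write it (that would be a write up).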

8 Lattice Techniques (4): Clark-Wilson
• Integrity model
• Uses an access triple
  - Subject, Program, Object
• Prevents loss or corruption of data
• Ensures well-formed transactions

9 Access Management
• Account administration
• Maintenance
• Monitoring
• Revocation

10 Access Control Models
• State machine
• Information flow
• Covert channels
• Non-interference

11 Protocols
• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol (CHAP)
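The difference between the two protocols on this slide is what crosses the wire. The Python below is an added example for this transcript, not code from the FORESEC slides: it shows a PAP request carrying the password itself next to a CHAP exchange in which the client only proves knowledge of the secret. The CHAP response is computed as RFC 1994 specifies (MD5 over Identifier, secret and Challenge); the shared secret, user names and identifiers are constructed.

```python
# Added example, not from the FORESEC slides: PAP and CHAP exchanges side by
# side. Secrets and user names are constructed; the CHAP response follows
# RFC 1994: MD5(Identifier || secret || Challenge).
import hashlib
import hmac
import os


# --- PAP: the client sends the password itself --------------------------
def pap_request(username, password):
    """What crosses the wire in PAP: the credentials in the clear."""
    return {"user": username, "password": password}


def pap_verify(request, password_db):
    """Server compares the received password with its stored copy."""
    stored = password_db.get(request["user"], "")
    return hmac.compare_digest(stored, request["password"])


# --- CHAP: the client proves knowledge of the secret without sending it ---
def chap_challenge(identifier):
    """Server -> client: (Identifier, fresh random Challenge)."""
    return identifier, os.urandom(16)


def chap_response(identifier, secret, challenge):
    """Client -> server: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, secret, challenge, response):
    """Server recomputes the hash with its own copy of the secret and compares."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_chap(client_secret, server_secret):
    """Full three-way exchange; True only when both sides hold the same secret."""
    ident, challenge = chap_challenge(1)
    response = chap_response(ident, client_secret, challenge)
    return chap_verify(ident, server_secret, challenge, response)


def replay_is_rejected(secret):
    """A response recorded for one challenge is not valid for a fresh one,
    which is why CHAP must use a new random challenge every time."""
    id1, ch1 = chap_challenge(1)
    recorded = chap_response(id1, secret, ch1)
    id2, ch2 = chap_challenge(2)
    return chap_verify(id1, secret, ch1, recorded) and not chap_verify(id2, secret, ch2, recorded)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    print("PAP on the wire:", pap_request("alice", "p4ssw0rd"))
    print("CHAP with matching secrets:", run_chap(secret, secret))
    print("CHAP with a wrong secret:", run_chap(secret, b"other"))
    print("CHAP rejects a replayed response:", replay_is_rejected(secret))
```

Two practitioner caveats follow from the code: CHAP never exposes the secret in transit, but the server must hold it in a form it can hash, so the secret store itself needs protecting; and the scheme relies entirely on the challenge being random and unique, which is why it is generated with `os.urandom` rather than a counter.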

12 Centralized Control
• TACACS
• RADIUS
• Domains & Trusts
• Active Directory
• Kerberos

13 Access Control: Biometrics
• Hand: fingerprint, hand geometry
• Eye: retina, iris
• Face: thermograms, photo
• Voice print
• Mannerisms: keystroke, tread, handwriting

14 Access Control: Biometrics (2)
Key factors in selecting biometrics:
• Reliability
  - FRR, FAR, CER, EER
• User friendliness
• Cost
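FRR, FAR and the crossover point (CER, also called the equal error rate, EER) on this slide are computed from a matcher's scores at a chosen acceptance threshold. The Python below is an added example for this transcript, not code from the FORESEC slides; the genuine and impostor score lists are constructed, and a real evaluation would use thousands of comparisons.

```python
# Added example, not from the FORESEC slides: FAR, FRR and the crossover
# (CER/EER) of a biometric matcher from its comparison scores. Scores are
# constructed; higher means a closer match.


def far_frr(genuine, impostor, threshold):
    """Accept when score >= threshold.
    FAR: fraction of impostor attempts accepted (a security failure).
    FRR: fraction of genuine attempts rejected (a usability failure)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine, impostor):
    """Try every observed score as a threshold and return (threshold, far, frr)
    where FAR and FRR are closest; that crossing is the CER/EER used to
    compare systems independently of any one operator's threshold."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


# Constructed similarity scores (1.0 = perfect match).
GENUINE = [0.9, 0.85, 0.8, 0.75, 0.7, 0.65, 0.6, 0.55, 0.5, 0.4]
IMPOSTOR = [0.1, 0.2, 0.25, 0.3, 0.35, 0.4, 0.45, 0.5, 0.55, 0.7]

if __name__ == "__main__":
    for t in (0.4, 0.55, 0.7):
        far, frr = far_frr(GENUINE, IMPOSTOR, t)
        print(f"threshold {t}: FAR={far:.2f} FRR={frr:.2f}")
    print("EER point (threshold, FAR, FRR):", equal_error_rate(GENUINE, IMPOSTOR))
```

The sweep makes the trade-off on the slide concrete: raising the threshold lowers FAR (fewer impostors accepted) and raises FRR (more legitimate users turned away), so the threshold an operator picks encodes how much inconvenience is acceptable for a given level of security; the EER is only a summary for comparing devices.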

15 Single Sign-On (SSO)
• User only has to log on once
• Credentials are carried with the user
• Simplifies user management
• Allows centralized management
• User only has to remember one set of credentials

16 Single Sign-On (2)
• Can take different forms:
  - Scripts
  - Directory Services
  - Kerberos
  - Thin Clients
• Security issues
• Interoperability issues

17 Access Control: Passwords

18 What is Password Cracking?
Discovering a plaintext password given an encrypted (hashed) password.

19 Methods of Password Cracking
• Dictionary attack
• Hybrid attack
• Brute force attack

20 Unix Password Cracking - Crack
• Name: Crack
• Operating System: Unix
• Brief Description: Crack is a "password guessing" program that is designed to quickly identify accounts having weak passwords given a Unix password file.

21 Crack
• Available from ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack
• Features
  - Configurable password cracking
  - Modular approach with various scripts
  - Combining and extracting password files
  - Works with any crypt() implementation

22 Configuring Crack
• Download Crack file
• Unzip the file using gzip
  - gunzip -r crack5.0.tar.gz
• Untar the file
  - tar -xvf crack5.0.tar
• Read manual.txt
• Edit the script file
• Compile program
  - Crack -makeonly
  - Crack -makedict

23 Running Crack
• Run Crack with a password file
  - Crack [options] [-fmt format] [file...]
  - Crack myfile
• Pipe output to a file
  - Crack myfile > output
• Run Reporter script to see results
  - ./Reporter [-quiet] [-html]

24 Effectiveness of Crack
• User Eric, password eric - CRACKED
• User John, password john1234
• User Mike, password 5369421
• User Mary, password #57adm7#
• User Sue, password sue - CRACKED
• User Lucy, password 12345 - CRACKED
• User Pat, no password - CRACKED
• User Tim, password password - CRACKED
• User Cathy, password 55555 - CRACKED
• User Frank, password abcde - CRACKED
• User Tom, password mnopqr
• User Karen, password bbbbbbbb - CRACKED

25 How to Protect Against it
• Enforce a strong password policy
• Use shadow passwords
• Use one-time passwords
• Use passwd to enforce strong passwords
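The first and last points on this slide amount to rejecting weak passwords at the moment they are set, which is what a cracklib-style check inside passwd does. The Python below is an added example for this transcript, not code from the FORESEC slides or from passwd: it applies a small policy (length, character classes, no user name, no dictionary word, no sequence or repeated character) to the accounts listed on the "Effectiveness of Crack" slide. The word list and thresholds are constructed; a real deployment would use a full dictionary and the site's own policy values.

```python
# Added example, not from the FORESEC slides: a policy check of the kind
# passwd runs before accepting a new password, applied to the accounts on
# the "Effectiveness of Crack" slide. Word list and thresholds are
# constructed; a real deployment would use a cracklib-style dictionary.
import string

DICTIONARY = {"password", "letmein", "welcome", "qwerty", "admin", "secret"}


def is_sequence(pw):
    """True for runs such as 'abcde' or '12345' (each step +1 or each step -1)."""
    codes = [ord(c) for c in pw.lower()]
    if len(codes) < 3:
        return False
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps == {1} or steps == {-1}


def char_classes(pw):
    """Number of distinct classes used: lower, upper, digit, punctuation."""
    classes = 0
    classes += any(c.islower() for c in pw)
    classes += any(c.isupper() for c in pw)
    classes += any(c.isdigit() for c in pw)
    classes += any(c in string.punctuation for c in pw)
    return classes


def check_password(username, password, min_length=8, min_classes=3):
    """Return the list of policy violations; an empty list means acceptable."""
    if not password:
        return ["empty password"]
    problems = []
    low = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if username.lower() in low:
        problems.append("contains the user name")
    if low in DICTIONARY:
        problems.append("dictionary word")
    if password.isdigit():
        problems.append("digits only")
    if len(set(password)) == 1:
        problems.append("single repeated character")
    if is_sequence(password):
        problems.append("alphabet or digit sequence")
    if char_classes(password) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    return problems


# Constructed from the slide above: (user, password); Pat has no password.
ACCOUNTS = [
    ("eric", "eric"), ("john", "john1234"), ("mike", "5369421"),
    ("mary", "#57adm7#"), ("sue", "sue"), ("lucy", "12345"),
    ("pat", ""), ("tim", "password"), ("cathy", "55555"),
    ("frank", "abcde"), ("tom", "mnopqr"), ("karen", "bbbbbbbb"),
]


def audit(accounts):
    """Map each failing user to its violations; users that pass are omitted."""
    results = {}
    for user, pw in accounts:
        problems = check_password(user, pw)
        if problems:
            results[user] = problems
    return results


if __name__ == "__main__":
    for user, problems in audit(ACCOUNTS).items():
        print(f"{user}: {', '.join(problems)}")
```

Run against the slide's accounts, the policy rejects every password Crack recovered and also the three it did not (john1234, 5369421, mnopqr), leaving only Mary's #57adm7# accepted. That is the point of enforcing policy at passwd time: the check costs nothing per account, whereas the three uncracked passwords survived only because the run on the slide happened to stop before reaching them.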
