FORESEC Academy Security Essentials (II)

Agenda
 Access Control
 - Techniques
 - Models
 Passwords
 - Password Cracking
 - Password Management

Key Terms & Principles
 Data Owner - accountable for the data: decides its classification and who may access it
 Data Custodian - implements and maintains the owner's access decisions (backups, permissions, monitoring) without owning the data
 Separation of duties - no single person can complete a sensitive transaction alone, so fraud needs collusion
 Least Privilege - a subject gets only the access its current task requires, and no more

Access Control Techniques
 Discretionary (DAC) - the owner of an object decides who may access it (Unix file modes, NTFS ACLs set by the owner)
 Mandatory (MAC) - the system enforces access from labels on subjects and objects; owners cannot override it
 Role-based - permissions are attached to roles, users are assigned to roles
 Rule-based - access decided by rules the administrator writes (firewall rules, time-of-day restrictions)
 List-based - each object carries a list of the subjects allowed to use it (an access control list)
 Token-based - each subject carries the list of objects it may use (capabilities or tokens)

Lattice Techniques
 Access Matrix
 - Objects (columns)
 - Subjects (rows); each cell holds the subject's rights to that object
 Bell-LaPadula
 Biba
 Clark-Wilson (grouped here by the slides; it is an integrity model built on access triples, not on a lattice)

Lattice Techniques (2): Bell-LaPadula
 Designed for the military environment
 Addresses only confidentiality
 Rules
 - Simple Security Property: no read up (a subject may read only objects at or below its clearance)
 - Star Property (* Property): no write down (a subject may write only objects at or above its level, so it cannot copy secrets into a lower-classified file)
 - Strong Star Property: read and write only at the subject's own level

Lattice Techniques (3): Biba
 Model for integrity
 Suited to the commercial environment
 Rules
 - Simple Integrity Property: no read down (a subject may not read objects of lower integrity, so untrusted data cannot contaminate it)
 - Integrity Star Property: no write up (a subject may not write objects of higher integrity)
 Information flows only downwards, from higher integrity to lower
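The rules on the Bell-LaPadula and Biba slides above are mirror images of one another, which is easiest to see when both are written as code. The following is an added example, not part of the FORESEC deck: a minimal reference monitor over one linear lattice. The level names, the subject and object labels and the request list are constructed for illustration.

```python
"""Added example (not from the FORESEC slides): a tiny reference monitor that
applies the Bell-LaPadula rules and the Biba rules over one linear lattice.
The level names and the requests below are constructed for illustration."""

# Linear lattice, lowest to highest. Bell-LaPadula reads a level as sensitivity
# (confidentiality); Biba reads the same ordering as trustworthiness (integrity).
LEVELS = ("unclassified", "confidential", "secret", "top_secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(a: str, b: str) -> bool:
    """True when level a is at or above level b in the lattice."""
    return RANK[a] >= RANK[b]


def blp_allows(subject: str, obj: str, op: str, strong_star: bool = False) -> bool:
    """Bell-LaPadula.
    read : Simple Security Property, 'no read up'  -> subject must dominate object.
    write: *-Property, 'no write down'             -> object must dominate subject.
    strong_star=True tightens the *-Property to 'write only at your own level'
    (the Strong Star Property)."""
    if op == "read":
        return dominates(subject, obj)
    if op == "write":
        return subject == obj if strong_star else dominates(obj, subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: str, obj: str, op: str) -> bool:
    """Biba, the mirror image of Bell-LaPadula.
    read : Simple Integrity Property, 'no read down' -> object must dominate subject.
    write: Integrity *-Property, 'no write up'       -> subject must dominate object.
    Information can therefore only flow from higher integrity to lower."""
    if op == "read":
        return dominates(obj, subject)
    if op == "write":
        return dominates(subject, obj)
    raise ValueError(f"unknown operation {op!r}")


# Constructed requests: (subject level, object level, operation).
REQUESTS = [
    ("secret", "confidential", "read"),    # BLP allows (read down);  Biba denies (read down)
    ("confidential", "secret", "read"),    # BLP denies (read up);    Biba allows (read up)
    ("confidential", "secret", "write"),   # BLP allows (write up);   Biba denies (write up)
    ("secret", "confidential", "write"),   # BLP denies (write down); Biba allows (write down)
    ("secret", "secret", "write"),         # both allow: same level
]


def evaluate(requests=REQUESTS):
    """Run every request through both models; returns {request: (blp, biba)}."""
    return {r: (blp_allows(*r), biba_allows(*r)) for r in requests}


if __name__ == "__main__":
    for (s, o, op), (blp, biba) in evaluate().items():
        print(f"{s:>12} {op:5} {o:<12} BLP={'allow' if blp else 'deny':5} "
              f"Biba={'allow' if biba else 'deny'}")
```

Whenever subject and object sit at different levels the two models give opposite answers, which is why a system that needs both confidentiality and integrity must keep two separate label sets rather than reuse one.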

Lattice Techniques (4): Clark-Wilson
 Integrity model
 Uses an access triple
 - Subject, Program (transformation procedure), Object (constrained data item)
 - Subjects may touch the data only through a certified program, never directly
 - Certifying which subjects may run which programs is how the model enforces separation of duties
 Prevents loss or corruption of data
 Ensures well-formed transactions: every change moves the data from one consistent state to another

Access Management
 Account administration
 Maintenance
 Monitoring
 Revocation (remove access promptly when a user leaves or changes role)

Access Control Models
 State machine - every transition must preserve the security policy, so a system that starts in a secure state stays secure
 Information flow - controls how information may move between levels, not just which subject may open which object
 Covert channels - unintended storage or timing paths that move information around the policy
 Non-interference - actions at a higher level must have no observable effect at a lower level

Protocols
 Password Authentication Protocol (PAP) - the peer sends its name and password in cleartext; anyone on the path can capture and reuse them
 Challenge Handshake Authentication Protocol (CHAP) - the authenticator sends a random challenge and the peer answers with a one-way hash of the shared secret and the challenge; the secret never crosses the link and a recorded answer is useless against a new challenge
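The difference between the two protocols is clearest when both sides of the exchange are written out. The following is an added example, not code from the FORESEC deck: one PAP frame beside a complete CHAP exchange following RFC 1994 (CHAP with MD5). The peer name, the shared secret and the frame layout are constructed for illustration.

```python
"""Added example (not from the FORESEC slides): one PAP frame and one CHAP
exchange, both sides, following RFC 1994 (CHAP with MD5). Peer name, secret
and the simplified frame layout are constructed for illustration."""

import hashlib
import hmac
import os


def pap_authenticate_request(name: str, password: str) -> bytes:
    """PAP: the peer sends name and password as-is. Anyone on the link reads them."""
    return b"PAP " + name.encode() + b" " + password.encode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side. It must hold the secret in recoverable form to recompute the hash."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.pending = {}          # identifier -> challenge still awaiting a response

    def challenge(self, identifier: int) -> bytes:
        value = os.urandom(16)     # fresh random challenge each time, so old answers cannot be replayed
        self.pending[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)   # one-shot: a second answer to the same challenge fails
        if challenge is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


class Peer:
    """Client side: knows its own name and the shared secret."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_chap(authenticator_secret: bytes, peer_secret: bytes, replay: bool = False) -> bool:
    """Drive one CHAP exchange and return the authenticator's decision.
    replay=True re-sends the captured (identifier, response) a second time, as an
    eavesdropper who recorded the first exchange would."""
    auth = Authenticator({"alice": authenticator_secret})
    peer = Peer("alice", peer_secret)
    identifier = 1
    challenge = auth.challenge(identifier)                # 1. Challenge
    name, response = peer.respond(identifier, challenge)  # 2. Response
    ok = auth.verify(identifier, name, response)          # 3. Success / Failure
    if replay:
        return auth.verify(identifier, name, response)
    return ok


if __name__ == "__main__":
    print(pap_authenticate_request("alice", "s3cret"))   # password visible on the wire
    print("CHAP, matching secrets :", run_chap(b"s3cret", b"s3cret"))
    print("CHAP, wrong secret     :", run_chap(b"s3cret", b"guess"))
    print("CHAP, replayed response:", run_chap(b"s3cret", b"s3cret", replay=True))
```

Two caveats a practitioner should keep in mind: the authenticator has to store the secret in plaintext (or reversibly encrypted) to recompute the MD5, so the credential store becomes a high-value target; and an eavesdropper who records identifier, challenge and response can try guesses offline with exactly the dictionary and brute-force methods covered in the password cracking slides later in the deck.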

Centralized Control
 TACACS - AAA protocol for network access servers (TACACS+ encrypts the whole packet body)
 RADIUS - AAA protocol for network access servers; only the password attribute is obscured, the rest of the packet travels in clear
 Domains & Trusts - accounts in one domain are granted access in another through a trust relationship
 Active Directory - Microsoft's directory service, the account store behind Windows domains
 Kerberos - ticket-based authentication from a trusted key distribution centre; the password itself never crosses the network

Access Control: Biometrics
 Hand: fingerprint, hand geometry
 Eye: retina, iris
 Face: thermograms, photo
 Voice print
 Mannerisms: keystroke, tread (gait), handwriting

Access Control: Biometrics (2)
Key factors in selecting biometrics:
 Reliability
 - FRR (False Rejection Rate, Type I error): legitimate users wrongly rejected
 - FAR (False Acceptance Rate, Type II error): impostors wrongly accepted
 - CER / EER (Crossover or Equal Error Rate): the point where FRR equals FAR as the decision threshold is varied; lower is better, and it is the usual single figure for comparing systems
 User friendliness
 Cost
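FAR, FRR and the crossover point are all functions of one decision threshold, which is easiest to see by computing them from a set of matcher scores. The following is an added example, not from the FORESEC deck: the two score lists are constructed (a real evaluation uses thousands of genuine and impostor attempts), and the rule "accept when score >= threshold" is an assumption about the matcher.

```python
"""Added example (not from the FORESEC slides): computing FAR, FRR and the
crossover/equal error rate from matcher scores. The two score lists are
constructed; the matcher is assumed to accept when score >= threshold."""

# Similarity scores in [0, 1].
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.84, 0.97, 0.72, 0.90, 0.86, 0.93]    # enrolled user vs own template
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.55, 0.19, 0.62, 0.33, 0.48, 0.76]   # other people vs that template


def false_accept_rate(threshold: float, impostor=IMPOSTOR) -> float:
    """FAR (Type II error): share of impostor attempts that score high enough to be accepted."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def false_reject_rate(threshold: float, genuine=GENUINE) -> float:
    """FRR (Type I error): share of genuine attempts that fall below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def error_curve(genuine=GENUINE, impostor=IMPOSTOR, steps: int = 100):
    """(threshold, FAR, FRR) for thresholds 0.00, 0.01, ..., 1.00.
    Raising the threshold lowers FAR and raises FRR: the two trade off."""
    return [(i / steps,
             false_accept_rate(i / steps, impostor),
             false_reject_rate(i / steps, genuine))
            for i in range(steps + 1)]


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR, steps: int = 100):
    """CER/EER: the first threshold where FAR and FRR meet (minimal |FAR - FRR|)
    and the error rate there. A lower EER means a more reliable matcher."""
    t, far, frr = min(error_curve(genuine, impostor, steps), key=lambda p: abs(p[1] - p[2]))
    return t, (far + frr) / 2


if __name__ == "__main__":
    for t, far, frr in error_curve(steps=10):
        print(f"threshold {t:.1f}  FAR {far:.2f}  FRR {frr:.2f}")
    t, eer = equal_error_rate()
    print(f"EER {eer:.2f} at threshold {t:.2f}")
```

The EER is a comparison figure, not an operating point: a door to a server room is normally run well above the crossover threshold (accepting more false rejections to push FAR towards zero), while a convenience application runs below it.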

Single Sign-On (SSO)
 The user only has to log on once
 Credentials are carried with the user from system to system
 Simplifies user management
 Allows centralized management
 The user only has to remember one set of credentials

Single Sign-On (2)
 Can take different forms:
 - Scripts
 - Directory Services
 - Kerberos
 - Thin Clients
 Security issues - one compromised credential or ticket opens every participating system, and script-based SSO usually leaves passwords stored on disk
 Interoperability issues

Access Control: Passwords

What is Password Cracking?
Recovering a plaintext password from its stored form. The slides call that form "encrypted", but Unix crypt() output is a one-way hash: the attacker cannot decrypt it, so cracking means hashing guesses with the same salt and comparing the results against the stored value.

Methods of Password Cracking
 Dictionary attack - hash every entry of a word list (plus the login name and GECOS details of the account) and compare against the stored hash
 Hybrid attack - apply mangling rules to the dictionary words: capitalisation, reversal, appended digits, letter-for-symbol substitutions
 Brute force attack - try every string over a character set up to some length; certain to succeed eventually, but the cost grows exponentially with password length

Unix Password Cracking - Crack
 Name: Crack
 Operating System: Unix
 Brief Description: Crack is a "password guessing" program designed to quickly identify accounts with weak passwords, given a Unix password file.

Crack
 Available from ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack
 Features
 - Configurable password cracking
 - Modular approach with various scripts
 - Combining and extracting password files (for example merging /etc/passwd and /etc/shadow into one file Crack can read)
 - Works with any crypt() implementation

Configuring Crack
 Download the Crack archive
 Unzip the file using gzip
 - gunzip crack5.0.tar.gz
 Untar the file
 - tar -xvf crack5.0.tar
 Read manual.txt
 Edit the Crack driver script to set the compiler, flags and paths for your platform
 Compile the program
 - Crack -makeonly (build the binaries)
 - Crack -makedict (build the dictionaries from the word lists)

Running Crack
 Run Crack with a password file
 - Crack [options] [-fmt format] [file...]
 - Crack myfile
 Redirect the launcher's output to a file
 - Crack myfile > output
 Crack continues in the background; run the Reporter script to see the results collected so far
 - ./Reporter [-quiet] [-html]

Effectiveness of Crack
 User Eric, password eric - CRACKED
 User John, password john1234
 User Mike, password (not shown in the transcript)
 User Mary, password #57adm7#
 User Sue, password sue - CRACKED
 User Lucy, password (not shown in the transcript) - CRACKED
 User Pat, no password - CRACKED
 User Tim, password password - CRACKED
 User Cathy, password (not shown in the transcript) - CRACKED
 User Frank, password abcde - CRACKED
 User Tom, password mnopqr
 User Karen, password bbbbbbbb - CRACKED
Eight of the twelve accounts fell: every password equal to the login name, the empty password, the word "password", a keyboard sequence and a single repeated character. Of the survivors whose passwords are shown, two mixed digits or symbols into the word (john1234, #57adm7#) and one was an alphabetic string that appears in no word list and is too long to brute-force (mnopqr).
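The three attacks listed on the "Methods of Password Cracking" slide can be run against the accounts in the table above. The following is an added example, not Crack's code and not from the FORESEC deck: toy_crypt() is a stand-in for Unix crypt() (assumption: hex SHA-256 of salt and password, so the example runs anywhere), the word list and salts are constructed, and the account list reuses the passwords the table shows (Mike, Lucy and Cathy are left out because theirs are not shown). It goes one step beyond the slide's run: a rule that appends up to four digits recovers john1234, which the run above did not; whether a hybrid attack catches such a password depends entirely on which rules are enabled.

```python
"""Added example (not from the FORESEC slides and not Crack's code): dictionary,
hybrid and brute-force attacks against a constructed password file. toy_crypt()
stands in for Unix crypt() (assumption: hex SHA-256 of salt+password); the word
list, salts and account list are constructed."""

import hashlib
import itertools
import string

LOWER = string.ascii_lowercase


def toy_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(): one-way and salted. Real crypt() variants cost more
    per guess, which changes the speed of the attacks, not their logic."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_entry(user: str, password: str, salt: str) -> str:
    """One passwd-style line: user:salt$hash."""
    return f"{user}:{salt}${toy_crypt(password, salt)}"


def parse_entry(line: str):
    user, field = line.split(":", 1)
    salt, digest = field.split("$", 1)
    return user, salt, digest


def dictionary_candidates(user: str, words):
    """Dictionary attack: the empty password, the login name itself, then the word list."""
    yield ""
    yield user
    yield from words


def hybrid_candidates(user: str, words):
    """Hybrid attack: dictionary words mangled by rules, plus a keyboard-pattern rule."""
    leet = str.maketrans("aeios", "43105")
    for w in dictionary_candidates(user, words):
        yield w.capitalize()
        yield w.upper()
        yield w[::-1]
        yield w.translate(leet)
        for n in range(10000):          # append 1-4 digits: john -> john1234
            yield f"{w}{n}"
    for c in LOWER + string.digits:     # one character repeated: bbbbbbbb
        for length in range(1, 9):
            yield c * length


def brute_force_candidates(charset: str = LOWER, max_len: int = 3):
    """Brute force: every string over charset up to max_len. Cost is
    sum(len(charset)**k), exponential in max_len; 3 lowercase letters is 18,278 guesses."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def crack_entry(line: str, words, max_brute_len: int = 3):
    """Cheapest attack first; returns (method, password) or None if all three fail."""
    user, salt, digest = parse_entry(line)
    attacks = (
        ("dictionary", dictionary_candidates(user, words)),
        ("hybrid", hybrid_candidates(user, words)),
        ("brute-force", brute_force_candidates(max_len=max_brute_len)),
    )
    for method, candidates in attacks:
        for guess in candidates:
            if toy_crypt(guess, salt) == digest:
                return method, guess
    return None


def crack_file(lines, words, max_brute_len: int = 3) -> dict:
    """Crack every line; returns {user: (method, password) or None}."""
    return {parse_entry(line)[0]: crack_entry(line, words, max_brute_len) for line in lines}


# Constructed inputs: a small word list and the accounts from the slide's table.
WORDLIST = ["password", "letmein", "qwerty", "abcde", "welcome"]
SAMPLE_PASSWORDS = {"eric": "eric", "john": "john1234", "mary": "#57adm7#", "sue": "sue",
                    "pat": "", "tim": "password", "frank": "abcde", "tom": "mnopqr",
                    "karen": "bbbbbbbb"}
SAMPLE_FILE = [make_entry(u, p, f"s{i}") for i, (u, p) in enumerate(SAMPLE_PASSWORDS.items())]


if __name__ == "__main__":
    for user, result in crack_file(SAMPLE_FILE, WORDLIST).items():
        print(f"{user:6} {result if result else 'not cracked'}")
```

Note the order of attacks: each one is tried only for accounts the cheaper one did not already recover, which is also how a real cracking run is scheduled, since brute force on even six lowercase letters costs over 300 million guesses per salt.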

How to Protect Against It
 Enforce a strong password policy: minimum length, mixed character classes, no dictionary words or login-name derivatives
 Use shadow passwords: keep the hashes in /etc/shadow, readable only by root, so an ordinary user cannot copy the password file and feed it to Crack
 Use one-time passwords: a captured or cracked password is worthless once it has been used
 Use passwd with a strength check (for example pam_cracklib) so weak passwords are rejected at the moment they are set, not discovered later by a cracking run