S.S. Yau, CSE465-591 Fall 2006: Administrative Security Procedural Controls (presentation transcript)


Slide 1: Administrative Security Procedural Controls

Slide 2: Contents
- Information Storage
- Passwords
  - Password introduction
  - Biometric passwords
  - Password attack methods
  - Managing passwords
- Auditing
  - Auditing systems
  - Audit process

Slide 3: Information Storage
Information can be stored in various formats on various storage media:
- Written documents and images on paper or negatives
- Voice recordings on tapes
- Digital-format information on
  - Floppy disk
  - Zip disk
  - Flash memory (e.g. USB key drive, CF card, SD card)
  - Hard drive
  - CD (R, RW)
  - DVD (+R, -R, -RW, +RW)
  - Tape

Slide 4: Information Storage (cont.)
Information storage management includes:
- External marking of media
- Destruction of media
- Sanitization of media
- Transportation of media
- Emergency destruction

Slide 5: Passwords
- A password is information associated with an entity that confirms the entity's identity.
- Has been widely used for a long time:
  - Bank card PIN
  - SSN associated with your mother's maiden name
  - Computer account login, ...
T1: ch11.2, T2: ch12.2

Slide 6: Biometric Passwords
- Face recognition
- Voice recognition
- Iris codes
- Fingerprints
- Handwritten signatures
- Keystroke
- Combinations
T1: ch11.4, T2: ch12.4

Slide 7: Biometric Passwords (cont.)
- Advantages:
  - Automatic identification of an individual
  - Better results than a token or PIN
- Problems:
  - Performance: takes large computing resources
  - Public acceptance: people are afraid of giving their fingerprints or iris patterns for security records

Slide 8: Password Attack Methods
- Password guessing
  - Most common attack
  - Attacker knows a login (from email, web page, etc.)
  - Attempts to guess the password
  - Success of the attack depends on the password chosen by the user
  - Some categories of passwords that are easy to guess:
    - Based on account names
    - Based on user names
    - Based on computer names
    - Dictionary words
    - Reversed dictionary words
    - Dictionary words with some or all letters capitalized

Slide 9: Password Attack Methods (cont.)
- Password capture
  - Watching over the shoulder as the password is entered
  - Using a Trojan horse (virus-infected) program
  - Attacks on password entry due to faulty system design:
    - Eavesdropping: the password characters are sent in plaintext
    - The login screen is faked
    - Unlimited password retries
- Storage attack
  - Analyze unencrypted audit trails
  - Password is stored as plain text

Slide 10: Managing Passwords
- Need password policies and good user education
  - Ensure every account has a default password
  - Ensure users change the default passwords to something they can remember
  - Protect the password file from general access
- Set technical policies to enforce good passwords
  - Minimum length (>6)
  - Require a mix of upper & lower case letters, numbers, punctuation
  - Block known dictionary words
  - Require change of password periodically
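As an added example (not code from the lecture or its textbooks), the checker below encodes the technical policy rules of slide 10 together with the easy-to-guess categories of slide 8, so a new password can be rejected before it is set. The word list, the name handling (a password that merely contains an account, user or computer name counts as "based on" it) and the treatment of periodic expiry as out of scope are assumptions made here.

```python
import string

MIN_LENGTH = 7  # slide 10 says "minimum length (>6)", i.e. at least 7 characters

# Constructed toy word list; a real checker would load a full dictionary file.
DICTIONARY = {"password", "secret", "welcome", "summer", "dragon"}

def easy_to_guess(password, dictionary, names=()):
    """Return the slide-8 category the password falls into, or None.
    `names` holds the account, user and computer names to reject (assumption:
    a password that contains one of them counts as "based on" it)."""
    lowered = password.lower()  # also catches capitalized dictionary words
    if any(n and n.lower() in lowered for n in names):
        return "based on a name"
    if lowered in dictionary:
        return "dictionary word"
    if lowered[::-1] in dictionary:
        return "reversed dictionary word"
    return None

def check_policy(password, dictionary=DICTIONARY, names=()):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    required = {
        "upper-case letter": any(c.isupper() for c in password),
        "lower-case letter": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    for name, present in required.items():
        if not present:
            problems.append(f"missing {name}")
    category = easy_to_guess(password, dictionary, names)
    if category:
        problems.append(f"easy to guess: {category}")
    return problems
```

Periodic change cannot be checked at set time; it belongs in the account's expiry handling rather than in this function.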

Slide 11: Auditing
- Auditing is a technique for determining security violations
- Logging is the recording of events or statistics to provide information about system use and performance
- Auditing is the analysis of log records to present information about the system in a clear and understandable manner
T1: ch21.1, T2: ch24.1

Slide 12: Auditing (cont.)
Generally, to support auditing, the automated information system generates logs that indicate:
- What happened
- Who did it
- What went wrong
- How far some information spread
- Who had access to some information
- ...

Slide 13: Auditing Systems
An auditing system consists of three components:
- The logger: collects data
- The analyzer: analyzes the collected data
- The notifier: reports the results of the analysis
T1: ch21.2, T2: ch24.2

Slide 14: Auditing Systems (cont.)
Logger:
- The type and quantity of information are decided by system or program configuration parameters
- Information may be recorded in binary or human-readable form, or transmitted directly to an analysis system

Slide 15: Auditing Systems (cont.)
Logger (cont.):
Examples of auditable events:
- Login
- Logoff
- Operating system changes
- User-invoked operating system commands
- User-invoked applications
- Reads of data
- Creation of objects
- Network events

Slide 16: Auditing Systems (cont.)
Analyzer:
- An analyzer takes a log as input and analyzes it.
- The results of the analysis may lead to changes in the data being recorded, or detection of some events or problems, or both.
- Example: the audit analysis mechanism used by an intrusion detection system to detect attacks by analyzing log records

Slide 17: Auditing Systems (cont.)
Notifier:
- The notifier informs the analyst and other entities of the results of the audit.
- Actions may be taken in response to these results.
- Example: consider a login system in which three consecutive failed login attempts disable the user's account. When a user's failed login attempts reach 3, the audit system invokes the notifier, which reports the problem to the administrator and disables the account.
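As an added example (not code from the lecture or its textbooks), the three components of slides 13-17 are worked through on the slide-17 login scenario: the logger's human-readable records are parsed, the analyzer counts consecutive failures per user with a success resetting the count, and the notifier produces the administrator report and the set of accounts to disable. The record format, the threshold of 3 and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 3  # slide 17: three consecutive failed logins disable the account

# Logger output: constructed human-readable audit records (slide 14), not real data.
AUDIT_LOG = """\
2006-09-12T08:00:01 LOGIN user=alice result=FAIL src=10.0.0.5
2006-09-12T08:00:09 LOGIN user=alice result=SUCCESS src=10.0.0.5
2006-09-12T08:02:30 LOGIN user=bob result=FAIL src=10.0.0.7
2006-09-12T08:02:41 LOGIN user=bob result=FAIL src=10.0.0.7
2006-09-12T08:03:15 LOGIN user=carol result=SUCCESS src=10.0.0.9
2006-09-12T08:03:52 LOGIN user=bob result=FAIL src=10.0.0.7
2006-09-12T08:04:10 LOGIN user=bob result=FAIL src=10.0.0.7
"""
RECORD = re.compile(r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS) src=(?P<src>\S+)$")

def parse_log(text):
    """Logger side: turn text records into dicts, skipping malformed lines."""
    return [m.groupdict() for m in map(RECORD.match, text.splitlines()) if m]

def analyze(records, threshold=LOCKOUT_THRESHOLD):
    """Analyzer: count consecutive failures per user (a success resets the count)
    and return the (timestamp, user) events at which the threshold is reached."""
    streak = defaultdict(int)
    alerts = []
    for r in records:
        if r["result"] == "SUCCESS":
            streak[r["user"]] = 0
            continue
        streak[r["user"]] += 1
        if streak[r["user"]] == threshold:  # fire once, not on every further failure
            alerts.append((r["ts"], r["user"]))
    return alerts

def notify(alerts):
    """Notifier: build the report for the administrator and the set of accounts
    to disable; a real system would deliver the report and lock the accounts."""
    disabled = set()
    report = []
    for ts, user in alerts:
        disabled.add(user)
        report.append(f"{ts} ALERT: {LOCKOUT_THRESHOLD} consecutive failed logins for {user}; account disabled")
    return report, disabled

if __name__ == "__main__":
    for line in notify(analyze(parse_log(AUDIT_LOG)))[0]:
        print(line)
```

Alice's single failure followed by a success never reaches the threshold, while bob's third consecutive failure triggers one alert and his fourth adds nothing further.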

Slide 18: Audit Process
- Audit team
  - Accountants + people who are fascinated by auditing
  - Needed expertise varies
  - CISA: Certified Information Systems Auditor
  - CISM: Certified Information Systems Manager
- Check www.isaca.org (Information Systems Audit and Control Organization) for further information

Slide 19: Steps of Audit Process
1. Planning Phase
2. Testing Phase
3. Reporting Phase

Slide 20: Planning Phase
- Entry meeting
- Define scope
- Learn controls
  - Historical incidents
  - Past audits
  - Site survey
  - Review current IA policies
  - Questionnaires
- Define objectives
- Develop audit plan / checklist

Slide 21: Testing Phase
- Evaluate audit plan
  - What data will be collected
  - How/when it will be collected
  - Site employees' involvement
  - Other relevant questions
- Data collection
  - Based on scope/objectives
- Types of data
  - Activities involving physical security
  - Interviews with staff
  - Vulnerability assessments
  - Access control assessments

Slide 22: Reporting Phase
- Exit meeting: short report
  - Immediate problems
  - Questions & answers for site managers
  - Preliminary findings
  - NOT able to give in-depth information
- Long report after going through the data
  - Objectives/scope
  - How data was collected
  - Summary of problems
  - In-depth description of problems
  - Glossary of terms
  - References
- Any computer misuse or abuse should be reported, and law enforcement may be involved if needed

Slide 23: References
- M. Merkow, J. Breithaupt, Information Security: Principles and Practices, Prentice Hall, August 2005, ISBN 0131547291
- Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2004, ISBN 0321247442
- Matt Bishop, Computer Security: Art and Science, Addison-Wesley, 2002, ISBN 0201440997

