1 / 28

Security

Security. Lecture 11, May 14, 2003 Mr. Greg Vogl Data Communications and Networks Uganda Martyrs University. Sources. Networks 1999, Ch. 9 and Appendix A Computers in Your Future modules 10B, C Burgess Section 8 Solomon Parts 12, 13 Ritchie Ch. 14. Overview. Problems and causes

mohawk
Télécharger la présentation

Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Lecture 11, May 14, 2003 Mr. Greg Vogl Data Communications and Networks Uganda Martyrs University

  2. Sources • Networks 1999, Ch. 9 and Appendix A • Computers in Your Future modules 10B, C • Burgess Section 8 • Solomon Parts 12, 13 • Ritchie Ch. 14 Data Communications and Networks: Lecture 11: Security

  3. Overview • Problems and causes • Threats, attackers, responsible people • Prevention and recovery • Physical security, software security, viruses • Data security, long-term storage and retrieval • Disaster recovery • Human security • Authentication and passwords • Encryption Data Communications and Networks: Lecture 11: Security

  4. Threats, damages and costs • Natural disaster (e.g. flood, fire, lightning) • Deliberate sabotage/vandalism (e.g. viruses) • Damaged or stolen hardware • Damaged/deleted/leaked data/information • Net downtime/overload; use of staff time • Lost privacy, confidentiality; public safety • Reputation/appearance of no security/safety Data Communications and Networks: Lecture 11: Security

  5. Categories of threats • Unauthorised disclosure • Viewing information with no rights to see • Unauthorised updates • Making changes with no rights to change • Denial of service • Interference with legitimate user access Data Communications and Networks: Lecture 11: Security

  6. Attackers and their motives • Hobbyists: crackers, virus authors, thieves • Challenge, ego, financial gain • Employees: terminated, disgruntled, corrupt • Financial gain, organisational harm/revenge • Corporate spies: competitors • Market competition • Information terrorists • Harm state governments Data Communications and Networks: Lecture 11: Security

  7. Types of attacks • Cracking programs: try passwords • Eavesdropping: watching users, wiretapping • Spoofing: pretending to be a client or server Data Communications and Networks: Lecture 11: Security

  8. Who is responsible for security? • Managers • Design general policies • System designers • Create mechanisms to enforce specific policies • System administrators • Design and enforce specific policies • Users • Adhere to general and specific policies Data Communications and Networks: Lecture 11: Security

  9. Physical security • Equipment protection, protective equipment • Door locks, burglar bars, armed guards • Dust, AC, surge protector, UPS, standby power • Alarms: temperature, burglar • Physically separate equipment, data • secure and non-secure • Investment appropriate to nature of business Data Communications and Networks: Lecture 11: Security

  10. Software security • File and directory access control (rwx) • Network services can be security loopholes • E.g. finger, sendmail, remote login, dial-up • Use tools to log & audit use of existing services • Disable or turn off all unused network services • Use firewall software e.g. ZoneAlarm • Use loophole detection tools e.g. SATAN Data Communications and Networks: Lecture 11: Security

  11. Secure software design principles • Public design • No secret algorithms; weaknesses revealed • Default = no access • Minimum privileges; add only when needed • Timely checks • Security of passwords “wear out” over time • Simple, uniform mechanisms • Appropriate levels of security Data Communications and Networks: Lecture 11: Security

  12. Viruses • Malicious self-replicating program • infects programs with copies of itself • spread by running programs • Types: boot sector, program, macro • variations: worm, Trojan horse, time bomb • Locations: memory/files, programs/data • Transmission methods • Floppies, installing software, downloads, email Data Communications and Networks: Lecture 11: Security

  13. Virus prevention and recovery • Install anti-virus software on all computers • Schedule automatic virus scans • Keep active auto-protect features enabled • Keep virus software and definitions updated • Repair, quarantine or delete infected files • Educate users about viruses • Causes, prevention, removal • Specific, current, serious threats Data Communications and Networks: Lecture 11: Security

  14. Data security • Backups and archiving • Antivirus software • Encryption of sensitive information • Disposal of obsolete, sensitive information • Erase (possibly reformat) disks • Shred paper documents Data Communications and Networks: Lecture 11: Security

  15. Long-term storage and retrieval • Daily backups (and possibly mirroring) • Document info removal/purge procedures • Test equipment & procedures for restoration • Keep storage media physically secure • Store backup copies at remote locations Data Communications and Networks: Lecture 11: Security

  16. Disaster recovery preparation • Create a disaster recovery plan • Discuss, document, communicate, test • List and categorise possible disasters • Minor, major, catastrophic • Prepare for these disasters • Minimum: backup, inventory, net docs • Spares, maintenance contracts, recovery site • Research user needs/tolerances Data Communications and Networks: Lecture 11: Security

  17. Human security • Educate users, receptionists, “gatekeepers” • Encourage securing passwords, accounts • Be careful when giving out information • “Helpful” employees may leak important info • Know who has rights to what info • Be aware of threats and ask questions first • Background checks, ID cards/badges Data Communications and Networks: Lecture 11: Security

  18. Authentication • Permit access to authorised users • Username/password combination is valid • Deny access to unauthorised users • Display error message “invalid login” • Regulate/authorise user actions after login • E.g. read/write/execute access to files/folders Data Communications and Networks: Lecture 11: Security

  19. Access terminology • Objects (what to access) • Hardware, software (files, databases, processes) • Principals (users, owners of objects) • People, groups, projects, roles (admin) • Rights (permissions to use operations) • Read, write, update, delete, execute, etc. • Domains (set of rights; location of objects) Data Communications and Networks: Lecture 11: Security

  20. Access matrix Data Communications and Networks: Lecture 11: Security

  21. Secure passwords • Not crackable (blank, short, words, names) • Not guessable (phone, birthdate, username) • Not written down • Except admin passwords kept physically secure • Use numbers, symbols, mix case • Memorable (so no need to write down) Data Communications and Networks: Lecture 11: Security

  22. Account security • Require users to change password regularly • Log password attempts, limit no. of failures • Run crack programs to find poor passwords • Audit account status and usage regularly • Delete or disable accounts when people go • Archive and safeguard old account data Data Communications and Networks: Lecture 11: Security

  23. Encryption • The sender encrypts (encodes) a message • Substitute unreadable data, apparently nonsense • Only some receivers can decrypt/decode it • Translate coded data into readable data • Coding and decoding require using keys • Encoding/decoding algorithms plus secret text • Encryption only useful if the key is secure • Anyone who intercepts the key can decrypt Data Communications and Networks: Lecture 11: Security

  24. Password file • User-readable file, but passwords encrypted • /etc/passwd in older UNIX; now /etc/shadow • Data Encryption Standard (DES) • One-way algorithm: key + password  code • Encrypt password attempt, compare with code • If two codes match, login is valid, else not • System holds key; passwords never revealed • Powerful computers can crack passwords • A 56 bit key is unsafe; 128 bits is reasonable Data Communications and Networks: Lecture 11: Security

  25. Public Key Encryption (PKE) • Receiver announces his/her public key • Sender encrypts a message with public key • Receiver decrypts using his/her private key • No danger of private key being intercepted • Enables criminals to communicate secretly • Governments need access to combat crime • Key escrow/recovery allows access to some Data Communications and Networks: Lecture 11: Security

  26. RSA public key encryption • Choose two large prime numbers p and q • Choose e relatively prime to (p-1)(q-1) • They have no common divisors • Calculate d such that ed = 1 mod (p-1)(q-1) • Calculate n = pq • Public key is (n, e); private key is d • p and q must be kept secret • Long computation to decrypt by factoring n Data Communications and Networks: Lecture 11: Security

  27. Encryption in Windows • Many programs can password protect files • E.g. Word, Excel, Access, WinZip • Windows NTFS can encrypt files, folders • Right-click, Properties, General, Advanced • E-mail and web pages can be encrypted • Passwords, messages, attachments • Microsoft Point to Point Encryption • Point to Point Tunneling Protocol for PPP Data Communications and Networks: Lecture 11: Security

  28. Some other uses of encryption • Authentication, confidentiality, integrity, non-repudiation • Pretty Good Privacy • High security free 128-bit RSA PKE algorithm • Secure Sockets Layer • Secure electronic financial Web transactions • Secure HTTP (HTTPS) and .shtml files • Digital IDs, signatures, certificates Data Communications and Networks: Lecture 11: Security

More Related