Security



COMPUTER SECURITY

Computer security is a field of computer science concerned with the control of risks related to computer use.

• A reference model is a system component that enforces access controls on an object. The security Kernel implements the concept.

• The reference model must mediate all processes, it must be protected from modification, and it must be verifiable as correct.

Type I: Something you know ( passwords, pins )
Type II: Something you have ( Token, ATM card )
Type III: Something you are ( Biometrics )

Before a user can access a resource, several levels of security must be passed:

1. Identify
2. Authenticate
3. Authorize


Access Control

MAC, DAC, RBAC

MAC Mandatory Access Control (MAC): Highest level of Control. Permissions are explicitly denied unless otherwise changed. Resources are assigned security labels and if the labels do not match, access is then denied.

DAC Discretionary Access Control (DAC): Allows owners of data to specify what users can access data used most. Access control is based on discretion of data owners. Most common model. Users themselves can assign access to their own data.

Role Based Access Control (RBAC): (also called Non-discretionary access control), centrally controlled model allows access based on the role the user holds in the organization; often hierarchical. Access is given to a group of users that perform a similar function. Based on the separation of duties. Access Control lists are the most common form of RBDAC.

Authentication

Is the process of finding out if something is exactly what it appears to be? For example, you can be authenticated into a windows network based on credentials such as username and password. The network authenticates you and provides to you if you are who you say you are and if you have the proper credentials.

Kerberos

• A trusted, third party authentication protocol developed under project developed at MIT
• Rather than sharing a password, communication partners share a cryptographic key, and they use knowledge of this key to verify one another's identity. For the technique to work the shared key must be symmetric — a single key must be capable of both encryption and decryption. One party proves knowledge of the key by encrypting a piece of information, the other by decrypting it.
• Kerberos use a Single Sign On (SSO) Policy
• Kerberos lets a user request an encrypted ticket form the authentication process that can be used to request a particular service from a server

Biometrics

Fingerprint Biometric


• Authentication based on human characteristics

• Biometric Characteristics include: Fingerprints, retina, iris, facial, palm scans, hand geometry, voice, handwritten signature, body composition and keystrokes pattern

Biometric Software


Smartcards / Tokens

RSA Key fob


• Used to supply static or dynamic passwords
• Type II: Something you have. Smartcard is Encrypted with RSA or MDA


Worms, T-Horses and Viruses
• Worm: parasitic, self-contained computer program that replicates itself or smaller parts of itself, but unlike viruses do not infect computer files. Worms create copies of it selves on the same computer or send themselves to other computers via IRC, internet relay, email.
• Trojan horse: Malicious program that pretends to be a benign application. Trojans do not replicate. Hides in computer until called on to perform a certain task.
• Virus: A computer program capable of attaching itself to disks or files and replicating itself without user knowledge or prevention. Polymorphic Viruses change each time a new infection occurs. Boot Sector, Executable, File Infector, Macro: (attach to Word or Excel), metamorphic, logic bombs, and stealth are the kinds of viruses present.


Anti-Virus Software


Accounts and Password Management

• Naming conventions: complex and never simple
• Limit Logon attempts
• Expiration Dates: Have your accounts expire
• Disable account when employee leaves company or goes on vacation
• Time restrictions
• Machine restrictions
• PASSWORD POLICIES
• Minimum password length
• Password rotation: systems remember old passwords, cannot reuse
• Password aging: Force users to change password regularly

Password Management should be heavily enforced. Passwords should be change often and kept as strong as possible preferably as random strings of characters and numbers.

How to configure Password and Security Policies
• Start>Settings>Control Panel>Administrative tools>Local Security Settings>Account Policies>Password Policies
• Start>Settings>Control Panel>Administrative tools>Local Security Settings>Local Policies>Security Options
• Start>Settings>Control Panel>Administrative tools>Local Security Settings>IP Security Policies on Local Computer

WEP and WPA



• WEP: Wired Equivalency Protocol
• Uses RC4, a stream cipher operates by expanding a short key into a stream. The sender combines the key stream with the plain text to product the cipher text. Shared Key. Key changes on every packet.
• Weakness: If an eavesdropper intercepts two ciphers text encrypted with the same key stream they can obtain the exclusive OR (XOR) of the two plain texts and find the key.
• WAP: Wireless Application Protocol; The WAP, by means of the WTLS, provides end-to-end security between the WAP protocol endpoints. Actually the end points are the mobile terminal and the WAP gateway. When the WAP gateway makes the request to the origin server, it will use the SSL below HTTP to secure the request. This means that the data is decrypted and again encrypted at the WAP gateway
• WAP defines a set of protocols in the transport, the session, and the application layers. It also specifies an application framework


Wireless client configuration issues
• appropriate network SSID
• appropriate encryption (WEP or WPA)
• MAC filtering
• Appropriate network key


Hashes

• Hash: Cryptographic hash is a one-way function that takes an input of a variable size and produces a fixed-size output which is commonly referenced to as "hash" or "digest". It is "one-way", which means that when given:, an input, it is easy to compute its hash; a hash, it is hard to compute the corresponding input; a block of data as an input, it is hard to find another block of data with the same hash Another important requirement to hash functions in cryptography is the collision-resistance: it is hard to find two random inputs with the same hash.
• MD4 (Message Digest 4) Produces 128 bit message digest, very fast and appropriate for medium security usage.
• MD5 (Message Digest 5) Produces 128 message digest, fast (not as fast as MD4) more secure. MD5 is a hash function designed by Ron Rivest and widely used in cryptographic applications. It is an improved version of MD4. However, there are some known problems with MD5 - in particular there is an attack that produces collisions using the compression function in MD5.
• SHA-1 160 bit MD ( standard for US GOVT ) slower than MD 5
Message Digest Function


Four goals of Cryptography

• Provide data Confidentiality
• Data integrity
• Identification and Authentication
• Non- repudiation
• Other facts:
o Large amounts of data use shared-secret symmetric encryption to provide confidentiality.
o Asymmetric Encryption can be used to generate a digital signature which can be attached to email to provide non-repudiation.
Cryptography

Digital Signatures

• Digital Signature is usually the encryption of a message or message digest with the sender's private key. To verify the digital signature, the recipient uses the sender's public key. Good digital signature scheme provides:
o authentication
o integrity
o non-repudiation
• RSA algorithm can be used to produce and verify digital signatures; another public-key signature algorithm is DSA.
Digital Signature

Key and Certificate Management:

• M of N Control can be used for certificate revocation – two different entities are needed to agree to revoke a certificate. M of N also refers to a method of storing a private key, protected and encrypted with a separate unique key. The key used for recovery is split into two or more parts and distributed to various individuals. To recover the key, all the individuals must be present. Just like launching a nuclear missile.
• Key Escrow: Third party holds additional key (on top of public/ private pair). This third key is used to encrypt the private key; which is then stored. A common key escrow entity can be a CA.
• Key Life Cycle is broken into several stages: Certificate: Enrollment, Distribution, validation, revocation, renewal, destruction and auditing.
• Multiple Key Pairs: Dual purpose, multiple key pairs exist when forged digital signatures are a concern. Secondly, a dual key pair can be used to satisfy Security and Back-up requirements. One key pair can be used for encryption and decryption and the other key pair can be used for digital signatures and no-repudiation.
• Single Key: A single Key used for multiple purposes violates non-repudiation.
Certificates

Email Security

• S/MIME: Secure Multi Purpose Internet Mail Extension was developed by RSA Data; it is based on PKCS data format for messages and the X.509v3 format for certificates. S/Mime is used for send confidential emails. Symmetric encryption, 3DES DES, and RC2. S/MIME looks to the headers to determine how data encryption and digital certificates are to be handled.
• PGP/MIME: based on PGP, distributed freely. Another great way to secure email. Unlike S/MIME, Individual users are responsible for exchanging their keys with each other and deciding they trust the public key both use SHA-1 for hash. Key Ring held locally. Weakness is Chosen Cipher text. Uses combo of Public and private keys.

SSL

• SSL Secure Sockets Layer: Runs above TCP below Application layer of the OSI model. SSL/TLS is an encryption system used by most web pages to secure ecommerce.
• SSL Provides for mutual authentication using the public key digital signatures such as RSA
• SSL Server Authentication – SSL client enabled software uses a public key to check server’s certificate and public ID against a CA.
• SSL contains two sub-protocols:
o SSL RECORD protocol, it defines the format used to transmit data.
o SSL HANDSHAKE PROTOCOL, it uses the SSL record protocol to exchange messages between SSL server & SSL client when they first establish a connection: this exchange of messages facilitates the flowing actions:
 Authenticate Server to Client.
 Allow server and client to select cryptography ciphers they both support
 Optionally authenticate client to server
 use public key encryption to generate shared secrets
Secure Socket Layer

VPN / Tunnel

• There are two types of VPN:
o Site to Site,
o Remote Access
• Tunneling requires 3 Protocols:
o Carrier Protocol, like IP
o Encapsulating Protocol, PPTP, L2TP
o Passenger Protocol, the data that is being tunneled.
VPN
In any secure environment it is very important to have a basic local security policy regarding mandating levels of access. These policies allow administrators to define users by their rights on the system and then assigned resources to groups or users based on these rights.
Whenever possible, the strongest encryption technologies should be used. Each type of encryption technologies is defined by the algorithm it uses to encrypt and decrypt data.


Data Migration or the movement of massive amounts of information from one system to another should be done in a closed environment to prevent sensitive information from leaking out

If a bios boot password becomes lost or forgotten it can recovered or reset by setting jumpers or removing the CMOS battery

Update Security policy
Windows updates and service packs (NT SP6, 2K SP4 and XP SP2)

Symmetric Encryption Algorithms
• In symmetric cryptosystems, the same key is used to encrypt and decrypt data and in symmetric authentication schemes the same key is used to sign and verify documents. This means that symmetric cryptography is based on the notion of "shared secret".
• Advantages: Speed & Strength Disadvantages: Poor Key distribution, Single key
• DES stands for Data Encryption Standard, the most popular symmetric encryption algorithm (block cipher) in the past years. It was designed by IBM and the U.S. government.
• Triple DES (3DES) is a symmetric encryption algorithm based on repeating encryption with DES. It uses 168-bit long keys which are considered as sets of three independent keys for triple encryption with DES. 3DES is more secure than DES but also considerably slower.

Asymmetric Algorithms
• Asymmetric systems and schemes use key pairs which consist of a public key and private key. The former is made public (for example, by publishing it in a directory) and the latter is kept secret. So the asymmetric cryptography does not involve shared secrets.
• Advantages: Provides a secure way to communicate; provides method of validation; non-repudiation
• Disadvantages: Slower than Symmetric


Unattended computer should be locked down. Laptops should be put in cases with a key and desktops should have the operating system engaged by pressing Ctrl + Alt + Del and clicking the lock computer button.


Social Engineering
-is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most (but not all) cases the attacker never comes face-to-face with the victim.

Firewall

A firewall is an information technology (IT) security device which is configured to permit, deny or proxy data connections set and configured by the organization's security policy. Firewalls can either be hardware and/or software based.

Firewall
A firewall's basic task is to control traffic between computer networks with different zones of trust. Typical examples are the Internet which is a zone with no trust and an internal network which is (and should be) a zone with high trust. The ultimate goal is to provide controlled interfaces between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle and separation of duties.
Proper configuration of firewalls demands skill from the firewall administrator. It requires considerable understanding of network protocols and of computer security. Small mistakes can render a firewall worthless as a security tool.

Windows XP Service Pack 2 comes with a firewall built-in

Start>Settings>Control Panel>Windows Firewall

Auditing and Event Logging

A computer security audit is a manual or systematic measurable technical assessment of a system or application. Manual assessments include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the systems.
Start>Settings>Control Panel>Administrative tools>Local Security Settings>Local Policies>Audit Policies
Start>Settings>Control Panel>Administrative Tools>Computer Management>System Tools>Event Viewer>Security


File System Conversion
How to convert FAT to NTFS
Start>Run>cmd>convert drive:/fs:ntfs

Attacks

• Birthday Attack: Probability of two different messages using the same hash function that produces a common message digests. Birthday comes from the fact that in a room of 30 people, the probability of two people having the same birthday is greater than 50%.
• Man-in-the-Middle attack: Intercepting messages and forwarding modified versions of the original message while attempting secure communications between the hosts.
• Denial of Service (DoS) Attack: common attacks include: filling up a targets hard drive by huge email attachments or file transfer. Using up all ports on a web server
• SYN attack: The SYN (TCP connection request) attack is a common denial of service (DoS) technique characterized by the following pattern: Using a spoofed IP address not in use on the Internet, an attacker sends multiple SYN packets to the target machine. For each SYN packet received, the target machine allocates resources and sends an acknowledgement (SYN-ACK) to the source IP address. When an attacker uses this technique repeatedly, the target machine eventually runs out of resources and is unable to handle any more connections, thereby denying service to legitimate users.
• Smurf Attack: uses a combo of IP spoofing and ICMP to saturate a target network with traffic. Smurf consists of three elements; source site, bounce site and target site. The attacker (source site) sends a modified ping to the broadcast address of a large network (bounce site). The modified packet contains a source address of the target site; everyone at the bounce site replies to the target site.
• Brute Force: trying every possible key/combo, longer the key, the longer this attack takes.
• Dictionary: A type of brute force that uses a program that tries common words.
• Replay: using a network capture; replay username/password

Solution to Network Attacks
• DoS: Disable ICMP in your network
• Backdoor: use anti-virus, personal firewalls, no modems
• Spoofing: Router or Firewall needs to be set to disallow internal IP entering from outside
• Smurf Attack: Disable IP broadcast or IP re-directs
• Man-in-the-middle: Unique server host key / new SSL
• Replay: Use timestamps : Kerberos
• Birthday/Brute Force: Use long 128 bit keys
• Brute Force: Limit Logon attempts
• Password guessing: Use 8-12 upper/lower case letters and numbers
• Social Engineering: Educate Employees


Physical Security – Physical protection of your networks

Caged Servers

Camera

Security Guard

Data Center

 

Copyright © 2012 Escotal.Com