January 2011


Presentation Transcript


  1. January 2011
  • As a precaution, re-check the exam time in early January.
  • Various rooms are used; your room will be on your personal timetable, available via myUWE.
  • Exam Format:
    • Section A: 1 compulsory question worth 40 marks. This is the browser security question.
    • Section B: Answer 3 questions from 5, 20 marks each.

  2. Question Format
  • With the exception of the browser security question, all questions are in 2 or 3 parts.
  • Approximately speaking, 40% (ish) of the marks for the question (i.e. part 1) ask you to demonstrate underpinning knowledge
    • i.e. "what?" type questions
  • The second part (60%) asks you to evaluate the underpinning knowledge and/or asks you to apply the knowledge to solve a problem
    • "Why?" / "what if?" type questions

  3. Section A: Browser Security
  • Web browsers can be the hacker's window into your computer. With reference to TWO of the following browsers:
    • Microsoft Internet Explorer v7
    • Mozilla Firefox v3.5
    • Google Chrome v4
    • Apple Safari v4
  • Discuss the range of vulnerabilities that the browsers are subject to and the steps that the vendors have taken to address these vulnerabilities. Your discussion should include a consideration of the treatment of the threat posed by mobile code and plug-ins. Draw a conclusion about which, if either, of your chosen browsers is the more secure.
  • Marks will be awarded for:
    • The depth and coherence of your discussion
    • The use of evidence to support your assertions
    • Reference to professional and academic literature. Note that you are not expected to use full Harvard referencing, but you are expected to give sufficient detail that your reference could be verified.
  • 40 marks

  4. Revision Sources
  • Lecture slides
  • Tutorial/lab worksheets
  • Your notes
  • Text book
  • On-line resources as indicated during the module

  5. Threats, Countermeasures and Over-arching Security Aims
  • Types of attack
  • Insider/outsider
  • Threats
  • Possible countermeasures
  • Aims of Security
  • Services
    • Authentication
    • Access Control
    • Confidentiality
    • Data Integrity
    • Non-repudiation
    • Availability
  • Underpinned by mechanisms

  6. Encryption and Message Confidentiality
  • Symmetric Encryption (aka secret-key/single-key/conventional)
    • Same key for both encryption and decryption
    • Plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm
  • Feistel cipher structure
  • DES (Data Encryption Standard) + others
    • Strengths/weaknesses (key distribution)
    • Operations used

  7. Authentication and Public-Key Cryptography
  • Authentication
    • Message authentication code
    • Encrypted message part
    • Hash functions
    • With/without encryption
  • Public key encryption
    • Useful for?
    • Weaknesses?
  • X.509 certificates
  • Key management

  8. Kerberos
  • General function
    • Authentication Service
    • Enables servers to restrict access to authorised users
    • Enables servers to authenticate service requests and to prove their identity to clients
  • Protocol
    • Single login
    • Uses an authentication server and the notion of "tickets"
    • How does the ticket server know that the ticket belongs to the entity presenting it?
    • Uses symmetric encryption. Why? How?

  9. PGP (and S/MIME)
  • General function
    • E-mail security by providing an authentication and/or confidentiality service (+ others)
    • Freely available
    • Platform independent
  • 4 types of key
  • Protocol details
  • Integrity checks
  • Key management: web of trust. How does this work?

  10. IPsec
  • General function
    • Provides low-level (IP layer) security (what kind of "security"?) to some or all IP traffic (how?)
    • Advantages/disadvantages
    • Uses for
    • Anti-replay achieved by?
  • Components of IPsec
    • AH/ESP
    • Transport mode
    • Tunnel mode

  11. Web Security
  • General function
    • Allows security services to be tailored to the requirements of a particular application
  • Secure Sockets Layer (SSL)
    • TLS
    • Handshake protocol
    • Effectiveness of SSL?
    • What security attacks does it protect against?
  • Secure Electronic Transaction (SET)
    • Participating parties?
    • Differences compared to SSL?

  12. Viruses and Malicious Software
  • General function
  • "Classic" virus structure
  • Co-evolution of virus/anti-virus writing
  • Types of malicious software
  • Approaches to virus detection
    • Signature scanner
    • Heuristic scanner
    • Activity trap
    • Combination
  • Countermeasures

  13. Security Policy
  • Reasons for
  • Steps involved in the establishment
  • General contents

  14. Good Luck!
