410 likes | 443 Views
SECURITY in IT. ~Shikhar Agarwal. DEFINITION. Computer security is a branch of computer science that addresses enforcement of 'secure' behavior on the operation of computers.
E N D
SECURITY in IT ~Shikhar Agarwal
DEFINITION • Computer security is a branch of computer science that addresses enforcement of 'secure' behavior on the operation of computers. • The definition of 'secure' varies by application, and is typically defined implicitly or explicitly by a security policy that addresses confidentiality, integrity and availability of electronic information that is processed by or stored on computer systems.
Security in IT context Computing Security Physical Security Information Security Secure computer and networks from malicious use. Prevent users from accessing facility, resource or information stored on physical media Prevent unauthorized and unwarranted access of data or information in any form
What Information Security means Availability Confidentiality Non-repudiation Integrity Digital Credentials Authentication Auditing Risk assessment Compliance/Regulations Administration Governance
Common Fraudulent Practices
Online Fraud • Common types of fraud • Phishing • Identity theft • Man-In-the-Middle Attacks • Denial of Service (Dos) • Password Attack • Data Theft
To Secure Systems we need • Physical Security • Technological Security • Policies and Procedures
Securing Systems (cont’d) • Technological security is just one part of security problem • Physical security of systems is important • Only right people (authorized users) have access to the systems • First priority is to make systems physically secure • Technological Security • Network security: • To secure systems over network • Only valid packets delivered to web server • Application security: Web servers, Apps are secure • Operating system security • Policies and Procedures • Ensure systems are secure overall • Every employee should be asked not to give out passwords • To anybody within or outside organization • For example n-strikes policies for passwords • Document Shredding • Sensitive papers to be shredded
Key Security Concepts • Authentication • Authorization • Confidentiality • Data/Message Integrity • Accountability • Availability • Non-Repudiation
Key Concepts 1.Authentication
Authentication • Authentication • Verifies identity • is a process by which an entity proves that it is who it claims to be • Three general ways of authentication: • Something we know (i.e., Passwords) • Something we have (i.e., Tokens) • Something we are (i.e., Biometrics)
Something weKNOW • Something we know • Example: • Passwords, Pass phrase, PIN • Pros • Simple to implement • Simple for us to understand • Cons • Easy to crack (unless we choose strong ones) • Hacker can try common login names, concatenations of words etc. • We need to be forced to choose strong passwords for example, by setting password policies • Passwords are reused many times • Each time we enter a password to access the system, the attacker listens-in every time
Something we HAVE – A Token • Smart Cards • ATM Cards • SecurID • USB Tokens
Something we ARE • Biometrics • Techniques used: • Palm scan • Retinal scan • Iris scan • Fingerprint • Voice Id • Facial Recognition • Signature Dynamics • Pros • Provides a strong authentication solution • Raise the bar for authentication • Cons • Difficulty in terms of deployment and management • Social acceptance • Key management • If a bad guy is able to copy a fingerprint – then how are the secret pieces of info actually managed?
Two Factor Authentication • Two Factor Authentication (T-FA) requires two independent ways to establish identity and privileges • Combination of “what we know” and “what we have” factors • Example: ATM Cards + What we have What we know
Types of Authentication • Person to computer • Computer to Computer • There are three types of authentication • Server Authentication – who is the client • Client Authentication – who is the server • Mutual Authentication (Client and Server) • Authenticated user is the “Principal”
Server Authentication • Server authentication is the process in which the server authenticates to the client, thus helping the client to verify the server • Server authentication is very important in Financial Institutions and Home Banking systems • Example, Personal Assurance Message (PAM) which identifies the server to the user, and helps prevent phishing attacks
Client Authentication • Client authentication involves proving the identity of the client to a server on the web • Client generally communicates with the server using Hypertext Transfer Protocol (HTTP) • HTTP being a stateless, sessionless protocol, the client must provide an authentication token
Mutual Authentication • Mutual authentication refers to a client/user authenticating themselves to the server and that server authenticating itself to the user in such a way that both parties are assured of the other’s identity • This is done for a client process and a server process without user interaction
Key Concepts 2. Authorization
Authorization • Authorization is the process of granting or denying user’s access to a resource • Authorization is a step next to authentication, in which the users access to various system is based on the permissions granted to them
Key Concepts 3. Confidentiality
Shared key access Confidentiality • Protecting the communication/data from the unintended recipients • Keep the contents of the communication secret by using a shared secret between the communicating parties • Confidentiality can be achieved through • Cryptography • Access Controls • Database views
KeyConcepts 4. Message/Data Integrity
Message/Data Integrity • Data integrity is the process of ensuring non-alteration of data during the transit • Techniques used to check the data integrity are • Hashing algorithms • Checksums • Message Authentication Codes (MAC)
Key Concepts 5. Accountability
Accountability • Logging & Audit Trials • Logging all the activities carried out by the system user • Auditing is a surveillance mechanism that watches over access to all sensitive information contained within the database • Requirements to implement Logging and Audit Trails • Secure Time stamping (OS vs. Network) • Data integrity in logs / audit trials
Key Concepts 6. Availability
Availability • The period for which the system / network is available to the user • Example • Dial tone availability, System Downtime limit, Web server response time • Solutions • Add redundancy to eliminate single point of failure • Impose limits that legitimate users can use
KeyConcepts 7. Non-Repudiation
Non-Repudiation • Non-repudiation provides evidence of the message source, so that the sender cannot refuse its origin. • Generate evidence / receipts (digitally signed documents)
Privileges • A privilege in a computer system is a permission to perform an action. • Privileges can be • Automatic • Granted • Applied for • Examples of various privileges include • the ability to create a file in a directory • to read or delete a file • access a device • have read or write permission to a socket for communicating over the Internet
Principle of least privilege • A user/computer program is given the least amount of privileges necessary to accomplish his/its task. • Example: • Use of Valet keys in the car • Allows the valet only to start the car and drive down to the parking lot, these keys do not allow the valet to access the store part in the car where the valuables are kept. • The idea of the valet key is to provide access only to the required resources
Secure Defaults • Only enable 20% features of the product that will be used by 80% of the users • Harden systems – switch of all unnecessary services by default
What is Cryptography? • The conversion of data into a secret code for protection of privacy using a specific algorithm and a secret key • The original text, or “plaintext”, is converted into a coded equivalent called “ciphertext” via an encryption algorithm • Cryptography is used in many software security systems to achieve high level of security • The ciphertext can only be decoded (decrypted) using a predefined secret key