220 likes | 357 Views
DePaul University . DePaul Information Security. Today . Microsoft Baseline Security Analyzer (MBSA) Using Internet Explorer securely Email Privacy and File Integrity Using email encryption Spam. Outline. What is MBSA? How to get it? Installation Features Demonstration.
E N D
DePaul University DePaul Information Security
Today • Microsoft Baseline Security Analyzer (MBSA) • Using Internet Explorer securely • Email Privacy and File Integrity • Using email encryption • Spam
Outline • What is MBSA? • How to get it? • Installation • Features • Demonstration
Securing Windows Systems • Operating System Updates • Use a Host Based Firewall • Account and Password Security • File Sharing • Microsoft Applications
What is MBSA? • Created for Microsoft Systems specifically • Tool to make Windows based systems and server applications more secure. • MBSA points out known flaws which are not fixed on the tested system • Shows ways to patch security holes • Explains correct security guidelines • Current version MBSA 2.0 • Presents a security snapshot
How to get it? • Microsoft Web Site • http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx • Search on Google • Microsoft Baseline Security Analyzer
Installation • Wizard for easy installation
Features • Graphical User Interface (GUI) options • Scan local computer • Scan for common administrative vulnerabilities • Scan for missing security updates against the Microsoft Update catalog • Creates reports in MBSA
Supports • Checks for common administrative vulnerabilities for: • Windows 2000, XP, 2003 • Windows Server 2003 • IIS 5.0, 6.0 • SQL Server 7.0, 2000 • IE 5.01+ • Office 2000, XP, 2003
Scans for common vulnerabilities • Is Windows Firewall enabled? • Are Automatic Updates enabled? • Are strong passwords enforced? • Are unsecured Guest accounts enabled?
Pretty Good Privacy - PGP • What is pgp and why use it • Cryptography • Key Pairs • Using PGP software • Exporting, Importing and Backing up Keys • Public Key Servers • Encrypt/Decrypt Mail • Encrypt/Decrypt Files • Symmetric (secret or conventional) encryption • Demonstration
Encryption Software • What is PGP • Originally Authored by Philip Zimmermann in 1991 • Strong encryption software • De-facto standard for email encryption today • Originally free software now owned by Network Associates – www.pgp.com • In 1997, OpenPGP working group formed to develop an open non-proprietary standard for PGP • GnuPG is completely free and compliant with OpenPGP • Email should not be considered private • PGP Allows for privacy and integrity
Cryptography • Communicating in or deciphering secret writings or ciphers • Cipher Text • Unreadable information – jumbled data • Encryption • Process of scrambling informationconverting ordinary plaintext information to cipher test • Decryption • Recovering the plaintext back from the cipher text • Public Key cryptography (asymmetric) • Encryption and Decryption are performed using different keys • Secret Key cryptography (symmetric) • Same key is used for encryption and decryption
How does it work? • Two Keys needed – Public and Private • To send someone mail or verify their signature, you need to know their public key • Using a public key, you encode or “encrypt” a chunk of data (file or email message) • Using a private key, you decode or “decrypt” the data to read the file or email
Generating PGP keys • The software will generate a public/private key pair • You specify the size of the key (1024, 2048 bits) • Need to provide a password to protect your key
Public Key – 2048 bits -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> mQGiBERx5hsRBADsidrkWqSRLKM3VS2wZf74X5JwSrOJzJmBNWATdU/CNxC5Ip9m d9NsNGEKeaX81FGs4JDUhqbuXSG8F939B0nN4M4jmiySlgHm/9NbQoMAHx4W0a71 wN05f2UFxWrIsMSBOEWTAsEh3WJ5IcWklohLCnHQjatdeZdoUgL5/4uLzwCg/xLU soKchra6xS5mZju+5wkZa4EEAIqKyXJPfOmQ3+dfaTEJiJASs3MCrDWOcfU4LsE9 jeJKu8bc2Y9NyaJm/GFGRofa8pPf9C0rmTP1pX9enhq0OYUvspulmQjFDvVyiYrG Ixy6au6mFZL4R4/Q306lpqpqTmwi6DEQx0fkwrUrhlj5v04Tofd2U1VYLPvYGXjy RYecA/9xWPmGX+Dca4EAngMyZ1y0GzJnR59bvgtc2eNX0fqesQTrU+coF2gBCdxP CZNtEXyZiEZQ7o8tGEQ5GrvKZM+/W4wAlY0P72GuGhuz1q4+e5NrI7wOGjMd9EXU RTwSlq3qdmv5N/uGmePQ0wj8Eri0cqZjEP3MHhPoKht60BuB2LQWdGVzdCA8dGVz dEBkZXBhdWwuZWR1PokATgQQEQIADgUCRHHmGwQLAwIBAhkBAAoJEMY+hoiF0arf hmAAoL8H0JVdJ9X5CiTMikOyYK9AcbgMAJ4zZhwt22z3Z9CdmmM4KmIOnKc63bkC DQREceYbEAgA9kJXtwh/CBdyorrWqULzBej5UxE5T7bxbrlLOCDaAadWoxTpj0BV 89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJPPT2N286Z4VeSWc39uK50 T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrUGvC/RgBYK+X0iP1YTknb zSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVbGI2Ou1WMuF040zT9fBdX Q6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcpesqVDNmWn6vQClCbAkbT CD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwACAggAyxVy81TbGHYNV9Mfh5Dfi9Iu vsva8BiGrJFpY0jhfWfDlmGPEtqLZ6YzI++uAXQfuk2xLQsICy9RFflvtmeTNei8 k/2f6l89Pw4Dh+fI5WzMMuXUGW8g7hvSoQ878ffoFL8mQAMD9xntURVFLhne8364 qWTf1JSk0ftdMj0SyK2rXn+3JQPMB0R6x8DW4gM56cLKf09GyWlUqmAn/EXtc9iU L6WfWYywhlJ+VBG22EKnJp+gHY6ib8swmiRK/LvCfY7fNgKAVyJj9M8F0/axm0H9 9bpX3JD36SkfrrUKXacfPJUvJR0ulXwr58PGMvhK04nxXQaMetqqPO/uRLLNIokA RgQYEQIABgUCRHHmGwAKCRDGPoaIhdGq33HdAJ9VXtpQKmnI6RBZ3O6f31fqVMI0 3wCgxMkE2HsZ7+RKieDGNCsH3KFJof0= =oMO0 -----END PGP PUBLIC KEY BLOCK-----
Encrypted Text • Plain text • Hello world • Encrypt with public key • Cipher text -----BEGIN PGP MESSAGE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> qANQR1DBwU4DSTJMC1F2PksQB/0bmezbfmj/1NUYt5qM8TbOOl7uZH8wYNrsVFnF ALv+wwdYFTMhT/DBoSWwnizkY31k0bTei57EjlNjg4z9mqgabm4OCj1s0O3GVQDP tIafYzDmdOrojgZ2jrszExFARL47ygXZA5qnDxoI3W5RiSbn5iQpp66wucJETAey cGQ6dTsnySTtmV9uB/tMyAPPnPQ+FP+Hd1bpBP000R+ySteLHjEKjMV752k= =ScLD -----END PGP MESSAGE----- • Decrypt with private key • Plain text • Hello World
Getting encryption applications • PGP • Commercial applications • http://www.pgp.com/ • GnuPG • Complete and Free implementation • http://www.gnupg.org/ • For Windows use gpg4win – www.gpg4win.org
Using GnuPG software • Exporting, Importing and Backing up keys • text or ASCII file • BACKUP, I said BACKUP your keys • Public Key Servers • http://www.keyserver.net/en • http://pgp.mit.edu/ • Encrypting Email and Files • Using Symmetric Encryption • Demonstration
The End … Questions