
2. Role of people in Security

Explore the crucial role that people play in ensuring security measures are effective. Examine common poor security practices, such as weak password selection and social engineering, and learn how to mitigate these risks.



Presentation Transcript


  1. 2. Role of people in Security

  2. Why do people come into the picture in security?
  • Can’t we rely on technologies?
  • Firewalls, access control, intrusion detection systems, etc.
  • In all of the above technologies, people play a vital role.
  • It is the human who makes the mistake.
  • Lack of security policies, procedures, or training for users.
  Poor security practices

  3. Poor Security Practices
  • Password selection
  • Piggybacking and shoulder surfing
  • Dumpster diving
  • Installing unauthorized hardware and software
  • Access by non-employees
  • Social engineering
  • Reverse social engineering

  4. Password Selection
  • Hackers rely on users selecting poor passwords.
  • Users pick passwords that are easy to remember, often derived from their user ID. E.g. if the user ID is name, the password will be: name
  • Users pick the names of family members, pets, or a favourite sports team.
  • A favourite car model, first car model, or a similar piece of information.
  • Users pick something that is easier for them to remember.
  • The more you know about the user, the better your chances of discovering their password.

  5. Password Selection (cont…)
  • Organization’s policy: select a strong password, mixing uppercase, lowercase, numbers and special characters.
  • User’s poor password selection (easy to remember): e.g. user ID ‘name’, password: name1l# (changing i to 1, o to 0, s to $ and so on).
  • It makes the hacker’s job more difficult, but not impossible.
  • Organization’s policy: change passwords frequently.
  • User’s poor password selection (easy to remember): e.g. user ID ‘namel’, password: Name1l#1; next time Name1l#2, then Name1l#3, then Name1l#4.

  6. Password Selection (cont…)
  • Organization’s policy: passwords should not be written down anywhere.
  • Users write them down in order to remember them.
  • The password dilemma: the more difficult we make it for attackers to guess passwords, and the more frequently we force password changes, the harder passwords are to remember and the more likely users are to write them down.
  • Written on a slip of paper, a desk calendar, the underside of the keyboard, etc.
  • Hackers are always looking for such opportunities.
  • ATM PINs: car/bike number, your birth year, spouse’s birth year, or 1234, 4321, 1111. These are always easy to guess.
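The three password slides above describe a pattern a password policy can check for mechanically: a password built on the user ID or on personal information, leet-style substitutions (i to 1, o to 0, s to $) that leave the underlying word intact, and forced rotations answered by bumping a trailing counter (Name1l#1, Name1l#2, ...). The following Python is an added example, not code from the original presentation; the user IDs, personal-information list and previous passwords are constructed sample data, and the 12-character minimum and three-character-class rule are assumed policy values, not ones the slides state.

```python
"""Password policy checks for the weak choices described in slides 4 to 6.

Added example, not part of the original presentation. The user IDs, the
personal-information list and the previous passwords are constructed sample
data; the 12-character minimum and three-class rule are assumed policy values.
"""
import re

# Substitutions users make to "strengthen" a memorable word (i->1, o->0, s->$ ...).
# Undoing them lets the check see that Name1l# is still built on the user ID.
LEET_MAP = str.maketrans({"1": "i", "0": "o", "$": "s", "@": "a", "3": "e",
                          "5": "s", "7": "t", "!": "i"})
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def normalize(text: str) -> str:
    """Lower-case and undo common leet substitutions so variants compare equal."""
    return text.translate(LEET_MAP).lower()


def split_trailing_counter(password: str):
    """Split 'Name1l#2' into ('Name1l#', 2); returns (password, None) without a counter."""
    m = re.match(r"^(.*?)(\d+)$", password)
    if not m:
        return password, None
    return m.group(1), int(m.group(2))


def is_sequential_change(old: str, new: str) -> bool:
    """True when the new password is the old one with a trailing counter added or bumped."""
    old_base, _ = split_trailing_counter(old)
    new_base, new_counter = split_trailing_counter(new)
    return new_counter is not None and new_base == old_base and new != old


def check_password(user_id: str, password: str, personal_info=(), previous=None):
    """Return policy findings for a candidate password; an empty list means it passed."""
    findings = []
    norm = normalize(password)
    # Slide 4: password built on the user ID (name -> name1l#).
    if normalize(user_id) in norm:
        findings.append("contains user ID")
    # Slide 4: family members, pets, favourite team or car.
    for item in personal_info:
        if len(item) >= 4 and normalize(item) in norm:
            findings.append(f"contains personal information ({item})")
    # Slide 5: organization policy on length and character mix (assumed values).
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    if sum(1 for cls in CHARACTER_CLASSES if re.search(cls, password)) < 3:
        findings.append("fewer than three character classes")
    # Slide 5: forced rotation answered with Name1l#1, Name1l#2, Name1l#3 ...
    if previous is not None and is_sequential_change(previous, password):
        findings.append("only a trailing counter changed since the previous password")
    return findings


if __name__ == "__main__":
    for uid, pw, prev in [("name", "name1l#", None),
                          ("name", "Name1l#2", "Name1l#1"),
                          ("name", "correct-horse-Battery7-staple", None)]:
        print(uid, pw, check_password(uid, pw, personal_info=["fluffy"], previous=prev) or "OK")
```

The sequential-change check only works if the server can compare against the previous password, which means keeping a hash of it rather than the plaintext and running this check at change time before the new value is hashed; the leet normalization is deliberately lossy (it maps 1 to i even where the user meant l), because the goal is to catch derived passwords, not to reconstruct the original word.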

  7. Piggybacking and Shoulder Surfing
  • People in a hurry do not swipe their cards and just go ahead. Attackers know this and may attempt to exploit this characteristic.
  • Piggybacking: closely following the person who has just swiped their card and entering the premises behind them.
  • Shoulder surfing: looking over the shoulder of the person next to you as they enter an access code.
  • How to stop it? Ensure that nobody follows you or observes your actions.

  8. Dumpster Diving
  • Attackers need a certain amount of information before launching their attack. One common source is the target’s trash.
  • The process of going through a target’s trash is known as dumpster diving.
  • Users may throw away papers containing the old password after a password change. The old password can give the attacker a hint for guessing the new one.
  • Hardware and software manuals give an idea of what is in use in the environment. The attacker can then look for vulnerabilities in that hardware/software to launch the attack.
  • How to stop it? Dispose of trash properly.

  9. Installing Unauthorized Hardware and Software
  • Unauthorized hardware and software may have many known vulnerabilities that help attackers launch their attack.
  • Best example: working from home while your laptop has unauthorized software on it.
  • Free games available on the internet (malicious code).
  • Email attachments (hostile executable programs).
  • How to stop it? 1. Organization’s policy about installing hardware/software. 2. No game playing. 3. Filter email attachments at the mail server.
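The third countermeasure on the slide, filtering attachments at the mail server, is worth showing concretely because a filter that trusts the file name alone misses a renamed executable. The Python below is an added example, not code from the original presentation: it parses a message with the standard library, and rejects an attachment either because of a blocked extension or because its first bytes identify an executable regardless of what it is called. The extension list, the magic-byte table and the sample message are all constructed for illustration.

```python
"""Mail-server side attachment filter for the executable-attachment risk on slide 9.

Added example, not part of the original presentation. The blocked-extension list,
the magic-byte table and the sample message are constructed for illustration.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions this sample policy never accepts as attachments.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif",
                      ".js", ".vbs", ".ps1", ".msi", ".dll"}
# File signatures that identify executables whatever the file is named.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with shebang",
}


def classify_attachment(filename, data: bytes):
    """Return a reason to block this attachment, or None if it passes."""
    name = (filename or "").lower()
    # Double extensions such as invoice.pdf.exe still end with the blocked one.
    for ext in BLOCKED_EXTENSIONS:
        if name.endswith(ext):
            return f"blocked extension {ext}"
    # Do not trust the name: a PE file renamed to .doc still starts with MZ.
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return f"content looks like a {kind} (magic bytes {magic!r})"
    return None


def scan_message(raw: bytes):
    """Parse a raw RFC 5322 message; return [(filename, reason)] for blocked parts."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    blocked = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reason = classify_attachment(part.get_filename(), data)
        if reason:
            blocked.append((part.get_filename(), reason))
    return blocked


def build_sample_message() -> bytes:
    """Constructed test message: a harmless note, a renamed binary, and a plain .exe."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "free game"
    msg.set_content("Try the attached game!")
    msg.add_attachment("Quarterly notes", filename="notes.txt")
    # PE header disguised as a document: the name says .doc, the bytes say MZ.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="game.doc")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in scan_message(build_sample_message()):
        print(f"blocked {filename}: {reason}")
```

In a real deployment this logic sits in the content filter of the mail transfer agent (a milter or the equivalent hook), and archives would also need to be opened so that an executable inside a zip is checked the same way; the point the slide makes, that the check belongs at the server rather than on each user's machine, is what keeps a user with unauthorized software from being the only line of defence.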

  10. Access by Non-Employees
  • People entering the premises who are not employees of the organization.
  • Contractors, repair staff, or the pizza delivery person may have physical access.
  • Physical access provides an easy opportunity for individuals to look for the occasional piece of critical information carelessly left out.
  • Proliferation of devices such as mobile phones with cameras.
  • How to stop it? Provide an identity badge to each employee and require them to wear it at all times. Challenge unknown persons. Do not leave anything unattended on your desk or in the printer tray. Avoid piggybacking. Keep a close eye on non-employees.

  11. Social Engineering
  • A technique in which the attacker uses various deceptive practices to obtain information they would not normally be privileged to, or to convince the target of the attack to do something they normally wouldn’t.
  • Somebody asks a question and we answer it. In this way the attacker can keep you talking to get the information of interest to them.
  • The attacker tries to evoke sympathy.
  • Appealing to somebody’s ego, praising them…
  • Pretending to be a higher-level officer and …
  • Direct contact between target and attacker: a forged email, a bogus web site, convincing the user to provide information.

  12. Reverse Social Engineering
  • In this technique the attacker hopes to convince the target to initiate the contact.
  • Easiest, as the attacker doesn’t have to convince the target.
  • Possible methods: spoofed/forged emails claiming to be from a reputable source; forged tech support; a bogus website.
  • The target ends up providing information to the wrong person.
  • Attackers may use this technique when two companies merge.

  13. People as a Security Tool
  • In terms of social engineering attacks, people are not only the biggest problem and security risk, but also the best security tool.
  • The organization needs to create policies and procedures that establish the roles and responsibilities of security administrators as well as of users.
  • The organization should conduct an active security awareness program.
  • Security awareness program:
  • Training for all employees related to security.
  • Training content may vary depending on the organization’s policies and goals.
  • Periodic refresher training.
  • Security newsletters and bulletins in the form of emails.
  • Posters reminding people about security policies and guidelines.

  14. Individual User Responsibilities
  • Locking the door to your office or workspace.
  • Not leaving sensitive information unprotected inside your car, at your desk, or in the printer tray.
  • Securing storage media containing sensitive information in a secure storage device.
  • Shredding paper containing organizational information before discarding it.
  • Not discussing or disclosing sensitive information to individuals (including other employees), nor to your family members.
  • Protecting laptops that contain sensitive information. Keep the information in encrypted form.
  • Being aware of who is around you when discussing sensitive information.

  15. Individual User Responsibilities (cont…)
  • Enforcing corporate access control procedures. Be alert to, and do not allow, piggybacking, shoulder surfing or access without proper credentials.
  • Being aware of the correct procedures for reporting suspected or actual violations of security policies.
  • Establishing procedures to enforce good password security practices that all employees should follow. There should not be an “us versus them” situation between security personnel and employees. Follow the rule “don’t shoot the messenger”.

  16. Biometrics

  17. Physical Security
  • It consists of all the mechanisms used to ensure that physical access to computer systems and networks is restricted to authorized users only.
  • Physical security can be applied in the following ways:
  • Access controls
  • Biometrics
  • Physical barriers

  18. Access Controls
  • Restrict access to those who are authorized to have it.
  • Access control methods:
  • Old-age methods: mechanical locks and keys
  • Human security guards
  • Identity badges
  • Authentication using username/password

  19. Authentication
  • Access controls define what actions a user can perform or what objects a user can access.
  • Authentication verifies the identity of the user.
  • Authentication means proving that you are who you claim to be.
  • Three methods are used in authentication to verify your identity:
  • Something you know
  • Something you have
  • Something you are (something about you)

  20. Authentication (cont…)
  • Something you know: username and password. Drawback: the user chooses a weak password.
  • Something you have: the key to a lock. Drawback: the user can lose the key.
  • Combination of both: your ATM card with a PIN.

  21. Authentication (cont…)
  • Something you are: something that is unique about you – fingerprints, DNA, voice, etc.
  • This is called biometrics. The field of authentication that uses something about you, or something that you are, is known as biometrics.

  22. Biometrics
  • Every person has a set of unique physiological, behavioral, and morphological characteristics that can be examined and quantified. Biometrics is the use of these characteristics to provide positive personal identification.
  • Biometric methods (most secure to least secure):
  • Retina pattern
  • Fingerprint
  • Handprint
  • Voice pattern
  • Keystroke pattern
  • Signature

  23. Retina Pattern
  • Everybody has a unique retinal vascular pattern.
  • A retina pattern verification system uses an infrared beam to scan your retina, measuring the intensity of light as it is reflected from different points and producing a digital profile of the blood vessel pattern in the retina.
  • The system allows access only if your retina pattern sufficiently matches the retina pattern stored for you in the system.
  • Newer systems also perform iris and pupil measurements.
  • Advantages: retina systems are very reliable; used successfully in national laboratories, office buildings, and prisons.
  • Disadvantages: not well accepted, because the public fears that scanners will blind or otherwise injure them; affected by serious injuries and a few rare diseases such as diabetes.

  24. Fingerprints
  • Everybody has a unique set of fingerprints.
  • How it works: you place one finger on a glass plate. Light flashes inside the machine, reflects off the fingerprint, and is captured by a scanner, which transmits the fingerprint information to the computer for analysis.
  • The fingerprint system digitizes the ridges and other characteristics of the fingerprint and compares these characteristics against the fingerprint templates stored in the system.
  • The system allows access only if your fingerprint sufficiently matches the template.
  • Newer techniques with 3-D analysis also ensure that a pulse is present in your finger.
  • Advantages: historically used as a law-enforcement tool; used in criminal justice organizations, the military, high-security organizations such as defense plants, and, increasingly, banks.
  • Disadvantages: burns or other physical problems with the finger (including dust, grease, glue); gelatin coatings can allow someone to "forge" a fingerprint.

  25. Handprints
  • Everybody has unique handprints.
  • How it works: you place your hand on a reader, aligning your fingers along narrow grooves with glass between them.
  • A sensor beneath the plate scans the fingers, recording light intensity from an overhead light and measuring the fingers from tip to palm to within 1/10,000 of an inch.
  • The information is digitized and compared against a handprint template stored for you in the system. The system allows access only if your handprint sufficiently matches the stored template.
  • Advantages: fairly well accepted, because it is not considered as intrusive as other types of biometric systems.
  • Disadvantages: depends on the physical condition of the hand. Injuries, swelling, or the presence of rings, or even nail polish, on your fingers may affect the system’s ability to match a handprint. Hence less reliable than fingerprints.

  26. Voice Patterns
  • Everybody has a unique vocal and acoustic pattern.
  • How it works: you speak a particular phrase. The system converts the acoustic strength of the speaker’s voice into component frequencies and analyzes how they are distributed.
  • The system compares your voice to a stored voiceprint. The voiceprint is a "voice signature" constructed by sampling, digitizing, and storing several repetitions of a particular phrase.
  • The system allows access only if your voice signature sufficiently matches the stored voiceprint.
  • Advantages: well accepted, as they are viewed as non-threatening; used in financial organizations such as banks (particularly vaults), credit card authorization centers, and certain types of ATMs.
  • Disadvantages: depends to some extent on the physical condition of the larynx. Respiratory diseases, injuries, stress, and background noise may affect the system’s ability to match a voiceprint.

  27. Keystrokes
  • Everybody has a unique pattern or rhythm of typing.
  • How it works: with a keystroke system, you must type until the system can construct a reliable template of your keyboard rhythm.
  • Once a template is available, the system examines the speed and timing of your typing during the login process and compares it to the keystroke template stored for you.
  • The system allows access only if your keystroke pattern sufficiently matches the stored template.
  • Certain keystroke systems are passive systems that continuously sample your keystrokes. The goal is to determine whether the person who logged onto the system under your account (presumably you) is still the one at the keyboard, or whether an intruder has somehow supplanted you to gain access.

  28. Signature and Writing Patterns
  • Everybody has a unique signature and signature-writing pattern.
  • How it works: you sign your name using a biometric pen, typically attached by a cable to a workstation.
  • The pen, or the pad on which you write, converts your signature into a set of electrical signals that capture the dynamics of the signing process (e.g., changes in pressure as you press down lightly on one stroke and more forcefully on another).
  • The system compares the signature to a signature template stored for you.
  • It may also analyze various timing characteristics, such as pen-in-air movements, that are unique to you and much more difficult to forge than the static signature on a page.
  • The system allows access only if your signature and related characteristics sufficiently match the stored template.
  • Advantages: a very well accepted type of biometric system, because people are accustomed to having their signatures scrutinized; cheaper than other biometric methods.

  29. Why are biometrics not reliable?
  • Biometrics take an analog signal, attempt to digitize it, and then match it against the digits stored in the database.
  • The problem with analog is that it may not encode exactly the same way twice.
  • It also depends largely on the physical condition of your organ.
  • If the system applied an exact check, it would never grant access, since it cannot scan exactly the same biometric twice.
  • Hence engineers allow a certain amount of error in the scan.
  • This leads to the concepts of false positives and false negatives.
  • False positive: a biometric is scanned and access is granted to someone who is not authorized. E.g. two people may have similar fingerprints.
  • False negative: the system denies access to someone who is authorized. For example, you forgot the ring on your finger that you always wear.
  • There is a need to balance exactness against error, allowing a little physical variance but not too much.
  • Multiple-factor authentication (what you know/have/are).
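Slides 27 and 29 together describe one mechanism: a template built from repeated samples, a tolerance applied to every later comparison, and the false positive / false negative trade-off that the tolerance creates. The Python below is an added example, not code from the original presentation, using keystroke rhythm as the biometric because its samples are just numbers. The enrolment timings, the genuine and impostor login attempts, the mean-absolute-deviation distance measure and the millisecond thresholds are all constructed or assumed for illustration; the sweep at the end shows that an exact check (0 ms) rejects every legitimate login, a loose one admits impostors, and no single tolerance removes both errors when an impostor's rhythm is close to the template.

```python
"""Threshold matching for a behavioural biometric: keystroke rhythm (slide 27)
and the false positive / false negative trade-off (slide 29).

Added example, not part of the original presentation. The keystroke timings are
constructed sample data; mean absolute deviation as the distance measure and the
millisecond thresholds are assumptions chosen for illustration.
"""
from statistics import mean

# Constructed enrolment: flight time in ms between successive keys of the login
# phrase, one list per repetition (slide 27: type until a reliable template exists).
ALICE_ENROL = [
    [120, 95, 140, 110, 130],
    [125, 90, 150, 105, 128],
    [118, 99, 138, 112, 135],
    [130, 92, 145, 108, 131],
]
# Constructed later logins by Alice; the third is a tired, slower attempt.
GENUINE_ATTEMPTS = [
    [122, 96, 142, 109, 129],
    [128, 88, 148, 104, 134],
    [110, 105, 130, 120, 140],
    [124, 93, 144, 107, 132],
]
# Constructed attempts by other people; the third is someone with a similar rhythm.
IMPOSTOR_ATTEMPTS = [
    [200, 180, 220, 190, 210],
    [150, 120, 170, 135, 160],
    [132, 102, 150, 116, 138],
    [90, 70, 100, 80, 95],
]


def build_template(samples):
    """Average each interval across the enrolment repetitions."""
    return [mean(column) for column in zip(*samples)]


def distance(template, attempt):
    """Mean absolute deviation (ms) between a login attempt and the template."""
    return mean(abs(t - a) for t, a in zip(template, attempt))


def matches(template, attempt, threshold_ms):
    """An analog signal never repeats exactly, so accept anything within the tolerance."""
    return distance(template, attempt) <= threshold_ms


def error_rates(template, genuine, impostor, threshold_ms):
    """Return (false_negative_rate, false_positive_rate) in the slide's terms:
    false negative = authorized user denied, false positive = unauthorized user allowed."""
    false_negatives = sum(not matches(template, a, threshold_ms) for a in genuine)
    false_positives = sum(matches(template, a, threshold_ms) for a in impostor)
    return false_negatives / len(genuine), false_positives / len(impostor)


def sweep(thresholds=(0, 5, 10, 15, 30)):
    """Error rates at each tolerance, showing why neither extreme works."""
    template = build_template(ALICE_ENROL)
    return {t: error_rates(template, GENUINE_ATTEMPTS, IMPOSTOR_ATTEMPTS, t)
            for t in thresholds}


if __name__ == "__main__":
    for threshold, (fnr, fpr) in sweep().items():
        print(f"tolerance {threshold:>2} ms: false negatives {fnr:.2f}, "
              f"false positives {fpr:.2f}")
```

The tolerance that gives the fewest total errors on this data (10 ms) still admits the impostor with a similar rhythm and still rejects the tired login, which is the slide's argument for pairing a biometric with another factor rather than tuning the threshold harder.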

  30. Physical Barriers
  • A more common security feature.
  • It is like layered security.
  • The outermost layer contains the more public activities, such as a guard at the gate who is visible to all.
  • The next layer becomes less public, to make it more difficult for observers to determine what mechanism is in place.
  • Walls and fences.
  • Next might be open space: for intruders, crossing this open space takes time, time during which they are vulnerable and their presence can be discovered.
  • Concrete barriers that stop vehicles from getting too close.
  • Such as concrete circles or walls.

  31. Questions?
