Security Overview
Elements of Security
Security
A state of well-being of information and infrastructure in which the possibility of successful yet undetected theft, tampering and disruption of information and services is kept low and tolerable
Any hacking event will affect one or more of the essential security elements
There are two major types of attacks:
Social Engineering Attacks
Network Attacks
Computer-based:
Social engineering is carried out with the aid of computers
Hoax letters are emails that issue warnings to users about new viruses, Trojans and worms that may harm the user's system
Chain letters are emails that offer free gifts such as money and software on the condition that the user forwards the mail to a given number of people
Spam email
Email sent to many recipients without prior permission, intended for commercial purposes
Irrelevant, unwanted and unsolicited email sent to collect financial information, social security numbers and network information
Spam filters and anti-phishing tools integrated with web browsers can be used to protect against phishers
Network-Based Attacks
Most types of attacks are considered network-based attacks, where the hacker performs the attack from a remote system. There are a number of different types of network attacks:
Eavesdropping attack: this widely used type of attack typically involves the use of network monitoring tools to analyze and read communications on the network
Spoof attack: in this attack, the hacker modifies the source address of the packets he or she is sending so that they appear to be coming from someone else. This may be an attempt to bypass your firewall rules
Hijack attack: in this attack, a hacker takes over a session between you and another individual and disconnects the other individual from the communication. You still believe that you are talking to the original party and may send private information to the hacker unintentionally
Buffer overflow: in this attack the attacker sends more data to an application than it expects. A buffer overflow attack usually results in the attacker gaining administrative access to the system in a command prompt or shell
Exploit attack: in this type of attack, the attacker knows of a security problem within the operating system or a piece of software and leverages that knowledge by exploiting the vulnerability
Denial of service: this is a type of attack that causes the system or its services to crash. As a result, the system cannot perform its purpose and provide those services
Password attack: an attacker tries to crack passwords stored in a network account database or a password-protected file
Distributed denial of service (DDoS): the hacker uses multiple systems to attack a single target system. A good example is the SMURF attack, in which the hacker pings a number of computers but modifies the source address of those packets so that they appear to come from another system (the victim in this case). When all the systems receive the ping request, they all reply to the same address, essentially overburdening that system with data.
http://arstechnica.com/security/2007/05/massive-ddosattacks-target-estonia-russia-accused/
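The SMURF pattern described above has a simple defensive signature: the victim receives ICMP echo replies from many distinct hosts it never pinged. The following detector, an added example that is not part of the original slides, runs that check over a constructed set of packet records (timestamp, source, destination, ICMP type); the addresses, the window size and the threshold are assumptions chosen for the illustration.

```python
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type numbers

# Constructed sample packet records (not real traffic):
# (timestamp_s, src_ip, dst_ip, icmp_type)
VICTIM = "203.0.113.5"
AMPLIFIERS = [f"192.0.2.{n}" for n in range(10, 18)]  # 8 hosts on the abused LAN
SAMPLE_PACKETS = (
    # one echo request carrying the victim's address as its spoofed source,
    # addressed to the LAN's broadcast address
    [(0.0, VICTIM, "192.0.2.255", ECHO_REQUEST)]
    # every host on that LAN answers the victim instead of the real sender
    + [(0.1 + 0.05 * i, amp, VICTIM, ECHO_REPLY) for i, amp in enumerate(AMPLIFIERS)]
    # an ordinary ping exchange that must not be flagged
    + [(2.0, "198.51.100.7", "192.0.2.1", ECHO_REQUEST),
       (2.05, "192.0.2.1", "198.51.100.7", ECHO_REPLY)]
)


def detect_smurf_victims(packets, window_s=1.0, min_sources=5):
    """Return {host: peak_distinct_sources} for hosts that receive unsolicited
    ICMP echo replies from at least `min_sources` distinct senders inside one
    time window of `window_s` seconds.

    A reply is unsolicited when the receiver never sent an echo request to
    that particular source. Note that the spoofed request above was addressed
    to the broadcast address, not to the individual hosts that answer, so
    the replies still count as unsolicited from the victim's point of view.
    """
    # host -> set of hosts it genuinely sent echo requests to
    requested = defaultdict(set)
    for _, src, dst, itype in packets:
        if itype == ECHO_REQUEST:
            requested[src].add(dst)

    # destination -> time window -> distinct senders of unsolicited replies
    unsolicited = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, itype in packets:
        if itype != ECHO_REPLY or src in requested[dst]:
            continue  # not a reply, or a reply to a request dst really sent
        unsolicited[dst][int(ts // window_s)].add(src)

    suspects = {}
    for dst, windows in unsolicited.items():
        peak = max(len(senders) for senders in windows.values())
        if peak >= min_sources:
            suspects[dst] = peak
    return suspects


if __name__ == "__main__":
    print(detect_smurf_victims(SAMPLE_PACKETS))  # {'203.0.113.5': 8}
```

On a real network the same logic would be fed from flow records or packet captures; the threshold needs tuning per site, and the broadcast-address echo request seen on the amplifier side is itself worth alerting on, since disabling directed-broadcast forwarding on routers removes the amplification entirely.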
Physical Security
Gates
Security Guards
Smart cards
Security Token
Wiretapping
Remote Access
Defense in-Depth
is an information assurance (IA) concept in which multiple layers of security controls (defenses) are placed throughout an Information Technology (IT) system. Its intent is to provide redundancy in the event that a security control fails or a vulnerability is exploited; it can cover personnel, procedural, technical and physical aspects for the duration of the system's life cycle
The idea behind the defense in-depth approach is to defend a system against any particular attack using several, varying methods
Integrity
They will expect quoted prices and product availability to be accurate, the quantities they order at the prices to which they agreed not to be changed, and anything downloaded to be authentic and complete
Availability
Customers will expect to be able to place orders when it is convenient for them, and the employer will want the revenue stream to continue without disruption
IDENTITY, AUTHENTICATION & AUTHORIZATION
Don't authentication and identity mean the same thing? If we have authentication and identity, do we need authorization?
Authentication
is the process of confirming the correctness of the claimed identity
Authorization
means the approval, permission or empowerment for someone or something to do something
A motorist identifies himself to a police officer and presents a driver's license for confirmation. The officer compares the photograph, description and signature with those of the motorist to authenticate the identity
Authentication
Based on
Something you know
Something you know should be something only you know and can keep to yourself. This might be the PIN to your bank account or a password
Authentication
The method used to authenticate a user depends on the network environment and can take forms such as the following:
Username and password: when users start the computer or connect to the network, they type a username and password that is associated with their particular network user account
Smartcard: using a smartcard for logon is very similar to accessing your bank account at a teller machine. To log on to the network you insert a device similar to a debit card, known as a smartcard, into a smartcard reader and then supply a PIN. To be authenticated, you must have the smartcard and know its PIN
Biometrics: the user provides a retina scan or fingerprint as a credential. This is becoming a very popular solution in highly secure environments, where special biometric devices are used
When users provide credentials such as a username and a password, the username and password are passed to the server using an authentication method
AUTHORIZATION
Once you have been authenticated to the network, you will then be authorized to access the network resources
Permission is your level of access to a resource such as a file, folder or object. The permission is a characteristic of the resource and not a characteristic of the user account
For example: if you would like to give Bob read permission to a file, you would go to the properties of that file and set the permissions. Notice that you don't go to the user account to assign the permissions
A right is your level of privilege within the operating system to perform a task
For example: when companies deploy Windows XP Prof to all client systems on the network, users are surprised that they can't change the time on the computer if they want to. This is because they don't have the Change System Time right
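The following Python script, added here and not taken from the original slides, walks through the username-and-password authentication method from the previous slide and then the permission/right distinction from this one: the password store keeps only a salted PBKDF2 digest (so a stolen account database does not hand the attacker the passwords a "password attack" goes after), permissions live in an ACL attached to the resource, and rights live on the account. The usernames, passwords, file name and the right name `change_system_time` are constructed for the example; the right name is a stand-in, not a Windows identifier.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # iteration count chosen for the example


# --- Authentication: confirm the claimed identity with "something you know" ---
def make_password_record(password: str) -> dict:
    """Store a per-user random salt and a PBKDF2 digest, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def authenticate(accounts: dict, username: str, password: str):
    """Return the confirmed username, or None when the claimed identity is not confirmed."""
    record = accounts.get(username)
    if record is None:
        return None  # unknown identity: same outcome as a wrong password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    # constant-time comparison so timing does not reveal how many bytes matched
    return username if hmac.compare_digest(digest, record["digest"]) else None


# --- Authorization: permissions are a property of the resource ... ---
class Resource:
    """A file or folder; its ACL maps usernames to the permissions granted on it."""

    def __init__(self, name: str, acl: dict):
        self.name = name
        self.acl = acl  # e.g. {"bob": {"read"}}


def has_permission(resource: Resource, username: str, permission: str) -> bool:
    """Answered by looking at the resource's ACL, not at the user account."""
    return permission in resource.acl.get(username, set())


# ... and rights are a property of the user account
def has_right(rights: dict, username: str, right: str) -> bool:
    """Rights (e.g. changing the system time) are assigned to accounts."""
    return right in rights.get(username, set())


def access(accounts: dict, resource: Resource, username: str, password: str, permission: str) -> str:
    """Full flow: authenticate first, then authorize against the resource's ACL."""
    who = authenticate(accounts, username, password)
    if who is None:
        return "authentication failed"
    return "allowed" if has_permission(resource, who, permission) else "denied"


# Constructed sample data (not from the original slides)
ACCOUNTS = {
    "bob": make_password_record("correct-horse-battery"),
    "alice": make_password_record("hunter2-but-longer"),
}
RIGHTS = {"alice": {"change_system_time"}, "bob": set()}  # hypothetical right name
REPORT = Resource("quarterly_report.docx", {"bob": {"read"}, "alice": {"read", "write"}})

if __name__ == "__main__":
    print(access(ACCOUNTS, REPORT, "bob", "correct-horse-battery", "read"))   # allowed
    print(access(ACCOUNTS, REPORT, "bob", "correct-horse-battery", "write"))  # denied
    print(access(ACCOUNTS, REPORT, "bob", "wrong-password", "read"))          # authentication failed
    print(has_right(RIGHTS, "bob", "change_system_time"))                     # False
```

Note that giving Bob write access means editing `REPORT.acl`, not `ACCOUNTS["bob"]`, which is exactly the point the slide makes about where permissions are configured.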
Data Classification
We classify data with differing levels of sensitivity
Top Secret - the highest level of protection is given to this data; it is critical to protect
Secret - this data is important and its release could harm national security
Confidential - this is important and it could be detrimental to national security if released
Sensitive But Unclassified (SBU) - this generally is information that is sensitive and should not be released
Unclassified - they prefer to keep it from being released, but the nation would not be harmed if it were
Vulnerability
Existence of a weakness, design or implementation error that can lead to an unexpected and undesirable event compromising the security of the system
Security Policies