Đang tải... (xem toàn văn)
Authentication And Threats and Attacks to information security, polices and laws includes about Definition, Some basic authentication methods, Authentication Protocols, Kerberos-An security protocols in the real world.
AUTHENTICATION AND THREATS AND ATTACKS TO INFORMATION SECURITY, POLICES AND LAWS • Lê Quốc Thắng • Nguyễn Minh Tân AUTHENTICATION OUTLINE Definition Some basic authentication methods Authentication Protocols KerberosAn security protocols in the real world DEFINITION Access control is concern with access system resources includes: Authentication :deal with the problem of determining whether a user should be allowed access to particular system or resource Authorization restrict the action of authenticated user AUTHENTICATION METHODS Base on any combination of the following: Something you know Something you have Something you are SOMETHING YOU KNOW Password Ex: Your ATM PIN number Your date of birth Pro: User often choose bad passwords >easy to crack… But: Cost Convenient PASSWORD CRACKING Consider the key search problems Here we use 64bit cryptographic key Trudy must try possible keys to find the correct one If we construct a pass with 8 chars ,with 256 possible choices for each char The complexity of both problems is the same But: Password kf&Yw!a[ So with a good dictionary of pass Trudy can crack your pass Consider the chance of success / CHOOSING PASSWORDS Frank Pikachu 10251960 AustinStamp Replace by: jfIej(43jEmmL+y 09864376537263 P0kem0N FSa7Yago Passphrase “four score and seven years ago” ATTACKING SYSTEMS VIA PASSWORDS Outsider → normal user → administrator > one weak pass and our system… Password attack and system response Systems often lock after three bad passwords attempts? >How long? Some other password issues: Password reuse Social engineering Keystroke logging software SOMETHING YOU ARE Biometrics Universal Distinguishing Permanent Collectable Reliable, robust, and userfriendly There are two phase in a Biometric system: enrollment phase recognition phase 10 5. CHOOSE & EVALUATE Control categories: avoidance, assurance, detection and recovery Cost/benefit analysis 53 INFORMATION SECURITY POLICIES highlevel statement of enterprise beliefs, goals, and objectives and the general means for their attainment for a specified subject area Internal External 54 OVERALL INFORMATION SECURITY POLICIES 55 THREATS TO INFORMATION SECURITY 56 CONTENT Overview of Information security Common threats Errors and Omissions Fraud and Theft Malicious Hackers Malicious Code Denial of Service attacks Social Engineering 57 1.OVERVIEW OF INFORMATION SECURITY Security policy Organizational security Asset classification Personal security Physical security Communication & operation Access control Development, maintenance & continuity planning 58 2. COMMON THREATS Goals of IS: Integrity Confidentiality Availability Faulttolerant (RAID) Load balancing System failover 59 2.1 ERRORS AND OMISSIONS Number one threat to integrity Defense: Least privilege backup 60 2.2 FRAUD AND THEFT Difficult to find Defense Well define policies Computer forensics (firewalls, server logs, client workstation) MD5 61 62 2.3 MALICIOUS HACKERS Primary groups: Hackers Crackers Phreaks Process: Reconnaissance Scanning Gaining access Maintaining access Covering tracks 63 2.4 MALICIOUS CODE What is malicious code ? Type of malicious code Virus Worm (Nimda) Trojan horses Logic bomb (Michelangelo) 64 2.5 DENIAL OF SERVICE ATTACKS DOS : designed to overwhelm the target server’s hardware resources Type of DOS : One to one: SYN floods, FIN floods, Smurfs and Fraggle DDOS many to one attack: Trinoo, TFN2K, stacheldraht 65 2.6 SOCIAL ENGINEERING The acquisition of sensitive information or inappropriate access privileges by an outsider Common types of SE: humanbased interaction Impersonation and Important User Dumpster diving and shoulder surfing thirdparty authorization and tech support computerbased methods 66 Q&A 67 ... AUTHENTICATION 45 THREATS? ?AND? ?ATTACKS? ?TO? ? INFORMATION? ?SECURITY,? ? POLICES? ?AND? ?LAWS 46 AGENDA Risk analysis? ?and? ?risk management Information? ?security policies Threat? ?to? ?information? ?security Q&A... SOMETHING YOU HAVE 16 AUTHENTICATION? ?PROTOCOLS o Basic requirements Simple Security Protocols Authentication? ?protocols Simple? ?Authentication? ?Protocols Authentications using Symmetric Keys Authentications using Public Keys... Simple? ?Authentication? ?Protocols Authentications using Symmetric Keys Authentications using Public Keys Session Keys 22 SIMPLE? ?AUTHENTICATION? ? PROTOCOLS 23 SIMPLE? ?AUTHENTICATION? ? PROTOCOLS