Computer Security

F. Questier, Computer security, workshop for Lib@web international training program 'Management of Electronic Information and Digital Libraries', university of Antwerp, October 2015

Published in: Technology, Education

  1. 1. Computer security Prof. dr. Frederik Questier - Vrije Universiteit Brussel Workshop for Lib@web 2015 - International Training Program @ University of Antwerp Management of Electronic Information and Digital Libraries
  2. 2. This presentation can be found at http://questier.com http://www.slideshare.net/Frederik_Questier
  3. 3. Main objectives of computer security ➢ Confidentiality ➢ of data (secrecy) ➢ of persons (privacy) ➢ access only by authorized parties ➢ Integrity ➢ data only correctly modified or deleted by authorized parties ➢ Availability ➢ correctly accessible in a timely manner ➢ the failure to meet this goal is called a denial of service
  4. 4. Assignment 1: personal computer security ➢ Throughout this workshop: write down all possible ways in which your personal computer system could be compromised. What are the possible attack vectors?
  5. 5. Assignment 2: institutional data security Congratulations! You are an elected member of the newly established computer and data security team in your institution. 1) Make a list of all possible risks that can have an impact on the security and stability of your data and internal and external Information & Technology services. 2) Make a list of recommendations to lower the risks.
  6. 6. What can go wrong? Nature ➢ lightning strike ➢ fire ➢ flood ➢ heat wave – cold wave ➢ storm weather, hurricane ➢ earthquake ➢ tsunami ➢ volcanic eruption ➢ electromagnetic pulse from the sun ➢ disease of key employees
  7. 7. What can go wrong? Evil actions by people ➢ break in (hackers - crackers) ➢ social engineering ➢ phishing ➢ (identity) theft ➢ vandalism ➢ unhappy employees ➢ sabotage (time bomb) ➢ cyber attack, e.g. (Distributed) Denial of Service ➢ terrorism ➢ war ➢ nuclear bomb
  8. 8. What can go wrong? Malware (malicious software) ➢ virus ➢ worm ➢ trojan horse ➢ rootkit ➢ spyware ➢ ransomware ➢ keylogger ➢ network sniffer ➢ back door ➢ dialer
  9. 9. What can go wrong? Infrastructure or services problems ➢ Failure of ➢ software (bugs) ➢ hardware ➢ electricity ➢ power outage or power surge ➢ network (cable cut – saturation) ➢ air conditioning ➢ water pipes → leak ➢ system upgrades ➢ service providers (e.g. cloud) ➢ Overload of CPU, memory, storage, network (spam)
  10. 10. What can go wrong? Human errors ➢ Weak security ➢ Loss of laptops, smartphones, USB-sticks, … ➢ No encryption ➢ Password leaks or cracks ➢ Computer console left unlocked ➢ Misunderstanding computer interface or other mistakes ➢ Deleting data ➢ Corrupting data ➢ Confiscation of machines
  11. 11. Tools for computer security
  12. 12. Tools for confidentiality Overview ➢ Authorization - Access policies - access control ➢ Authentication – identification ➢ Passwords ➢ … ➢ Encryption ➢ Virtual private networking ➢ Auditing – logging ➢ ...
  13. 13. Tools for integrity Overview ➢ Backups ➢ Checksums ➢ Antivirus ➢ ...
  14. 14. Tools for availability Overview ➢ Disaster recovery planning ➢ Physical protections ➢ Anti-theft ➢ Uninterruptible Power Supply ➢ Redundancies ➢ Intrusion-detection systems ➢ Antivirus software ➢ Firewall ➢ ...
  15. 15. TOOLS FOR CONFIDENTIALITY
  16. 16. Passwords ➢ Don't share them ➢ Not even with computer administrators ➢ Don't write them down ➢ Don't reuse them among different sites ➢ Change them often ➢ Choose wisely: ➢ Easy to remember ➢ Hard to guess (resistant to dictionary attacks) ➢ Password length ➢ Large set of characters (caps, lower case, numbers, symbols)
  17. 17. Some notorious password leaks ➢ 2014: 5M Gmail passwords ➢ 2013: 38M Adobe passwords (and source code) ➢ 2013: 250K Twitter passwords ➢ 2012: 12M Apple User IDs stolen by FBI, 1M leaked ➢ 2012: 6M LinkedIn passwords ➢ 2012: 450K plaintext Yahoo passwords ➢ 2012: 1.5M plaintext Youporn passwords ➢ 2009: 10K MS Hotmail, MSN and Live passwords
  18. 18. Johannes Weber, http://blog.webernetz.net/2013/07/30/password-strengthentropy-characters-vs-words/
  19. 19. Biometric identification ➢ Fingerprint ➢ Voice print ➢ Iris scan ➢ Retinal scan ➢ Convenient ➢ Relatively safe ➢ But...
  20. 20. Danger of biometric identification?
  21. 21. Danger of biometric identification? ➢ You can't change your biometric password once it has leaked ➢ You can't legally refuse to give it, unlike a password (US fifth amendment)
  22. 22. Lock your screen when you leave
  23. 23. Security issues in communication ➢ Privacy ➢ Integrity ➢ Authentication ➢ Non-repudiation ➢ Interception ➢ Spoofing ➢ Modification ➢ Proof of parties involved
  24. 24. Cryptography = secret writing
  25. 25. Cipher algorithm for performing encryption or decryption ➢ Example: Caesar cipher
  26. 26. Great if we can exchange our messages encrypted! But how can we safely exchange our keys?
  27. 27. Symmetric encryption Sender and receiver must both know the same secret key How to exchange that key over distance??? Asymmetric encryption Sender only needs to know the public key of receiver!
  28. 28. Public key encryption The private key can unlock (decrypt) what is locked (encrypted) with the public key
  29. 29. Public key encryption Creation of keys
  30. 30. Man-in-the-middle attack ➢ How can Bob know that Alice's key is really Alice's key (and not Mallory's)?
  31. 31. Digital certificates Version # Serial # Signature Algorithm Issuer Name Validity Period Subject Name Subject Public Key Issuer Unique ID Subject Unique ID Extensions Digital Signature
  32. 32. HTTPS SSL exchange
  33. 33. ➢ CAcert.org is a community-driven certificate authority that issues free public key certificates to the public (unlike other certificate authorities which are commercial and sell certificates). ➢ CAcert has over 200,000 verified users. ➢ These certificates can be used to digitally sign and encrypt email, authenticate and authorize users connecting to websites and secure data transmission over the Internet.
  34. 34. Web of trust Keysigning parties
  35. 35. Avoid non-encrypted protocols! ➢ Encrypted protocols ➢ HTTPS ➢ SFTP ➢ SSH ➢ TOR ➢ VPN ➢ WEP (Wired Equivalent Protocol. Weak!) ➢ WPA - WPA2 Wi-Fi Protected Access ➢ Non-encrypted protocols ➢ HTTP ➢ FTP ➢ TELNET ➢ BitTorrent
  36. 36. Full disk encryption
  37. 37. Full disk encryption
  38. 38. Android encryption
  39. 39. Virtual drive in file container Encrypted file container.txt Mountable as virtual drive /media/encrypted-disk /Volumes/encrypted-disk E:
  40. 40. Virtual Private Networks A VPN extends a private (hospital) network across a public (internet) network, encrypted to protect against network sniffing
  41. 41. Internet use through a VPN provider Sarah A. Downey, http://www.abine.com/blog/2012/petraeuss-emails-werent-private-and-neither-are-yours/
  42. 42. Firewall Private versus Demilitarized zone
  43. 43. Private browsing
  44. 44. Task: check http://donttrack.us/
  45. 45. Tor = The Onion Router Free Open Source software for an anonymity network
  46. 46. ➢ Bitcoin = distributed peer-to-peer crypto-currency ➢ Log of chain of digitally-signed transactions to prevent double spending
  47. 47. Edward Snowden: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”
  48. 48. You can't trust software if its source code is hidden ➢ From the European Parliament investigation into the Echelon system (05/18/2001): “If security is to be taken seriously, only those operating systems should be used whose source code has been published and checked, since only then can it be determined with certainty what happens to the data.” ➢ Cryptographer and computer security expert Bruce Schneier: “Secrecy and security aren't the same, even though it may seem that way. Only bad security relies on secrecy; good security works even if all the details of it are public.” “If researchers don’t go public, things don’t get fixed. Companies don't see it as a security problem; they see it as a PR problem.” “Demand open source code for anything related to security”
  49. 49. The Borland Interbase example ➢ 1992-1994: Borland inserted intentional back door into Interbase (closed source database server) allowing local or remote users root access to the machine ➢ 07/2000: Borland releases source code (→ Firebird) ➢ 12/2000: Back door is discovered
  50. 50. Be aware of phishing attacks!
  51. 51. TOOLS FOR INTEGRITY
  52. 52. Make backups! Example: centralized over network
  53. 53. Backups ➢ Use off-site data protection = vaulting ● e.g. remote backup (compression, encryption!) ➢ First time and sometimes: full backup ➢ Most often: only incremental backup ➢ Use a good data retention scheme ➢ e.g. 7 daily, 4 weekly, 12 monthly, all yearly backups ➢ Consider how long a full restore will take ➢ Test the restore procedure! ➢ “80% of backups fail to restore”
  54. 54. Error detection - Checksum - cryptographic hash e.g. CRC32 (cyclic redundancy check) MD5 (message digest) SHA-3 (Secure Hash Algorithm)
  55. 55. Scan for malware!
  56. 56. Install software from trusted sources! (avoid P2P or web downloads if possible)
  57. 57. Apply software updates and upgrades!
  58. 58. For important documents, save a new version daily as: Thesis20131030.odt Thesis20131031.odt Thesis20131101.odt ...
  59. 59. TOOLS FOR AVAILABILITY
  60. 60. Prepare for disasters! Business continuity planning = how to stay in business in the event of disaster? ➢ Disaster recovery ● Preventive measures ● Detective measures ● Corrective measures
  61. 61. Uninterruptible Power Supply UPS 1) Flywheel 2) Diesel generators 3) Batteries (UPS)
  62. 62. fault tolerance high availability redundancy fail over
  63. 63. RAID: Redundant Array of Independent Disks
  64. 64. DDoS Distributed Denial of Service
  65. 65. Questions? Thanks! Questier.com Frederik AT Questier.com www.linkedin.com/in/fquestie www.diigo.com/user/frederikquestier www.slideshare.net/Frederik_Questier
  66. 66. Credits ➢ Hacker - Hacking – Symbol.jpg, CC BY-SA, www.elbpresse.de ➢ Internet Archive, Copyright Bibliotheca Alexandrina, International School of Information Science (ISIS), http://www.bibalex.org/isis/large/000.jpg ➢ Password Strength, Creative Commons BY-NC http://xkcd.com/936/ ➢ Security, Creative Commons BY-NC http://xkcd.com/538/ ➢ Zimmermann Telegram, 1917, no known copyright restrictions ➢ Asymmetric and symmetric encryption by Jeremy Stretch, http://packetlife.net/blog/2010/nov/23/symmetric-asymmetric-encryption-hashing/ ➢ Orange blue public key cryptography, Creative Commons CC0 by Bananenfalter ➢ HTTPS SSL Exchange by Robb Perry, http://coding.smashingmagazine.com/2012/05/17/backpack-algorithms-and-public-key-cryptography-made-easy/ ➢ Bitcoin logo, Public Domain by bitboy ➢ Bitcoin Transaction Visual, Creative Commons CC0 by Graingert ➢ Social Icons by Iconshock http://www.iconshock.com/social-icons/
  67. 67. This presentation was made with 100% Free Software No animals were harmed
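
The retention scheme from slide 53 (7 daily, 4 weekly, 12 monthly, all yearly backups), worked out as an added Python example that is not part of the original slides. It assumes one common reading of the scheme, keeping the newest backup in each day, ISO week, month and year bucket; the function names and the sample dates are constructed for illustration.

```python
from datetime import date, timedelta


def _newest_per_bucket(dates, bucket_of, limit):
    """dates is sorted newest first; keep the newest backup of each bucket.

    limit caps how many buckets are kept (None means keep every bucket).
    """
    kept, seen = [], set()
    for d in dates:
        bucket = bucket_of(d)
        if bucket in seen:
            continue
        if limit is not None and len(seen) == limit:
            break
        seen.add(bucket)
        kept.append(d)
    return kept


def backups_to_keep(backup_dates, daily=7, weekly=4, monthly=12):
    """Apply '7 daily, 4 weekly, 12 monthly, all yearly' to a list of dates."""
    dates = sorted(set(backup_dates), reverse=True)
    keep = set(_newest_per_bucket(dates, lambda d: d, daily))
    # ISO (year, week) pairs, so a week spanning New Year stays one bucket
    keep.update(_newest_per_bucket(dates, lambda d: tuple(d.isocalendar())[:2], weekly))
    keep.update(_newest_per_bucket(dates, lambda d: (d.year, d.month), monthly))
    keep.update(_newest_per_bucket(dates, lambda d: d.year, None))  # all yearly
    return keep


def sample_backups():
    """Constructed input: one backup per day, 2013-01-01 through 2015-10-31."""
    start, end = date(2013, 1, 1), date(2015, 10, 31)
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


if __name__ == "__main__":
    all_backups = sample_backups()
    keep = backups_to_keep(all_backups)
    print(f"{len(all_backups)} backups on disk, {len(keep)} retained")
    for d in sorted(keep, reverse=True):
        print("keep", d.isoformat())
```

The function only decides which dates to retain; removing the other backups is left to the backup tool in use.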
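
An added example for slide 54 (not from the original slides): a SHA3-256 manifest that detects modified, missing and unexpected files, for instance after restoring a backup. The function names are hypothetical and the sample files are constructed, borrowing the dated file names from slide 58.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha3_file(path, chunk_size=65536):
    """SHA3-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha3_256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file path (relative to root) to its SHA3-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha3_file(full)
    return manifest


def verify(root, manifest):
    """Compare the files under root with a previously stored manifest."""
    now = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in now and now[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in now),
        "unexpected": sorted(p for p in now if p not in manifest),
    }


def demo():
    """Constructed sample: three dated versions, then a bit flip, a loss, a stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        names = ["Thesis20131030.odt", "Thesis20131031.odt", "Thesis20131101.odt"]
        for name in names:
            (root / name).write_bytes(b"constructed sample content of " + name.encode())
        manifest = build_manifest(root)
        data = bytearray((root / names[0]).read_bytes())
        data[0] ^= 0x01  # a single flipped bit, as a failing disk might produce
        (root / names[0]).write_bytes(bytes(data))
        (root / names[1]).unlink()
        (root / "stray.tmp").write_bytes(b"x")
        return verify(root, manifest)
```

Store the manifest separately from the data it describes (for example with the off-site backup), because an unkeyed hash only shows integrity against someone who cannot also rewrite the manifest.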