Security
Published in: Education, Technology, Business
Notes
  • SARA JOHANNA GLENN S. BUCAYU
  • CATHLENE L. BABARAN
  • RICAJOY O. TURQUEZA
  • JUN ARVIE T. RIVO
  • RBAC is an approach to restricting system access to authorized users. Roles are created and are assigned to each user.
  • POLINA VALERIE G. CORBE
  • Transcript

    • 1. SECURITY OVERVIEW. 1. Computer Security THREATS: a. Computer Security Concepts; b. Threats, Attacks and Assets; c. Intruders; d. Malicious Software Overview; e. Viruses, Worms and Bots; f. Rootkits. 2. Computer Security TECHNIQUES: a. Authentication; b. Access Control; c. Intrusion Detection; d. Malware Defense; e. Dealing with Buffer Overflow Attacks.
    • 2. Computer Security The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources.
    • 3. THREE KEY OBJECTIVES that are at the heart of computer security: 1. Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. • Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals. • Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
    • 4. THREE KEY OBJECTIVES that are at the heart of computer security: 2. Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. • Data integrity: Assures that information and programs are changed only in a specified and authorized manner. • System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
    • 5. THREE KEY OBJECTIVES that are at the heart of computer security: 3. Availability: Ensuring timely and reliable access to and use of information.
    • 6. THE SECURITY REQUIREMENTS TRIAD
    • 7. ADDITIONAL CONCEPTS. Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
    • 8. FOUR KINDS OF THREAT CONSEQUENCES. 1. Unauthorized Disclosure: A circumstance or event whereby an entity gains access to data for which the entity is not authorized. 2. Deception: A circumstance or event that may result in an authorized entity receiving false data and believing it to be true.
    • 9. FOUR KINDS OF THREAT CONSEQUENCES. 3. Disruption: A circumstance or event that interrupts or prevents the correct operation of system services and functions. 4. Usurpation: A circumstance or event that results in control of system services or functions by an unauthorized entity.
    • 10. KINDS OF ATTACKS (Unauthorized disclosure). 1. Exposure: Sensitive data are directly released to an unauthorized entity. 2. Interception: An unauthorized entity directly accesses sensitive data travelling between authorized sources and destinations.
    • 11. KINDS OF ATTACKS. 3. Inference: A threat action whereby an unauthorized entity indirectly accesses sensitive data by reasoning from characteristics or byproducts of communications. 4. Intrusion: An unauthorized entity gains access to sensitive data.
    • 12. KINDS OF ATTACKS (Deception). 1. Masquerade: An unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity. 2. Falsification: False data deceive an authorized entity. 3. Repudiation: An entity deceives another by falsely denying responsibility for an act.
    • 13. KINDS OF ATTACKS (Disruption). 1. Incapacitation: Prevents or interrupts system operation by disabling a system component. 2. Corruption: Undesirably alters system operation by adversely modifying system functions or data. 3. Obstruction: A threat action that interrupts delivery of system services by hindering system operation.
    • 14. KINDS OF ATTACKS (Usurpation). 1. Misappropriation: An entity assumes unauthorized logical or physical control of a system resource. 2. Misuse: Causes a system component to perform a function or service that is detrimental to system security.
    • 15. THREATS AND ASSETS. Assets of a computer can be categorized as: • Hardware • Software • Data • Communication Lines and Networks
    • 16. THREE CLASSES OF INTRUDERS. 1. Masquerader: An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account. 2. Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
    • 17. THREE CLASSES OF INTRUDERS. 3. Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.
    • 18. EXAMPLES OF INTRUSION • Performing a remote root compromise of an e-mail server • Defacing a Web server • Guessing and cracking passwords • Copying a database containing credit card numbers
    • 19. EXAMPLES OF INTRUSION • Viewing sensitive data, including payroll records and medical information, without authorization • Running a packet sniffer on a workstation to capture usernames and passwords • Using a permission error on an anonymous FTP server to distribute pirated software and music files • Dialing into an unsecured modem and gaining internal network access
    • 20. EXAMPLES OF INTRUSION • Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password • Using an unattended, logged-in workstation without permission
    • 21. INTRUDER BEHAVIOR PATTERNS • Hackers • Criminals • Insider Attacks
    • 22. INTRUDER BEHAVIOR PATTERNS - HACKERS
    • 23. INTRUDER BEHAVIOR PATTERNS - CRIMINALS
    • 24. INTRUDER BEHAVIOR PATTERNS - INSIDER ATTACKS
    • 25. TERMINOLOGY OF MALICIOUS PROGRAMS. Virus: Malware that, when executed, tries to replicate itself into other executable code; when it succeeds the code is said to be infected. When the infected code is executed, the virus also executes. Worm: A computer program that can run independently and can propagate a complete working version of itself onto other hosts on a network.
    • 26. TERMINOLOGY OF MALICIOUS PROGRAMS. Logic Bomb: A program inserted into software by an intruder. A logic bomb lies dormant until a predefined condition is met; the program then triggers an unauthorized act. Backdoor (trapdoor): Any mechanism that bypasses a normal security check; it may allow unauthorized access to functionality.
    • 27. TERMINOLOGY OF MALICIOUS PROGRAMS. Trojan Horse: A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the Trojan horse program.
    • 28. TERMINOLOGY OF MALICIOUS PROGRAMS. Mobile Code: Software (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics. Exploits: Code specific to a single vulnerability or set of vulnerabilities.
    • 29. TERMINOLOGY OF MALICIOUS PROGRAMS. Downloaders: Program that installs other items on a machine that is under attack. Usually, a downloader is sent in an e-mail. Auto-rooter: Malicious hacker tools used to break into new machines remotely. Kit (virus generator): Set of tools for generating new viruses automatically.
    • 30. TERMINOLOGY OF MALICIOUS PROGRAMS. Spammer programs: Used to send large volumes of unwanted e-mail. Flooders: Used to attack networked computer systems with a large volume of traffic to carry out a denial-of-service (DoS) attack. Keyloggers: Captures keystrokes on a compromised system.
    • 31. TERMINOLOGY OF MALICIOUS PROGRAMS. Rootkit: Set of hacker tools used after an attacker has broken into a computer system and gained root-level access. Zombie, bot: Program on an infected machine that is activated to launch attacks on other machines.
    • 32. TERMINOLOGY OF MALICIOUS PROGRAMS. Spyware: Software that collects information from a computer and transmits it to another system. Adware: Advertising that is integrated into software. It can result in pop-up ads or redirection of a browser to a commercial site.
    • 33. MULTIPLE-THREAT MALWARE. A multipartite virus infects in multiple ways. Typically, the multipartite virus is capable of infecting multiple types of files, so that virus eradication must deal with all of the possible sites of infection. A blended attack uses multiple methods of infection or transmission, to maximize the speed of contagion and the severity of the attack. Some writers characterize a blended attack as a package that includes multiple types of malware.
    • 34. Viruses. A computer virus is a piece of software that can “infect” other programs by modifying them. Nature of Viruses: A virus can do anything that other programs do. The only difference is that it attaches itself to another program and executes secretly when the host program is running.
    • 35. THREE PARTS OF A COMPUTER VIRUS. Infection Mechanism – the means by which a virus spreads, enabling it to replicate. Trigger – the event or condition that determines when the payload is activated or delivered. Payload – what the virus does, besides spreading.
    • 36. FOUR PHASES OF A VIRUS. Dormant Phase – the virus is idle. Propagation Phase – the virus places an identical copy of itself into other programs or into certain system areas on the disk. Triggering Phase – the virus is activated to perform the function for which it was intended. Execution Phase – the function is performed.
    • 37. Virus Structure – A virus can be prepended or postpended to an executable program, or it can be embedded in some other fashion. Initial Infection – Once a virus has gained entry to a system by infecting a single program, it is in a position to potentially infect some or all other executable files on that system when the infected program executes.
    • 38. VIRUS CLASSIFICATION by target. Boot sector infector – infects a master boot record. File Infector – infects files that the OS or shell consider to be executable. Macro Virus – infects files with macro code that is interpreted by an application.
    • 39. VIRUS CLASSIFICATION by concealment strategy. Encrypted virus – a typical approach is as follows: a portion of the virus creates a random encryption key and encrypts the remainder of the virus. Stealth virus – a form of virus explicitly designed to hide itself from detection by antivirus software. Polymorphic virus – a virus that mutates with every infection, making detection by the “signature” of the virus impossible. Metamorphic virus – a virus that mutates with every infection. The difference is that it rewrites itself completely at each iteration, increasing the difficulty of detection.
    • 40. Virus Kits – another weapon in the virus writers’ armory is the virus-creation toolkit. Macro Viruses – are platform independent; infect Microsoft Word documents or other Microsoft Office documents; infect documents, not executable portions of code; are easily spread, a very common method being by electronic mail.
    • 41. E-Mail Viruses – a more recent development in malicious software is the e-mail virus. If the recipient opens the e-mail attachment, the Word macro is activated. Then: 1. The e-mail virus sends itself to everyone on the mailing list in the user’s e-mail package. 2. The virus does local damage on the user’s system.
    • 42. WORMS. It is a program that can replicate itself and send copies from computer to computer across network connections.
    • 43. BOTS. A bot (robot), also known as a zombie or drone, is a program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the bot’s creator.
    • 44. USES OF BOTS. Distributed denial-of-service attacks: a DDoS attack is an attack on a computer system or network that causes a loss of service to users. Spamming: with the help of a botnet and thousands of bots, an attacker is able to send massive amounts of bulk e-mail (spam). Sniffing traffic: bots can also use a packet sniffer to watch for interesting cleartext data passing by a compromised machine.
    • 45. USES OF BOTS. Keylogging: if the compromised machine uses encrypted communication channels, then just sniffing the network packets on the victim’s computer is useless because the appropriate key to decrypt the packets is missing. Spreading new malware: botnets are used to spread new bots. Installing advertisement add-ons and browser helper objects (BHOs): botnets can also be used to gain financial advantages.
    • 46. USES OF BOTS. Attacking IRC chat networks: botnets are also used for attacks against Internet relay chat (IRC) networks. Manipulating online polls/games: online polls/games are getting more and more attention and it is rather easy to manipulate them with botnets.
    • 47. Rootkit - a set of programs installed on a system to maintain administrator (or root) access to that system.
    • 48. Rootkits can be classified based on whether they can survive a reboot and on execution mode. A rootkit may be: 1. Persistent: Activates each time the system boots. The rootkit must store code in a persistent store, such as the registry or file system, and configure a method by which the code executes without user intervention. 2. Memory based: Has no persistent code and therefore cannot survive a reboot.
    • 49. 3. User mode: Intercepts calls to APIs (application program interfaces) and modifies returned results. For example, when an application performs a directory listing, the returned results don’t include entries identifying the files associated with the rootkit. 4. Kernel mode: Can intercept calls to native APIs in kernel mode. The rootkit can also hide the presence of a malware process by removing it from the kernel’s list of active processes.
    • 50. Rootkit Installation – unlike worms or bots, rootkits do not directly rely on vulnerabilities or exploits to get on a computer. The following sequence is representative of a hacker attack to install a rootkit. 1. The attacker uses a utility to identify open ports or other vulnerabilities. 2. The attacker uses password cracking, malware, or a system vulnerability to gain initial access and, eventually, root access.
    • 51. 3. The attacker uploads the rootkit to the victim’s machine. 4. The attacker can add a virus, denial of service, or other type of attack to the rootkit’s payload. 5. The attacker then runs the rootkit’s installation script. 6. The rootkit replaces binaries, files, commands, or system utilities to hide its presence. 7. The rootkit listens at a port in the target server, installs sniffers or keyloggers, activates a malicious payload, or takes other steps to compromise the victim.
    • 52. User Authentication is the fundamental building block and the primary line of defense in most computer security environments. It is the basis for most types of access control and for user accountability. (RFC 2828 definition) The process of verifying an identity claimed by or for a system entity.
    • 53. An authentication process consists of two steps: • Identification step: Presenting an identifier to the security system. • Verification step: Presenting or generating authentication information that validates the binding between the entity and the identifier.
    • 54. IDENTIFICATION (example)
      User          User Identifier   Password
      Sara Bucayu   SJGSBUCAYU        12345
      • The password is kept secret (known only to Sara and to the system). • Sara’s user ID and password enable administrators to set up Sara’s access permissions and review or check her activity.
    • 55. AUTHENTICATION. Identification is the means by which a user provides a claimed identity to the system. User authentication is the means of establishing the validity of the claim.
    • 56. MEANS OF AUTHENTICATION. Four general means of authenticating a user’s identity, which can be used alone or in combination: 1. Something the individual knows. Examples: password, personal identification number (PIN), or answers to a prearranged set of questions. 2. Something the individual possesses. Examples: electronic keycards, smart cards, and physical keys.
    • 57. MEANS OF AUTHENTICATION. 3. Something the individual is (static biometrics). Examples: recognition by fingerprint, retina, and face. 4. Something the individual does (dynamic biometrics). Examples: recognition by voice pattern, handwriting characteristics, and typing rhythm.
    • 58. PASSWORD-BASED AUTHENTICATION. The system compares the password to a previously stored password for that user ID, maintained in a system password file. The password serves to authenticate the user ID of the individual logging on to the system.
      USER ID   Stored Password   Password Input
      Sara      ●●●●●●            ●●●●●●
    • 59. PASSWORD-BASED AUTHENTICATION. The user ID provides security in the following ways: • The ID determines whether the user is authorized to gain access to a system. • The ID determines the privileges accorded to the user. • The ID is used in what is referred to as discretionary access control.
    • 60. THE USE OF HASHED PASSWORDS. A widely used password security technique is the use of hashed passwords and a salt value. This scheme is found on virtually all UNIX variants as well as on a number of other operating systems.
    • 61. UNIX PASSWORD SCHEME (figure: the password and a salt value are fed to a slow hash function; example values on the slide: password sjgbucayu, salt 0219, hash ae08wi930ks…)
    • 62. UNIX PASSWORD SCHEME
    • 63. THE USE OF HASHED PASSWORDS. The salt serves three purposes:
      User ID   Salt Value   Password   Hashed Password
      Sara      3982         12345      ae02thd403odk..
      Rica      3210         12345      jd893sjs1qjz63j..
      • It prevents duplicate passwords from being visible in the password file. • It greatly increases the difficulty of offline dictionary attacks. • It becomes nearly impossible to find out whether a person with passwords on two or more systems has used the same password on all of them.
    • 64. UNIX IMPLEMENTATIONS. Since the original development of UNIX, most implementations have relied on the following password scheme:
      Scheme                           Max Password Length   No. of Encryptions   Salt Value (Length)   Hash Value (Length)
      DES Algorithm                    8 characters          25                   12 bits               64 bits
      MD5 Secure Hash Algorithm        No limitation         1000                 48 bits               128 bits
      Blowfish symmetric block cipher  55 characters         not stated           128 bits              192 bits
      *The most secure version of the UNIX hash/salt scheme was developed for OpenBSD, another widely used open source UNIX. This scheme uses a hash function based on the Blowfish symmetric block cipher.
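As an added example (not part of the slides), here is a small Python model of the identification and verification steps from slides 53 and 58 combined with the hashed-password-plus-salt scheme of slides 60 to 64. The slow hash is PBKDF2-HMAC-SHA256 (standing in for the UNIX schemes in the table); the user IDs, the second user "RICA", and the in-memory password file are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the system password file: user ID -> (salt, hashed password).
PASSWORD_FILE = {}

# Work factor of the slow hash function (assumed value; raise it on faster hardware).
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash: PBKDF2-HMAC-SHA256 over the password with this user's salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(user_id: str, password: str) -> None:
    """Create an account: draw a fresh random salt for this user and store (salt, hash).
    The plaintext password is never stored."""
    salt = secrets.token_bytes(SALT_BYTES)
    PASSWORD_FILE[user_id] = (salt, hash_password(password, salt))


def authenticate(user_id: str, password: str) -> bool:
    """Identification step: look up the claimed user ID.
    Verification step: rehash the supplied password with the stored salt and compare."""
    record = PASSWORD_FILE.get(user_id)
    if record is None:
        # Unknown ID: do the same amount of work so response time does not reveal valid IDs.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored_hash = record
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def stored_hashes_differ(user_a: str, user_b: str) -> bool:
    """True when two accounts' stored hashes differ even though their passwords are the
    same: the per-user salt keeps duplicate passwords from being visible in the file."""
    return PASSWORD_FILE[user_a][1] != PASSWORD_FILE[user_b][1]


if __name__ == "__main__":
    enroll("SJGSBUCAYU", "12345")  # Sara, values from slide 54
    enroll("RICA", "12345")        # Rica, same password as Sara (constructed)
    print(authenticate("SJGSBUCAYU", "12345"))         # True
    print(authenticate("SJGSBUCAYU", "54321"))         # False
    print(authenticate("NOBODY", "12345"))             # False
    print(stored_hashes_differ("SJGSBUCAYU", "RICA"))  # True
```

The two salt purposes that are easiest to see here are the first and third from slide 63: Sara and Rica share the password 12345, yet their stored hashes differ, so neither the password file nor a comparison across systems reveals the reuse. The offline dictionary attack cost (the second purpose) comes from the combination of a per-user salt, which prevents one precomputed table from serving every account, and the iteration count, which makes each guess expensive.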
    • 65. TOKEN-BASED AUTHENTICATION. Tokens: Objects that a user possesses for the purpose of user authentication. 1. Memory Cards. Memory cards can store but not process data. The most common such card is the bank card with a magnetic stripe on the back. A magnetic stripe can store only a simple security code, which can be read by an inexpensive card reader.
    • 66. TOKEN-BASED AUTHENTICATION. Potential drawbacks for memory cards: • Requires special reader: This increases the cost of using the token and creates the requirement to maintain the security of the reader’s hardware and software. • Token loss: A lost token temporarily prevents its owner from gaining system access. • User dissatisfaction: Although users may have no difficulty in accepting the use of a memory card for ATM access, its use for computer access may be deemed inconvenient.
    • 67. TOKEN-BASED AUTHENTICATION. 2. Smart Cards. • Physical characteristics: Smart tokens include an embedded microprocessor. A smart token that looks like a bank card is called a smart card. Other smart tokens can look like calculators, keys, or other small portable objects. • Interface: Manual interfaces include a keypad and display for human/token interaction. • Authentication protocol: The purpose of a smart token is to provide a means for user authentication.
    • 68. TOKEN-BASED AUTHENTICATION. Three categories of authentication protocols used with smart tokens: 1. Static. With a static protocol, the user authenticates himself or herself to the token and then the token authenticates the user to the computer.
    • 69. TOKEN-BASED AUTHENTICATION. 2. Dynamic password generator. The token generates a unique password periodically. This password is then entered into the computer system for authentication, either manually by the user or electronically via the token. 3. Challenge-response. In this case, the computer system generates a challenge, such as a random string of numbers. The smart token generates a response based on the challenge.
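The dynamic-password and challenge-response protocols of slide 69, modelled in Python as an added example (not from the slides): both sides of the exchange are shown, with the token computing an HMAC over a counter (the one-time code) or over the server's random challenge. The shared key, the class and method names, and the HOTP-style truncation to a six-digit code are assumptions for this illustration.

```python
import hashlib
import hmac
import secrets
import struct

DIGITS = 6  # length of the one-time code shown on the token's display


def _mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def _code_from_mac(mac: bytes) -> str:
    """Dynamic truncation (the HOTP rule from RFC 4226): pick 4 bytes of the MAC,
    mask the sign bit and reduce to a short decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class SmartToken:
    """The token: holds a secret key that never leaves the device."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._counter = 0

    def next_password(self) -> str:
        """Dynamic password generator: each press yields a new one-time code."""
        code = _code_from_mac(_mac(self._key, struct.pack(">Q", self._counter)))
        self._counter += 1
        return code

    def respond(self, challenge: bytes) -> str:
        """Challenge-response: the answer depends on both the challenge and the key."""
        return _code_from_mac(_mac(self._key, challenge))


class AuthServer:
    """The computer system: shares the key with the token and verifies what it sends."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._counter = 0   # next counter value expected from the token
        self._pending = {}  # user -> outstanding challenge, consumed on use

    def verify_dynamic_password(self, code: str, window: int = 3) -> bool:
        """Accept a code for one of the next `window` counter values; on success
        advance past it so the same code can never be replayed."""
        for c in range(self._counter, self._counter + window):
            expected = _code_from_mac(_mac(self._key, struct.pack(">Q", c)))
            if hmac.compare_digest(expected, code):
                self._counter = c + 1
                return True
        return False

    def issue_challenge(self, user: str) -> bytes:
        """Generate a fresh random challenge for this login attempt."""
        challenge = secrets.token_bytes(16)
        self._pending[user] = challenge
        return challenge

    def verify_response(self, user: str, response: str) -> bool:
        """Check the token's answer against the challenge issued to this user;
        each challenge is good for exactly one answer."""
        challenge = self._pending.pop(user, None)
        if challenge is None:
            return False
        return hmac.compare_digest(_code_from_mac(_mac(self._key, challenge)), response)


if __name__ == "__main__":
    shared_key = b"constructed-demo-key"  # provisioned into the token when it is issued
    token, server = SmartToken(shared_key), AuthServer(shared_key)
    code = token.next_password()
    print(server.verify_dynamic_password(code))  # True
    print(server.verify_dynamic_password(code))  # False: replayed code
    ch = server.issue_challenge("sara")
    print(server.verify_response("sara", token.respond(ch)))  # True
    print(server.verify_response("sara", token.respond(ch)))  # False: challenge consumed
```

The detail worth noticing is what makes each protocol resist capture of the value typed in: a dynamic password is only accepted once and only while it is ahead of the server's counter, and a challenge is discarded after one answer, so an observer who records the code or the response cannot reuse it.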
    • 70. BIOMETRIC AUTHENTICATION (STATIC). A biometric authentication system attempts to authenticate an individual based on his or her unique physical characteristics. Different types of physical characteristics for user authentication: 1. Facial characteristics. Facial characteristics are the most common means of human-to-human identification.
    • 71. BIOMETRIC AUTHENTICATION (STATIC). 2. Fingerprints. Fingerprints have been used as a means of identification for centuries, and the process has been systematized and automated particularly for law enforcement purposes. 3. Hand geometry. Hand geometry systems identify features of the hand, including shape, and lengths and widths of fingers.
    • 72. BIOMETRIC AUTHENTICATION (STATIC). 4. Retinal pattern. The pattern formed by veins beneath the retinal surface is unique and therefore suitable for identification. 5. Iris. Another unique physical characteristic is the detailed structure of the iris.
    • 73. BIOMETRIC AUTHENTICATION (DYNAMIC). 6. Signature. Each individual has a unique style of handwriting, and this is reflected especially in the signature, which is typically a frequently written sequence. 7. Voice. Voice patterns are more closely tied to the physical and anatomical characteristics of the speaker.
    • 74. An Access Control Policy dictates what types of access are permitted, under what circumstances, and by whom. Access control policies are generally grouped into the following categories: • Discretionary access control (DAC): Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do. Implemented using an Access Control List (ACL). Default access control mechanism for most desktop operating systems.
    • 75. Windows ACL
    • 76. • Mandatory access control (MAC): Controls access based on comparing security labels with security clearances. This policy is termed mandatory because an entity that has clearance to access a resource may not, just by its own volition, enable another entity to access that resource. • Role-based access control (RBAC): Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.
    • 78. ROLE-BASED ACCESS CONTROL Users, Roles, and Resources
    • 79. ACCESS CONTROL POLICIES
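The three policy categories from slides 74 to 79 (DAC, MAC and RBAC), each reduced to a decision function, as an added Python example that is not from the slides. The users, objects, ACL entries, clearances, labels and roles are all constructed for the illustration; the point is the shape of each decision and who is able to change it.

```python
# ---- Discretionary access control: a per-object ACL keyed by requestor identity ----
# Constructed ACLs in the spirit of the slide's Windows ACL example:
# object -> {user -> set of permitted operations}.
ACL = {
    "payroll.xlsx": {"sara": {"read", "write"}, "rica": {"read"}},
    "notes.txt": {"rica": {"read", "write"}},
}


def dac_allowed(user: str, obj: str, op: str) -> bool:
    """DAC: the object's ACL alone decides, based on who is asking."""
    return op in ACL.get(obj, {}).get(user, set())


def dac_grant(granter: str, obj: str, user: str, op: str) -> bool:
    """DAC is discretionary: a user with write access to an object may extend access
    to another user by editing that object's ACL (returns False if not permitted)."""
    if not dac_allowed(granter, obj, "write"):
        return False
    ACL.setdefault(obj, {}).setdefault(user, set()).add(op)
    return True


# ---- Mandatory access control: object security label vs subject clearance ----
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}
CLEARANCE = {"sara": "secret", "rica": "confidential"}            # constructed clearances
LABEL = {"budget.doc": "secret", "memo.doc": "unclassified"}     # constructed labels


def mac_read_allowed(user: str, obj: str) -> bool:
    """MAC: a subject may read only objects labelled at or below its clearance.
    There is deliberately no grant function: no user can pass access on by choice."""
    return LEVELS[CLEARANCE[user]] >= LEVELS[LABEL[obj]]


# ---- Role-based access control: users -> roles -> (object, operation) permissions ----
ROLE_PERMS = {
    "hr_clerk": {("payroll.xlsx", "read")},
    "hr_admin": {("payroll.xlsx", "read"), ("payroll.xlsx", "write")},
    "auditor": {("payroll.xlsx", "read"), ("audit.log", "read")},
}
USER_ROLES = {"sara": {"hr_admin"}, "rica": {"hr_clerk"}, "jun": {"auditor"}}


def rbac_allowed(user: str, obj: str, op: str) -> bool:
    """RBAC: allowed if any role held by the user carries the (object, operation) permission."""
    return any((obj, op) in ROLE_PERMS.get(role, set()) for role in USER_ROLES.get(user, set()))


def assign_role(user: str, role: str) -> None:
    """Changing what a user may do means changing roles, not editing every object's ACL."""
    USER_ROLES.setdefault(user, set()).add(role)


def revoke_role(user: str, role: str) -> None:
    USER_ROLES.get(user, set()).discard(role)


if __name__ == "__main__":
    print(dac_allowed("rica", "payroll.xlsx", "write"))  # False
    print(dac_grant("sara", "payroll.xlsx", "jun", "read"))  # True: sara has write access
    print(mac_read_allowed("rica", "budget.doc"))  # False: confidential < secret
    assign_role("rica", "hr_admin")
    print(rbac_allowed("rica", "payroll.xlsx", "write"))  # True after the role change
```

The contrast the slides draw is visible in the grant paths: under DAC an authorized user can widen access on their own (dac_grant), under MAC nobody can, and under RBAC access follows role membership, so onboarding or offboarding touches one mapping rather than every object.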
    • 80. Security intrusion: A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system without having authorization to do so. Intrusion detection: A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
    • 81. INTRUSION DETECTION SYSTEM. IDSs can be classified as follows: • Host-based IDS: Monitors the characteristics of a single host and the events occurring within that host for suspicious activity. • Network-based IDS: Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.
    • 82. INTRUSION DETECTION SYSTEM. An IDS comprises three logical components: • Sensors – responsible for collecting data. • Analyzers – receive input from one or more sensors or from another analyzer. • User Interface – enables a user to view output from the system or control the behavior of the system.
    • 83. INTRUSION DETECTION SYSTEM. Basic Principles of IDS:
    • 84. False positives – authorized users identified as intruders. False negatives – intruders not identified as intruders.
    • 85. HOST-BASED INTRUSION DETECTION TECHNIQUES. Two general approaches to ID: • Anomaly detection: Involves the collection of data relating to the behavior of legitimate users over a period of time (threshold detection; profile based). • Signature detection: Involves an attempt to define a set of rules or attack patterns that can be used to decide that a given behavior is that of an intruder.
    • 86. AUDIT RECORDS. A fundamental tool for intrusion detection is the audit record. Some record of ongoing activity by users must be maintained as input to an IDS.
    • 87. AUDIT RECORDS. Two plans are used in audit records: 1. Native audit records – virtually all multiuser operating systems include accounting software that collects information on user activity. Advantage: no additional collection software is needed. Disadvantage: may not contain the needed information or may not contain it in a convenient form.
    • 88. AUDIT RECORDS. 2. Detection-specific audit records – a collection facility can be implemented that generates audit records containing only that information required by the IDS. Advantage: it could be made vendor independent and ported to a variety of systems. Disadvantage: extra overhead involved in having, in effect, two accounting packages running on a machine.
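The two host-based detection approaches of slide 85 (anomaly detection in its threshold and profile forms, and signature detection), run over a handful of audit records of the kind slides 86 to 88 describe, as an added Python example that is not from the slides. The record format, the audit lines, the per-user profile values and the two signature rules are all constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed native-style audit records: "HH:MM:SS user action detail..."
AUDIT_RECORDS = """\
09:00:01 sara login fail src=10.0.0.5
09:00:03 sara login fail src=10.0.0.5
09:00:05 sara login fail src=10.0.0.5
09:00:07 sara login fail src=10.0.0.5
09:01:00 rica login ok src=10.0.0.8
09:01:30 rica read /home/rica/notes.txt
09:02:10 jun login ok src=10.0.0.9
09:02:15 jun read /etc/shadow
09:03:00 rica login fail src=10.0.0.8
"""

# Constructed per-user profile: mean failed logins per hour seen over a training period.
PROFILE = {"sara": 0.5, "rica": 1.0, "jun": 0.2}

# Signature rules: named patterns matched against "action detail".
SIGNATURES = {
    "password-file-read": re.compile(r"^read /etc/shadow\b"),
    "password-file-write": re.compile(r"^write /etc/(passwd|shadow)\b"),
}


def parse_records(text: str) -> list:
    """Turn raw audit lines into (time, user, action, detail) tuples."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, user, action, *rest = line.split()
        out.append((time, user, action, " ".join(rest)))
    return out


def failed_logins(records) -> Counter:
    return Counter(u for _, u, a, d in records if a == "login" and d.startswith("fail"))


def threshold_detect(records, threshold: int = 3) -> dict:
    """Anomaly detection, threshold form: flag users whose failure count exceeds a fixed limit.
    Simple, but one limit for everyone produces false positives for clumsy typists and
    false negatives for a slow attacker staying under the limit."""
    return {u: n for u, n in failed_logins(records).items() if n > threshold}


def profile_detect(records, factor: float = 3.0) -> dict:
    """Anomaly detection, profile form: flag users whose failure count is far above their
    own historical rate (unknown users fall back to the most permissive baseline)."""
    default = max(PROFILE.values())
    return {u: n for u, n in failed_logins(records).items()
            if n >= 2 and n > factor * PROFILE.get(u, default)}


def signature_detect(records) -> list:
    """Signature detection: report (time, user, rule) for every record matching a rule.
    Catches only what a rule describes, so a new attack pattern is a false negative."""
    hits = []
    for time, user, action, detail in records:
        text = f"{action} {detail}"
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                hits.append((time, user, name))
    return hits


if __name__ == "__main__":
    recs = parse_records(AUDIT_RECORDS)
    print(threshold_detect(recs))  # {'sara': 4}
    print(profile_detect(recs))    # {'sara': 4}
    print(signature_detect(recs))  # [('09:02:15', 'jun', 'password-file-read')]
```

Note how the two approaches miss different things in the same records: neither anomaly detector says anything about jun's read of /etc/shadow, because it is a single event, and the signature rules say nothing about sara's run of failed logins, because no rule describes it. That is why the slides present them as complementary.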
    • 89. ANTIVIRUS APPROACHES • The ideal solution to the threat of viruses is prevention. • The next best approach is to be able to do the following: detection, identification, removal.
    • 90. GENERIC DECRYPTION • GD technology enables the antivirus program to easily detect even the most complex polymorphic viruses while maintaining fast scanning speeds. • A GD scanner contains the following elements: CPU emulator; virus signature scanner; emulation control module.
    • 91. DIGITAL IMMUNE SYSTEM • The digital immune system is a comprehensive approach to virus protection developed by IBM and subsequently refined by Symantec. • The success of the digital immune system depends on the ability of the virus analysis machine to detect new and innovative virus strains. By constantly analyzing and monitoring the viruses found in the wild, it should be possible to continually update the digital immune software to keep up with the threat.
    • 92. DIGITAL IMMUNE SYSTEM. Two major trends in Internet technology have had an increasing impact on the rate of virus propagation in recent years: – Integrated mail systems: Systems such as Lotus Notes and Microsoft Outlook make it very simple to send anything to anyone and to work with objects that are received. – Mobile-program systems: Capabilities such as Java and ActiveX allow programs to move on their own from one system to another.
    • 93. DIGITAL IMMUNE SYSTEM
    • 94. BEHAVIOR-BLOCKING SOFTWARE • It integrates with the operating system of a host computer and monitors program behavior in real time for malicious actions. • It blocks potentially malicious actions before they have a chance to affect the system.
    • 95. BEHAVIOR-BLOCKING SOFTWARE. Monitored behaviors can include: attempts to open, view, delete, and/or modify files; attempts to format disk drives and other unrecoverable disk operations; modifications to the logic of executable files or macros; modification of critical system settings, such as start-up settings; scripting of e-mail and instant messaging clients to send executable content; and initiation of network communications.
    • 96. BEHAVIOR-BLOCKING SOFTWARE
    • 97. WORM COUNTERMEASURE. Requirements for an effective worm countermeasure scheme: generality; timeliness; resiliency; minimal denial-of-service costs; transparency; global and local coverage.
    • 98. BOT COUNTERMEASURE: intrusion detection system; digital immune system. But the primary objective is to try to detect and disable the botnet during its construction phase.
    • 99. ROOTKIT COUNTERMEASURE • Rootkits can be extraordinarily difficult to detect and neutralize, particularly so for kernel-level rootkits. Many of the administrative tools that could be used to detect a rootkit or its traces can be compromised by the rootkit precisely so that it is undetectable. • Another approach is to do some sort of file integrity check. An example of this is RootkitRevealer, a freeware package from SysInternals. • If a kernel-level rootkit is detected, by any means, the only secure and reliable way to recover is to do an entire new OS install on the infected machine.
    • 100. BUFFER OVERFLOW ATTACK DEFENSE. There is consequently a need to defend systems against buffer overflows by either preventing them, or at least detecting and aborting such attacks. Two categories of implementing protections: compile-time defenses; run-time defenses.
    • 101. BUFFER OVERFLOW ATTACK DEFENSE. Compile-time defense: aims to harden programs to resist attacks in new programs. Run-time defense: aims to detect and abort attacks in existing programs.
