ACCESS CONTROL SYSTEMS AND METHODOLOGY
INTRODUCTION
● JERMAINE ROBINSON, M.S. Information Systems
● CHIBUZO OBIOHA, M.S. Telecommunications Systems and Networks
● ARTI AMBOKAR, M.S. Information Systems
OVERVIEW
• ACCESS CONTROLS ARE USED IN ORDER TO PROTECT INFORMATION SYSTEMS AND DATA
• 3 TYPES OF ACCESS CONTROL METHODOLOGIES ARE:
  • SECURITY CLEARANCES (FEDERAL GOVERNMENT)
  • MULTIFACTOR AUTHENTICATION/BIOMETRICS
  • PASSWORDS
• PASSWORD CRACKING IS A METHOD OF GETTING PAST ACCESS CONTROLS
• DEMONSTRATION OF JAVA PROGRAM TO CREATE PASSWORD REQUIREMENTS
WHAT IS A SECURITY CLEARANCE?
SPECIAL PERMISSION THAT IS GRANTED BY THE FEDERAL GOVERNMENT TO PERSONNEL THAT HAVE APPROVAL TO ACCESS NETWORKS, DATA, AND INFORMATION SYSTEMS
CLEARANCE LEVELS ARE CONFIDENTIAL, SECRET, AND TOP SECRET
NETWORKS, DATA, AND INFORMATION SYSTEMS ALSO RECEIVE CORRESPONDING DESIGNATIONS
APPLIES TO MILITARY, FEDERAL EMPLOYEES, AND FEDERAL CONTRACTORS
GETTING A CLEARANCE
CLEARANCES ARE GIVEN TO PERSONNEL ON A NEED-TO-HAVE BASIS
BIOMETRICS ARE USED AS A MEANS OF GAINING SPECIFIC INFORMATION ABOUT APPLICANTS, AND ALL DATA IS STORED FOR THE DURATION OF THE MILITARY CAREER
THE INVESTIGATION PROCESS MUST BE COMPLETED BEFORE A PERMANENT CLEARANCE IS GAINED; HOWEVER, TEMPORARY CLEARANCES CAN BE ISSUED
INVESTIGATIONS COST FROM $200 TO $15,000
REINVESTIGATIONS ARE DONE PERIODICALLY, AND CLEARANCES HAVE AN EXPIRATION DATE OF 5-15 YEARS
REVOCATION CAN OCCUR AT ANY TIME
SCREENING PROCESS
SECURITY CLEARANCE SCREENING VIDEO
● SECURITY CLEARANCE SCREENINGS ARE USUALLY CONDUCTED UPON ENTRANCE INTO THE MILITARY
● THE MOS/AFSC/RATING (JOB) THAT ONE IS ENTERING THE MILITARY TO DO, OR THE LOCATION OF THEIR PERMANENT DUTY STATION, DETERMINES THE CLEARANCE LEVEL THEY WILL BE CONSIDERED FOR
EXAMPLE: IF YOU ARE ENTERING THE MILITARY TO DO A NON-CLEARANCE JOB BUT ARE ASSIGNED TO A LOCATION WHERE A CERTAIN CLEARANCE LEVEL IS REQUIRED, YOU WILL HAVE TO RECEIVE THAT CLEARANCE BEFORE BEING SENT TO THAT DUTY STATION
● A FAIR CHANCE IS GIVEN TO DISCLOSE ALL BACKGROUND INFORMATION BEFORE IT IS DISCOVERED
● CRIMINAL, FINANCIAL, AND MENTAL HEALTH ARE EXAMPLES OF INFORMATION THAT IS LOOKED INTO
DESIGNATIONS GIVEN
SECURITY DESIGNATIONS THAT ARE GIVEN TO NETWORKS, DATA, AND INFORMATION SYSTEMS ARE DONE SO WITH THE FOLLOWING GUIDELINES:
- CONFIDENTIAL: REASONABLY COULD BE EXPECTED TO CAUSE DAMAGE TO THE NATIONAL SECURITY IF DISCLOSED
- SECRET: REASONABLY COULD BE EXPECTED TO CAUSE SERIOUS DAMAGE TO THE NATIONAL SECURITY IF DISCLOSED
- TOP SECRET: REASONABLY COULD BE EXPECTED TO CAUSE EXCEPTIONALLY GRAVE DAMAGE TO THE NATIONAL SECURITY IF DISCLOSED
PROTECTING THE ASSETS
- EXAMPLE: IF AN OFFICE IS DEEMED “SECRET”, THE OFFICE CAN CONTAIN A VAULT OR SPECIAL OFFICE WITHIN IT WHERE “TOP SECRET” ASSETS ARE STORED, INCLUDING COMPUTERS
- ANYTHING FROM AN ENTIRE MILITARY BASE, TO A BUILDING, TO AN OFFICE, TO A COMPUTER, TO A FILE CAN BE GRANTED A SECURITY DESIGNATION
- ACCESS TO SECURE ASSETS CAN BE GRANTED ON A NEED-TO-ACCESS BASIS, NOT JUST ON THE BASIS OF HAVING A CLEARANCE LEVEL
WAR ZONES
- ANYTIME MILITARY OPERATIONS ARE BASED IN “ENEMY TERRITORY” THERE IS A LARGER RISK INVOLVED
- EASIER FOR TERRORISTS TO INFILTRATE NETWORKS BASED IN THEIR HOMELAND VERSUS DOING IT HERE IN AMERICA
- ACCESS TO AMERICAN INFORMATION SYSTEMS, DATA, AND NETWORKS IS AT AN EVEN HIGHER PROTECTION LEVEL
ALL ABOUT CLEARANCES
● SECURITY CLEARANCES ARE THE FEDERAL GOVERNMENT’S WAY OF CONTROLLING ACCESS TO INFORMATION SYSTEMS, NETWORKS, AND DATA
● THE PROGRAM PROVIDES A STANDARD THAT CAN BE USED ACROSS THE BOARD SO NATIONAL SECURITY CAN BE AT ITS HIGHEST
● BILLIONS OF DOLLARS ARE SPENT EVERY YEAR ON COMING UP WITH STRATEGIC NATIONAL SECURITY PLANS
● OUR NATION'S SECURITY DEPENDS ON PROTECTING ACCESS TO OUR INFORMATION SYSTEMS, DATA, AND NETWORKS
MULTIFACTOR AUTHENTICATION
WHAT IS MULTIFACTOR AUTHENTICATION?
WHY DO WE NEED MULTIFACTOR AUTHENTICATION?
HOW TO REGISTER AND CONFIGURE ACCESS?
[Diagram: Multifactor Authentication; Computer Access Control; Granted Access; Pieces of Evidence; Authentication Mechanism]
WHAT IS MULTIFACTOR AUTHENTICATION?
MULTIFACTOR AUTHENTICATION: A METHOD OF CONTROLLING COMPUTER ACCESS IN WHICH A USER IS GIVEN ACCESS ONLY AFTER PRESENTING SEVERAL SEPARATE PIECES OF EVIDENCE TO AUTHENTICATE THEMSELVES
THE FACTORS ARE TYPICALLY TWO OR THREE OF THE FOLLOWING TYPES:
● KNOWLEDGE (SOMETHING THE USER KNOWS)
● POSSESSION (SOMETHING THE USER HAS)
● INHERENCE (SOMETHING THE USER IS)
TWO & THREE-FACTOR AUTHENTICATION
TWO-FACTOR AUTHENTICATION: REQUIRES A PASSWORD AND USERNAME IN ADDITION TO SOMETHING THAT IS ONLY KNOWN TO THE USER
EXAMPLE: A PIECE OF INFORMATION ONLY THE USER SHOULD KNOW (PHYSICAL TOKEN)
THREE-FACTOR AUTHENTICATION: IS SIMPLY SOMETHING A USER IS
EXAMPLE: ALL TYPES OF BIOMETRICS
[Diagram: Multifactor Authentication; Two-factor Authentication (something which is only known to the user); Three-factor Authentication (something a user is)]
BIOMETRICS
- THE DEFINITION OF ‘BIO’ IS LIFE
- THE DEFINITION OF ‘METRICS’ IS MEASURE
- IN BIOMETRICS, TECHNOLOGY IS USED TO MEASURE SOMETHING THAT IS RELATED TO LIFE
EXAMPLE: PHYSICAL TRAITS THAT AN INDIVIDUAL POSSESSES
MAIN TYPES OF BIOMETRIC IDENTIFIERS:
● PHYSIOLOGICAL CHARACTERISTICS: FINGERPRINTS, DNA, FACE, HAND, RETINA OR EAR FEATURES, AND ODOR
● BEHAVIORAL CHARACTERISTICS: TYPING RHYTHM, GESTURES, VOICE, MONITORING KEYSTROKES
BIOMETRIC TECHNIQUES
FINGERPRINT RECOGNITION
VOICE PRINTS
SIGNATURE DYNAMICS
RETINA SCANNING
IRIS SCANNING
FACE RECOGNITION
FINGERPRINT
● THERE ARE 3 BASIC PATTERNS OF FINGERPRINTS
● MINUTIAE: USED IN THE MATCHING OF TWO HUMAN FINGERPRINTS
MINUTIAE REFERS TO SPECIFIC POINTS IN A FINGERPRINT THAT CONTAIN THE SMALL DETAILS MOST IMPORTANT FOR FINGERPRINT RECOGNITION
THREE BASIC PATTERNS OF FINGERPRINT RIDGES
[Figure: ARCH, LOOP, WHORL]
ARCH: RIDGES ENTER FROM ONE SIDE OF THE FINGER, RISE IN THE CENTER FORMING AN ARC, AND THEN EXIT THE OTHER SIDE OF THE FINGER
LOOP: RIDGES ENTER FROM ONE SIDE OF A FINGER, FORM A CURVE, AND THEN EXIT ON THAT SAME SIDE
WHORL: RIDGES FORM CIRCULARLY AROUND A CENTRAL POINT ON THE FINGER
MINUTIAE
RIDGE ENDING: SPOT WHERE A RIDGE ENDS
BIFURCATION: SPOT WHERE A RIDGE SPLITS INTO TWO RIDGES
SHORT RIDGE (DOT): RIDGES WHICH ARE SIGNIFICANTLY SHORTER THAN OTHER RIDGES
FINGERPRINT RECOGNITION VIDEO
[Diagram: Shape of Vocal Cavities; Mouth Movements While Speaking; Unique Voice]
VOICE PRINTS
VOICEPRINT SYSTEM: EXACT WORDS ARE NEEDED FOR ACCESS, OR A SPECIFIC EXTENDED SAMPLE IS LOGGED IN THE SYSTEM SO ONLY YOUR VOICE IS PICKED UP WHEN YOU SAY THE WORDS
VOICEPRINTS ARE STORED IN A SPECTROGRAM (A GRAPH THAT SHOWS THE SOUND'S FREQUENCY ON THE VERTICAL AXIS AND TIME ON THE HORIZONTAL AXIS)
SIGNATURE DYNAMICS
DONE BY ANALYZING THE SHAPE, SPEED, STROKE, PEN PRESSURE AND TIMING INFORMATION DURING THE SIGNING PROCESS
SIGNATURE DYNAMICS VIDEO
RETINA SCANNING
● RETINA: LAYER AT THE BACK OF THE EYEBALL THAT CONTAINS CELLS THAT ARE SENSITIVE TO LIGHT AND TRIGGER NERVE IMPULSES THAT PASS THROUGH THE OPTIC NERVE TO THE BRAIN, AT WHICH POINT A VISUAL IMAGE IS CREATED
● THERE ARE UNIQUE PATTERNS IN A PERSON'S RETINAL BLOOD VESSELS
PROCESS:
1. RETINA SCAN
2. CAST A BEAM OF INFRARED LIGHT
3. TRACE THE RETINA
4. BLOOD VESSELS ABSORB THE LIGHT
5. IMAGE STORED TO DATABASE
IRIS SCANNING
IRIS: FLAT, COLORED, RING-SHAPED MEMBRANE BEHIND THE CORNEA OF THE EYE, WITH AN ADJUSTABLE CIRCULAR OPENING (PUPIL) IN THE CENTER.
THE COLORED PATTERN OF THE IRIS IS GENETIC AND COMES FROM A PIGMENT CALLED MELANIN
MORE MELANIN: BROWNER; LESS MELANIN: BLUER
TWO PEOPLE CANNOT HAVE THE SAME PATTERNS
IRIS SCANNING VIDEO
FACE RECOGNITION
1. IDENTIFY OR VERIFY A PERSON
2. DIGITAL IMAGE OR VIDEO FRAME FROM A VIDEO SOURCE
3. ALGORITHM IS USED TO MATCH THE FACE
SINGLE SIGN ON
● MULTIPLE SYSTEMS REQUIRE MULTIPLE SIGN-ON DIALOGUES
● CAN BE A HEADACHE TO ADMINISTRATORS AND USERS
● INCREASES SIGN-ON DIALOGUE (USER MUST REPEATEDLY LOG IN TO EVERY SYSTEM)
KERBEROS
KERBEROS: A COMPUTER NETWORK COMMUNICATION PROTOCOL THAT USES A ‘TICKET’ TO ALLOW NODES TO COMMUNICATE OVER A NETWORK THAT IS NOT SECURE, IN ORDER TO PROVE A USER'S IDENTITY IN A SECURE WAY
1. User logs in to gain access
2. A ticket request is passed on to the key distribution center
3. The key distribution center sends a response to the user, who decrypts the TGT with the password hash
4. The user's response is now sent to the authentication service, in which a request for a ticket is made
5. The ticket granting service replies by sending the ticket
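The five steps above, as an added example that is not part of the deck: a simplified model of the two Kerberos exchanges (AS: login and TGT; TGS: service ticket) with both sides' messages. The sealing routine is a toy HMAC-based construction standing in for Kerberos encryption types, PBKDF2 stands in for the real string-to-key function, and the realm, principal, password and service name are constructed. What the model does show faithfully is why a wrong password fails at step 3 (the client cannot open the AS reply, so it never obtains the session key) and why the client can never read or forge the TGT (it is sealed under a key only the KDC holds).

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.LOCAL"       # constructed realm
TICKET_LIFETIME = 8 * 3600    # seconds a ticket stays valid
MAX_SKEW = 300                # seconds an authenticator may be old


def string_to_key(password: str, principal: str) -> bytes:
    """Long-term key from the password (the slide's 'password hash').
    Salting with realm+principal mirrors Kerberos; PBKDF2 is an assumption here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 50_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: keystream XOR, then an HMAC tag over nonce+ciphertext."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Reject before decrypting when the tag does not verify (wrong key or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Key distribution center: authentication service (AS) plus ticket granting service (TGS)."""

    def __init__(self, users: dict, services: list):
        self.user_keys = {u: string_to_key(p, u) for u, p in users.items()}
        self.service_keys = {s: os.urandom(32) for s in services}
        self.tgs_key = os.urandom(32)          # only the KDC can open a TGT

    def as_exchange(self, user: str, now: int):
        """AS-REP: session key sealed under the user's key, plus the TGT sealed under the
        TGS key. Opening the first part is how the client proves it knows the password."""
        session_key = os.urandom(32).hex()
        enc_part = seal(self.user_keys[user], {"session_key": session_key})
        tgt = seal(self.tgs_key, {"user": user, "session_key": session_key,
                                  "expires": now + TICKET_LIFETIME})
        return enc_part, tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REP: open the TGT, check the authenticator against it, issue a service ticket."""
        tgt_body = unseal(self.tgs_key, tgt)
        if tgt_body["expires"] < now:
            raise PermissionError("TGT expired")
        session_key = bytes.fromhex(tgt_body["session_key"])
        auth = unseal(session_key, authenticator)   # only the real client holds this key
        if auth["user"] != tgt_body["user"] or abs(now - auth["timestamp"]) > MAX_SKEW:
            raise PermissionError("authenticator rejected")
        svc_session_key = os.urandom(32).hex()
        ticket = seal(self.service_keys[service], {"user": tgt_body["user"],
                      "svc_session_key": svc_session_key, "expires": now + TICKET_LIFETIME})
        return seal(session_key, {"svc_session_key": svc_session_key}), ticket


def get_service_ticket(kdc: KDC, user: str, password: str, service: str, now: int = None):
    """Client side of the slide's five steps; returns (service ticket, service session key)."""
    now = int(time.time()) if now is None else now
    enc_part, tgt = kdc.as_exchange(user, now)                              # steps 1-2
    user_key = string_to_key(password, user)                                 # step 3
    session_key = bytes.fromhex(unseal(user_key, enc_part)["session_key"])
    authenticator = seal(session_key, {"user": user, "timestamp": now})      # step 4
    enc_reply, ticket = kdc.tgs_exchange(tgt, authenticator, service, now)   # step 5
    return ticket, bytes.fromhex(unseal(session_key, enc_reply)["svc_session_key"])


def make_demo_kdc() -> KDC:
    """Constructed realm with one user and one service."""
    return KDC(users={"alice": "correct horse battery staple"}, services=["fileserver"])


if __name__ == "__main__":
    kdc = make_demo_kdc()
    ticket, key = get_service_ticket(kdc, "alice", "correct horse battery staple", "fileserver")
    print("service ticket issued to", unseal(kdc.service_keys["fileserver"], ticket)["user"])
```

The password never crosses the network in this flow: the KDC only ever sends material the right key can open, which is what lets Kerberos work over a network that is not secure.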
PASSWORDS
- WHAT IS A USERNAME AND PASSWORD
- PASSWORD STORAGE
- PASSWORD CRACKING
- METHODS FOR CRACKING PASSWORDS
- PASSWORD CRACKING APPLICATIONS
- PREVENTION
WHAT IS A USERNAME AND PASSWORD?
- USERNAMES ARE CREATED TO IDENTIFY YOURSELF AS A USER OF A COMPUTER DOMAIN OR SYSTEM
- PASSWORDS ARE SYSTEM DESIGNED AND ARE CREATED TO PROVIDE AUTHENTICATION
- PASSWORDS ARE INTENDED TO BE COMPLEX AND STRONG (PASSWORDS THAT ARE ALPHANUMERIC AND CONTAIN SPECIAL CHARACTERS)
- PASSWORDS SHOULD TAKE DAYS OR YEARS TO RECOVER IN PLAINTEXT FROM THE HASH
AUTHENTICATION
THE 3 DIFFERENT WAYS TO AUTHENTICATE USERS OF A SYSTEM:
1. USERS PRESENT A PHYSICAL OBJECT SUCH AS A KEY CARD
2. USERS PROVE IDENTITY USING A PERSONAL CHARACTERISTIC (BIOMETRICS)
3. USERS ANSWER A QUESTION TO WHICH ONLY THEY KNOW THE ANSWER
IN THE EVENT THAT YOUR PASSWORD BECOMES COMPROMISED, IT CAN BE EASILY CHANGED (A STRONG BENEFIT OF USING AUTHENTICATION THROUGH A PASSWORD)
PASSWORD STORAGE
WINDOWS PASSWORD FILE: THE WINDOWS SYSTEM FOR STORING PASSWORD FILES, WHICH IS SIMILAR TO THE WAY UNIX DOES ITS STORING. THE PASSWORD FILE FOR WINDOWS, KNOWN AS THE SECURITY ACCOUNT MANAGER (SAM) FILE, IS LOCATED IN: C:\WINDOWS\SYSTEM32\CONFIG\SAM
ONLINE PASSWORD STORAGE: MOST WEBSITES AND ONLINE SERVICES REQUIRE USERS TO LOG IN WITH A TYPICAL PASSWORD SCHEME, AND THE PASSWORD IS STORED ON THE WEBSITE
PASSWORD SALT: STORING THE HASHED OR ENCRYPTED VALUES FOR PASSWORDS. THIS METHOD IS MUCH MORE SECURE THAN STORING THE PLAIN TEXT IN A PASSWORD FILE
WHAT IS PASSWORD CRACKING?
PASSWORD CRACKING: THE PROCESS OF EITHER GUESSING OR RECOVERING A PASSWORD FROM A STORED LOCATION OR FROM A DATA TRANSMISSION SYSTEM.
PURPOSE:
● TO RECOVER FORGOTTEN PASSWORDS, BUT WITH MALICIOUS INTENT
● USED TO GAIN UNAUTHORIZED ACCESS TO A COMPUTER SYSTEM
PASSWORD CRACKING INVOLVES TWO DISTINCT PHASES:
1. THE ATTACKER'S INTENTION IS TO DUMP THE HASHES OF THE PASSWORDS
2. THE ATTACKER THEN TRIES TO CRACK THOSE ACQUIRED HASHES
PASSWORD CRACKING METHODOLOGIES
1. PHISHING: THE EASIEST AND MOST POPULAR HACKING METHOD, USED BY HACKERS TO GET SOMEONE’S ACCOUNT DETAILS. EX: DISGUISING AN EMAIL REQUEST AS ONE THAT CAME FROM A REAL WEBSITE
2. SOCIAL ENGINEERING: THE PROCESS OF MANIPULATING SOMEONE INTO TRUSTING YOU AND GETTING INFORMATION FROM THEM. EX: IF A HACKER WAS TRYING TO GET THE COMPUTER PASSWORD OF A CO-WORKER OR FRIEND, HE COULD CALL HIM PRETENDING TO BE FROM THE IT DEPARTMENT AND SIMPLY ASK FOR HIS LOGIN DETAILS
3. MALWARE: A KEY LOGGER OR SCREEN SCRAPER IS INSTALLED BY MALWARE. THE KEYLOGGER RECORDS EVERYTHING YOU TYPE AND THE SCREEN SCRAPER TAKES SCREENSHOTS DURING A LOGIN PROCESS, THEN FORWARDS A COPY OF THE FILES TO THE HACKER
4. OFFLINE CRACKING: GUESSING WITHIN THE RESTRICTION OF THREE OR FOUR WRONG GUESSES AND LOGGING OUT OR WAITING THE ALLOTTED TIME PERIOD TO AVOID THE BLOCKS PUT IN PLACE AGAINST AN AUTOMATED GUESSING APPLICATION
5. GUESSING: MAKING INFORMED GUESSES BASED ON THE PREDICTABILITY OF THE USER.
PASSWORD CRACKING METHODOLOGIES (CONT)
6. DICTIONARY ATTACK: A BIG WORD DICTIONARY IS LOADED INTO THE CRACKING TOOL TO TEST THESE WORDS AGAINST THE USER ACCOUNT PASSWORD
7. BRUTE FORCE ATTACK: ALL POSSIBLE KEY COMBINATIONS ARE TRIED AGAINST THE PASSWORD DATABASE UNTIL THE CORRECT KEY IS DISCOVERED. USUALLY TAKES A LONG TIME
8. RAINBOW TABLE ATTACK: A VERY LARGE LIST OF PRE-COMPUTED HASHES IS COMPARED WITH THE PASSWORD FILE TO DISCOVER ALL PASSWORDS
9. SHOULDER SURFING: HACKERS TAKE ON A DISGUISE, POSING AS A PARCEL COURIER, MAINTENANCE SERVICE TECHNICIAN OR ANYONE ELSE THAT CAN GAIN ACCESS TO AN OFFICE SPACE OR BUILDING
10. SPIDERING: SAVVY HACKERS HAVE REALIZED THAT MANY CORPORATE PASSWORDS ARE MADE OF WORDS THAT ARE CONNECTED TO THE BUSINESS ITSELF
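The PASSWORD STORAGE slide above says salted hashing is much more secure than plaintext, and items 6 and 8 here explain why dictionary and pre-computed hash lists work: a fast, unsalted hash of the same password is the same everywhere. The following is an added example (not the deck's Java demonstration, and not code from its authors) that shows both halves from the defender's side: a constructed store of unsalted SHA-256 hashes matched against a small pre-computed hash-to-plaintext table, and the same table run against salted, iterated PBKDF2 records, where it matches nothing. User names, passwords and the word list are constructed.

```python
import hashlib
import hmac
import os

COMMON_WORDS = ["password", "letmein", "welcome1", "summer2017", "qwerty"]  # constructed
PBKDF2_ROUNDS = 200_000


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash, no salt, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Pre-computation done once and reusable against every unsalted store;
    this is what a rainbow table amounts to, minus the storage tricks."""
    return {unsalted_hash(w): w for w in words}


def match_unsalted(store: dict, table: dict) -> dict:
    """One dictionary lookup per stored hash, no hashing at match time."""
    return {user: table[h] for user, h in store.items() if h in table}


def hash_password(password: str, salt: bytes = None) -> str:
    """Hardened record: random 16-byte salt + PBKDF2-HMAC-SHA256, stored in a
    self-describing format so the rounds can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    _algo, rounds, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def match_salted(store: dict, table: dict) -> dict:
    """Same lookup against salted records: the table was built without each
    user's salt, so nothing matches, and every guess would now cost a fresh
    PBKDF2 run per user instead of a shared lookup."""
    return {user: table[rec.split("$")[3]] for user, rec in store.items()
            if rec.split("$")[3] in table}


def demo():
    """Constructed credential set; alice and bob deliberately share a password."""
    creds = [("alice", "password"), ("bob", "password"), ("carol", "Tr0ub4dor&3")]
    unsalted_store = {u: unsalted_hash(p) for u, p in creds}
    salted_store = {u: hash_password(p) for u, p in creds}
    table = build_lookup_table(COMMON_WORDS)
    return match_unsalted(unsalted_store, table), match_salted(salted_store, table), salted_store


if __name__ == "__main__":
    weak, strong, store = demo()
    print("unsalted store, matched by lookup:", weak)
    print("salted store, matched by lookup:", strong)
```

Two things to notice in the output: in the unsalted store alice and bob have identical hashes, so matching one reveals both; in the salted store their records differ even though the passwords are equal, and the lookup table is useless against it.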
PASSWORD CRACKING APPLICATIONS
● JOHN THE RIPPER: OPEN SOURCE PASSWORD CRACKING TOOL FOR LINUX, UNIX AND MAC OS X. A WINDOWS VERSION IS ALSO AVAILABLE. USED TO DETECT WEAK PASSWORDS (FREE)
● RAINBOW CRACK: HASH CRACKER TOOL THAT USES A LARGE-SCALE TIME-MEMORY TRADE-OFF PROCESS FOR FASTER PASSWORD CRACKING THAN TRADITIONAL BRUTE FORCE TOOLS. A TIME-MEMORY TRADE-OFF IS A COMPUTATIONAL PROCESS IN WHICH ALL PLAIN TEXT AND HASH PAIRS ARE CALCULATED BY USING A SELECTED HASH ALGORITHM. AFTER COMPUTATION, RESULTS ARE STORED IN THE RAINBOW TABLE (VERY TIME CONSUMING)
● CAIN & ABEL: PASSWORD CRACKING TOOL THAT IS CAPABLE OF HANDLING A VARIETY OF TASKS. WORKS AS A SNIFFER IN THE NETWORK, CRACKING ENCRYPTED PASSWORDS USING THE DICTIONARY ATTACK, RECORDING VOIP CONVERSATIONS, BRUTE FORCE ATTACKS, CRYPTANALYSIS ATTACKS, REVEALING PASSWORD BOXES, UNCOVERING CACHED PASSWORDS, DECODING SCRAMBLED PASSWORDS, AND ANALYZING ROUTING PROTOCOLS (ONLY FOR WINDOWS)
● BRUTUS: REMOTE ONLINE PASSWORD CRACKING TOOL THAT CLAIMS TO BE THE FASTEST AND MOST FLEXIBLE PASSWORD CRACKING TOOL. THE TOOL IS FREE, ONLY FOR WINDOWS SYSTEMS, AND WAS RELEASED OCTOBER 2000 (VERY POPULAR)
WEBSITES THAT CRACK
THERE ARE MANY WEBSITES THAT HACKERS USE TO DO QUICK HACKING, WHERE SIMPLE INFORMATION LIKE A URL IS SUPPOSED TO LEAD TO PASSWORDS BEING CRACKED. THESE SITES HAVE VARYING DEGREES OF SUCCESS:
FACEBOOK CRACKED VIDEO
4 WAYS OF PREVENTION
1. USE A PASSPHRASE
2. CHANGE PASSWORDS REGULARLY (ABOUT EVERY 3 MONTHS)
3. DO NOT USE THE SAME PASSWORD ON MULTIPLE SITES
4. AVOID DICTIONARY WORDS AND NAMES
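The overview promised a program that enforces password requirements; the four rules above are the requirements. The following is an added example (not the deck's Java program, and not code from its authors) that turns them into a checkable policy in Python. The word list, the name list, the length thresholds, the 90-day limit and the history-record format are all constructed assumptions. Rule 3 (no reuse across sites) cannot be checked by any single site, so the history check here covers reuse over time on this site, which is what makes rule 2 meaningful. Rules 1 and 4 pull in opposite directions for a naive checker, since a passphrase is made of dictionary words, so the dictionary rule flags a password only when one listed word makes up at least half of its letters.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

MIN_PASSPHRASE_CHARS = 16
MIN_PASSPHRASE_WORDS = 4
MAX_AGE = timedelta(days=90)                      # "about every 3 months"
DICTIONARY = {"password", "dragon", "welcome", "summer", "horse", "monkey"}   # constructed
NAMES = {"jermaine", "chibuzo", "arti", "alice"}                                # constructed
LEET = str.maketrans("0134578@$!", "oleastbasi")  # undo common substitutions
PBKDF2_ROUNDS = 100_000


def _letters(password: str) -> str:
    """Lower-case, de-leet, keep letters only: 'P@ssw0rd' -> 'password'."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def built_on_listed_word(password: str, words) -> bool:
    """True when one listed word (4+ letters) makes up at least half the letters,
    so 'dragon123' is flagged but a four-word passphrase containing 'horse' is not."""
    letters = _letters(password)
    return any(len(w) >= 4 and w in letters and 2 * len(w) >= len(letters) for w in words)


def make_history_record(password: str) -> tuple:
    """(salt, PBKDF2 digest) kept for retired passwords so reuse can be detected
    without keeping the old passwords themselves (assumed store format)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def reused(password: str, history) -> bool:
    for salt, digest in history:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(cand, digest):
            return True
    return False


def rotation_due(last_changed: str, today: str) -> bool:
    """Dates as ISO strings (YYYY-MM-DD)."""
    return date.fromisoformat(today) - date.fromisoformat(last_changed) > MAX_AGE


def check_policy(password: str, history=(), last_changed: str = None, today: str = None) -> list:
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    words = re.findall(r"[A-Za-z]+", password)
    if len(password) < MIN_PASSPHRASE_CHARS and len(words) < MIN_PASSPHRASE_WORDS:
        problems.append("use a passphrase")
    if last_changed and today and rotation_due(last_changed, today):
        problems.append("change it: older than 90 days")
    if reused(password, history):
        problems.append("used before: pick a new one")
    if built_on_listed_word(password, DICTIONARY):
        problems.append("built on a dictionary word")
    if built_on_listed_word(password, NAMES):
        problems.append("built on a name")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Jermaine2019!", "correct horse battery staple"]:
        print(repr(candidate), "->", check_policy(candidate) or "ok")
```

The de-leet step matters more than it looks: a list of dictionary words is of little use if "P@ssw0rd" slips past it, and cracking tools apply the same substitutions in the other direction.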
CONCLUSION
ACCESS CONTROL IS VITAL TO THE PROTECTION OF ASSETS, DATA, AND INFORMATION TECHNOLOGY
SECURITY CLEARANCES, PASSWORDS, MULTIFACTOR AUTHENTICATION, AND BIOMETRICS ARE ALL METHODOLOGIES THAT ARE USED TO CONTROL ACCESS
IT’S IMPORTANT TO REMEMBER HACKERS ARE ALWAYS TRYING TO GET IN
REGULATING ACCESS DOES NOT ALWAYS ELIMINATE THE PROBLEM, BUT IT HELPS
QUESTIONS?

More Related Content

What's hot

2. access control
2. access control2. access control
2. access control7wounders
 
Physical Security Assessment
Physical Security AssessmentPhysical Security Assessment
Physical Security AssessmentGary Bahadur
 
Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management Maganathin Veeraragaloo
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Network Forensics Intro
Network Forensics IntroNetwork Forensics Intro
Network Forensics IntroJake K.
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Joan Figueras Tugas
 
Physical Security In The Workplace
Physical Security In The WorkplacePhysical Security In The Workplace
Physical Security In The Workplacedougfarre
 
Managing your access control systems
Managing your access control systemsManaging your access control systems
Managing your access control systemsWalter Sinchak,
 
Physical security
Physical securityPhysical security
Physical securityDhani Ahmad
 
Information security governance
Information security governanceInformation security governance
Information security governanceKoen Maris
 
Physical Security Assessments
Physical Security AssessmentsPhysical Security Assessments
Physical Security AssessmentsTom Eston
 
Pen Testing Explained
Pen Testing ExplainedPen Testing Explained
Pen Testing ExplainedRand W. Hirt
 
7. physical sec
7. physical sec7. physical sec
7. physical sec7wounders
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)Ahmad Haghighi
 
Understanding the Event Log
Understanding the Event LogUnderstanding the Event Log
Understanding the Event Logchuckbt
 

What's hot (20)

2. access control
2. access control2. access control
2. access control
 
Physical Security.ppt
Physical Security.pptPhysical Security.ppt
Physical Security.ppt
 
Physical Security Assessment
Physical Security AssessmentPhysical Security Assessment
Physical Security Assessment
 
Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Physical Security
Physical SecurityPhysical Security
Physical Security
 
Network Forensics Intro
Network Forensics IntroNetwork Forensics Intro
Network Forensics Intro
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)
 
Physical Security In The Workplace
Physical Security In The WorkplacePhysical Security In The Workplace
Physical Security In The Workplace
 
Managing your access control systems
Managing your access control systemsManaging your access control systems
Managing your access control systems
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics
 
Physical security
Physical securityPhysical security
Physical security
 
Information security governance
Information security governanceInformation security governance
Information security governance
 
Physical Security Assessments
Physical Security AssessmentsPhysical Security Assessments
Physical Security Assessments
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security Audit
 
Pen Testing Explained
Pen Testing ExplainedPen Testing Explained
Pen Testing Explained
 
Security policies
Security policiesSecurity policies
Security policies
 
7. physical sec
7. physical sec7. physical sec
7. physical sec
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
 
Understanding the Event Log
Understanding the Event LogUnderstanding the Event Log
Understanding the Event Log
 

Similar to Access_Control_Systems_and_methodology

Cyber security review paper
Cyber security review paperCyber security review paper
Cyber security review paperMaheshSwami19
 
Network security
Network securityNetwork security
Network securityAli Kamil
 
NIS-CH 1-PART 1 (1).pptx
NIS-CH 1-PART 1 (1).pptxNIS-CH 1-PART 1 (1).pptx
NIS-CH 1-PART 1 (1).pptxchandutidake
 
I MSc CS CNS Day 1.pptx
I MSc CS CNS Day 1.pptxI MSc CS CNS Day 1.pptx
I MSc CS CNS Day 1.pptxArumugam90
 
Unit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptxUnit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptxPuskar Bhandari
 
Basic Security Chapter 1
Basic Security Chapter 1Basic Security Chapter 1
Basic Security Chapter 1AfiqEfendy Zaen
 
Basic security concepts_chapter_1
Basic security concepts_chapter_1Basic security concepts_chapter_1
Basic security concepts_chapter_1abdifatah said
 
Survey of file protection techniques
Survey of file protection techniquesSurvey of file protection techniques
Survey of file protection techniquesG Prachi
 
Two-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _ZamanTwo-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _ZamanAsad Zaman
 
Protection in general purpose operating system
Protection in general purpose operating systemProtection in general purpose operating system
Protection in general purpose operating systemG Prachi
 
It security
It securityIt security
It securityavi2607
 

Similar to Access_Control_Systems_and_methodology (20)

Unit v
Unit vUnit v
Unit v
 
Cyber security review paper
Cyber security review paperCyber security review paper
Cyber security review paper
 
security of information systems
 security of information systems security of information systems
security of information systems
 
IMPLEMENTATION OF METHODS FOR TRANSACTION IN SECURE ONLINE BANKING
IMPLEMENTATION OF METHODS FOR TRANSACTION IN SECURE ONLINE BANKINGIMPLEMENTATION OF METHODS FOR TRANSACTION IN SECURE ONLINE BANKING
IMPLEMENTATION OF METHODS FOR TRANSACTION IN SECURE ONLINE BANKING
 
Network security
Network securityNetwork security
Network security
 
security in is.pptx
security in is.pptxsecurity in is.pptx
security in is.pptx
 
NIS-CH 1-PART 1 (1).pptx
NIS-CH 1-PART 1 (1).pptxNIS-CH 1-PART 1 (1).pptx
NIS-CH 1-PART 1 (1).pptx
 
Information Security
Information SecurityInformation Security
Information Security
 
I MSc CS CNS Day 1.pptx
I MSc CS CNS Day 1.pptxI MSc CS CNS Day 1.pptx
I MSc CS CNS Day 1.pptx
 
P3 m2
P3 m2P3 m2
P3 m2
 
Unit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptxUnit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptx
 
Basic Security Chapter 1
Basic Security Chapter 1Basic Security Chapter 1
Basic Security Chapter 1
 
Basic security concepts_chapter_1
Basic security concepts_chapter_1Basic security concepts_chapter_1
Basic security concepts_chapter_1
 
Survey of file protection techniques
Survey of file protection techniquesSurvey of file protection techniques
Survey of file protection techniques
 
Two-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _ZamanTwo-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _Zaman
 
Class paper final
Class paper finalClass paper final
Class paper final
 
Protection in general purpose operating system
Protection in general purpose operating systemProtection in general purpose operating system
Protection in general purpose operating system
 
What Is "Secure"?
What Is "Secure"?What Is "Secure"?
What Is "Secure"?
 
It security
It securityIt security
It security
 
Chap 1 general introduction to computer forensics
Chap 1  general introduction to computer forensicsChap 1  general introduction to computer forensics
Chap 1 general introduction to computer forensics
 

Access_Control_Systems_and_methodology

  • 2. INTRODUCTION ● JERMAINE ROBINSON M.S. Information Systems ● CHIBUZO OBIOHA M.S. Telecommunications Systems and Networks ● ARTI AMBOKAR M.S. Information Systems
  • 3. OVERVIEW • ACCESS CONTROLS ARE USED IN ORDER TO PROTECT INFORMATION SYSTEMS AND DATA • 3 TYPES OF ACCESS CONTROL METHODOLOGIES ARE: • SECURITY CLEARANCES (FEDERAL GOVERNMENT) • MULTIFACTOR AUTHENTICATION/BIOMETRICS • PASSWORDS • PASSWORD CRACKING IS A METHOD OF GETTING PAST ACCESS CONTROLS • DEMONSTRATION OF JAVA PROGRAM TO CREATE PASSWORD REQUIREMENTS
  • 4. WHAT IS A SECURITY CLEARANCE? SPECIAL PERMISSION THAT IS GRANTED BY FEDERAL GOVERNMENT TO PERSONNEL THAT HAVE APPROVAL TO ACCESS NETWORKS, DATA, AND INFORMATION SYSTEMS CLEARANCE LEVELS ARE CONFIDENTIAL, SECRET, AND TOP SECRET NETWORKS, DATA, AND INFORMATION SYSTEMS ALSO RECEIVE CORRESPONDING DESIGNATIONS APPLIES TO MILITARY, FEDERAL EMPLOYEES, AND FEDERAL CONTRACTORS
  • 5. GETTING A CLEARANCE CLEARANCES ARE GIVEN TO PERSONNEL ON A NEED TO HAVE BASIS BIOMETRICS ARE USED AS A MEANS OF GAINING SPECIFIC INFORMATION ABOUT APPLICANTS AND ALL DATA IS STORED FOR THE DURATION OF MILITARY CAREER THE INVESTIGATION PROCESS MUST BE COMPLETED BEFORE A PERMANENT CLEARANCE IS GAINED HOWEVER TEMPORARY CLEARANCES CAN BE ISSUED INVESTIGATIONS COST FROM $200 - $15,000 REINVESTIGATIONS ARE DONE PERIODICALLY AND CLEARANCES HAVE AN EXPIRATION DATE OF 5-15 YEARS REVOCATION CAN OCCUR AT ANY TIME
  • 6. SCREENING PROCESS SECURITY CLEARANCE SCREENING VIDEO ● SECURITY CLEARANCE SCREENINGS ARE USUALLY CONDUCTED UPON ENTRANCE INTO THE MILITARY ● THE MOS/AFSC/RATING (JOB) THAT ONE IS ENTERING THE MILITARY TO DO OR THE LOCATION OF THEIR PERMANENT DUTY STATION DETERMINES THE CLEARANCE LEVEL THEY WILL BE CONSIDERED FOR EXAMPLE: IF YOU ARE ENTERING THE MILITARY TO DO A NON CLEARANCE JOB BUT ARE ASSIGNED TO A LOCATION WHERE A CERTAIN CLEARANCE LEVEL IS REQUIRED YOU WILL HAVE TO RECEIVE THAT CLEARANCE BEFORE BEING SENT TO THAT DUTY STATION ● A FAIR CHANCE IS GIVEN TO DISCLOSE ALL BACKGROUND INFORMATION BEFORE IT IS DISCOVERED ● CRIMINAL,FINANCIAL, AND MENTAL HEALTH ARE EXAMPLES OF INFORMATION THAT IS LOOKED INTO
  • 7. DESIGNATIONS GIVEN SECURITY DESIGNATIONS THAT ARE GIVEN TO NETWORKS, DATA, AND INFORMATION SYSTEMS ARE DONE SO WITH THE FOLLOWING GUIDELINES: -CONFIDENTIAL: REASONABLY COULD BE EXPECTED TO CAUSE DAMAGE TO THE NATIONAL SECURITY IF DISCLOSED -SECRET: REASONABLY COULD BE EXPECTED TO CAUSE SERIOUS DAMAGE TO THE NATIONAL SECURITY IF DISCLOSED -TOP SECRET: REASONABLY COULD BE EXPECTED TO CAUSE EXCEPTIONALLY GRAVE DAMAGE TO THE NATIONAL SECURITY IF DISCLOSED
  • 8. PROTECTING THE ASSETS -EXAMPLE: IF AN OFFICE IS DEEMED AS “SECRET” THE OFFICE CAN CONTAIN A VAULT OR SPECIAL OFFICE WITHIN IT WHERE “TOP SECRET” ASSETS ARE STORE INCLUDING COMPUTERS -ANYTHING FROM AN ENTIRE MILITARY BASE, TO A BUILDING, TO AN OFFICE,TO A COMPUTER, TO A FILE CAN BE GRANTED A SECURITY DESIGNATION -ACCESS TO SECURE ASSETS CAN BE GRANTED ON A NEED TO ACCESS BASIS NOT JUST ON THE BASIS OF HAVING A CLEARANCE LEVEL
  • 9. WAR ZONES -ANYTIME MILITARY OPERATIONS ARE BASED IN “ENEMY TERRITORY” THERE IS A LARGER RISK INVOLVED -EASIER FOR TERRORISTS TO INFILTRATE NETWORKS BASED IN THEIR HOMELAND VERSUS DOING IT HERE IN AMERICA -ACCESS TO AMERICAN INFORMATION SYSTEMS, DATA, AND NETWORKS IS AT AN EVEN HIGHER PROTECTION LEVEL
  • 10. ALL ABOUT CLEARANCES ● SECURITY CLEARANCES ARE THE FEDERAL GOVERNMENT’S WAY OF CONTROLLING ACCESS TO INFORMATION SYSTEMS, NETWORKS, AND DATA ● THE PROGRAM PROVIDES A STANDARD THAT CAN BE USED ACROSS THE BOARD SO NATIONAL SECURITY CAN BE AT ITS HIGHEST ● BILLIONS OF DOLLARS ARE SPENT EVERY YEAR ON COMING UP WITH STRATEGIC NATIONAL SECURITY PLANS ● OUR NATION'S SECURITY DEPENDS ON PROTECTING ACCESS TO OUR INFORMATION SYSTEMS, DATA, AND NETWORKS
  • 11. MULTIFACTOR AUTHENTICATION WHAT IS MULTIFACTOR AUTHENTICATION? WHY WE NEED MULTIFACTOR AUTHENTICATION? HOW TO REGISTER AND CONFIGURE ACCESS? Multifactor Authentication Computer Access Control Granted Access Pieces of Evidence Authentication Mechanism
  • 12. WHAT IS MULTIFACTOR AUTHENTICATION? MULTI FACTOR AUTHENTICATION: A METHOD THAT CONTROLS COMPUTER ACCESS WHICH CONTAINS A SYSTEM WHERE A USER IS GIVEN ACCESS AFTER PRESENTING NUMEROUS SEPARATE PIECES OF EVIDENCE AUTHENTICATE THEMSELVES TYPICALLY CAN BE EITHER TWO OR THREE TYPES: ● KNOWLEDGE(SOMETHING THAT IS KNOWN) ● POSSESSION(SOMETHING THAT IS PRESENT) ● INHERENCE(SOMETHING THAT THEY ARE)
  • 13. TWO & THREE-FACTOR AUTHENTICATION TWO-FACTOR AUTHENTICATION: REQUIRE A PASSWORD AND USERNAME IN ADDITION TO SOMETHING THAT IS ONLY KNOWN TO THE USER: EXAMPLE:A PIECE OF INFORMATION ONLY THE USER SHOULD KNOW (PHYSICAL TOKEN) THREE-FACTOR AUTHENTICATION: IS NOTHING BUT SOMETHING A USER IS: EXAMPLE: ALL TYPES OF BIOMETRICS Multifactor Authentication Two-factor Authentication (something which is only known to user) Three-factor Authentication (something a user is)
  • 14. BIOMETRICS - THE DEFINITION OF ‘BIO’ IS LIFE - THE DEFINITION OF ‘METRICS’ IS MEASURE - IN BIOMETRICS TECHNOLOGY IS USED TO MEASURE SOMETHING THAT IS RELATED TO LIFE EXAMPLE: PHYSICAL TRAITS THAT AN INDIVIDUAL POSSESS MAIN TYPES OF BIOMETRIC IDENTIFIERS: ● PHYSIOLOGICAL CHARACTERISTICS: FINGERPRINTS ,DNA, FACE, HAND, RETINA OR EAR FEATURES; AND ODOR ● BEHAVIORAL CHARACTERISTICS: TYPING RHYTHM, GESTURES, VOICE , MONITORING KEYSTROKES
  • 15. BIOMETRIC TECHNIQUES FINGERPRINT RECOGNITION VOICE PRINTS SIGNATURE DYNAMICS RETINA SCANNING IRIS SCANNING FACE RECOGNITION
  • 16. FINGERPRINT ● THERE ARE 3 BASIC PATTERNS OF FINGERPRINTS ● MINUTIAE: THE MATCHING OF TWO HUMAN FINGERPRINTS MINUTIAE REFERS TO SPECIFIC POINTS IN A FINGERPRINT, THAT CONTAIN SMALL DETAILS IN A FINGERPRINT THAT IS MOST IMPORTANT FOR FINGERPRINT RECOGNITION
  • 17. THREE BASIC PATTERNS OF FINGERPRINT RIDGES ARCH LOOP WHORL ARCH: RIDGES ENTER FROM ONE SIDE OF THE FINGER, AND RISE IN THE CENTER FORMING AN ARC, AND THEN EXIT THE OTHER SIDE OF THE FINGER LOOP: RIDGES ENTER FROM ONE SIDE OF A FINGER, FORM A CURVE, AND THEN EXIT ON THAT SAME SIDE WHORL: RIDGES FORM CIRCULARLY AROUND A CENTRAL POINT ON THE FINGER
  • 18. MINUTIAE RIDGE ENDING: SPOT WHERE RIDGE ENDS BIFURCATION: SPOT WHERE RIDGE SPLITS INTO TWO RIDGES SHORT RIDGE(DOT): THOSE RIDGES WHICH ARE SIGNIFICANTLY SHORTER THAN OTHER RIDGES FINGERPRINTS RECOGNITION VIDEO
  • 19. Shape of Vocal Cavities Mouth Movements While Speaking Unique Voice VOICE PRINTS VOICEPRINT SYSTEM: EXACT WORDS ARE NEEDED FOR ACCESS OR A SPECIFIC EXTENDED SAMPLE IS LOGGED IN THE SYSTEM SO ONLY YOUR VOICE CAN BE PICKED UP WHEN YOU SAY THE WORDS VOICEPRINTS ARE STORED IN A SPECTROGRAM(GRAPH THAT SHOWS SOUND'S FREQUENCY ON VERTICAL AXIS AND TIME ON HORIZONTAL AXIS.
  • 20. SIGNATURE DYNAMICS DONE BY ANALYZING THE SHAPE, SPEED, STROKE, PEN PRESSURE AND TIMING INFORMATION DURING SIGNING PROCESS SIGNATURE DYNAMICS VIDEO
  • 21. RETINA SCANNING ● RETINA: LAYER AT THE BACK OF THE EYEBALL THAT CONTAINS CELLS THAT ARE SENSITIVE TO LIGHT AND TRIGGER NERVE IMPULSES THAT PASS THROUGH THE OPTIC NERVE TO THE BRAIN AT WHICH POINT A VISUAL IMAGE IS CREATED ● THERE ARE UNIQUE PATTERNS ON A PERSON'S RETINA BLOOD VESSELS PROCESS: 1. RETINA SCAN 2. CAST A BEAM OF INFRARED LIGHT 3. TRACE THE RETINA 4. BLOOD VESSEL ABSORB LIGHT 5. IMAGE STORED TO DATABASE
  • 22. IRIS SCANNING IRIS: FLAT, COLORED, RING-SHAPED MEMBRANE BEHIND THE CORNEA OF THE EYE, WITH AN ADJUSTABLE CIRCULAR OPENING (PUPIL) IN THE CENTER. THE COLORED PATTERN OF IRIS IS GENETICAL AND COMES FROM PIGMENT CALLED MELANIN MORE MELANIN: BROWNER LESS MELANIN: BLUER TWO PEOPLE CANNOT HAVE SAME PATTERNS IRIS SCANNING VIDEO
  • 23. FACE RECOGNITION 1. IDENTIFY OR VERIFY A PERSON 2. DIGITAL IMAGE OR VIDEO FRAME FROM VIDEO SOURCE 3. ALGORITHM IS USED TO MATCH FACE
  • 24. SINGLE SIGN ON ● MULTIPLE SYSTEMS REQUIRE MULTIPLE SIGN-ON DIALOGUE ● CAN BE HEADACHE TO ADMINISTRATORS AND USERS ● INCREASES SIGN-ON DIALOGUE (USER MUST REPEATEDLY LOGIN TO EVERY SYSTEM)
  • 25. KERBEROS KERBEROS: A COMPUTER NETWORK COMMUNICATION PROTOCOL THAT USES A ‘TICKET’ TO ALLOW NODES TO COMMUNICATE OVER A NETWORK THAT IS NOT SECURE IN ORDER TO PROVE A USER'S IDENTITY IN A SECURE WAY User logs in to gain access Ticket is generation is passed on to key distribution center Key distribution center sends response to user to decrypt TGT by password hash User response is now send to authentication service in which request for ticket is made Ticket granting service sends the reply by sending ticket
  • 26. PASSWORDS -WHAT IS A USERNAME AND PASSWORD -PASSWORD STORAGE -PASSWORD CRACKING -METHODS FOR CRACKING PASSWORD -PASSWORD CRACKING APPLICATIONS -PREVENTION
  • 27. WHAT IS A USERNAME AND PASSWORD? -USERNAMES ARE CREATED TO IDENTIFY YOURSELF AS A USER OF A COMPUTER DOMAIN OR SYSTEM -PASSWORDS ARE SYSTEM DESIGNED AND ARE CREATED TO PROVIDE AUTHENTICATION -PASSWORD ARE INTENDED TO BE COMPLEX AND STRONG (PASSWORDS WHICH THAT ARE ALPHANUMERIC, AND CONTAIN SPECIAL CHARACTERS) -PASSWORDS SHOULD TAKE DAYS AND YEARS TO BRING OUT THE PLAINTEXT FROM HASH
  • 28. AUTHENTICATION THE 3 DIFFERENT WAYS TO AUTHENTICATE USERS OF A SYSTEM: 1. USERS PRESENT A PHYSICAL OBJECT SUCH AS A KEY CARD 2. USERS PROVE IDENTITY USING A PERSONAL CHARACTERISTIC(BIOMETRICS) 3. USERS ANSWER QUESTION ONLY THEY KNOW THE ANSWER IN THE EVENT OF YOUR PASSWORD BECOMES COMPROMISED IT CAN BE EASILY CHANGED.(I.E. A STRONG BENEFIT OF USING AUTHENTICATION THROUGH A PASSWORD)
  • 29. PASSWORD STORAGE WINDOWS PASSWORD FILE: WINDOWS SYSTEM FOR STORING PASSWORD FILES, WHICH IS SIMILAR TO THE WAY UNIX DOES ITS STORING. PASSWORD FILE FOR WINDOWS, IS KNOWN AS THE SECURITY ACCOUNT MANAGER(SAM) FILE, IS LOCATED IN: C:WINDOWSSYSTEM32CONFIGSAM. ONLINE PASSWORD STORAGE: MOST WEBSITES AND ONLINE SERVICES REQUIRE USERS TO LOG IN WITH A TYPICAL PASSWORD SCHEME AND PASSWORD IS STORED ON WEBSITE PASSWORD SALT: STORING THE HASHED OR ENCRYPTED VALUES FOR PASSWORDS. METHOD IS MUCH MORE SECURE THAN STORING THE PLAIN TEXT IN A PASSWORD FILE
  • 30. WHAT IS PASSWORD CRACKING
    PASSWORD CRACKING: THE PROCESS OF GUESSING OR RECOVERING A PASSWORD FROM THE LOCATION WHERE IT IS STORED (USUALLY A FILE OR DATABASE OF HASHES) OR FROM A DATA TRANSMISSION
    PURPOSE:
    ● LEGITIMATELY, TO RECOVER A FORGOTTEN PASSWORD OR TO AUDIT A SYSTEM FOR WEAK PASSWORDS
    ● WITH MALICIOUS INTENT, TO GAIN UNAUTHORIZED ACCESS TO A COMPUTER SYSTEM
    PASSWORD CRACKING INVOLVES TWO DISTINCT PHASES:
    1. THE ATTACKER DUMPS THE HASHES OF THE PASSWORDS (FROM THE SAM FILE, THE UNIX PASSWORD FILE, A WEB APPLICATION DATABASE, OR A CAPTURED AUTHENTICATION EXCHANGE)
    2. THE ATTACKER TRIES TO CRACK THE ACQUIRED HASHES, OFFLINE, WHERE NO ACCOUNT LOCKOUT OR RATE LIMIT APPLIES
  • 31. PASSWORD CRACKING METHODOLOGIES
    1. PHISHING: THE EASIEST AND MOST POPULAR METHOD, USED BY HACKERS TO TRICK SOMEONE INTO HANDING OVER THEIR ACCOUNT DETAILS. EX: DISGUISING AN EMAIL AND ITS LOGIN PAGE AS ONES THAT CAME FROM A REAL WEBSITE
    2. SOCIAL ENGINEERING: THE PROCESS OF MANIPULATING SOMEONE INTO TRUSTING YOU AND GIVING YOU INFORMATION. EX: A HACKER TRYING TO GET THE COMPUTER PASSWORD OF A CO-WORKER OR FRIEND COULD CALL PRETENDING TO BE FROM THE IT DEPARTMENT AND SIMPLY ASK FOR THE LOGIN DETAILS
    3. MALWARE: A KEYLOGGER OR SCREEN SCRAPER IS INSTALLED BY MALWARE. THE KEYLOGGER RECORDS EVERYTHING YOU TYPE, THE SCREEN SCRAPER TAKES SCREENSHOTS DURING THE LOGIN PROCESS, AND THE CAPTURED FILES ARE FORWARDED TO THE HACKER
    4. ONLINE GUESSING VERSUS OFFLINE CRACKING: ONLINE GUESSING IS DONE AGAINST THE LIVE LOGIN AND IS CONSTRAINED BY LOCKOUTS AFTER THREE OR FOUR WRONG GUESSES, SO AN AUTOMATED GUESSING APPLICATION MUST SPACE ITS ATTEMPTS OR WAIT OUT THE ALLOTTED TIME PERIOD TO AVOID THE BLOCKS IN PLACE. OFFLINE CRACKING WORKS AGAINST A STOLEN COPY OF THE HASHES ON THE ATTACKER'S OWN HARDWARE, WHERE NO LOCKOUT APPLIES AND ONLY THE SPEED OF THE HASH FUNCTION LIMITS THE NUMBER OF GUESSES
    5. GUESSING: MAKING INFORMED GUESSES BASED ON THE PREDICTABILITY OF THE USER
  • 32. PASSWORD CRACKING METHODOLOGIES (CONT)
    6. DICTIONARY ATTACK: A LARGE WORDLIST IS LOADED INTO THE CRACKING TOOL, USUALLY WITH MANGLING RULES (CAPITALIZATION, APPENDED DIGITS AND SYMBOLS), AND EACH CANDIDATE IS HASHED AND COMPARED AGAINST THE USER ACCOUNT PASSWORD HASHES
    7. BRUTE FORCE ATTACK: ALL POSSIBLE CHARACTER COMBINATIONS ARE TRIED AGAINST THE PASSWORD DATABASE UNTIL THE CORRECT ONE IS DISCOVERED. THE COST GROWS EXPONENTIALLY WITH PASSWORD LENGTH, SO IT USUALLY TAKES A LONG TIME AGAINST ANYTHING BUT SHORT PASSWORDS
    8. RAINBOW TABLE ATTACK: A VERY LARGE LIST OF PRE-COMPUTED HASHES (STORED AS COMPRESSED HASH CHAINS) IS COMPARED WITH THE PASSWORD FILE TO RECOVER PASSWORDS WITHOUT REDOING THE HASHING WORK. IT ONLY WORKS AGAINST UNSALTED HASHES
    9. SHOULDER SURFING: WATCHING A USER TYPE A PASSWORD, OR READING ONE OFF A NOTE AT THEIR DESK. TO GET CLOSE ENOUGH, HACKERS TAKE DISGUISE POSING AS A PARCEL COURIER, MAINTENANCE SERVICE TECHNICIAN OR ANYONE ELSE WHO CAN GAIN ACCESS TO AN OFFICE SPACE OR BUILDING
    10. SPIDERING: SAVVY HACKERS HAVE REALIZED THAT MANY CORPORATE PASSWORDS ARE MADE OF WORDS CONNECTED TO THE BUSINESS ITSELF, SO THEY CRAWL THE COMPANY'S WEBSITE AND DOCUMENTS TO BUILD A CUSTOM WORDLIST FOR A DICTIONARY ATTACK
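Phase 2 of slide 30 carried out against a constructed hash dump, as an added example covering the dictionary, brute force, rainbow table and spidering methods of slides 31 and 32 (this is not the slides' own code and not John the Ripper or RainbowCrack). The leaked table, the users, their passwords, the common wordlist and the "spidered" company words are all made up here; the lookup table is a plain hash-to-plaintext dictionary standing in for the compressed chains a real rainbow table uses. The last function shows the salted case from slide 29, which the precomputed table cannot touch.

```python
"""Offline attacks on a constructed dump of unsalted MD5 hashes, then the salted
case (added example; users, passwords and wordlists are constructed)."""
import hashlib
import itertools
import os


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


# Phase 1 already done: a dumped password table using unsalted MD5, as many
# older web applications stored it (constructed).
LEAKED = {
    "jsmith": md5_hex("letmein"),
    "bjones": md5_hex("Acme123"),
    "kwu": md5_hex("z3!"),
    "admin": md5_hex("correct horse battery staple"),
}
COMMON_WORDS = ["password", "letmein", "qwerty", "dragon", "monkey"]
SPIDERED_WORDS = ["acme", "widgets", "rockville"]   # words scraped from the target company's site
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789!"   # 37 symbols for the brute-force demo


def mangle(word: str) -> set:
    """Wordlist rules of the kind cracking tools apply: case changes and common suffixes."""
    bases = {word, word.capitalize(), word.upper()}
    suffixes = ["", "1", "123", "!", "2023"]
    return {b + s for b in bases for s in suffixes}


def candidates(words):
    for word in words:
        yield from sorted(mangle(word))


def dictionary_attack(hashes: dict, words) -> dict:
    """Hash every candidate and compare it against every stored hash."""
    cracked = {}
    for guess in candidates(words):
        h = md5_hex(guess)
        for user, stored in hashes.items():
            if h == stored:
                cracked[user] = guess
    return cracked


def brute_force(hashes: dict, alphabet: str, max_len: int):
    """Exhaustive search over |alphabet|**n strings for n = 1..max_len.
    Returns (cracked, attempts) so the exponential cost is visible."""
    cracked, attempts = {}, 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            guess = "".join(chars)
            attempts += 1
            h = md5_hex(guess)
            for user, stored in hashes.items():
                if h == stored:
                    cracked[user] = guess
    return cracked, attempts


def build_lookup_table(words) -> dict:
    """Time-memory trade-off: hash the candidates once, keep hash -> plaintext.
    A real rainbow table compresses this with hash chains; the idea is the same."""
    return {md5_hex(guess): guess for guess in candidates(words)}


def lookup_attack(hashes: dict, table: dict) -> dict:
    """No hashing at all: one dictionary lookup per stored hash."""
    return {user: table[h] for user, h in hashes.items() if h in table}


def salted_store(passwords: dict) -> dict:
    """The defence: a random per-user salt mixed in before hashing, so a table
    built on unsalted hashes matches nothing and every user must be attacked separately."""
    store = {}
    for user, password in passwords.items():
        salt = os.urandom(8).hex()
        store[user] = (salt, md5_hex(salt + password))
    return store


if __name__ == "__main__":
    words = COMMON_WORDS + SPIDERED_WORDS
    print("dictionary:", dictionary_attack(LEAKED, words))
    print("brute force:", brute_force(LEAKED, ALPHABET, 3))
    table = build_lookup_table(words)
    print("lookup table:", lookup_attack(LEAKED, table))
    salted = salted_store({"jsmith": "letmein", "bjones": "Acme123"})
    print("lookup vs salted:", lookup_attack({u: h for u, (s, h) in salted.items()}, table))
```

Running it shows each method's reach: the dictionary attack (helped by the spidered word `acme` and a capitalization-plus-digits rule) recovers `jsmith` and `bjones`, brute force recovers the three-character `kwu` password after about 52,000 attempts but would need billions for eight characters, the lookup table recovers the same two users with no hashing at all, and none of them recovers `admin`, whose passphrase is long and not in any wordlist. Against the salted store the table finds nothing, even though the passwords are identical.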
  • 33. PASSWORD CRACKING APPLICATIONS
    ● JOHN THE RIPPER: FREE, OPEN SOURCE PASSWORD CRACKING TOOL FOR LINUX, UNIX AND MAC OS X; A WINDOWS VERSION IS ALSO AVAILABLE. COMMONLY USED BY ADMINISTRATORS TO DETECT WEAK PASSWORDS IN THEIR OWN HASH FILES
    ● RAINBOWCRACK: HASH CRACKER THAT USES A LARGE-SCALE TIME-MEMORY TRADE-OFF FOR FASTER PASSWORD CRACKING THAN TRADITIONAL BRUTE FORCE TOOLS. IN A TIME-MEMORY TRADE-OFF, PLAINTEXT/HASH PAIRS FOR A SELECTED HASH ALGORITHM AND CHARACTER SET ARE COMPUTED ONCE, UP FRONT, AND STORED IN A RAINBOW TABLE. GENERATING THE TABLE IS VERY TIME CONSUMING, BUT LOOKUPS AGAINST IT ARE FAST AND THE TABLE CAN BE REUSED AGAINST ANY UNSALTED DUMP OF THE SAME HASH TYPE
    ● CAIN & ABEL: WINDOWS-ONLY PASSWORD RECOVERY TOOL CAPABLE OF HANDLING A VARIETY OF TASKS: SNIFFING THE NETWORK, CRACKING HASHED PASSWORDS WITH DICTIONARY, BRUTE FORCE AND CRYPTANALYSIS ATTACKS, RECORDING VOIP CONVERSATIONS, REVEALING PASSWORD BOXES, UNCOVERING CACHED PASSWORDS, DECODING SCRAMBLED PASSWORDS, AND ANALYZING ROUTING PROTOCOLS
    ● BRUTUS: REMOTE ONLINE PASSWORD CRACKING TOOL THAT CLAIMS TO BE THE FASTEST AND MOST FLEXIBLE OF ITS KIND. FREE, WINDOWS ONLY, RELEASED OCTOBER 2000, AND VERY POPULAR. AS AN ONLINE TOOL IT GUESSES AGAINST THE LIVE LOGIN, SO IT IS SUBJECT TO THE LOCKOUTS AND RATE LIMITS THAT OFFLINE CRACKERS AVOID
  • 34. WEBSITES THAT CRACK
    THERE ARE MANY WEBSITES THAT HACKERS USE TO DO "QUICK HACKING", WHERE SUPPLYING SIMPLE INFORMATION LIKE A PROFILE URL IS SUPPOSED TO LEAD TO A PASSWORD BEING CRACKED. THESE SITES HAVE VARYING DEGREES OF SUCCESS, AND MANY ARE THEMSELVES SCAMS THAT HARVEST THE VISITOR'S OWN CREDENTIALS OR PAYMENT DETAILS
    FACEBOOK CRACKED VIDEO
  • 35. 4 WAYS OF PREVENTION
    1. USE A PASSPHRASE: LENGTH DEFEATS BRUTE FORCE FAR BETTER THAN A FEW SPECIAL CHARACTERS DO
    2. CHANGE PASSWORDS REGULARLY (ABOUT EVERY 3 MONTHS) AND IMMEDIATELY WHENEVER A COMPROMISE IS SUSPECTED. NOTE THAT CURRENT NIST SP 800-63B GUIDANCE IS TO ROTATE ON EVIDENCE OF COMPROMISE RATHER THAN ON A FIXED SCHEDULE, BECAUSE FORCED ROTATION PUSHES USERS TOWARD PREDICTABLE VARIATIONS OF THE OLD PASSWORD
    3. DO NOT USE THE SAME PASSWORD ON MULTIPLE SITES: ONE BREACHED SITE OTHERWISE UNLOCKS ALL OF THEM
    4. AVOID DICTIONARY WORDS AND NAMES, INCLUDING WORDS CONNECTED TO YOUR EMPLOYER, SINCE THESE ARE EXACTLY WHAT DICTIONARY AND SPIDERING ATTACKS TRY FIRST
  • 36. CONCLUSION
    ACCESS CONTROL IS VITAL TO THE PROTECTION OF ASSETS, DATA, AND INFORMATION TECHNOLOGY
    SECURITY CLEARANCES, PASSWORDS, MULTIFACTOR AUTHENTICATION, AND BIOMETRICS ARE ALL METHODOLOGIES THAT ARE USED TO CONTROL ACCESS
    IT'S IMPORTANT TO REMEMBER THAT HACKERS ARE ALWAYS TRYING TO GET IN
    REGULATING ACCESS DOES NOT ALWAYS ELIMINATE THE PROBLEM, BUT IT HELPS