2. 1: Desktop Security
Introduction:
The desktop is the primary point of access to the organization's resources and business applications. It is the gateway to the organization's highly valuable and confidential information assets.
If desktop security is weak, intruders can easily bypass it and reach that confidential information.
For this reason, the principles of information security (confidentiality, integrity and availability) must be strictly maintained.
3. Some of the ways in which desktop users continuously compromise desktop security
1) Bad password management
- Weak passwords, sharing passwords, never changing passwords
2) Guest accounts or open accounts
3) Virus and other malicious code attacks
4) Unsolicited email attachments
5) Downloading software from untrusted Internet sites
6) Installing software from untrusted sources
7) Bad desktop management
- No anti-virus, outdated virus signatures, no backups, no desktop lock, open folder shares without passwords
4. Technology used to support desktop security:
1) Centralized management
2) Password protection
3) Single sign-on (SSO)
a. With SSO, passwords for multiple applications are captured
once and permanently stored.
b. Authentication for subsequent access to separate applications is
auto-verified.
c. Users just have to log-in into the organization’s network and
access to all authorized applications are automatically granted.
d. They don't have to remember many passwords for all the applications to which they require access.
4) Desktop lock
5) Virus detection
6) File encryption
7) Personal firewall
5. 2: Email Security - S/MIME & PGP
Definition:
Email security refers to the collective measures used
to secure the access and content of an email
account or service. It allows an individual or
organization to protect the overall access to one or
more email addresses/accounts.
Spam is email you did not ask for and usually do not want, typically used to persuade you to buy something.
Phishing email is used to try to steal your identity; this may be done by asking you to enter details into a web page, or by installing software on your computer that gathers personal information about you.
6. There are two ways to encrypt or sign messages:
• S/MIME
• PGP
7. Quick E-mail History:
- SMTP and RFC 822: only ASCII messages (7-bit)
- MIME (Multipurpose Internet Mail Extensions)
  - content type: almost any type of information can appear in an email message
  - transfer encoding: specifies how the message body is encoded into textual form (radix64 is common)
- S/MIME: Secure MIME
  - new content types, like signature and encrypted data
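As an added example (not from the slides) of the content type and transfer encoding described above: the Python standard library builds a message whose text body and attachment contain 8-bit data, and a check confirms that the base64 (radix64) transfer encoding makes the whole message 7-bit clean for SMTP. The addresses and message contents are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample content: a non-ASCII text body and a binary blob that
# contains every byte value, neither of which can travel over 7-bit SMTP as-is.
BODY_TEXT = "Invoice total: 1 250 €"
ATTACHMENT = bytes(range(256))


def build_message() -> bytes:
    """Serialize a MIME message the way it would be handed to SMTP."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = "alice@example.com"   # constructed addresses
    msg["To"] = "bob@example.com"
    msg["Subject"] = "MIME transfer-encoding demo"
    # The content type says what the part is; the transfer encoding (here
    # base64, the "radix64" of the slide) says how its bytes were made 7-bit safe.
    msg.set_content(BODY_TEXT, subtype="plain", charset="utf-8", cte="base64")
    msg.add_attachment(ATTACHMENT, maintype="application", subtype="octet-stream",
                       filename="blob.bin")  # binary attachments default to base64
    return msg.as_bytes()


def is_seven_bit_clean(raw: bytes) -> bool:
    """RFC 822 SMTP only guaranteed delivery of 7-bit ASCII (every byte < 0x80)."""
    return all(b < 0x80 for b in raw)


def decode_message(raw: bytes) -> tuple:
    """Parse the wire form, undo the transfer encodings and report which were used."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    blob = next(msg.iter_attachments()).get_content()
    ctes = [p["Content-Transfer-Encoding"] for p in msg.walk() if not p.is_multipart()]
    return body.strip(), blob, ctes   # strip the CRLF line terminator MIME adds


if __name__ == "__main__":
    wire = build_message()
    print(wire.decode("ascii"))
    print("7-bit clean:", is_seven_bit_clean(wire), decode_message(wire)[2])
```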
8. S/MIME:
• S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of MIME data.
• It is essentially used to prove that the email came from the person it says it is from.
9. S/MIME provides the following cryptographic security services
for electronic messaging applications:
Authentication
Message integrity
Non-repudiation of origin (using digital signatures)
Privacy and data security (using encryption).
S/MIME (Secure Multi-Purpose Internet Mail Extensions) is a
secure method of sending email that uses the Rivest-Shamir-
Adleman (RSA) encryption system.
S/MIME is included in the latest versions of the Web browsers
from Microsoft and Netscape.
S/MIME describes how encryption information and a digital
certificate can be included as part of the message body.
S/MIME follows the syntax provided by the Public-Key Cryptography Standards (PKCS) format.
11. PGP
Pretty Good Privacy.
PGP is similar to S/MIME in that both use public key
cryptography.
However, with PGP you don't rely on a central
authority.
Instead, you create your own private/public key pair
using the PGP software.
PGP is actually an implementation of the OpenPGP
standard.
OpenPGP defines its own encryption methods and
encoding formats.
In PGP, each user is a CA (Certification Authority).
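An added example (not from the slides, and not PGP software) of the "each user is a CA" model: a toy keyring in which users certify each other's keys, and a key is accepted as valid only through signers the keyring owner trusts. The thresholds of one fully trusted or three marginally trusted signers are an assumption modelled on GnuPG's defaults, all names are constructed, and no real signatures are involved.

```python
FULL, MARGINAL, NONE = "full", "marginal", "none"


class Keyring:
    """The web of trust as seen from one user's (the owner's) keyring."""

    def __init__(self, owner: str, completes_needed: int = 1, marginals_needed: int = 3):
        self.owner = owner
        self.completes_needed = completes_needed    # assumption: GnuPG-style defaults,
        self.marginals_needed = marginals_needed    # 1 full or 3 marginal signers
        self.signed_by: dict = {}                   # subject -> set of signers
        self.owner_trust: dict = {owner: FULL}      # how far owner trusts each introducer

    def sign(self, signer: str, subject: str) -> None:
        """Record that `signer` certified `subject`'s key: every user acts as a CA."""
        self.signed_by.setdefault(subject, set()).add(signer)

    def is_valid(self, subject: str, _seen: frozenset = frozenset()) -> bool:
        """Does the owner accept that `subject`'s key really belongs to subject?"""
        if subject == self.owner:
            return True                 # your own key needs no introducer
        if subject in _seen:
            return False                # break signature cycles
        full = marginal = 0
        for signer in self.signed_by.get(subject, ()):
            # A certification counts only if the signer's own key is valid
            # AND the owner trusts that signer to vouch for others.
            if not self.is_valid(signer, _seen | {subject}):
                continue
            trust = self.owner_trust.get(signer, NONE)
            full += trust == FULL
            marginal += trust == MARGINAL
        return full >= self.completes_needed or marginal >= self.marginals_needed


def demo_keyring() -> Keyring:
    """Constructed web of trust seen from Alice's keyring (all names are assumed)."""
    kr = Keyring("alice")
    kr.owner_trust.update({"bob": FULL, "carol": MARGINAL, "dave": MARGINAL,
                           "erin": MARGINAL, "ivan": FULL})
    for friend in ("bob", "carol", "dave"):
        kr.sign("alice", friend)        # Alice verified these keys in person
    kr.sign("bob", "erin")              # Erin's key is vouched for by Bob
    kr.sign("bob", "frank")             # one fully trusted signer suffices
    kr.sign("carol", "grace"); kr.sign("dave", "grace")   # two marginals: not enough
    for s in ("carol", "dave", "erin"):
        kr.sign(s, "hank")              # three marginals: enough
    kr.sign("ivan", "mallory")          # Ivan is trusted, but his own key was never certified
    return kr
```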
13. 3: Web Security
Web application security is a branch of Information
Security that deals specifically with security of websites,
web applications and web services. At a high level, Web
application security draws on the principles of application
security but applies them specifically to Internet and Web
systems.
Web server security is the protection of information
assets that can be accessed from a Web server.
Web sites are unfortunately prone to security risks. And
so are any networks to which web servers are connected.
Setting aside risks created by employee use or misuse of
network resources, your web server and the site it hosts
present your most serious sources of security risk.
14. Web servers by design open a window between your
network and the world. The care taken with server
maintenance, web application updates and your web site
coding will define the size of that window, limit the kind of
information that can pass through it and thus establish
the degree of web security you will have.
A Web server is a program that uses HTTP (Hypertext
Transfer Protocol) to serve the files that form Web pages
to users, in response to their requests, which are
forwarded by their computers' HTTP clients. Dedicated computers and appliances may be referred to as Web servers as well.
15. Web Authentication
Web authentication enables data security, identity theft
protection and a secure user experience.
The strength of an organization’s Web authentication
method should match the value of the information and
resources opened for access.
Web-authentication, (also known as Captive Portal), is a
simple way to provide secure guest user access to a
network.
It is used in a wide range of environments including Wi-Fi hotspots, hotels, universities, and business centres.
In basic terms, if the switch detects an unauthorised user
web browsing, then irrespective of the IP configuration on
their PC, they are re-directed to a Web-authentication
login page.
16. At this point, the user is required to enter a username
and password before they can begin to web browse. The
main benefits of this solution come from not requiring
additional customer knowledge, software or special
configuration.
Users are able to quickly and easily gain access to the
network regardless of the type of device or operating
system used.
17. SSL (Secure Sockets Layer)
Why use SSL? To Encrypt Sensitive Information
The primary reason why SSL is used is to keep sensitive
information sent across the Internet encrypted so that
only the intended recipient can understand it.
This is important because the information you send on
the Internet is passed from computer to computer to get
to the destination server.
Any computer in between you and the server can see
your credit card numbers, usernames and passwords,
and other sensitive information if it is not encrypted with
an SSL certificate.
When an SSL certificate is used, the information
becomes unreadable to everyone except for the server
you are sending the information to.
This protects it from hackers and identity thieves.
18. Authentication
In addition to encryption, a proper SSL certificate also
provides authentication.
This means you can be sure that you are sending
information to the right server and not to a criminal’s
server.
Why is this important? The nature of the Internet means
that your customers will often be sending information
through several computers.
Any of these computers could pretend to be your website
and trick your users into sending them personal
information.
It is only possible to avoid this by using a proper Public
Key Infrastructure (PKI), and getting an SSL Certificate
from a trusted SSL provider.
19. What Is SSL?
SSL (Secure Sockets Layer) is a standard security
technology for establishing an encrypted link between a
server and a client—typically a web server (website) and
a browser; or a mail server and a mail client (e.g.,
Outlook).
SSL allows sensitive information such as credit card
numbers, social security numbers, and login credentials
to be transmitted securely.
Normally, data sent between browsers and web servers
is sent in plain text—leaving you vulnerable to
eavesdropping.
If an attacker is able to intercept all data being sent
between a browser and a web server they can see and
use that information.
20. SSL is a security protocol. Protocols describe how
algorithms should be used; in this case, the SSL protocol
determines variables of the encryption for both the link
and the data being transmitted.
21. Secure Electronic Transaction (SET)
Secure Electronic Transaction (SET) is a system for
ensuring the security of financial transactions on the
Internet.
It was supported initially by Mastercard, Visa, Microsoft,
Netscape, and others.
With SET, a user is given an electronic wallet (digital
certificate) and a transaction is conducted and verified
using a combination of digital certificates and digital
signatures among the purchaser, a merchant, and the
purchaser's bank in a way that ensures privacy and
confidentiality.
22. Secure Electronic Transaction (SET) was a
communications protocol standard for securing
credit card transactions over insecure networks,
specifically, the Internet.
SET was not itself a payment system, but rather a set of
security protocols and formats that enabled users to
employ the existing credit card payment infrastructure on
an open network in a secure fashion.
However, it failed to gain traction in the market. VISA now promotes the 3-D Secure scheme.
23. How it Works
Both cardholders and merchants must first register with a CA (certificate authority) before they can buy or sell on the Internet, which we will talk about later.
Once registration is done, the cardholder and merchant can start to do transactions, which in this simplified description involve 9 basic steps:
1. Customer browses the website and decides what to purchase
2. Customer sends order and payment information, which includes 2 parts in one message:
a. Purchase Order – this part is for the merchant
b. Card Information – this part is for the merchant's bank only.
24. 3. Merchant forwards the card information (part b) to their bank
4. Merchant's bank checks with the Issuer for payment authorization
5. Issuer sends authorization to the Merchant's bank
6. Merchant's bank sends authorization to the merchant
7. Merchant completes the order and sends confirmation to the customer
8. Merchant captures the transaction from their bank
9. Issuer issues the credit card bill (invoice) to the customer
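An added example (not from the slides) of the two-part order message in step 2 and the forwarding in step 3. SET binds the purchase order and the card information with a dual signature over H(H(OI) || H(PI)), so the merchant can verify its part while seeing only a digest of the card data, and the bank can confirm that the order it is asked to authorize is the one the customer paid for. The customer's RSA signature over that digest and the encryption of the bank envelope are assumed rather than implemented; the order and card values are constructed.

```python
import hashlib
import json


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def customer_order(oi: dict, pi: dict) -> tuple:
    """Build the two parts of step 2: (part for the merchant, envelope for the bank)."""
    oi_bytes = json.dumps(oi, sort_keys=True).encode()   # order information
    pi_bytes = json.dumps(pi, sort_keys=True).encode()   # payment instructions
    # Dual signature: the customer signs H(H(OI) || H(PI)).  The RSA signing of
    # this digest is assumed; only the digest that would be signed is computed.
    signed = h(h(oi_bytes) + h(pi_bytes))
    for_merchant = {"oi": oi_bytes, "pi_digest": h(pi_bytes), "signed": signed}
    for_bank = {"pi": pi_bytes, "oi_digest": h(oi_bytes), "signed": signed}
    # In SET the bank envelope is encrypted under the bank's public key (omitted
    # here); the merchant only relays it in step 3 and never parses it.
    return for_merchant, json.dumps({k: v.hex() for k, v in for_bank.items()}).encode()


def merchant_check(part: dict) -> bool:
    """The merchant sees the order but only a digest of the card data, and can
    still confirm that both halves are covered by the customer's signature."""
    return h(h(part["oi"]) + part["pi_digest"]) == part["signed"]


def bank_check(envelope: bytes, merchant_oi_digest: bytes) -> bool:
    """The bank sees the card data and only a digest of the order; it checks the
    linkage and that the order the merchant claims is the one the customer signed."""
    env = {k: bytes.fromhex(v) for k, v in json.loads(envelope).items()}
    linked = h(env["oi_digest"] + h(env["pi"])) == env["signed"]
    return linked and env["oi_digest"] == merchant_oi_digest


# Constructed sample order and card details (a well-known test card number).
ORDER = {"merchant": "shop.example", "items": ["book"], "amount": "19.99"}
CARD = {"pan": "4111111111111111", "exp": "12/30"}

if __name__ == "__main__":
    part, envelope = customer_order(ORDER, CARD)
    print("merchant ok:", merchant_check(part), "| sees card?", b"4111" in part["oi"])
    print("bank ok:", bank_check(envelope, h(part["oi"])))
```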
25. 4: Database Security
Every company needs places to store institutional knowledge and data.
Frequently that data contains proprietary information:
- Personally Identifiable Data
- Employee HR Data
- Financial Data
The security and confidentiality of this data is of critical importance.
26. Definition - What does Database Security mean?
Database security refers to the collective measures
used to protect and secure a database or database
management software from illegitimate use and
malicious threats and attacks.
27. Security Overview
There are four key issues in the security of databases, just as with all security systems:
- Availability
- Authenticity
- Integrity
- Confidentiality
Availability
- Data needs to be available at all necessary times
- Data needs to be available to only the appropriate users
- Need to be able to track who has access to and who has accessed what data
28. Authenticity
- Need to ensure that the data has been edited by an authorized source
- Need to confirm that users accessing the system are who they say they are
- Need to verify that all report requests are from authorized users
- Need to verify that any outbound data is going to the expected receiver.
Integrity
- Need to verify that any external data has the correct formatting and other metadata
- Need to verify that all input data is accurate and verifiable
- Need to ensure that data is following the correct workflow rules for your institution/corporation
- Need to be able to report on all data changes and who authored them, to ensure compliance with corporate rules and privacy laws.
29. Confidentiality
- Need to ensure that confidential data is only available to the correct people
- Need to ensure that the entire database is secure from external and internal system breaches
- Need to provide for reporting on who has accessed what data and what they have done with it
- Mission-critical and legally sensitive data must be highly secured; the potential risks are lost business and litigation
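An added example (not from the slides) covering the integrity requirement to report on all data changes and their authors and the confidentiality requirement to report on who has accessed what data: an SQLite audit trail driven by triggers, which also refuses writes from a session with no authenticated user. The schema, table names and the app_user() SQL function are assumptions; the employee row is constructed.

```python
import sqlite3

SCHEMA = """
CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER);
CREATE TABLE audit_log (
    seq INTEGER PRIMARY KEY, at TEXT DEFAULT CURRENT_TIMESTAMP, actor TEXT,
    action TEXT, emp_id INTEGER, old_salary INTEGER, new_salary INTEGER);
-- Authenticity: no write is accepted unless the application has set a user.
CREATE TRIGGER emp_guard BEFORE UPDATE ON employees
    WHEN app_user() IS NULL BEGIN SELECT RAISE(ABORT, 'no authenticated user'); END;
-- Integrity/compliance: every salary change is recorded with its author.
CREATE TRIGGER emp_audit AFTER UPDATE OF salary ON employees BEGIN
    INSERT INTO audit_log(actor, action, emp_id, old_salary, new_salary)
    VALUES (app_user(), 'update', OLD.id, OLD.salary, NEW.salary);
END;
"""

class AuditedDB:
    def __init__(self) -> None:
        self.user = None
        self.conn = sqlite3.connect(":memory:")
        # Expose the application's authenticated identity to SQL so the
        # triggers above can record it, or refuse to act without it.
        self.conn.create_function("app_user", 0, lambda: self.user)
        self.conn.executescript(SCHEMA)
        self.conn.execute("INSERT INTO employees VALUES (1, 'Ada', 100)")  # constructed row

    def as_user(self, user):
        self.user = user
        return self

    def set_salary(self, emp_id: int, salary: int) -> bool:
        try:
            with self.conn:
                self.conn.execute("UPDATE employees SET salary=? WHERE id=?", (salary, emp_id))
            return True
        except sqlite3.DatabaseError:  # the guard trigger aborted the write
            return False

    def read_salary(self, emp_id: int) -> int:
        # SQLite has no SELECT triggers, so read access is logged by the application.
        with self.conn:
            self.conn.execute("INSERT INTO audit_log(actor, action, emp_id) VALUES (?, 'read', ?)",
                              (self.user, emp_id))
        return self.conn.execute("SELECT salary FROM employees WHERE id=?", (emp_id,)).fetchone()[0]

    def history(self, emp_id: int) -> list:
        """Who did what to this record, in order: (actor, action, old, new)."""
        return self.conn.execute("SELECT actor, action, old_salary, new_salary FROM audit_log "
                                 "WHERE emp_id=? ORDER BY seq", (emp_id,)).fetchall()
```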