Access Control : Defense Strategies and Techniques: Part II
Module I of Advanced System Security and Digital Forensics.Authentication Protocols & Category
Access Control : Defense Strategies and Techniques: Part II
Module I of Advanced System Security and Digital Forensics.Authentication Protocols & Category
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?SahilRao25
Let's take a look at implementations of AI or machine learning in the cybersecurity world. To know more: https://www.softwarefirms.co/blog/ai-and-machine-learning-in-cybersecurity-a-saviour-or-enemy?utm_source=Social+media&utm_medium=Traffic&utm_campaign=SR
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
From machine learning to deepfakes - how AI is revolutionizing cybersecurityInfosec
Artificial intelligence (AI) and machine learning are changing how cybercriminals carry out cyberattacks — and how cybersecurity professionals defend against them.
Join Infosec Skills author Emmanuel Tsukerman to get an inside look at these new technologies, their impact on cybersecurity and what it means for your career, including:
-Different attack methods that leverage machine learning
-Current and future uses of machine learning and AI within cybersecurity
-New skills and roles for cybersecurity professionals
-A live deepfake demonstration
Challenges in Applying AI to Enterprise CybersecurityTahseen Shabab
Applying AI/ML in live Cybersecurity environments can be challenging. We share some of our learnings and identify common pitfalls.
Bibu Labs is a leading Cybersecurity company leveraging AI to solve complex problems faced by Enterprise clients.
Cyber Threat Intelligence - It's not just about the feedsIain Dickson
Presented at BSides Perth 2019
Synopsis:
Although the practice of collecting and using intelligence has been studied and conducted by governments and the military for centuries, it’s relative application to Cyber Security has only recently been highlighted. This area of infosec has been termed Cyber Threat Intelligence, where the marriage of traditional intelligence techniques and analysis with deep technical understanding within the Cyber domain are used to predict future actions by threats through long term analysis and modelling. This approach is then used to support both proactive and reactive cyber security actions, from incident response to penetration testing. This presentation focuses on threat intelligence from a practical data perspective, moving away from just the commercial concept of threat intelligence feeds (although these form one part of the equation). This presentation will approach threat intelligence from an analysts perspective of what questions needs to be answered to effectively investigate an incident, using the Diamond Model and Cyber Kill Chain as framing devices. These questions will then lead to examples of the data that can be used to answer these questions. Although traditionally data collection has focused on external cyber information, more often than not however, it’s actions outside of those seen within an organisations network, or even outside cyberspace that can provide context to the actions a threat takes. Finally, we provide a number of use cases on which the results of threat intelligence processes can be applied within a Security Operations Centre, including Incident Response as well as traditional Penetration Testing and Red Teaming.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
“AI is the new electricity” proclaims Andrew Ng, co-founder of Google Brain. Just as we need to know how to safely harness electricity, we also need to know how to securely employ AI to power our businesses. In some scenarios, the security of AI systems can impact human safety. On the flip side, AI can also be misused by cyber-adversaries and so we need to understand how to counter them.
This talk will provide food for thought in 3 areas:
Security of AI systems
Use of AI in cybersecurity
Malicious use of AI
Some organizations have the resources and skills to secure their IT infrastructure against security threats; however, many organizations cannot do so. Organizations have a state-of-the-art security software solution or pay thousands of dollars for security tools. Even after that, no organization is entirely secure. Certified Threat Intelligence Analyst (C|TIA) allows cybersecurity professionals to enhance their skills in building sufficient organizational cyber threat intelligence. It is a specialist-level program. CTIA is an examination that tests the individuals’ skills and prepares them to make useful threat intelligence in the organization.
Read more: https://www.infosectrain.com/blog/ctia-course-outline/
The Future of Security: How Artificial Intelligence Will Impact UsPECB
For decades, the security profession has relied on the best technology we had at the time to deflect the onslaught of what we faced daily in the way of virus and malware attacks. Now, as predicted by Thomas Kuhn in his book “The Structure of Scientific Revolutions, we’re seeing the dawn of a new day where AI’s machine learning and advanced mathematical algorithms now offer validated deflection rates, pre-execution, in the realm of 99%. This session will explore this new paradigm and how it will impact our future.
Main points covered:
• How did our profession change in the world of reactive detection?
• How to escape the inertia that held us, prisoners?
• What is the power of AI and machine learning?
• What are the risks of this new technology?
Presenter:
Our presenter for this webinar, John McClurg serves as Vice President and Ambassador-At-Large of Cylance, where he is responsible for building Security and Trust programs & operational excellence efforts. Prior to Cylance, he served as the CSO of Dell, Honeywell, and Lucent and in the U.S. Intelligence Community, as a twice-decorated member of the Federal Bureau of Investigation (FBI). He also served as a Deputy Branch Chief of CIA where he helped to establish the new Counterespionage Group and was responsible for the management of complex counterespionage investigations. McClurg was voted one of America’s 25 most influential security professionals.
Organizer: Ardian Berisha
Date: October 25th, 2018
Recorded webinar link:
AI for security or security for AI - Sergey GordeychikSergey Gordeychik
Machine learning technologies are turning from rocket science into daily engineering life. You no longer have to know the difference between Faster R-CNN and HMM to develop a machine vision system, and even OpenCV has bindings for JavaScript allowing to resolve quite serious tasks all the while remaining in front end. On other hand massive implementation of AI in various areas brings about problems, and security is one of the greatest concerns. In the broader context security is really all about trust.
Do we trust AI? I don’t, personally.
What is “state of the art” in AI security? Yesterday it was a PoC, not a product, today becoming a We will fix it later, tomorrow it will be a if it works, don’t touch it. And tomorrow is too late.
But what we can do for Trustworthy AI? There are just no simple answers.
You can’t install antivirus or calculate hashes to control integrity of annotated dataset. Traditional firewalls and IDS are almost useless in ML cloud internal SDN Infiniband network. Event C-level Compliance such as PCI DSS and GDPR doesn’t work for massive country-level AI deployments. What about vulnerability management for TensorFlow ML model? How it will impact ROC and AUC?..
To make it better we should rethink Cyber Resilience for AI process, systems and applications to make sure that they continuously deliver the intended outcome despite adverse cyber events. Make sure that security is genuinely integrated into innovation that AI brings into our lives. To trust AI and earn his trust, perhaps?
For more classes visit
www.snaptutorial.com
PLEASE CHECK ALL INCLUDED PRODUCTS IN THIS TUTORIAL AS SOME QUIZ MAY BE MISSING
CIS 333 Week 1 Discussion Providing Security Over Data
CIS 333 Week 2 Discussion Risk Management and Malicious Attacks
CIS 333 Week 2 Lab 1 Performing Reconnaissance
Cognitive automation with machine learning in cyber securityRishi Kant
These slides deck is from # HITBGSEC Singapore 2018, It consists of integration of cognitive automation and machine learning in different cyber security processes
We are living in security era, where we are securing all our belongings under different modes of lock but it’s different in the case of system security. We are carelessly leaving our datas and softwares unlocked. The state of security on the internet is bad and getting worse. One reaction to this state of affairs is termed as Ethical Hacking which attempts to increase security protection by identifying and patching known security vulnerabilities on systems owned by other parties. As public and private organizations migrate more of their critical functions to the Internet, criminals have more opportunity and incentive to gain access to sensitive information through the Web application. So, Ethical hacking is an assessment to test and check an information technology environment for possible weak links and vulnerabilities. Ethical hacking describes the process of hacking a network in an ethical way, therefore with good intentions. This paper describes what ethical hacking is, what it can do, an ethical hacking methodology as well as some tools which can be used for an ethical hack.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?SahilRao25
Let's take a look at implementations of AI or machine learning in the cybersecurity world. To know more: https://www.softwarefirms.co/blog/ai-and-machine-learning-in-cybersecurity-a-saviour-or-enemy?utm_source=Social+media&utm_medium=Traffic&utm_campaign=SR
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
From machine learning to deepfakes - how AI is revolutionizing cybersecurityInfosec
Artificial intelligence (AI) and machine learning are changing how cybercriminals carry out cyberattacks — and how cybersecurity professionals defend against them.
Join Infosec Skills author Emmanuel Tsukerman to get an inside look at these new technologies, their impact on cybersecurity and what it means for your career, including:
-Different attack methods that leverage machine learning
-Current and future uses of machine learning and AI within cybersecurity
-New skills and roles for cybersecurity professionals
-A live deepfake demonstration
Challenges in Applying AI to Enterprise CybersecurityTahseen Shabab
Applying AI/ML in live Cybersecurity environments can be challenging. We share some of our learnings and identify common pitfalls.
Bibu Labs is a leading Cybersecurity company leveraging AI to solve complex problems faced by Enterprise clients.
Cyber Threat Intelligence - It's not just about the feedsIain Dickson
Presented at BSides Perth 2019
Synopsis:
Although the practice of collecting and using intelligence has been studied and conducted by governments and the military for centuries, it’s relative application to Cyber Security has only recently been highlighted. This area of infosec has been termed Cyber Threat Intelligence, where the marriage of traditional intelligence techniques and analysis with deep technical understanding within the Cyber domain are used to predict future actions by threats through long term analysis and modelling. This approach is then used to support both proactive and reactive cyber security actions, from incident response to penetration testing. This presentation focuses on threat intelligence from a practical data perspective, moving away from just the commercial concept of threat intelligence feeds (although these form one part of the equation). This presentation will approach threat intelligence from an analysts perspective of what questions needs to be answered to effectively investigate an incident, using the Diamond Model and Cyber Kill Chain as framing devices. These questions will then lead to examples of the data that can be used to answer these questions. Although traditionally data collection has focused on external cyber information, more often than not however, it’s actions outside of those seen within an organisations network, or even outside cyberspace that can provide context to the actions a threat takes. Finally, we provide a number of use cases on which the results of threat intelligence processes can be applied within a Security Operations Centre, including Incident Response as well as traditional Penetration Testing and Red Teaming.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
“AI is the new electricity” proclaims Andrew Ng, co-founder of Google Brain. Just as we need to know how to safely harness electricity, we also need to know how to securely employ AI to power our businesses. In some scenarios, the security of AI systems can impact human safety. On the flip side, AI can also be misused by cyber-adversaries and so we need to understand how to counter them.
This talk will provide food for thought in 3 areas:
Security of AI systems
Use of AI in cybersecurity
Malicious use of AI
Some organizations have the resources and skills to secure their IT infrastructure against security threats; however, many organizations cannot do so. Organizations have a state-of-the-art security software solution or pay thousands of dollars for security tools. Even after that, no organization is entirely secure. Certified Threat Intelligence Analyst (C|TIA) allows cybersecurity professionals to enhance their skills in building sufficient organizational cyber threat intelligence. It is a specialist-level program. CTIA is an examination that tests the individuals’ skills and prepares them to make useful threat intelligence in the organization.
Read more: https://www.infosectrain.com/blog/ctia-course-outline/
The Future of Security: How Artificial Intelligence Will Impact UsPECB
For decades, the security profession has relied on the best technology we had at the time to deflect the onslaught of what we faced daily in the way of virus and malware attacks. Now, as predicted by Thomas Kuhn in his book “The Structure of Scientific Revolutions, we’re seeing the dawn of a new day where AI’s machine learning and advanced mathematical algorithms now offer validated deflection rates, pre-execution, in the realm of 99%. This session will explore this new paradigm and how it will impact our future.
Main points covered:
• How did our profession change in the world of reactive detection?
• How to escape the inertia that held us, prisoners?
• What is the power of AI and machine learning?
• What are the risks of this new technology?
Presenter:
Our presenter for this webinar, John McClurg serves as Vice President and Ambassador-At-Large of Cylance, where he is responsible for building Security and Trust programs & operational excellence efforts. Prior to Cylance, he served as the CSO of Dell, Honeywell, and Lucent and in the U.S. Intelligence Community, as a twice-decorated member of the Federal Bureau of Investigation (FBI). He also served as a Deputy Branch Chief of CIA where he helped to establish the new Counterespionage Group and was responsible for the management of complex counterespionage investigations. McClurg was voted one of America’s 25 most influential security professionals.
Organizer: Ardian Berisha
Date: October 25th, 2018
Recorded webinar link:
AI for security or security for AI - Sergey GordeychikSergey Gordeychik
Machine learning technologies are turning from rocket science into daily engineering life. You no longer have to know the difference between Faster R-CNN and HMM to develop a machine vision system, and even OpenCV has bindings for JavaScript allowing to resolve quite serious tasks all the while remaining in front end. On other hand massive implementation of AI in various areas brings about problems, and security is one of the greatest concerns. In the broader context security is really all about trust.
Do we trust AI? I don’t, personally.
What is “state of the art” in AI security? Yesterday it was a PoC, not a product, today becoming a We will fix it later, tomorrow it will be a if it works, don’t touch it. And tomorrow is too late.
But what we can do for Trustworthy AI? There are just no simple answers.
You can’t install antivirus or calculate hashes to control integrity of annotated dataset. Traditional firewalls and IDS are almost useless in ML cloud internal SDN Infiniband network. Event C-level Compliance such as PCI DSS and GDPR doesn’t work for massive country-level AI deployments. What about vulnerability management for TensorFlow ML model? How it will impact ROC and AUC?..
To make it better we should rethink Cyber Resilience for AI process, systems and applications to make sure that they continuously deliver the intended outcome despite adverse cyber events. Make sure that security is genuinely integrated into innovation that AI brings into our lives. To trust AI and earn his trust, perhaps?
For more classes visit
www.snaptutorial.com
PLEASE CHECK ALL INCLUDED PRODUCTS IN THIS TUTORIAL AS SOME QUIZ MAY BE MISSING
CIS 333 Week 1 Discussion Providing Security Over Data
CIS 333 Week 2 Discussion Risk Management and Malicious Attacks
CIS 333 Week 2 Lab 1 Performing Reconnaissance
Cognitive automation with machine learning in cyber securityRishi Kant
These slides deck is from # HITBGSEC Singapore 2018, It consists of integration of cognitive automation and machine learning in different cyber security processes
We are living in security era, where we are securing all our belongings under different modes of lock but it’s different in the case of system security. We are carelessly leaving our datas and softwares unlocked. The state of security on the internet is bad and getting worse. One reaction to this state of affairs is termed as Ethical Hacking which attempts to increase security protection by identifying and patching known security vulnerabilities on systems owned by other parties. As public and private organizations migrate more of their critical functions to the Internet, criminals have more opportunity and incentive to gain access to sensitive information through the Web application. So, Ethical hacking is an assessment to test and check an information technology environment for possible weak links and vulnerabilities. Ethical hacking describes the process of hacking a network in an ethical way, therefore with good intentions. This paper describes what ethical hacking is, what it can do, an ethical hacking methodology as well as some tools which can be used for an ethical hack.
Are you a tech-savvy individual interested in the world of cybersecurity? Do you possess a passion for problem-solving and a curiosity to explore the depths of computer networks? If so, pursuing an ethical hacking course after completing your 12th grade could be a rewarding and fulfilling path for you. In this article, we will delve into the world of ethical hacking, explore its significance in today’s digital landscape, and provide you with a comprehensive guide on how to embark on this exciting journey.
Advanced Persistent Threats (APTs) are a serious concern as they represent a threat to an organization’s intellectual property, financial assets and reputation. In some cases, these threats target critical infrastructure and government institutions, thereby threatening the country’s national security itself.
Today's security is that the main downside and every one the work is finished over the net mistreatment knowledge. whereas the information is out there, there square measure many varieties of users who act with knowledge and a few of them for his or her would like it all for his or her gaining data. There square measure numerous techniques used for cover of information however the hacker or cracker is a lot of intelligent to hack the security, there square measure 2 classes of hackers theyre completely different from one another on the idea of their arrange. The one who has smart plans square measure referred to as moral hackers as a result of the ethics to use their talent and techniques of hacking to supply security to the organization. this idea describes concerning the hacking, styles of hackers, rules of moral hacking and also the blessings of the moral hacking. Mukesh. M | Dr. S. Vengateshkumar "Ethical Hacking" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-6 , October 2019, URL: https://www.ijtsrd.com/papers/ijtsrd29351.pdf Paper URL: https://www.ijtsrd.com/engineering/computer-engineering/29351/ethical-hacking/mukesh-m
Selected advanced themes in ethical hacking and penetration testingCSITiaesprime
Since 1980 cyberattacks have been evolving with the rising numbers of internet users and the constant evolving of security systems, and since then security systems experts have been trying to fight these kinds of attacks. This paper has both ethical and scientific goals, ethically, to raise awareness on cyberattacks and provide people with the knowledge that allows them to use the world wide web with fewer worries knowing how to protect their information and their devices with what they can. Scientifically, this paper includes a deep understanding of types of hackers, attacks, and various ways to stay safe online. This research investigates how ethical hackers adapt to the current and upcoming cyber threats. The different approaches for some famous hacking types along with their results are shown. Python and Ruby are used for coding, which we run on Kali Linux operating system.
About the PresentationsThe presentations cover the objectives .docxaryan532920
About the Presentations
The presentations cover the objectives found in the opening of each chapter.
All chapter objectives are listed in the beginning of each presentation.
You may customize the presentations to fit your class needs.
Some figures from the chapters are included. A complete set of images from the book can be found on the Instructor Resources disc.
1
Principles of Incident Response and Disaster Recovery, 2nd Edition
Chapter 01
An Overview of Information
Security and Risk Management
2
2
Objectives
Define and explain information security
Identify and explain the basic concepts of risk management
List and discuss the components of contingency planning
Describe the role of information security policy in the development of contingency plans
Principles of Incident Response and Disaster Recovery, 2nd Edition
3
3
Introduction
Contingency planning
Being ready for incidents and disasters
Example: 1/10 of one percent of online users
Allows for two and a half million potential attackers
Example: World Trade Center (WTC) organizations
Had contingency plans due to February 1993 attack
Example: 2008 Gartner report
2/3 of organizations invoked plans in prior two years
Information security includes contingency planning
Ensures confidentiality, integrity, availability of data
Principles of Incident Response and Disaster Recovery, 2nd Edition
4
4
Information Security
Committee on National Security Systems (CNSS) information security definition
Protection of information and its critical elements
Includes systems and hardware storing, transmitting information
Part of the CNSS model (evolved from C.I.A. triangle)
Conceptual framework for understanding security
Information security (InfoSec)
Protection of confidentiality, integrity, and availability of information
In storage, during processing, and during transmission
Principles of Incident Response and Disaster Recovery, 2nd Edition
5
5
Key Information Security Concepts
Threat: object, person, other entity posing potential risk of loss to an asset
Asset: organizational resource being protected
Logical or physical
Attack: attempt to cause damage to or compromise information of supporting systems
Arises from a threat; intentional or unintentional
Threat-agent: threat instance
Specific and identifiable; exploits asset vulnerabilities
Principles of Incident Response and Disaster Recovery, 2nd Edition
6
6
Key Information Security Concepts (cont’d.)
Vulnerability
Flaw or weakness in system security procedures, design, implementation, internal controls
Results in security breach or security policy violation
Well-known or latent
Exercised accidently or intentionally
Exploit: caused by threat-agent
Can exploit system or information through illegal use
Can create an exploit to target a specific vulnerability
Control/safeguard/countermeasure: prevent attack
Principles of Incident Response and Disaster Recovery, 2nd Edition
7
7
Key Information Security Concepts (cont’d.)
Princ.
About the PresentationsThe presentations cover the objectives .docxbartholomeocoombs
About the Presentations
The presentations cover the objectives found in the opening of each chapter.
All chapter objectives are listed in the beginning of each presentation.
You may customize the presentations to fit your class needs.
Some figures from the chapters are included. A complete set of images from the book can be found on the Instructor Resources disc.
1
Principles of Incident Response and Disaster Recovery, 2nd Edition
Chapter 01
An Overview of Information
Security and Risk Management
2
2
Objectives
Define and explain information security
Identify and explain the basic concepts of risk management
List and discuss the components of contingency planning
Describe the role of information security policy in the development of contingency plans
Principles of Incident Response and Disaster Recovery, 2nd Edition
3
3
Introduction
Contingency planning
Being ready for incidents and disasters
Example: 1/10 of one percent of online users
Allows for two and a half million potential attackers
Example: World Trade Center (WTC) organizations
Had contingency plans due to February 1993 attack
Example: 2008 Gartner report
2/3 of organizations invoked plans in prior two years
Information security includes contingency planning
Ensures confidentiality, integrity, availability of data
Principles of Incident Response and Disaster Recovery, 2nd Edition
4
4
Information Security
Committee on National Security Systems (CNSS) information security definition
Protection of information and its critical elements
Includes systems and hardware storing, transmitting information
Part of the CNSS model (evolved from C.I.A. triangle)
Conceptual framework for understanding security
Information security (InfoSec)
Protection of confidentiality, integrity, and availability of information
In storage, during processing, and during transmission
Principles of Incident Response and Disaster Recovery, 2nd Edition
5
5
Key Information Security Concepts
Threat: object, person, other entity posing potential risk of loss to an asset
Asset: organizational resource being protected
Logical or physical
Attack: attempt to cause damage to or compromise information of supporting systems
Arises from a threat; intentional or unintentional
Threat-agent: threat instance
Specific and identifiable; exploits asset vulnerabilities
Principles of Incident Response and Disaster Recovery, 2nd Edition
6
6
Key Information Security Concepts (cont’d.)
Vulnerability
Flaw or weakness in system security procedures, design, implementation, internal controls
Results in security breach or security policy violation
Well-known or latent
Exercised accidently or intentionally
Exploit: caused by threat-agent
Can exploit system or information through illegal use
Can create an exploit to target a specific vulnerability
Control/safeguard/countermeasure: prevent attack
Principles of Incident Response and Disaster Recovery, 2nd Edition
7
7
Key Information Security Concepts (cont’d.)
Princ.
The world of computing has been revolutionised by the introduction of cloud computing. The cloud is an environment in which data and software are stored and managed remotely, typically on servers connected to the Internet. With the widespread use of cloud computing, more people are now able to access data and use software that would previously have been too expensive for them to own.
Ethical hacking is the process of evaluating and testing a computer or network for security vulnerabilities and flaws. This process is typically done to assess the security of a network or a computer system. It is also used to evaluate the security of a product before it is released. The main goal of ethical hacking is to protect the confidentiality, integrity, and availability of information and computer systems.
Similar to Lecture #2: Defence Strategies and Techniques (Security): Part I (20)
COLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdfKamal Acharya
The College Bus Management system is completely developed by Visual Basic .NET Version. The application is connect with most secured database language MS SQL Server. The application is develop by using best combination of front-end and back-end languages. The application is totally design like flat user interface. This flat user interface is more attractive user interface in 2017. The application is gives more important to the system functionality. The application is to manage the student’s details, driver’s details, bus details, bus route details, bus fees details and more. The application has only one unit for admin. The admin can manage the entire application. The admin can login into the application by using username and password of the admin. The application is develop for big and small colleges. It is more user friendly for non-computer person. Even they can easily learn how to manage the application within hours. The application is more secure by the admin. The system will give an effective output for the VB.Net and SQL Server given as input to the system. The compiled java program given as input to the system, after scanning the program will generate different reports. The application generates the report for users. The admin can view and download the report of the data. The application deliver the excel format reports. Because, excel formatted reports is very easy to understand the income and expense of the college bus. This application is mainly develop for windows operating system users. In 2017, 73% of people enterprises are using windows operating system. So the application will easily install for all the windows operating system users. The application-developed size is very low. The application consumes very low space in disk. Therefore, the user can allocate very minimum local disk space for this application.
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Dr.Costas Sachpazis
Terzaghi's soil bearing capacity theory, developed by Karl Terzaghi, is a fundamental principle in geotechnical engineering used to determine the bearing capacity of shallow foundations. This theory provides a method to calculate the ultimate bearing capacity of soil, which is the maximum load per unit area that the soil can support without undergoing shear failure. The Calculation HTML Code included.
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdffxintegritypublishin
Advancements in technology unveil a myriad of electrical and electronic breakthroughs geared towards efficiently harnessing limited resources to meet human energy demands. The optimization of hybrid solar PV panels and pumped hydro energy supply systems plays a pivotal role in utilizing natural resources effectively. This initiative not only benefits humanity but also fosters environmental sustainability. The study investigated the design optimization of these hybrid systems, focusing on understanding solar radiation patterns, identifying geographical influences on solar radiation, formulating a mathematical model for system optimization, and determining the optimal configuration of PV panels and pumped hydro storage. Through a comparative analysis approach and eight weeks of data collection, the study addressed key research questions related to solar radiation patterns and optimal system design. The findings highlighted regions with heightened solar radiation levels, showcasing substantial potential for power generation and emphasizing the system's efficiency. Optimizing system design significantly boosted power generation, promoted renewable energy utilization, and enhanced energy storage capacity. The study underscored the benefits of optimizing hybrid solar PV panels and pumped hydro energy supply systems for sustainable energy usage. Optimizing the design of solar PV panels and pumped hydro energy supply systems as examined across diverse climatic conditions in a developing country, not only enhances power generation but also improves the integration of renewable energy sources and boosts energy storage capacities, particularly beneficial for less economically prosperous regions. Additionally, the study provides valuable insights for advancing energy research in economically viable areas. Recommendations included conducting site-specific assessments, utilizing advanced modeling tools, implementing regular maintenance protocols, and enhancing communication among system components.
Immunizing Image Classifiers Against Localized Adversary Attacksgerogepatton
This paper addresses the vulnerability of deep learning models, particularly convolutional neural networks
(CNN)s, to adversarial attacks and presents a proactive training technique designed to counter them. We
introduce a novel volumization algorithm, which transforms 2D images into 3D volumetric representations.
When combined with 3D convolution and deep curriculum learning optimization (CLO), itsignificantly improves
the immunity of models against localized universal attacks by up to 40%. We evaluate our proposed approach
using contemporary CNN architectures and the modified Canadian Institute for Advanced Research (CIFAR-10
and CIFAR-100) and ImageNet Large Scale Visual Recognition Challenge (ILSVRC12) datasets, showcasing
accuracy improvements over previous techniques. The results indicate that the combination of the volumetric
input and curriculum learning holds significant promise for mitigating adversarial attacks without necessitating
adversary training.
Water scarcity is the lack of fresh water resources to meet the standard water demand. There are two type of water scarcity. One is physical. The other is economic water scarcity.
Cosmetic shop management system project report.pdfKamal Acharya
Buying new cosmetic products is difficult. It can even be scary for those who have sensitive skin and are prone to skin trouble. The information needed to alleviate this problem is on the back of each product, but it's thought to interpret those ingredient lists unless you have a background in chemistry.
Instead of buying and hoping for the best, we can use data science to help us predict which products may be good fits for us. It includes various function programs to do the above mentioned tasks.
Data file handling has been effectively used in the program.
The automated cosmetic shop management system should deal with the automation of general workflow and administration process of the shop. The main processes of the system focus on customer's request where the system is able to search the most appropriate products and deliver it to the customers. It should help the employees to quickly identify the list of cosmetic product that have reached the minimum quantity and also keep a track of expired date for each cosmetic product. It should help the employees to find the rack number in which the product is placed.It is also Faster and more efficient way.
Overview of the fundamental roles in Hydropower generation and the components involved in wider Electrical Engineering.
This paper presents the design and construction of hydroelectric dams from the hydrologist’s survey of the valley before construction, all aspects and involved disciplines, fluid dynamics, structural engineering, generation and mains frequency regulation to the very transmission of power through the network in the United Kingdom.
Author: Robbie Edward Sayers
Collaborators and co editors: Charlie Sims and Connor Healey.
(C) 2024 Robbie E. Sayers
Lecture #2: Defence Strategies and Techniques (Security): Part I
1. Lecture #2: Defence Strategies and Techniques: Part I
Dr.Ramchandra Mangrulkar
August 5, 2020
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 1 / 15
3. Access Control
First Strategy
Security technique that regulates who or what can view
Selective restriction of access to a place or other resource
Fundamental concept in security that minimizes risk to the business
or organization.
Two Types : Physical and Logical.
Physical access control limits access to campuses, buildings, rooms
and physical IT assets.
Logical access control limits connections to computer networks,
system files and data.
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 3 / 15
4. Access Control
First Strategy
Security technique that regulates who or what can view
Selective restriction of access to a place or other resource
Fundamental concept in security that minimizes risk to the business
or organization.
Two Types : Physical and Logical.
Physical access control limits access to campuses, buildings, rooms
and physical IT assets.
Logical access control limits connections to computer networks,
system files and data.
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 3 / 15
5. Access Control
First Strategy
Security technique that regulates who or what can view
Selective restriction of access to a place or other resource
Fundamental concept in security that minimizes risk to the business
or organization.
Two Types : Physical and Logical.
Physical access control limits access to campuses, buildings, rooms
and physical IT assets.
Logical access control limits connections to computer networks,
system files and data.
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 3 / 15
6. Access Control
First Strategy
Security technique that regulates who or what can view
Selective restriction of access to a place or other resource
Fundamental concept in security that minimizes risk to the business
or organization.
Two Types : Physical and Logical.
Physical access control limits access to campuses, buildings, rooms
and physical IT assets.
Logical access control limits connections to computer networks,
system files and data.
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 3 / 15
7. Access Control
First Strategy
Security technique that regulates who or what can view
Selective restriction of access to a place or other resource
Fundamental concept in security that minimizes risk to the business
or organization.
Two Types : Physical and Logical.
Physical access control limits access to campuses, buildings, rooms
and physical IT assets.
Logical access control limits connections to computer networks,
system files and data.
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 3 / 15
8. Access Control
First Strategy
Security technique that regulates who or what can view
Selective restriction of access to a place or other resource
Fundamental concept in security that minimizes risk to the business
or organization.
Two Types : Physical and Logical.
Physical access control limits access to campuses, buildings, rooms
and physical IT assets.
Logical access control limits connections to computer networks,
system files and data.
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 3 / 15
9. Access Control
First Strategy
Security technique that regulates who or what can view
Selective restriction of access to a place or other resource
Fundamental concept in security that minimizes risk to the business
or organization.
Two Types : Physical and Logical.
Physical access control limits access to campuses, buildings, rooms
and physical IT assets.
Logical access control limits connections to computer networks,
system files and data.
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 3 / 15
10. Access Control(Continue...)
Authentication and Authorization1
Authentication Methods (Three-factor authentication) :
Something you know (Something I know)
Something you have (Something I Have)
Something you are (Something I am)
1
https://www.coursera.org/learn/cybersecurity/lecture/sQpu1/introduction-to-
identity-credentials
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 4 / 15
11. Access Control(Continue...)
Authentication and Authorization1
Authentication Methods (Three-factor authentication) :
Something you know (Something I know)
Something you have (Something I Have)
Something you are (Something I am)
1
https://www.coursera.org/learn/cybersecurity/lecture/sQpu1/introduction-to-
identity-credentials
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 4 / 15
12. Access Control(Continue...)
Authentication and Authorization1
Authentication Methods (Three-factor authentication) :
Something you know (Something I know)
Something you have (Something I Have)
Something you are (Something I am)
1
https://www.coursera.org/learn/cybersecurity/lecture/sQpu1/introduction-to-
identity-credentials
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 4 / 15
13. Access Control(Continue...)
Authentication and Authorization1
Authentication Methods (Three-factor authentication) :
Something you know (Something I know)
Something you have (Something I Have)
Something you are (Something I am)
1
https://www.coursera.org/learn/cybersecurity/lecture/sQpu1/introduction-to-
identity-credentials
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 4 / 15
14. Access Control(Continue...)
Authentication and Authorization1
Authentication Methods (Three-factor authentication) :
Something you know (Something I know)
Something you have (Something I Have)
Something you are (Something I am)
1
https://www.coursera.org/learn/cybersecurity/lecture/sQpu1/introduction-to-
identity-credentials
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 4 / 15
15. Something you know
Something you know (Something I know)
Only user of system know
-e.g. Password, Pin
-knowledge of a secret distinguishes you from all other individuals
-system simply needs to check to see if the person claiming to be you
knows the secret
-An attacker can last steal this kind of credential
people will tend to choose passwords that are easy to remember,
which usually means that the password is easy to guess
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 5 / 15
16. Something you know
Something you know (Something I know)
Only user of system know
-e.g. Password, Pin
-knowledge of a secret distinguishes you from all other individuals
-system simply needs to check to see if the person claiming to be you
knows the secret
-An attacker can last steal this kind of credential
people will tend to choose passwords that are easy to remember,
which usually means that the password is easy to guess
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 5 / 15
17. Something you know
Something you know (Something I know)
Only user of system know
-e.g. Password, Pin
-knowledge of a secret distinguishes you from all other individuals
-system simply needs to check to see if the person claiming to be you
knows the secret
-An attacker can last steal this kind of credential
people will tend to choose passwords that are easy to remember,
which usually means that the password is easy to guess
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 5 / 15
18. Something you know
Changing a password requires human intervention. Thus,
compromised passwords could remain valid for longer than is desirable.
And there must be some mechanism for resetting the password
(because passwords will get forgotten and compromised).
This mechanism could itself be vulnerable to social-engineering
attacks, which rely on convincing a human with the authority to
change or access information that it is necessary to do so.
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 6 / 15
19. Something you know
Changing a password requires human intervention. Thus,
compromised passwords could remain valid for longer than is desirable.
And there must be some mechanism for resetting the password
(because passwords will get forgotten and compromised).
This mechanism could itself be vulnerable to social-engineering
attacks, which rely on convincing a human with the authority to
change or access information that it is necessary to do so.
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 6 / 15
20. Something you know
Changing a password requires human intervention. Thus,
compromised passwords could remain valid for longer than is desirable.
And there must be some mechanism for resetting the password
(because passwords will get forgotten and compromised).
This mechanism could itself be vulnerable to social-engineering
attacks, which rely on convincing a human with the authority to
change or access information that it is necessary to do so.
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 6 / 15
21. Something you know
There are three dimensions2
Length
- Longer passwords are better - A good way to get a long password
that is seemingly random yet easy to remember
- e.g. like the first words of a song and then generate the password
from the first letters of the passphrase.
Character set -more characters...greater the number of possible
combinations of characters
-so the larger the password space... require doing more work by an
attacker.
Randomness
- Mathematically, it turns out that English has about 1.3 bits of
information per character. Thus it takes 49 characters to get 64 bits
of ”secret”, which comes out to about 10 words (at 5 characters on
average per word).
2
https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 7 / 15
22. Something you know
There are three dimensions2
Length
- Longer passwords are better - A good way to get a long password
that is seemingly random yet easy to remember
- e.g. like the first words of a song and then generate the password
from the first letters of the passphrase.
Character set -more characters...greater the number of possible
combinations of characters
-so the larger the password space... require doing more work by an
attacker.
Randomness
- Mathematically, it turns out that English has about 1.3 bits of
information per character. Thus it takes 49 characters to get 64 bits
of ”secret”, which comes out to about 10 words (at 5 characters on
average per word).
2
https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 7 / 15
23. Something you know
There are three dimensions2
Length
- Longer passwords are better - A good way to get a long password
that is seemingly random yet easy to remember
- e.g. like the first words of a song and then generate the password
from the first letters of the passphrase.
Character set -more characters...greater the number of possible
combinations of characters
-so the larger the password space... require doing more work by an
attacker.
Randomness
- Mathematically, it turns out that English has about 1.3 bits of
information per character. Thus it takes 49 characters to get 64 bits
of ”secret”, which comes out to about 10 words (at 5 characters on
average per word).
2
https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 7 / 15
24. Something you know
There are three dimensions2
Length
- Longer passwords are better - A good way to get a long password
that is seemingly random yet easy to remember
- e.g. like the first words of a song and then generate the password
from the first letters of the passphrase.
Character set -more characters...greater the number of possible
combinations of characters
-so the larger the password space... require doing more work by an
attacker.
Randomness
- Mathematically, it turns out that English has about 1.3 bits of
information per character. Thus it takes 49 characters to get 64 bits
of ”secret”, which comes out to about 10 words (at 5 characters on
average per word).
2
https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 7 / 15
25. Something you know : more on ”Password”
Password stored as HASH value
possibility of offline dictionary attacks. - hash of every word in some dictionary - compares each hash with the stored
password hashes. - if matched, the attacker has learned a password.
Salt is a random number that is associated with a user and is added to that user’s password when the hash is computed.
system stores both h(password + salt) and the salt for each account
Salt does not make it more difficult for an attacker to guess the password for a given account, since the salt for each
account is stored in the clear. What salt does, however, is make it harder for the attacker to perpetrate an offline
dictionary attack against all users. When salt is used, all the words in the dictionary would have to be rehashed for every
user. What formerly could be seen as a ”wholesale” attack has been transformed into a ”retail” one.
Salt is used in most UNIX implementations. The salt in early versions of UNIX was 12 bits, and it was formed from the
system time and the process identifier when an account is created. Unfortunately, 12 bits is hopelessly small, nowadays.
Even an old PC can perform 13,000 crypt/sec, which means such a PC so can hash a 20k word dictionary with every
possible value of a 12 bit salt in 1 hour.
Point to Explore : Secret Salt, Defense Against Password Theft: A Trusted Path 3
3
https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 8 / 15
26. Something you know : more on ”Password”
Password stored as HASH value
possibility of offline dictionary attacks. - hash of every word in some dictionary - compares each hash with the stored
password hashes. - if matched, the attacker has learned a password.
Salt is a random number that is associated with a user and is added to that user’s password when the hash is computed.
system stores both h(password + salt) and the salt for each account
Salt does not make it more difficult for an attacker to guess the password for a given account, since the salt for each
account is stored in the clear. What salt does, however, is make it harder for the attacker to perpetrate an offline
dictionary attack against all users. When salt is used, all the words in the dictionary would have to be rehashed for every
user. What formerly could be seen as a ”wholesale” attack has been transformed into a ”retail” one.
Salt is used in most UNIX implementations. The salt in early versions of UNIX was 12 bits, and it was formed from the
system time and the process identifier when an account is created. Unfortunately, 12 bits is hopelessly small, nowadays.
Even an old PC can perform 13,000 crypt/sec, which means such a PC so can hash a 20k word dictionary with every
possible value of a 12 bit salt in 1 hour.
Point to Explore : Secret Salt, Defense Against Password Theft: A Trusted Path 3
3
https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 8 / 15
27. Something you know : more on ”Password”
Password stored as HASH value
possibility of offline dictionary attacks. - hash of every word in some dictionary - compares each hash with the stored
password hashes. - if matched, the attacker has learned a password.
Salt is a random number that is associated with a user and is added to that user’s password when the hash is computed.
system stores both h(password + salt) and the salt for each account
Salt does not make it more difficult for an attacker to guess the password for a given account, since the salt for each
account is stored in the clear. What salt does, however, is make it harder for the attacker to perpetrate an offline
dictionary attack against all users. When salt is used, all the words in the dictionary would have to be rehashed for every
user. What formerly could be seen as a ”wholesale” attack has been transformed into a ”retail” one.
Salt is used in most UNIX implementations. The salt in early versions of UNIX was 12 bits, and it was formed from the
system time and the process identifier when an account is created. Unfortunately, 12 bits is hopelessly small, nowadays.
Even an old PC can perform 13,000 crypt/sec, which means such a PC so can hash a 20k word dictionary with every
possible value of a 12 bit salt in 1 hour.
Point to Explore : Secret Salt, Defense Against Password Theft: A Trusted Path 3
3
https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 8 / 15
28. Something you know : more on ”Password”
Password stored as HASH value
possibility of offline dictionary attacks. - hash of every word in some dictionary - compares each hash with the stored
password hashes. - if matched, the attacker has learned a password.
Salt is a random number that is associated with a user and is added to that user’s password when the hash is computed.
system stores both h(password + salt) and the salt for each account
Salt does not make it more difficult for an attacker to guess the password for a given account, since the salt for each
account is stored in the clear. What salt does, however, is make it harder for the attacker to perpetrate an offline
dictionary attack against all users. When salt is used, all the words in the dictionary would have to be rehashed for every
user. What formerly could be seen as a ”wholesale” attack has been transformed into a ”retail” one.
Salt is used in most UNIX implementations. The salt in early versions of UNIX was 12 bits, and it was formed from the
system time and the process identifier when an account is created. Unfortunately, 12 bits is hopelessly small, nowadays.
Even an old PC can perform 13,000 crypt/sec, which means such a PC so can hash a 20k word dictionary with every
possible value of a 12 bit salt in 1 hour.
Point to Explore : Secret Salt, Defense Against Password Theft: A Trusted Path 3
3
https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 8 / 15
29. Something you know : more on ”Password”
Password stored as HASH value
possibility of offline dictionary attacks. - hash of every word in some dictionary - compares each hash with the stored
password hashes. - if matched, the attacker has learned a password.
Salt is a random number that is associated with a user and is added to that user’s password when the hash is computed.
system stores both h(password + salt) and the salt for each account
Salt does not make it more difficult for an attacker to guess the password for a given account, since the salt for each
account is stored in the clear. What salt does, however, is make it harder for the attacker to perpetrate an offline
dictionary attack against all users. When salt is used, all the words in the dictionary would have to be rehashed for every
user. What formerly could be seen as a ”wholesale” attack has been transformed into a ”retail” one.
Salt is used in most UNIX implementations. The salt in early versions of UNIX was 12 bits, and it was formed from the
system time and the process identifier when an account is created. Unfortunately, 12 bits is hopelessly small, nowadays.
Even an old PC can perform 13,000 crypt/sec, which means such a PC so can hash a 20k word dictionary with every
possible value of a 12 bit salt in 1 hour.
Point to Explore : Secret Salt, Defense Against Password Theft: A Trusted Path 3
3
https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 8 / 15
30. Something you know : more on ”Password”
Password stored as HASH value
possibility of offline dictionary attacks. - hash of every word in some dictionary - compares each hash with the stored
password hashes. - if matched, the attacker has learned a password.
Salt is a random number that is associated with a user and is added to that user’s password when the hash is computed.
system stores both h(password + salt) and the salt for each account
Salt does not make it more difficult for an attacker to guess the password for a given account, since the salt for each
account is stored in the clear. What salt does, however, is make it harder for the attacker to perpetrate an offline
dictionary attack against all users. When salt is used, all the words in the dictionary would have to be rehashed for every
user. What formerly could be seen as a ”wholesale” attack has been transformed into a ”retail” one.
Salt is used in most UNIX implementations. The salt in early versions of UNIX was 12 bits, and it was formed from the
system time and the process identifier when an account is created. Unfortunately, 12 bits is hopelessly small, nowadays.
Even an old PC can perform 13,000 crypt/sec, which means such a PC so can hash a 20k word dictionary with every
possible value of a 12 bit salt in 1 hour.
Point to Explore : Secret Salt, Defense Against Password Theft: A Trusted Path 3
3
https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 8 / 15
31. Something you know : more on ”Password”
Password stored as HASH value
possibility of offline dictionary attacks. - hash of every word in some dictionary - compares each hash with the stored
password hashes. - if matched, the attacker has learned a password.
Salt is a random number that is associated with a user and is added to that user’s password when the hash is computed.
system stores both h(password + salt) and the salt for each account
Salt does not make it more difficult for an attacker to guess the password for a given account, since the salt for each
account is stored in the clear. What salt does, however, is make it harder for the attacker to perpetrate an offline
dictionary attack against all users. When salt is used, all the words in the dictionary would have to be rehashed for every
user. What formerly could be seen as a ”wholesale” attack has been transformed into a ”retail” one.
Salt is used in most UNIX implementations. The salt in early versions of UNIX was 12 bits, and it was formed from the
system time and the process identifier when an account is created. Unfortunately, 12 bits is hopelessly small, nowadays.
Even an old PC can perform 13,000 crypt/sec, which means such a PC so can hash a 20k word dictionary with every
possible value of a 12 bit salt in 1 hour.
Point to Explore : Secret Salt, Defense Against Password Theft: A Trusted Path 3
3
https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 8 / 15
32. Something you have (Something I Have)
Something you have (Something I Have)
e.g. Certificate, I-card, Smart Card
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 9 / 15
33. Something you have (Something I Have)
Something you have (Something I Have)
e.g. Certificate, I-card, Smart Card
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 9 / 15
34. Something you have (Something I Have)
A magnetic strip card. (eg. Cornell ID, credit card) One serious problem with these cards is that they are fairly easy to
duplicate. It only costs about $50 to buy a writer, and it’s easy to get your hands on cards to copy them. To get around
these problems, banks implement 2-factor authentication by requiring knowledge of a 4 to 7 character PIN whenever the
card is used.
Proximity card or RFID. These cards transmit stored information to a monitor via RF.
Challenge/Response cards and Cryptographic Calculators. These are also called smart cards and perform some sort of
cryptographic calculation. Sometimes the card will have memory, and sometimes it will have an associated PIN. A smart
card transforms the authentication problem for humans, because we are no longer constrained by stringent
computational and storage limitations. Unfortunately, today’s smart cards are vulnerable to power-analysis attacks.
One prevalent form of smartcard is the RSA secure id. It continuously displays encrypted time; and each RSA secure id
encrypts with a different key.
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 10 / 15
35. Something you have (Something I Have)
A magnetic strip card. (eg. Cornell ID, credit card) One serious problem with these cards is that they are fairly easy to
duplicate. It only costs about $50 to buy a writer, and it’s easy to get your hands on cards to copy them. To get around
these problems, banks implement 2-factor authentication by requiring knowledge of a 4 to 7 character PIN whenever the
card is used.
Proximity card or RFID. These cards transmit stored information to a monitor via RF.
Challenge/Response cards and Cryptographic Calculators. These are also called smart cards and perform some sort of
cryptographic calculation. Sometimes the card will have memory, and sometimes it will have an associated PIN. A smart
card transforms the authentication problem for humans, because we are no longer constrained by stringent
computational and storage limitations. Unfortunately, today’s smart cards are vulnerable to power-analysis attacks.
One prevalent form of smartcard is the RSA secure id. It continuously displays encrypted time; and each RSA secure id
encrypts with a different key.
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 10 / 15
36. Something you have (Something I Have)
A magnetic strip card. (eg. Cornell ID, credit card) One serious problem with these cards is that they are fairly easy to
duplicate. It only costs about $50 to buy a writer, and it’s easy to get your hands on cards to copy them. To get around
these problems, banks implement 2-factor authentication by requiring knowledge of a 4 to 7 character PIN whenever the
card is used.
Proximity card or RFID. These cards transmit stored information to a monitor via RF.
Challenge/Response cards and Cryptographic Calculators. These are also called smart cards and perform some sort of
cryptographic calculation. Sometimes the card will have memory, and sometimes it will have an associated PIN. A smart
card transforms the authentication problem for humans, because we are no longer constrained by stringent
computational and storage limitations. Unfortunately, today’s smart cards are vulnerable to power-analysis attacks.
One prevalent form of smartcard is the RSA secure id. It continuously displays encrypted time; and each RSA secure id
encrypts with a different key.
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 10 / 15
37. Something you have (Something I Have)
A magnetic strip card. (eg. Cornell ID, credit card) One serious problem with these cards is that they are fairly easy to
duplicate. It only costs about $50 to buy a writer, and it’s easy to get your hands on cards to copy them. To get around
these problems, banks implement 2-factor authentication by requiring knowledge of a 4 to 7 character PIN whenever the
card is used.
Proximity card or RFID. These cards transmit stored information to a monitor via RF.
Challenge/Response cards and Cryptographic Calculators. These are also called smart cards and perform some sort of
cryptographic calculation. Sometimes the card will have memory, and sometimes it will have an associated PIN. A smart
card transforms the authentication problem for humans, because we are no longer constrained by stringent
computational and storage limitations. Unfortunately, today’s smart cards are vulnerable to power-analysis attacks.
One prevalent form of smartcard is the RSA secure id. It continuously displays encrypted time; and each RSA secure id
encrypts with a different key.
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 10 / 15
38. Something you are (Something I am)
Something you are (Something I am)
e.g. Certificate, I-card, Smart Card
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 11 / 15
39. Something you are (Something I am)
Something you are (Something I am)
e.g. Certificate, I-card, Smart Card
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 11 / 15
40. Something you are (Something I am)
employ behavioral and physiological characteristics
we might use Retinal scan, Fingerprint reader, Handprint reader,
Voice print, Keystroke timing ,Signature
with some agreed error rate (For example, fingerprint readers today
normally exhibit error rates upwards of 5%.)
Methods to subvert a fingerprint reader give some indication of the
difficulties of deploying unsupervised biometric sensors as the sole
means of authenticating humans.
-Steal a finger
-Steal a fingerprint
-Replace the biometric sensor
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 12 / 15
41. Something you are (Something I am)
employ behavioral and physiological characteristics
we might use Retinal scan, Fingerprint reader, Handprint reader,
Voice print, Keystroke timing ,Signature
with some agreed error rate (For example, fingerprint readers today
normally exhibit error rates upwards of 5%.)
Methods to subvert a fingerprint reader give some indication of the
difficulties of deploying unsupervised biometric sensors as the sole
means of authenticating humans.
-Steal a finger
-Steal a fingerprint
-Replace the biometric sensor
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 12 / 15
42. Something you are (Something I am)
employ behavioral and physiological characteristics
we might use Retinal scan, Fingerprint reader, Handprint reader,
Voice print, Keystroke timing ,Signature
with some agreed error rate (For example, fingerprint readers today
normally exhibit error rates upwards of 5%.)
Methods to subvert a fingerprint reader give some indication of the
difficulties of deploying unsupervised biometric sensors as the sole
means of authenticating humans.
-Steal a finger
-Steal a fingerprint
-Replace the biometric sensor
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 12 / 15
43. Something you are (Something I am)
employ behavioral and physiological characteristics
we might use Retinal scan, Fingerprint reader, Handprint reader,
Voice print, Keystroke timing ,Signature
with some agreed error rate (For example, fingerprint readers today
normally exhibit error rates upwards of 5%.)
Methods to subvert a fingerprint reader give some indication of the
difficulties of deploying unsupervised biometric sensors as the sole
means of authenticating humans.
-Steal a finger
-Steal a fingerprint
-Replace the biometric sensor
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 12 / 15
44. Something you are (Something I am)
There are several well known problems with biometric-based
authentication schemes:
-Reliability of the method
-Cost and availability
-Unwillingness or inability to interact with biometric input devices
-Compromise the biometric database or system
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 13 / 15
45. Research Problem 2
Post 9/11, the United States started searching airline passengers for bombs
and other potentially dangerous material. More recently, in reaction to the
Madrid and London subway bombings, other governments have started
searching subway customers.
In all of these schemes, the cost of searching a suspect is significant and it is
too costly to search every passenger. Some sort of sampling is then
employed, which leads to a design choice about who gets selected for
searches:
Select randomly among all passengers.
Select randomly among passengers satisfying certain predefined profiles.
Adopt (1) and you end up searching babies, grandmothers, and congressman;
adopt (2) and you might only search males of a certain age and ethnicity.
Given a fixed budget for performing searches, which of (1) and (2) is likely
to be more effective at decreasing the chances of successful future terrorist
attacks on airplanes and/or subways.
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 14 / 15
46. Authentication Protocols
Different Categories of Authentication Protocols:
Reciprocity of Authentication (Mutual/One Way)
Type of Cryptography (Symmetric/Asymmetric)
Key Exchange
Computational and Communication Efficiency
Real time involvement of Third Party (online vs offline)
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 15 / 15
47. Authentication Protocols
Different Categories of Authentication Protocols:
Reciprocity of Authentication (Mutual/One Way)
Type of Cryptography (Symmetric/Asymmetric)
Key Exchange
Computational and Communication Efficiency
Real time involvement of Third Party (online vs offline)
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 15 / 15
48. Authentication Protocols
Different Categories of Authentication Protocols:
Reciprocity of Authentication (Mutual/One Way)
Type of Cryptography (Symmetric/Asymmetric)
Key Exchange
Computational and Communication Efficiency
Real time involvement of Third Party (online vs offline)
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 15 / 15
49. Authentication Protocols
Different Categories of Authentication Protocols:
Reciprocity of Authentication (Mutual/One Way)
Type of Cryptography (Symmetric/Asymmetric)
Key Exchange
Computational and Communication Efficiency
Real time involvement of Third Party (online vs offline)
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 15 / 15
50. Authentication Protocols
Different Categories of Authentication Protocols:
Reciprocity of Authentication (Mutual/One Way)
Type of Cryptography (Symmetric/Asymmetric)
Key Exchange
Computational and Communication Efficiency
Real time involvement of Third Party (online vs offline)
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 15 / 15
51. Authentication Protocols
Different Categories of Authentication Protocols:
Reciprocity of Authentication (Mutual/One Way)
Type of Cryptography (Symmetric/Asymmetric)
Key Exchange
Computational and Communication Efficiency
Real time involvement of Third Party (online vs offline)
Dr.Ramchandra Mangrulkar Lecture #2: Defence Strategies and Techniques: Part I August 5, 2020 15 / 15