This document outlines a lecture on network security. It discusses key topics like authentication, access control, identification, authorization, and password management. It provides details on security concerns, password hashing and encryption, one-time passwords using token devices, and using cryptographic keys. The document also outlines the class policy, grading evaluation, and course schedule for the network security course.
This document outlines topics to be discussed in a lecture on cryptography and network security. It includes two case studies of data breaches at government organizations and a hotel chain. It discusses security needs and objectives, why security is difficult to achieve, how security became an issue, threat modeling, risk assessment, the three aspects of security (attacks, mechanisms, services), and key points to remember around security including the trade-off between security and usability.
This document discusses various types of cyber attacks and threats such as viruses, worms, Trojan horses, botnets, trap doors, logic bombs, denial of service attacks, and spyware. It provides details on the characteristics and techniques of different attacks, including how viruses, worms, and Trojan horses infect systems. Distributed denial of service (DDoS) attacks are explained along with specific DDoS techniques like SYN floods and Smurf attacks. The document is a lecture on cryptography and network security that outlines different cyber threats.
This document provides an overview of information and cyber security. It defines cyber security as technologies and processes designed to protect computers, networks, and data from attacks, vulnerabilities, damages, and unauthorized access. It discusses why cyber security is important by explaining the principles of confidentiality, integrity, and availability. It also covers common cyber security threats like viruses, malware, hacking, phishing, and denial of service attacks. The document provides tips on cyber security best practices for passwords, mobile devices, banking, and more. It introduces tools used in cyber security like Network Pro and F-RAT and concludes by emphasizing the importance of vigilance in maintaining security.
Chapter 4: Vulnerability, Threat and Attack - newbie2019
This document discusses threats, vulnerabilities, and attacks related to information security. It defines threats as potential dangers that could breach security, and lists categories of threats like deliberate threats, environmental threats, and accidental threats. Vulnerabilities are weaknesses that can be exploited by threats, like physical vulnerabilities, hardware/software vulnerabilities, and human vulnerabilities. Attacks are exploits of vulnerabilities that damage systems. Common attacks are discussed like passive attacks that obtain information and active attacks that alter systems. The document also categorizes attacks as interruptions, interceptions, modifications, or fabrications of systems and assets. The three biggest common attacks are said to be virus, worm, and Trojan horse attacks.
The document outlines the goals of network security which are confidentiality, integrity, and availability. Confidentiality aims to hide data from unauthorized people through encryption. Integrity seeks to prevent unauthorized modification of data using hashing. Availability aims to prevent loss of access to resources for authorized users by developing efficient network design, preventing malicious activity like DDoS attacks, ensuring sufficient bandwidth, and removing duplex mismatches. The document was presented by an instructor from the Faculty of Computer Science at Kabul Education University to discuss network security goals and methods.
In this video we talk about some tools and techniques that can be used to protect your login credentials and digital identity including good password practices, adding Multi Factor Authentication (MFA), and monitoring to alert when a compromised account is found. Don’t assume your organization won’t be targeted – everyone is a target. As with all our webinars, this presentation is appropriate for an audience of varied IT and security experience.
The document discusses security threats in eHealth (electronic health) systems. It outlines various motives for attacks on eHealth systems, including financial gain, revenge, intellectual challenge, and terrorism. Tactics that may be used include stealing devices, sniffing networks, social engineering, trojans, backdoors, and malicious apps. The document recommends solutions like strengthening technology, processes, user training, compliance, and information security governance to better secure eHealth systems and patient data.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
The document provides a summary of common wireless attacks and attacks on wireless encryption. For wireless attacks, it discusses war driving/war chalking, rogue access point attacks, jamming attacks, evil twin attacks, bluejacking attacks, bluesnarfing attacks, and NFC attacks. For attacks on encryption, it asserts that all the wireless encryption standards it covers can be broken, some far more easily than others; in practice that is literally true of WEP and of WPS PIN brute-forcing, whereas attacks on WPA/WPA2-PSK work by capturing the handshake and guessing a weak passphrase rather than by breaking the cipher itself. Common encryption attacks mentioned are replay attacks, packet sniffer attacks, IV attacks, WEP cracking/WPA cracking, and WPS attacks.
This document discusses information system security. It defines information system security as the collection of activities that protect information systems and the data they store. It outlines four components of an IT security policy framework: policies, standards, procedures, and guidelines. It also discusses vulnerabilities, threats, attacks, and trends in attacks. Vulnerabilities are weaknesses, while threat actors use tools and scripts to launch attacks such as reconnaissance, access, denial of service, and virus/Trojan attacks. Current attack trends include malware, phishing, ransomware, denial of service, man-in-the-middle, cryptojacking, SQL injection, and zero-day exploits.
ETHICAL HACKING AND SOCIAL ENGINEERING
Topics Covered: Ethical Hacking Concepts and Scopes, Threats and Attack Vectors, Information Assurance, Threat Modelling, Enterprise Information Security Architecture, Vulnerability, Assessment and Penetration Testing, Types of Social Engineering, Insider Attack, Preventing Insider Threats, Social Engineering Targets and Defence Strategies
Information Technology Security Basics - Mohan Jadhav
The document discusses various topics related to IT security basics. It begins by providing two examples of security breaches to illustrate why security is important. It then discusses the four virtues of security and the nine rules of security. The document also defines information security, its goal of ensuring confidentiality, integrity and availability of systems, and the potential impacts of security failures. Additionally, it outlines common security definitions, 10 security domains, and provides an overview of access control and application security.
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa
Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).
CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for allowing to publish these presentations.
This document discusses security frameworks and tools for information systems. It begins by explaining why systems are vulnerable, such as accessibility of networks and software/hardware problems. It then describes organizational frameworks for security, including risk assessment, security policies, identity management, disaster recovery planning, and information systems audits. Finally, it discusses tools for safeguarding resources, such as identity management software. The document provides an overview of securing information systems from multiple perspectives.
Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept... - XEventsHospitality
By A.K. Vishwanathan, Senior Director – Enterprise Risk Services, Deloitte India
Vis is a Chartered Accountant, holds the Certified in Risk and Information Systems Control (CRISC) certification, and is a member of the Information Systems Audit and Control Association (ISACA).
He has advised large organisations in their endeavour in information security and controls, and led risk consulting in complex environments and regulated industries; specifically banking and financial services, telecom, manufacturing, oil and gas, pharma and life sciences and government sector.
The document discusses data security and various threats to data. It provides definitions of key terms like data, security, and data security. It then describes the project's main objectives: understanding data security threats and their backgrounds, and the techniques used to defend against them. Various threats are outlined, such as human threats from hackers, staff, and spies. Security technologies like cryptography, firewalls, and intrusion detection systems are also summarized. The document provides an overview of the importance of data security.
Security & control in management information system - Online
The document discusses security concepts in information systems including prevention of unauthorized access, modification, and deletion of information. It outlines unintentional threats like human error and intentional threats like criminal attacks. The goals of information security are prevention, detection, and response. Risks to applications and data include computer crime, hacking, cyber-theft, unauthorized work use, software piracy, and viruses/worms. Risks to hardware include natural disasters, blackouts, and vandalism. Major defense strategies are encryption, authentication, firewalls, email monitoring, antivirus software, backup files, security monitors, and biometric controls. The document also discusses disaster recovery, business recovery plans, and general controls to minimize errors and disasters.
This document provides an overview of cybersecurity training for Windstone Health Services employees in 2021. It defines cybersecurity and why it is important, discusses common cybersecurity threats like malware, phishing, and denial of service attacks. It also outlines responsibilities for both employees and the company, including maintaining secure passwords, updating software, and employing firewalls and encryption. The overall message is that cyberattacks are a serious risk and all entities must work together to protect systems, be wary of suspicious activities, and keep security protocols up to date.
HIPAA, Privacy, Security, and Good Business - Stephen Cobb
HIPAA's implications for privacy and security practices in American businesses, addressed in March of 2001 at the Employers' Summit on Health Care, by Stephen Cobb, CISSP. Uploaded in 2014 for the historical record.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
The document discusses various aspects of information security and network security. It defines information security and describes different types including physical security, communication security, and network security. It then discusses several common security processes and tools used for protection, such as anti-virus software, access controls, firewalls, intrusion detection systems, policy management, and vulnerability scanning. However, it notes that no single security measure provides complete protection and that security is an ongoing process.
This document discusses foundational concepts in cyber security including cryptography, access control, and the CIA triad of confidentiality, integrity and availability. It provides an overview of common security terms and the roles and responsibilities in organizational security governance. Key topics covered include legislative and regulatory compliance, industry standards, and the importance of documentation for effective security.
This document outlines a security concept and risk management process. It discusses identifying risks and assets, assessing impact and probability, and determining appropriate risk responses such as acceptance, avoidance, mitigation, and transfer. It also describes common security controls around availability, confidentiality and integrity. Attack vectors like malware, denial of service attacks, social engineering and phishing are examined. Finally, it discusses security patterns for identity and access management, segregation of duties, layered security and cryptography.
This document provides an overview of reducing cybersecurity risks for business leaders. It discusses the growing threat of cyber attacks and how attackers' motives include espionage, financial gain, and disruption. The document recommends starting with behaviors to reduce risk, such as training employees and installing software patches. It also suggests implementing two-factor authentication, intrusion detection, and incident response plans. The document references frameworks for covering all cybersecurity specialties and provides examples of questions board members may ask about an organization's cybersecurity program.
Access control provides security by controlling how users and systems interact with resources. It uses identification, authentication, and authorization to determine access. There are three main categories of access control - administrative, physical, and technical. Administrative controls involve policies, procedures, and training while physical controls address facility security and technical controls use technology like encryption. Access control models include discretionary, mandatory, and role-based access control. Monitoring tools like IDS and IPS detect and prevent unauthorized access. Proper administration and auditing help enforce access control policies.
The document provides an information security audit report for the University of Florida Health Science Center. It examines the organization's user account and password management policies and provides recommendations for improvement. The audit found that while many policies were compliant or partially compliant with standards, some areas needed improvement, such as password management training for employees and clarifying consequences for non-compliance. The report concludes by recommending the development of additional policies to address contingency planning, data backup procedures, and human resources issues.
This document outlines the course content for a network security class at Kabul Education University. It includes an overview of topics to be covered in the first week such as network security background, definitions, why security became important, network models, and security goals. It also outlines the class policies on attendance and assignments. The grading evaluation breaks down the internal and final exam components. Several lecture slides provide more details on concepts like what security is, why network security is needed, security attack categories, and that security is best achieved through a process using multiple mechanisms rather than a single product.
PPT based upon e-certificate issue using blockchain technology - PrasadJagtap26
This document outlines a project to develop an application called "E-Certificates Issue Services using Blockchain". The application would allow students to request certificates and recommendation letters from their college digitally by storing the documents on a blockchain for security. The project aims to reduce the difficulty students face in physically collecting documents from their college. The document discusses the motivation, objectives, literature review, requirements analysis, proposed system design, and concludes with advantages, disadvantages and opportunities for future enhancement.
User authentication is the process of verifying a user's identity before granting access to a system or network. The document lists several principles to consider: strong passwords, two-factor authentication, least-privilege access, secure password storage, regular password updates, and access logs. Following these principles helps ensure security and prevent unauthorized access. One caveat on "regular password updates": current NIST SP 800-63B guidance is to force a change when there is evidence of compromise rather than on a fixed schedule, because scheduled rotation tends to produce weaker, predictable passwords.
The document proposes novel one, two, and three-factor authentication methods for mobile devices based on public key cryptography without certificates. The methods provide strong security while being easy to implement and deploy. In the one-factor method, the device authenticates using a stored key pair. In the two-factor method, the key pair is regenerated from the user's passcode. In the three-factor method, the key pair is regenerated from the passcode and a biometric sample, providing stronger authentication.
Addressing Insider Threat using "Where You Are" as Fourth Factor AuthenticationPeter Choi
This document proposes using location as a fourth factor for authentication in addition to the traditional three factors of what you know, what you have, and what you are. It aims to address limitations of current authentication techniques for dealing with insider threats. Specifically, current methods do not provide continuous identification tracking or allow for real-time enforcement of security policies. The document outlines general rules an authentication system should follow, including not hindering users or violating physical laws. It argues that using accurate location tracking from real-time locating systems could satisfy the rules by providing continuous authentication without inconveniencing users. The document then discusses requirements for an insider threat prevention system that would actively monitor for malicious insider behavior using location as the fourth authentication factor.
Digital Proctor is a company that provides a solution for authenticating online student identities. Their solution uses typing pattern analysis to uniquely identify students and verify their identity as they complete coursework. It can detect potential cases of outsourcing assignments or entire courses by checking for inconsistencies in a student's typing patterns across assignments. The solution also flags unusual cutting/pasting activity and potential collusion. It provides reporting to faculty and administrators on suspicious activity with data to help them investigate cases further. The solution aims to promote academic integrity while being non-invasive to students and protecting their privacy.
Three Step Multifactor Authentication Systems for Modern Securityijtsrd
Three factor authentication includes all major features in password authentication such as one factor authentication. Using passwords and two factor authentication is not enough to provide the best protection in the digital age significantly. Advances in the field of information technology. Even when one or two feature authentication was used to protect the remote control system, hacking tools, it was a simple computer program to collect private keys, and private generators made it difficult to provide protection. Security threats based on malware, such as key trackers installed, continue to be available to improve security risks. This requires the use of safe and easy to use materials. As a result, Three Level Security is an easy to use software. Soumyashree RK | Goutham S "Three Step Multifactor Authentication Systems for Modern Security" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-6 | Issue-3 , April 2022, URL: https://www.ijtsrd.com/papers/ijtsrd49785.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-security/49785/three-step-multifactor-authentication-systems-for-modern-security/soumyashree-rk
BeyondCorp is Google's zero trust architecture that allows employees to work from untrusted networks without using a VPN. It automates good security practices by making access decisions based on who the user is, what device they're on, and other dynamic factors. This eliminates issues like shared credentials and unpatched devices accessing resources. The key aspects of BeyondCorp are removing network trust, using short-lived credentials, and centralizing authentication and authorization based on real-time trust evaluations of users and their devices. The presentation provides recommendations for organizations to implement their own zero trust architecture, such as taking an inventory, understanding use cases, defining policy frameworks, and starting with simple access controls before getting more granular.
Secret Lock – Anti Theft: Integration of App Locker & Detection of Theft Usin...IRJET Journal
This document proposes and evaluates a mobile application called "Secret Lock" that integrates app locking and mobile theft detection using user patterns. The application allows users to add apps for secure access and generates authentication questions during registration based on the user's mobile usage history and patterns. If the mobile is stolen, the app activates sensors like the camera, GPS, and voice recorder to take photos, track the location, and record audio of the thief. This data is then sent to the user via SMS and email to identify and track the stolen device. The system architecture uses support vector machines for user identification, GPS for location tracking, and SMS and email for alerting the user if their device is stolen. The application was tested and found to generate
BeyondCorp is Google's implementation of a Zero Trust security model that eliminates the use of network-based controls like VPNs. It authenticates and authorizes access to resources based on dynamic factors like the user, device, location, and time. This provides stronger security, visibility, and a better user experience than traditional perimeter-based approaches. The presentation outlines how to achieve a similar BeyondCorp-inspired architecture by collecting relevant data, defining access policies, writing user scenarios, and implementing dynamic access controls and ephemeral credentials. Moving to this model will impact VPN and legacy security vendors and lead to converged access management categories.
This document is a study guide for the CISSP certification exam. It provides summaries of the 10 domains covered on the exam, including access control systems, telecommunications and network security, security management practices, applications and systems development, cryptography, security architecture and models, operational security, business continuity planning and disaster recovery planning, law, investigation, and ethics, and physical security. For each domain it highlights important concepts, terms, and methodologies relevant to information security professionals.
Eds user authenticationuser authentication methodslapao2014
User authentication is the process of verifying a user's identity and granting access to resources. It commonly involves a username and password but is vulnerable. Strong authentication uses two or more factors, such as something you have (e.g. card) and something you know (e.g. PIN), making impersonation and repudiation more difficult. Common strong authentication methods include smart cards, digital certificates, and biometrics. Organizations select authentication based on required security level, complexity of techniques, user impact, and cost.
IMPLEMENTATION PAPER ON MACHINE LEARNING BASED SECURITY SYSTEM FOR OFFICE PRE...IRJET Journal
1. The document discusses the implementation of a machine learning-based security system for office premises using user authentication.
2. The proposed system uses four-step security including login credentials, one-time passwords, and face recognition to authenticate users and restrict unauthorized access, while also featuring auto-saving of data to servers and automatic logouts.
3. The system aims to provide strong security, integrity, and confidentiality of data by making unauthorized access more difficult through multi-factor authentication barriers.
Two-factor authentication- A sample writing _ZamanAsad Zaman
This document discusses various authentication methods including passwords, biometrics, tokens, two-factor authentication, and multi-factor authentication. It provides details on each method, including their strengths, weaknesses, and how they provide different levels of security. Multiple authentication factors can be combined to achieve stronger authentication through a multi-factor approach. The document also includes examples of how different authentication methods may be suitable for different access levels and use cases.
Secured E-Learning Content on Handheld DeviceIOSR Journals
This document discusses securing e-learning content delivered to handheld devices. It proposes a system that provides authentication through system authentication, password protection, and data encryption using AES 128-bit encryption. The content can be viewed by connecting the handheld device to a television. The system aims to prevent piracy by controlling access through a web view and managing system controls. It discusses the need for security features like authentication, authorization, and encryption to protect valuable e-learning content from unauthorized access and piracy. The methodology uses tools like client-side scripting, payment gateways, authentication agents, and play modules to control access and verify users before allowing access to encrypted content.
BeyondCorp New York Meetup: Closing the Adherence GapIvan Dwyer
BeyondCorp is Google's approach to access management that eliminates the need for a VPN. It is based on zero-trust principles where access is granted based on who the user is and what device they are using rather than which network they connect from. Google implemented dynamic access policies that consider user identity, device security properties, and request context to determine access in real-time. The key aspects of BeyondCorp include redefining corporate identity as the user and device, making access decisions based on their current attributes and state, removing trust from networks by centralizing access controls, and issuing short-lived credentials to authenticate users and devices securely. The document provides guidance on starting with BeyondCorp by taking inventories, defining access use cases as job stories
BeyondCorp Boston Meetup: Closing the Adherence GapIvan Dwyer
Ivan Dwyer presented on Google's BeyondCorp approach to access management. BeyondCorp moves away from traditional VPN access and instead bases access decisions on multiple factors including who the user is, what device they are using, and the current state of that device. This zero-trust approach grants dynamic, short-lived credentials and makes access decisions in real-time based on over a dozen attributes of the user and device. Implementing BeyondCorp involves taking inventories of users, devices, resources and credentials; defining access policies and trust tiers; and implementing technical controls to enforce the new dynamic, context-aware access model.
The document discusses authentication, authorization, and accounting (the three As) as a leading model for access control. It describes authentication as identifying users, usually with a username and password. Authorization gives users access to resources based on their identity. Accounting (also called auditing) tracks user activity like time spent and services accessed. The document provides details on different authentication methods like passwords, PINs, smart cards, and digital certificates. It emphasizes the importance of strong passwords and changing them regularly.
This document discusses ITIL problem management. It defines a problem as an unknown cause of one or more incidents, while an error is a known cause. Problem management aims to prevent problems, eliminate recurring incidents, and minimize the impact of unavoidable incidents. It involves diagnosing incident causes, determining resolutions, and ensuring resolutions are implemented. Problems are categorized and documented in a known error database to improve incident response. Problem management works closely with incident management using similar tools and processes. The roles involved include the problem manager, technical groups, and third-party suppliers. Taking a formal approach to problem management provides benefits like improved service quality, reduced incidents, permanent solutions, organizational learning, and a better first-time fix rate.
The document discusses the importance of leadership and teamwork in achieving organizational goals. Effective leaders inspire and motivate employees to work collaboratively towards shared objectives. When people work together as a cohesive unit, it allows a company to overcome challenges and thrive in a competitive business environment.
This document discusses service validation and testing in ITIL. It explains that validation and testing are important to ensure a new or changed service will meet requirements and be fit for purpose before it is released. The key points made include: validation and testing help reduce incidents, support calls, problems and costs after release; their purpose is to provide evidence a service supports business needs; and their goal is to ensure a service will provide value to customers. The document outlines objectives, scope and value of validation and testing. It provides a diagram illustrating the concepts.
A series of Cyber security lecture notes..........................
(Endpoint, Server, and Device Security), (Identity, Authentication, and Access Management)
(Data Protection and Cryptography)
Release and Deployment Management (RDM) aims to build, test, and deliver new or changed IT services to customers. RDM plans, schedules, and controls the movement of service releases through testing and implementation. The goal of RDM is to deploy releases into operation and establish effective customer service while ensuring handover to operations and adequate documentation for support. RDM defines processes for packaging, building, testing, and deploying releases to production according to a release policy and governance.
The document discusses various aspects of cyber security, focusing on system administration security, network security, and application security. It outlines 11 functional areas of enterprise cybersecurity that need to be organized and managed. For each of the three areas highlighted, it describes the goals, threats, and key capabilities. The overall aim is to prevent attacks, detect intrusions, and enable forensic investigation through controls across different parts of the IT infrastructure and applications.
- Over 10 years ago, the organization's help desk was immature and unorganized, relying on paper binders for documentation with no consistency. Five years ago, they started using SharePoint but it was not fully trusted and paper was still the default. Two years ago, they established a knowledge management project and migrated data from SharePoint to a new KM system. Currently, they have formalized KM tools and processes, publish KM statistics monthly, and staff have been able to consistently improve first call resolution rates over 10 years.
1. Cybersecurity risk management involves identifying vulnerabilities and risks, assessing their likelihood and impact, and implementing measures to reduce risks to acceptable levels.
2. A risk analysis was presented that identifies assets, threats, vulnerabilities, assesses impact of threats, likelihood of vulnerabilities being exploited, and determines overall risk levels.
3. Managing cybersecurity risk is a team effort that requires addressing both technical risks like vulnerabilities in systems, as well as human risks from employees through training to reduce threats.
This document discusses Service Asset and Configuration Management (SACM) as part of ITIL. It defines key terms like configuration item, configuration management, and outlines the purpose, objectives and scope of SACM. The document also discusses how SACM supports IT service management processes by maintaining accurate information on IT assets, configurations and relationships in a Configuration Management Database to support incident and problem resolution.
This document discusses various aspects of ITIL including IT service continuity management, information security management, change management, and service transitions. It provides details on topics such as business impact analysis, change types, the change advisory board, change proposals, change management processes, and change manager responsibilities. The presentation outlines key ITIL concepts to ensure the resumption of IT services within agreed timescales and introduce changes in a controlled manner to optimize business risk.
This document provides an overview of ITIL (Information Technology Infrastructure Library) service lifecycle concepts. It discusses the purpose and key activities of Service Strategy, which includes defining the market, developing offerings, strategic assets, and preparing for execution. Service Design processes like availability management and service level management are also summarized. The document explains concepts like service portfolios, service level agreements, capacity management, and ensuring the right IT resources are provided at the right time for the right cost.
This document provides an overview of ITIL (Information Technology Infrastructure Library) which is a framework for IT service management best practices. It discusses that ITIL aims to align IT services with business needs, improve quality, and reduce costs. The key topics covered include the 10 core ITIL processes, the ITIL service lifecycle, the history and advantages of ITIL, and why organizations implement ITIL best practices.
This document provides an overview of a cyber security lecture at Bakhtar University. It discusses the course objectives, policies, and grading evaluation. It then defines cybersecurity and outlines the major cybersecurity challenges, including advanced persistent threats and recent cyber attacks against major organizations. The document categorizes types of cyber attackers and concludes by listing reference books.
Mr. Islahuddin Jalal presented an introduction to computer forensics focused on mobile phone forensics. The presentation outlined objectives of mobile phone forensics, potential evidence sources like phone memory, SIM card, and external storage. Guidelines for seizure, examination, data extraction, and documentation of mobile phone evidence were discussed. Tools for logical and physical extraction from phone memory, SIM card, and external storage were also presented.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
CAKE: Sharing Slices of Confidential Data on BlockchainClaudio Di Ciccio
Presented at the CAiSE 2024 Forum, Intelligent Information Systems, June 6th, Limassol, Cyprus.
Synopsis: Cooperative information systems typically involve various entities in a collaborative process within a distributed environment. Blockchain technology offers a mechanism for automating such processes, even when only partial trust exists among participants. The data stored on the blockchain is replicated across all nodes in the network, ensuring accessibility to all participants. While this aspect facilitates traceability, integrity, and persistence, it poses challenges for adopting public blockchains in enterprise settings due to confidentiality issues. In this paper, we present a software tool named Control Access via Key Encryption (CAKE), designed to ensure data confidentiality in scenarios involving public blockchains. After outlining its core components and functionalities, we showcase the application of CAKE in the context of a real-world cyber-security project within the logistics domain.
Paper: https://doi.org/10.1007/978-3-031-61000-4_16
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
OpenID AuthZEN Interop Read Out - AuthorizationDavid Brossard
During Identiverse 2024 and EIC 2024, members of the OpenID AuthZEN WG got together and demoed their authorization endpoints conforming to the AuthZEN API
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfTechgropse Pvt.Ltd.
In this blog post, we'll delve into the intersection of AI and app development in Saudi Arabia, focusing on the food delivery sector. We'll explore how AI is revolutionizing the way Saudi consumers order food, how restaurants manage their operations, and how delivery partners navigate the bustling streets of cities like Riyadh, Jeddah, and Dammam. Through real-world case studies, we'll showcase how leading Saudi food delivery apps are leveraging AI to redefine convenience, personalization, and efficiency.
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
Network security # Lecture 2
1. CSC8 – NETWORK SECURITY
KABUL EDUCATION UNIVERSITY
COMPUTER SCIENCE DEPARTMENT
LECTURER: ISLAHUDDIN JALAL
MASTER IN CYBER SECURITY
9/16/2017 KABUL EDUCATION UNIVERSITY 1
2. Second week course outline
Overview of network security
◦ Security Concerns of authentication
◦ Access Control
◦ Identification
◦ Authentication
◦ Authorization
◦ Identity Management
◦ Password and password management
◦ Kerberos
3. Class Policy
A student must reach the classroom on time. Latecomers may join the class but are not entitled to be marked present.
Attendance shall be marked at the start of the class, and students failing to secure 75% attendance will not be allowed to sit the final exam.
The assignment submission deadline must be observed. In case of late submission, ten percent may be deducted for each day of delay.
Those who are absent on the day an assignment/test is announced must get the topic/chapter of the test/assignment confirmed through their peers.
Mobile phones must be switched off in the classroom.
4. Grading Evaluation for Network Security
Internal Evaluation
Midterm Exam 20%
Attendance 5%
Assignment/Presentations 5%
Quizzes/Tests 10%
Total Internal Evaluation 40%
Final-term Examination
Final-term Exam 60%
Total Marks 100%
5. SECURITY CONCERNS
Key concerns are confidentiality and timeliness
◦ Prevent unauthorized access
◦ ensure freshness of data
To provide confidentiality, one must encrypt identification and session key information
◦ This requires the use of previously shared private or public keys
Need timeliness to prevent replay attacks
◦ by using sequence numbers or timestamps or challenge/response
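The timeliness requirement above can be seen in a short challenge/response exchange. The following is an added example, not code from the lecture: the verifier issues a fresh nonce per attempt, the client answers with an HMAC over its identity, the nonce and a timestamp using a previously shared key, and the verifier refuses both a reused nonce (a replay) and a response whose timestamp falls outside a freshness window. The shared key, the 30-second window and the user name are constructed for the demonstration; the encryption of identity and session-key material the slide also asks for is not shown here.

```python
import hashlib
import hmac
import secrets
import time

# Constructed shared key for the example; in practice this is the previously
# shared secret the slide refers to.
SHARED_KEY = b"example-shared-key-for-demo-only"

# Responses whose timestamp is further than this many seconds from "now" are stale.
FRESHNESS_WINDOW = 30


def _message(user: str, nonce: bytes, ts: int) -> bytes:
    """Bind the claimed identity, the fresh nonce and the timestamp together."""
    return user.encode() + b"|" + nonce + b"|" + str(ts).encode()


def respond(key: bytes, user: str, nonce: bytes, ts: int) -> bytes:
    """Client side: prove possession of the shared key over the verifier's nonce."""
    return hmac.new(key, _message(user, nonce, ts), hashlib.sha256).digest()


class Verifier:
    """Server side: issues one nonce per attempt and never accepts it twice."""

    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now            # clock is injectable so freshness can be tested
        self.outstanding = set()  # nonces issued and not yet answered
        self.consumed = set()     # nonces already accepted: any reuse is a replay

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user: str, nonce: bytes, ts: int, tag: bytes) -> bool:
        # Replay check: the nonce must be one we issued and never accepted before.
        if nonce in self.consumed or nonce not in self.outstanding:
            return False
        # Timestamp check: bounds how long an issued nonce stays answerable.
        if abs(int(self.now()) - ts) > FRESHNESS_WINDOW:
            self.outstanding.discard(nonce)
            return False
        expected = hmac.new(self.key, _message(user, nonce, ts), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self.outstanding.discard(nonce)
        self.consumed.add(nonce)
        return True


def demo() -> dict:
    """Run a fresh exchange, then a replay and a stale response (all constructed)."""
    clock = 1_000_000
    v = Verifier(SHARED_KEY, now=lambda: clock)
    nonce = v.challenge()
    tag = respond(SHARED_KEY, "alice", nonce, clock)
    results = {"fresh": v.verify("alice", nonce, clock, tag)}
    # Sending the identical message again is exactly what a replay attack does.
    results["replay"] = v.verify("alice", nonce, clock, tag)
    nonce2 = v.challenge()
    stale_ts = clock - 120
    results["stale"] = v.verify(
        "alice", nonce2, stale_ts, respond(SHARED_KEY, "alice", nonce2, stale_ts))
    return results


if __name__ == "__main__":
    print(demo())  # {'fresh': True, 'replay': False, 'stale': False}
```

The nonce alone defeats replay; the timestamp is what lets the verifier forget old nonces instead of keeping the consumed set forever, which is why the slide lists the two mechanisms side by side.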
6. ACCESS CONTROLS
Security features that control how users and systems communicate and interact with other systems and resources
Protect the systems and resources from unauthorized access, and monitor the activities through:
◦ identification, authentication, authorization and accountability
Subject: an active entity that requests access to an object or the data within an object
Object: a passive entity that contains information
Access: the flow of information between a subject and an object
7. IDENTIFICATION, AUTHENTICATION AND AUTHORIZATION
• Identification
– Ensure that a subject (user, program, or process) is the entity it claims to be
– Identification can be provided with the use of a username or account number
• Authentication
– The subject is usually required to provide another method of credentials such as: password, passphrase, cryptographic key, personal identification number (PIN), biometrics, or token
8. IDENTIFICATION, AUTHENTICATION AND AUTHORIZATION
• Authorization
– A process that grants or denies a subject access to an object
• A subject needs to be held accountable for the actions taken within a system or domain. Accountability is only possible if the subject can be uniquely identified and the subject's actions are recorded
• Technical/logical access controls are tools used for identification, authentication, authorization, and accountability
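The subject/object model of slides 6 to 8 and the accountability point above fit into a small reference monitor. This is an added example, not code from the lecture: every access request passes through one authorize() call that checks the subject was authenticated, consults the object's access control list, and appends an audit record whether the request is permitted or denied. The resource names, user IDs and access modes are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Access modes the monitor understands (constructed for this example).
READ, WRITE = "read", "write"


@dataclass
class Subject:
    """Active entity that requests access. user_id must be unique: a shared
    identifier would leave the audit trail unable to say who acted."""
    user_id: str
    authenticated: bool = False   # set only after credentials were verified


@dataclass
class Resource:
    """Passive entity holding information; acl maps user_id -> permitted modes."""
    name: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class AuditRecord:
    user_id: str
    resource: str
    mode: str
    decision: str


class ReferenceMonitor:
    """Technical access control: the single place where access is decided and
    recorded, so the record provides accountability for every request."""

    def __init__(self) -> None:
        self.trail: List[AuditRecord] = []

    def authorize(self, subject: Subject, resource: Resource, mode: str) -> bool:
        if not subject.authenticated:
            decision = "deny:unauthenticated"        # identity not yet proven
        elif mode in resource.acl.get(subject.user_id, set()):
            decision = "permit"
        else:
            decision = "deny:not-in-acl"
        # Denied requests are recorded too; repeated denials are worth noticing.
        self.trail.append(AuditRecord(subject.user_id, resource.name, mode, decision))
        return decision == "permit"

    def actions_of(self, user_id: str) -> List[AuditRecord]:
        """Accountability query: what did this uniquely identified subject request?"""
        return [r for r in self.trail if r.user_id == user_id]


def demo() -> List[str]:
    """Constructed scenario: one payroll file, two users, mixed outcomes."""
    monitor = ReferenceMonitor()
    payroll = Resource("payroll.db", {"alice": {READ, WRITE}, "bob": {READ}})
    alice = Subject("alice", authenticated=True)
    bob = Subject("bob")                      # not authenticated yet
    monitor.authorize(alice, payroll, WRITE)  # permit
    monitor.authorize(bob, payroll, READ)     # deny: not authenticated
    bob.authenticated = True
    monitor.authorize(bob, payroll, READ)     # permit
    monitor.authorize(bob, payroll, WRITE)    # deny: not in ACL
    return [f"{r.user_id} {r.mode} {r.resource} -> {r.decision}" for r in monitor.trail]


if __name__ == "__main__":
    for line in demo():
        print(line)
```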
9. IDENTIFICATION AND AUTHENTICATION
Three general factors for authentication:
◦ Something a person knows: a password, PIN, mother's maiden name, or combination to a lock
◦ Something a person has: a key, swipe card, access card, or badge
◦ Something a person is: a unique physical attribute (biometrics)
Two-factor authentication
◦ Strong authentication uses more than one of these three factors
10. IDENTIFICATION AND AUTHENTICATION
Identification Requirements
◦ Each value should be unique, for user accountability
◦ A standard naming scheme should be followed
◦ The value should be non-descriptive of the user’s position or tasks
◦ The value should not be shared between users
11. IDENTITY MANAGEMENT
Automated products to identify, authenticate, and authorize subjects
To manage individuals, their authentication, authorization, and privileges within or across systems
The objective is to increase security and productivity and decrease cost, downtime and redundant tasks
E.g. LastPass, KeePass, Password Safe (password managers), etc.
12. IDENTITY MANAGEMENT
Examples of technologies, services and terms related to identity management:
◦ Active Directory, Service Providers, Identity Providers, Web Services, Access control,
Digital Identities, Password Managers, Single Sign-on, Security Tokens, Security Token
Services (STS), Workflows, OpenID, WS-Security, WS-Trust, SAML 2.0, OAuth and RBAC
Common services provided
◦ Password synchronization and resetting
◦ Delegation of administrative tasks
◦ Centralized auditing and reporting
◦ Integrated workflow, increasing business productivity
◦ Regulatory compliance
13. PASSWORDS
A password is something the user knows
Passwords are one of the most widely used authentication mechanisms
It is important that passwords are strong and properly managed
However, they are also one of the weakest authentication mechanisms
14. PASSWORD MANAGEMENT
System-generated passwords should be uncomplicated, pronounceable, non-dictionary words that users can remember, so that they are not tempted to write them down
User-generated passwords should contain a minimum number of characters, be unrelated to the user ID, include special characters and upper- and lowercase letters, and not be easily guessable
Users are forced to change their passwords periodically
◦ Caveat: current guidance (NIST SP 800-63B) recommends against mandatory periodic changes, favouring instead a check of new passwords against lists of breached passwords and a forced change only when compromise is suspected, because forced rotation pushes users toward predictable variations of the old password
15. PASSWORD MANAGEMENT
• As a precaution for users:
– A message can be presented to the user indicating the date, time, and location of the last successful logon, and whether any unsuccessful logon attempts occurred since
– A certain number of failed logon attempts (the clipping level) is accepted before the account is locked out
• An audit trail can also be used to track password usage and successful and unsuccessful logon attempts
16. PASSWORD MANAGEMENT
Password attack techniques
◦ Electronic monitoring
◦ Listening to network traffic to capture credentials. A captured password (or password hash) can be copied and reused by the attacker at a later time; this is called a replay attack
◦ Access to the password file
◦ Usually targeted at the authentication server. This file should be protected with access control mechanisms, and its contents should be stored as salted password hashes rather than in cleartext
17. PASSWORD MANAGEMENT
Password attack techniques
◦ Brute force attacks
◦ Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password
◦ Dictionary attacks
◦ Files of thousands (or millions) of likely words and previously leaked passwords are hashed and compared to the user's password hash until a match is found
◦ Social engineering
◦ An attacker falsely convinces an individual that he or she has the necessary authorization to access specific resources, and is handed the credential or access
18. PASSWORD CHECKERS
Test the strength of user-chosen passwords using tools that perform dictionary and/or brute force attacks to detect weak passwords
You need to obtain management's written approval before attempting the test
Password cracker: usually the same tool used by attackers to obtain passwords
19. PASSWORD HASHING AND ENCRYPTION
When a password is sent over the network, it must not be sent in cleartext: send it over an encrypted channel (e.g. TLS)
Passwords must not be stored in cleartext either: store a salted, deliberately slow hash (e.g. PBKDF2, bcrypt, scrypt, Argon2) rather than a plain hash or a reversible encryption
Note that hashing a password on the client and sending only the hash does not protect against replay: the hash itself becomes the password-equivalent
Picture Source: RAHUL THADANI
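As an added example (not part of the original lecture), the following Python runs the dictionary attack of slide 17 against a constructed password store twice: once against an unsalted SHA-1 store and once against a salted PBKDF2 store. The accounts, passwords and six-word "wordlist" are made up for the demo; the hash functions come from the Python standard library.

```python
"""Added example: a dictionary attack against two password stores.

Everything here is constructed for the demo (made-up accounts, a six-word
"wordlist"). It contrasts an unsalted SHA-1 store, where one hash per word
cracks every account at once, with a salted PBKDF2 store, where each
(account, word) pair costs a full key derivation.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Sequence, Tuple

# Constructed wordlist; real ones hold millions of leaked passwords.
WORDLIST = ["123456", "password", "letmein", "qwerty", "kabul2017", "Nangarhar"]

# Constructed accounts: three weak passwords and one long passphrase.
ACCOUNTS = {
    "ahmad": "password",
    "farida": "kabul2017",
    "omar": "letmein",
    "zahra": "correct horse battery staple 9!",
}

PBKDF2_ITERATIONS = 100_000  # assumption: raise until one hash takes ~100 ms


def weak_hash(password: str) -> str:
    """Unsalted, fast hash: identical passwords always give identical digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt$digest'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_weak_store(store: Dict[str, str],
                     wordlist: Sequence[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on an unsalted store. Each word is hashed once into a
    lookup table; every account is then cracked by a dictionary lookup.
    Returns (cracked {user: password}, number of hash evaluations)."""
    table = {weak_hash(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in store.items() if h in table}
    return cracked, len(wordlist)


def crack_strong_store(store: Dict[str, str],
                       wordlist: Sequence[str]) -> Tuple[Dict[str, str], int]:
    """Same attack on a salted store. The salt defeats the shared table, so
    every (account, word) pair costs a full PBKDF2 run; weak passwords still
    fall, but the attacker's work grows with accounts x words x iterations."""
    cracked, evaluations = {}, 0
    for user, stored in store.items():
        for word in wordlist:
            evaluations += 1
            if verify_strong(word, stored):
                cracked[user] = word
                break
    return cracked, evaluations


if __name__ == "__main__":
    weak_store = {u: weak_hash(p) for u, p in ACCOUNTS.items()}
    strong_store = {u: strong_hash(p) for u, p in ACCOUNTS.items()}
    print("unsalted SHA-1 :", crack_weak_store(weak_store, WORDLIST))
    print("salted PBKDF2  :", crack_strong_store(strong_store, WORDLIST))
```

The point the two counts make: the salt and the iteration count do not rescue "password" or "letmein", they only multiply the attacker's cost per account. Screening user-chosen passwords against a breached-password list (slide 14's caveat) is what stops the three weak accounts from falling at all.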
20. COGNITIVE PASSWORDS
A user is enrolled by answering several questions based on her life experiences that she is not likely to forget
To authenticate, the user answers the questions instead of having to remember a password
This authentication process is best for a service the user does not use on a daily basis, because it takes longer than other authentication mechanisms
Caveat: answers such as a mother's maiden name or a first school are often discoverable from public records or social media, so cognitive passwords are weak as a sole factor
21. ONE-TIME PASSWORDS
Also called a dynamic password
Used for authentication and valid only once (cannot be reused)
E.g.: Token device
◦ usually a handheld device that has an LCD display and possibly a keypad
◦ this hardware is separate from the computer that the user wants to access
◦ generates a one-time password to be entered by the user when logging on to a computer
22. ONE-TIME PASSWORDS
Two types of token device
◦ Synchronous token device
◦ Asynchronous token device
23. ONE-TIME PASSWORDS
• Synchronous Token Device:
– Usually requires a piece of hardware called a security token, given to each user to generate a one-time password
– e.g. a small calculator or a dongle with an LCD display that shows a changing number. Inside the token is an accurate clock synchronized with the clock on the proprietary authentication server, and a secret seed shared with that server
– New passwords are generated from the current time (or, in counter-based tokens, from an event counter) combined with the shared seed; the numbers are pseudo-random, not truly random
24. ONE-TIME PASSWORDS
Asynchronous Token Device:
◦ Works by challenge-response: the authentication server sends a challenge (a random value, or nonce) to the user, who keys it into the token; the token computes a response from the challenge and its secret, and the user sends that response back as the one-time password
◦ No clock synchronization is required, because each response is tied to a fresh challenge
Figure: Token Device. Source: Certified Information Systems Security Professional
25. ONE-TIME PASSWORDS
Both token systems can fall prey to masquerading if a user shares his identification information (ID or username) and the token device is shared or stolen
The token device can also suffer battery failure or other malfunctions
However, this type of system is not vulnerable to replay of a captured password, sniffing, or password guessing
◦ Caveat: a one-time password can still be phished if the attacker relays it to the real server within its validity window (real-time phishing); OTP resists replay, not every form of interception
Two-factor authentication is used:
• The user has to enter a password or PIN into the token device before it provides a one-time password: something the user knows (PIN) and something the user has (the token device)
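Added example, not from the lecture: both token types of slides 23 to 25 implemented in Python on top of the HOTP truncation of RFC 4226. The seed, PIN and clock values are constructed, and the Token and Server classes are stand-ins for a hardware token and its authentication server; the server side shows the clock-skew window, the replay block for already-used time steps, and the single-use challenge of the asynchronous mode.

```python
"""Added example: synchronous (time-based) and asynchronous (challenge-response)
token devices, built on the HOTP truncation of RFC 4226.

Constructed for this page: the seed, PIN, clock values and the Token/Server
classes are stand-ins for a hardware token and its authentication server.
"""
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(seed, counter)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30) -> str:
    """Synchronous token: the HOTP counter is the current time step."""
    return hotp(seed, unix_time // step)


class Token:
    """The handheld device: holds the seed, refuses to work without the PIN
    (something you know), and is itself something you have."""

    def __init__(self, seed: bytes, pin: str):
        self._seed, self._pin = seed, pin

    def _unlock(self, pin: str) -> None:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN: token refuses to generate a code")

    def sync_code(self, pin: str, now: int) -> str:
        """Synchronous: code from the token's (synchronized) clock."""
        self._unlock(pin)
        return totp(self._seed, now)

    def async_response(self, pin: str, challenge: bytes) -> str:
        """Asynchronous: code from the server's challenge, no clock needed."""
        self._unlock(pin)
        return hotp(self._seed, int.from_bytes(challenge, "big"))


class Server:
    """Authentication server holding the same seed as the token."""

    def __init__(self, seed: bytes, step: int = 30, skew_steps: int = 1):
        self._seed, self.step, self.skew = seed, step, skew_steps
        self._last_step = -1      # highest time step already accepted (replay block)
        self._challenge = None    # outstanding challenge, single use

    def verify_sync(self, code: str, now: int) -> bool:
        """Accept the code for the current step or +/- skew steps, but never a
        step at or below one already used: a sniffed code cannot be replayed."""
        current = now // self.step
        for step in range(current - self.skew, current + self.skew + 1):
            if step > self._last_step and hmac.compare_digest(hotp(self._seed, step), code):
                self._last_step = step
                return True
        return False

    def challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(8)
        return self._challenge

    def verify_async(self, response: str) -> bool:
        """Each challenge is consumed on first use, so a response is valid once."""
        challenge, self._challenge = self._challenge, None
        if challenge is None:
            return False
        expected = hotp(self._seed, int.from_bytes(challenge, "big"))
        return hmac.compare_digest(expected, response)
```

Usage: provision `Token(seed, pin)` and `Server(seed)` with the same seed, then call `server.verify_sync(token.sync_code(pin, now), now)` for the synchronous mode or `server.verify_async(token.async_response(pin, server.challenge()))` for the asynchronous one. The skew window is what makes a code from the previous 30-second step still acceptable; the `_last_step` watermark is what makes a sniffed code useless once the legitimate user has logged on.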
26. CRYPTOGRAPHIC KEYS
Authenticate by proving possession of a private key, or by producing a digital signature
Private keys and digital signatures offer stronger protection than passwords: the secret never leaves its holder, and a signature over one challenge cannot be replayed against a new challenge
A private key is a secret value that should be in the possession of one person, and one person only, and it should never be disclosed to an outside party
A digital signature is produced by signing a hash value (message digest) of the message with the private key; anyone holding the matching public key can verify it (the textbook description "encrypting the hash with the private key" is an RSA-specific simplification)
27. PASSPHRASE
• A sequence of characters that is longer than a password (thus a "phrase"), used as a password during an authentication process
• The passphrase is transformed into a virtual password with the length and format required for authentication (e.g. by hashing or a key-derivation function)
• A passphrase is more secure than a password because it is longer, and it is easier to remember than a random password of comparable strength
• E.g.:
– "Gran Hewad Afghanistan"
– "Nangarhar hamesha Bahar"
28. ACCESS CRITERIA
Access rights are granted to subjects based on the level of trust a company has in the subject and the subject's need to know
Five different access criteria
1. Roles
– An efficient way to assign rights to a subject who performs a certain task, based on a job assignment or function
2. Group
– Users that require the same access to a resource are grouped, and rights and permissions are assigned to the group
– Easier to manage than assigning rights and permissions to each individual separately
29. ACCESS CRITERIA
3. Physical or logical location
– Control object access according to whether the subject logs on interactively (locally) or remotely, or from which network
4. Time of day
– Define the times and duration during which object access is available to the subject (e.g. office hours / off hours)
5. Transaction type
– Control which objects may be accessed during certain types of functions and which commands can be carried out on the object
30. DEFAULT: NO ACCESS
Access control mechanisms should default to no access, to provide the necessary
level of security and ensure that no security holes go unnoticed
If access is not explicitly allowed, it should be completely denied
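The following Python is an added example (not from the lecture) that enforces the five access criteria of slides 28 and 29 together with the default of no access: a request is granted only when some rule explicitly allows it for that object, transaction type, role or group, source network and time of day. The payroll object, roles, groups, subnets and office hours are constructed for the demo.

```python
"""Added example: an authorization decision applying the five access criteria
with a default of no access. The objects, roles, groups, networks and office
hours below are constructed for the demo, not from any real system.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Subject:
    name: str
    roles: FrozenSet[str]
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Request:
    subject: Subject
    obj: str          # the object, e.g. a database
    action: str       # transaction type, e.g. "read", "update", "export"
    source_ip: str    # physical/logical location of the subject
    when: datetime    # local time of the attempt


@dataclass(frozen=True)
class Rule:
    """One explicit grant. A request is allowed only if every criterion holds."""
    obj: str
    actions: FrozenSet[str]                       # 5. transaction type
    roles: FrozenSet[str] = frozenset()           # 1. roles (any one suffices)
    groups: FrozenSet[str] = frozenset()          # 2. groups (any one suffices)
    networks: Tuple[str, ...] = ("0.0.0.0/0",)    # 3. location
    hours: Optional[Tuple[int, int]] = None       # 4. time of day [start, end)

    def matches(self, r: Request) -> bool:
        if r.obj != self.obj or r.action not in self.actions:
            return False
        if not (r.subject.roles & self.roles or r.subject.groups & self.groups):
            return False
        if not any(ip_address(r.source_ip) in ip_network(n) for n in self.networks):
            return False
        if self.hours is not None and not (self.hours[0] <= r.when.hour < self.hours[1]):
            return False
        return True


def authorize(rules: Iterable[Rule], r: Request) -> Tuple[bool, str]:
    """Default: no access. Only an explicitly matching rule grants the request."""
    for rule in rules:
        if rule.matches(r):
            return True, f"allowed: {r.subject.name} may {r.action} {r.obj}"
    return False, f"denied: no rule grants {r.subject.name} {r.action} on {r.obj}"


# Constructed policy: HR staff read payroll from the internal network in office
# hours; payroll admins may also update it, but only from the admin subnet.
# Nothing grants "export", so export is denied to everyone by default.
POLICY = [
    Rule("payroll-db", frozenset({"read"}), groups=frozenset({"hr-staff"}),
         networks=("10.0.0.0/8",), hours=(8, 17)),
    Rule("payroll-db", frozenset({"read", "update"}), roles=frozenset({"payroll-admin"}),
         networks=("10.0.5.0/24",), hours=(8, 17)),
]

# Constructed subjects.
HR_CLERK = Subject("ahmad", roles=frozenset(), groups=frozenset({"hr-staff"}))
ADMIN = Subject("farida", roles=frozenset({"payroll-admin"}), groups=frozenset({"hr-staff"}))
```

Each refusal names the criterion that failed only implicitly (no rule matched), which is the safe behaviour: a decision point that explains exactly which check an attacker failed would hand them a roadmap. Log the reason internally and return a generic denial to the caller.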
31. NEED TO KNOW
Need-to-know principle is similar to the least-privilege principle
The concept that individuals should be given access only to the information that
they absolutely need in order to perform their job duties
Grant the least amount of privileges, but just enough for that individual to be
productive when carrying out tasks
32. ACCESS CONTROL PRACTICES
Regular tasks to ensure that security stays at a satisfactory level
◦ Deny access to systems by undefined users or anonymous accounts
◦ Limit and monitor the usage of administrator and other powerful accounts
◦ Suspend or delay access capability after a specific number of unsuccessful logon attempts
◦ Remove obsolete user accounts as soon as the user leaves the company
◦ Suspend inactive accounts after 30 to 60 days
◦ Enforce strict access criteria
◦ Enforce the need-to-know and least-privilege practices
◦ Disable unneeded system features, services, and ports
33. ACCESS CONTROL PRACTICES
◦ Replace default password settings on accounts
◦ Limit and monitor global access rules
◦ Ensure that logon IDs are non-descriptive of job function
◦ Remove redundant user IDs, accounts, and role-based accounts from resource access
lists
◦ Enforce password requirements (length, contents, lifetime, distribution, storage, and
transmission)
◦ Audit system and user events and actions and review reports periodically
◦ Protect audit logs
34. UNAUTHORIZED DISCLOSURE OF INFORMATION
Object reuse
◦ Reassigning to a subject media that previously contained one or more objects
◦ A hard drive, floppy disk, or tape should be cleared of any residual information before it is reused
◦ Also applies to objects reused by computer processes, such as memory locations, variables, and registers, which must be cleared before they are reallocated
◦ Storage media should be security-labelled by the owner, and procedures for the media life cycle (issue, handling, sanitization, disposal) should be defined
35. UNAUTHORIZED DISCLOSURE OF INFORMATION
Emanation Security
◦ All electronic devices emit electrical signals; with the proper equipment, positioned properly, an attacker can capture these signals as data is transmitted or processed
◦ TEMPEST: a codename referring to spying on information systems through leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations
◦ Shielding standards
◦ A US DoD standard that outlines how to develop countermeasures that control the spurious electrical signals emitted by electrical equipment
◦ TEMPEST-rated equipment is implemented to prevent intruders from picking up information through the airwaves with listening devices
36. UNAUTHORIZED DISCLOSURE OF INFORMATION
White noise
◦ A uniform spectrum of random electrical signals, broadcast so that an intruder is not able to separate the real information from the noise
Control zone
◦ Facilities use material in their walls to contain electrical signals within a defined area
37. ACCESS CONTROL MONITORING
A method of keeping track of who attempts to access specific network resources
It is an important detection mechanism
e.g. Intrusion detection system (IDS)
◦ The process of detecting an unauthorized use of, or attack upon, a computer, network, or telecommunications infrastructure
◦ To spot something suspicious or abnormal happening on the network and raise an alarm, for instance by flashing a message on a network manager's screen
◦ Can look for sequences of data bits (signatures) that might indicate a questionable action or event, or monitor system logs and activity-recording files
◦ Sensors collect traffic and user activity data and send it to an analyzer, which looks for suspicious activity and sends an alert to the administrator's interface
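Added example (not from the lecture) combining slide 15's clipping level and last-logon message with this slide's log-monitoring IDS. The sshd-style syslog lines, hosts and addresses are constructed; because syslog timestamps carry no year, the parser assumes 2017 (the lecture date). Beyond the per-account clipping level, it adds the one detection a per-account counter cannot make: a single source failing against many different accounts (password spraying).

```python
"""Added example: the clipping-level and last-logon checks of slide 15 and the
log-monitoring IDS of slide 37, run over sshd-style syslog lines.

The log lines, hosts and addresses are constructed for the demo. Syslog lines
carry no year, so the parser assumes 2017 (the lecture date).
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed log: one user guessed at five times and then logged on, one
# source trying four different accounts, one clean key-based logon.
LOG = """\
Sep 16 08:01:10 host1 sshd[2001]: Failed password for ahmad from 10.0.3.4 port 51000 ssh2
Sep 16 08:01:14 host1 sshd[2001]: Failed password for ahmad from 10.0.3.4 port 51001 ssh2
Sep 16 08:01:19 host1 sshd[2001]: Failed password for ahmad from 10.0.3.4 port 51002 ssh2
Sep 16 08:01:23 host1 sshd[2001]: Failed password for ahmad from 10.0.3.4 port 51003 ssh2
Sep 16 08:01:30 host1 sshd[2001]: Failed password for ahmad from 10.0.3.4 port 51004 ssh2
Sep 16 08:01:36 host1 sshd[2001]: Accepted password for ahmad from 10.0.3.4 port 51005 ssh2
Sep 16 08:02:00 host1 sshd[2002]: Failed password for farida from 198.51.100.7 port 40000 ssh2
Sep 16 08:02:03 host1 sshd[2002]: Failed password for omar from 198.51.100.7 port 40001 ssh2
Sep 16 08:02:05 host1 sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Sep 16 08:02:09 host1 sshd[2002]: Failed password for root from 198.51.100.7 port 40003 ssh2
Sep 16 09:30:00 host1 sshd[2003]: Accepted publickey for farida from 10.0.7.2 port 42000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
ASSUMED_YEAR = 2017  # assumption: syslog timestamps omit the year


@dataclass(frozen=True)
class Event:
    when: datetime
    success: bool
    user: str
    src: str


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:   # unrelated lines are ignored
            when = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append(Event(when, m["result"] == "Accepted", m["user"], m["src"]))
    return events


def clipping_level_lockouts(events: List[Event], threshold: int = 5,
                            window: timedelta = timedelta(minutes=5)) -> Dict[str, datetime]:
    """Lock an account at the moment its failures within `window` reach
    `threshold`; a successful logon resets the count. Returns {user: locked_at}."""
    recent: Dict[str, deque] = defaultdict(deque)
    locked: Dict[str, datetime] = {}
    for e in sorted(events, key=lambda e: e.when):
        if e.success:
            recent[e.user].clear()
            continue
        q = recent[e.user]
        q.append(e.when)
        while q and e.when - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e.user not in locked:
            locked[e.user] = e.when
    return locked


def password_spray_sources(events: List[Event], min_accounts: int = 3) -> Dict[str, Set[str]]:
    """IDS-style rule: one source failing against many different accounts is a
    spray, which per-account clipping levels alone never trigger."""
    failed: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if not e.success:
            failed[e.src].add(e.user)
    return {src: users for src, users in failed.items() if len(users) >= min_accounts}


def logon_banner(events: List[Event], user: str) -> Optional[dict]:
    """Data for the 'last successful logon' message: when and from where the
    user last logged on, and how many failures preceded it since the previous
    success. None if the user has never logged on successfully."""
    mine = sorted((e for e in events if e.user == user), key=lambda e: e.when)
    successes = [i for i, e in enumerate(mine) if e.success]
    if not successes:
        return None
    last = successes[-1]
    prev = successes[-2] if len(successes) > 1 else -1
    return {"last_success": mine[last].when, "from": mine[last].src,
            "failed_since_previous": sum(1 for e in mine[prev + 1:last] if not e.success)}
```

On the constructed log, the clipping level fires for ahmad at 08:01:30 and the very next line is a successful logon for the same account: that pairing (lockout immediately followed by success) is exactly what an analyst should be alerted to, since it means either the lockout was not enforced or the guesser got in. The spraying source never trips any per-account threshold, which is why the second rule exists.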
38. KERBEROS
Kerberos: In Greek mythology, a many headed dog; the
guardian of the entrance of Hades
Image Source: MIT Kerberos
39. Kerberos
Network authentication protocol
Developed at MIT in the 1980s (Project Athena)
Trusted third-party key distribution system
Provides centralized third-party authentication in a distributed network
Allows users access to services distributed throughout the network
Uses a Key Distribution Center (KDC)
40. KERBEROS
Users wish to access services on servers
Three threats exist:
◦ A user pretends to be another user
◦ A user alters the network address of a workstation, so that requests appear to come from an authorized host
◦ A user eavesdrops on exchanges and uses a replay attack
41. KERBEROS
S: Authentication Server
A: User machine (client)
B: a server that hosts services
$K_{as}$ and $K_{bs}$ are the long-term secret keys that A and B, respectively, share with S; the session key $K_{ab}$ that S generates for A and B is introduced on the next slide
Figure: A and B each linked to S, the links labelled $K_{as}$ and $K_{bs}$ respectively
• Basically, A wants to talk to B, with permission from S.
42. Kerberos
1. User A sends a request to the Authentication Server S, asking to sign on to a service on server B; the request carries a nonce $n_A$: $A \to S: A, B, n_A$
2. S checks that it knows the user A;
• S generates: (1) a session key $K_{ab}$ and (2) a ticket for B (later passed on to B):
  $\mathrm{ticket}_B = E_{K_{bs}}(K_{ab}, A, L)$
• S sends to A: $\mathrm{ticket}_B,\; E_{K_{as}}(K_{ab}, n_A, L, B)$
  where $L$ = lifetime or timestamp
Note: the password is never sent to S. S derives the secret key $K_{as}$ by hashing the user's password found in its database, and sends $K_{ab}$ to A encrypted under that key
Note: $K_{bs}$ is a secret key shared by B and S
43. Kerberos
A has: $\mathrm{ticket}_B,\; E_{K_{as}}(K_{ab}, n_A, L, B)$
3. A decrypts its part of the reply and checks the nonce, then sends the ticket and an authenticator to B:
• Decrypt and obtain $K_{ab}$ and the nonce: $D_{K_{as}}(E_{K_{as}}(K_{ab}, n_A, L, B)) = K_{ab}, n_A, L, B$
• Compute the authenticator: $\mathrm{authenticator}_A = E_{K_{ab}}(A, T_A)$, where $T_A$ is A's current timestamp
• A sends to B: $\mathrm{ticket}_B = E_{K_{bs}}(K_{ab}, A, L),\; \mathrm{authenticator}_A = E_{K_{ab}}(A, T_A)$
44. Kerberos
B has: $\mathrm{ticket}_B = E_{K_{bs}}(K_{ab}, A, L),\; \mathrm{authenticator}_A = E_{K_{ab}}(A, T_A)$
4. B decrypts the ticket with $K_{bs}$ and obtains the session key $K_{ab}$;
B checks that the identifiers match (A in the ticket and A in the authenticator), that the ticket has not expired, and that the time stamp $T_A$ is valid: fresh within the allowed skew and not already seen, which is what defeats replay of a captured ticket and authenticator.
5. B returns the time stamp $T_A$ encrypted under the session key $K_{ab}$ to the client: $B \to A: E_{K_{ab}}(T_A)$. Only a B that knows $K_{bs}$ could have recovered $K_{ab}$, so this also authenticates B to A.
45. Kerberos
The validity period for time stamps must consider the skew between the local clocks of client and server (Kerberos v5 implementations allow a few minutes by default).
Traditionally, Kerberos is deployed using a ticket granting server in conjunction with an authentication server
S = KAS + TGS; principals A, B
◦ KAS authenticates principals at logon and issues ticket granting tickets (TGTs), which are valid for one login session and enable principals to obtain service tickets from the ticket granting server
◦ KAS and TGS together are usually called the KDC, the key distribution center
◦ A user first contacts the authentication server (KAS) to get a ticket granting ticket (TGT), then presents the TGT to the Ticket Granting Server (TGS) to obtain a ticket for each service; the long-term key derived from the password is therefore needed only once per session
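Added example (not from the lecture): the exchange of slides 41 to 44 run end to end in Python, with the clock-skew window and the replay check of slides 44 and 45. The realm, principals, passwords and clock values are constructed, and the encrypt-then-MAC cipher built from HMAC-SHA256 is a stand-in for a Kerberos encryption type, not anything from the MIT implementation; it is there so that a wrong key or a tampered ticket fails loudly, as a real Kerberos decryption does, instead of producing garbage.

```python
"""Added example: the simplified Kerberos exchange of slides 41-44, with the
clock-skew window and replay check of slides 44-45, run end to end.

Constructed for this page: the realm, principals, passwords and clock values are
made up, and the encrypt-then-MAC cipher (HMAC-SHA256 keystream plus HMAC tag)
stands in for a Kerberos encryption type; it is for illustration only.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, Tuple


def derive_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string2key: long-term key from password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def enc(key: bytes, msg: dict) -> bytes:
    """E_K(msg): nonce || ciphertext || tag. The tag makes a wrong key or a
    tampered ticket fail loudly instead of decrypting to garbage."""
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def dec(key: bytes, blob: bytes) -> dict:
    """D_K(blob); raises ValueError if the tag does not verify."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class AuthServer:
    """S: knows every principal's long-term key (K_as, K_bs, ...)."""

    def __init__(self, realm: str, passwords: Dict[str, str]):
        self.keys = {p: derive_key(pw, realm + p) for p, pw in passwords.items()}

    def request(self, a: str, b: str, nonce: str, now: int,
                lifetime: int = 300) -> Tuple[bytes, bytes]:
        """Steps 1-2: A -> S: A, B, n_A;  S -> A: ticket_B, E_Kas(K_ab, n_A, L, B)."""
        if a not in self.keys or b not in self.keys:
            raise KeyError("unknown principal")
        kab, L = os.urandom(32).hex(), now + lifetime
        ticket_b = enc(self.keys[b], {"Kab": kab, "A": a, "L": L})
        return ticket_b, enc(self.keys[a], {"Kab": kab, "nA": nonce, "L": L, "B": b})


class Service:
    """B: holds K_bs and a replay cache of authenticators already accepted."""

    def __init__(self, name: str, kbs: bytes, skew: int = 120):
        self.name, self.kbs, self.skew = name, kbs, skew
        self.seen = set()

    def accept(self, ticket: bytes, authenticator: bytes, now: int) -> bytes:
        """Step 4 checks, then step 5: B -> A: E_Kab(T_A)."""
        t = dec(self.kbs, ticket)
        if now > t["L"]:
            raise ValueError("ticket expired")
        kab = bytes.fromhex(t["Kab"])
        auth = dec(kab, authenticator)
        if auth["A"] != t["A"]:
            raise ValueError("identifier in authenticator does not match ticket")
        if abs(now - auth["TA"]) > self.skew:
            raise ValueError("timestamp outside clock-skew window")
        if (auth["A"], auth["TA"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((auth["A"], auth["TA"]))
        return enc(kab, {"TA": auth["TA"]})


class Client:
    """A: derives K_as from the password locally; the password never goes to S."""

    def __init__(self, name: str, password: str, realm: str):
        self.name, self.kas = name, derive_key(password, realm + name)

    def login(self, s: AuthServer, b: Service, now: int) -> bool:
        nonce = os.urandom(8).hex()
        ticket_b, reply = s.request(self.name, b.name, nonce, now)
        r = dec(self.kas, reply)                       # step 3: fails on wrong password
        if r["nA"] != nonce or r["B"] != b.name:
            raise ValueError("reply is not for this request")
        kab = bytes.fromhex(r["Kab"])
        response = b.accept(ticket_b, enc(kab, {"A": self.name, "TA": now}), now)
        return dec(kab, response)["TA"] == now         # step 5: B proved it knows K_bs
```

Usage: build `AuthServer(realm, {...passwords...})`, give the service its own copy of $K_{bs}$ with `Service("fileserver", s.keys["fileserver"])`, and call `Client(name, password, realm).login(s, b, now)`. A wrong password at the client fails at step 3 (the reply does not decrypt), a captured ticket and authenticator fail on second use (replay cache), an authenticator outside the skew window or a ticket past $L$ is refused, and a flipped byte anywhere in the ticket fails the tag check.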
46. Ticket Granting Servers
Figure: A, KAS, TGS and B, with the five exchanges numbered as follows
1. A → KAS: request ticket granting ticket
2. KAS → A: TGT is granted
3. A → TGS: request server ticket (presenting the TGT)
4. TGS → A: server ticket
5. A → B: service request (presenting the server ticket)
47. DIFFERENCE BETWEEN VERSION 4 AND 5
• Encryption system dependence
– v4 requires the DES algorithm
– v5 allows many encryption techniques
– Ciphertext is tagged with an encryption type identifier
• Internet protocol dependence
– v4 requires the use of IP
– v5 allows other network protocols
48. DIFFERENCE BETWEEN VERSION 4 AND 5
• Ticket lifetime
– v4 encodes it in an 8-bit quantity in units of five minutes, so the maximum lifetime is about 21 hours
– v5 allows explicit start and end times
• Authentication forwarding
– v4 does not allow credentials issued to one client to be forwarded to another host for use by some other client
– v5 allows it
49. KERBEROS – IN PRACTICE
• Two Kerberos versions exist:
– v4: restricted to a single realm; obsolete
– v5: allows inter-realm authentication and is the version in current use
– Kerberos v5 is an Internet standard, originally specified in RFC 1510 (since superseded by RFC 4120), and used by many utilities
• Requirements to use Kerberos:
– need to have a KDC on your network
– need to have Kerberised applications running on all participating systems
– historical problem: US export restrictions, under which Kerberos could not be directly distributed outside the US in source form (binary versions had to obscure the crypto routine entry points and ship with no encryption)
– alternatively, the crypto libraries had to be re-implemented locally