CSE 4482: Computer Security Management: Assessment and Forensics
Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875
Lectures: Tues (CB 122), 7–10 PM
Office hours: Wed 3-5 pm (CSEB 3043), or by appointment.
Textbooks:
1. "Management of Information Security", M. E. Whitman, H. J. Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition
2. "Guide to Computer Forensics and Investigations", B. Nelson, A. Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE Learning, 2010, 4th Edition.
Objectives
On completing this chapter, you should be able to:
• Describe the various access control approaches, including authentication, authorization, and biometric access controls
• Identify the various types of firewalls and the common approaches to firewall implementation
• Enumerate and discuss the current issues in dial-up access and protection
• Identify and describe the types of intrusion detection systems and the two strategies on which they are based
• Explain cryptography and the encryption process, and compare and contrast symmetric and asymmetric encryption
Management of Information Security, 3rd ed.
Introduction
• Technical controls
– Usually an essential part of information security programs
– Insufficient if used alone
– Must be combined with sound policy and education, training, and awareness efforts
Introduction (cont’d.)
Figure 10-1 Sphere of security
Source: Course Technology/Cengage Learning
Technical security mechanisms
• Access controls
• Firewalls
• Intrusion detection systems (host, network)
• Scanning and analysis tools
• Vulnerability assessment
• Encryption systems
Access Controls
The four processes of access control
• Identification
– Obtaining the identity of the person requesting access
• Authentication
– Confirming the identity of the person
• Authorization
– Determining which actions a person can perform in that physical or logical area
• Accountability
– Documenting the activities of the authorized individual and systems
“Triple A of security”
Identification
• A mechanism that provides information about a supplicant that requests access
• Identifier (ID)
– The label applied to the supplicant
– Must be a unique value that can be mapped to one and only one entity within the security domain
• Examples: name, first initial and surname
Authentication
• Authentication mechanism types
– Something you know
– Something you have
– Something you are
– Something you produce
• Strong authentication
– Uses at least two different authentication mechanism types (e.g. bank ABM card + PIN)
Authentication (cont’d.)
• Something you know
– A password, passphrase, or other unique code
• A password is a private word or combination of characters that only the user should know
• A passphrase is a plain-language phrase, typically longer than a password, from which a virtual password is derived
– Passwords should be at least eight characters long and contain at least one number and one special character
Table 10-1 Password power
Source: Course Technology/Cengage Learning
Brute force password cracking at about 8 million guesses per second
Authentication (cont’d.)
• Something you (user or system) have
– Examples: a card, key, or token
• A dumb card (such as an ATM card) with magnetic stripes
– Card no. (and other info) stored on magnetic stripe
– Machine encrypts PIN, sends to a database for verification
• A smart card (contains a processor)
– Contains CPU, RAM, ROM, encryption hardware
– Stores encrypted PIN, user info
– 100 x as much data as magnetic stripe
– Can verify PIN, generate a certificate for transaction
Authentication (cont’d.)
Figure 10-3 Access control tokens
Source: Course Technology/Cengage Learning
• A cryptographic token (a processor in a card that has a display) provides a one-time password
• Tokens may be either synchronous (use time to generate the one-time password) or asynchronous (challenge-response for authentication)
Authentication (cont’d.)
• Something you are
– Something inherent in the user that is evaluated using biometrics
• Most technologies that scan human characteristics convert the images to obtain minutiae (unique points of reference that are digitized and stored in an encrypted format)
• Examples: fingerprints, retina, iris
• Effective, may be expensive
Authentication (cont’d.)
• Something you produce
– Something the user performs or produces
• Includes technology related to signature recognition and voice recognition
• Less expensive, less reliable than biometrics
Authentication (cont’d.)
Figure 10-4 Recognition characteristics
Source: Course Technology/Cengage Learning
Interesting variant
• User authentication through keystroke dynamics (computers, mobile devices)
Evaluating Biometrics
• Biometric evaluation criteria
– False reject rate (Type I error)
• Percentage of authorized users who are denied access
– False accept rate (Type II error)
• Percentage of unauthorized users who are allowed access
– Crossover error rate (CER)
• Point at which the number of false rejections equals the number of false acceptances
Error rates
From http://www.techrepublic.com/article/reduce-multi-factor-authentication-costs-with-behavioral-biometrics/6150761
Biometrics    Type 2    Type 1
Fingerprint   0%        1%
Voiceprint    1.6%      1.8%
Typeprint     0.01%     3%
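The FRR/FAR/CER definitions above and the error-rate table are easiest to see on numbers. The following is an added example, not part of the slides or the textbook: it computes all three rates from constructed match scores of a hypothetical matcher (the scores, the 0-100 scale and the function names are assumptions) and shows how tuning for a FAR target instead of the CER raises the FRR.

```python
"""Added example (not from the slides): false reject rate (Type I), false accept
rate (Type II) and crossover error rate (CER) computed from constructed match
scores of a hypothetical biometric matcher."""
from typing import Dict, List, Tuple

# Constructed sample data. Genuine scores: authorized users against their own
# enrolled template. Impostor scores: other people against that template.
# Higher = closer match; a live trial would collect thousands of each.
GENUINE_SCORES = [62, 71, 75, 78, 80, 83, 85, 88, 90, 94]
IMPOSTOR_SCORES = [20, 31, 38, 45, 50, 55, 60, 66, 72, 79]


def error_rates(genuine: List[int], impostor: List[int], threshold: int) -> Tuple[float, float]:
    """(FRR, FAR) in percent when a score >= threshold is accepted.

    FRR, Type I: authorized users whose score fell below the threshold.
    FAR, Type II: impostors whose score reached the threshold.
    """
    frr = 100.0 * sum(1 for s in genuine if s < threshold) / len(genuine)
    far = 100.0 * sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def error_curve(genuine: List[int], impostor: List[int]) -> Dict[int, Tuple[float, float]]:
    """FRR and FAR at every threshold from 0 to 100 (scores are on a 0-100 scale)."""
    return {t: error_rates(genuine, impostor, t) for t in range(101)}


def crossover_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """(threshold, CER): the operating point where FRR and FAR are closest.

    Raising the threshold lowers FAR but raises FRR, so the curves cross once.
    With finite samples they may not meet exactly; the closest pair is taken
    and the CER reported as their mean.
    """
    best_t, best_gap, best_cer = 0, float("inf"), 0.0
    for t, (frr, far) in error_curve(genuine, impostor).items():
        if abs(frr - far) < best_gap:
            best_t, best_gap, best_cer = t, abs(frr - far), (frr + far) / 2
    return best_t, best_cer


def threshold_for_far(genuine: List[int], impostor: List[int], max_far: float) -> Tuple[int, float]:
    """Lowest threshold whose FAR is within max_far, and the FRR users pay for it.

    High-security deployments tune for a FAR target rather than the CER and
    accept the extra false rejects that come with it.
    """
    for t, (frr, far) in error_curve(genuine, impostor).items():
        if far <= max_far:
            return t, frr
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer:.1f}% at threshold {t}")
    t, frr = threshold_for_far(GENUINE_SCORES, IMPOSTOR_SCORES, max_far=0.0)
    print(f"zero FAR needs threshold {t}, costing FRR {frr:.1f}%")
```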
Acceptability of Biometrics
• Note: Iris scanning has experienced rapid growth in popularity due to its acceptability, low cost, and effective security
Figure 10-4 Recognition characteristics
Source: Harold F. Tipton and Micki Krause. Handbook of Information Security Management. Boca Raton, FL: CRC Press, 1998: 39–41.
Authorization
• Types of authorization
– Each authenticated user
• The system performs an authentication process to verify the specific entity and then grants access to resources for only that entity
– Members of a group
• The system matches authenticated entities to a list of group memberships, and then grants access to resources based on the group’s access rights
– Across multiple systems
• A central system verifies identity and grants a set of credentials to the verified entity
Accountability
• Monitors actions so that they can be attributed to an authenticated entity
• Examples: attempts to read or write data, attempts to modify privileges, attempts to gain unauthorized access
• Most common technique: logs
• Examples: security application logs, security hardware logs, OS logs
Managing Access Controls
• A formal access control policy
– Determines how access rights are granted to entities and groups
– Includes provisions for periodically reviewing all access rights, granting access rights to new employees, changing access rights when job roles change, and revoking access rights as appropriate
Next: Firewalls
• From http://www.hardwaresecrets.com/imageview.php?image=6731
TCP/IP: logical communication
• http://flylib.com/books/2/959/1/html/2/images/mir08f01.jpg
TCP/IP: logical communication
• http://www.tcpipguide.com/free/diagrams/ipsectransport.png
Firewalls
• Any device that prevents a specific type of information from moving between two networks
– Between the outside (untrusted network, e.g., the Internet) and the inside (trusted network)
• May be
– a separate computer system
– a service running on an existing router or server
– a separate network of supporting devices
Firewalls
Can
• Limit access
– Separate different parts of a network
– Dynamically change permissions
• Enforce security policy
• Monitor/log activity
Firewalls
Cannot
• Protect against malicious insiders
• Protect against unforeseen threats
• Protect against connections not passing through it (e.g. direct dialup).
• Limited use against viruses
The Development of Firewalls
• Packet filtering firewalls
– First generation firewalls
– Simple networking devices that filter packets by examining every incoming and outgoing packet header
– Selectively filter packets based on values in the packet header
– Can be configured to filter based on IP address, type of packet, port request, and/or other elements present in the packet
The Development of Firewalls (cont’d.)
Table 10-4 Packet filtering example rules
Source: Course Technology/Cengage Learning
Typically use filtering rules based on IP addresses, direction, and port numbers.
Development of Firewalls - contd
• Application-level firewalls
– Second generation firewalls
– Dedicated computers kept separate from the first filtering router (edge router)
– Commonly used in conjunction with a second or internal filtering router, or a proxy server
• The proxy server, rather than the Web server, is exposed to the outside world from within a network segment called the demilitarized zone (DMZ), an intermediate area between a trusted network and an untrusted network
– Implemented for specific protocols
Development of Firewalls - contd
Stateless vs stateful inspection
• Stateless: simple, memoryless, oblivious
• Stateful inspection firewalls
– Third generation firewalls
– Keeps track of each network connection established between internal and external systems using a state table
• State tables track the state and context of each packet exchanged by recording which station sent which packet and when
Development of Firewalls - contd
• Stateful inspection firewalls (cont’d.)
– Can restrict incoming packets by allowing access only to packets that constitute responses to requests from internal hosts
– If the stateful inspection firewall receives an incoming packet that it cannot match to its state table
• It uses ACL rights to determine whether to allow the packet to pass
• Stateless firewalls: network and link layers
• Stateful firewalls: transport, network and link layers
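As an added example, not from the slides or the textbook, the toy filter below contrasts the stateless ACL decision with the stateful one described above: an outbound request opens a state-table entry, its reply is admitted because of that entry, an unsolicited inbound packet falls back to the ACL and is denied, and an expired entry no longer admits a late reply. Addresses, ports, the rule syntax and the timeout are constructed.

```python
"""Added example (not from the slides): toy stateless vs stateful packet filtering.
Rules match on the header fields the slides name (addresses, direction, ports); the
stateful filter remembers connections opened from inside and admits their replies."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = from the untrusted network, "out" = from the trusted one
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def _ip_matches(pattern: str, ip: str) -> bool:
    # "any", an exact address, or a prefix wildcard such as "10.0.0."
    return pattern == "any" or ip == pattern or (pattern.endswith(".") and ip.startswith(pattern))

@dataclass(frozen=True)
class Rule:
    direction: str            # "in", "out" or "any"
    src_ip: str               # exact address, prefix like "10.0.0." or "any"
    dst_ip: str
    dst_port: Optional[int]   # None = any port
    action: str               # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and _ip_matches(self.src_ip, p.src_ip)
                and _ip_matches(self.dst_ip, p.dst_ip)
                and (self.dst_port is None or self.dst_port == p.dst_port))

def stateless_decision(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied (implicit deny-all)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"

class StatefulFirewall:
    def __init__(self, rules: List[Rule], timeout: int = 60):
        self.rules, self.timeout = rules, timeout
        # state table: (internal ip, port, external ip, port) -> time the request was seen
        self.state: Dict[Tuple[str, int, str, int], int] = {}

    def filter(self, p: Packet, now: int) -> str:
        if p.direction == "out":
            verdict = stateless_decision(self.rules, p)
            if verdict == "allow":   # remember who opened the connection and when
                self.state[(p.src_ip, p.src_port, p.dst_ip, p.dst_port)] = now
            return verdict
        # inbound: allow only if it answers a request an internal host made recently
        opened = self.state.get((p.dst_ip, p.dst_port, p.src_ip, p.src_port))
        if opened is not None and now - opened <= self.timeout:
            return "allow"
        return stateless_decision(self.rules, p)   # no state entry: fall back to the ACL

# Constructed policy: hosts 10.0.0.x may open web (port 80) connections outward, all
# else is denied. There is deliberately no "allow in" rule: a purely stateless filter
# would need one (any source, source port 80), which also admits unsolicited packets.
POLICY = [
    Rule("out", "10.0.0.", "any", 80, "allow"),
    Rule("any", "any", "any", None, "deny"),
]

def demo() -> Dict[str, str]:
    fw = StatefulFirewall(POLICY, timeout=60)
    request = Packet("out", "10.0.0.5", 51000, "203.0.113.10", 80)
    reply = Packet("in", "203.0.113.10", 80, "10.0.0.5", 51000)
    unsolicited = Packet("in", "203.0.113.99", 80, "10.0.0.5", 51000)  # nobody asked it
    return {
        "request": fw.filter(request, now=1),
        "reply": fw.filter(reply, now=2),
        "unsolicited": fw.filter(unsolicited, now=3),
        "late_reply": fw.filter(reply, now=500),                # entry timed out
        "reply_stateless": stateless_decision(POLICY, reply),   # same ACL, no state table
    }
```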
Static vs Dynamic Firewalls
• Static: fixed rules, configured by admin
• Dynamic packet filtering firewall
– Fourth generation firewall
– Can adapt to changing conditions by creating and/or changing rules
– Understands how the protocol functions, and opens and closes ports depending on application
– An intermediate form between traditional static packet filters and application proxies
Packet-filtering firewalls: notes
• Does not examine packet contents, only headers
• Application level firewalls examine packet contents
Application gateway
• http://download.oracle.com/docs/cd/B19306_01/network.102/b14212/img/net81083.gif
Application gateway (proxy)
• Application aware
• Client and server connect to these proxies instead of connecting directly to each other
• Can look into individual sessions
• Can drop a packet based on information in the application protocol headers or in the application payload
• E.g.: SMTP proxies can be configured to allow only helo, mail from:, rcpt to: to pass through the firewall
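The SMTP proxy behaviour in the last bullet, as an added example that is not from the slides or the textbook: an application-layer filter that forwards only the verbs on its allow-list and inspects the MAIL FROM / RCPT TO arguments before forwarding them. The sample client session, the choice of reply codes and the simplified address check are assumptions.

```python
"""Added example (not from the slides): an application-layer filter for SMTP
commands, in the style of the proxy the slides describe, which lets only HELO,
MAIL FROM and RCPT TO through. The sample session is constructed."""
import re
from typing import List, Set, Tuple

# The slide's allow-list. A deployment also needs DATA, RSET and QUIT for mail
# to flow at all, so the set is a parameter rather than a fixed constant.
DEFAULT_ALLOWED: Set[str] = {"HELO", "MAIL", "RCPT"}
# Simplistic <local@domain> path check; the real grammar (RFC 5321) is larger.
ADDRESS_RE = re.compile(r"^<[^<>\s@]+@[^<>\s@]+>$")
MAX_LINE = 512   # RFC 5321 command line limit, CRLF included


def parse_command(line: str) -> Tuple[str, str]:
    """Split a command line into (VERB, argument); SMTP verbs are case-insensitive."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    return verb.upper(), arg.strip()


def inspect_command(line: str, allowed: Set[str] = DEFAULT_ALLOWED) -> Tuple[bool, str]:
    """Decide whether to forward a client line to the real mail server.

    Returns (True, "") to forward, or (False, reply) where reply is the SMTP
    response the proxy sends back itself. The decision looks at the protocol
    header (the verb) and, for MAIL/RCPT, the payload (the address argument).
    """
    if len(line) > MAX_LINE:
        return False, "500 Line too long"
    verb, arg = parse_command(line)
    if verb not in allowed:
        return False, "502 Command not implemented"
    if verb in ("MAIL", "RCPT"):
        keyword = "FROM:" if verb == "MAIL" else "TO:"
        if not arg.upper().startswith(keyword):
            return False, "501 Syntax error in parameters or arguments"
        path = arg[len(keyword):].strip()
        if not (ADDRESS_RE.match(path) or (verb == "MAIL" and path == "<>")):
            return False, "501 Bad address syntax"   # "<>" is the legitimate null sender
    return True, ""


def proxy_session(client_lines: List[str], allowed: Set[str] = DEFAULT_ALLOWED) -> List[str]:
    """Run a client's command stream through the filter and return the audit log."""
    log = []
    for line in client_lines:
        forward, reply = inspect_command(line, allowed)
        shown = line.rstrip("\r\n")
        log.append(f"FORWARD {shown}" if forward else f"BLOCK   {shown} -> {reply}")
    return log


# Constructed client session, one command per line as the proxy would read them
SAMPLE_SESSION = [
    "HELO mail.example.org\r\n",
    "MAIL FROM:<alice@example.org>\r\n",
    "RCPT TO:<bob@example.net>\r\n",
    "VRFY bob\r\n",                    # verb not on the allow-list
    "RCPT TO:bob@example.net\r\n",     # allowed verb, malformed path
    "DATA\r\n",                        # not on the slide's list; add it to `allowed` to pass mail
]

if __name__ == "__main__":
    print("\n".join(proxy_session(SAMPLE_SESSION)))
```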
Application gateway: uses
• IP address hiding/translation
• Header modification
• Prevent port/protocol spoofing
• Content-based filtering (prevent sensitive data from being emailed out)
• URL filtering
• MIME filtering
Application gateway: drawbacks
• End-to-end semantics lost
• Slower processing, lower throughput
• Not all applications amenable to this strategy
Other strategies: circuit gateways, MAC layer firewall
Firewall Architectures
• Each firewall generation can be implemented in several architectural configurations
• Common architectural implementations
– Packet filtering routers
– Screened-host firewalls
– Dual-homed host firewalls
– Screened-subnet firewalls
Packet filtering routers
• Most organizations with an Internet connection use some form of router between their internal networks and the external service provider
– Many can be configured to block packets that the organization does not allow into the network
– Such an architecture lacks auditing and strong authentication
– The complexity of the access control lists used to filter the packets can grow to a point that degrades network performance
Packet filtering routers (cont’d.)
Figure 10-5 Packet filtering firewall
Source: Course Technology/Cengage Learning
Screened-host firewall systems
• Combine the packet filtering router with a separate, dedicated firewall such as an application proxy server
• Allows the router to screen packets
– Minimizes network traffic and load on the internal proxy
• The application proxy examines an application layer protocol, such as HTTP, and performs the proxy services
• Bastion host
– A single, rich target for external attacks
– Should be very thoroughly secured
Screened-host firewall systems (cont’d.)
Figure 10-6 Screened-host firewall
Source: Course Technology/Cengage Learning
Dual-homed host firewalls
• The bastion host contains two network interfaces
– One is connected to the external network
– One is connected to the internal network
– Requires all traffic to travel through the firewall to move between the internal and external networks
• Network-address translation (NAT) is often implemented with this architecture, which converts external IP addresses to special ranges of internal IP addresses
• These special, nonroutable addresses consist of three different ranges:
– 10.x.x.x: greater than 16.5 million usable addresses
– 192.168.x.x: greater than 65,500 addresses
– 172.16.0.x - 172.16.15.x: greater than 4000 usable addresses
Generalize this idea to…
• A host firewall (not router) with 2 NICs placed between external and internal router.
• More isolation, higher cost, slower processing, single point of failure
Dual-homed host firewalls – contd.
Figure 10-7 Dual-homed host firewall
Source: Course Technology/Cengage Learning
Screened-Subnet Firewalls
• Consists of one or more internal bastion hosts located behind a packet filtering router, with each host protecting the trusted network
• The first general model uses two filtering routers, with one or more dual-homed bastion hosts between them
• The second general model shows connections routed as follows:
– Connections from the untrusted network are routed through an external filtering router
– Connections from the untrusted network are routed into—and then out of—a routing firewall to the separate network segment known as the DMZ
– Connections into the trusted internal network are allowed only from the DMZ bastion host servers
Screened-Subnet Firewalls (cont’d.)
Figure 10-8 Screened subnet (DMZ)
Source: Course Technology/Cengage Learning
Selecting the Right Firewall
• Firewall technology:
– What type offers the right balance between protection and cost for the organization’s needs?
• Cost:
– What features are included in the base price? At extra cost? Are all cost factors known?
• Maintenance:
– How easy is it to set up and configure the firewall?
– How accessible are the staff technicians who can competently configure the firewall?
• Future growth:
– Can the candidate firewall adapt to the growing network in the target organization?