Security Science and Engineering
Sashank Dara



This work by Sashank Dara is licensed under CC Attribution-ShareAlike 3.0 Unported   1
This talk is intended for graduate or undergraduate
students, as an attempt to motivate them into this
exciting field of computer security.

This talk is by no means complete, although it constantly
evolves to become more comprehensive.




Science




Engineering




Flaws can be Disastrous




Boundaries to breach




A bumble bee aerodynamically cannot fly; what does this mean?

Symbols and Interpretation
•  Engineering application, Product
•  Scientific Theory, Framework, Mathematical Model
•  A flaw either in theory or in application that resulted in disaster
•  Scope for breaching theoretical or practical boundaries


Foundations
•    Authentication
•    Authorization
•    Confidentiality
•    Integrity
•    Non Repudiation
•    Availability (non-denial of service)

Note: any security application, appliance or piece of
research is about achieving a combination of the
above properties, or their variants

Authentication




Less formally, this involves confirming the identity of a person
or software program: "you are who you say you are"


Factors and Identity
•  Ownership Factors, something the user has, say ID Card,
   Security token, Phone etc.

•  Knowledge Factors, something the user knows, say
   password, passphrase, PIN, challenge response

•  Inherence Factors, something the user is or does, say
   fingerprint, DNA sequence, retinal scan, voice, facial
   recognition

•  Two factor authentication is an approach to
   authentication which requires the presentation of "two or
   more" of the three authentication "factors"

Applications
•  Single sign-on, a user logs in once and gains access to all
   systems without being prompted to log in again at each of
   them
•  OpenID: users may create accounts with their preferred
   OpenID identity providers, and then use those accounts as the
   basis for signing on to any website which accepts OpenID
   authentication.
•  Kerberos is a computer network authentication protocol
   which works on the basis of "tickets" to allow nodes to prove their
   identity to one another in a secure manner.
•  BrowserID is a decentralized identity system that makes it
   possible for users to prove ownership of email addresses in a
   secure manner, without requiring per-site passwords
•  Two-Factor authentication


Caveats
•      Security experts argue that it is impossible to prove the identity of a
       computer user with absolute certainty. Any given test can be
       spoofed one way or another, with varying degrees of difficulty. –
       Wikipedia
•      Strong passwords are difficult to remember
•      Fingerprinting has been successfully spoofed using glue and thumb
       impressions
•      Facial recognition can be beaten using photographs!
•      Voice can be easily mimicked!
•      ID cards, phones and security tokens can be stolen!

•      The US Government defines strong authentication as a layered
       authentication approach relying on two or more authenticators to
       establish the identity of an originator or receiver of information.


Authorization




The function of specifying access rights to resources;
more formally, "to authorize" is to define access policy.



Authorization
•  For example, human resources staff are normally
   authorized to access employee records, and this
   policy is usually formalized as access control rules in
   a computer system.

•  During operation, the system uses the access
   control rules to decide whether access requests
   from (authenticated) consumers shall be approved
   (granted) or disapproved (rejected).




Access Control




Access Control includes Authentication, Authorization and Audit


Two Steps
•  Policy definition phase, where access is authorized
    o  This step is essentially the authorization phase




•  Policy enforcement phase where access requests
   are approved or disapproved




Access Control Lists
•  In short, a list of permissions attached to an object or
   a collection of objects
•  A file system ACL is a data structure (usually a table)
   containing entries that specify individual user or
   group rights to specific system objects such as
   programs, processes, or files.
•  A network ACL is a list of rules specifying the services
   that can be accessed by inbound and outbound
   traffic.
     o  Firewalls are predominantly based on ACLs
     o  The famous five-tuple (Source IP, Destination IP, Source port, Dest port,
        action)


Security Models
•  Discretionary access control (DAC)
    o  Users (owners) have the ability to make policy decisions and/or assign
       security attributes.
    o  Example: Unix file mode info represented by rwx bits

•  Mandatory access control (MAC)
    o  Decision-making authorities have the ability to make policy decisions
       and/or assign security attributes
    o  Users do not have the ability to make policy decisions
    o  Example: the SELinux framework

•  Role-based access control (RBAC)
    o  Combination of DAC and MAC, typically used in enterprises
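The two models just described can be written as small decision functions. The block below is an added example, not from the slides: `dac_permits` applies the Unix owner/group/other mode bits that the slide cites for DAC, and `mac_permits` applies a lattice of clearance labels in the Bell-LaPadula style (no read up, no write down), which is one standard way a mandatory policy is specified. The inodes, labels and processes are constructed and the helper names are my own.

```python
"""Discretionary vs. mandatory access decisions.
Added example for this deck; files, labels and processes are constructed."""
from dataclasses import dataclass
from typing import FrozenSet


# --- DAC: the Unix file mode, policy set by the object's owner -------------
@dataclass
class Inode:
    owner_uid: int
    group_gid: int
    mode: int                     # permission bits only, e.g. 0o640


@dataclass(frozen=True)
class Process:
    uid: int
    gids: FrozenSet[int]          # primary plus supplementary groups


def dac_permits(f: Inode, p: Process, want: str) -> bool:
    """Classic Unix rule: pick exactly one class (owner, group or other) and
    consult only that class's rwx bits. An owner with mode 0o077 is denied
    even though "other" would be allowed. uid 0 bypasses read/write checks
    and, for execute, needs only some execute bit to be set."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if p.uid == 0:
        return want != "x" or bool(f.mode & 0o111)
    if p.uid == f.owner_uid:
        shift = 6
    elif f.group_gid in p.gids:
        shift = 3
    else:
        shift = 0
    return bool((f.mode >> shift) & bit)


def chmod(f: Inode, p: Process, new_mode: int) -> bool:
    """Discretionary: only the owner (or root) may change the policy bits."""
    if p.uid in (0, f.owner_uid):
        f.mode = new_mode & 0o777
        return True
    return False


# --- MAC: labels in a lattice, policy fixed by the security administrator ---
@dataclass(frozen=True)
class Label:
    level: int                    # 0 = unclassified ... 3 = top secret
    cats: FrozenSet[str]          # need-to-know compartments


def dominates(a: Label, b: Label) -> bool:
    """Lattice order: a >= b iff both the level and the compartment set are >=."""
    return a.level >= b.level and a.cats >= b.cats


def mac_permits(subject: Label, obj: Label, want: str) -> bool:
    """Bell-LaPadula: read needs subject >= object (no read up);
    write needs object >= subject (no write down). Users cannot relabel."""
    if want == "r":
        return dominates(subject, obj)
    if want == "w":
        return dominates(obj, subject)
    raise ValueError(f"unknown access {want!r}")


if __name__ == "__main__":
    payroll = Inode(owner_uid=1000, group_gid=100, mode=0o640)
    print("owner writes:", dac_permits(payroll, Process(1000, frozenset({100})), "w"))
    print("group writes:", dac_permits(payroll, Process(1001, frozenset({100})), "w"))
    analyst = Label(2, frozenset({"nuclear"}))
    print("analyst reads secret/crypto:",
          mac_permits(analyst, Label(2, frozenset({"crypto"})), "r"))
```

The difference between the models is visible in who may call `chmod`: under DAC the owner rewrites the bits, while the MAC labels have no user-facing setter at all.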




Security Models
•  Context-based access control
    o  Deep packet and stateful inspection in firewalls

•  Capability-based security
    o  A capability is a token, ticket, or key that gives the possessor permission to
       access an entity or object in a computer system
    o  By contrast, there are no ACLs!

•  There are many other models



Mathematical models
•  Conflicts in access control lists can open up security
   holes!
    o  Misconfiguration of firewalls has often resulted in disasters!

•  Can we mathematically model access control lists?
    o  Boolean logic
    o  Lattice-based access control models

•  Can we prove they are formally correct and
   complete?
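One way to make the slide's question concrete: treat every rule as a Boolean predicate over the packet's fields. A later rule whose predicate is implied by an earlier one can never fire, and if the two actions differ the policy contains a conflict. The block below is an added example, not from the slides or from any firewall product; it carries the protocol as a rule field alongside the addresses and ports (the slide's five-tuple lists the action in that slot), and the ruleset, packets and helper names are constructed by me.

```python
"""First-match five-tuple filter plus a shadowed-rule check.
Added example for this deck; the ACL and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]          # inclusive bounds
ANY_PORT: PortRange = (0, 65535)


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: PortRange
    dport: PortRange
    proto: str                       # "tcp", "udp", "icmp" or "any"
    action: str                      # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


def rule(src: str, dst: str, proto: str = "any", sport: PortRange = ANY_PORT,
         dport: PortRange = ANY_PORT, action: str = "deny") -> Rule:
    return Rule(ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst),
                sport, dport, proto, action)


def matches(r: Rule, p: Packet) -> bool:
    """The rule as a predicate over one packet."""
    return (ipaddress.IPv4Address(p.src) in r.src
            and ipaddress.IPv4Address(p.dst) in r.dst
            and r.sport[0] <= p.sport <= r.sport[1]
            and r.dport[0] <= p.dport <= r.dport[1]
            and r.proto in ("any", p.proto))


def decide(acl: List[Rule], p: Packet, default: str = "deny") -> Tuple[str, Optional[int]]:
    """Policy enforcement: the first matching rule wins; fall through to default."""
    for i, r in enumerate(acl):
        if matches(r, p):
            return r.action, i
    return default, None


def covers(a: Rule, b: Rule) -> bool:
    """True when matches(b, p) implies matches(a, p) for every packet p,
    i.e. all of b's field ranges sit inside a's."""
    return (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.sport[0] <= b.sport[0] and b.sport[1] <= a.sport[1]
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1]
            and a.proto in ("any", b.proto))


def find_shadowed(acl: List[Rule]) -> List[Tuple[int, int, str]]:
    """Policy definition check: rule j shadowed by an earlier rule i never fires.
    Different actions make it a conflict (the later intent is silently lost);
    the same action makes it merely redundant."""
    findings = []
    for j, later in enumerate(acl):
        for i in range(j):
            if covers(acl[i], later):
                kind = "conflict" if acl[i].action != later.action else "redundant"
                findings.append((j, i, kind))
                break
    return findings


# Constructed ruleset: the intent was to keep the guest VLAN (192.168.1.0/24)
# and the lab subnet (10.1.0.0/16, UDP) away from the 10/8 server network,
# but the broad allow rules were written first.
ACL = [
    rule("0.0.0.0/0", "10.0.0.0/8", "tcp", dport=(443, 443), action="allow"),     # 0
    rule("192.168.1.0/24", "10.0.0.0/8", "tcp", dport=(443, 443), action="deny"),  # 1: shadowed by 0
    rule("10.0.0.0/8", "10.0.0.0/8", action="allow"),                             # 2
    rule("10.1.0.0/16", "10.0.0.0/8", "udp", action="deny"),                      # 3: shadowed by 2
    rule("0.0.0.0/0", "0.0.0.0/0", action="deny"),                                # 4: explicit default
]

if __name__ == "__main__":
    guest = Packet("192.168.1.5", "10.1.2.3", 51000, 443, "tcp")
    print("guest -> web tier:", decide(ACL, guest))        # allowed by rule 0; the deny is never seen
    for j, i, kind in find_shadowed(ACL):
        print(f"rule {j} is {kind}: shadowed by rule {i}")
```

Running `find_shadowed` before a ruleset is deployed catches exactly the ordering mistake the slide warns about; swapping each shadowed deny in front of the allow that covers it makes the findings list empty and the guest packet is rejected as intended.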




User level Access Control
•  Identity management describes the management of
   individual identities, their authentication, authorization, roles,
   and privileges
     o  Password managers, LDAP, etc.
•  OAuth allows users to share their private resources (e.g.
   photos, videos, contact lists) stored on one site with another
   site without having to hand out their credentials, typically
   supplying tokens instead of a username and password
     o  Complementary to OpenID
•  SAML, Security Assertion Markup Language, is an XML-based
   open standard for exchanging authentication and
   authorization data between security domains.
     o  Primarily to solve and standardize single sign-on
     o  Quite popular among identity-based solutions


Network Access Control
•  Firewalls, often touted as the first layer of defense in any
   organization's security design
•  First-generation firewalls were mere packet filters
   based on the five-tuple
•  Second-generation firewalls are stateful and do
   deep packet inspection
•  Third-generation firewalls are more "context-aware"




Confidentiality




Confidentiality is the concept of ensuring that data
is not made available or disclosed to unauthorized
people.
Integrity




Data integrity, in its broadest meaning, refers to the trustworthiness
of information over its entire life cycle.

Cryptography
•  Cryptography, simply stated, is the art of "secret
   writing"
•  Traditional cryptography has been used
   successfully for authentication, confidentiality and
   integrity
•  Confidentiality cannot be achieved without
   cryptography
    o  Exception: a technique called chaffing and winnowing was proposed, but
       it is not practically strong enough




Cryptography
•  The art of secret writing dates back thousands of years
•  Cryptography was chiefly concerned with linguistic and
   lexicographic patterns until the twentieth century
•  Now it makes extensive use of mathematics, including aspects of
   information theory, computational complexity, statistics,
   combinatorics, abstract algebra, number theory, and finite
   mathematics generally
•  And lately even quantum theory and chaos theory too!




Cryptanalysis
•  Myth: The Enigma was too complex to be broken
    o  ... as believed by the German military
•  Fact: The Enigma was broken almost daily for years during WWII




This particular work by Landon Curt Noll is Licensed under CC Attribution-Share Alike 3.0 Unported License      27
Cryptographic Engineering
•  Many implementation challenges
   o  Key management
   o  Pseudo Random Number Generators
   o  Side channel attacks
   o  Tamper proof hardware
   o  Verification techniques
   o  Protocol Analysis




Protocols
•      Secure Sockets Layer (SSL/TLS)
•      IPsec
•      VPNs
•      PGP
•      Many, many more; these are just a few




Caveats
•  Myth: The larger the key, the stronger the key
•  Fact: Key size is no guarantee of key strength
•  An early web browser with 128-bit SSL keys
     o  Key was generated by the random() pseudo-random number generator
     o  With only 4 billion different srandom() seeds, only 4 billion different SSL keys
        could ever be generated
     o  Only 32 bits of real protection
•  There are more important issues than size:
     o  Generating keys that cannot be guessed
     o  Securely storing keys
     o  How humans use a key
     o  How unattended machines use a key
     o  Lost key recovery
     o  Key life-cycle management
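The 32-bit-seed story above is a property anyone can reproduce in a few lines, so here is an added example (my own code, not Noll's and not the browser's actual generator): a key of any length drawn from a deterministic PRNG has no more possible values than the seed has, and an auditor can show this by walking a deliberately small seed space. The seed widths and keys below are constructed.

```python
"""Key length versus key strength: a 128-bit key from a PRNG with a
small seed has only as many possible values as there are seeds.
Added example for this deck; seeds and widths are constructed."""
import random
import secrets
from typing import Optional


def weak_session_key(seed: int, key_bits: int = 128) -> bytes:
    """Key from a deterministic, non-cryptographic PRNG: the seed fixes it entirely."""
    prng = random.Random(seed)
    return prng.getrandbits(key_bits).to_bytes(key_bits // 8, "big")


def strong_session_key(key_bits: int = 128) -> bytes:
    """Key from the OS entropy source; there is no seed to enumerate."""
    return secrets.token_bytes(key_bits // 8)


def effective_strength_bits(key_bits: int, seed_bits: int) -> int:
    """Trying every seed is enough, so the real strength is the smaller figure:
    128-bit keys from a 32-bit seed give 32 bits of protection."""
    return min(key_bits, seed_bits)


def audit_seed_space(key: bytes, seed_bits: int) -> Optional[int]:
    """Auditor's demonstration: walk the whole seed space and report the seed
    that regenerates `key`. Work is 2**seed_bits regardless of key length;
    seed_bits is kept small here so the demo finishes in milliseconds."""
    for seed in range(1 << seed_bits):
        if weak_session_key(seed, len(key) * 8) == key:
            return seed
    return None


if __name__ == "__main__":
    key = weak_session_key(0xBEE, 128)            # constructed 12-bit seed
    print("128-bit key:", key.hex())
    print("seed recovered by audit:", hex(audit_seed_space(key, 12)))
    print("effective bits, 128-bit key from 32-bit seed:", effective_strength_bits(128, 32))
    print("key from OS entropy:", strong_session_key().hex())
```

The cost of `audit_seed_space` grows with the seed width, never with `key_bits`; that is the whole of the slide's point, and the fix is to draw keys from a source with no seed to search, as `strong_session_key` does.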



 This particular work by Landon Curt Noll is Licensed under CC Attribution-Share Alike 3.0 Unported License   30
Caveats
•  Large key but weak key example: the US "nuclear
   football"
     o  The nuclear launch authorization code was long, but until 1976 the code was
        all 0's!!! Really!!!

•  Larger keys do not necessarily mean better
     o  Key size cannot overcome a predictable method of generating it
     o  A huge compromised key is much worse than a smaller well-managed
        key
     o  The cost of discovering the key must be higher than the value of the data
        being protected




 This particular work by Landon Curt Noll is Licensed under CC Attribution-Share Alike 3.0 Unported License   31
Applications
•      The entire web commerce infrastructure: SET, HTTPS
•      Virtual Private Networking
•      IPsec
•      Cryptography in wireless applications (mobile
       phone, WLANs, analysis of standards, etc.)
•      Cryptography for pervasive computing (RFID, sensor
       networks, smart devices, etc.)
•      FPGA design security
•      Hardware IP protection and anti-counterfeiting
•      Reconfigurable hardware for cryptography

Applications
•  Smart card processors, systems and applications
•  Security in commercial consumer applications (pay-
   TV, automotive, domotics, etc.)
•  Secure storage devices (memories, disks, etc.)
•  Technologies and hardware for content protection
•  Trusted computing platforms




Non Repudiation




Non Repudiation
•  A service that provides proof of the integrity and
   origin of data.
•  An authentication that with high assurance can be
   asserted to be genuine.
•  The entire Public Key Infrastructure is built for this




Availability (Non Denial of Service)




Denial of Service
•  A DoS attack can be perpetrated in a number of
   ways. The five basic types of attack are:
    o  Consumption of computational resources, such as
       bandwidth, disk space, or processor time.
    o  Disruption of configuration information, such as routing
       information.
    o  Disruption of state information, such as unsolicited resetting
       of TCP sessions.
    o  Disruption of physical network components.




Denial of Service
•  A DoS attack may include execution of malware
   intended to:
   o  Max out the processor's usage, preventing any work from
      occurring.
   o  Trigger errors in the microcode of the machine.
   o  Trigger errors in the sequencing of instructions, so as to
      force the computer into an unstable state or lock-up.
   o  Exploit errors in the operating system, causing resource
      starvation and/or thrashing, i.e. to use up all available
      facilities so no real work can be accomplished.
   o  Crash the operating system itself.
•  A few DoS attacks
   o  Smurf attack, ping flood, ping of death, SYN flood


Intrusion Prevention Systems
•  Network security appliances that monitor network and/or
   system activities for malicious activity
•  The first generation were Intrusion Detection Systems
•  Classification
    o    Network based
    o    Host based
    o    Wireless IPS
    o    Network Behavior Analysis
•  An IPS checks for malware, worm outbreaks and DDoS attacks
•  An IPS can also correct Cyclic Redundancy Check (CRC)
   errors, defragment packet streams, prevent TCP sequencing
   issues, and clean up unwanted transport and network layer
   options.


Intrusion Prevention Systems
•  Detection methods
   o  Signature-based detection
   o  Statistical anomaly detection
   o  Stateful protocol analysis
•  Other recent trends
   o  IP reputation
   o  Global correlation
•  Popular IPS (open source)
    o  Snort
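To make the signature and statistical methods concrete, the block below runs both over a constructed set of flow records. It is my own added example, not Snort's engine and not from the slides. The signatures encode two attack shapes named on the DoS slides, ping of death (an ICMP datagram reassembled to more than 65535 bytes) and smurf-style echo to a broadcast address; the anomaly check learns a per-source SYN-rate baseline from clean traffic and flags windows far above it. All records are constructed and the addresses come from the documentation ranges.

```python
"""Signature and statistical-anomaly detection over constructed flow records.
Added example for this deck; not Snort's logic. All traffic below is made up
and uses documentation address ranges."""
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    t: float        # seconds since capture start
    src: str
    dst: str
    proto: str      # "tcp" or "icmp"
    flags: str      # TCP flags such as "S", "SA", "A"; "" for ICMP
    length: int     # reassembled datagram length in bytes


# --- Signature method: fixed patterns of known-bad traffic -----------------
SIGNATURES: Dict[str, Callable[[Flow], bool]] = {
    # ping of death: an ICMP datagram larger than IP can legally carry
    "ping-of-death": lambda f: f.proto == "icmp" and f.length > 65535,
    # smurf: echo aimed at a directed-broadcast address. The ".255" test is a
    # simplification; a real sensor compares against the configured subnets.
    "smurf-broadcast-echo": lambda f: f.proto == "icmp" and f.dst.endswith(".255"),
}


def signature_alerts(flows: List[Flow]) -> List[Tuple[float, str, str]]:
    return [(f.t, f.src, name) for f in flows
            for name, hit in SIGNATURES.items() if hit(f)]


# --- Statistical anomaly: SYN count per source and window vs. a baseline ---
def syn_counts(flows: List[Flow], window: float = 1.0) -> Counter:
    """Count pure SYN segments per (window index, source)."""
    c: Counter = Counter()
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":
            c[(int(f.t // window), f.src)] += 1
    return c


def baseline(normal: List[Flow]) -> Tuple[float, float]:
    """Mean and population std-dev of per-source SYN counts in clean traffic."""
    counts = list(syn_counts(normal).values())
    return statistics.mean(counts), statistics.pstdev(counts)


def anomaly_alerts(flows: List[Flow], base: Tuple[float, float],
                   k: float = 3.0, floor: int = 10) -> List[Tuple[int, str, int]]:
    """Flag (window, source) whose SYN count exceeds mean + k*stddev. The
    floor stops a near-zero baseline from turning a handful of SYNs into alerts."""
    mean, sd = base
    threshold = max(floor, mean + k * sd)
    return [(w, src, n) for (w, src), n in syn_counts(flows).items() if n > threshold]


# Constructed traffic. NORMAL: a few clients each opening one or two
# connections per second. ATTACK: the same, plus a SYN burst from one host,
# an oversized ICMP datagram, and an echo to a broadcast address.
NORMAL = [Flow(t + 0.1 * i, f"10.0.0.{1 + i % 2}", "10.0.1.20", "tcp", "S", 60)
          for t in range(10) for i in range(t % 4 + 1)]
ATTACK = NORMAL + [
    Flow(12.0 + 0.02 * i, "203.0.113.7", "10.0.1.20", "tcp", "S", 60) for i in range(40)
] + [
    Flow(13.0, "198.51.100.9", "10.0.1.20", "icmp", "", 66000),
    Flow(13.5, "198.51.100.9", "192.0.2.255", "icmp", "", 84),
]

if __name__ == "__main__":
    base = baseline(NORMAL)
    print("baseline mean/sd:", base)
    print("signature alerts:", signature_alerts(ATTACK))
    print("anomaly alerts:  ", anomaly_alerts(ATTACK, base))
```

The two methods fail in opposite ways: a signature only fires on a shape someone has already written down, while the anomaly threshold depends entirely on how representative the baseline traffic was, which is why production sensors run both and tune `k` and `floor` per network.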

Security Principles
•  Security is an afterthought: the internet was built to share
   physics documents among researchers, not for social
   networking, commerce and everything else
•  Security by obscurity is disastrous
    o   Kerckhoffs's principle: a cryptosystem should be secure even if everything
        about the system, except the key, is public knowledge.
•  Security is as strong as its weakest link, and often that is the
   people.
•  There is no silver bullet
•  Security is a process rather than a product.
•  Defense in depth
•  Risk assessment, threat modeling and compliance can
   mitigate risk

Conclusions
•  A few things not yet covered
    o    Cloud security
    o    Threat modeling
    o    Popular Attacks
    o    Secure Development Life cycle
    o    Social Engineering
    o    Security Management
    o    Many Others ..




•  This talk is a work in progress, so it will be
   continually evolving; do come back to check for the
   latest revisions of the file

Contact
•  I can be reached at
    o  Krishna.sashank@iiitb.org
    o  http://www.linkedin.com/in/sashankdara



•  Note: parts of the work are taken from Landon Curt
   Noll, as mentioned in the footnotes wherever
   relevant.
    o  He can be reached at http://isthe.com/chongo/




This work is made available under Creative
Commons Attribution-Share Alike 3.0

Images courtesy : Google Images





 
Protein Structure - threading Protein modelling pptx
Protein Structure - threading Protein modelling pptxProtein Structure - threading Protein modelling pptx
Protein Structure - threading Protein modelling pptxvidhisharma994099
 
ARTICULAR DISC OF TEMPOROMANDIBULAR JOINT
ARTICULAR DISC OF TEMPOROMANDIBULAR JOINTARTICULAR DISC OF TEMPOROMANDIBULAR JOINT
ARTICULAR DISC OF TEMPOROMANDIBULAR JOINTDR. SNEHA NAIR
 
Education and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxEducation and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxraviapr7
 
The basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptxThe basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptxheathfieldcps1
 
How to Create a Toggle Button in Odoo 17
How to Create a Toggle Button in Odoo 17How to Create a Toggle Button in Odoo 17
How to Create a Toggle Button in Odoo 17Celine George
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxraviapr7
 
Department of Health Compounder Question ‍Solution 2022.pdf
Department of Health Compounder Question ‍Solution 2022.pdfDepartment of Health Compounder Question ‍Solution 2022.pdf
Department of Health Compounder Question ‍Solution 2022.pdfMohonDas
 
The Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsThe Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsEugene Lysak
 
How to Send Emails From Odoo 17 Using Code
How to Send Emails From Odoo 17 Using CodeHow to Send Emails From Odoo 17 Using Code
How to Send Emails From Odoo 17 Using CodeCeline George
 
Work Experience for psp3 portfolio sasha
Work Experience for psp3 portfolio sashaWork Experience for psp3 portfolio sasha
Work Experience for psp3 portfolio sashasashalaycock03
 
Optical Fibre and It's Applications.pptx
Optical Fibre and It's Applications.pptxOptical Fibre and It's Applications.pptx
Optical Fibre and It's Applications.pptxPurva Nikam
 
How to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesHow to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesCeline George
 

Kürzlich hochgeladen (20)

How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17
 
What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?
 
5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...
 
Prelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quizPrelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quiz
 
Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.
 
Protein Structure - threading Protein modelling pptx
Protein Structure - threading Protein modelling pptxProtein Structure - threading Protein modelling pptx
Protein Structure - threading Protein modelling pptx
 
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdfPersonal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
 
ARTICULAR DISC OF TEMPOROMANDIBULAR JOINT
ARTICULAR DISC OF TEMPOROMANDIBULAR JOINTARTICULAR DISC OF TEMPOROMANDIBULAR JOINT
ARTICULAR DISC OF TEMPOROMANDIBULAR JOINT
 
Education and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptxEducation and training program in the hospital APR.pptx
Education and training program in the hospital APR.pptx
 
The basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptxThe basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptx
 
Finals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quizFinals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quiz
 
How to Create a Toggle Button in Odoo 17
How to Create a Toggle Button in Odoo 17How to Create a Toggle Button in Odoo 17
How to Create a Toggle Button in Odoo 17
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptx
 
March 2024 Directors Meeting, Division of Student Affairs and Academic Support
March 2024 Directors Meeting, Division of Student Affairs and Academic SupportMarch 2024 Directors Meeting, Division of Student Affairs and Academic Support
March 2024 Directors Meeting, Division of Student Affairs and Academic Support
 
Department of Health Compounder Question ‍Solution 2022.pdf
Department of Health Compounder Question ‍Solution 2022.pdfDepartment of Health Compounder Question ‍Solution 2022.pdf
Department of Health Compounder Question ‍Solution 2022.pdf
 
The Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsThe Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George Wells
 
How to Send Emails From Odoo 17 Using Code
How to Send Emails From Odoo 17 Using CodeHow to Send Emails From Odoo 17 Using Code
How to Send Emails From Odoo 17 Using Code
 
Work Experience for psp3 portfolio sasha
Work Experience for psp3 portfolio sashaWork Experience for psp3 portfolio sasha
Work Experience for psp3 portfolio sasha
 
Optical Fibre and It's Applications.pptx
Optical Fibre and It's Applications.pptxOptical Fibre and It's Applications.pptx
Optical Fibre and It's Applications.pptx
 
How to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesHow to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 Sales
 

Computer Security science and engineering

  • 1. Security Science And Engineering
    Sashank Dara
    This work by Sashank Dara is licensed under CC Attribution-ShareAlike 3.0 Unported
  • 2. This talk is intended for Graduate or Undergraduate students as an attempt to motivate them into this exciting field of computer security. This talk is by no means complete, although it constantly evolves to be comprehensive.
  • 3. Science
  • 4. Engineering
  • 5. Flaws can be Disastrous
  • 6. Boundaries to breach
    Bumble bee aerodynamically cannot fly, what does this mean?
  • 7. Symbols and Interpretation
    •  Engineering application, Product
    •  Scientific Theory, Framework, Mathematical Model
    •  A flaw either in theory or in application that resulted in disaster
    •  Scope for breaching theoretical or practical boundaries
  • 8. Foundations
    •  Authentication
    •  Authorization
    •  Confidentiality
    •  Integrity
    •  Non Repudiation
    •  Availability (Non Denial of Service)
    Note: Any security application, appliance or research would be about achieving a combination of the above properties or their variants
  • 9. Authentication
    Less formally, this involves confirming the identity of a person or software program: "you are who you say you are"
  • 10. Factors and Identity
    •  Ownership factors, something the user has, say ID card, security token, phone etc.
    •  Knowledge factors, something the user knows, say password, passphrase, PIN, challenge response
    •  Inherence factors, something the user is or does, say fingerprint, DNA sequence, retinal scan, voice, facial recognition
    •  Two factor authentication is an approach to authentication which requires the presentation of "two or more" of the three authentication "factors"
  • 11. Applications
    •  Single sign-on, a user logs in once and gains access to all systems without being prompted to log in again at each of them
    •  OpenID, users may create accounts with their preferred OpenID identity providers, and then use those accounts as the basis for signing on to any website which accepts OpenID authentication
    •  Kerberos is a computer network authentication protocol which works on the basis of "tickets" to allow nodes to prove their identity to one another in a secure manner
    •  BrowserID is a decentralized identity system that makes it possible for users to prove ownership of email addresses in a secure manner, without requiring per-site passwords
    •  Two-factor authentication
  • 12. Caveats
    •  Security experts argue that it is impossible to prove the identity of a computer user with absolute certainty. Any given test can be spoofed one way or another, with varying degrees of difficulty. – Wikipedia
    •  Strong passwords are difficult to remember
    •  Fingerprinting has been successfully spoofed using glue and thumb impressions
    •  Facial recognition can be beaten using photographs!
    •  Voice can be easily mimicked!
    •  ID cards, phones, security tokens can be subjected to theft!
    •  The US Government defines strong authentication as a layered authentication approach relying on two or more authenticators to establish the identity of an originator or receiver of information
  • 13. Authorization
    Function of specifying access rights to resources. More formally, "to authorize" is to define access policy.
  • 14. Authorization
    •  For example, human resources staff are normally authorized to access employee records, and this policy is usually formalized as access control rules in a computer system
    •  During operation, the system uses the access control rules to decide whether access requests from (authenticated) consumers shall be approved (granted) or disapproved (rejected)
  • 15. Access Control
    Access Control includes Authentication, Authorization, Audit
  • 16. Two Steps
    •  Policy definition phase, where access is authorized
       o  This step is more of an Authorization phase
    •  Policy enforcement phase, where access requests are approved or disapproved
  • 17. Access Control Lists
    •  In short, a list of permissions attached to an object or a collection of objects
    •  File system ACLs: a data structure (usually a table) containing entries that specify individual user or group rights to specific system objects such as programs, processes, or files
    •  Network ACLs: a list of rules specifying the services that can be accessed by inbound and outbound traffic
       o  Firewalls predominantly are based on ACLs
       o  Famous five tuple (Source IP, Destination IP, Source port, Dest Port, action)
  • 18. Security Models
    •  Discretionary access control (DAC)
       o  Users (owners) have the ability to make policy decisions and/or assign security attributes
       o  Example is Unix file mode info represented by rwx bits
    •  Mandatory access control (MAC)
       o  Decision making authorities have the ability to make policy decisions and/or assign security attributes
       o  Users do not have the ability to make policy decisions
       o  Example is the SELinux framework
    •  Role based access control (RBAC)
       o  Combination of DAC and MAC, typically used in enterprises
  • 19. Security Models
    •  Context based access control
       o  Deep packet and stateful inspection of firewalls
    •  Capability based security
       o  A capability is a token, ticket, or key that gives the possessor permission to access an entity or object in a computer system
       o  In contrast, there are no ACLs!
    •  There are many other models
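The DAC and MAC models on slide 18 side by side, as an added example that is not part of the deck: the Unix rwx check that the owner controls, and a mandatory check on a lattice of (level, category-set) labels that the owner cannot loosen. The level names, the Bell-LaPadula style read/write rules and the sample users and files are assumptions made for the illustration; root's override of DAC is not modelled.

```python
from dataclasses import dataclass
from typing import FrozenSet

# ---- Discretionary access control: the Unix rwx bits from slide 18 ----
# The file's owner picks the mode; the kernel only enforces that choice.
# (Simplification: root's CAP_DAC_OVERRIDE bypass is not modelled.)

@dataclass(frozen=True)
class Subject:
    uid: int
    gids: FrozenSet[int]

@dataclass(frozen=True)
class Inode:
    owner_uid: int
    group_gid: int
    mode: int  # permission bits, e.g. 0o640

_OP_BIT = {"read": 4, "write": 2, "execute": 1}

def dac_allows(subject: Subject, inode: Inode, op: str) -> bool:
    """Pick exactly one rwx triple, owner > group > other, and test the bit.
    As in the kernel, an owner is judged only by the owner triple, even when the
    group triple would be more permissive."""
    if subject.uid == inode.owner_uid:
        triple = (inode.mode >> 6) & 0o7
    elif inode.group_gid in subject.gids:
        triple = (inode.mode >> 3) & 0o7
    else:
        triple = inode.mode & 0o7
    return bool(triple & _OP_BIT[op])

# ---- Mandatory access control: labels on a lattice ----
# Levels are totally ordered; category sets are ordered by inclusion. Together they
# form a lattice in which some labels are incomparable, which is what makes
# "need to know" compartments work. Level names are constructed for the demo.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND categories a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def mac_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula style confidentiality rules on the lattice:
    read  -> subject label must dominate the object's  (no read up)
    write -> object label must dominate the subject's  (no write down)"""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unsupported operation: {op}")

def access_allowed(subject: Subject, subject_label: Label,
                   inode: Inode, inode_label: Label, op: str) -> bool:
    """Layered decision (the SELinux-on-Unix arrangement): the mandatory policy is
    checked first and cannot be relaxed by the owner; DAC can only narrow further."""
    return mac_allows(subject_label, inode_label, op) and dac_allows(subject, inode, op)

if __name__ == "__main__":
    # Constructed sample subjects, file and labels (not from the deck).
    alice = Subject(uid=1000, gids=frozenset({100}))
    bob = Subject(uid=1001, gids=frozenset({100}))
    report = Inode(owner_uid=1000, group_gid=100, mode=0o640)
    secret_crypto = Label("secret", frozenset({"crypto"}))
    secret_nuclear = Label("secret", frozenset({"nuclear"}))
    print("bob reads report (DAC):", dac_allows(bob, report, "read"))    # True
    print("bob writes report (DAC):", dac_allows(bob, report, "write"))  # False
    # Same level, different compartments: neither label dominates the other.
    print("crypto reads nuclear (MAC):", mac_allows(secret_crypto, secret_nuclear, "read"))  # False
    # Owner bits are generous, but the mandatory check vetoes the write-down first.
    print("alice writes down:", access_allowed(alice, secret_crypto, report,
                                               Label("confidential"), "write"))  # False
```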
  • 20. Mathematical Models
    •  Conflicts in access control lists can open up security holes!
       o  Often misconfiguration of firewalls has resulted in disasters!
    •  Can we mathematically model access control lists?
       o  Boolean logic
       o  Lattice based access control models
    •  Can we prove they are formally correct and complete?
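The five-tuple network ACL of slide 17 and the rule conflicts of slide 20 made concrete, as an added example that is not part of the deck: a first-match evaluator plus a pairwise check that reports rules which are shadowed, redundant or order-dependent. The containment/overlap definitions and the sample ruleset are constructed for this illustration (the page's five tuple has no protocol field, so none is modelled).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

PortRange = Tuple[int, int]
ANY_PORT: PortRange = (0, 65535)

@dataclass(frozen=True)
class Rule:
    """One entry of the five tuple from slide 17 (source, destination, ports, action).
    Networks are CIDR; ports are inclusive ranges."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: PortRange
    dport: PortRange
    action: str  # "permit" or "deny"

def rule(src: str, dst: str, sport: PortRange, dport: PortRange, action: str) -> Rule:
    return Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst), sport, dport, action)

def _within(port: int, r: PortRange) -> bool:
    return r[0] <= port <= r[1]

def _subrange(a: PortRange, b: PortRange) -> bool:  # a entirely inside b
    return b[0] <= a[0] and a[1] <= b[1]

def _ranges_overlap(a: PortRange, b: PortRange) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]

def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, sport: int, dport: int,
             default: str = "deny") -> str:
    """First-match semantics, as in most packet-filter firewalls: the first rule
    whose fields all match decides; a packet matching nothing falls to the default."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in acl:
        if s in r.src and d in r.dst and _within(sport, r.sport) and _within(dport, r.dport):
            return r.action
    return default

def _covers(a: Rule, b: Rule) -> bool:
    """Every packet that matches b also matches a (field-by-field containment)."""
    return (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and _subrange(b.sport, a.sport) and _subrange(b.dport, a.dport))

def _overlaps(a: Rule, b: Rule) -> bool:
    """Some packet matches both a and b."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and _ranges_overlap(a.sport, b.sport) and _ranges_overlap(a.dport, b.dport))

def find_anomalies(acl: List[Rule]) -> List[Tuple[str, int, int]]:
    """Check each rule against every earlier rule. Returns (kind, i, j):
      shadowed   - rule j can never fire, and earlier rule i decides the opposite
      redundant  - rule j can never fire, earlier rule i already gives the same answer
      correlated - i and j partly overlap with opposite actions, so the outcome for
                   the shared packets depends purely on ordering (worth a review)
    A later rule broader than an earlier opposite one (a specific exception placed
    before the general rule) is the normal pattern and is not reported."""
    findings = []
    for j, later in enumerate(acl):
        for i in range(j):
            earlier = acl[i]
            if _covers(earlier, later):
                kind = "shadowed" if earlier.action != later.action else "redundant"
                findings.append((kind, i, j))
            elif (_overlaps(earlier, later) and earlier.action != later.action
                  and not _covers(later, earlier)):
                findings.append(("correlated", i, j))
    return findings

# Constructed sample ruleset (not from the deck). Rule 1 was meant to keep one
# subnet off the HTTPS server, but the broad permit above it means it never fires.
SAMPLE_ACL = [
    rule("10.0.0.0/8",  "192.0.2.10/32", ANY_PORT, (443, 443), "permit"),  # 0
    rule("10.1.0.0/16", "192.0.2.10/32", ANY_PORT, (443, 443), "deny"),    # 1 shadowed by 0
    rule("10.0.0.0/8",  "192.0.2.0/24",  ANY_PORT, (22, 22),   "permit"),  # 2
    rule("10.2.0.0/16", "192.0.2.0/24",  ANY_PORT, ANY_PORT,   "deny"),    # 3 overlaps 0 and 2
    rule("10.1.5.0/24", "192.0.2.10/32", ANY_PORT, (443, 443), "permit"),  # 4 redundant with 0
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, "10.1.2.3", "192.0.2.10", 50000, 443))  # permit: the hole
    for kind, i, j in find_anomalies(SAMPLE_ACL):
        print(f"{kind}: rule {j} vs earlier rule {i}")
```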
  • 21. User level Access Control
    •  Identity management describes the management of individual identities, their authentication, authorization, roles, and privileges
       o  Password managers, LDAP, etc.
    •  OAuth allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their credentials, typically supplying username and password tokens instead
       o  Complementary to OpenID
    •  SAML, Security Assertion Markup Language, is an XML-based open standard for exchanging authentication and authorization data between security domains
       o  Primarily to solve and standardize single sign-on
       o  Quite popular among identity based solutions
  • 22. Network Access Control
    •  Firewalls, often touted as the first layer of defense in any organization's security design
    •  First generation firewalls were mere packet filters based on the five tuple
    •  Second generation firewalls are stateful and do deep packet inspection
    •  Third generation firewalls are more "context-aware"
  • 23. Confidentiality
    Confidentiality is the concept of ensuring that data is not made available or disclosed to unauthorized people.
  • 24. Integrity
    Data integrity in its broadest meaning refers to the trustworthiness of information over its entire life cycle
  • 25. Cryptography
    •  Cryptography, simply stated, is the art of "secret writing"
    •  Traditional cryptography has been used successfully for authentication, confidentiality, integrity
    •  Confidentiality cannot be achieved without cryptography
       o  Exception: a technique called chaffing and winnowing was proposed, but that is not practically strong enough
  • 26. Cryptography
    •  The art of secret writing dates back thousands of years
    •  Cryptography was chiefly concerned with linguistic and lexicographic patterns until the twentieth century
    •  Now extensive use of mathematics, including aspects of information theory, computational complexity, statistics, combinatorics, abstract algebra, number theory, and finite mathematics generally
    •  And lately even quantum theory and chaos theory too!
  • 27. Cryptanalysis
    •  Myth: The Enigma was too complex to be broken ... as believed by the German military
    •  Fact: The Enigma was broken almost daily for years during WWII
    This particular work by Landon Curt Noll is licensed under CC Attribution-Share Alike 3.0 Unported License
  • 28. Cryptographic Engg
    •  Many implementation challenges
       o  Key management
       o  Pseudo random number generators
       o  Side channel attacks
       o  Tamper proof hardware
       o  Verification techniques
       o  Protocol analysis
  • 29. Protocols
    •  Secure Sockets Layer (SSL/TLS)
    •  IPsec
    •  VPNs
    •  PGP
    •  Many, many more, to name a few
  • 30. Caveats
    •  Myth: The larger the key, the stronger the key
    •  Fact: Key size is no guarantee of key strength
    •  An early web browser with 128-bit SSL keys
       o  Key was generated by the random() pseudo-random number generator
       o  With only 4 billion different srandom() seeds, only 4 billion different SSL keys could ever be generated
       o  Only 32 bits of real protection
    •  There are more important issues than size:
       o  Generating keys that cannot be guessed
       o  Securely storing keys
       o  How humans use a key
       o  How unattended machines use a key
       o  Lost key recovery
       o  Key life-cycle management
    This particular work by Landon Curt Noll is licensed under CC Attribution-Share Alike 3.0 Unported License
  • 31. Caveats
    •  Large key but weak key example: the US "nuclear football"
       o  Nuclear launch authorization code was long, but until 1976 the code was all 0's!!! Really!!!
    •  Larger keys do not necessarily mean better
       o  Key size cannot overcome a predictable method of generating it
       o  A huge compromised key is much worse than a smaller well-managed key
       o  The cost of discovering the key must be higher than the value of the data being protected
    This particular work by Landon Curt Noll is licensed under CC Attribution-Share Alike 3.0 Unported License
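The browser key flaw of slide 30 and the cost rule of slide 31, re-created as an added example that is not part of the deck or of Landon Curt Noll's material: a "128-bit" key that is a pure function of a small PRNG seed beside the CSPRNG version, with the key space counted directly. Python's Mersenne Twister stands in for the browser's random(), the seed widths are shrunk so the enumeration finishes instantly, and the per-guess cost and data value in the demo are constructed figures.

```python
import random
import secrets

KEY_BITS = 128

def weak_key(seed: int) -> bytes:
    """The flaw from slide 30, re-created: a 128-bit key whose only randomness is the
    PRNG seed (Mersenne Twister here stands in for the browser's random()). The key
    is a deterministic function of the seed, so there are never more keys than seeds."""
    return random.Random(seed).getrandbits(KEY_BITS).to_bytes(KEY_BITS // 8, "big")

def strong_key() -> bytes:
    """The fix: draw key material from the OS CSPRNG, which is what a TLS stack must do."""
    return secrets.token_bytes(KEY_BITS // 8)

def effective_key_bits(seed_bits: int, key_bits: int = KEY_BITS) -> int:
    """A deterministic generator seeded with seed_bits can emit at most 2**seed_bits
    distinct keys, so the real strength is min(seed_bits, key_bits): 32 for the
    browser on the slide, however long the key looks on the wire."""
    return min(seed_bits, key_bits)

def count_distinct_keys(seed_bits: int) -> int:
    """Enumerate every seed of the given width and count the distinct keys produced.
    Keep seed_bits small (12 to 16) so this runs in well under a second; the count
    never exceeds 2**seed_bits no matter how wide KEY_BITS is."""
    return len({weak_key(s) for s in range(1 << seed_bits)})

def key_strength_sufficient(cost_per_guess: float, effective_bits: int,
                            data_value: float) -> bool:
    """Slide 31's rule of thumb: the expected cost of exhausting the key space (on
    average half of it) must exceed the value of the data the key protects."""
    expected_search_cost = cost_per_guess * 2 ** (effective_bits - 1)
    return expected_search_cost > data_value

if __name__ == "__main__":
    print("effective bits with a 32-bit seed:", effective_key_bits(32))        # 32
    print("distinct keys from all 12-bit seeds:", count_distinct_keys(12))    # 4096
    print("same seed gives the same key:", weak_key(7) == weak_key(7))        # True
    print("CSPRNG keys differ:", strong_key() != strong_key())                # True
    # Constructed figures: a nanodollar per guess on rented hardware, data worth a
    # million. A 32-bit effective key fails the rule; a true 128-bit key passes.
    print(key_strength_sufficient(1e-9, 32, 1e6), key_strength_sufficient(1e-9, 128, 1e6))
```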
  • 32. Applications
    •  Entire web commerce infrastructure: SETS, HTTPS
    •  Virtual private networking
    •  IPsec
    •  Cryptography in wireless applications (mobile phones, WLANs, analysis of standards, etc.)
    •  Cryptography for pervasive computing (RFID, sensor networks, smart devices, etc.)
    •  FPGA design security
    •  Hardware IP protection and anti-counterfeiting
    •  Reconfigurable hardware for cryptography
  • 33. Applications
    •  Smart card processors, systems and applications
    •  Security in commercial consumer applications (pay-TV, automotive, domotics, etc.)
    •  Secure storage devices (memories, disks, etc.)
    •  Technologies and hardware for content protection
    •  Trusted computing platforms
  • 34. Non Repudiation
  • 35. Non Repudiation
    •  A service that provides proof of the integrity and origin of data
    •  An authentication that with high assurance can be asserted to be genuine
    •  The entire Public Key Infrastructure is built for this
  • 36. Availability (Non Denial of Service)
  • 37. Denial of Service
    •  A DoS attack can be perpetrated in a number of ways. The five basic types of attack are:
       o  Consumption of computational resources, such as bandwidth, disk space, or processor time
       o  Disruption of configuration information, such as routing information
       o  Disruption of state information, such as unsolicited resetting of TCP sessions
       o  Disruption of physical network components
  • 38. Denial of Service
    •  A DoS attack may include execution of malware intended to:
       o  Max out the processor's usage, preventing any work from occurring
       o  Trigger errors in the microcode of the machine
       o  Trigger errors in the sequencing of instructions, so as to force the computer into an unstable state or lock-up
       o  Exploit errors in the operating system, causing resource starvation and/or thrashing, i.e. use up all available facilities so no real work can be accomplished
       o  Crash the operating system itself
    •  A few DoS attacks
       o  Smurf attack, Ping flood, Ping of death, SYN flood
  • 39. Intrusion Prevention Systems
    •  Are network security appliances that monitor network and/or system activities for malicious activity
    •  First generation were Intrusion Detection Systems
    •  Classification
       o  Network based
       o  Host based
       o  Wireless IPS
       o  Network behavior analysis
    •  IPS checks for malware, worm outbreaks, DDoS attacks
    •  An IPS can also correct Cyclic Redundancy Check (CRC) errors, unfragment packet streams, prevent TCP sequencing issues, and clean up unwanted transport and network layer options
  • 40. Intrusion Prevention Systems
    •  Detection methods
       o  Signature methods
       o  Statistical anomaly detection
       o  Stateful protocol analysis detection
    •  Other recent trends
       o  IP reputation
       o  Global correlation
    •  Popular IPS (open source)
       o  Snort
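The three detection methods of slide 40 applied to the attacks named on slide 38, as an added example that is not part of the deck: signature matches for ping of death and smurf, and a stateful handshake tracker with a statistical threshold for SYN floods, run over a constructed packet capture. The protected network, the window and threshold values, and the traffic itself are all assumptions made for the illustration, not tuned production settings.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed assumption: the protected network; its directed-broadcast address is
# the destination a smurf attack would abuse as an amplifier.
PROTECTED_NET = ipaddress.ip_network("192.0.2.0/24")
MAX_IP_DATAGRAM = 65535

@dataclass(frozen=True)
class Packet:
    t: float                       # seconds since capture start
    src: str
    dst: str
    proto: str                     # "tcp" or "icmp"
    flags: str = ""                # TCP flags as letters: "S" = SYN, "A" = ACK
    length: int = 0                # reassembled IP datagram length
    icmp_type: Optional[int] = None

# --- Signature detection: fixed patterns for two of the attacks on slide 38 ---
def signature_match(p: Packet) -> Optional[str]:
    if p.proto == "icmp" and p.length > MAX_IP_DATAGRAM:
        return f"ping-of-death from {p.src}"  # reassembled datagram exceeds the legal size
    if (p.proto == "icmp" and p.icmp_type == 8
            and ipaddress.ip_address(p.dst) == PROTECTED_NET.broadcast_address):
        return f"smurf amplification attempt from {p.src}"  # echo request to broadcast
    return None

# --- Stateful protocol analysis plus a statistical threshold: SYN flood ---
class SynFloodDetector:
    """Track TCP handshakes per destination. A SYN opens an entry, the client's ACK
    closes it; if more than `threshold` entries opened inside `window` seconds are
    still waiting for their ACK, alert once for that destination."""

    def __init__(self, window: float = 1.0, threshold: int = 50):
        self.window = window
        self.threshold = threshold
        self.half_open: Dict[str, Dict[str, float]] = defaultdict(dict)  # dst -> {src: t_syn}
        self.alerted = set()

    def observe(self, p: Packet) -> Optional[str]:
        if p.proto != "tcp":
            return None
        table = self.half_open[p.dst]
        if p.flags == "S":
            table[p.src] = p.t          # handshake opened
        elif p.flags == "A":
            table.pop(p.src, None)      # handshake completed
        cutoff = p.t - self.window      # expire entries older than the window
        for src in [s for s, t0 in table.items() if t0 < cutoff]:
            del table[src]
        if len(table) > self.threshold and p.dst not in self.alerted:
            self.alerted.add(p.dst)
            return f"SYN flood suspected against {p.dst}: {len(table)} half-open in {self.window}s"
        return None

def run_detectors(packets: List[Packet]) -> List[str]:
    """Feed packets in capture order through both engines; return every alert raised."""
    syn = SynFloodDetector()
    alerts = []
    for p in packets:
        for hit in (signature_match(p), syn.observe(p)):
            if hit:
                alerts.append(hit)
    return alerts

def sample_capture(flood: bool) -> List[Packet]:
    """Constructed traffic: five clients complete their handshakes; with flood=True,
    80 spoofed sources then send lone SYNs within 0.4 s, followed by one packet for
    each signature (an oversized ping and an echo request to the broadcast address)."""
    pkts = []
    for i in range(5):
        pkts.append(Packet(0.1 * i, f"198.51.100.{i}", "192.0.2.10", "tcp", "S"))
        pkts.append(Packet(0.1 * i + 0.05, f"198.51.100.{i}", "192.0.2.10", "tcp", "A"))
    if flood:
        for i in range(80):
            pkts.append(Packet(1.0 + i * 0.005, f"203.0.113.{i}", "192.0.2.10", "tcp", "S"))
        pkts.append(Packet(2.0, "203.0.113.200", "192.0.2.10", "icmp", length=65600, icmp_type=8))
        pkts.append(Packet(2.1, "203.0.113.201", "192.0.2.255", "icmp", length=84, icmp_type=8))
    return pkts
```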
  • 41. Security Principles
    •  Security is an afterthought: the internet was built to share physics documents among researchers, not for social networking, commerce and everything else
    •  Security by obscurity is disastrous
       o  Kerckhoffs's principle: a cryptosystem should be secure even if everything about the system, except the key, is public knowledge
    •  Security is as strong as its weakest link, and often it's the people
    •  There is no silver bullet
    •  Security is a process rather than a product
    •  Defense in depth
    •  Risk assessment, threat modeling, compliance can mitigate
  • 42. Conclusions
    •  A few things not yet covered
       o  Cloud security
       o  Threat modeling
       o  Popular attacks
       o  Secure development life cycle
       o  Social engineering
       o  Security management
       o  Many others ...
    •  This talk is a work in progress, so it will be continually evolving; do come back to check for the latest revisions of the file
  • 43. Contact
    •  I can be reached at
       o  Krishna.sashank@iiitb.org
       o  http://www.linkedin.com/in/sashankdara
    •  Note: Parts of the work are taken from Landon Curt Noll as mentioned in the footnotes wherever relevant
       o  He can be reached at http://isthe.com/chongo/
  • 44. This work is made available under Creative Commons Attribution-Share Alike 3.0. Images courtesy: Google Images