SlideShare ist ein Scribd-Unternehmen logo

Computer & Data Security

Frederik Questier
Frederik Questier

F. Questier, Computer & Data Security, presented at Arba Minch University, Ethiopia, March 2019.

Technologie
1 von 123
Downloaden Sie, um offline zu lesen
Computer & Data Security Prof. dr. Frederik Questier - Vrije Universiteit Brussel Presented at: Arba Minch University, Ethiopia, 03/2019
Main objectives of computer security ➢ Confidentiality ➢ of data (secrecy) ➢ of persons (privacy) ➢ access only by authorized parties ➢ Integrity ➢ data only correctly modified or deleted by authorized parties ➢ Availability ➢ correctly accessible in a timely manner ➢ the failure to meet this goal is called a denial of service
Assignment Risk analysis Congratulations! You are elected member of the newly established computer and data security team in the university. Make a list of all possible risks that can have an impact on the security and stability of your internal and external IT services.
What can go wrong? Nature ➢ lightning strike ➢ fire ➢ flood ➢ heat wave – cold wave ➢ storm weather, hurricane ➢ earthquake ➢ tsunami ➢ volcano eruption ➢ electro magnetic pulse from the sun ➢ disease of key employees
What can go wrong? Infrastructure or services problems ➢ Failure of ➢ software (bugs; license expired, ...) ➢ hardware ➢ electricity ➢ power outage or power surge ➢ network (cable cut – saturation) ➢ airconditioning ➢ water pipes –> leak ➢ system upgrades ➢ service providers (e.g. cloud) ➢ Overload of CPU, memory, storage, network (spam)
What can go wrong? Human errors ➢ Weak security ➢ Loss of laptops, smartphones, USB-sticks, … ➢ No encryption ➢ Passwords leaks or cracks ➢ Computer console left unlocked ➢ Misunderstanding computer interface or other mistakes ➢ Deleting data ➢ Corrupting data ➢ Confiscation of machines
What can go wrong? Evil actions by people ➢ break in (hackers - crackers) ➢ social engineering ➢ phishing ➢ (identity) theft ➢ vandalism ➢ unhappy employees ➢ sabotage (time bomb), leaks ➢ cyber attack, e.g. (Distributed) Denial of Service ➢ terrorism ➢ war ➢ nuclear bomb
What can go wrong? Malware (malicious software) ➢ Botnet ➢ Rootkit ➢ Back door ➢ Spyware ➢ keylogger ➢ network sniffer ➢ Dialer ➢ Ransomware
Business continuity planning = how to stay in business in the event of disaster? ➢ Disaster recovery ● Preventive measures ● Detective measures ● Corrective measures
Threat modeling 1) What do you want to protect? 2) Who/what do you want to protect it from? 3) How likely is it that you will need to protect it? 4) How bad are the consequences if you fail? 5) How much trouble are you willing to go through in order to try to prevent those?
Tools for computer security
Tools for confidentiality ➢ Authorization - access policies - access control ➢ Authentication – identification ➢ Passwords ➢ … ➢ Encryption ➢ Virtual private networking ➢ Auditing – logging ➢ ...
Tools for integrity ➢ Backups ➢ Checksums ➢ ...
Tools for availability ➢ Disaster recovery planning ➢ Physical protections ➢ Anti-theft ➢ Uninterruptible Power Supply ➢ Redundancies ➢ Intrusion-detection systems ➢ Antivirus software ➢ Firewall ➢ ...
TOOLS FOR CONFIDENTIALITY
Passwords ➢ Don't share them ➢ Not even with computer administrators ➢ Don't write them down ➢ Don't reuse them among different sites ➢ Change them often ➢ Select wise: ➢ Easy to remember ➢ Hard to guess (resistant to dictionary attacks) ➢ Password length ➢ Large set of characters (caps, lower case, numbers, symbols)
Some notorious password leaks ➢ 2016: 500M Yahoo passwords ➢ 2015: 30M Ashley Madison MD5 passwords etc ➢ 2014: 5M Gmail passwords ➢ 2013: 38M Adobe passwords (and source code) ➢ 2013: 250K Twitter passwords ➢ 2012: 12M Apple User IDs stolen by FBI, 1M leaked ➢ 2012: 6M LinkedIn passwords ➢ 2012: 450K plain text Yahoo passwords ➢ 2012: 1.5M plain text Youporn passwords ➢ 2009: 10K MS Hotmail, MSN and Live passwords
Johannes Weber, http://blog.webernetz.net/2013/07/30/password-strengthentropy-characters-vs-words/
Passphrases are more secure than passwords
Biometric identification ➢ Finger print ➢ Voice print ➢ Iris scan ➢ Retinal scan ➢ Convenient ➢ Relative safe ➢ But...
Danger of biometric identification?
Danger of biometric identification? ➢ You can't change your biometric password once it got leaked ➢ You can't legally refuse to give it, unlike a password (US fifth amendment) ➢ Something like a fingerprint might be unusable as a password, because you leave copies of your fingerprints on everything you touch. ➢ Fingerprint is more like a login than like a password.
Lock your screen when you leave
Security issues in communication PrivacyPrivacy IntegrityIntegrity AuthenticationAuthentication Non-repudiationNon-repudiation Interception Spoofing Modification Proof of parties involved
Cryptography = secret writing
Cipher algorithm for performing encryption or decryption ➢ Example: Caesar cipher
Great if we can exchange our messages encrypted! But how can we safely exchange our keys?
Symmetric encryption Sender and receiver must both know the same secret key How to exchange that key over distance??? Asymmetric encryption Sender only needs to know the public key of receiver!
Public key encryption The private key can unlock (decrypt) what is locked (encrypted) with the public key
Public key encryption Creation of keys
Man-in-the-middle attack ➢ How can Bob know that Alice's key is really Alice's key (and not Mallory's)?
Digital certificates Version # Serial # Signature Algorithm Issuer Name Validity Period Subject Name Subject Public Key Issuer Unique ID Subject Unique ID Extensions Digital Signature
HTTPS SSL exchange
➢ CAcert.org is a community-driven certificate authority that issues free public key certificates to the public (unlike other certificate authorities which are commercial and sell certificates). ➢ CAcert has over 200,000 verified users. ➢ These certificates can be used to digitally sign and encrypt email, authenticate and authorize users connecting to websites and secure data transmission over the Internet.
Web of trust Keysigning parties
Belgian eID contains personal authentication certificate signature certificate Two factor auth: possession of eID and knowledge of pin code
Private keys never leave eID! Signatures are computed in eID on hash of file-to-be-signed (SHA-1 = Secure Hash Algorithm)
Error detection - Checksum - cryptographic hash e.g. CRC32 (cyclic redundancy check) MD5 (message digest) SHA-3 (Secure Hash Algorithm)
Belgian electronic medical prescriptions are based on the e-ID ➢ Doctor is identified with e-ID ➢ Patient is identified with e-ID ➢ Doctor signs the prescription with e-ID ➢ Prescription is stored in national Recip-e database. ➢ Patient can consult prescriptions in patient portal with e-ID ➢ Pharmacist is identified with e-ID ➢ Pharmacist finds the prescription in the Recip-e database with barcode on the paper version of the prescription.
➢ Encrypted protocols ➢ HTTPS ➢ SFTP ➢ SSH ➢ TOR ➢ VPN ➢ WEP (Wired Equivalent Protocol. Weak!) ➢ WPA - WPA2 Wi-Fi Protected Access ➢ Non-encrypted protocols ➢ HTTP ➢ FTP ➢ TELNET ➢ BitTorrent
Telegram and Signal ➢ Free Open Source software ➢ End to end encryption ➢ Delete messages everywhere ➢ Self-destruct timer for messages ➢ VOIP ➢ User friendly ➢ For Android, iOS, …
Full disk encryption
Virtual drive in file container Encrypted file container.txt Mountable as virtual drive /media/encrypted-disk /Volumes/encrypted-disk E:
Android encryption
Virtual Private Networks extends a private (hospital) network across a public (internet) network encrypted to protect against network sniffing
Internet use through a VPN provider Sarah A. Downey, http://www.abine.com/blog/2012/petraeuss-emails-werent-private-and-neither-are-yours/
(Free) VPNs? ➢ VPNs good for ➢ protection against nearby spying and MITM attack ➢ avoiding geoblocking ➢ But you need to trust your VPN provider ➢ The free VPNs might have a business model based on spying on you. ➢ Don’t install their proprietary apps ➢ The good VPN providers support OpenVPN ➢ Best to install e.g. OpenVPN on your own server.
Firewall Private versus Demilitarized zone
Private browsing
Task: check http://donttrack.us/
= The Onion Router Free Open Source software for anonymity network
Edward Snowden: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”
➢ From the European Parliament investigation into the Echelon system (05/18/2001): “If security is to be taken seriously, only those operating systems should be used whose source code has been published and checked, since only then can it be determined with certainty what happens to the data.”
➢ Cryptographer, computer security expert Bruce Schneier: “Secrecy and security aren't the same, even though it may seem that way. Only bad security relies on secrecy; good security works even if all the details of it are public." “If researchers don’t go public, things don’t get fixed. Companies don't see it as a security problem; they see it as a PR problem.” “Demand open source code for anything related to security”
The Borland Interbase example ➢ 1992-1994: Borland inserted intentional back door into Interbase (closed source database server) allowing local or remote users root access to the machine ➢ 07/2000: Borland releases source code (→ Firebird) ➢ 12/2000: Back door is discovered
Your opinion?
“Our products just aren’t engineered for security.” Brian Valentine, Microsoft senior vice-president Windows Engineering, 2002
Be aware of phishing attacks
TOOLS FOR INTEGRITY
Backups How would you optimize this backup strategy? ➢ Every night at 4 am, all university computers get a wake up signal. ➢ The backup server takes over network a complete backup of every hard disk of every computer. ➢ The backups are stored on a NAS (Network Attached Storage) with 1000 hard disks. ➢ The backup server and the NAS are located in the data center of the university (floor level -1). ➢ To save storage space, backups older than a year are deleted.
Backup Example: centralized over network
Backups ➢ First time and sometimes: full backup ➢ Most often: only incremental backup ➢ Use a good data retention scheme ➢ e.g. 7 daily, 4 weekly, 12 monthly, all yearly backups ➢ + Use off-site data protection = vaulting ➢ e.g. remote backup (compression, encryption!) ➢ Use offline backups as protection against ransomware ➢ Reflect about your time for full restore ➢ Test the restore procedure! ➢ “80% of backups fail to restore”
(Cheap) versioning For important documents save daily new version as: thesis20190307.odt This avoids overwriting backups with corrupt data See also https://en.wikipedia.org/wiki/ISO_8601
Integrity checkers ➢ Tripwire ➢ Samhain
TOOLS FOR AVAILABILITY
Uninterruptible Power Supply UPS 1)Flywheel 2)Diesel generators 3)Batteries (UPS)
Your toilets are better locked than your electrical switches
DDoS Distributed Denial of Service
fault tolerance high availability redundancy fail over
RAID: Redundant Array of Independent Disks
Install software from trusted sources! (avoid if possible P2P or web downloads)
Apply software updates and upgrades!
If you don’t apply security fixes fast enough... ➢ Microsoft ➢ Patch Tuesday ➢ Exploit Wednesday
Principle of least privilege Avoid privilege escalation
Intrusion Detection Systems (IDS) ➢ Fail2ban ➢ Snort ➢ real-time traffic analysis and packet logging ➢ detect probes or attacks ➢ Samhain ➢ Complete integrity check ➢ uses cryptographic checksums of files to detect modifications, ➢ can find rogue SUID executables anywhere on disk ➢ Centralized monitoring ➢ native support for logging to a central server via encrypted and authenticated connections ➢ Tamper resistance ➢ database and configuration files can be signed ➢ log file entries and e-mail reports are signed ➢ support for stealth operation ➢ Honey pots ➢ ...
Subscribe to security mailing lists of the critical software you are using
Assignments ➢ Make a risk analysis and threat modeling of the computer and data systems at your organization. What are the weakest and most unsecure parts? ➢ Risk ... probability * potential impact = total risk level ➢ Which actions will you take to increase the security at your organization? ➢ Why are some operating systems more secure than others? ➢ Compare the security characteristics of the Linux operating system and Windows
Windows versus Linux security ➢ Windows origin ➢ QDOS (Quick and Dirty Operating System, 1980) ➢ To fit in small 8086 Personal Computer all existing concepts of security, network, multi-user, … where omitted. ➢ 86-DOS ➢ MSDOS ➢ Windows ➢ Linux (1991) ➢ Modeled according to UNIX, with security, network and multi-user concepts implemented from the beginning.
Windows versus Linux security ➢ Windows and its software ➢ Source code mostly secret ➢ Cannot be audited ➢ Microsoft’s self-inflicted curse of binary compatibility: ➢ Major design improvements are hard as Microsoft cannot modify & recompile proprietary software by others ➢ Linux and its software ➢ Free Open Source ➢ Source code can be audited, bugs and backdoors found ➢ Major design improvements are easier to implement
Windows versus Linux security ➢ Windows software ➢ Often (illegal copies) downloaded from web or P2P ➢ No checksum or signature ➢ Often malware. No way to detect it. ➢ Installer = executable ➢ Any malware gets executed with admin privileges ➢ Linux ➢ Software is installed through package manager ➢ Package maintainers of the many distributions often audit code and compile from source. ➢ Package maintainers sign the packages and provide checksums ➢ Package = compressed archive only unpacked by root
Windows versus Linux security Updates ➢ Windows update manager is only updating Windows (and other Microsoft software?) ➢ Linux update manager is updating all software installed through the package manager, which is typically near 100%.
Windows versus Linux security User attitudes towards updates & upgrades ➢ Windows users don’t like updates & upgrades ➢ Windows reboots for updates ➢ System cannot be used during installation of the updates ➢ Users have very little control over updates ➢ Updates often come with more anti-user features ➢ Microsoft forces GUI changes upon upgrades ➢ Users continue with outdated OS when they don’t like GUI of newer version ➢ Linux ➢ Software and kernel(!) updates can be installed without rebooting or unavailability of the system ➢ Users have total control over updates ➢ User can select the GUI indepentdently from upgrades
Windows versus Linux security Who gets updates ➢ Windows and its software ➢ Sometimes “pirate users” did not get updates ➢ Linux and its software ➢ Users are never labeled as “pirates” ➢ Users are not denied updates
Windows versus Linux security ➢ Windows ➢ Not modular ➢ Most versions can’t be run without GUI ➢ No strict separation between kernel and GUI, webbrowser, games, … ➢ Any bug in these can lead to crash or intrusion of the kernel ➢ Linux and its software ➢ Modular ➢ GUI is an option ➢ Strict separation between kernel and user space
Windows versus Linux security ➢ Windows ➢ Decides if a file is executable based on extension ➢ Read and execute permissions are not distinct ➢ “50+ File Extensions that are Potentially Dangerous on Windows” ➢ Windows hides extensions by default, but only the last one ➢ file.jpg.exe is visible as file.jpg ➢ Mail attachments can infect you with malware ➢ Linux ➢ Decides if a file is executable based on execution bit ➢ Read and execute permissions are distinct ➢ Nobody was stupid enough to write a Linux mail client that sets the execution permission on attachments.
Windows versus Linux security ➢ Windows ➢ Autorun software from CD and USB (until Windows 7) ➢ Linux ➢ Autorun is not default or asks user permission
Windows versus Linux security ➢ Windows ➢ Many users work day in day out with an admin account ➢ Linux ➢ Users get a big fat warning when they attempt to login in the GUI as root ➢ Users get very low privileges ➢ Different crucial applications run on different user accounts ➢ E.g. Apache web server runs as user www ➢ User www has only (write) access to its own files.
Windows versus Linux security ➢ Windows ➢ FAT and NTFS still don’t have the option to create a non- executable partition? ➢ Linux ➢ /tmp can be set as noexec ➢ This prevents that malware uploaded through e.g. webserver can be executed.
Windows versus Linux security ➢ Windows ➢ Monoculture ➢ Linux ➢ 300+ distributions ➢ 84+ window managers ➢ Many packaging systems ➢ Many mail clients ➢ The diversity slows down widespread malware infections as these will not work for all Linux systems.
Windows versus Linux security ➢ Windows filesystems ➢ Not much more than FAT and NTFS ➢ Linux ➢ Supports tens of filesystems ➢ Including some high availability oriented ones such as ZFS.
Windows versus Linux security Matheus effect ➢ Windows ➢ Many users don’t care about security ➢ Linux ➢ Users caring about security will rather use Linux ➢ These users secure their systems more ➢ Linux get more attention by security caring developers
Credits ➢ Password Strength, Creative Commons BY-NC http://xkcd.com/936/ ➢ Security, Creative Commons BY-NC http://xkcd.com/538/ ➢ Zimmermann Telegram, 1917, no known copyright restrictions ➢ Assymetric and symmetric encryption by Jeremy Stretch, http://packetlife.net/blog/2010/nov/23/symmetric-asymmetric-encryption-hashing/ ➢ Orange blue public key cryptography, Creative Commons CC0 by Bananenfalter ➢ HTTPS SSL Exchange by Robb Perry, http://coding.smashingmagazine.com/2012/05/17/backpack-algorithms-and-public-key-cryptography-made-easy/ ➢ Bitcoin logo, Public Domain by bitboy ➢ Bitcoin Transaction Visual, Creative Commons CC0 by Graingert ➢ Question mark CC-by by Stefan Baudy ➢ GNU Head Joseph W. Reiss Free Art License or the GNU GPLv2
This presentation was made with 100% Free Software No animals were harmed Questier.com Frederik AT Questier.com www.linkedin.com/in/fquestie www.diigo.com/user/frederikquestier www.slideshare.net/Frederik_Questier T hank you! Q uestions?

Empfohlen

Introduction of computer security
Introduction of computer securityIntroduction of computer security
Introduction of computer security
SoundaryaB2
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
frcarlson
 
Impact to it security of incorrect configuration of firewall policies and thi...
Impact to it security of incorrect configuration of firewall policies and thi...Impact to it security of incorrect configuration of firewall policies and thi...
Impact to it security of incorrect configuration of firewall policies and thi...
usman butt
 
Network security - Basic concepts
Network security - Basic conceptsNetwork security - Basic concepts
Network security - Basic concepts
Khoa Nguyen
 
Honeypot seminar report
Honeypot seminar reportHoneypot seminar report
Honeypot seminar report
Inder NeGi
 
HONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantagesHONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantages
amit kumar
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
Zoltan Balazs
 
Hacking Closed Networks
Hacking Closed NetworksHacking Closed Networks
Hacking Closed Networks
Priyanka Aash
 

Empfohlen

Introduction of computer security
Introduction of computer securityIntroduction of computer security
Introduction of computer security
SoundaryaB2
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
frcarlson
 
Impact to it security of incorrect configuration of firewall policies and thi...
Impact to it security of incorrect configuration of firewall policies and thi...Impact to it security of incorrect configuration of firewall policies and thi...
Impact to it security of incorrect configuration of firewall policies and thi...
usman butt
 
Network security - Basic concepts
Network security - Basic conceptsNetwork security - Basic concepts
Network security - Basic concepts
Khoa Nguyen
 
Honeypot seminar report
Honeypot seminar reportHoneypot seminar report
Honeypot seminar report
Inder NeGi
 
HONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantagesHONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantages
amit kumar
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
Zoltan Balazs
 
Hacking Closed Networks
Hacking Closed NetworksHacking Closed Networks
Hacking Closed Networks
Priyanka Aash
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouni
Loay Elbasyouni
 
Network security and System Admin
Network security and System AdminNetwork security and System Admin
Network security and System Admin
MD SAHABUDDIN
 
Network Security
Network SecurityNetwork Security
Network Security
VIKAS SINGH BHADOURIA
 
Weaponizing the Nokia N900 -- TakeDownCon, Dallas, 2011
Weaponizing the Nokia N900 -- TakeDownCon, Dallas, 2011Weaponizing the Nokia N900 -- TakeDownCon, Dallas, 2011
Weaponizing the Nokia N900 -- TakeDownCon, Dallas, 2011
shawn_merdinger
 
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Positive Hack Days
 
Network Security
Network SecurityNetwork Security
Network Security
Puneet Abichandani
 
Cyber crime trends in 2013
Cyber crime trends in 2013 Cyber crime trends in 2013
Cyber crime trends in 2013
The eCore Group
 
BYOD and Your Business
BYOD and Your BusinessBYOD and Your Business
BYOD and Your Business
cherienetclarity
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 
Honey Pot
Honey PotHoney Pot
Honey Pot
iradarji
 
Honeypot and Steganography
Honeypot and SteganographyHoneypot and Steganography
Honeypot and Steganography
Preeti Yadav
 
Hacking
Hacking Hacking
Hacking
SahilGothoskar
 
Why Risk Management Fails
Why Risk Management FailsWhy Risk Management Fails
Why Risk Management Fails
Richard Stiennon
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And Prevention
Nicholas Davis
 
A+ Update Endpoint Encryption
A+ Update Endpoint EncryptionA+ Update Endpoint Encryption
A+ Update Endpoint Encryption
OSU - East
 
Session Slide
Session SlideSession Slide
Session Slide
Muralidharan Radhakrishnan
 
Honeypot-A Brief Overview
Honeypot-A Brief OverviewHoneypot-A Brief Overview
Honeypot-A Brief Overview
SILPI ROSAN
 
Mobile #Infosec hackathon for journalists(2)
Mobile #Infosec hackathon for journalists(2)Mobile #Infosec hackathon for journalists(2)
Mobile #Infosec hackathon for journalists(2)
Tanja Drca
 
Network Security fundamentals
Network Security fundamentalsNetwork Security fundamentals
Network Security fundamentals
Tariq kanher
 
Encryption
EncryptionEncryption
Encryption
DanielNanaAnyemeduHe
 
Computer Security
Computer SecurityComputer Security
Computer Security
Frederik Questier
 
Internet Security
Internet SecurityInternet Security
Internet Security
JainamParikh3
 

Weitere ähnliche Inhalte

Was ist angesagt?

Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouni
Loay Elbasyouni
 
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Positive Hack Days
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And Prevention
Nicholas Davis
 
Honeypot-A Brief Overview
Honeypot-A Brief OverviewHoneypot-A Brief Overview
Honeypot-A Brief Overview
SILPI ROSAN
 
Network Security fundamentals
Network Security fundamentalsNetwork Security fundamentals
Network Security fundamentals
Tariq kanher
 

Was ist angesagt? (20)

Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouni
 
Network security and System Admin
Network security and System AdminNetwork security and System Admin
Network security and System Admin
 
Network Security
Network SecurityNetwork Security
Network Security
 
Weaponizing the Nokia N900 -- TakeDownCon, Dallas, 2011
Weaponizing the Nokia N900 -- TakeDownCon, Dallas, 2011Weaponizing the Nokia N900 -- TakeDownCon, Dallas, 2011
Weaponizing the Nokia N900 -- TakeDownCon, Dallas, 2011
 
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
 
Network Security
Network SecurityNetwork Security
Network Security
 
Cyber crime trends in 2013
Cyber crime trends in 2013 Cyber crime trends in 2013
Cyber crime trends in 2013
 
BYOD and Your Business
BYOD and Your BusinessBYOD and Your Business
BYOD and Your Business
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
Honey Pot
Honey PotHoney Pot
Honey Pot
 
Honeypot and Steganography
Honeypot and SteganographyHoneypot and Steganography
Honeypot and Steganography
 
Hacking
Hacking Hacking
Hacking
 
Why Risk Management Fails
Why Risk Management FailsWhy Risk Management Fails
Why Risk Management Fails
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And Prevention
 
A+ Update Endpoint Encryption
A+ Update Endpoint EncryptionA+ Update Endpoint Encryption
A+ Update Endpoint Encryption
 
Session Slide
Session SlideSession Slide
Session Slide
 
Honeypot-A Brief Overview
Honeypot-A Brief OverviewHoneypot-A Brief Overview
Honeypot-A Brief Overview
 
Mobile #Infosec hackathon for journalists(2)
Mobile #Infosec hackathon for journalists(2)Mobile #Infosec hackathon for journalists(2)
Mobile #Infosec hackathon for journalists(2)
 
Network Security fundamentals
Network Security fundamentalsNetwork Security fundamentals
Network Security fundamentals
 
Encryption
EncryptionEncryption
Encryption
 

Ähnlich wie Computer & Data Security

Information Systems.pptx
Information Systems.pptxInformation Systems.pptx
Information Systems.pptx
KnownId
 
2.5 safety and security of data in ict systems 13 12-11
2.5 safety and security of data in ict systems 13 12-112.5 safety and security of data in ict systems 13 12-11
2.5 safety and security of data in ict systems 13 12-11
mrmwood
 
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Cengage Learning
 
2014CyberSecurityProject
2014CyberSecurityProject2014CyberSecurityProject
2014CyberSecurityProject
Kaley Hair
 
E-commerce & Security
E-commerce & SecurityE-commerce & Security
E-commerce & Security
NetstarterSL
 
Avoid embarrassing press by designing secure IoT products with Misha Seltzer
Avoid embarrassing press by designing secure IoT products with Misha SeltzerAvoid embarrassing press by designing secure IoT products with Misha Seltzer
Avoid embarrassing press by designing secure IoT products with Misha Seltzer
Product of Things
 

Ähnlich wie Computer & Data Security (20)

Computer Security
Computer SecurityComputer Security
Computer Security
 
Internet Security
Internet SecurityInternet Security
Internet Security
 
Information Systems.pptx
Information Systems.pptxInformation Systems.pptx
Information Systems.pptx
 
2.5 safety and security of data in ict systems 13 12-11
2.5 safety and security of data in ict systems 13 12-112.5 safety and security of data in ict systems 13 12-11
2.5 safety and security of data in ict systems 13 12-11
 
Data security
Data securityData security
Data security
 
Computer security
Computer securityComputer security
Computer security
 
Notacd02
Notacd02Notacd02
Notacd02
 
Network Security
Network SecurityNetwork Security
Network Security
 
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
 
2014CyberSecurityProject
2014CyberSecurityProject2014CyberSecurityProject
2014CyberSecurityProject
 
Notacd02
Notacd02Notacd02
Notacd02
 
E-commerce & Security
E-commerce & SecurityE-commerce & Security
E-commerce & Security
 
TOPIC7.pptx
TOPIC7.pptxTOPIC7.pptx
TOPIC7.pptx
 
Internet security
Internet securityInternet security
Internet security
 
Avoid embarrassing press by designing secure IoT products with Misha Seltzer
Avoid embarrassing press by designing secure IoT products with Misha SeltzerAvoid embarrassing press by designing secure IoT products with Misha Seltzer
Avoid embarrassing press by designing secure IoT products with Misha Seltzer
 
Building Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal DevicesBuilding Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal Devices
 
NewIinternet security
NewIinternet securityNewIinternet security
NewIinternet security
 
New internet security
New internet securityNew internet security
New internet security
 
It security,malware,phishing,information theft
It security,malware,phishing,information theftIt security,malware,phishing,information theft
It security,malware,phishing,information theft
 
Windows 10: Windows 10 de ITPros a ITPros
Windows 10: Windows 10 de ITPros a ITProsWindows 10: Windows 10 de ITPros a ITPros
Windows 10: Windows 10 de ITPros a ITPros
 

Mehr von Frederik Questier

Mehr von Frederik Questier (20)

Free Libre Open Source Software Development
Free Libre Open Source Software DevelopmentFree Libre Open Source Software Development
Free Libre Open Source Software Development
 
OER & Copyrights
OER & CopyrightsOER & Copyrights
OER & Copyrights
 
Plagiarism prevention and detection
Plagiarism prevention and detectionPlagiarism prevention and detection
Plagiarism prevention and detection
 
FLOSS strategies & policies
FLOSS strategies & policiesFLOSS strategies & policies
FLOSS strategies & policies
 
Open e-learning - MarMOOC experiences - Cuba
Open e-learning - MarMOOC experiences - CubaOpen e-learning - MarMOOC experiences - Cuba
Open e-learning - MarMOOC experiences - Cuba
 
Open learning experiences from the MarMOOC project presented at BDU
Open learning experiences from the MarMOOC project presented at BDUOpen learning experiences from the MarMOOC project presented at BDU
Open learning experiences from the MarMOOC project presented at BDU
 
Open learning Experiences from the MarMOOC project (presented at UHo)
Open learning Experiences from the MarMOOC project (presented at UHo)Open learning Experiences from the MarMOOC project (presented at UHo)
Open learning Experiences from the MarMOOC project (presented at UHo)
 
Open learning Experiences from the MarMOOC project
Open learning Experiences from the MarMOOC projectOpen learning Experiences from the MarMOOC project
Open learning Experiences from the MarMOOC project
 
FLOSS development
FLOSS developmentFLOSS development
FLOSS development
 
Authentication options for Open edX: focus on OAuth and OpenID
Authentication options for Open edX: focus on OAuth and OpenIDAuthentication options for Open edX: focus on OAuth and OpenID
Authentication options for Open edX: focus on OAuth and OpenID
 
E-learning design models - Primer for (educational) technologists
E-learning design models - Primer for (educational) technologistsE-learning design models - Primer for (educational) technologists
E-learning design models - Primer for (educational) technologists
 
MOOCs & Openness
MOOCs & OpennessMOOCs & Openness
MOOCs & Openness
 
New learning paradigms and learning technologies
New learning paradigms and learning technologiesNew learning paradigms and learning technologies
New learning paradigms and learning technologies
 
Free Libre And Open Source Software Acceptance in The Cuban Higher Educationa...
Free Libre And Open Source Software Acceptance in The Cuban Higher Educationa...Free Libre And Open Source Software Acceptance in The Cuban Higher Educationa...
Free Libre And Open Source Software Acceptance in The Cuban Higher Educationa...
 
Students' Experiential Knowledge Production in the Teaching-Learning Process ...
Students' Experiential Knowledge Production in the Teaching-Learning Process ...Students' Experiential Knowledge Production in the Teaching-Learning Process ...
Students' Experiential Knowledge Production in the Teaching-Learning Process ...
 
Institutional strategies for educational innovation and e-learning
Institutional strategies for educational innovation and e-learningInstitutional strategies for educational innovation and e-learning
Institutional strategies for educational innovation and e-learning
 
New learning paradigms and technologies
New learning paradigms and technologiesNew learning paradigms and technologies
New learning paradigms and technologies
 
Free & Open Source Software (2017 update)
Free & Open Source Software (2017 update)Free & Open Source Software (2017 update)
Free & Open Source Software (2017 update)
 
Challenges for 21st century education and blended learning
Challenges for 21st century education and blended learningChallenges for 21st century education and blended learning
Challenges for 21st century education and blended learning
 
FLOSS & OER
FLOSS & OERFLOSS & OER
FLOSS & OER
 

Kürzlich hochgeladen

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 

Kürzlich hochgeladen (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

Computer & Data Security

  • 1. Computer & Data Security Prof. dr. Frederik Questier - Vrije Universiteit Brussel Presented at: Arba Minch University, Ethiopia, 03/2019
  • 2.
  • 3. Main objectives of computer security ➢ Confidentiality ➢ of data (secrecy) ➢ of persons (privacy) ➢ access only by authorized parties ➢ Integrity ➢ data only correctly modified or deleted by authorized parties ➢ Availability ➢ correctly accessible in a timely manner ➢ the failure to meet this goal is called a denial of service
  • 4. Assignment Risk analysis Congratulations! You are elected member of the newly established computer and data security team in the university. Make a list of all possible risks that can have an impact on the security and stability of your internal and external IT services.
  • 5. What can go wrong? Nature ➢ lightning strike ➢ fire ➢ flood ➢ heat wave – cold wave ➢ storm weather, hurricane ➢ earthquake ➢ tsunami ➢ volcano eruption ➢ electro magnetic pulse from the sun ➢ disease of key employees
  • 6. What can go wrong? Infrastructure or services problems ➢ Failure of ➢ software (bugs; license expired, ...) ➢ hardware ➢ electricity ➢ power outage or power surge ➢ network (cable cut – saturation) ➢ airconditioning ➢ water pipes –> leak ➢ system upgrades ➢ service providers (e.g. cloud) ➢ Overload of CPU, memory, storage, network (spam)
  • 7. What can go wrong? Human errors ➢ Weak security ➢ Loss of laptops, smartphones, USB-sticks, … ➢ No encryption ➢ Passwords leaks or cracks ➢ Computer console left unlocked ➢ Misunderstanding computer interface or other mistakes ➢ Deleting data ➢ Corrupting data ➢ Confiscation of machines
  • 8. What can go wrong? Evil actions by people ➢ break in (hackers - crackers) ➢ social engineering ➢ phishing ➢ (identity) theft ➢ vandalism ➢ unhappy employees ➢ sabotage (time bomb), leaks ➢ cyber attack, e.g. (Distributed) Denial of Service ➢ terrorism ➢ war ➢ nuclear bomb
  • 9. What can go wrong? Malware (malicious software) ➢ Botnet ➢ Rootkit ➢ Back door ➢ Spyware ➢ keylogger ➢ network sniffer ➢ Dialer ➢ Ransomware
  • 10. Business continuity planning = how to stay in business in the event of disaster? ➢ Disaster recovery ● Preventive measures ● Detective measures ● Corrective measures
  • 11. Threat modeling 1) What do you want to protect? 2) Who/what do you want to protect it from? 3) How likely is it that you will need to protect it? 4) How bad are the consequences if you fail? 5) How much trouble are you willing to go through in order to try to prevent those?
  • 12. Tools for computer security
  • 13. Tools for confidentiality ➢ Authorization - access policies - access control ➢ Authentication – identification ➢ Passwords ➢ … ➢ Encryption ➢ Virtual private networking ➢ Auditing – logging ➢ ...
  • 15. Tools for availability ➢ Disaster recovery planning ➢ Physical protections ➢ Anti-theft ➢ Uninterruptible Power Supply ➢ Redundancies ➢ Intrusion-detection systems ➢ Antivirus software ➢ Firewall ➢ ...
  • 17. Passwords ➢ Don't share them ➢ Not even with computer administrators ➢ Don't write them down ➢ Don't reuse them among different sites ➢ Change them often ➢ Select wise: ➢ Easy to remember ➢ Hard to guess (resistant to dictionary attacks) ➢ Password length ➢ Large set of characters (caps, lower case, numbers, symbols)
  • 18. Some notorious password leaks ➢ 2016: 500M Yahoo passwords ➢ 2015: 30M Ashley Madison MD5 passwords etc ➢ 2014: 5M Gmail passwords ➢ 2013: 38M Adobe passwords (and source code) ➢ 2013: 250K Twitter passwords ➢ 2012: 12M Apple User IDs stolen by FBI, 1M leaked ➢ 2012: 6M LinkedIn passwords ➢ 2012: 450K plain text Yahoo passwords ➢ 2012: 1.5M plain text Youporn passwords ➢ 2009: 10K MS Hotmail, MSN and Live passwords
  • 19.
  • 21. Passphrases are more secure than passwords
  • 22.
  • 23. Biometric identification ➢ Finger print ➢ Voice print ➢ Iris scan ➢ Retinal scan ➢ Convenient ➢ Relative safe ➢ But...
  • 25. Danger of biometric identification? ➢ You can't change your biometric password once it got leaked ➢ You can't legally refuse to give it, unlike a password (US fifth amendment) ➢ Something like a fingerprint might be unusable as a password, because you leave copies of your fingerprints on everything you touch. ➢ Fingerprint is more like a login than like a password.
  • 26. Lock your screen when you leave
  • 27. Security issues in communication PrivacyPrivacy IntegrityIntegrity AuthenticationAuthentication Non-repudiationNon-repudiation Interception Spoofing Modification Proof of parties involved
  • 28.
  • 30.
  • 31. Cipher algorithm for performing encryption or decryption ➢ Example: Caesar cipher
  • 32.
  • 33.
  • 34.
  • 35.
  • 36. Great if we can exchange our messages encrypted! But how can we safely exchange our keys?
  • 37. Symmetric encryption Sender and receiver must both know the same secret key How to exchange that key over distance??? Asymmetric encryption Sender only needs to know the public key of receiver!
  • 38. Public key encryption The private key can unlock (decrypt) what is locked (encrypted) with the public key
  • 40.
  • 41.
  • 42.
  • 43.
  • 44. Man-in-the-middle attack ➢ How can Bob know that Alice's key is really Alice's key (and not Mallory's)?
  • 45. Digital certificates Version # Serial # Signature Algorithm Issuer Name Validity Period Subject Name Subject Public Key Issuer Unique ID Subject Unique ID Extensions Digital Signature
  • 47. ➢ CAcert.org is a community-driven certificate authority that issues free public key certificates to the public (unlike other certificate authorities which are commercial and sell certificates). ➢ CAcert has over 200,000 verified users. ➢ These certificates can be used to digitally sign and encrypt email, authenticate and authorize users connecting to websites and secure data transmission over the Internet.
  • 49. Belgian eID contains personal authentication certificate signature certificate Two factor auth: possession of eID and knowledge of pin code
  • 50. Private keys never leave eID! Signatures are computed in eID on hash of file-to-be-signed (SHA-1 = Secure Hash Algorithm)
  • 51. Error detection - Checksum - cryptographic hash e.g. CRC32 (cyclic redundancy check) MD5 (message digest) SHA-3 (Secure Hash Algorithm)
  • 52. Belgian electronic medical prescriptions are based on the e-ID ➢ Doctor is identified with e-ID ➢ Patient is identified with e-ID ➢ Doctor signs the prescription with e-ID ➢ Prescription is stored in national Recip-e database. ➢ Patient can consult prescriptions in patient portal with e-ID ➢ Pharmacist is identified with e-ID ➢ Pharmacist finds the prescription in the Recip-e database with barcode on the paper version of the prescription.
  • 53. ➢ Encrypted protocols ➢ HTTPS ➢ SFTP ➢ SSH ➢ TOR ➢ VPN ➢ WEP (Wired Equivalent Protocol. Weak!) ➢ WPA - WPA2 Wi-Fi Protected Access ➢ Non-encrypted protocols ➢ HTTP ➢ FTP ➢ TELNET ➢ BitTorrent
  • 54. Telegram and Signal ➢ Free Open Source software ➢ End to end encryption ➢ Delete messages everywhere ➢ Self-destruct timer for messages ➢ VOIP ➢ User friendly ➢ For Android, iOS, …
  • 56.
  • 57.
  • 58.
  • 59.
  • 60. Virtual drive in file container Encrypted file container.txt Mountable as virtual drive /media/encrypted-disk /Volumes/encrypted-disk E:
  • 61.
  • 62.
  • 63.
  • 65. Virtual Private Networks extends a private (hospital) network across a public (internet) network encrypted to protect against network sniffing
  • 66. Internet use through a VPN provider Sarah A. Downey, http://www.abine.com/blog/2012/petraeuss-emails-werent-private-and-neither-are-yours/
  • 67. (Free) VPNs? ➢ VPNs good for ➢ protection against nearby spying and MITM attack ➢ avoiding geoblocking ➢ But you need to trust your VPN provider ➢ The free VPNs might have a business model based on spying on you. ➢ Don’t install their proprietary apps ➢ The good VPN providers support OpenVPN ➢ Best to install e.g. OpenVPN on your own server.
  • 69.
  • 72. = The Onion Router Free Open Source software for anonymity network
  • 73. Edward Snowden: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”
  • 74.
  • 75. ➢ From the European Parliament investigation into the Echelon system (05/18/2001): “If security is to be taken seriously, only those operating systems should be used whose source code has been published and checked, since only then can it be determined with certainty what happens to the data.”
  • 76. ➢ Cryptographer, computer security expert Bruce Schneier: “Secrecy and security aren't the same, even though it may seem that way. Only bad security relies on secrecy; good security works even if all the details of it are public." “If researchers don’t go public, things don’t get fixed. Companies don't see it as a security problem; they see it as a PR problem.” “Demand open source code for anything related to security”
  • 77. The Borland Interbase example ➢ 1992-1994: Borland inserted intentional back door into Interbase (closed source database server) allowing local or remote users root access to the machine ➢ 07/2000: Borland releases source code (→ Firebird) ➢ 12/2000: Back door is discovered
  • 79.
  • 80.
  • 81. “Our products just aren’t engineered for security.” Brian Valentine, Microsoft senior vice-president Windows Engineering, 2002
  • 82.
  • 83.
  • 84. Be aware of phishing attacks
  • 86. Backups How would you optimize this backup strategy? ➢ Every night at 4 am, all university computers get a wake up signal. ➢ The backup server takes over network a complete backup of every hard disk of every computer. ➢ The backups are stored on a NAS (Network Attached Storage) with 1000 hard disks. ➢ The backup server and the NAS are located in the data center of the university (floor level -1). ➢ To save storage space, backups older than a year are deleted.
  • 88. Backups ➢ First time and sometimes: full backup ➢ Most often: only incremental backup ➢ Use a good data retention scheme ➢ e.g. 7 daily, 4 weekly, 12 monthly, all yearly backups ➢ + Use off-site data protection = vaulting ➢ e.g. remote backup (compression, encryption!) ➢ Use offline backups as protection against ransomware ➢ Reflect about your time for full restore ➢ Test the restore procedure! ➢ “80% of backups fail to restore”
  • 89.
  • 90. (Cheap) versioning For important documents save daily new version as: thesis20190307.odt This avoids overwriting backups with corrupt data See also https://en.wikipedia.org/wiki/ISO_8601
  • 94. Your toilets are better locked than your electrical switches
  • 96.
  • 98. RAID: Redundant Array of Independent Disks
  • 99.
  • 100.
  • 101. Install software from trusted sources! (avoid if possible P2P or web downloads)
  • 102. Apply software updates and upgrades!
  • 103. If you don’t apply security fixes fast enough... ➢ Microsoft ➢ Patch Tuesday ➢ Exploit Wednesday
  • 104. Principle of least privilege Avoid privilege escalation
  • 105. Intrusion Detection Systems (IDS) ➢ Fail2ban ➢ Snort ➢ real-time traffic analysis and packet logging ➢ detect probes or attacks ➢ Samhain ➢ Complete integrity check ➢ uses cryptographic checksums of files to detect modifications, ➢ can find rogue SUID executables anywhere on disk ➢ Centralized monitoring ➢ native support for logging to a central server via encrypted and authenticated connections ➢ Tamper resistance ➢ database and configuration files can be signed ➢ log file entries and e-mail reports are signed ➢ support for stealth operation ➢ Honey pots ➢ ...
  • 106. Subscribe to security mailing lists of the critical software you are using
  • 107. Assignments ➢ Make a risk analysis and threat modeling of the computer and data systems at your organization. What are the weakest and most unsecure parts? ➢ Risk ... probability * potential impact = total risk level ➢ Which actions will you take to increase the security at your organization? ➢ Why are some operating systems more secure than others? ➢ Compare the security characteristics of the Linux operating system and Windows
  • 108. Windows versus Linux security ➢ Windows origin ➢ QDOS (Quick and Dirty Operating System, 1980) ➢ To fit in small 8086 Personal Computer all existing concepts of security, network, multi-user, … where omitted. ➢ 86-DOS ➢ MSDOS ➢ Windows ➢ Linux (1991) ➢ Modeled according to UNIX, with security, network and multi-user concepts implemented from the beginning.
  • 109. Windows versus Linux security ➢ Windows and its software ➢ Source code mostly secret ➢ Cannot be audited ➢ Microsoft’s self-inflicted curse of binary compatibility: ➢ Major design improvements are hard as Microsoft cannot modify & recompile proprietary software by others ➢ Linux and its software ➢ Free Open Source ➢ Source code can be audited, bugs and backdoors found ➢ Major design improvements are easier to implement
  • 110. Windows versus Linux security ➢ Windows software ➢ Often (illegal copies) downloaded from web or P2P ➢ No checksum or signature ➢ Often malware. No way to detect it. ➢ Installer = executable ➢ Any malware gets executed with admin privileges ➢ Linux ➢ Software is installed through package manager ➢ Package maintainers of the many distributions often audit code and compile from source. ➢ Package maintainers sign the packages and provide checksums ➢ Package = compressed archive only unpacked by root
  • 111. Windows versus Linux security Updates ➢ Windows update manager is only updating Windows (and other Microsoft software?) ➢ Linux update manager is updating all software installed through the package manager, which is typically near 100%.
  • 112. Windows versus Linux security User attitudes towards updates & upgrades ➢ Windows users don’t like updates & upgrades ➢ Windows reboots for updates ➢ System cannot be used during installation of the updates ➢ Users have very little control over updates ➢ Updates often come with more anti-user features ➢ Microsoft forces GUI changes upon upgrades ➢ Users continue with outdated OS when they don’t like GUI of newer version ➢ Linux ➢ Software and kernel(!) updates can be installed without rebooting or unavailability of the system ➢ Users have total control over updates ➢ User can select the GUI indepentdently from upgrades
  • 113. Windows versus Linux security Who gets updates ➢ Windows and its software ➢ Sometimes “pirate users” did not get updates ➢ Linux and its software ➢ Users are never labeled as “pirates” ➢ Users are not denied updates
  • 114. Windows versus Linux security ➢ Windows ➢ Not modular ➢ Most versions can’t be run without GUI ➢ No strict separation between kernel and GUI, webbrowser, games, … ➢ Any bug in these can lead to crash or intrusion of the kernel ➢ Linux and its software ➢ Modular ➢ GUI is an option ➢ Strict separation between kernel and user space
  • 115. Windows versus Linux security ➢ Windows ➢ Decides if a file is executable based on extension ➢ Read and execute permissions are not distinct ➢ “50+ File Extensions that are Potentially Dangerous on Windows” ➢ Windows hides extensions by default, but only the last one ➢ file.jpg.exe is visible as file.jpg ➢ Mail attachments can infect you with malware ➢ Linux ➢ Decides if a file is executable based on execution bit ➢ Read and execute permissions are distinct ➢ Nobody was stupid enough to write a Linux mail client that sets the execution permission on attachments.
  • 116. Windows versus Linux security ➢ Windows ➢ Autorun software from CD and USB (until Windows 7) ➢ Linux ➢ Autorun is not default or asks user permission
  • 117. Windows versus Linux security ➢ Windows ➢ Many users work day in day out with an admin account ➢ Linux ➢ Users get a big fat warning when they attempt to login in the GUI as root ➢ Users get very low privileges ➢ Different crucial applications run on different user accounts ➢ E.g. Apache web server runs as user www ➢ User www has only (write) access to its own files.
  • 118. Windows versus Linux security ➢ Windows ➢ FAT and NTFS still don’t have the option to create a non- executable partition? ➢ Linux ➢ /tmp can be set as noexec ➢ This prevents that malware uploaded through e.g. webserver can be executed.
  • 119. Windows versus Linux security ➢ Windows ➢ Monoculture ➢ Linux ➢ 300+ distributions ➢ 84+ window managers ➢ Many packaging systems ➢ Many mail clients ➢ The diversity slows down widespread malware infections as these will not work for all Linux systems.
  • 120. Windows versus Linux security ➢ Windows filesystems ➢ Not much more than FAT and NTFS ➢ Linux ➢ Supports tens of filesystems ➢ Including some high availability oriented ones such as ZFS.
  • 121. Windows versus Linux security Matheus effect ➢ Windows ➢ Many users don’t care about security ➢ Linux ➢ Users caring about security will rather use Linux ➢ These users secure their systems more ➢ Linux get more attention by security caring developers
  • 122. Credits ➢ Password Strength, Creative Commons BY-NC http://xkcd.com/936/ ➢ Security, Creative Commons BY-NC http://xkcd.com/538/ ➢ Zimmermann Telegram, 1917, no known copyright restrictions ➢ Assymetric and symmetric encryption by Jeremy Stretch, http://packetlife.net/blog/2010/nov/23/symmetric-asymmetric-encryption-hashing/ ➢ Orange blue public key cryptography, Creative Commons CC0 by Bananenfalter ➢ HTTPS SSL Exchange by Robb Perry, http://coding.smashingmagazine.com/2012/05/17/backpack-algorithms-and-public-key-cryptography-made-easy/ ➢ Bitcoin logo, Public Domain by bitboy ➢ Bitcoin Transaction Visual, Creative Commons CC0 by Graingert ➢ Question mark CC-by by Stefan Baudy ➢ GNU Head Joseph W. Reiss Free Art License or the GNU GPLv2
  • 123. This presentation was made with 100% Free Software No animals were harmed Questier.com Frederik AT Questier.com www.linkedin.com/in/fquestie www.diigo.com/user/frederikquestier www.slideshare.net/Frederik_Questier T hank you! Q uestions?