Tuesday, August 5, 2014

Assignment for Final. (PKI & Hardening)

Public Key Infrastructure (PKI)


What is PKI?

PKI (Public Key Infrastructure) is a process or method of determining the identity and validity of a person (or entity) that you have not previously met or interacted with through the use of certificates containing identifying information and public keys. PKI accomplishes this by defining a central authority who is mutually trusted by all users of the system (Gaulet, 2009).

There are different types of systems in a PKI:
  1. Private and Public Key Systems: Private systems are symmetric cryptography and public systems are asymmetric cryptography. Currently, public key systems are the most common.
  2. Symmetric Encryption Systems: The same key is used for both the processes of encryption and decryption.
  3. Asymmetric Encryption Systems: A different key is used for each process. If something is encrypted with the public key, then decryption can only be done with the private key. Alternatively, if something is encrypted with the private key, then decryption must be done only with the public key (Janssen, Public Key Infrastructure (PKI), 2014).

Digital Certificate Stores

To verify the identity of people and organizations on the Web and to ensure content integrity, Internet Explorer uses industry-standard X.509 v3 digital certificates. Certificates are electronic credentials that bind the identity of the certificate owner to a pair (public and private) of electronic keys that can be used to encrypt and sign information digitally. These electronic credentials assure that the keys actually belong to the person or organization specified. Messages can be encrypted with either the public or the private key and then decrypted with the other key (Microsoft, 2014).

Certificates form the basis for secure communication and client and server authentication on the Web. You can use certificates to do the following:
  • Verify the identity of clients and servers on the Web. 
  • Encrypt channels to provide secure communication between clients and servers. 
  • Encrypt messages for secure Internet e-mail communication. 
  • Verify the sender's identity for Internet e-mail messages. 
  • Put your digital signature on executable code that users can download from the Web. 
  • Verify the source and integrity of signed executable code that users can download from the Web (Microsoft, 2014).
  
The following illustration shows the basic process of using public and private keys to encrypt and decrypt a message sent over the Internet.

[Illustration: public and private keys used to encrypt and decrypt a message sent over the Internet (Microsoft, 2014)]

Web Browser example

Below is a typical flow for a one-way communication between a web browser and a web server over HTTPS. This system utilizes asymmetric keys for the initial handshake, and then a symmetric key to encrypt data thereafter.
  • Client browser hits your web server asking for identification.
  • The server responds by sending the client its public key (or certificate file).
  • The client browser then examines the certificate, checking it against its built-in database of Certification Authority (CA) keys. If it has a CA root key installed for the CA that signed the server's certificate and the certificate checks out, then it trusts that the server is who it says it is.
  • Using the server's now-validated public key, the browser generates a symmetric key and encrypts it. It then sends it to the server.
  • The server receives the encrypted symmetric key and decrypts it with its private key.
  • Now that the client and server both have a copy of the symmetric key, efficient encryption/decryption can occur between the server and client (Inbound Traffic, 2014).
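The flow above carried out in code, as an added example (mine, not from the original post or its source): a toy root CA issues a certificate to the constructed host name www.example.com, the client verifies that certificate against its root store before wrapping a fresh symmetric key with the server's public key, and the server unwraps it with its private key. A certificate for the same host from a CA that is not in the client's store, or for a different host, fails the check and no key is sent. Only Go's standard library is used; the 2048-bit keys and one-hour validity are arbitrary demo choices.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// MakeCert generates a key pair and certificate for name: a self-signed root CA
// when parent is nil, otherwise a server certificate signed by the parent's key.
func MakeCert(name string, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // fails only on a broken entropy source
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
	}
	if parent == nil { // root CA: allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, signer = tmpl, key
	} else { // leaf: identifies a web server for this host name
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above is well-formed
	return cert, key
}

// ClientHandshake is the browser side: check the server certificate against the
// client's trusted roots for the expected host, then generate a fresh 256-bit
// symmetric key and wrap it with the server's public key. Nothing is sent when
// the chain does not end at a trusted root or the host name does not match.
func ClientHandshake(srv *x509.Certificate, host string, roots ...*x509.Certificate) (key, wrapped []byte, err error) {
	pool := x509.NewCertPool() // stands in for the browser's built-in CA store
	for _, r := range roots {
		pool.AddCert(r)
	}
	if _, err = srv.Verify(x509.VerifyOptions{Roots: pool, DNSName: host}); err != nil {
		return nil, nil, err
	}
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, srv.PublicKey.(*rsa.PublicKey), key, nil)
	return key, wrapped, err
}

// ServerUnwrap is the server side: only the private-key holder recovers the symmetric key.
func ServerUnwrap(srvKey *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, srvKey, wrapped, nil)
}
```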

The Basics of Computer System Hardening

Hardening refers to providing various means of protection in a computer system. Protection is provided in various layers such as the host level, the application level, the operating system level, the user level, the physical level and all the sublevels in between (Janssen, 2014).

Hardening’s goal is to eliminate as many risks and threats to a computer system as necessary (Janssen, 2014). For instance, employees in the IT department of a hospital or bank would employ some of the various means of protection on their systems to protect the privacy of the information they collect from their customers, as well as safeguard against unauthorized personnel having access to information they have not been cleared to have. 


Hardening activities for a computer system can include the following:
  • Keeping security patches and hot fixes updated
  • Installing a firewall
  • Installing virus and spyware protection, including an anti-adware tool
  • Keeping a backup, such as a hard drive, of the computer system
  • Disabling cookies
  • Creating strong passwords
  • Never opening emails or attachments from unknown senders
  • Using encryption where possible
  • Implementing hardening security policies, such as local policies governing how often a password must be changed and how long and in what format it must be (Janssen, 2014).

Recent news reports have covered data breaches at large companies such as Target (Sharf, 2014) and, most recently, the restaurant chain P.F. Chang's (London, 2014). Having a hardening security policy in place could have protected their systems from such breaches. It is not enough to plan, develop, and implement a data security plan; the last phase of the process, evaluation, has to be ongoing. Technicians must stay on top of current trends and make sure their systems are built proactively against potential security threats.


References

Gaulet, W. (2009, January 19). Summarizing PKI Certification Validation. Retrieved from Securism Blog: http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/
Inbound Traffic. (2014, January 22). How does PKI work? Retrieved from Inbound Traffic: http://inboundtraffic.net/how-does-pki-work/
Janssen, C. (2014). Hardening. Retrieved from Techopedia.com: http://www.techopedia.com/definition/24833/hardening
Janssen, C. (2014). Public Key Infrastructure (PKI). Retrieved from Techopedia.com: http://www.techopedia.com/definition/4071/public-key-infrastructure-pki
London, D. (2014, August 4). P.F. Chang's: 33 restaurants affected in data breach. Retrieved from USA Today: http://www.usatoday.com/story/money/business/2014/08/04/pfchang-credit-debit-card-data-breach/13567795/
Microsoft. (2014). Digital Certificates. Retrieved from Technet.Microsoft.com: http://technet.microsoft.com/en-us/library/dd361898.aspx
Sharf, S. (2014, August 5). Target Shares Tumble As Retailer Reveals Cost Of Data Breach. Retrieved from Forbes.com: http://www.forbes.com/sites/samanthasharf/2014/08/05/target-shares-tumble-as-retailer-reveals-cost-of-data-breach/



Tuesday, July 29, 2014

Risk Mitigation

Risk Mitigation, A systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence. Also called risk reduction.

How to Control Risk

Privilege Management, the process of assigning and revoking privileges to objects; that is, it covers the procedures of managing object authorizations.

Change Management, refers to a methodology for making modifications and keeping track of those changes. Change management seeks to approach changes systematically and provide the necessary documentation of the changes.

Incident Management, the framework and functions required to enable incident response and incident handling within an organization. The object of incident management is to restore normal operations as quickly as possible with the least possible impact on either the business or the users.

Types of Security Policies

User Policies - Define what users can do when using your network or data and also define security settings that affect users such as password policies.
  • Password Policies - This policy is to help keep user accounts secure. It defines how often users must change their passwords, how long they must be, complexity rules (types of characters used such as lower case letters, upper case letters, numbers, and special characters), and other items.
  • Proprietary Information Use - Acceptable use of any proprietary information owned by the company. Defines where it can be stored and where it may be taken, how and where it can be transmitted.
  • Internet Usage - Use of internet mail, Use of programs with passwords or unencrypted data sent over the internet.
  • System Use - Program installation, No Instant Messaging, No file sharing such as Kazaa, Morpheus. Restrictions on use of your account or password (not to be given away).
  • VPN and remote user system use (remote access) - Must be checked for viruses/trojans/backdoors. Must have firewall, must have AV.
  • Acceptable use of hardware such as modems - No use of modems to internet without a personal firewall.
IT Policies - Define the policies of the IT department used to govern the network for maximum security and stability.
  • Virus incident and security incident - Intrusion detection, containment, and removal.
  • Backup policy - Define what to back up, who backs it up, where it is stored, how long it is stored, how to test backups, what program is used to do backups.
  • Client update policies - Update clients how often and using what means or tools.
  • Server configuration, patch update, and modification policies (security) - Remove unneeded services (harden server). 
  • Firewall policies - What ports to block or allow, how to interface to it or manage it, who has access to the control console.
  • Wireless, VPN, router and switch security, DMZ policy, email retention, auto-forwarded email policy, ability for IT to audit and do risk assessment, acceptable encryption algorithms
General Policies - High level policies defining who is responsible for the policies along with business continuity planning and policies.
  • High level program policy - Defines who owns other policies, who is responsible for them, scope and purpose of policies, any policy exceptions, related documents or policies.
  • Business continuity plan - Includes the following plans:
    • Crisis Management - What to do during the (any) crisis which may threaten the organization.
    • Disaster Recovery - Subfunctions:
      • Server recovery
      • Data recovery
      • End-user recovery
      • Phone system recovery
      • Emergency response plan
      • Workplace recovery

How Awareness and Training Provide Increased Security

Awareness and training involve instruction regarding compliance, secure user practices, and an awareness of threats. Awareness and training also involve helping users understand how their normal practices can impact the security of the organization.

With compliance, users should be made aware of the organization's established security strategy as well as the reasons it is necessary to adhere to it. This can include information on security policy training and procedures, data labeling, handling and disposal, developing and safeguarding one's personally identifiable information, and compliance with laws, best practices and standards.

Some user practices include password behaviors, data handling, clean desk policies, preventing tailgating, and the use of personally owned devices.

With threat awareness, users may be unaware of the security threat a practice or technology may introduce. For example, when using peer-to-peer (P2P) networks for file sharing, the system may become susceptible to viruses, worms, trojans, and spyware. The other technology associated with this type of threat is social networking. Users often include personal information in their profiles for others to read. Attackers may steal this data and use it for malicious purposes. Another thing to consider is the vulnerability of the social networking site itself, and how easy it may be for attackers to break into the site to steal user information.


http://www.businessdictionary.com/definition/risk-mitigation.html
http://www.comptechdoc.org/independent/security/recommendations/secpolgen.html

Tuesday, July 22, 2014

Business Continuity

Business continuity can be defined as the ability of an organization to maintain its operations and services in the face of a disruptive event.

Environmental controls are steps to avoid disruptions rather than trying to recover from them.

Fire suppression, the act of suppressing a fire with different materials, chemicals, and/or systems.

Electromagnetic Interference (EMI) Shielding, shielding which protects from the sudden flow of electric current between two objects, which can destroy electronic equipment.

Heating, Ventilation, and Air Conditioning (HVAC), are systems that provide and regulate heating and cooling.

Components of Redundancy Training

Servers, a system that connects computers on a network, so that information can be shared between all systems.

Storage, internal and external disks and drives where information is stored and retrieved.

Networks, a redundant network ensures that network services are always accessible.

Sites, simply defined as a location; can be physical and electronic.

Data Backups, copying information to a different medium and storing it (preferably at an off-site location) so that it can be used in the event of a disaster.

Disaster Recovery Procedures

Recovery strategies should be developed for Information technology (IT) systems, applications and data. This includes networks, servers, desktops, laptops, wireless devices, data and connectivity. Priorities for IT recovery should be consistent with the priorities for recovery of business functions and processes that were developed during the business impact analysis. IT resources required to support time-sensitive business functions and processes should also be identified. The recovery time for an IT resource should match the recovery time objective for the business function or process that depends on the IT resource.

Incident Response Procedures, the components required to identify, analyze, and contain an incident. Incident handling is the planning, coordination, and communications functions that are needed in order to resolve an incident in an efficient manner.


http://www.ready.gov/business/implementation/IT

Wednesday, July 16, 2014

Passwords



Passwords, a secret combination of letters, numbers, and/or characters that only the user should know.


Why are length and complexity important?

The length and complexity of a password present an obstacle to anyone attempting to decipher it. A password such as "XYZ" will be considerably easier to decipher than one such as "stix007candy1886a". The challenge for people trying to break passwords is the "keyspace", the total number of possible passwords for a given set of characters and length. Therefore, it is not complexity (the range of characters used) but the length of the password that makes it a strong repellent against hackers.
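The keyspace argument worked through in Go, as an added example (not from the original post or its source): it derives the alphabet a password draws from, raises it to the password's length, and converts the result into time at a constructed guessing rate of 1e10 guesses per second. The post's two passwords are compared with the made-up "P@ssw0rd" and "correcthorsebat" to show a longer simple password outranking a shorter complex one.

```go
package main

import (
	"fmt"
	"math"
	"unicode"
)

// Alphabet returns the size of the smallest standard character set that covers
// every character in pw: lower case (26), upper case (26), digits (10) and the
// 33 printable ASCII symbols. An attacker who knows or guesses which classes a
// password uses only has to search this alphabet.
func Alphabet(pw string) int {
	var used [4]bool // lower, upper, digit, symbol
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			used[0] = true
		case unicode.IsUpper(r):
			used[1] = true
		case unicode.IsDigit(r):
			used[2] = true
		default:
			used[3] = true
		}
	}
	n := 0
	for i, size := range [4]int{26, 26, 10, 33} {
		if used[i] {
			n += size
		}
	}
	return n
}

// Keyspace is the total number of candidate passwords with pw's length and
// character classes, alphabet ^ length: the quantity the post calls the
// "keyspace". Length is the exponent, which is why it dominates.
func Keyspace(pw string) float64 {
	return math.Pow(float64(Alphabet(pw)), float64(len([]rune(pw))))
}

// YearsToExhaust is how long trying every candidate takes at the given rate;
// on average an attacker needs about half of it.
func YearsToExhaust(pw string, guessesPerSecond float64) float64 {
	return Keyspace(pw) / guessesPerSecond / (365.25 * 24 * 3600)
}

func main() {
	const rate = 1e10 // constructed figure for an offline attack on a fast hash
	// The post's two examples, then a short complex password against a long simple one.
	for _, pw := range []string{"XYZ", "stix007candy1886a", "P@ssw0rd", "correcthorsebat"} {
		fmt.Printf("%-20s alphabet=%2d length=%2d keyspace=%.3g years=%.3g\n",
			pw, Alphabet(pw), len([]rune(pw)), Keyspace(pw), YearsToExhaust(pw, rate))
	}
}
```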


Attacks on passwords

Password Attacks, the ways in which one tries to figure out a password to gain access.

To understand how to protect yourself from a password attack, you should become familiar with the most commonly used types of attacks. Commonly used attacks are:

Password Guessing, the most common type of attack. Attackers can guess passwords locally or remotely using either a manual or automated approach. Though this approach is a possibility, in reality it is not practical.

Brute-Force Attack, in which the attacker tries every possible combination of characters for a password, given a character set (e.g., abcd…ABCD…1234…!@#$) and a maximum password length. The most successful and time-consuming of attacks.

Dictionary attacks, work on the assumption that most passwords consist of whole words, dates, or numbers taken from a dictionary. Dictionary attack tools require a dictionary input list. Hybrid attacks, are variations of the dictionary attack. They add special characters, may spell words backward or misspell words, or add numbers.


Password Resetting, a case where, rather than figuring out or "cracking" the password, attackers find it easier to reset the password by using a resetting program.

Password Cracking, Password cracking is the process of taking a captured password hash (or some other obscured form of the plaintext password or challenge-response packets) and converting it to its plaintext original. Basically, software will learn the password.

Rainbow tables, These days, password crackers are computing all possible passwords and their hashes (unique strings of data) in a given system and putting the results into a lookup table called a rainbow table. When an attacker extracts a hash from a target system, he or she can simply go to the rainbow table and look up the plaintext password.

Password sniffing, Some password crackers can sniff authentication traffic between a client and server and extract password hashes or enough authentication information to begin the cracking process.
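A precomputed lookup table next to its mitigation, as an added example in Go (not from the post or its source): the table reverses an unsalted SHA-256 digest of any word in a constructed four-word list with one read, while a random per-user salt makes the same password hash to a value no table built in advance can contain. The hash function, the "salt$digest" record format and the word list are demo choices.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"strings"
)

// Constructed wordlist standing in for the candidate set a cracker precomputes.
var Wordlist = []string{"password", "letmein", "XYZ", "stix007candy1886a"}

// sha256Hex hashes the concatenation of parts and returns the hex digest.
func sha256Hex(parts ...[]byte) string {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// BuildLookup precomputes digest -> plaintext once for every candidate: the
// lookup-table idea behind rainbow tables (real ones compress it with hash
// chains). It works because an unsalted hash of "letmein" is identical everywhere.
func BuildLookup(words []string) map[string]string {
	table := make(map[string]string, len(words))
	for _, w := range words {
		table[sha256Hex([]byte(w))] = w
	}
	return table
}

// HashSalted is the mitigation: a random per-user salt is hashed with the password
// and stored as "salt$digest", so one password gives every user a different digest
// and nothing built in advance matches. SHA-256 keeps the example short; real
// password storage uses a deliberately slow scheme such as bcrypt, scrypt or Argon2.
func HashSalted(pw string) string {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return hex.EncodeToString(salt) + "$" + sha256Hex(salt, []byte(pw))
}

// SplitRecord parses a stored "salt$digest" record; ok is false if malformed.
func SplitRecord(stored string) ([]byte, string, bool) {
	saltHex, digest, ok := strings.Cut(stored, "$")
	salt, err := hex.DecodeString(saltHex)
	return salt, digest, ok && err == nil
}

// VerifySalted recomputes the digest with the stored salt and compares it in
// constant time: the defender's login check against the stored record.
func VerifySalted(stored, pw string) bool {
	salt, digest, ok := SplitRecord(stored)
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(sha256Hex(salt, []byte(pw))), []byte(digest)) == 1
}
```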




Password Capturing, Many attackers capture passwords simply by installing a keyboard-sniffing Trojan horse or one of the many physical keyboard-logging hardware devices for sale on the Internet.


                                                 
Limitations on Password Supplements

Password Supplements, solutions that have been developed to help users avoid poor password practices. Autocomplete and HTTP Authentication passwords are examples.

The limitations and disadvantages are that users are restricted to using the computer that has the password information previously stored, they must avoid clearing the passwords from the computer, and the passwords may be vulnerable if another user is allowed access to their computer.


Project Case 10-4: Use Cognitive Biometrics

Is this type of cognitive biometrics effective? If you came back to this site tomorrow, would you remember the three faces?  Yes, Yes

                                                    

Other types of authentication

Authentication, the steps that ensure that the individual is who they claim to be.

Tokens, typically a small device with a window display. A token works in conjunction with an authentication server, using a shared algorithm to generate a unique code every 30 to 60 seconds.

Cards, Smart Cards and Common Access Cards are examples. Both have integrated chips that assist in executing the authentication process.

Standard Biometrics, Uses a person's unique physical characteristics.

Behavioral Biometrics, Uses the normal actions that a user may perform.

Keystroke Dynamics, a type of behavioral biometric which recognizes a user's unique typing pattern.

Voice Recognition, recognizes a user's voice.

Cognitive Biometrics, Uses perception and facial recognition through a familiarization process.

Single Sign-On, A single authentication spread across multiple networks.

Windows Live ID, standard password and username.

OpenID, an identity consisting only of a URL backed by a username and password. It provides a means to assert that the user owns that specific URL.

Open Authorization, a technology to avoid using multiple passwords. Example: Google+



http://www.soliditsolutions.com/2011/03/the-importance-of-password-length-and-complexity/
http://windowsitpro.com/security/types-password-attacks