CS317 File and Database Systems
|
|
- Gervais Goodwin
- 6 years ago
- Views:
Transcription
1 CS317 File and Database Systems Lecture 12 DBMS Security Considerations November 13, 2017 Sam Siewert
2 Assignment #4 Grading Now Reminders Assignment #5, Physical DB Design Reviewing TEAMS Assignment #6, DBMS Project of Your Interest POSTED FINAL ORAL PRESENTATION Design Schema for DBMS project in a small team Logical design focus Normalization Physical is MySQL on PRClab Combine Network Applications with DBMS in C/C++, JDBC, or Python - Add Stored Programs and Triggers Add Views Create Transactions where needed Sam Siewert 2
3 Security Primer GENERAL PLATFORM SECURITY Sam Siewert 3
4 Key Issues NIST (National Institute of Standards and Tech) Department of Commerce Data privacy and protection FISMA (Federal Information Security and Modernization Act) Detailed categorization of federal information and systems (threat, risk, cost, benefit) - FIPS 199, FIPS 200, FIPS 800 v1, v2 How would YOU prioritize Data Security? 1. Data Privacy (Disclosure to unauthorized user, system, application) 2. Misuse of Data (Fraud, Identity Theft) 3. Fake Data (forged documents or credentials) 4. Access Privilege Violations (Seeing Co-worker salaries) 5. Data Corruption (Integrity, Veracity) 6. Denial of Service (Can t Access Data or Services due to Attack) 7. Data Loss (Restore from backup? - RTO/RPO) Sam Siewert 4
5 Recent Data Security Disasters and Lessons to Learn Equifax - facing potential judgment of corporate dissolution (corporate death penalty) Companies like this are data stewards, entrusted with personal financial data to provide services for pay - this is their job Why? million personal records compromised (financial records used in credit scores) Mistakes exposed in Congressional Hearings (6 Fresh Horrors From the Equifax CEO's Congressional Hearing) 1. Slow to act on knowledge of breach 2. Software vulnerability patching process (points of failure, human and automation) - one system had user=admin, pass=admin, Apache struts vulnerability ignored 3. Data storage of sensitive consumer information in plaintext 4. Quarterly security reviews (infrequent for primary business) 5. Not sure who is attacking them (or attacked) 6. Breach notification separate system (domain) Sam Siewert 5
6 Authorization and Access Control By Session Login By File (permissions) By Directory Host to Network (Known host Ethernet address, WWID) By Execution Privilege Level (root or user) sudo Authorized Users, Computers, and Applications Encrypted password, pass phrase, password hash (salt) - Randomness in Digital Cryptography: A Survey Avoid Dictionary and Birthday attacks Download password files (to crack) Use dictionary derived guesses Probability of one password matching any other is higher than one matching a specific Informed guessing and testing Require Authentication Proving you are who you claim you are Producing a pass phrase, an answer to a challenge question Key or smartcard Providing biometric scan 10% of the Internet Is Encrypted with Lava Lamps Marton, Kinga, Alin Suciu, and Iosif Ignat. "Randomness in digital cryptography: A survey." Romanian Journal of Information Science and Technology 13.3 (2010): Sam Siewert 6
7 Attacks on Security Early Famous Attacks DES (Banking) Encryption for ATM machines EFF Showed Weakness in DES (Cluster attack, then FPGA) Scramble to patch with Triple DES (1996 timeframe) NIST competition for AES (Advanced Encryption Standard) Cryptanalysis Capture Encrypted Data ( Man in the middle ) Capture Encryption code, key, or mechanism Capture Decryption code, key, or mechanism Analyze Examples to Deduce the Substitution and Transposition Cypher Code mappings Inverse Function Defense Very Large Cryptographic Hashing Functions 128-bit, 256-bit or larger random number generators Frequent Key Updates Sam Siewert 7
8 Denial of Service Rather than Gaining Unauthorized Access, Deny Other Authorized Users Access Bug System with 1000 s or Millions of Invalid Requests Per Second Flood Network with Bad Protocol or Packets Cause Routing Loops, Crash Services Remotely on Purpose Reason for Maximum Login Attempts Withdraw Prompt for Password to A Particular Network Client or Terminal Invalidate a Username Reason for Network Authentication of Clients Block All Traffic for a Specific IP or Ethernet Address Secure Physical Network Switches and Gateway Machines Sam Siewert 8
9 Malware Software Designed to Harm a Client or Exploit a Known Bug Trojan Horse Present Free Software, an Application, Plug-In, or other Method to Deliver an Application with Bad Intent User Agrees to Download without Authentication of Source or Verification of Code Data Digest (Unique Signature for Tested and Authentic Code) Beware of Free Software from Unknown Sources Virus Application Code that Installs Itself on a Computer in Key Operating System and Shared Data Locations Boot Code Commonly Used File system Code Transfer Malware via Shared Files, Networks, Disks (e.g. USB stick) Exploit Find Buffer Overflow on Widely Used Operating System or Networking Service to Exploit Buffer Overflow Provides Doorway to Modify Code Perfect Exploit in Private Lab, Release as Trojan Horse or Virus Rootkit Gain Access and Install Monitoring Software or Create Second Administrator Prviliege Password and Account Sam Siewert 9
10 Phishing Write A Program that Asks for a Password Run this on a Public Computing System Spoofing a Wellknown and Trusted Server Collect Login Credentials from Users (Produce Error Messages) Fake Requesting Credentials Fake Service or Business Front Impersonation of a Web Service (Re-direction of Traffic) Indicating your Are Over Quota Limits, Credit has Been Frozen, Etc. Followed by Request for Credentials Sam Siewert 10
11 Newer Threats Continue to Emerge Character Defamation Impersonation of Web Presence Defame a User - a.k.a. Fake News Influence a Stock Price ( Pump & Dump ) Confuse or Influence with specific purpose Identity Theft Creation of Accounts Using False Credentials Outright theft (credit card fraud) Less obvious - Sign up all identities for free Netflix trial Ransomware - Hold files hostage for payment to get back Cyber Attacks and Cyber Warfare Malware Designed to Harm or Deny Service to Physical Systems Using Process Control (Water, Power, Traffic Management, etc.) Financial Sector Attacks Discrediting a Company, Service Disruption of Exchanges and Banking Discrediting Governments, Spoofing, Replay Attacks Sam Siewert 11
12 White-hat Sites, Historic Attacks Wikipedia Overview on DEF CON Wikipedia on EFF BackTrack, Security Admin Tool for Analyzing Networks Alleged Cyber-warfare attack Stuxnet Motor Vehicle Attack Analysis Wired and Wireless Database Attacks Typically Stolen Account Information Playstation Attack April 17-19, Sony Blamed Anonymous, but Not Clear Who did it! JP Morgan Database Breach Home Depot Breach OPM Breach Many More Sam Siewert 12
13 Biggest Data Breaches Current (2017) Sam Siewert 13
14 Cybersecurity Some Databases for SOA (Service Oriented Architecture) with Cyberphysical Systems Growing Trend for Intelligent Transportation and Vechicle Telematics E.g. On-Star System uses Oracle DBMS Security not Just Records or Information Breaches Sam Siewert 14
15 Best General Defenses Encryption Used for Authentication, Data Exchange (e.g Secure Sockets), and to Sign and Verify All Updates and Upgrades Public Services, Ports, and Terminals Should be Limited Only Necessary Services SSH, SFTP No Plaintext Services FTP, Telnet Routine Monitoring and Logging Review all Connection Attempts and Login Attempts Review Logs for Services that Crash and Restart Installations, Updates, Upgrades Signed Drivers Modifications to Boot Code or CMOS/UEFI (Firmware) Security Patches and Updates from Trusted Sources Sam Siewert 15
16 Inside Threats Insiders with Physical Access to Machines and Networking Equipment Log all Entry / Exit to/from Data center and labs Cross-checks and Need-to-Know Limited Distributions of Sensitive Data No Password Sharing, Guest or Anonymous Accounts Delete Access and Accounts for Severed Relationships VPN Virtual Private Network Remote Access (Encrypted and Tunnels for Data from Authenticated Client to Host over SSL) Limit Data Removal on Media File Permission and ACL (Access Control List) Maintenance Sam Siewert 16
17 Extreme Protection Private Network, No Public LAN Limited Physical Access (Vault) Strong Encryption (E.g. AES 256 FIPS-197, or Larger Keys) AES Validation, Validation List Multi-method Authentication (Smartcard, Pass phrase, and Fingerprint) Compartmentalization - Limit Knowledge of Why Work is Being Done (Hide Global Purpose) Require Multiple Independent User Authentication Combined Key or Pass Phrase Access that Requires Two Logins [E.g. mysql-workbench SSH tunnel] Quotas on Bandwidth, Storage, Download, Session Time, Intrusion Detection Monitors, Port Monitors Sam Siewert 17
18 Encryption Methods Mathematical Hashing Functions One Way Hash Functions Digital Signatures, Authentication codes, Hash tables, Fingerprints Not Reversible, but Valuable in Protocol 1 to 1 Transposition and Substitution Mapping Functions Reversible Mathematical Transforms Y=f(X), X=f(Y) Security Based on: 1. Algorithm E.g. AES, Rijndael, RSA, PGP, DES, Triple-DES, 2. Key Length (Bits), Cypher Block Chaining 3. Key Exchange Protocol (Public or Private) Sam Siewert 18
19 Basic Encryption - Substitution Re-map Alphabet, 1-to-1 and On-to (function) A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z ssiewert@ssiewert-virtualbox:~/a320/crypto$./a.out A B C D E F G H I J K L M N O P Q R S T U V W X Y Z N A S I J K C M Q R F B D G H E L O P W T Z Y V U X TRANSLATE THIS! WONGPBNWJ WMQP! BETA>INTRODUCTION TO COMPUTERS QGWOHITSWQHG WH SHDETWJOP INTRODUCTION TO COMPUTERS BETA>abcdefghijklmnopqrstuvwxyz NASIJKCMQRFBDGHELOPWTZYVUX ABCDEFGHIJKLMNOPQRSTUVWXYZ BETA>exit JVQW EXIT Sam Siewert 19
20 Basic Encryption - Transposition Permute Text Block (e.g. up to 10 characters at a time) ssiewert@ssiewert-virtualbox:~/a320/crypto$./a.out ABCD ABCD TRAN>introduction to computers utcdnroiitc o ntopomuters introduction to computers TRAN>abcdefghijklmnopqrstuvwxyz gchfbdejaiqmrplnotksuvwxyz abcdefghijklmnopqrstuvwxyz TRAN>exit exit exit Sam Siewert 20
21 Basic Encryption Early Automation Substitution with transposition Enigma Code, U571 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z N A S I J K C M Q R F B D G H E L O P W T Z Y V U X TRANSLATE THIS! WONGPBNWJ WMQP! NNWBOGP WJWMQP! CRYPT>abcdefghijklmnopqrstuvwxyz NASIJKCMQRFBDGHELOPWTZYVUX CSMKAIJRNQLDOEBGHWFPTZYVUX CRYPT>introduction to computers QGWOHITSWQHG WH SHDETWJOP TWSIGOHQQWS H GWHEHDTWJOP CRYPT>exit JVQW JVQW Sam Siewert 21
22 Symmetric Key Concepts Encryption Keys Can I encrypt and decrypt with the same key? struct charmap submap[alphabet] = { {'A','N'}, {'B','A'}, {'C','S'}, {'D','I'}, {'E','J'}, {'F','K'}, {'G','C'}, {'H','M'}, {'I','Q'}, {'J','R'}, {'K','F'}, {'L','B'}, {'M','D'}, {'N','G'}, {'O','H'}, {'P','E'}, {'Q','L'}, {'R','O'}, {'S','P'}, {'T','W'}, {'U','T'}, {'V','Z'}, {'W','Y'}, {'X','V'}, {'Y','U'}, {'Z','X'} }; With the substitution Key, Yes // int transmap[block_size]= {6, 2, 7, 5, 1, 3, 4, 9, 0, 8}; int detransmap[block_size]={8, 4, 1, 5, 6, 3, 0, 2, 9, 7}; With the transposition Key, Yes This is a Symmetric Key System Sam Siewert 22
23 Better Key Management? One Time Stack of Keys Exchanged in Private by Sender and Receiver in Advance Agree to Use Different Symmetric Keys Based on Day of Year or some Universal Coordination Cycle Through 365 Different Keys Attacker Can Still Capture Stack of Keys Better Approach is a Public-Private Key System, E.g. PGP Public Key Shared Public Key Used to Encrypt Only (Digital Signature) Private Key Used to Decrypt Only (Authentication, Plaintext Recovery) Key Exchange Protocol and Key Rings Sam Siewert 23
24 Security for MySQL on PRClab Level 1 SSH Login and/or Tunnel Authentication Level 2 MySQL Authentication Level 3 MySQL Grants and Privileges by DB 24
25 E.g. SSH Tunnel Setup for mysqlworkbench Generate SSH Keys on PRClab for your account In directory.ssh Copy and paste id_rsa contents into file on your PC Truncated for security purposes Start up mysql-workbench on your PC and set up SSH Tunnel using id_rsa private key on your PC Sam Siewert 25
26 SSH Tunnel Configuration SSH Tunnel PRClab Account PRClab id_rsa PRClab MySQL username Sam Siewert 26
27 SSH Tunnel Connection to DB Enter PRClab Password Enter MySQL PRClab Server Password Now workbench is connected to PRClab MySQL Server over Tunnel Sam Siewert 27
28 Summary Take a Cybersecurity Class E.g. CI311 (Operations) and CS303 (Design/Implementation) Tutorial Papers Big Iron Lessons 5 & 6 Old-Mathematics.pdf In Practice Used by Egypt to Present Day Cryptanalysis Time Should be Larger than the Time the Information is Sensitive or Private Assume All Codes Can Eventually Be Broken with Sufficient Computing and Man-in-Middle Samples [Change Keys, Pass Phrases, Passwords, etc. Often] Critical for Secure Military Communications Considered a Munition, Export Controlled Security Features Should Be Designed In and Patched Often as Threats Emerge Sam Siewert 28
29 Embry Riddle Courses to Go Deeper Sam Siewert 29
30 Encryption Substitution Take Away Transposition cypher blocks Mathematical Basis (mapping functions, random number generation, large hashing functions, one-way and reversible) Secure Systems Authorization Authentication and Access Control Denial of Service Trojan Horses, Malware, Exploits [E.g. Buffer Overflow] Sam Siewert 30
31 C&B Reference - Chapter 20 - Security DBMS SECURITY NOTES Sam Siewert 31
32 Chapter - Objectives The scope of database security. Why database security is a serious concern for an organization. The type of threats that can affect a database system. 32
33 Chapter - Objectives How to protect a computer system using computerbased controls. The security measures provided by Microsoft Office Access and Oracle DBMSs. Approaches for securing a DBMS on the Web. 33
34 Database Security Data is a valuable resource that must be strictly controlled and managed, as with any corporate resource. Part or all of the corporate data may have strategic importance and therefore needs to be kept secure and confidential. 34
35 Database Security Mechanisms that protect the database against intentional or accidental threats. Security considerations do not only apply to the data held in a database. Breaches of security may affect other parts of the system, which may in turn affect the database. 35
36 Database Security Involves measures to avoid: Theft and fraud Loss of confidentiality (secrecy) Loss of privacy Loss of integrity Loss of availability 36
37 Database Security Threat Any situation or event, whether intentional or unintentional, that will adversely affect a system and consequently an organization. 37
38 Summary of Threats to Computer Systems 38
39 Typical Multi-user Computer Environment 39
40 Countermeasures Computer-Based Controls Concerned with physical controls to administrative procedures and includes: Authorization Access controls Views Backup and recovery Integrity Encryption RAID technology 40
41 Countermeasures Computer-Based Authorization Controls The granting of a right or privilege, which enables a subject to legitimately have access to a system or a system s object. Authorization is a mechanism that determines whether a user is, who he or she claims to be. 41
42 Countermeasures Computer-Based Access control Controls Based on the granting and revoking of privileges. A privilege allows a user to create or access (that is read, write, or modify) some database object (such as a relation, view, and index) or to run certain DBMS utilities. Privileges are granted to users to accomplish the tasks required for their jobs. 42
43 Countermeasures Computer-Based Controls Most DBMS provide an approach called Discretionary Access Control (DAC). SQL standard supports DAC through the GRANT and REVOKE commands. The GRANT command gives privileges to users, and the REVOKE command takes away privileges. 43
44 Countermeasures Computer-Based Controls DAC while effective has certain weaknesses. In particular an unauthorized user can trick an authorized user into disclosing sensitive data. An additional approach is required called Mandatory Access Control (MAC). 44
45 Countermeasures Computer-Based Controls DAC based on system-wide policies that cannot be changed by individual users. Each database object is assigned a security class and each user is assigned a clearance for a security class, and rules are imposed on reading and writing of database objects by users. 45
46 Countermeasures Computer-Based Controls DAC determines whether a user can read or write an object based on rules that involve the security level of the object and the clearance of the user. These rules ensure that sensitive data can never be passed on to another user without the necessary clearance. The SQL standard does not include support for MAC. 46
47 Popular Model for MAC (Mandatory Access Control) called Bell-LaPadula 47
48 Countermeasures Computer-Based Controls View Is the dynamic result of one or more relational operations operating on the base relations to produce another relation. A view is a virtual relation that does not actually exist in the database, but is produced upon request by a particular user, at the time of request. 48
49 Countermeasures Computer-Based Backup Controls Process of periodically taking a copy of the database and log file (and possibly programs) to offline storage media. Journaling Process of keeping and maintaining a log file (or journal) of all changes made to database to enable effective recovery in event of failure. 49
50 Countermeasures Computer-Based Controls Integrity Prevents data from becoming invalid, and hence giving misleading or incorrect results. Encryption The encoding of the data by a special algorithm that renders the data unreadable by any program without the decryption key. 50
51 Setting the Insert, Select, and Update privileges 51
52 DBMSs and Web Security Internet communication relies on TCP/IP as the underlying protocol. However, TCP/IP and HTTP were not designed with security in mind. Without special software, all Internet traffic travels in the clear and anyone who monitors traffic can read it. 52
53 DBMSs and Web Security Must ensure while transmitting information over the Internet that: inaccessible to anyone but sender and receiver (privacy); not changed during transmission (integrity); receiver can be sure it came from sender (authenticity); sender can be sure receiver is genuine (nonfabrication); sender cannot deny he or she sent it (nonrepudiation). 53
54 DBMSs and Web Security Measures include: Proxy servers Firewalls Message digest algorithms and digital signatures Digital certificates Kerberos Secure sockets layer (SSL) and Secure HTTP (S- HTTP) Secure Electronic Transactions (SET) and Secure Transaction Technology (SST) Java security ActiveX security 54
55 How Secure Electronic Transactions (SET) Works 55
SE420 Software Quality Assurance
SE420 Software Quality Assurance Encryption Backgrounder September 5, 2014 Sam Siewert Encryption - Substitution Re-map Alphabet, 1-to-1 and On-to (function) A B C D E F G H I J K L M N O P Q R S T U V
More informationChapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao
Chapter 9: Database Security: An Introduction Nguyen Thi Ai Thao thaonguyen@cse.hcmut.edu.vn Spring- 2016 Outline Introduction to Database Security Issues Types of Security Threats to databases Database
More informatione-commerce Study Guide Test 2. Security Chapter 10
e-commerce Study Guide Test 2. Security Chapter 10 True/False Indicate whether the sentence or statement is true or false. 1. Necessity refers to preventing data delays or denials (removal) within the
More informationChapter 19 Security. Chapter 19 Security
Chapter 19 Security Outline 19.1 Introduction 19.2 Cryptography 19.2.1 Secret-Key Cryptography 19.2.2 Public-Key Cryptography 19.3 Authentication 19.3.1 Basic Authentication 19.3.2 Biometrics and Smart
More informationInformation Security: Principles and Practice Second Edition. Mark Stamp
Information Security: Principles and Practice Second Edition Mark Stamp August 10, 2009 Contents Preface Second Edition Preface About The Author Acknowledgments xvii xix xxiii xxv 1 Introduction 1 1.1
More informationUnderstanding Cisco Cybersecurity Fundamentals
210-250 Understanding Cisco Cybersecurity Fundamentals NWExam.com SUCCESS GUIDE TO CISCO CERTIFICATION Exam Summary Syllabus Questions Table of Contents Introduction to 210-250 Exam on Understanding Cisco
More information19.1. Security must consider external environment of the system, and protect it from:
Module 19: Security The Security Problem Authentication Program Threats System Threats Securing Systems Intrusion Detection Encryption Windows NT 19.1 The Security Problem Security must consider external
More informationPrinciples of Information Security, Fourth Edition. Chapter 8 Cryptography
Principles of Information Security, Fourth Edition Chapter 8 Cryptography Learning Objectives Upon completion of this material, you should be able to: Chronicle the most significant events and discoveries
More informationCompTIA Security+(2008 Edition) Exam
http://www.51- pass.com Exam : SY0-201 Title : CompTIA Security+(2008 Edition) Exam Version : Demo 1 / 7 1.An administrator is explaining the conditions under which penetration testing is preferred over
More informationAPNIC elearning: Cryptography Basics
APNIC elearning: Cryptography Basics 27 MAY 2015 03:00 PM AEST Brisbane (UTC+10) Issue Date: Revision: Introduction Presenter Sheryl Hermoso Training Officer sheryl@apnic.net Specialties: Network Security
More informationkey distribution requirements for public key algorithms asymmetric (or public) key algorithms
topics: cis3.2 electronic commerce 24 april 2006 lecture # 22 internet security (part 2) finish from last time: symmetric (single key) and asymmetric (public key) methods different cryptographic systems
More informationMost Common Security Threats (cont.)
Most Common Security Threats (cont.) Denial of service (DoS) attack Distributed denial of service (DDoS) attack Insider attacks. Any examples? Poorly designed software What is a zero-day vulnerability?
More informationDistributed Systems. Lecture 14: Security. Distributed Systems 1
06-06798 Distributed Systems Lecture 14: Security Distributed Systems 1 What is security? policies and mechanisms threats and attacks Overview Security of electronic transactions secure channels authentication
More informationDistributed Systems. Lecture 14: Security. 5 March,
06-06798 Distributed Systems Lecture 14: Security 5 March, 2002 1 What is security? policies and mechanisms threats and attacks Overview Security of electronic transactions secure channels authentication
More informationNetwork Security Issues and Cryptography
Network Security Issues and Cryptography PriyaTrivedi 1, Sanya Harneja 2 1 Information Technology, Maharishi Dayanand University Farrukhnagar, Gurgaon, Haryana, India 2 Information Technology, Maharishi
More informationInt ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28
Int ernet w orking Internet Security Literature: Forouzan: TCP/IP Protocol Suite : Ch 28 Internet Security Internet security is difficult Internet protocols were not originally designed for security The
More informationSecurity: Focus of Control
Security: Focus of Control Three approaches for protection against security threats a) Protection against invalid operations b) Protection against unauthorized invocations c) Protection against unauthorized
More information(2½ hours) Total Marks: 75
(2½ hours) Total Marks: 75 N. B.: (1) All questions are compulsory. (2) Makesuitable assumptions wherever necessary and state the assumptions made. (3) Answers to the same question must be written together.
More informationE-Commerce Security Pearson Prentice Hall, Electronic Commerce 2008, Efraim Turban, et al.
E-Commerce Security 2008 Pearson Prentice Hall, Electronic Commerce 2008, Efraim Turban, et al. Learning Objectives 1. Explain EC-related crimes and why they cannot be stopped. 2. Describe an EC security
More informationA Review Paper on Network Security Attacks and Defences
EUROPEAN ACADEMIC RESEARCH Vol. IV, Issue 12/ March 2017 ISSN 2286-4822 www.euacademic.org Impact Factor: 3.4546 (UIF) DRJI Value: 5.9 (B+) A Review Paper on Network Security Attacks and ALLYSA ASHLEY
More informationKALASALINGAM UNIVERSITY
KALASALINGAM UNIVERSITY (Kalasalingam Academy of Research and Education) DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING CLASS NOTES CRYPTOGRAPHY AND NETWOTK SECURITY (CSE 405) Prepared by M.RAJA AP/CSE
More informationThe question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).
Time: 3hrs BCA III Network security and Cryptography Examination-2016 Model Paper 2 M.M:50 The question paper contains 40 multiple choice questions with four choices and students will have to pick the
More information1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class
1.264 Lecture 27 Security protocols Symmetric cryptography Next class: Anderson chapter 10. Exercise due after class 1 Exercise: hotel keys What is the protocol? What attacks are possible? Copy Cut and
More informationCS System Security 2nd-Half Semester Review
CS 356 - System Security 2nd-Half Semester Review Fall 2013 Final Exam Wednesday, 2 PM to 4 PM you may bring one 8-1/2 x 11 sheet of paper with any notes you would like no cellphones, calculators This
More informationSecurity: Focus of Control. Authentication
Security: Focus of Control Three approaches for protection against security threats a) Protection against invalid operations b) Protection against unauthorized invocations c) Protection against unauthorized
More informationChapter 15: Security. Operating System Concepts 8 th Edition,
Chapter 15: Security, Silberschatz, Galvin and Gagne 2009 Chapter 15: Security The Security Problem Program Threats System and Network Threats Cryptography as a Security Tool User Authentication Implementing
More informationAN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP
AN IPSWITCH WHITEPAPER The Definitive Guide to Secure FTP The Importance of File Transfer Are you concerned with the security of file transfer processes in your company? According to a survey of IT pros
More informationCTS2134 Introduction to Networking. Module 08: Network Security
CTS2134 Introduction to Networking Module 08: Network Security Denial of Service (DoS) DoS (Denial of Service) attack impacts system availability by flooding the target system with traffic or by exploiting
More informationMU2a Authentication, Authorization & Accounting Questions and Answers with Explainations
98-367 MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations Which are common symptoms of a virus infection? (Lesson 5 p 135-136) Poor system performance. Unusually low
More informationMASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz II
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.893 Fall 2009 Quiz II All problems are open-ended questions. In order to receive credit you must answer
More informationBerner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2
Table of Contents Hacking Web Sites Broken Authentication Emmanuel Benoist Spring Term 2018 Introduction Examples of Attacks Brute Force Session Spotting Replay Attack Session Fixation Attack Session Hijacking
More informationWHITE PAPER. Secure communication. - Security functions of i-pro system s
WHITE PAPER Secure communication - Security functions of i-pro system s Panasonic Video surveillance systems Table of Contents 1. Introduction... 1 2. Outline... 1 3. Common security functions of the i-pro
More informationComputer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ
Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ Chapter 8 Network Security Computer Networking: A Top Down Approach, 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2009.
More informationINFORMATION SUPPLEMENT. Use of SSL/Early TLS for POS POI Terminal Connections. Date: June 2018 Author: PCI Security Standards Council
Use of SSL/Early TLS for POS POI Terminal Connections Date: Author: PCI Security Standards Council Table of Contents Introduction...1 Executive Summary...1 What is the risk?...1 What is meant by Early
More informationVerteilte Systeme (Distributed Systems)
Verteilte Systeme (Distributed Systems) Lorenz Froihofer l.froihofer@infosys.tuwien.ac.at http://www.infosys.tuwien.ac.at/teaching/courses/ VerteilteSysteme/ Security Threats, mechanisms, design issues
More informationComputer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University
Computer Networks Network Security and Ethics Week 14 College of Information Science and Engineering Ritsumeikan University Security Intro for Admins l Network administrators can break security into two
More informationCyber Security Practice Questions. Varying Difficulty
Cyber Security Practice Questions Varying Difficulty 1 : This is a class of programs that searches your hard drive and floppy disks for any known or potential viruses. A. intrusion detection B. security
More informationComputers and Security
The contents of this Supporting Material document have been prepared from the Eight units of study texts for the course M150: Date, Computing and Information, produced by The Open University, UK. Copyright
More informationSDR Guide to Complete the SDR
I. General Information You must list the Yale Servers & if Virtual their host Business Associate Agreement (BAA ) in place. Required for the new HIPAA rules Contract questions are critical if using 3 Lock
More informationCompTIA Security+ (2008 Edition) Exam
CompTIA SY0-201 CompTIA Security+ (2008 Edition) Exam Version: 7.20 Topic 1, Volume A QUESTION NO: 1 Which of the following cryptography types provides the same level of security but uses smaller key sizes
More informationCompTIA Security+ (Exam SY0-401) Course 01 Security Fundamentals
CompTIA Security+ (Exam SY0-401) Course 01 Security Fundamentals This course contains copyrighted material used by permission of Logical Operations, Inc. Slide 1 Course 01: Security Fundamentals The Information
More informationLecture 6: Symmetric Cryptography. CS 5430 February 21, 2018
Lecture 6: Symmetric Cryptography CS 5430 February 21, 2018 The Big Picture Thus Far Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures.
More informationChapter 10: Security. 2. What are the two types of general threats to computer security? Give examples of each.
Name Date Chapter 10: Security After completion of this chapter, students should be able to: Explain why security is important and describe security threats. Explain social engineering, data wiping, hard
More informationNetwork Security Chapter 8
Network Security Chapter 8 Cryptography Symmetric-Key Algorithms Public-Key Algorithms Digital Signatures Management of Public Keys Communication Security Authentication Protocols Email Security Web Security
More informationFIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 9 Encryption and Firewalls By Whitman, Mattord & Austin 2008 Course Technology Learning Objectives Describe the role encryption
More informationCryptographic Concepts
Outline Identify the different types of cryptography Learn about current cryptographic methods Chapter #23: Cryptography Understand how cryptography is applied for security Given a scenario, utilize general
More informationIPM Secure Hardening Guidelines
IPM Secure Hardening Guidelines Introduction Due to rapidly increasing Cyber Threats and cyber warfare on Industrial Control System Devices and applications, Eaton recommends following best practices for
More informationNetwork Security and Cryptography. December Sample Exam Marking Scheme
Network Security and Cryptography December 2015 Sample Exam Marking Scheme This marking scheme has been prepared as a guide only to markers. This is not a set of model answers, or the exclusive answers
More informationCUNY John Jay College of Criminal Justice MATH AND COMPUTER SCIENCE
Instructor: Prof Aftab Ahmad Office: NB 612 Telephone No. (212)393-6314 Email Address: aahmad@jjay.cuny.edu Office Hours: By appointment TEXT & REFERENCE MATERIAL Text Notes from instructor posted on Blackboard
More informationData Communication. Chapter # 5: Networking Threats. By: William Stalling
Data Communication Chapter # 5: By: Networking Threats William Stalling Risk of Network Intrusion Whether wired or wireless, computer networks are quickly becoming essential to everyday activities. Individuals
More informationCompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management
CompTIA Security+ Lecture Six Threats and Vulnerabilities Vulnerability Management Copyright 2011 - VTC Malware Malicious code refers to software threats to network and systems, including viruses, Trojan
More informationThreat Modeling. Bart De Win Secure Application Development Course, Credits to
Threat Modeling Bart De Win bart.dewin@ascure.com Secure Application Development Course, 2009 Credits to Frank Piessens (KUL) for the slides 2 1 Overview Introduction Key Concepts Threats, Vulnerabilities,
More informationSecurity+ SY0-501 Study Guide Table of Contents
Security+ SY0-501 Study Guide Table of Contents Course Introduction Table of Contents About This Course About CompTIA Certifications Module 1 / Threats, Attacks, and Vulnerabilities Module 1 / Unit 1 Indicators
More informationCryptography (Overview)
Cryptography (Overview) Some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) Modern secret key cryptography DES, AES Public key cryptography RSA, digital signatures Cryptography
More informationSecurity and Authentication
Security and Authentication Authentication and Security A major problem with computer communication Trust Who is sending you those bits What they allow to do in your system 2 Authentication In distributed
More informationWeb Security, Summer Term 2012
IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 7 Broken Authentication and Session
More informationWeb Security, Summer Term 2012
Table of Contents IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Introduction Examples of Attacks Brute Force Session
More informationCN!Express CX-6000 Single User Version PCI Compliance Status Version June 2005
85 Grove Street - Peterboro ugh, N H 0345 8 voice 603-924-6 079 fax 60 3-924- 8668 CN!Express CX-6000 Single User Version 3.38.4.4 PCI Compliance Status Version 1.0 28 June 2005 Overview Auric Systems
More information10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms
Authentication IT443 Network Security Administration Instructor: Bo Sheng Authentication Mechanisms Key Distribution Center and Certificate Authorities Session Key 1 2 Authentication Authentication is
More informationSecurity+ Practice Questions Exam Cram 2 (Exam SYO-101) Copyright 2004 by Que Publishing. International Standard Book Number:
Security+ Practice Questions Exam Cram 2 (Exam SYO-101) Copyright 2004 by Que Publishing International Standard Book Number: 0789731517 Warning and Disclaimer Every effort has been made to make this book
More informationCS317 File and Database Systems
CS317 File and Database Systems http://dev.mysql.com/downloads/workbench Using MySQL Workbench [PRClab] August 25, 2015 Sam Siewert Resources for MySQL-Workbench Examine Use of MySQL Workbench to Go Between
More informationNetwork Security and Cryptography. 2 September Marking Scheme
Network Security and Cryptography 2 September 2015 Marking Scheme This marking scheme has been prepared as a guide only to markers. This is not a set of model answers, or the exclusive answers to the questions,
More informationAssessing Your Incident Response Capabilities Do You Have What it Takes?
Assessing Your Incident Response Capabilities Do You Have What it Takes? March 31, 2017 Presenters Tim L. Bryan, CPA/CFF/CITP, CISA, EnCE Director, Advisory Services Forensic Technology & Investigation
More informationCISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks
CISNTWK-440 Intro to Network Security Chapter 4 Network Vulnerabilities and Attacks Objectives Explain the types of network vulnerabilities List categories of network attacks Define different methods of
More informationExam : JK Title : CompTIA E2C Security+ (2008 Edition) Exam. Version : Demo
Exam : JK0-015 Title : CompTIA E2C Security+ (2008 Edition) Exam Version : Demo 1.Which of the following logical access control methods would a security administrator need to modify in order to control
More informationEthical Hacking and Prevention
Ethical Hacking and Prevention This course is mapped to the popular Ethical Hacking and Prevention Certification Exam from US-Council. This course is meant for those professionals who are looking for comprehensive
More informationIT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao
IT Service Delivery and Support Week Three IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao 1 Infrastructure Essentials Computer Hardware Operating Systems (OS) & System Software Applications
More informationThe Tension. Security vs. ease of use: the more security measures added, the more difficult a site is to use, and the slower it becomes
s10 Security 1 The Tension Security vs. ease of use: the more security measures added, the more difficult a site is to use, and the slower it becomes Security vs. desire of individuals to act anonymously
More informationISACA CISA. ISACA CISA ( Certified Information Systems Auditor ) Download Full Version :
ISACA CISA ISACA CISA ( Certified Information Systems Auditor ) Download Full Version : http://killexams.com/pass4sure/exam-detail/cisa QUESTION: 390 Applying a digital signature to data traveling in a
More informationWireless LAN Security (RM12/2002)
Information Technology in Education Project Reference Materials Wireless LAN Security (RM12/2002) Infrastructure Division Education Department The Government of HKSAR www.ited.ed.gov.hk December 2002 For
More informationLecture 9 User Authentication
Lecture 9 User Authentication RFC 4949 RFC 4949 defines user authentication as: The process of verifying an identity claimed by or for a system entity. Authentication Process Fundamental building block
More informationAuthentication CHAPTER 17
Authentication CHAPTER 17 Authentication Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources. getting entrance
More informationPass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores
Pass4suresVCE http://www.pass4suresvce.com Pass4sures exam vce dumps for guaranteed success with high scores Exam : CS0-001 Title : CompTIA Cybersecurity Analyst (CySA+) Exam Vendor : CompTIA Version :
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationSecurity: Cryptography
Security: Cryptography Computer Science and Engineering College of Engineering The Ohio State University Lecture 38 Some High-Level Goals Confidentiality Non-authorized users have limited access Integrity
More informationFRONT RUNNER DIPLOMA PROGRAM Version 8.0 INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months
FRONT RUNNER DIPLOMA PROGRAM Version 8.0 INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months MODULE: INTRODUCTION TO INFORMATION SECURITY INFORMATION SECURITY ESSENTIAL TERMINOLOGIES
More informationOracle Communications Services Gatekeeper
Oracle Communications Services Gatekeeper Security Guide Release 5.1 E36134-01 June 2013 Oracle Communications Services Gatekeeper Security Guide, Release 5.1 E36134-01 Copyright 2011, 2013, Oracle and/or
More informationOverview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through
More informationIdentity, Authentication and Authorization. John Slankas
Identity, Authentication and Authorization John Slankas jbslanka@ncsu.edu Identity Who or what a person or thing is; a distinct impression of a single person or thing presented to or perceived by others;
More information90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government
More informationCOPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51
Acknowledgments Introduction Part I: The Basics in Depth 1 Chapter 1: Windows Attacks 3 Attack Classes 3 Automated versus Dedicated Attacker 4 Remote versus Local 7 Types of Attacks 8 Dedicated Manual
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 3 User Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown User Authentication fundamental security building
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationChapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010
Cryptography Chapter 8 Network Security Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic Principles Need for Security An Introduction
More informationQuestion No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:
Volume: 75 Questions Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output: Which of the following is occurring? A. A ping sweep B. A port scan
More informationCurso: Ethical Hacking and Countermeasures
Curso: Ethical Hacking and Countermeasures Module 1: Introduction to Ethical Hacking Who is a Hacker? Essential Terminologies Effects of Hacking Effects of Hacking on Business Elements of Information Security
More informationjk0-022 Exam Questions Demo CompTIA Exam Questions jk0-022
CompTIA Exam Questions jk0-022 CompTIA Academic/E2C Security+ Certification Exam Voucher Only Version:Demo 1.An attacker used an undocumented and unknown application exploit to gain access to a file server.
More informationWhat is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.
P1L4 Authentication What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource. Authentication: Who are you? Prove it.
More informationImplementing Cisco Cybersecurity Operations
210-255 Implementing Cisco Cybersecurity Operations NWExam.com SUCCESS GUIDE TO CISCO CERTIFICATION Exam Summary Syllabus Questions Table of Contents Introduction to 210-255 Exam on Implementing Cisco
More informationComputer Security Policy
Administration and Policy: Computer usage policy B 0.2/3 All systems Computer and Rules for users of the ECMWF computer systems May 1995 Table of Contents 1. The requirement for computer security... 1
More informationCS System Security Mid-Semester Review
CS 356 - System Security Mid-Semester Review Fall 2013 Mid-Term Exam Thursday, 9:30-10:45 you may bring one 8-1/2 x 11 sheet of paper with any notes you would like no cellphones, calculators This is to
More informationInformation Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More informationAccess Controls. CISSP Guide to Security Essentials Chapter 2
Access Controls CISSP Guide to Security Essentials Chapter 2 Objectives Identification and Authentication Centralized Access Control Decentralized Access Control Access Control Attacks Testing Access Controls
More informationFrom Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005
Chapter 7: Security From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design Edition 4 Introduction Security policies Provide for the sharing of resources within specified limits
More informationCS 356 Operating System Security. Fall 2013
CS 356 Operating System Security Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5 Database
More informationn Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network
Always Remember Chapter #1: Network Device Configuration There is no 100 percent secure system, and there is nothing that is foolproof! 2 Outline Learn about the Security+ exam Learn basic terminology
More informationCOMPUTER NETWORK SECURITY
COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (1 st Week) Outline Course Information and Policies Course Syllabus 1. Overview Course Information Instructor: Prof. Dr. Hasan H. BALIK, balik@yildiz.edu.tr,
More informationProjectplace: A Secure Project Collaboration Solution
Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the
More informationOperating systems and security - Overview
Operating systems and security - Overview Protection in Operating systems Protected objects Protecting memory, files User authentication, especially passwords Trusted operating systems, security kernels,
More informationOperating systems and security - Overview
Operating systems and security - Overview Protection in Operating systems Protected objects Protecting memory, files User authentication, especially passwords Trusted operating systems, security kernels,
More information