Security organisation

Organizational structure

Actual Organizational structure is not discussed here, since every company is different. Rather, roles are described. These roles can be attributed to different persons in an organization depending on it's structure, size, culture etc. 
  
Roles and Responsibility

Depending on company size, responsibility may be attributed to the following roles. What is important is that responsibility is clear and that the responsible persons can actually assume their responsibilities (i.e. the have powers necessary to take corresponding decisions an the experience/knowledge to take the right decisions).

Executives: The managing director, CEO or equivalent is ultimately responsible for security strategy and must make the necessary resources available to combat business threats. This person is also responsible for disseminating strategy and establishing a security-aware culture.

IT Security manager: is responsible for Enterprise security. The IT security manager(s) defines IT security guidelines together with the process owner. He/she is also responsible for security awareness and advising management correctly on security issues. He/she may also carry out risk analyses. It is important that this person be up-to-date on the latest security problems/risks/solutions. Co-ordination with partner companies, security organisations is also important.

Business process / data / operation owner: is directly responsible for a particular process or business unit's data and reports directly to top management. He analyses the impact of security failures and specifies classification and guidelines/processes to ensure the security of the data for which he is responsible. He should not have any influence on auditing.
 
System supplier: Installs and maintains systems. A service level agreement should exist defining the customer/supplier roles and responsibilities. The supplier may be, for example, an external contracting company or the internal datacentre or System/Security administrator. He is responsible for the correct use of security mechanisms. Often this person is root (UNIX) or dba (databases).

System designer: The persons who develop a system have a key role in ensuring that a system can be used securely. New development projects must consider security requirements at an early stage.

Project Leaders: ensure that Security guidelines are adhered to in projects.

Line Managers: ensures that his personnel are fully aware of security policies and does not provide objectives which conflict with policy. He/she enforces policy and checks actual progress.

Users: Users, or "information processors/operators" are responsible for their actions. They are aware of company security policy, understand what the consequences of their actions are and act accordingly. They have effective mechanisms at their disposal so that they can operate with the desired level of security. Should users receive confidential information that is not classified, they are responsible for classifying and distribution of this information.

Auditor: is an independent person, within or outside the company, who checks the status of IT security, much in the same way as a Financial Auditor verifies the validity of accounting records. It is important that the Auditor be independent, not being involved in security administration. Often external consultants fulfill this role, since they can offer a more objective view of policies, processes, organizations and mechanisms.
  

Processes

The security policy needs processes and people (organization) to ensure it's implementation and accordance with business needs. Typical security processes are:

• Security Hotline / Helpdesk (user management)
• Change management
• System monitoring & intruder detection
• Data backup & recovery
• System audits
• Crisis management/Firewall

  1. Security Hotline/ Helpdesk

• User account management is often available over a so-called hotline or helpdesk.
• The help-desk is where users call when they have problems. If the helpdesk cannot resolve a problem, it is responsible for escalation (and tracking) of the problem to vendors or system administrators, for example.
• Users should have access to a service hotline to unlock passwords quickly (if they forget them), otherwise users may write the passwords down.
• How can password be exchanged over the phone? How can you be sure that the correct user is asking for an allowed modification? Some kind of "authentication" is required. (Perhaps by using internal phone systems where the calling number is visible?, or by calling the user back at his desk?)

2. Change Management

• Who installs or upgrades HW and SW?
• New SW should be tested for a few weeks before being installed on production systems.
• Changes should be carefully prepared and carried out such that production is not disturbed and such that if the changes have a negative effect, they can be removed. During hardware changes ensure that anti-static wrist straps are worn, that the correct tools are available and that the power is connected or removed according to the manufacturer's instructions.
• Follow the axioms KISS (Keep it simple, stupid) and "if it isn't broken, don't fix it". Only install updates if they are necessary.

3. Systems monitoring

Who monitors what systems, where, with what utilities? Monitoring is often more effective if decentralized in very large organizations.

4. Data Backup & Restore

Processes & responsibility need to be defined to ensure reliable backups and restores when needed. The restore policy should be regularly tested.

5. System audits

• Servers should be audited regularly (e.g. once per year).
• A audit checklist should be made for each security level/OS, for simplicity.
• The auditor should be independent of the administration and be objective.
• The audit should check: Guidelines, Policies, Users, Management, IT Security managers, Administrators, IT Resources.

6. Crisis Management / "Firewall" / Emergency Response Team / Disaster Planning

Even with a solid security policy, educated users and solid system administration, an emergency response team is useful. Plan for a disaster!

• Who is on "Firewall", how should they react to a serious security breach?
• If internal personnel are not expert enough, a "emergency standby" contract could be outsourced to a specialized company.
• Decide in advance who will be in charge in the event of a security incident. Determine the chain of command (define processes & responsibility).
• Keep important names, telephone numbers, email addresses off-line. Do not assume that your on-line address book will be available in an emergency.

Security Marketing

Communications Manager: responsible for spreading security awareness in the company. 

Security Information Center

Having the right information at the right time is important.

• It is advisable to have the current books on relevant security topics available, access to Internet security Newsgroups, mailing lists, WWW servers and ftp servers.
• All corporate documents on security and the standards on which they are based should be available.
• Copies of rules, policies, documentation and addresses should be kept off-line (or even better on paper).

The following services could be offered to internal departments:

• A Security Library (as detailed above).
• Risk analysis.
• Education: Courses on IT security for users, administrators, line managers etc.
• Technical expertise (for each important OS / application / system) who follows security developments. Each specialist must be aware of all new security problems & fixes.
• Guidance in the purchasing / development of new systems.
• Testing of new systems.
• One time audits of systems & processes: do systems conform to policy, what weaknesses do they have?
• Statistical analysis: regular reporting of system usage, performance, user behaviour, technological trends, external connection usage.

 

Read More

Protection & Security in OS

Introduction

• Interference in resource utilization is a very serious threat in an OS.
• The nature of the threat depends on the nature of a resource and the manner in which it is used.
• In this session, we will discuss the issues involved in protection and security.
• It involves guarding a user's data and programs against interference by other authorized users of the system.

Facets to Protection of Information

There are two facets to protection of information

• Secrecy : Implies that only authorized users should be able to access information.
• Privacy : Implies that information should be used only for the purposes(s) for which it is intended and shared.

OS focuses on guaranteeing secrecy of information, and leaves the issue of privacy to the users and their processes.

Security and Protection : Policies and Mechanisms

Security Attributes

Security is traditionally defined by the three attributes namely:

• Confidentiality : It is the prevention of unauthorized modification of information or resources.
• Integrity : It is the prevention of unauthorized
• Availability : It is the prevention of unauthorized withholding of information or resources.

Security Threats

• Direct : This is any direct attack on your specific systems, whether from outside hackers or from disgruntled insiders.
• Indirect : This is general random attack, most commonly computer worms or Trojan horses.

Reasons for taking Security measures

• To prevent loss of data
• To prevent corruption of data
• To prevent compromise of data
• To prevent theft of data
• To prevent sabotage

Authentication

• Goal of Authentication : Reasonable assurance that anyone who attempts to access a system or a network is a legitimate user.
• 3 mechanisms

             - Password

             - Physical token or an artifact

             - Biometric measure

Security models

Security models can be discretionary or mandatory.

• Discretionary : Holders of right can be allowed to transfer them at their discretion.
• Mandatory : Only designated roles are allowed to grand rights and users cannot transfer them.

 Security policy Vs. Security Model

• Security Policy : Outlines several high level points; how the data is accessed, the amount of security required and what are the steps when these requirements are not met.
• Security Model : The mechanism to support security policy. This involves in the design of the security system.

Access Matrix Model

Consists three principal components:

• A set of passive objects (files, terminals, devices and other entities)
• A set of active subjects, which may be manipulate the objects
• A set of rules governing the manipulation of objects by subjects.
• The access matrix is a rectangular array with one row per subject and one column per object.

Role Based Access Control

• Enforces access controls depending upon a user role(s).
• Roles represent specific organization duties and are commonly mapped to job title. Ex: Administrator, Developer etc.
• Role definitions and associated access rights must be based upon a thorough understanding of an organization's security policy.

Take-Grant Model

• This model use graphs to model access control.
• The graph structure can be represented as an adjacency matrix and labels on the arcs can be coded as different values in the matrix.
• Nodes in the graph are of two types, one corresponding to subjects and the other to objects.
• The possible access rights are read(r), write(w), take(t) and grant(g).

Example of Take

Read More

OS Security Goals, Policy & Model and Access Control Techniques

 Security Goals

Secrecy (confidentiality)
- Unauthorized disclosure
- Limits the objects (files/sockets) that a process can read

Integrity
- Unauthorized modification
- Limits the objects that a process can write
 (objects may contains information that other processes depend on)

Availability
- Limits the system resources that processes (or users) may consume 
- Therefore preventing denial of service attacks
- Achieved by OS resource management techniques like fair scheduling

Confidentiality & Integrity

Achieved by Access Control

• Every access to an object in the system should be controlled
• All and Only authorized accesses can take place

Access Control Systems

Development of an access control system has three components
- Security Policy  : high level rules that define access control
- Security Model  : a formal representation of the access control security policy and its working.
       (this allows a mathematical representation of a policy; there by aid in proving that the model is secure)
- Security Mechanism  : low level (sw / hw) functional implementations of policy and model.

Security Policy

• A scheme for specifying and enforcing security policies in a system
• Driven by

         - Understanding of threat and system design

• Often take the form of a set of statements

       - Succinct statements
       - Goals are agreed upon either by
                 * The entire community
                 * Top management
                 * Or is the basis of a formal mathematical analysis


A bad security policy model of a company

Megacorp Inc security policy

1. This policy is approved by Management.
2. All staff shall obey this security policy.
3. Data shall be available only to those with a 'need-to-know'. 
4. All breaches of this policy shall be reported at once to security.

Security Model

Why have it at all?

• It is a mathematical representation of the policy.
• By proving the model is secure and that the mechanism correctly implements the model, we can argue that the system is indeed secure (w.r.t. the security policy)

Security Mechanism

• Implementing a correct mechanism is non trivial 
• Could contain bugs in implementation which would break the security
• The implementation of the security policy must work as a 'trusted base' (reference monitor)
• Properties of the implementation

           - Tamper proof

           - Non-bypassable (all access should be evaluated by the mechanism)

           - Security kernel - must be confined to a limited part of the system (scattering security functions all over the system implies that all code must be verified)

          - Small - so as to achieve rigorous verification.

Discretionary Access Control

Discretionary (DAC)

• Access based on

          - Identity of requestor

          - Access rules state what requestors are (or are not) allowed to do

• Privileges granted or revoked by an administrator
• Users can pass on their privileges to other users
• Example. Access Matrix Model.

Access Matrix Model

• By Butler Lampson, 1971
• Subjects : active elements requesting information
• Objects : passive elements storing information

States of Access Matrix 

Read More

Information Gathering

What is Information Gathering ?

The process of well knowing the target, digging details, foot printing and keep in touch with the target is called information gathering.

Types of Information Gathering

Active Information Gathering

• Information is gathered directly.
• E.g. -by phone call, interviews or by face to face meeting.

Passive Information Gathering

• Information is gathered using third party.
• E.g. - using search engine tools, websites etc.

1st Target - Person
2nd Target - Website
3rd Target - Email-id
4th Target - Web Server


Information Gathering - Website

• Before testing web application it is good to find information about that.
• WHO is Information
• Reverse IP Check
• Website Framework
• DNS Records

Information Gathering - Web Server

• Web Server provides access to internet resources

• Server Operating System
• Services running on that server
• Open Ports

Read More

Ethical Hacking

What is Hacking ?

•  Hacking is the act of finding the possible entry points that exist in a computer system or a computer network and finally entering into them.
• Hacking is usually done to gain unauthorized access to a computer system or a computer network, either to harm the systems or to steal sensitive information available on the computer.

What is Ethical Hacking ?

• Ethical Hacking is the act of doing penetration testing, finding vulnerabilities to ensure the security of an organization's information system.
• These professionals are the part of cyber security company.
• There goal in company is-
• To protect system's from attackers
• To ensure privacy of organization data
• Eliminate any potential threat 

Types of Hacker's

• Black Hat :- It is a very dangerous hacker, because there are note associate any kind of company. The actually do hacking in order to harm people or organization and also do hacking in order to steel of sensitive information.
• White Hat :- The white hat hacker the associate with particular organization and always do hacking in order to protect their company data from another hackers.
• Grey Hat :- Grey hat hacker is combination of black hat hacker and white hat hacker.So some times gray hat hacker associated with particular company and do hacking for good way but side by side they also do hacking for any legal purpose. 

Phases

• Reconnaisance
• Scanning
• Gaining Access
• Maintaining Access
• Clearing Tracks

Read More

Computer Security

Computer Security or IT security is the protection of computer systems from theft of or damage to their hardware, software or electronic data, as well as from disruption or misdirection of the service they provide.

• Hardware
• Software
• Firmware

Goals of Computer Security

1. Confidentiality
2. Data Integrity
3. Availability
4. Control
5. Audit

1. Confidentiality

Typically achieved by:

• Physical isolation
• Cryptography
• Background checks on People

2. Data Integrity

 Typically achieved by:

• Redundancy
• Backups
• Checksum & digital Signatures

3. Availability

Typically achieved by:

• Harding
• Redundancy
• Reference Checks on People

4. Control

Typically achieved by:

• Access Control lists
• Physical Security

5. Audit

Typically achieved by:

• Log Files
• Human auditors & expert systems

What to Secure? - Types of Computer Security

• Physical Security → Controlling who gets access to a computer
• OS Security → Permission controlling schemes, making sure users are authorized to perform certain actions.
• Access Control → managing who can Access what resources, from physical machines to programs to networks. 

Potential Losses due to security Attacks

Basic Computer Security Checklist

• Check if the user is password protected
• Check if the OS is updated
• Download software from reputable sources
• Check if the antivirus or antimalware is installed
• Terminate unusual service running that consumes resources
• Check if the firewall is on or not
• Check for your backups regularly
• Clear your private data from web browsers

Securing your Operating System (OS)

1. Keep your windows OS up to date
2. Update your software
3. Create a Restore point
4. Install antivirus product
5. Install a proactive security solution for multi-layered protection
6. Backup your system
7. Use a standard user account
8. Keep your user account control enabled
9. Secure your web browser before going online
10. Use an encryption software tool for your hardware

 Antivirus

→ Antivirus software, or anti-virus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

• Scanning
• Integrity
• Interception

Securing your Networks : Firewalls

A firewall i a network security system tat monitors and controls incoming and outgoing network traffic based on predetermine security rules.

• Cisco ASA Seies
• Checkpoint
• Fortinet
• Juniper
• SonicWALL
• pfSense

Securing Your  Network : IDS

An intrusion detection system (IDS) is a device or software application that monitors a network o systems for malicious activity or policy violations.

Securing Your Network : VPN

A virtual private network extends a secure and encrypted connection to share data remotely through public networks.

Read More

Network Security

Network Security is any activity designed to protect the usability and integrity of your network and data. It includes both hardware and software technologies. Effective network security manages access to the network. It targets a variety of threats and stops them from entering or spreading on your network.

Vulnerabilities in TCP/IP

1. Transfer are done in plain text
2. Weak authentication between client and web-server
3. No solution to syn-packet flooding
4. IP layer susceptible to many vulnerabilities.

The CIA Triad

• Confidentiality part of network security makes sure that the data is available only to the intended and authorized persons.
• Make sure that the data is reliable and is not changed by unauthorized persons.
• Availability is to make sure that the data, network resources/services are continuously available to the legitimate users, whenever they require.

Achieving Network Security

ENCIPHERMENT :- 
                   This mechanism provides data confidentiality services by transforming data into not-readable forms for the unauthorized persons. This mechanism uses encryption-decryption algorithm with secret keys.

DIGITAL SIGNATURE :-
                   This mechanism is the electronic is the ordinary signatures in electronic data. It provides authenticity of the data.

ACCESS CONTROL
                  This mechanism is used to provide access control services. These mechanism may use the identification and authentication of an entity to determine and enforce the access rights of the entity.

Client-Server Architecture

Email Security

• Confidentiality :- E-mail should be read by intended recipient only.
• Authentication :- E-mail recipient should be sure of the identity of sender.
• Integrity :- E-mail recipient should be sure of the identity of sender.
• Proof of Delivery :- Sender gets a confirmation that the recipient received the message.
• Non Repudiation :- Sender gets a confirmation that the recipient received the message.
• Proof of Submission :- Confirmation that message has been submitted to the mailing server.

PGP

Read More

Top 10 Reasons to Learn Cyber Security

1. Evergreen Industry

Artificial Intelligence
Chalbot
Machine Learning
Cloud computing
Cryptocurrency
Robot Assistants
Block Chain
Deep Learning
Internet of Things (IoT)
Big Data

2. The World is Your Oyster

High transferable skills mean you can move anywhere in the world.

Top countries you could travel to:

• United States of America
• United Kingdom
• Japan
• Russia

3. Working for the Greater Good

As a rule, cyber-security professionals are not likely to be famous. On the contrary, they quietly provide committed, faithful and honourable service to their organizations, countries and society as a whole.

4. Work with Top Secret Agencies 

• National Security Agency
• Mossad
• Central Intelligence Agency
• Military Intelligence Section 6 

5. Non Concern for Maths

6. Unlimited Growth Potential

A good cyber-security professional works to understand as much about how about technologies and organizations work as possible. That's massive opportunity to stay engaged and challenged challenged. The possibilities for personal and career growth are endless.

7. Everyone Wants you

8. Variety of Industries

 Every industry is going through some sort of digitalisation. And where ever digitalisation occurs, cyber attacks are bound to happens, hence cyber-security professionals find jobs everywhere.

9. Dynamic and Challenging

All of the opportunities for growth stem from the variety of technologies and situations security professionals face. If it uses ones and zeros, it has a cyber security component, and some roles even extend to physical security!

• Never Gets Boring
• New and Interesting Problems
• Creativity is encouraged

10. Money Makes the World Go Round

Faced with online attacks, business and government are looking for experts who can protect their systems from cyber criminals - and they are willing to pay high salaries and provides training and development.

• Fastest Growing Salaries
• For Seniors, it surpasses the median
• Earning based only on merit

 

Read More

Cyber Law

"The modern thief can steal more with a computer than with a gun. Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb".
                      
                  National Research Council, U S A " Computers at Risk". 1991

Need of Cyber Law

• Internet has dramatically changed our life.
• Transition from paper to paperless world.
• Laws of real world cannot be interpreted in the light of emerging cyberspace.
• Internet requires an enabling and supportive legal infrastructure to tune with the times.

Cyber Law ?

• Cyber Law is the law governing cyber space.
• Cyber space includes computers. networks, software's, data storage devices (such as hard disks, USB disks etc), the Internet, websites, emails and even electronic devices such as cell phones, ATM.

Cyber Crime

• Any crime with the help of computer and telecommunication technology.
• Any crime where either the computer is used as an object or subject.

Categories of Cyber Crime

• Cybercrimes against persons
• Cybercrimes against property.
• Cybercrimes against government. 

Statistics of Cyber Crimes

IT ACT - 2000

• The Information Technology Act, 2000 (IT Act), came into force on 17 October 2000.
• The primary purpose of the Act is to provide legal recognition to electronic commerce and to facilitate filing of electronic records with the Government.
• Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters.

IT ACT-2000 : Objectives

• To provide legal recognition for transactions
• To facilitate electronic filing of documents with the Government agencies.
• To amend the Indian Penal Code, The Indian Evidence Act, 1872, The Banker's Book Act, 1891 and the Reserve Bank of India Act, 1934.
• Aims to provide the legal framework to all electronic records.

IT ACT Amendment - 2008

• The Information Technology Amendment Act, 2008 (IT Act 2008) has been passed by the parliament on 23rd December 2008.
• It received the assent of President of India on 5th February, 2009.
• The IT Act 2008 has been notified on October 27, 2009.
• ITA-2008, is a new version of IT Act 2000.
• Provides additional focus on Information Security.
• Added several new sections on offences including Cyber Terrorism and Data Protection.
• 124 sections and 14 chapters.
• Schedule I and II have been replaced ^ Schedules III and I are deleted.

Importance of Cyber Law

• We are living in highly digitalized world.
• All companies depend upon their computer networks and keep their Valuable data in electronic form.
• Government forms including income tax returns company law forms etc are now filled in electronic form.
• Consumers are increasingly using credit cards for shopping.
• Most people are using email, cell phones and SMS messages for communication.
• Even in "non-cyber crime" cases, important evidence is found in computers / cell phones e.g. in cases of divorce, murder, kidnapping, organized crime, terrorist operations, counterfeit currency etc.
• Since it touches all the aspects of transactions and activities on and concerning the Internet, the World Wide Web( WWW) and Cyberspace therefore Cyber Law is extremely important.

Read More

A basic Encryption Decryption System

Encryption

• Transforming information from readable format to unreadable format.
• Encryption Algorithms can be used to encrypt data.

Decryption

• Transforming from unreadable format to readable format
• Decryption Algorithms can be used to decrypt data.

Key

• A string of bits used by a cryptography algorithm to transform plain text into cipher text or vice versa.
• Key remains private and secures communication.

Plain text 

 The original message (before encrypting) is called as plain text

Cipher text

   The transformed message (after encrypting) is called as Cipher text.

Cryptanalysis

• Techniques used for decrypting a message without any knowledge of the encryption details.
• "Breaking the code"

Brute force attack

• Trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained.

Two Techniques

1. Symmetric Cryptography

• Also called secret key/private key cryptography
• Same key used for Encryption & Decryption.

2. Asymmetric Cryptography.

• Also called public key cryptography
• A pair of keys is used for encryption and decryption.

Read More

Virus Damage Scenarious in OS Security

Virus

• Blackmail
• Denial of service as long as virus runs
• Permanently damage hardware
• Target a competitor's computer

            - Do harm
            - Espionage

• Intra-corporate dirty tricks

            - Practical joke
            - Sabotage another corporate officer's files

Worms vs Viruses

• Viruses require other programs to run
• Worms are self-running (separate process)
• The 1988 Internet Worm

            - Consisted of two programs
                   Bootstrap to upload worm
                   The worm itself
            - Exploited bugs in sendmail and finger
            - Worm first hid its existence
            - Next replicated itself on new machines
            - Brought the Internet (1988 version) to a screeching halt.

Read More

Cyber Security Paperback – 2011 by Nina Godbole (Author), Sunit Belapure (Author)

Cyber Security Paperback – 2011
by Nina Godbole (Author), Sunit Belapure (Author)

This book, focusing on cyberthreats and cybersecurity, provides the much needed awareness in the times of growing cybercrime episodes. · Comprehensive treatment of important topic - cybersecurity to help readers understand the implications of cybercrime. · The book provides adequate orientation on laws in reference to cybercrime and cybersecurity taking into account the Indian as well as global scenario. · Awareness created through simple practical tips and tricks, educates readers to learn how to avoid becoming victims of cybercrime. · Written by InfoSec domain SME and co-authored by qualified ethical hacking professional who is also a security certified. · Well-presented case illustrations and examples from real life to underline the significance of topics addressed in each chapter.

Buy Link: 

https://amzn.to/2Qn4IXp

About the Author

Nina Godbole is an author of the book Information Systems Security: Security Management, Metrics, Frameworks and Best Practices published by Wiley India in January 2009. She is also on the Editorial Board of IEEE Computer Society. She has published numerous articles on topics in leading IT magazines. She has a vast work experience in the IT industry in Software Quality Assurance, systems analysis and design, application support services as well as application audit and IS audit. Nina is a CIPP/IT - a privacy professional certified by the IAPP USA (International Association of Privacy Professional) as well as a CISA (Certified Information Systems Auditor) certified by ISACA USA (Information Systems Audit and Control Association). Nina is also an ITIL foundation certified professional, a PMP, CQA and CSTE from QAI, USA (Quality Assurance Institute). Sunit Belapure has more than 8 years experience in Information Security domain out of his total industry experience of more than 18 years. He works in the domain of ISRM (Information Security and Risk and Management) and Information System Audit. Sunit has respective international certifications to his credit - CISA (Certified Information Systems Auditor) from ISACA-USA, IRCA certified ISO 27001:2005 Lead Auditor, Certified Ethical Hacker (CEH v5.0) from EC-Council-USA and CISM (Certified Information Security Manager) from ISACA-USA. He is a member of ISACA, USA. He engages into Compliance and Assurance assignments (for ERP as well as for Non-ERP applications) under IS security and IT Governance domain. Sunit is a noted speaker on Information Security domain at reputed institutes in and around Pune.

Read More

User Authentication in OS Security

Problem: how does the computer know who you are?

Solution: use authentication to identify

• Something the user knows
• Something the user has
• Something the user is

This must be done before user can use the system

Important: from the computer's point of view...

• Anyone who can duplicate your ID is you
• Fooling a computer isn't all that hard...

There are two types of authentication

• External : verify the user

             Usually username/password combination
       May require two passwords or other identification

• Internal : verify the process

               Don't allow one users process to appear to be that of another user


Dealing with Passwords

Password should be memorable

• Users shouldn't need to write them down!
• Users should be able to recall them easily

Solution: use hashing to hide "real" password

• One-way function converting password to meaningless string of digits (UNIX password hash, MD5, SHA-1)
• Difficult to find another password that hashes to the same random-looking string
• Knowing the hashed value and hash function gives no clue to the original password.

Authentication using bio-metrics

Use basic body properties to prove identity

Examples include

• Fingerprints
• Voice
• Hand size
• Retina patterns
• Iris Patterns
• Facial features

Potential problems

• Duplicating the measurement
• Stealing it from its original owner?

Read More