I have 5 questions that should be answered

Description

Read the provided textbook Chapter 1 and Chapter 2 and answer the following 5 questions with short and coherent answers.


1- Distinguish between vulnerability, threat, and control?

2- List at least three kinds of harm a company could experience from electronic espionage or unauthorized viewing of confidential company materials?

3- Suppose a program to print paychecks secretly leaks a list of names of employees earning more than a certain amount each month. What controls could be instituted to limit the vulnerability of this leakage?

4- If you forget your password for a website and you click [Forgot my password], sometimes the company sends you a new password by email but sometimes it sends you your old password by email. Compare these two cases in terms of vulnerability of the website owner?

5- How are passwords stored on your personal computer?

Please find the attached chapters 1 & 2 to help you with the answers.

The assignment is easy so I need it within 3 hours.

Thanks,


Unformatted Attachment Preview

CIT 616: Introduction to Cybersecurity and Digital Forensic
Executive Master of Forensic Accounting
Lecture 02: Authentication
Prepared by : Dr. Wahid Rajeh & Dr. A’aeshah Alhakamy
Book Author: Pfleeger, C.P
Authentication
• A computer system does not have the cues we do with face-to-face
communication that let us recognize our friends. Instead, computers
depend on data to recognize others. Determining who a person really
is consists of two separate steps:
• Identification is the act of asserting who a person is
• Authentication is the act of proving that asserted identity: that the person is
who she/he says she/he is
• We have phrased these steps from the perspective of a person
seeking to be recognized, using the term “person” for simplicity. In
fact, such recognition occurs between people, computer processes
(executing programs), network connections, devices, and similar
active entities. In security, all these entities are called subjects.
Identification Versus Authentication
• Identities are often well known, predictable, or guessable. If you send
email to someone, you implicitly send along your email account ID so
the other person can reply to you
• Your bank account number is printed on checks you write; your debit
card account number is shown on your card, and so on. In each of
these cases you reveal a part of your identity
• Identity is more than just your name: Your bank account number,
debit card number, email address, and other things are ways by which
people and processes identify you
Identification Versus Authentication
• Authentication, on the other hand, should be reliable. If identification
asserts your identity, authentication confirms that you are who you
purport to be
• Although identifiers may be widely known or easily determined,
authentication should be private
• Identities are typically public or well known. Authentication should be
private
Authentication mechanisms
• Authentication mechanisms use any of three qualities to confirm a
user’s identity:
• Something the user knows: Passwords, PIN numbers, passphrases, a secret
handshake, and mother’s maiden name are examples of what a user may
know
• Something the user is: These authenticators, called biometrics, are based on
a physical characteristic of the user, such as a fingerprint, the pattern of a
person’s voice, or a face (picture)
• Something the user has: Identity badges, physical keys, a driver’s license, or a
uniform are common examples of things people have that make them
recognizable
Authentication Based on Phrases and Facts:
Something You Know
• Password Use: Even though passwords are widely used, they suffer
from some difficulties of use
• Use: Supplying a password for each access to an object can be inconvenient
and time consuming
• Disclosure: If a user discloses a password to an unauthorized individual, the
object becomes immediately accessible. If the user then changes the
password to re-protect the object, the user must inform any other valid users
of the new password because their old password will fail
• Revocation: To revoke one user’s access right to an object, someone must
change the password, thereby causing the same problems as disclosure
• Loss: Depending on how the passwords are implemented, it may be
impossible to retrieve a lost or forgotten password.
Authentication Based on Phrases and Facts:
Something You Know
• Attacking and Protecting Passwords:
• Passwords are somewhat limited as protection devices because of the
relatively small number of bits of information they contain
• People pick passwords that do not even take advantage of the number of bits
available: choosing a well-known string, such as qwerty, password, or 123456,
reduces an attacker’s uncertainty or difficulty essentially to zero
Attacking and Protecting Passwords
• 12 steps an attacker might try in order to determine a password:
1. No password
2. The same as the user ID
3. Is, or is derived from, the user’s name
4. On a common word list (for example, password, secret, private) plus
common names and patterns (for example, qwerty, aaaaaa)
5. Contained in a short college dictionary
6. Contained in a complete English word list
7. Contained in common non-English-language dictionaries
Attacking and Protecting Passwords
• 12 steps an attacker might try in order to determine a password:
8. Contained in a short college dictionary with capitalizations (PaSsWorD) or
substitutions (digit 0 for letter O, and so forth)
9. Contained in a complete English dictionary with capitalizations or
substitutions
10. Contained in common non-English dictionaries with capitalization or
substitutions
11. Obtained by brute force, trying all possible combinations of alphabetic
characters
12. Obtained by brute force, trying all possible combinations from the full
character set
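As an added example (not from the slides or from Pfleeger's text), the following Python check applies the cheap steps of that list, 1 through 10, to a candidate password: it compares against the user ID and name, then looks the candidate up as typed, and finally looks it up again after undoing capitalization and digit-for-letter substitutions. The word lists, the user ID and the name are constructed stand-ins; a real check would load the full dictionaries the slides describe.

```python
# Added example: classify a candidate password by the cheapest step in the
# attacker's ordering above that would find it. The word lists are tiny
# constructed stand-ins for the real dictionaries (assumption).
COMMON_LIST = {"password", "secret", "private", "qwerty", "aaaaaa", "123456"}
SHORT_DICTIONARY = {"welcome", "dragon", "monkey", "summer", "letmein"}
FULL_DICTIONARY = SHORT_DICTIONARY | {"abacus", "zephyr", "quixotic"}

# Substitutions an attacker undoes before a second lookup (step 8:
# "digit 0 for letter O, and so forth").
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(candidate: str) -> str:
    """Lower-case and undo substitutions, so 'PaSsw0rd' becomes 'password'."""
    return candidate.lower().translate(SUBSTITUTIONS)


def derived_from_name(candidate: str, name: str) -> bool:
    """Step 3: the name itself, reversed, or with up to four characters
    (a year, a digit) appended."""
    c, n = candidate.lower(), name.lower()
    if not n:
        return False
    return c in (n, n[::-1]) or (c.startswith(n) and len(c) - len(n) <= 4)


def classify(candidate: str, user_id: str, full_name: str):
    """Return (step, description) for the first attacker step that succeeds,
    or None when only brute force (steps 11 and 12) remains."""
    if candidate == "":
        return 1, "no password"
    if candidate.lower() == user_id.lower():
        return 2, "same as the user ID"
    if any(derived_from_name(candidate, part) for part in full_name.split()):
        return 3, "derived from the user's name"
    if candidate in COMMON_LIST:
        return 4, "on the common word list"
    if candidate in SHORT_DICTIONARY:
        return 5, "in the short dictionary"
    if candidate in FULL_DICTIONARY:
        return 6, "in the complete word list"
    norm = normalise(candidate)
    if norm in COMMON_LIST or norm in SHORT_DICTIONARY:
        return 8, "short-dictionary word with capitalisation or substitutions"
    if norm in FULL_DICTIONARY:
        return 9, "complete-dictionary word with capitalisation or substitutions"
    return None


if __name__ == "__main__":
    # Constructed user: ID jsmith, name John Smith.
    for pw in ["", "jsmith", "Smith1999", "qwerty", "Dr@g0n", "Z3phyr", "2Brn2Bti?"]:
        print(repr(pw), "->", classify(pw, "jsmith", "John Smith"))
```

Only the last candidate, the slide's own 2Brn2Bti?, survives to the brute-force steps; the leet-style Dr@g0n falls at step 8 because the substitutions are undone before the lookup, which is exactly why "use characters other than a-z" helps only when the result is not a dictionary word in disguise.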
Attacking and Protecting Passwords
• Dictionary Attacks: Several network sites post dictionaries of phrases,
science fiction character names, places, mythological names, Chinese
words, Yiddish words, and other specialized lists.
• These lists help site administrators identify users who have chosen
weak passwords, but the same dictionaries can also be used by
attackers of sites that do not have such attentive administrators
• Now Internet sites offer so-called password recovery software as
freeware or shareware for under $20. (These are password cracking
programs.)
Attacking and Protecting Passwords
• Guessing Probable Passwords:
• Think of a word. Is the word you thought of long? Is it uncommon? Is it hard
to spell or to pronounce? The answer to all three of these questions is
probably no.
• Penetrators searching for passwords realize these very human
characteristics and use them to their advantage.
• There are only 26^1 + 26^2 + 26^3 = 18,278 (not case sensitive)
passwords of length 3 or less
Attacking and Protecting Passwords
• At an assumed rate of one password per millisecond, all of these
passwords can be checked in 18.278 seconds, hardly a challenge with
a computer. Even expanding the tries to 4 or 5 characters raises the
count only to 475 seconds (about 8 minutes) or 12,356 seconds
(about 3.5 hours), respectively
• Many computing systems have spelling checkers that can be used to
check for spelling errors and typographic mistakes in documents.
Trying all of these words as passwords takes only 80 seconds at the
unrealistically generous estimate of one guess per millisecond
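The arithmetic above, carried through in Python as an added example (not part of the slides): the keyspace for a given alphabet and maximum length, its size in bits, and the worst-case time to exhaust it at a given guessing rate. The 26-letter rows reproduce the slide's 18.278 s, 475 s and 12,356 s figures at one guess per millisecond; the final row goes beyond the slide to the 95 printable ASCII characters at an assumed 10^9 guesses per second, a rate chosen for illustration rather than measured.

```python
# Added example: search-space size and brute-force time for the cases above.
import math


def keyspace(alphabet_size: int, max_length: int, min_length: int = 1) -> int:
    """Number of distinct strings with lengths min_length..max_length."""
    return sum(alphabet_size ** n for n in range(min_length, max_length + 1))


def entropy_bits(alphabet_size: int, max_length: int) -> float:
    """log2 of the keyspace: the 'bits of information' a password carries."""
    return math.log2(keyspace(alphabet_size, max_length))


def seconds_to_exhaust(alphabet_size: int, max_length: int,
                       guesses_per_second: float) -> float:
    """Worst-case time to try every string in the keyspace."""
    return keyspace(alphabet_size, max_length) / guesses_per_second


def human(seconds: float) -> str:
    """Render seconds in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


if __name__ == "__main__":
    # The slide's figures: a-z only, one guess per millisecond.
    for length in (3, 4, 5):
        print(f"a-z, up to {length:d}: {keyspace(26, length):>12,} candidates, "
              f"{human(seconds_to_exhaust(26, length, 1_000))}")
    # Beyond the slide: 95 printable characters, length 8, at an assumed
    # 1e9 guesses per second (illustrative rate, not measured).
    print(f"printable, up to 8: {entropy_bits(95, 8):.1f} bits, "
          f"{human(seconds_to_exhaust(95, 8, 1e9))}")
```

The entropy function makes the slide's "small number of bits" concrete: three lower-case letters carry about 14 bits, which no guessing rate needs to be generous about.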
Attacking and Protecting Passwords
• Good Passwords: The term “password” implies a single word, but you
can actually use a nonexistent word or a phrase. So 2Brn2Bti? could
be a password (derived from “to be or not to be, that is the
question”) or “PayTaxesApril15th.”
• The strings are long, they are chosen from a large set of characters,
and they do not appear in a dictionary.
• These properties make the password difficult (but, of course, not
impossible) to determine
Attacking and Protecting Passwords
• Best practices for strong password:
• Use characters other than just a–z
• Choose longer passwords
• Avoid actual names or words
• Use a string you can remember
• Use variants for multiple passwords
• Change the password regularly
• Don’t write it down
• Don’t tell anyone else
Authentication Based on
Biometrics: Something You Are
Authentication Based on Biometrics:
Something You Are
• Biometrics are biological properties, based on some physical characteristic
of the human body.
• The list of biometric authentication technologies is still growing.
• Now devices can recognize the following biometrics:
• Fingerprint
• Hand geometry (shape and size of fingers)
• Retina and iris (parts of the eye)
• Voice
• Handwriting, signature, hand motion
• Typing characteristics
• Blood vessels in the finger or hand
• Face or facial features, such as nose shape or eye spacing
Authentication Based on Biometrics: Something You Are
• Authentication with biometrics has advantages over passwords because a
biometric cannot be lost, stolen, forgotten, or shared and is always
available, always at hand, so to speak. These characteristics are difficult,
if not impossible, to forge
Authentication Based on Biometrics:
Something You Are
• Biometrics come with several problems:
• Biometrics are relatively new, and some people find their use intrusive. For
example, people in some cultures are insulted by having to submit to
fingerprinting, because they think that only criminals are fingerprinted
• Hand geometry and face recognition (which can be done from a camera
across the room) are scarcely invasive, but people have real concerns about
peering into a laser beam or sticking a finger into a slot
• Biometric recognition devices are costly, although as the devices become
more popular, their cost per device should go down. Still, outfitting every
user’s workstation with a reader can be expensive for a large company with
many employees
Authentication Based on Biometrics:
Something You Are
• Biometrics come with several problems:
• Biometric readers and comparisons can become a single point of failure.
Consider a retail application in which a biometric recognition is linked to a
payment scheme: As one user puts it, “If my credit card fails to register, I can
always pull out a second card, but if my fingerprint is not recognized, I have
only that one finger”
• All biometric readers use sampling and establish a threshold for acceptance of
a close match. The device has to sample the biometric, measure often
hundreds of key points, and compare that set of measurements with a
template.
Authentication Based on Biometrics:
Something You Are
• Although equipment accuracy is improving, false readings still occur.
We label a false positive or false accept a reading that is accepted
when it should be rejected (that is, the authenticator does not match)
and a false negative or false reject one that rejects when it should
accept.
“False positive: incorrectly confirming an identity”
“False negative: incorrectly denying an identity”
• Biometric matches are not exact; the issue is whether the rate of false
positives and false negatives is acceptable.
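To show how the acceptance threshold sets that rate, here is an added example (not from the slides) in Python. The match scores are constructed, not taken from any real device: a score of 1.0 would be a perfect match with the template. Raising the threshold drives the false accept rate down and the false reject rate up; the function at the end finds the threshold where the two are closest, the equal error rate often quoted when comparing readers.

```python
# Added example: false accept / false reject trade-off for a threshold.
# Scores below are constructed for illustration (assumption), not measured.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.90, 0.67, 0.86, 0.93, 0.79]
IMPOSTOR_SCORES = [0.21, 0.35, 0.48, 0.62, 0.30, 0.55, 0.74, 0.40, 0.28, 0.51]


def accept(score: float, threshold: float) -> bool:
    """The device accepts any match at or above the threshold."""
    return score >= threshold


def error_rates(threshold: float, genuine=GENUINE_SCORES,
                impostor=IMPOSTOR_SCORES):
    """Return (false accept rate, false reject rate) at this threshold.
    False accept: an impostor scores high enough to pass.
    False reject: a genuine user scores too low and is turned away."""
    far = sum(accept(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not accept(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def equal_error_threshold(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep thresholds 0.00..1.00 and return (threshold, far, frr) where
    the two error rates are closest; ties go to the lowest threshold."""
    best = None
    for i in range(101):
        t = i / 100
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1:]


if __name__ == "__main__":
    for t in (0.60, 0.70, 0.80):
        far, frr = error_rates(t)
        print(f"threshold {t:.2f}: false accept {far:.0%}, false reject {frr:.0%}")
    t, far, frr = equal_error_threshold()
    print(f"equal error point near {t:.2f}: {far:.0%} / {frr:.0%}")
```

The same sweep, run over scores recorded from a real reader, is how a practitioner decides whether a device's error rates are "acceptable" for its setting: a payment terminal might tolerate more false rejects than a door into a shared office.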
Authentication Based on Tokens:
Something You Have
Authentication Based on Tokens: Something
You Have
• Passive Tokens: A photo or key is an example of a passive token in
that the contents of the token never change
• Active Token: can have some variability or interaction with its
surroundings, such as a magnetic stripe
Passive tokens do not change.
Active tokens communicate with a sensor
Authentication Based on Tokens: Something
You Have
• Static Tokens
• The value of a static token remains fixed such as Keys, identity cards,
passports, credit and other magnetic-stripe cards, and radio transmitter cards
(called RFID devices)
• Static tokens are most useful for onsite authentication
• It may not be easy to transmit the image of the badge and the appearance of
your face for a remote computer to compare
• See the ATM skimming attack example on page 95
Authentication Based on Tokens: Something
You Have
• Dynamic Tokens
• The value of a dynamic token changes over time, such as a device that
generates an unpredictable value that we might call a pass number
• Some devices change numbers at a particular event, for example, once a
minute; others change numbers when you press a button, and others
compute a new number in response to an input, sometimes called a challenge
• Useful for remote authentication, especially of a person to a computer. An
example of a dynamic token is the SecurID token from RSA Laboratories
Authentication Based on Tokens: Something
You Have
• Dynamic Tokens: Time-Based Token Authentication
• [Figure: SecurID token login. The user logs in as mcollings and enters the passcode 2468159759, where PASSCODE = PIN + TOKENCODE. The token code changes every 60 seconds; the token's clock is synchronized to UTC and it holds a unique seed.]
Federated Identity Management
• A federated identity management scheme: is a union of separate
identification and authentication systems.
• Instead of maintaining separate user profiles, a federated scheme maintains
one profile with one authentication method
• Separate systems share access to the authenticated identity database
• Authentication is performed in one place, and separate processes and
systems determine that an already authenticated user is to be activated
Federated Identity Management
[Figure: The user authenticates once to the Identity Manager (which performs authentication). The resulting authenticated identity is passed to each Application (no authentication of its own).]
Single Sign-On
[Figure: The user presents identification and authentication credentials (password authentication, token authentication) once to a single sign-on shell; the shell then handles authentication to each application on the user's behalf.]
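The pattern in the federated identity and single sign-on diagrams above, as an added example (not from the slides, and a simplified stand-in rather than SAML or OpenID Connect): one identity manager authenticates the user and signs a short statement of who they are, which application it is for, and until when; each application performs no authentication of its own and only checks that statement. The shared key, issuer name and claim layout are constructed for the example.

```python
# Added example: a signed identity assertion passed from an identity manager
# to applications that do no authentication themselves. Key, issuer and
# claim names are constructed (assumption); not SAML/OIDC.
import base64
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key-shared-out-of-band"   # assumption
ISSUER = "idm.example"                                    # assumption


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(user: str, audience: str, now: int, ttl: int = 300) -> str:
    """Identity manager side, called only after it has authenticated `user`
    by whatever means policy requires. Produces '<claims>.<signature>' naming
    the user, the intended application and the validity window."""
    claims = {"iss": ISSUER, "sub": user, "aud": audience,
              "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def accept_assertion(token: str, expected_audience: str, now: int):
    """Application side: no password check of its own. Returns the asserted
    user only if signature, issuer, audience and lifetime all check out."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    try:
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None                   # forged or tampered
        claims = json.loads(_unb64(body))
    except ValueError:
        return None                       # malformed encoding
    if claims.get("iss") != ISSUER or claims.get("aud") != expected_audience:
        return None                       # meant for another application
    if not (claims["iat"] <= now < claims["exp"]):
        return None                       # expired or not yet valid
    return claims["sub"]


if __name__ == "__main__":
    t = issue_assertion("mcollings", "payroll", now=1_700_000_000)
    print(accept_assertion(t, "payroll", 1_700_000_100))   # mcollings
    print(accept_assertion(t, "hr", 1_700_000_100))        # None: wrong audience
    print(accept_assertion(t, "payroll", 1_700_000_400))   # None: expired
```

The audience check is the part most often forgotten: without it, an assertion issued for one application can be presented to any other, so a low-value service becomes a way into a high-value one, and "authentication is performed in one place" turns into the single point of failure the biometrics slide warns about.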
From Security in Computing, Fifth Edition, by Charles P.
Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by
Pearson Education, Inc. All rights reserved.
Access Control
Multifactor Authentication
• Combining authentication information is called multifactor
authentication. Two forms of authentication (which is, not
surprisingly, known as two-factor authentication) are presumed to be
better than one, assuming of course that the two forms are strong.
• From a usability point of view, a large number of factors (large n) may
lead to user frustration and reduced security
CIT 616: Introduction to Cybersecurity and Digital Forensic
Executive Master of Forensic Accounting
Lecture 01: Introduction to
Cybersecurity
Prepared by : Dr. Wahid Rajeh & Dr. A’aeshah Alhakamy
Book Author: Pfleeger, C.P
What Is Computer Security?
• Computer security: is the protection of the items you value, called
the assets of a computer or computer system.
• types of assets are hardware, software, data, people, processes, or
combinations of these
• To determine what to protect, we must first identify what has value and to
whom e.g:
• Design for your next new product
• Photos from your recent vacation
• Chapters of your new book
• Genome sequence resulting from your recent research
Values of Assets
• After identifying the assets to protect, we next determine their value.
• For example, when you go for a swim you can leave a bottle of water and a
towel on the beach, but not your wallet or cell phone.
• The value of an asset depends on the asset owner’s or user’s perspective,
and it may be independent of financial cost
The Vulnerability–Threat–Control Paradigm
• Vulnerability: is a weakness in the system, for example, in
procedures, design, or implementation, that might be exploited to
cause loss or harm.
• Threat: is a set of circumstances that has the potential to cause loss
or harm.
• Controls: prevent threats from exercising vulnerabilities
Basic Security Properties (C-I-A triad)
• Availability: the ability of a system to ensure that an asset can be
used by any authorized parties
• Integrity: the ability of a system to ensure that an asset is modified
only by authorized parties
• Confidentiality: the ability of a system to ensure that an asset is
viewed only by authorized parties
• Authentication (Network Security): the ability of a system to confirm
the identity of a sender
• Accountability (Network Security): the ability of a system to confirm
that a sender cannot convincingly deny having sent something
Basic Security Properties (C-I-A triad)
• Harm characterized by four acts:
• Interception
• Interruption
• Modification
• Fabrication
Confidentiality can suffer if someone intercepts data, availability is lost if
someone or something interrupts a flow of data or access to a computer, and
integrity can fail if someone or something modifies data or fabricates false data
Basic Security Properties (C-I-A triad)
• Confidentiality: A person, process, or program is (or is not) authorized
to access a data item in a particular way. We call the person, process, or
program a subject, the data item an object, the kind of access (such as
read, write, or execute) an access mode, and the authorization a policy
Basic Security Properties (C-I-A triad)
• Integrity of an item means that the item is:
• Precise
• Accurate
• Unmodified
• Modified only in acceptable ways
• Modified only by authorized people
• Modified only by authorized processes
• Consistent
• Internally consistent
• Meaningful and usable
Basic Security Properties (C-I-A triad)
• An object or service is thought to be available if the following are true:
• It is present in a usable form
• It has enough capacity to meet the service’s needs
• It is making clear progress, and, if in wait mode, it has a bounded
waiting time
• The service is completed in an acceptable period.
Basic Security Properties (C-I-A triad)
• Computer security: seeks to prevent unauthorized viewing
(confidentiality) or modification (integrity) of data while preserving
access (availability).
Types of Threats
• Threats are caused both by human and other sources.
• Threats can be malicious or not.
• Threats can be targeted or random.
Types of Threats
• Non-human threats:
• Natural disasters like fires or floods
• Loss of electrical power
• Failure of a component such as a communications cable, processor chip, or disk drive
• Attack by a wild boar or rats
• Human threats:
• Non-malicious
• accidentally spilling a soft drink on a laptop
• unintentionally deleting text
• inadvertently sending an email message to the wrong person
• carelessly typing “12” instead of “21” when entering a phone number
• clicking “yes” instead of “no” to overwrite a file
• Malicious
• Random attack: attacker wants to harm any computer or user
• Directed attack: attacker intends harm to specific computers
Types of Threats
• Attackers can be
• Individuals
• Organized, Worldwide Groups
• Organized Crime
• Terrorists
Risk and Common Sense
• The negative consequence of an actualized threat is harm.
• Risk management: is the process that involves choosing which
threats to control and what resources to devote to protection.
• it includes weighing the seriousness of a threat against our ability to
protect.
Method–Opportunity–Motive
• A malicious attacker must have three things to ensure success:
• Method “How”: mean the skills, knowledge, tools, and other things with
which to perpetrate the attack.
• Opportunity “When”: the time and access to execute an attack
• Motive “Why”: reason to want to attack
Security Countermeasure (Control)
• A countermeasure is a means to counter threats. Harm occurs when a
threat is realized against a vulnerability. We can deal with harm in several
ways:
• Prevent it, by blocking the attack or closing the vulnerability
• Deter it, by making the attack harder but not impossible
• Deflect it, by making another target more attractive (or this one less so)
• Mitigate it, by making its impact less severe
• Detect it, either as it happens or some time after the fact
• Recover from its effects
Security Countermeasure (Control)
Effects of Controls
Security Countermeasure (Control)
• Type of controls
1- Physical controls stop or block an attack by using something tangible, such as
• Walls and Fences
• Locks and Human guards
• Sprinklers
• Fire extinguishers
2- Procedural or administrative controls use a command or agreement that –
requires or advises people how to act; for example:
• Laws and Regulations
• Policies, Procedures and Guidelines
• Copyrights and Patents
• Contracts and Agreements
Security Countermeasure (Control)
3- Technical controls: counter threats with technology (hardware or software),
including:
• Passwords
• Program or operating system access controls
• Network protocols
• Firewalls
• Intrusion detection systems
• Encryption
• Network traffic flow regulators
Conclusion
