
MODULE V PHYSICAL DESIGN

Security Technology, IDS, Scanning and Analysis Tools, Cryptography, Access Control
Devices, Physical Security, Security and Personnel

SECURITY TECHNOLOGY
What is Security?
"The quality or state of being secure: to be free from danger."
A successful organization should have multiple layers of security in place:
Physical security
Personal security
Operations security
Communications security
Network security
Information security

Physical Design
Physical design of an information security program is made up of two parts:
Security technologies
Physical security
Physical design process:
Identifies complete technical solutions based on these technologies
(deployment, operations and maintenance elements)
Design physical security measures to support the technical solution.
Firewalls
A software or hardware component that restricts network communication
between two computers or networks.
In buildings, a firewall is a fireproof wall that restricts the spread of a fire.
Network firewall prevents threats from spreading from one network to
another
Prevent specific types of information from moving between the outside
world (untrusted networks) and the inside world (trusted networks)
The firewall may be a separate computer system, a software service running
on an existing router or server, or a separate network containing a number
of supporting devices.
Internet Firewalls

What Firewalls do
Protect the resources of an internal network.
Restrict external access.
Log network activity.
Provide basic intrusion detection and denial-of-service (DoS) mitigation (on many products).
Act as an intermediary between internal hosts and the outside world.
Centralized Security Management
Carefully administer one firewall to control the Internet traffic of many
machines.
Internal machines can then be administered with less care.
Types of Firewalls (General)
Firewall types can be categorized by:
The function or methodology the firewall uses
Whether the communication is between a single node and the network,
or between two or more networks.
Personal Firewalls
a software application which normally filters traffic entering or
leaving a single computer.
Network firewalls
normally running on a dedicated network device or computer
positioned on the boundary of two or more networks.
Whether the communication state is being tracked at the firewall or
not.
3 Firewall categorization methods
The Function or methodology the firewall use
Five processing modes that firewalls can be categorized by are :
packet filtering
application gateways
circuit gateways
MAC layer firewalls
hybrids
Packet filtering:
examine the header information of the data packets that come into a
network.
A packet-filtering firewall installed on a TCP/IP-based network determines
whether to drop a packet or forward it to the next network connection based
on the rules programmed into the firewall.
Packet-filtering firewalls scan network data packets looking for
violations of the rules in the firewall's rule database.
Packet-filtering firewalls inspect packets at the network layer (and
usually the transport-layer port numbers).
If the device finds a packet that matches a restriction, it stops the
packet from traveling from one network to another.
Filters packet by packet, deciding to Accept/Deny/Discard each packet
based on configurable criteria (filter rule sets).
Typically stateless: do not keep a table of the connection state of the
various traffic flows that pass through them.
Simple stateless filters are sometimes not considered "true" firewalls,
because they cannot tell a reply from a new connection attempt.
Usually located at the boundary of a network.
Main strengths: speed and flexibility.
There are three subsets of packet filtering firewalls:
static filtering
dynamic filtering
stateful inspection
static filtering:
requires that the filtering rules governing how the firewall
decides which packets are allowed and which are denied be
developed and installed with the firewall, and changed only by hand.
This type of filtering is common in network routers and
gateways.
Dynamic filtering
allows the firewall to create rules on the fly to deal with events.
This reaction could be positive, as in allowing an internal user
to engage in a specific activity upon request, or negative, as in
dropping all packets from a particular address.
Stateful inspection
keeps track of each network connection between internal and
external systems using a state table.
A state table tracks the state and context of each packet in the
conversation by recording which station sent what packet
and when.
More complex than their constituent component firewalls.
Nearly all modern firewalls on the market today are stateful.

Stateful Inspection Firewalls


Basic Weaknesses Associated with Packet Filters / Stateful Inspection
They cannot prevent attacks that employ application-specific
vulnerabilities or functions.
Logging functionality present in packet filter firewalls is limited.
Most packet filter firewalls do not support advanced user
authentication schemes.
Vulnerable to attacks and exploits that take advantage of problems
within the TCP/IP specification and protocol stack, such as network
layer address spoofing.
Susceptible to security breaches caused by improper configuration.
Advantages:
One packet filter can protect an entire network
Efficient (requires little CPU)
Supported by most routers
Disadvantages:
Difficult to configure correctly
Must consider the rule set in its entirety
Difficult to test completely
Performance penalty for complex rule sets
Stateful packet filtering is much more expensive
Enforces ACLs at layers 3 and 4, without knowing any
application details
Packet Filtering Firewalls
The original firewall
Works at the network level of the OSI model
Applies packet filters based on access Rules:
Source IP address
Destination IP address
Application or protocol
Source port number
Destination port number
Packet Filtering Firewalls

Application gateways:
also known as proxy servers, since they run special software that acts as
a proxy for a service request.
One common example of a proxy server is a firewall that brokers
requests for, and responses to, web pages and services on behalf of
the internal computers of an organization.
The primary disadvantage of application-level firewalls is that they
are designed for a specific protocol and cannot easily be reconfigured
to protect against attacks in other protocols.
Application firewalls work at the application layer.
They filter packets on application data as well as on IP/TCP/UDP fields.
The interaction is controlled at the application layer.
A proxy server is an application that mediates traffic between
two network segments.
With the proxy acting as mediator, the source and destination systems
never actually "connect": each side talks only to the proxy.
Filtering hostile code: proxies can analyse the payload of a packet of
data and decide whether this packet should be passed or
dropped.
Circuit gateways:
operate at the transport layer
Connections are authorized based on addresses; they prevent direct
connections between one network and another.
They accomplish this prevention by creating channels connecting
specific systems on each side of the firewall and then allowing only
authorized traffic.
Relay two TCP connections (session layer)
Impose security by limiting which such connections are allowed
Once created, usually relay traffic without examining contents
Monitor the handshake between packets to decide whether the traffic is
legitimate
Typically used when internal users are trusted, by allowing general outbound
connections
SOCKS is commonly used for this
Circuit Level Firewalls Example

MAC layer firewalls:
designed to operate at the media access control layer.
Using this approach, the MAC addresses of specific host computers
are linked to ACL entries that identify the specific types of packets
that can be sent to each host, and all other traffic is blocked.
Hybrid firewalls:
combine elements of other types of firewalls, for example elements
of packet filtering and proxy services, or of packet filtering and
circuit gateways.
That means a hybrid firewall may actually consist of two separate firewall
devices; each is a separate firewall system, but they are connected so
that they work together.
Types of Firewalls
Finally, depending on whether the firewall keeps track of the state of
network connections or treats each packet in isolation, two additional
categories of firewalls exist:
Stateful firewall
Stateless firewall
Stateful firewall
keeps track of the state of network connections (such as TCP
streams) traveling across it.
A stateful firewall is able to hold in memory significant attributes
of each connection, from start to finish. These attributes, which
are collectively known as the state of the connection, may
include such details as the IP addresses and ports involved in
the connection and the sequence numbers of the packets
traversing the connection.
Stateless firewall
Treats each network frame (packet) in isolation. Such a
firewall has no way of knowing if any given packet is part of
an existing connection, is trying to establish a new connection,
or is just a rogue packet.
The classic example of the difficulty this causes is the File Transfer
Protocol (FTP), because by design it opens additional data connections
on ports negotiated inside the control session; a stateless filter cannot
tell that those connections belong to an existing session and must either
open a wide range of ports or block them.
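As an added example (not part of the original notes), the following Python simulation runs the same constructed packets through a stateless rule set and then through the same rules backed by a state table. The rule set, the trusted network 10.0.0.0/8, the addresses and the packets are assumptions made for the illustration. It shows why a stateless filter has to open an "any packet with ACK set" hole to let replies back in, and how the state table closes that hole.

```python
"""Stateless packet filtering beside stateful inspection, on constructed packets.

Added illustration, not code from the notes. The rule set, the trusted
network 10.0.0.0/8 and the packet contents are assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""  # TCP flags as letters: "S" SYN, "SA" SYN+ACK, "A" ACK


# (action, src_net, dst_net, proto, dport, required_flag); first match wins,
# anything that matches no rule is dropped (default deny).
RULES = [
    ("deny",  "any",        "any",        "tcp", 513,  None),  # rlogin is never allowed
    ("allow", "10.0.0.0/8", "any",        "tcp", 80,   None),  # inside may browse
    ("allow", "10.0.0.0/8", "any",        "tcp", 443,  None),
    # A stateless filter has to let replies back in somehow; the classic
    # approximation of "established" is "any inbound packet with ACK set".
    ("allow", "any",        "10.0.0.0/8", "tcp", None, "A"),
]


def _in_net(net, addr):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def stateless_filter(pkt, rules=RULES):
    """Judge each packet on its own header fields only."""
    for action, src, dst, proto, dport, flag in rules:
        if (_in_net(src, pkt.src) and _in_net(dst, pkt.dst) and proto == pkt.proto
                and (dport is None or dport == pkt.dport)
                and (flag is None or flag in pkt.flags)):
            return action
    return "deny"


class StatefulFilter:
    """Same rules plus a state table keyed on the 5-tuple.

    Only a SYN that the rules allow creates an entry; later packets of that
    conversation, in either direction, are matched against the table instead
    of the rules. A packet with ACK set but no table entry is out of state
    and dropped, which closes the hole the last rule above opens.
    """

    def __init__(self, rules=RULES):
        self.rules = rules
        self.state = set()

    def decide(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if forward in self.state or reverse in self.state:
            return "allow"                      # belongs to a tracked connection
        if pkt.proto == "tcp" and pkt.flags != "S":
            return "deny"                       # not a connection opener and no state: drop
        if stateless_filter(pkt, self.rules) == "allow":
            self.state.add(forward)             # remember the new connection
            return "allow"
        return "deny"


def demo():
    """Run the same four constructed packets, in order, through both filters."""
    packets = [
        ("outbound_syn", Packet("10.0.0.7", "203.0.113.10", "tcp", 52000, 80, "S")),
        ("reply_synack", Packet("203.0.113.10", "10.0.0.7", "tcp", 80, 52000, "SA")),
        # attacker sets ACK on a packet that was never part of any handshake
        ("crafted_ack",  Packet("203.0.113.99", "10.0.0.9", "tcp", 80, 22, "A")),
        ("rlogin_syn",   Packet("203.0.113.99", "10.0.0.9", "tcp", 40000, 513, "S")),
    ]
    sf = StatefulFilter()
    return {
        "stateless": {name: stateless_filter(p) for name, p in packets},
        "stateful": {name: sf.decide(p) for name, p in packets},
    }


if __name__ == "__main__":
    for mode, decisions in demo().items():
        print(mode, decisions)
```

Extending the state table to FTP would mean parsing the PORT/PASV exchange on the control connection and pre-creating an entry for the data connection; that application-aware helper is what separates a stateful inspection firewall from the plain packet filter shown here.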
Advantages of a Firewall
Stop incoming calls to insecure services
such as rlogin and NFS
Control access to other services
Control the spread of viruses
Cost Effective
More secure than securing every system
Disadvantages of a Firewall
Central point of attack
Restrict legitimate use of the Internet
Bottleneck for performance
Does not protect the ‘back door’
Cannot always protect against smuggling
Cannot prevent insider attacks
INTRUSION DETECTION SYSTEM
Introduction
Intrusion: type of attack on information assets in which instigator attempts to
gain entry into or disrupt system with harmful intent
Intrusion detection: consists of procedures and systems created and operated
to detect system intrusions
Intrusion reaction: encompasses actions an organization undertakes when
intrusion event is detected
Intrusion correction activities: finalize restoration of operations to a normal
state
Intrusion prevention: consists of activities that seek to deter an intrusion
from occurring
Intrusion Detection Systems (IDSs)
Detects a violation of its configuration and activates alarm
Many IDSs enable administrators to configure systems to notify them directly of
trouble via e-mail or pagers
Systems can also be configured to notify an external security service
organization of a "break-in"
IDS Terminology
Alert or alarm
An indication that a system has just been attacked or is under attack.
False negative
The failure of an IDS to react to an actual attack event.
False positive
An alarm or alert that indicates that an attack is in progress or that an attack has
successfully occurred when in fact there was no such attack.
Confidence value
The value placed on an IDS's ability to correctly detect and identify a given type
of attack.
Alarm filtering
The process of classifying and prioritising alerts so that genuine attacks can be
separated from noise and handled efficiently.
IDSs Classification
All IDSs use one of two detection methods:
Signature-based
Statistical anomaly-based
IDSs operate as:
network-based
host-based
application-based systems
Signature-Based IDS
Examine data traffic in search of patterns that match known signatures
Widely used because many attacks have clear and distinct signatures
Problem with this approach is that as new attack strategies are identified,
the IDS’s database of signatures must be continually updated
Statistical Anomaly-Based IDS
The statistical anomaly-based IDS (stat IDS) or behavior-based IDS
samples network activity and compares it to traffic that is known to be normal
When measured activity is outside baseline parameters or clipping level,
IDS will trigger an alert
IDS can detect new types of attacks
Requires much more overhead and processing capacity than signature-
based
May generate many false positives
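As an added example (not from the notes), the following Python code runs both detection methods over the same constructed web-server log entries. The log format, the two signatures and the clipping level (mean plus three standard deviations of the baseline minutes) are assumptions made for the illustration. Each method catches what the other misses, which is the trade-off the two sections above describe.

```python
"""Signature-based and statistical anomaly-based detection side by side,
run over constructed web-server log entries.

Added illustration, not code from the notes. The log format, the two
signatures and the clipping level (mean + 3 standard deviations of the
baseline) are assumptions made for the example.
"""
import re
import statistics
from collections import Counter

# Constructed sample: (minute, client_ip, request_line).
LOG = [
    (0, "10.0.0.7", "GET /index.html"),
    (0, "10.0.0.8", "GET /about.html"),
    (1, "10.0.0.7", "GET /login"),
    (1, "10.0.0.9", "GET /index.html"),
    (1, "10.0.0.8", "GET /search?q=shoes"),
    (2, "10.0.0.7", "GET /index.html"),
    (2, "10.0.0.9", "GET /about.html"),
    # SQL injection probe: a known pattern, so the signature engine catches it
    (3, "203.0.113.5", "GET /search?q=1%27%20OR%20%271%27%3D%271"),
    (3, "10.0.0.9", "GET /about.html"),
    (3, "10.0.0.7", "GET /login"),
    # directory traversal probe, also a known pattern
    (4, "203.0.113.5", "GET /cgi-bin/../../etc/passwd"),
    (4, "10.0.0.7", "GET /index.html"),
    # request flood: every line looks benign, only the volume is abnormal
    *[(5, "198.51.100.20", f"GET /?x={i}") for i in range(40)],
]

SIGNATURES = {
    "sql-injection": re.compile(r"(%27|')(%20|\s)*or(%20|\s)", re.IGNORECASE),
    "dir-traversal": re.compile(r"\.\./"),
}


def signature_detect(log):
    """Return (minute, ip, signature_name) for every entry matching a known signature."""
    hits = []
    for minute, ip, request in log:
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                hits.append((minute, ip, name))
    return hits


def anomaly_detect(log, baseline_minutes, k=3.0):
    """Flag minutes whose request count exceeds the clipping level learned from the baseline."""
    counts = Counter(minute for minute, _, _ in log)
    baseline = [counts[m] for m in baseline_minutes]
    clipping = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    flagged = sorted(m for m, c in counts.items() if c > clipping)
    return flagged, clipping


def compare(log=LOG):
    """Show what each method sees and misses on the same data."""
    sig = signature_detect(log)
    flagged, clipping = anomaly_detect(log, baseline_minutes=range(5))
    return {
        "signature_hits": sig,                 # the two probes in minutes 3 and 4
        "anomalous_minutes": flagged,          # the flood in minute 5
        "clipping_level": round(clipping, 2),
        # false negatives of each method on this data
        "flood_seen_by_signature": any(m == 5 for m, _, _ in sig),
        "probe_minutes_seen_by_anomaly": [m for m in (3, 4) if m in flagged],
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The baseline here is five quiet minutes with two or three requests each, so the clipping level lands just under four requests per minute; a noisier baseline raises it and starts to hide small floods, which is the false-negative side of the anomaly approach, while a lower k produces the false positives the notes warn about.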

Intrusion Detection System (IDS)

Network-Based IDS (NIDS)


Resides on computer or appliance connected to segment of an
organization’s network; looks for signs of attacks
When examining packets, a NIDS looks for attack patterns
Installed at specific place in the network where it can watch traffic going
into and out of particular network segment
NIDS Signature Matching
To detect an attack, NIDSs look for attack patterns
Done by using special implementation of TCP/IP stack:
In process of protocol stack verification, NIDSs look for invalid
data packets
In application protocol verification, higher-order protocols are
examined for unexpected packet behaviour or improper use
Advantages and Disadvantages of NIDSs
Good network design and placement of NIDS can enable
organization to use a few devices to monitor large network
NIDSs are usually passive and can be deployed into existing
networks with little disruption to normal network operations
NIDSs not usually susceptible to direct attack and may not be
detectable by attackers
Can become overwhelmed by network volume and fail to recognize
attacks
Require access to all traffic to be monitored
Cannot analyse encrypted packets
Cannot reliably ascertain if attack was successful or not
Some forms of attack are not easily discerned by NIDSs,
specifically those involving fragmented packets
Host-Based IDS
Host-based IDS (HIDS) resides on a particular computer or server and
monitors activity only on that system
Benchmark and monitor the status of key system files and detect when
intruder creates, modifies, or deletes files
Most HIDSs work on the principle of configuration or change
management
Advantage over NIDS: can usually be installed so that it can access
information encrypted when traveling over network
Advantages and Disadvantages of HIDSs
Can detect local events on host systems and detect attacks that may
elude a network-based IDS
Functions on host system, where encrypted traffic will have been
decrypted and is available for processing
Not affected by use of switched network protocols
Can detect inconsistencies in how applications and systems
programs were used by examining records stored in audit logs
Pose more management issues
Vulnerable both to direct attacks and attacks against host operating
system
Does not detect multi-host scanning, nor scanning of non-host
network devices
Susceptible to some denial-of-service attacks
Can use large amounts of disk space
Can inflict a performance overhead on its host systems
Application-Based IDS
Application-based IDS (AppIDS) examines application for abnormal
events
AppIDS may be configured to intercept requests:
File System
Network
Configuration
Execution Space
Advantages and Disadvantages of AppIDSs
Advantages
Aware of specific users; can observe interaction between
application and user
Able to operate even when incoming data is encrypted
Disadvantages
More susceptible to attack
Less capable of detecting software tampering
May be taken in by forms of spoofing
Selecting IDS Approaches and Products
Technical and policy considerations
What is your systems environment?
What are your security goals and objectives?
What is your existing security policy?
Organizational requirements and constraints
What are requirements that are levied from outside the organization?
What are your organization’s resource constraints?
IDS Control Strategies
An IDS can be implemented via one of three basic control strategies
Centralized: all IDS control functions are implemented and managed in a
central location
Fully distributed: all control functions are applied at the physical location of
each IDS component
Partially distributed: combines the two; while individual agents can still
analyse and respond to local threats, they report to a hierarchical central
facility to enable organization to detect widespread attacks
IDS Deployment Overview
Like the decision regarding control strategies, decisions about where to locate
the elements of intrusion detection systems are an art in themselves
Planners must select a deployment strategy based on careful analysis of the
organization's information security requirements while, at the same time,
causing minimal impact
NIDS and HIDS can be used in tandem to cover both individual systems
that connect to an organization’s networks and networks themselves
Deploying Network-Based IDSs
NIST recommends four locations for NIDS sensors
Location 1: behind each external firewall, in the network DMZ
Location 2: outside an external firewall
Location 3: On major network backbones
Location 4: On critical subnets
Deploying Host-Based IDSs
Proper implementation of HIDSs can be painstaking and time-consuming
task
Deployment begins with implementing most critical systems first
Installation continues until either all systems are installed, or the
organization reaches planned degree of coverage it is willing to live with
Measuring the Effectiveness of IDSs
IDSs are evaluated using two dominant metrics:
Administrators evaluate the number of attacks detected in a known collection of
probes
Administrators examine the level of use at which IDSs fail
Evaluation of IDS might read: at 100 Mb/s, IDS was able to detect 97% of
directed attacks
Since developing this collection can be tedious, most IDS vendors provide
testing mechanisms that verify systems are performing as expected
Some of these testing processes will enable the administrator to:
Record and retransmit packets from a real virus or worm scan
Record and retransmit packets from a real virus or worm scan with incomplete
TCP/IP session connections (missing SYN packets)
Conduct a real virus or worm scan against an invulnerable system
Honey Pots, Honey Nets, and Padded Cell Systems
Honey pots: decoy systems designed to lure potential attackers away from
critical systems and encourage attacks against themselves
Honey nets: collection of honey pots connecting several honey pot systems
on a subnet
Honey pots designed to:
Divert attacker from accessing critical systems
Collect information about attacker’s activity
Encourage attacker to stay on system long enough for administrators to document
event and, perhaps, respond

Padded cell: honey pot that has been protected so it cannot be easily
compromised
In addition to attracting attackers with tempting data, a padded cell operates in
tandem with a traditional IDS
When the IDS detects attackers, it seamlessly transfers them to a special
simulated environment where they can cause no harm—the nature of this host
environment is what gives approach the name padded cell
Advantages
Attackers can be diverted to targets they cannot damage
Administrators have time to decide how to respond to attacker
Attackers’ actions can be easily and more extensively monitored, and records can
be used to refine threat models and improve system protections
Honey pots may be effective at catching insiders who are snooping around a
network
Disadvantages
Legal implications of using such devices are not well defined
Honey pots and padded cells have not yet been shown to be generally useful
security technologies
Expert attacker, once diverted into a decoy system, may become angry and
launch a more hostile attack against an organization’s systems
Administrators and security managers will need a high level of expertise to use
these systems
Trap and Trace Systems
Use combination of techniques to detect an intrusion and trace it back to its
source
Trap usually consists of honey pot or padded cell and alarm
Legal drawbacks to trap and trace
Enticement: process of attracting attention to system by placing tantalizing bits of
information in key locations
Entrapment: action of luring an individual into committing a crime to get a
conviction.
Enticement is legal and ethical, whereas entrapment is not
SCANNING AND ANALYSIS TOOLS
Typically used to collect the information an attacker would need to launch a
successful attack
An attack protocol is a series of steps or processes used by an attacker, in a logical
sequence, to launch an attack against a target system or network
Footprinting: the organized research of the Internet addresses owned or controlled by
a target organization
Fingerprinting: the systematic survey of all of the target organization's Internet
addresses collected during the footprinting phase
Fingerprinting reveals useful information about the internal structure and operational
nature of the target system or network for the anticipated attack
These tools are valuable to the network defender since they can quickly pinpoint the
parts of the systems or network that need prompt repair to close a
vulnerability
Port Scanners
Tools used by both attackers and defenders to identify computers active on a
network, and other useful information
Can scan for specific types of computers, protocols, or resources, or their
scans can be generic
The more specific the scanner is, the better it can give attackers and
defenders useful information
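As an added example (not code from the notes), here is a minimal TCP connect() port scanner. It starts its own listener on a port chosen by the operating system, with a constructed banner, so that it runs offline; the port range scanned around that listener and the banner are assumptions. A connect() scan completes the full three-way handshake per port, which is why it needs no privileges and why it is also the noisiest scan a target's logs will see.

```python
"""TCP connect() port scanner that starts its own listener so the example
runs offline. Added illustration, not code from the notes; the banner and
the scanned port range are constructed. Scanning hosts you are not
authorized to test is the "intent of the user" problem the notes describe.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_listener(host="127.0.0.1"):
    """Bind a listener on an OS-chosen port that answers with a fake banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))                     # port 0: let the OS pick a free one
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                 # listener closed: stop serving
                return
            with conn:
                conn.sendall(b"SSH-2.0-demo\r\n")   # constructed banner

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe(host, port, timeout=0.5):
    """Full three-way handshake per port: 'open' if connect() succeeds, else 'closed'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:                     # ECONNREFUSED, timeout, unreachable
            return port, "closed", ""
        try:
            banner = s.recv(64).decode(errors="replace").strip()  # grab a banner if one is sent
        except OSError:
            banner = ""
        return port, "open", banner


def scan(host, ports, workers=32):
    """Probe ports concurrently; return the open ones sorted by port number."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        results = ex.map(lambda p: probe(host, p), ports)
        return sorted(r for r in results if r[1] == "open")


def demo():
    """Scan a small window around the demo listener and return what was found."""
    srv, port = start_listener()
    try:
        found = scan("127.0.0.1", range(port - 3, port + 4))
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)  # unblocks the accept() in the serve thread
        except OSError:
            pass
        srv.close()
    return port, found


if __name__ == "__main__":
    listener_port, open_ports = demo()
    for p, state, banner in open_ports:
        print(f"{p}/tcp {state} {banner}")
```

The banner grab is the "fingerprinting" step from the previous section: the service version string is often more useful to an attacker than the bare fact that the port is open.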
Firewall Analysis Tools
Several tools automate remote discovery of firewall rules and assist the
administrator in analysing the rules
Administrators who feel wary of using same tools that attackers use should
remember:
It is intent of user that will dictate how information gathered will be used
In order to defend a computer or network well, necessary to understand ways it
can be attacked
A tool that can help close up an open or poorly configured firewall will help
network defender minimize risk from attack
Packet Sniffers
Network tool that collects copies of packets from network and analyzes them
Can provide network administrator with valuable information for diagnosing and
resolving networking issues
In the wrong hands, a sniffer can be used to eavesdrop on network traffic
To use packet sniffer legally, administrator must be on network that organization
owns, be under direct authorization of owners of network, and have knowledge
and consent of the content creators
Wireless Security Tools
An organization that spends its time securing the wired network and leaves wireless
networks to operate in any manner is opening itself up to a security breach
Security professional must assess risk of wireless networks
A wireless security toolkit should include the ability to sniff wireless traffic, scan
wireless hosts, and assess level of privacy or confidentiality afforded on the
wireless network
CRYPTOGRAPHY
Security goals
We will first discuss three security goals: confidentiality, integrity and availability
(Figure 16.1).

Confidentiality
Confidentiality, keeping information secret from unauthorized access, is probably
the most common aspect of information security: we need to protect confidential
information. An organization needs to guard against those malicious actions that
endanger the confidentiality of its information.
Integrity
Information needs to be changed constantly. In a bank, when a customer deposits
or withdraws money, the balance of their account needs to be changed. Integrity
means that changes should be done only by authorized users and through
authorized mechanisms.
Availability
The third component of information security is availability. The information
created and stored by an organization needs to be available to authorized users
and applications. Information is useless if it is not available. Information needs to
be changed constantly, which means that it must be accessible to those authorized
to access it. Unavailability of information is just as harmful to an organization as
a lack of confidentiality or integrity. Imagine what would happen to a bank if the
customers could not access their accounts for transactions.
Attacks
The three goals of security—confidentiality, integrity and availability—can be
threatened by security attacks. Figure relates the taxonomy of attack types to
security goals.

Attacks threatening confidentiality
In general, two types of attack threaten the confidentiality of information:
snooping and traffic analysis. Snooping refers to unauthorized access to or
interception of data. Traffic analysis refers to other types of information collected
by an intruder by monitoring online traffic, such as who is communicating with
whom, how often and how much, even when the content itself is encrypted.
Attacks threatening integrity
The integrity of data can be threatened by several kinds of attack: modification,
masquerading, replaying and repudiation.
Attacks threatening availability
Denial of service (DoS) attacks may slow down or totally interrupt the service of
a system. The attacker can use several strategies to achieve this. They might make
the system so busy that it collapses, or they might intercept messages sent in one
direction and make the sending system believe that one of the parties involved in
the communication or message has lost the message and that it should be resent.
Security services
Standards have been defined for security services to achieve security goals and
prevent security attacks. Figure 16.3 shows the taxonomy of the five common
services.

Techniques
The actual implementation of security goals needs some help from mathematics.
Two techniques are prevalent today: one is very general—cryptography—and
one is specific—steganography.
CRYPTOGRAPHY
Some security services can be implemented using cryptography. Cryptography, a
word with Greek origins, means “secret writing”.
Steganography
The word steganography, with its origin in Greek, means “covered writing”, in
contrast to cryptography, which means
“secret writing”.
Symmetric-Key Cryptography
Figure 16.4 shows the general idea behind symmetric-key cryptography. Alice
can send a message to Bob over an insecure channel with the assumption that an
adversary, Eve, cannot understand the contents of the message by simply
eavesdropping on the channel.
The original message from Alice to Bob is referred to as plaintext; the message
that is sent through the channel is referred to as the ciphertext. Alice uses an
encryption algorithm and a shared secret key. Bob uses a decryption algorithm
and the same secret key.
Traditional ciphers
Traditional ciphers used two techniques for hiding information from an
intruder: substitution and transposition.
Substitution ciphers
A substitution cipher replaces one symbol with another. If the symbols in the
plaintext are alphabetic characters, we replace one character with another.
Example 16.1
Use the additive cipher with key = 15 to encrypt the message "hello".
Solution
We apply the encryption algorithm C = (P + 15) mod 26 to the plaintext,
character by character (a = 0, b = 1, ..., z = 25):
h (07) + 15 = 22 → w
e (04) + 15 = 19 → t
l (11) + 15 = 26 mod 26 = 0 → a
l (11) + 15 = 26 mod 26 = 0 → a
o (14) + 15 = 29 mod 26 = 3 → d
The ciphertext is therefore "wtaad".


Transposition ciphers
A transposition cipher does not substitute one symbol for another, instead it
changes the location of the symbols. A symbol in the first position of the plaintext
may appear in the tenth position of the ciphertext, while a symbol in the eighth
position in the plaintext may appear in the first position of the ciphertext. In other
words, a transposition cipher reorders (transposes) the symbols.
Example 16.2
Alice needs to send the message "Enemy attacks tonight" to Bob. Alice and
Bob have agreed to divide the text into groups of five characters and then
permute the characters in each group. The following shows the grouping after
removing the spaces and adding a bogus character (z) at the end to make the last
group the same size as the others:
enemy attac kston ightz
The key used for encryption and decryption is a permutation key, which shows
how the characters are permuted. For this message, assume that Alice and Bob
used the following key:
Encryption key: 3 1 4 5 2
Decryption key: 2 5 1 3 4
The third character in the plaintext block becomes the first character in the
ciphertext block, the first character in the plaintext block becomes the second
character in the ciphertext block, and so on. The permutation yields:
eemyn taact tkons hitzg
Alice sends the ciphertext "eemyntaacttkonshitzg" to Bob. Bob divides the
ciphertext into five-character groups and, using the inverse permutation (the
decryption key above), finds the plaintext.
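As an added example (not the notes' own code), the following Python implements both traditional ciphers exactly as used in Examples 16.1 and 16.2 and reproduces their results. The brute-force helper is an addition that shows why the additive cipher counts as insecure: there are only 25 usable keys.

```python
"""Additive (shift) cipher of Example 16.1 and the keyed block transposition
of Example 16.2. Added illustration, not the notes' own code; the brute-force
helper is an addition showing why the additive cipher is no longer secure.
"""
import string

ALPHABET = string.ascii_lowercase


def additive_encrypt(plaintext, key):
    """C = (P + key) mod 26 per letter, a = 0 ... z = 25; other characters pass through."""
    return "".join(
        ALPHABET[(ALPHABET.index(c) + key) % 26] if c in ALPHABET else c
        for c in plaintext.lower()
    )


def additive_decrypt(ciphertext, key):
    """P = (C - key) mod 26: decryption is encryption with the negated key."""
    return additive_encrypt(ciphertext, -key)


def additive_brute_force(ciphertext, crib):
    """Only 25 usable keys: try them all and keep those that reveal the crib."""
    return [k for k in range(1, 26) if crib in additive_decrypt(ciphertext, k)]


def transposition_encrypt(plaintext, key, pad="z"):
    """key[i] (1-based) is the plaintext position that lands in ciphertext position i.

    Spaces are removed, text is lowercased, and the last block is padded
    with a bogus character, exactly as in Example 16.2.
    """
    text = plaintext.replace(" ", "").lower()
    n = len(key)
    text += pad * (-len(text) % n)              # pad the final block to a full group
    return "".join(
        "".join(text[i + k - 1] for k in key) for i in range(0, len(text), n)
    )


def transposition_decrypt(ciphertext, key):
    """Invert the permutation: if key sends position p to position i, the inverse sends i back to p."""
    inverse = [0] * len(key)
    for i, p in enumerate(key, start=1):
        inverse[p - 1] = i
    return transposition_encrypt(ciphertext, inverse)


if __name__ == "__main__":
    print(additive_encrypt("hello", 15))                                   # wtaad
    print(additive_brute_force("wtaad", "hello"))                           # [15]
    print(transposition_encrypt("Enemy attacks tonight", [3, 1, 4, 5, 2]))  # eemyntaacttkonshitzg
    print(transposition_decrypt("eemyntaacttkonshitzg", [3, 1, 4, 5, 2]))   # enemyattackstonightz
```

Computing the decryption key from the encryption key, rather than agreeing on both, is what Bob does when he "uses the key in reverse": the inverse of 3 1 4 5 2 is 2 5 1 3 4.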
Modern symmetric-key ciphers
Since traditional ciphers are no longer secure, modern symmetric-key ciphers
have been developed during the last few decades. Modern ciphers normally use a
combination of substitution, transposition and some other complex
transformations to create a ciphertext from a plaintext. Modern ciphers are bit-
oriented (instead of character-oriented). The plaintext, ciphertext and the key are
strings of bits. In this section we briefly discuss two examples of modern
symmetric-key ciphers: DES and AES. The coverage of these two ciphers is
short: interested readers can consult the references at the end of the chapter for
more details.
DES
The Data Encryption Standard (DES) is a symmetric-key block cipher published
by the National Institute of Standards and Technology (NIST) in 1977. DES has
been the most widely used symmetric-key block cipher since its publication.
AES
The Advanced Encryption Standard (AES) is a symmetric-key block cipher
published by the US National Institute of Standards and Technology (NIST) in
2001 in response to the shortcomings of DES, in particular its 56-bit key,
which had become practical to search exhaustively. See Figure 16.6.

Asymmetric-Key Cryptography
Figure shows the general idea of asymmetric-key cryptography as used for
confidentiality. Unlike symmetric-key cryptography, asymmetric-key
cryptography uses two distinct keys: a private key and a public key. If
encryption and decryption are thought of as locking and unlocking padlocks
with keys, then a padlock that is locked with the public key can be unlocked
only with the corresponding private key. The public key must also be
authentic: Eve should not be able to advertise her own public key to the
community pretending that it is Bob's public key.
Example 16.3
Bob chooses p = 7 and q = 11 and calculates n = 7 × 11 = 77. He then chooses
two exponents, e = 13 and d = 37, such that e × d ≡ 1 (mod (p - 1)(q - 1));
here (p - 1)(q - 1) = 60 and 13 × 37 = 481 = 8 × 60 + 1. The public key is
(n = 77, e = 13) and the private key is (d = 37). Now imagine that Alice
wants to send the plaintext 5 to Bob. The following shows the encryption and
decryption:
Encryption: C = P^e mod n = 5^13 mod 77 = 26
Decryption: P = C^d mod n = 26^37 mod 77 = 5
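As an added example (not the notes' own code), the following Python carries Example 16.3 through with the textbook numbers and makes the "complex process" explicit: d is the inverse of e modulo (p - 1)(q - 1). The factoring helper is an addition that shows why these toy parameters are for arithmetic only; with n = 77 anyone can recover the private key from the public one.

```python
"""RSA with the toy numbers of Example 16.3 (p = 7, q = 11, e = 13).
Added illustration, not the notes' own code. The factoring helper is an
addition showing why real moduli are hundreds of digits long.
"""
from math import gcd


def rsa_keygen(p, q, e):
    """Return ((n, e), (n, d)) with e*d = 1 mod phi(n), phi(n) = (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public_key, m):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer in [0, n)")
    return pow(m, e, n)          # C = P^e mod n


def rsa_decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)          # P = C^d mod n


def factor_attack(public_key):
    """Recover the private exponent from (n, e) alone by trial division.

    Feasible here only because n = 77; the size of a real n is what rules
    this out in practice.
    """
    n, e = public_key
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            q = n // p
            return p, q, pow(e, -1, (p - 1) * (q - 1))
    return None


def example_16_3():
    """Bob's keys, Alice's ciphertext for plaintext 5, and Bob's recovery of it."""
    public_key, private_key = rsa_keygen(7, 11, 13)
    c = rsa_encrypt(public_key, 5)
    return {
        "public": public_key,             # (77, 13)
        "private": private_key,           # (77, 37)
        "ciphertext": c,                  # 26
        "recovered": rsa_decrypt(private_key, c),  # 5
    }


if __name__ == "__main__":
    print(example_16_3())
    print(factor_attack((77, 13)))        # (7, 11, 37): the private key, from public data
```

Textbook RSA like this is also deterministic (the same plaintext always gives the same ciphertext) and malleable; deployed RSA wraps the message in a padding scheme such as OAEP before exponentiation.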
Asymmetric-Key Cryptography
Both symmetric-key and asymmetric-key cryptography will continue to exist in
parallel. We believe that they are complements of each other: the advantages of
one can compensate for the disadvantages of the other.
The number of secrets
The conceptual differences between the two systems are based on how these
systems keep a secret. In symmetric-key cryptography, the secret token must be
shared between two parties. In asymmetric-key cryptography, the token is
unshared: each party creates its own token.
Symmetric-key cryptography is based on sharing secrecy;
asymmetric-key cryptography is based on personal secrecy.
A need for both systems
There are other aspects of security besides confidentiality that need asymmetric-
key cryptography. These include authentication and digital signatures (discussed
later). Whereas symmetric-key cryptography is based on substitution and
permutation of symbols, asymmetric-key cryptography is based on applying
mathematical functions to numbers.
In symmetric-key cryptography, symbols are permuted or substituted:
in asymmetric-key cryptography, numbers are manipulated.
ACCESS CONTROL DEVICES
Successful access control system includes number of components, depending on
system’s needs for authentication and authorization
Strong authentication requires at least two forms of authentication to authenticate
the supplicant’s identity
The technology to manage authentication based on what a supplicant knows is
widely integrated into the networking and security software systems in use across
the IT industry
Authentication
Authentication is validation of a supplicant’s identity
Four general ways in which authentication is carried out:
What a supplicant knows
What a supplicant has
Who a supplicant is
What a supplicant produces
Authorization: Are you allowed to do that?
Once you have access, what can you do?
Enforces limits on actions
Note: Access control often used as synonym for authorization
Authentication
How to authenticate a human to a machine?
Can be based on…
Something you know
For example, a password
Something you have
For example, a smartcard
Something you are
For example, your fingerprint
Passwords
Lots of things act as passwords!
PIN
Social security number
Mother’s maiden name
Date of birth
Name of your pet, etc.
Trouble with Passwords
“Passwords are one of the biggest practical problems facing security engineers
today.”
“Humans are incapable of securely storing high-quality cryptographic keys, and
they have unacceptable speed and accuracy when performing cryptographic
operations. (They are also large, expensive to maintain, difficult to manage, and
they pollute the environment. It is astonishing that these devices continue to be
manufactured and deployed.)”
Why Passwords?
Why is “something you know” more popular than “something you have” and
“something you are”?
Cost: passwords are free
Convenience: easier for a sysadmin to reset a password than to issue the user a
new thumb
Keys vs Passwords
Crypto keys
Suppose a key is 64 bits
Then there are 2^64 keys
Choose the key at random
Then the attacker must try about 2^63 keys on average
Passwords
Suppose passwords are 8 characters, with 256 different characters
Then 256^8 = 2^64 passwords
Users do not select passwords at random
Attacker has far less than 2^63 passwords to try (dictionary attack)
Good and Bad Passwords
Bad passwords
frank
Fido
password
4444
Pikachu
102560
Good Passwords?
jfIej,43j-EmmL+y
09864376537263
P0kem0N
FSa7Yago
0nceuP0nAt1m8
Password Experiment
Three groups of users; each group advised to select passwords as follows
Group A: At least 6 chars, 1 non-letter
Group B: Password based on passphrase
Group C: 8 random characters
Results
Group A: About 30% of pwds easy to crack
Group B: About 10% cracked
Passwords easy to remember
Group C: About 10% cracked
Passwords hard to remember
User compliance hard to achieve
In each case, 1/3rd did not comply (and about 1/3rd of those easy to crack!)
Assigned passwords sometimes best
If passwords not assigned, best advice is
Choose passwords based on passphrase
Use pwd cracking tool to test for weak pwds
Require periodic password changes?
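"Use a password cracking tool to test for weak passwords" in practice means applying the same mangling rules a cracker applies (case folding, undoing leet-speak) before looking the candidate up in a wordlist. The following is an added example written for these notes, not a tool from the original: a small checker that applies those normalisations and the Group A/C style rules to the "Good and Bad Passwords" lists above. The wordlist and the leet table are constructed and deliberately tiny; a real audit would use a cracking dictionary with millions of entries.

```python
import re

# Constructed mini wordlist for the example; a real check uses a cracking
# dictionary of millions of entries (e.g. the lists shipped with John the Ripper).
COMMON_WORDS = {
    "frank", "fido", "password", "pikachu", "pokemon", "letmein", "qwerty",
}

# Character substitutions that cracking tools undo via "mangling rules":
# P0kem0N -> pokemon, so leet-speak buys almost nothing.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "!": "i",
})


def normalize(password):
    """Case-fold and undo leet substitutions the way a cracker's rules would."""
    return password.lower().translate(LEET)


def weak_reasons(password, min_len=8):
    """Return the list of reasons a password would be flagged; [] means it passes."""
    reasons = []
    if len(password) < min_len:
        reasons.append("too short")
    if password.isdigit():
        reasons.append("digits only")
    elif password.isalpha():
        reasons.append("letters only")
    if len(set(password)) == 1:
        reasons.append("single repeated character")
    if re.fullmatch(r"\d{6}|\d{8}", password):
        reasons.append("looks like a date")          # e.g. 102560 = 10/25/60
    if normalize(password) in COMMON_WORDS:
        reasons.append("dictionary word after leet/case normalization")
    return reasons


def audit(passwords):
    """Map each candidate to its findings, as a cracking-tool-style report."""
    return {pw: weak_reasons(pw) for pw in passwords}


if __name__ == "__main__":
    for pw, why in audit(["frank", "4444", "102560", "P0kem0N",
                          "jfIej,43j-EmmL+y", "FSa7Yago"]).items():
        print(f"{pw:20s} {'OK' if not why else ', '.join(why)}")
```

The passphrase-derived FSa7Yago passes every rule here, which matches the experiment's finding that Group B passwords resist cracking about as well as random ones while staying memorable; P0kem0N fails because normalisation turns it straight back into a dictionary word.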
Attacks on Passwords
Attacker could…
Target one particular account
Target any account on system
Target any account on any system
Attempt denial of service (DoS) attack
Common attack path
Outsider → normal user → administrator
May only require one weak password!
Password Retry
Suppose system locks after 3 bad passwords. How long should it lock?
5 seconds
5 minutes
Until SA restores service
What are +’s and -’s of each?
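The trade-off the question above is after: a short lock merely slows online guessing, while "until the SA restores service" turns three wrong guesses into a denial of service against the victim. The following is an added example, not code from the notes; it models per-account lockout with an injected clock (so the scenarios are deterministic) and gives an upper bound on online guesses per day for each lock duration. The account names and timings are constructed.

```python
class LockoutPolicy:
    """Lock an account after max_failures consecutive bad passwords.

    lock_seconds is the lock duration; None means 'locked until an
    administrator resets it' (the third option on the slide)."""

    def __init__(self, max_failures=3, lock_seconds=300):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = {}        # account -> consecutive failures
        self.locked_until = {}    # account -> unlock time (inf = indefinite)

    def is_locked(self, account, now):
        return now < self.locked_until.get(account, float("-inf"))

    def attempt(self, account, password_ok, now):
        """Record one login attempt at time `now`; return 'ok', 'bad' or 'locked'."""
        if self.is_locked(account, now):
            return "locked"           # the correct password is refused too
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = (float("inf") if self.lock_seconds is None
                                          else now + self.lock_seconds)
            self.failures[account] = 0
        return "bad"

    def admin_reset(self, account):
        self.locked_until.pop(account, None)
        self.failures[account] = 0

    def online_guesses_per(self, seconds):
        """Upper bound on online guesses an attacker gets against one account."""
        if self.lock_seconds is None:
            return self.max_failures           # after that the victim is locked out (DoS)
        return self.max_failures * max(1, seconds // self.lock_seconds)


def demo():
    """Constructed scenario: attacker burns the three tries, victim logs in after."""
    short = LockoutPolicy(3, 5)
    for t in (0, 1, 2):
        short.attempt("alice", False, t)              # attacker's guesses
    victim_at_3 = short.attempt("alice", True, 3)     # 'locked'
    victim_at_7 = short.attempt("alice", True, 7)     # 'ok' once the 5 s expire

    admin_only = LockoutPolicy(3, None)
    for t in (0, 1, 2):
        admin_only.attempt("bob", False, t)
    bob_next_day = admin_only.attempt("bob", True, 86400)   # still 'locked': cheap DoS

    return {"victim_at_3": victim_at_3, "victim_at_7": victim_at_7,
            "bob_next_day": bob_next_day,
            "guesses_per_day_5s": LockoutPolicy(3, 5).online_guesses_per(86400),
            "guesses_per_day_5min": LockoutPolicy(3, 300).online_guesses_per(86400)}
```

A 5 second lock still allows on the order of 50,000 guesses a day against one account (enough for a dictionary attack), 5 minutes cuts that to under 1,000, and the indefinite lock stops guessing at three attempts at the price of letting anyone lock any account they can name.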
Password File
Bad idea to store passwords in a file
But need a way to verify passwords
Cryptographic solution: hash the passwords
Store y = h(password)
Can verify entered password by hashing
If attacker obtains password file, they do not directly obtain the passwords
But attacker with password file can guess x and check whether y = h(x)
If so, attacker has found password!
Dictionary Attack
Attacker pre-computes h(x) for all x in a dictionary of common passwords
Suppose attacker gets access to password file containing hashed passwords
Attacker only needs to compare hashes to his pre-computed
dictionary
Same attack will work each time
Can we prevent this attack? Or at least make attacker’s job more difficult?
Password Cracking: Do the Math
Assumptions
Passwords are 8 chars, 128 choices per character
Then 128^8 = 2^56 possible passwords
There is a password file with 2^10 passwords
Attacker has a dictionary of 2^20 common passwords
Probability of 1/4 that a pwd is in dictionary
Work is measured by number of hashes
Password Cracking
Attack 1 password without dictionary
Must try 2^56/2 = 2^55 on average
Just like exhaustive key search
Attack 1 password with dictionary
Expected work is about 1/4 (2^19) + 3/4 (2^55) ≈ 2^54.6
But in practice, try all in dictionary and quit if not found ⇒ work is at most
2^20 and probability of success is 1/4
Attack any of 1024 passwords in file
Without dictionary
Assume all 2^10 passwords are distinct
Need 2^55 comparisons before we expect to find a password
If no salt, each hash computation gives 2^10 comparisons ⇒ the
expected work (number of hashes) is 2^55/2^10 = 2^45
If salt is used, expected work is 2^55 since each comparison requires a
new hash computation
Attack any of 1024 passwords in file
With dictionary
Probability at least one password is in dictionary is 1 − (3/4)^1024 ≈ 1
We ignore case where no password is in dictionary
If no salt, work is about 2^19/2^10 = 2^9
If salt, expected work is less than 2^22
Note: If no salt, we can precompute all dictionary hashes and
amortize the work over every account in the file
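The arithmetic above (hash once, compare against every account, versus one fresh hash per word and per account) can be checked by counting hash computations. The following is an added example written for these notes, not code from the original: a store of y = h(salt ‖ password) with an empty salt for the unsalted case, and a dictionary attack that reports how many hashes it computed. The 1024-word dictionary and the 16-account file (four users chose dictionary words) are constructed; SHA-256 is used as a fast hash so the counts match the slide's model, whereas a real password store would use a deliberately slow salted hash such as bcrypt, scrypt or Argon2.

```python
import hashlib
import os

# Fast hash so the hash counts match the slide arithmetic. A production store
# would use a deliberately slow, salted password hash (bcrypt, scrypt, Argon2).
def h(data):
    return hashlib.sha256(data).digest()


def make_entry(password, salted):
    """Return (salt, digest). With salted=False the salt is empty, as on the slide."""
    salt = os.urandom(16) if salted else b""
    return salt, h(salt + password.encode())


def verify(entry, candidate):
    salt, digest = entry
    return h(salt + candidate.encode()) == digest


def dictionary_attack(password_file, dictionary, salted):
    """Crack what it can; return (cracked, number_of_hash_computations)."""
    cracked, hashes = {}, 0
    if not salted:
        # Precompute each dictionary hash ONCE; every account gets compared
        # against the table for free, so the work is amortised over the file.
        table = {}
        for word in dictionary:
            table[h(word.encode())] = word
            hashes += 1
        for user, (_, digest) in password_file.items():
            if digest in table:
                cracked[user] = table[digest]
    else:
        # Salt binds each hash to one account: a fresh hash per (word, account).
        for user, (salt, digest) in password_file.items():
            for word in dictionary:
                hashes += 1
                if h(salt + word.encode()) == digest:
                    cracked[user] = word
                    break
    return cracked, hashes


# Constructed sample data: a 1024-word "dictionary" and a 16-account file in
# which four users chose dictionary words and twelve chose random strings.
DICTIONARY = ["password", "frank", "fido", "pikachu"] + [f"word{i}" for i in range(1020)]


def build_password_file(salted):
    users = {f"user{i}": make_entry(os.urandom(12).hex(), salted) for i in range(12)}
    for i, weak in enumerate(["password", "frank", "fido", "pikachu"]):
        users[f"weak{i}"] = make_entry(weak, salted)
    return users


def compare():
    """Run the attack against an unsalted and a salted file; return the hash counts."""
    cracked_u, hashes_u = dictionary_attack(build_password_file(False), DICTIONARY, False)
    cracked_s, hashes_s = dictionary_attack(build_password_file(True), DICTIONARY, True)
    return {"cracked_unsalted": sorted(cracked_u), "hashes_unsalted": hashes_u,
            "cracked_salted": sorted(cracked_s), "hashes_salted": hashes_s}


if __name__ == "__main__":
    print(compare())
```

Both runs crack the same four weak accounts, but the unsalted file costs exactly one hash per dictionary word (1024) while the salted file costs a hash for every word tried against every account (12298 here, and the full 16 × 1024 if no account matched). Salt removes the amortisation and defeats precomputed tables; it does not make a weak password strong, which is why a slow hash is used on top of it.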
Password cracking is too easy!
One weak password may break security
Users choose bad passwords
Social engineering attacks, etc.
The bad guy has all of the advantages
All of the math favours bad guys
Passwords are a big security problem
Password Cracking Tools
Popular password cracking tools
Password Crackers
Password Portal
L0phtCrack and LC4 (Windows)
John the Ripper (Unix)
Admins should use these tools to test for weak passwords since attackers will!
Good article on password cracking
Passwords - Cornerstone of Computer Security
Biometric
“You are your key” (Schneier)
Examples
Fingerprint
Handwritten signature
Facial recognition
Speech recognition
Gait (walking) recognition
“Digital doggie” (odour recognition)
Many more!
Why Biometrics?
Biometrics seen as desirable replacement for passwords
Cheap and reliable biometrics needed
Today, a very active area of research
Biometrics are used in security today
Thumbprint mouse
Palm print for secure entry
Fingerprint to unlock car door, etc.
But biometrics not too popular
Has not lived up to its promise (yet)
Ideal Biometric
Universal: applies to (almost) everyone
In reality, no biometric applies to everyone
Distinguishing: distinguishes with certainty
In reality, cannot hope for 100% certainty
Permanent: physical characteristic being measured never changes
In reality, want it to remain valid for a long time
Collectable: easy to collect required data
Depends on whether subjects are cooperative
Safe, easy to use, etc., etc.
Biometric Modes
Identification: Who goes there?
Compare one to many
Example: The FBI fingerprint database
Authentication: Is that really you?
Compare one to one
Example: Thumbprint mouse
Identification problem more difficult
More “random” matches since more comparisons
Fingerprint Comparison
Examples of loops, whorls and arches
Minutia extracted from these features
PHYSICAL SECURITY
Introduction
Physical security addresses design, implementation, and maintenance of
countermeasures that protect physical resources of an organization.
Most controls can be circumvented if attacker gains physical access
Physical security is as important as logical security
Seven major sources of physical loss
Extreme temperature
Gases
Liquids
Living organisms
Projectiles
Movement
Energy anomalies
Community roles
General management: responsible for facility security
IT management and professionals: responsible for environmental and access
security
Information security management and professionals: perform risk assessments and
implementation reviews
Physical Access Controls
Secure facility: physical location engineered with controls designed to minimize
risk of attacks from physical threats
Secure facility can take advantage of natural terrain, traffic flow, and degree
of urban development; can complement these with protection mechanisms
(fences, gates, walls, guards, alarms)
1 Controls for Protecting the Secure Facility
Walls, fencing, and gates
Guards
Dogs
ID Cards and badges
Locks and keys
Mantraps
Electronic monitoring
Alarms and alarm systems
Computer rooms and wiring closets
Interior walls and doors
2 ID Cards and Badges
Ties physical security with information access control
ID card is typically concealed
Name badge is visible
Serve as simple form of biometrics (facial recognition)
Should not be only means of control as cards can be easily duplicated, stolen, and
modified
Tailgating occurs when unauthorized individual follows authorized user through
the control
3 Locks and Keys
Two types of locks: mechanical and electromechanical
Locks can also be divided into four categories: manual, programmable, electronic,
biometric
Locks fail and alternative procedures for controlling access must be put in place
Locks fail in one of two ways
Fail-safe lock: unlocks when power or control fails (favours life safety)
Fail-secure lock: stays locked when power or control fails (favours asset
security; a separate emergency exit path is required)
4 Mantraps
Small enclosure that has entry point and different exit point
Individual enters mantrap, requests access, and if verified, is allowed to exit
mantrap into facility
Individual denied entry is not allowed to exit until security official overrides
automatic locks of the enclosure
5 Electronic Monitoring
Records events where other types of physical controls are impractical or
incomplete
May use cameras with video recorders; includes closed-circuit television (CCTV)
systems
Drawbacks
Reactive; do not prevent access or prohibited activity
Recordings often not monitored in real time; must be reviewed to have any value
Alarms and Alarm Systems
Alarm systems notify when an event occurs
Detect fire, intrusion, environmental disturbance, or an interruption in services
Rely on sensors that detect event; e.g., motion detectors, smoke detectors, thermal
detectors, glass breakage detectors, weight sensors, contact sensors, vibration
sensors
6 Computer Rooms and Wiring Closets
Require special attention to ensure confidentiality, integrity, and availability of
information
Logical controls easily defeated if attacker gains physical access to computing
equipment
Custodial staff often the least scrutinized persons who have access to offices; are
given greatest degree of unsupervised access
7 Interior Walls and Doors
Information asset security sometimes compromised by construction of facility
walls and doors
Facility walls typically either standard interior or firewall
High-security areas must have firewall-grade walls to provide physical security
from potential intruders and improve resistance to fires
Doors allowing access to high security rooms should be evaluated
Recommended that push or crash bars be installed on computer rooms and closets
8 Fire Security and Safety
Most serious threat to safety of people who work in an organization is possibility of
fire
Fires account for more property damage, personal injury, and death than any other
threat
Imperative that physical security plans examine and implement strong measures to
detect and respond to fires
9 Fire Detection and Response
Fire suppression systems: devices installed and maintained to detect and respond to
a fire
Deny an environment of heat, fuel, or oxygen
Water and water mist systems
Carbon dioxide systems
Soda acid systems
Gas-based systems
10 Fire Detection
Fire detection systems fall into two general categories: manual and automatic
Part of a complete fire safety program includes individuals that monitor chaos of
fire evacuation to prevent an attacker accessing offices
There are three basic types of fire detection systems: thermal detection, smoke
detection, flame detection
11 Fire Suppression
Systems consist of portable, manual, or automatic apparatus
Portable extinguishers are rated by the type of fire: Class A, Class B, Class C,
Class D
Installed systems apply suppressive agents; usually either sprinkler or gaseous
systems
Power Management and Conditioning
Electrical quantity (voltage level; amperage rating) is a concern, as is quality of
power (cleanliness; proper installation)
Noise that interferes with the normal 60 Hertz cycle can result in inaccurate time
clocks or unreliable internal clocks inside CPU
Grounding ensures that returning flow of current is properly discharged to ground
Overloading a circuit causes problems with circuit tripping and can overload
electrical cable, increasing risk of fire
Inventory Management
Computing equipment should be inventoried and inspected on a regular basis
Classified information should also be inventoried and managed
Physical security of computing equipment, data storage media and classified
documents varies for each organization
SECURITY AND PERSONNEL
Introduction
When implementing information security, there are many human resource issues
that must be addressed
Positioning and naming
Staffing
Evaluating impact of information security across every role in IT function
Integrating solid information security concepts into personnel practices
Employees often feel threatened when organization is creating or enhancing overall
information security program
Positioning and Staffing the Security Function
The security function can be placed within:
IT function
Physical security function
Administrative services function
Insurance and risk management function
Legal department
Organizations balance needs of enforcement with needs for education, training,
awareness, and customer service
Staffing The Information Security Function
Selecting personnel is based on many criteria, including supply and demand
Many professionals enter security market by gaining skills, experience, and
credentials
At present, information security industry is in period of high demand
Qualifications and Requirements
The following factors must be addressed:
Management should learn more about position requirements and qualifications
Upper management should learn about budgetary needs of information security
function
IT and management must learn more about level of influence and prestige the
information security function should be given to be effective
Organizations typically look for technically qualified information security
generalist
Organizations look for information security professionals who understand:
How an organization operates at all levels
Information security usually a management problem, not a technical
problem
Strong communications and writing skills
The role of policy in guiding security efforts
Organizations look for (continued):
Most mainstream IT technologies
The terminology of IT and information security
Threats facing an organization and how they can become attacks
How to protect organization’s assets from information security attacks
How business solutions can be applied to solve specific information
security problems
Entry into the Information Security Profession
Many information security professionals enter the field through one of two career
paths:
Law enforcement and military
Technical, working on security applications and processes
Today, students select and tailor degree programs to prepare for work in
information security
Organizations can foster greater professionalism by matching candidates to
clearly defined expectations and position descriptions
Information Security Positions
Use of standard job descriptions can increase degree of professionalism and
improve the consistency of roles and responsibilities between organizations
Charles Cresson Wood’s book Information Security Roles and Responsibilities
Made Easy offers set of model job descriptions
Chief Information Security Officer (CISO or CSO)
Top information security position; frequently reports to
Chief Information Officer
Manages the overall information security program
Drafts or approves information security policies
Works with the CIO on strategic plans
Chief Information Security Officer (CISO or CSO) (continued)
Develops information security budgets
Sets priorities for information security projects and technology
Makes recruiting, hiring, and firing decisions or recommendations
Acts as spokesperson for information security team
Typical qualifications: accreditation; graduate degree; experience
Security Manager
Accountable for day-to-day operation of information security program
Accomplish objectives as identified by CISO
Typical qualifications: not uncommon to have accreditation; ability to draft middle
and lower level policies, standards and guidelines; budgeting, project management,
and hiring and firing; manage technicians
Employment Policies and Practices
Management community of interest should integrate solid information security
concepts into organization’s employment policies and practices
Organization should make information security a documented part of every
employee’s job description
From information security perspective, hiring of employees is a responsibility
laden with potential security pitfalls
CISO and information security manager should provide human resources with
information security input to personnel hiring guidelines
Termination
When employee leaves organization, there are a number of security-related issues
Key is protection of all information to which employee had access
Once cleared, the former employee should be escorted from premises
Many organizations use an exit interview to remind former employee of
contractual obligations and to obtain feedback
Hostile departures include termination for cause, permanent downsizing, temporary
lay-off, or some instances of quitting
Before employee is aware, all logical and keycard access is terminated
Employee collects all belongings and surrenders all keys, keycards, and other
company property
Employee is then escorted out of the building
Friendly departures include resignation, retirement, promotion, or relocation
Employee may be notified well in advance of departure date
More difficult for security to maintain positive control over employee’s access and
information usage
Employee access usually continues with new expiration date
Employees come and go at will, collect their own belongings, and leave on their
own
Offices and information used by the employee must be inventoried; files stored or
destroyed; and property returned to organizational stores
Possible that employees foresee departure well in advance and begin collecting
organizational information for their future employment
Only by scrutinizing systems logs after employee has departed can organization
determine if there has been a breach of policy or a loss of information
If information has been copied or stolen, action should be declared an incident and
the appropriate policy followed