Security Counter Measures Flashcards
Difficulties of Passwords
Passwords are a trade-off between password complexity and human memory faculties.
- A password does not authenticate a person, only that they know a particular secret
For this, secondary forms of authentication can be used, such as:
- Two-factor authentication.
- One-time passwords.
- Personal delivery courier.
Security Design Principles
- A combination of mechanisms can enhance protection
- Security by obscurity only protects against a casual intruder
- Where possible, separate security-relevant data from data that should be openly available.
- You have to balance convenience and security
Encryption and access control are used to guard password files. This can be referred to as defence in depth.
Refrain from placing much trust in this strategy. Out of sight, out of mind does not work on a determined attacker.
Shadow password files achieve the desired separation
Access Control
Access control is crucial in computer systems for maintaining integrity and securing shared resources like memory and printers.
Password authentication is used to grant or deny access to objects, while reference monitors grant or deny access based on the subject’s request.
Principals, either human or software, are stored in an access control list (ACL) attached to the object.
Objects can be files or resources, and an entity can be a subject in one access request and an object in another.
Access Control Matrix
An ACL corresponds to a column of the access control matrix and states who may access a given object
Grouping
Grouping simply means bringing users with similar access rights together
Protection Rings
Protection rings are an intermediate layer of hardware-based access control for processes in an operating system.
Each process is assigned a number based on its importance, with ring 0 providing the highest degree of protection.
These rings are used for integrity protection, ensuring that memory locations containing sensitive data can only be accessed by processes running in ring 0 or 1.
0 – operating system kernel;
1 – operating system;
2 – utilities;
3 – user processes
Policy Instantiation
By applying access control, grouping and protection rings, access control algorithms are created.
Security Subsystem
- Logon process (winlogon) – the process that authenticates a user when logging on.
- Local security authority (LSA) – involved at logon when it checks the user account and creates an access token; it is also responsible for auditing functions.
- Security account manager (SAM) – maintains the user account database used by the LSA during user authentication for local logon.
Cryptography
- The traditional definition of cryptography is the science of secret writing.
- Roots in communications security to enable two users to secretly communicate without third-party eavesdropping.
- The aim of cryptography is to provide:
- Confidentiality – hiding the content of messages;
- Integrity – by detecting whether a message has been changed;
- Authentication – digital signature provides the means to verify the source and integrity of a message.
Cryptography in Computer Security
- Symmetric encryption mechanisms – Vault for useful secrets.
- Private key – Select people who can add to the Vault.
- Public key – Select people who can take select information from the vault.
- Fingerprints (hashes) – a unique identifier for a document.
Digital Signatures
The verification process in a digital signature involves a key generation, signing, and verification algorithm. The document’s contents and secret are known to the signer, and the signature associates it with a public verification key. In some cases, the document can be recovered from the signature.
Encryption
Two ways encryption algorithms use keys:
- Deterministic - always maps a plaintext to the same ciphertext for a fixed key.
- Probabilistic - gives different results for different encryptions of the same plaintext under the same key.
- Encryption algorithms come in two flavours:
- Symmetric, where the same key is used for encryption and decryption.
- Asymmetric, or public-key algorithms, use different keys for encryption and decryption.
Encryption Cypher
- Block ciphers
- Encrypts larger blocks of data, typically 64-bit blocks, with a complex encryption function
- Stream ciphers
- Encrypts smaller blocks of data, typically bits or bytes, with a simple encryption function, e.g. bitwise exclusive-OR
Communications Security
The attacker can be passive or active.
- A passive attacker just listens to traffic.
- An active attacker may modify messages, insert new messages, or corrupt network management information.
Secure Tunnels
Secure tunnels tend to be built in the following steps:
- Key establishment
- Key derivation
- Further traffic
IP Security
Authentication Header
- Protects the integrity and authenticity but not confidentiality.
Encapsulating Security Payloads
- Provide confidentiality, data origin authentication, data integrity, replay protection, and limited traffic flow confidentiality.