W10 - SECURE COMPUTING Flashcards
W10-1: (a) Credentials (b) Authentication
(a) represent WHO you are:
_ Photo ID: passport, student card, driver’s license
_ Seneca Diploma (CPA/CPD)
_ User ID + Password
(b) is the VERIFICATION and ACCEPTANCE of Credentials.
W10-2: What is “Authorization”?
_ is “giving someone PERMISSION to do or to access something.”
e.g. access to a system/network, a directory/folder, to read and/or write a file.
_ Grant the MINIMUM authority a user needs to do their job and no more.
_ Where HIGH level authority is needed
e.g. to reset a password, wrap it inside a program/script which inherits the needed authority but restricts user actions.
_ Minimum TWO UserIDs:
+ one for DEVELOPMENT (cannot change production)
+ one for ADMINISTRATION and/or SECURITY
+ almost never Superuser or root (mistakes can be fatal to your career)
W10-3: Browser Security
_ Look for HTTPS before signing on.
_ Use HTTPS on your server
_ OpenDNS blocks malicious domains, optional DNS filtering
_ DNSCrypt and/or 1.1.1.1 or Quad9 DNS servers for privacy
_ NoScript – additional defence against cross-site scripting, cross-site request forgery, clickjacking, man-in-the-middle attacks, and DNS rebinding.
+ Firefox only, similar tools for other browsers.
_ chrome://settings/cleanup
W10-4: Password Defense
_ Password Managers: e.g. LastPass or Dashlane
+ Creates long, strong, random-character passwords, unique per account.
+ Must remember one quite long (and strong and random) password.
_ Diceware PassPhrase: long memorable password of random words
+ Generate a 5 digit random number using dice.
+ Look up the word on the list with that number. Do it five or six times.
_ I have a User ID and Password! Third party authentication
+ Use your Google / Facebook account. Now Google and FB know another site you use. That site will ask for access to your Google or FB account info. READ THE AUTHORIZATION PERMISSIONS REQUESTED!
+ use OpenID Connect or SecureKey, not OAuth 2.0
W10-5: Two Factor Authentication – 2FA
Many organizations use 2 factor authentication to verify password sign on and guard against phishing + cracking:
1/ Something I know (user ID + password, PIN)
2/ Something I have: FIDO2 Universal 2nd Factor (U2F), phone, bank / credit / access card, dongle
W10-6: PIN: Probably Insecure Number
4 digit PINs used by banks and credit cards as 2FA
W10-7: Three Factor Authentication – 3FA
Most secure and most expensive:
1/ Something I know: user ID + password, PIN
2/ Something I have: phone, dongle, bank / credit / access card
3/ Something I am: iris scan, fingerprint, face, heart’s EKG pattern.
EX: Nymi is 2. + 3.
A wrist band + electrocardiogram, uses NFC.
Newer phones scan fingerprint.
W10-8: Security Needs
_ Stop fixing, blaming, and micro-managing the user for their behaviour.
_ Security must work given or despite what people do.
_ Security must be usable, flexible, mostly invisible… as frictionless as possible.
_ IBM Future of Identity. MyID DIACC
W10-9: Better Password Policies
Storage
_ In a salted and hashed format using a standard library that employs Argon2, bcrypt, or PBKDF2 (RFC 2898)
_ Do not invent your own. Obscurity ≠ Security
Just say no to passwords.
_ Web Authentication API
_ Authenticator device /phone app + fingerprint