W9: Flashcards
Credentials:
Identification
Association
Authentication:
Verifying the identity implies valid association
Authorization is…
giving someone permission to do or to access something
ex. access to a system/network, a directory/folder, to read and/or write a file
“least privilege” principle:
grant only the minimum authority needed
Where high level authority is needed, e.g. to reset a password, wrap it inside a program/script which inherits the needed authority but restricts action and effects.
Minimum THREE UserIDs:
- one for development system (all authorities)
- one for production server (read only authority)
- one used only for admin and security
What is authorization?
4 points
Permission = access rights = authorization
Windows: object, right click, select Properties, click on Security tab
*nix: chmod command
OS security controls the ability of users to view, change, navigate, and execute the contents of a file system
Browser security:
HTTPS needed for sign on
Domain Validation (DV) certificate
DNS privacy security, block malware, botnets, malicious domains
EFF’s Privacy Badger blocks invisible trackers
EFF’s Panopticlick online tracking test
What are the most common methods of cracking?
Social engineering, weak passwords
Social Engineering
You are your own security hole by posting your life on the internet
Spear Phishing has 35% success rate
Social media makes it easier to guess credentials, answer security questions, pretend to be you when calling the help-desk, and perform identity theft
Weak passwords
Weak passwords are not unique: commonly used and/or reused
- 25 passwords used in 10% of accounts
- 10,000 passwords used by 30% of users
Humans do not create random values: brute-force cracking is unnecessary
Forget/Recover your password
“I forgot my password” relies on the strength of your email account’s security and its password
Security questions recovery: not recommended
- Easy to hack by Googling you and reading social media
Security Questions Defence:
Use diceware phrase regardless of security question
Bad password rules:
Length: min-max -> both too short
Strength: alphA + digits + 5?#80!$ (symbols) -> too cryptic
Not in dictionary -> too cryptic
Expiry: periodic change -> too often
Password defense
long length beats cryptic strength
Password managers
unique, long, strong, random char passwords, per account
Must remember one long passphrase
ex. 1Password, LastPass
Diceware Passphrase
long memorable password of random words
Generates a 5 digit random number using dice. Look up the word on the list. Do it six times. Good for password managers and security questions