Intrusion
occurs when an attacker attempts to enter or disrupt the normal operations of an information system, almost always with the intent to do harm
Intrusion prevention
consists of activities that seek to deter an intrusion from occurring
Intrusion detection
consists of procedures and systems created and operated to detect system intrusions
Intrusion reaction
encompasses actions an organization undertakes when an intrusion event is detected
Intrusion correction activities
finalize restoration of operations to a normal state
IDS
operate as network-based, host-based, or application-based systems
Network-based IDPS
focused on protecting network information assets
Wireless IDPS
focuses on wireless networks
Network behavior analysis IDPS
examines traffic flow on a network to recognize abnormal patterns
Network-based IDPS
Resides on computer or appliance connected to segment of an organization's network; looks for signs of attacks;
Network-based IDPS
When examining packets, a -- looks for attack patterns;
Network-based IDPS
Installed at specific place in the network where it can watch traffic going into and out of particular network segment
Wireless NIDPS
Monitors and analyzes wireless network traffic;
Wireless NIDPS
Issues associated with it include physical security, sensor range, access point and wireless switch locations, wired network connections, cost
Network behavior analysis systems
Examine network traffic in order to identify problems related to the flow of traffic;
Host-based IDPS
Resides on a particular computer or server and monitors activity only on that system;
Host-based IDPS
Advantage over NIDPS: can usually be installed so that it can access information encrypted when traveling over network
Honeypots
decoy systems designed to lure potential attackers away from critical systems and encourage attacks against themselves
Honeynets
collection of honeypots connecting several honeypot systems on a subnet
Honeypots
Divert attacker from accessing critical systems;
Honeypots
Collect information about attacker's activity;
Honeypots
Encourage attacker to stay on system long enough for administrators to document event and, perhaps, respond
Padded cell
honeypot that has been protected so it cannot be easily compromised
Padded cell
In addition to attracting attackers with tempting data, a -- operates in tandem with a traditional IDS
Biometric Access Control
Based on the use of some measurable human characteristic or trait to authenticate the identity of a proposed systems user (a supplicant);
Biometric Access Control
Relies upon recognition;
Biometric Access Control
Includes fingerprint comparison, palm print comparison, hand geometry, facial recognition using a photographic ID card or digital camera, retinal print, iris pattern
Characteristics considered truly unique in biometrics
fingerprints, retina of the eye, iris of the eye
False reject rate
the rejection of legitimate users
False accept rate
the acceptance of unknown users
Crossover error rate (CER)
the point where false reject and false accept rates cross when graphed
Cryptology
science of encryption; combines cryptography and cryptanalysis
Cryptography
process of making and using codes to secure transmission of information
Cryptanalysis
process of obtaining original message from encrypted message without knowing algorithms
Encryption
converting original message into a form unreadable by unauthorized individuals
Decryption
the process of converting the ciphertext message back into plaintext (original message)
Cipher Methods
Substitution Cipher, Transposition Cipher, Book or Running Key Cipher, Hash Functions
Cryptographic Algorithms categories
Often grouped into two broad categories, symmetric and asymmetric; Today's popular cryptosystems use hybrid combination of symmetric and asymmetric algorithms;
Symmetric Encryption
Uses same "secret key" to encipher and decipher message;
Asymmetric Encryption
Also known as public-key encryption;
Asymmetric Encryption
Uses two different but related keys; Either key can encrypt or decrypt message
cryptovariable
When using ciphers, size of -- or key is very important;
key size
Strength of many encryption applications and cryptosystems measured by -- ;
cryptosystems
For --, security of encrypted data is not dependent on keeping encrypting algorithm secret
Cryptosystem
-- security depends on keeping some or all of elements of cryptovariable(s) or key(s) secret
Public-Key Infrastructure (PKI)
Integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services enabling users to communicate securely
Digital Signatures
Verify information transferred using electronic systems;
Digital Signatures
Asymmetric encryption processes used to create digital signatures
Nonrepudiation
the process that verifies the message was sent by the sender and thus cannot be refuted
Digital Certificates
Electronic document containing key value and identifying information about entity that controls key;
Digital signature
-- attached to certificate's container file to certify file is from entity it claims to be from
Steganography
Process of hiding information; Has been in use for a long time;
Steganography
Most popular modern version hides information within files appearing to contain digital pictures or other images;
Steganography
Some applications hide messages in .bmp, .wav, .mp3, and .au files, as well as in unused space on CDs and DVDs
Secure Socket Layer (SSL) protocol
uses public key encryption to secure channel over public Internet
Secure Hypertext Protocol (S-HTTP)
extended version of Hypertext Transfer Protocol; provides for encryption of individual messages between client and server across Internet;
S-HTTP
-- is the application of SSL over HTTP
Secure Multipurpose Internet Mail Extensions (S/MIME)
builds on Multipurpose Internet Mail Extensions (MIME) encoding format by adding encryption and authentication
Privacy Enhanced Mail (PEM)
proposed as standard to function with public-key cryptosystems; uses 3DES symmetric key encryption
Pretty Good Privacy (PGP)
uses IDEA Cipher for message encoding
Secure Electronic Transactions (SET)
developed by MasterCard and VISA in 1997 to provide protection from electronic payment fraud;
Secure Electronic Transactions (SET)
Uses DES to encrypt credit card information transfers;
Secure Electronic Transactions (SET)
Provides security for both Internet-based credit card transactions and credit card swipe systems in retail stores
Wired Equivalent Privacy (WEP)
early attempt to provide security with the 802.11 network protocol
Wi-Fi Protected Access (WPA and WPA2)
created to resolve issues with WEP
Next Generation Wireless Protocols
Robust Secure Networks (RSN), AES - Counter Mode Encapsulation, AES - Offset Codebook Encapsulation
Internet Protocol Security (IPSec)
open source protocol to secure communications across any IP-based network
Attacks on Cryptosystems
Attempts to gain unauthorized access to secure communications have used brute force attacks (ciphertext attacks);
Attacks on Cryptosystems
Attacker may alternatively conduct known-plaintext attack or selected-plaintext attack schemes
Man-in-the-Middle Attack
Designed to intercept transmission of public key or insert known key structure in place of requested public key;
Man-in-the-Middle Attack
From victim's perspective, encrypted communication appears to be occurring normally, but in fact, attacker receives each encrypted message, decodes, encrypts, and sends to originally intended recipient;
Man-in-the-Middle Attack
Establishment of public keys with digital signatures can prevent traditional man-in-the-middle attack
Correlation Attacks
Collection of brute-force methods that attempt to deduce statistical relationships between structure of unknown key and ciphertext;
Correlation Attacks
Differential and linear cryptanalysis have been used to mount successful attacks;
Correlation Attacks
Only defense is selection of strong cryptosystems, thorough key management, and strict adherence to best practices of cryptography in frequency of changing keys
Dictionary Attacks
Attacker encrypts every word in a dictionary using same cryptosystem used by target;
Dictionary attacks
-- can be successful when the ciphertext consists of relatively few characters (e.g., usernames, passwords)
Timing Attacks
Attacker eavesdrops during victim's session
Timing Attacks
Uses statistical analysis of user's typing patterns and inter-keystroke timings to discern sensitive session information;
Timing Attacks
Can be used to gain information about encryption key and possibly cryptosystem in use
Replay attack
an attempt to resubmit recording of deciphered authentication to gain entry into secure source; may be launched once encryption is successfully broken via timing attacks