CISSP CBK
WEEK 4
● By: Jessamyn Tollefson
● (pages 194-251)
UNDERSTANDING THREATS
(FORCES OF EVIL)
● Access control threats can negatively impact
the confidentiality, integrity, and
availability of information assets.
● Threats attack the networks, systems, and
applications that store and
process an organization's data.
● There are many different types of threats, and it is
important for us to understand how the
threats work.
EXAMPLES OF THREATS:
● Denial of service
● Buffer overflows
● Mobile code
● Malicious software
● Password crackers
● Spoofing/masquerading
● Sniffers
● Eavesdropping
● Emanations
EXAMPLES OF THREATS
(CONTINUED):
● Shoulder surfing
● Tapping
● Object reuse
● Data remnants
● Unauthorized targeted data mining
● Dumpster diving
● Backdoor/trapdoor
● Theft
● Intruders
● Social engineering
DENIAL OF SERVICE(DOS):
● DoS can range from the consumption of specific
resources and preventing networks from
communicating, to making a system service or
application unusable, to a
complete outage.
● In a SYN flood, the attacker sends too
many SYN packets without completing the
proper handshake, consuming all available server
connections and making sure that legitimate users
never gain access to the server.
DOS(CONTINUED):
● Where a DoS attack comes from only
one location, a DDoS attack comes from
many different locations.
● Attackers build vast networks of
commandeered systems, known as
"zombies"; the zombies make millions of
requests to the web site at once and
fully flood the system, and thus it
shuts down.
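The single-source versus many-source distinction above is what a defender's counter has to capture. The following is an added illustration, not part of the slide deck: it counts half-open connections (a SYN never followed by the client's ACK) over a constructed set of TCP flag records, flags a source that piles them up on its own, and separately flags a target that is receiving them from many sources at once. The record format and the thresholds are assumptions made for this example.

```python
"""Half-open connection counting to spot SYN-flood behaviour.

Added illustration, not from the slide deck. Record format and
thresholds are assumptions made for this example.
"""
from collections import defaultdict

# Constructed sample records: (src_ip, dst_ip, tcp_flag).
# A normal client sends SYN and then completes the handshake with ACK.
# One source sends 50 SYNs and never completes (single-source flood);
# 40 other sources each send one SYN and never complete (distributed).
SAMPLE_RECORDS = (
    [("10.0.0.5", "192.0.2.10", "SYN"), ("10.0.0.5", "192.0.2.10", "ACK")]
    + [("198.51.100.7", "192.0.2.10", "SYN")] * 50
    + [(f"203.0.113.{i}", "192.0.2.10", "SYN") for i in range(1, 41)]
)


def half_open_pairs(records):
    """Return {(src, dst): count} of SYNs not yet matched by an ACK from src."""
    pending = defaultdict(int)
    for src, dst, flag in records:
        key = (src, dst)
        if flag == "SYN":
            pending[key] += 1
        elif flag == "ACK" and pending[key] > 0:
            pending[key] -= 1  # handshake completed: no longer half-open
    return {k: v for k, v in pending.items() if v > 0}


def classify(records, per_source_limit=20, per_target_limit=60, min_sources=10):
    """Separate a single-source flood (DoS) from a many-source flood (DDoS)."""
    pairs = half_open_pairs(records)
    per_source = defaultdict(int)
    per_target = defaultdict(int)
    sources_per_target = defaultdict(set)
    for (src, dst), n in pairs.items():
        per_source[src] += n
        per_target[dst] += n
        sources_per_target[dst].add(src)
    single_source = sorted(s for s, n in per_source.items() if n > per_source_limit)
    distributed = sorted(
        d for d, n in per_target.items()
        if n > per_target_limit and len(sources_per_target[d]) >= min_sources
    )
    return {"single_source_floods": single_source, "distributed_targets": distributed}


if __name__ == "__main__":
    print(classify(SAMPLE_RECORDS))
```

The per-target check is the one that matters for DDoS: each zombie stays under the per-source limit, so only the aggregate on the destination, combined with the number of distinct sources, reveals the flood.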
BUFFER OVERFLOWS:
● Buffering controls data inputs
and outputs at all levels of a system
interaction.
● A buffer overflow is an attack that
overwhelms the system's capability to
manage its buffers, causing system
failures and outages, loss of control over an
application's state or a
running program, or the execution
of code of an attacker's choosing.
BUFFER OVERFLOWS (CONTINUED):
● Buffer overflows can also be used to
insert malicious software that the system
then processes for the attacker. Because memory
buffers are used in network interfaces,
video systems, RAM, and virtual memory
on hard disks, all of these are vulnerable to a
buffer overflow.
● Buffer overflows are mostly caused
by poor application or system memory
management.
MOBILE CODE:
● Mobile code is software that is transmitted
across a network from a remote source to a
local system.
● Security considerations are important because of its
distribution capability, limited user awareness,
and potential for harm.
● Mobile code is designed to be delivered to an
end-user device. If the device is not configured
properly, mobile code can infect or manipulate the system.
● Organizations should make their users aware of the
dangers of mobile code.
MALICIOUS SOFTWARE (MALWARE):
● Malware is any digital material that is deliberately
designed to perform undesirable tasks.
○ Virus: Parasitic code that requires human action or
insertion.
○ Worm: Self-propagating code that exploits a system
or application vulnerability to replicate.
○ Trojan Horse: A general term referring to programs
that appear desirable but contain something
harmful.
○ Spyware: Spyware was a hidden application
injected through poor browser security by companies
seeking:
MALWARE (CONTINUED):
a) Malvertisements: web
advertisements which appear to be
legitimate yet direct users to download
malware onto their systems.
b) Malnets: malware networks
which typically consist of numerous
infected websites, desktops, laptops,
and increasingly mobile devices, used to
gain more information about users'
Internet activity.
PASSWORD CRACKERS:
● The key factor is the storage of the hashed
password, and that is where the password
cracker comes in.
● Password crackers are one of the few tools
that are equally effective for security
administrators and attackers alike.
● Rainbow table: this attack has revolutionized
password cracking and is being rapidly
adopted by tool creators.
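Why a precomputed table works against stored hashes, and what storage practice defeats it, is easier to see in code. The following is an added illustration, not from the slide deck: a real rainbow table compresses its precomputation into hash/reduce chains, while this example uses a plain dictionary of precomputed digests, which exhibits the same property that matters for defence: one precomputation is reusable against every unsalted hash, and a per-user random salt with PBKDF2 iterations makes that reuse impossible. It also shows the administrator's use of the same tool, auditing a database for weak passwords. The wordlist, users and passwords are constructed.

```python
"""Precomputed hash lookup versus salted, iterated hashing.

Added illustration, not from the slide deck. Wordlist, user database
and passwords are constructed for the example.
"""
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "Winter2024", "qwerty", "hunter2"]  # constructed
ITERATIONS = 100_000


def unsalted_hash(password):
    """Legacy storage: a bare SHA-256 of the password, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed_table(words):
    """Hash each candidate once; the table then serves any unsalted database."""
    return {unsalted_hash(w): w for w in words}


def salted_hash(password, salt, iterations=ITERATIONS):
    """Per-user random salt plus PBKDF2: precomputation would have to be redone per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_salted(password, salt, stored, iterations=ITERATIONS):
    """Constant-time comparison of a candidate against the stored salted hash."""
    return hmac.compare_digest(salted_hash(password, salt, iterations), stored)


def audit_unsalted(user_db, table):
    """Administrator's use of the same tool: users whose hash is in the table."""
    return sorted(u for u, h in user_db.items() if h in table)


def demo():
    table = build_precomputed_table(WORDLIST)
    # Constructed legacy database with bare hashes.
    legacy_db = {
        "alice": unsalted_hash("Winter2024"),
        "bob": unsalted_hash("correct horse battery staple"),
    }
    weak_users = audit_unsalted(legacy_db, table)  # ["alice"]

    # The same weak password stored properly: random salt, iterated hash.
    salt = os.urandom(16)
    record = salted_hash("Winter2024", salt)
    # The table keys are bare SHA-256 digests; they can never equal a PBKDF2 output.
    table_hit = table.get(record.hex())  # None
    return {
        "weak_users": weak_users,
        "table_hit": table_hit,
        "verified": verify_salted("Winter2024", salt, record),
        "rejected": verify_salted("Winter2025", salt, record),
    }


if __name__ == "__main__":
    print(demo())
```

Salting alone forces the attacker to redo the precomputation for each user; the iteration count is what makes each of those redone computations expensive.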
SPOOFING/MASQUERADING
● Spoofing is the act of appearing to a system as if a
communication from an attacker is coming from a
known and trusted source.
● Early versions of spoofing were performed by
manipulating the packets of data used in the IP
protocol.
● This is no longer common, because today's systems
and firewalls are prepared for it.
● Spoofing attacks have a profound effect on access control
systems because they remove the assurance that a person is
dealing with a trusted entity.
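The "firewalls are prepared for it" point above refers to address-based ingress and egress filtering at the network border. The following is an added illustration, not from the slide deck, of that rule in the style of BCP 38 / RFC 2827: a packet arriving from outside may not claim an internal source address, an internal host may not send with a foreign source address, and addresses that never legitimately appear on a border link are dropped outright. The prefixes and sample packets are constructed.

```python
"""Border anti-spoofing filter (ingress/egress source-address checks).

Added illustration, not from the slide deck. Prefixes and packets are
constructed for the example.
"""
import ipaddress

INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16")]
# Addresses that should never appear as a source on a border link.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_PREFIXES)


def filter_packet(direction, src, dst):
    """Return (allowed, reason). direction is "inbound" (from outside) or "outbound"."""
    s = ipaddress.ip_address(src)
    if any(s in net for net in BOGON_PREFIXES):
        return False, "bogon source address"
    if direction == "inbound" and is_internal(s):
        return False, "external packet claims an internal source"
    if direction == "outbound" and not is_internal(s):
        return False, "internal host sending with a foreign source"
    return True, "ok"


# Constructed packets: (direction, src, dst)
SAMPLE_PACKETS = [
    ("inbound", "203.0.113.9", "10.0.0.25"),      # legitimate external client
    ("inbound", "10.0.0.7", "10.0.0.25"),         # spoofed: claims an internal source
    ("outbound", "10.0.0.25", "203.0.113.9"),     # legitimate reply
    ("outbound", "198.51.100.3", "203.0.113.9"),  # internal host spoofing a foreign source
    ("inbound", "127.0.0.1", "10.0.0.25"),        # bogon
]


def dropped(packets):
    """Return the source addresses of the packets the filter rejects."""
    return [src for d, src, dst in packets if not filter_packet(d, src, dst)[0]]


if __name__ == "__main__":
    for d, src, dst in SAMPLE_PACKETS:
        print(d, src, "->", dst, filter_packet(d, src, dst))
```

The outbound rule is the one organizations most often skip; it protects other networks from spoofed traffic originating inside, which is exactly what the zombie networks described earlier rely on.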
SNIFFERS, EAVESDROPPERS, AND
TAPPING
● All communications, whether wired or
wireless, need to travel from point to point
over some medium.
● Sniffers are devices that can collect
information from a communication medium,
such as a network.
● Sniffing can be used for good and evil.
● The best protection against sniffing,
eavesdropping, and tapping is to protect
transmissions between devices from interception.
EMANATION:
● Emanation is the proliferation or propagation of the
signals given off by a device.
● By intercepting and interpreting the emanations
coming from a particular device, an attacker
can often reconstruct the information that is
being shown or processed on the device.
● There are materials that restrict the ability of
radio waves to propagate through them. This
involves the use of special paint on the walls
and special window coverings that can be
placed on windows or other weak points to
further disrupt the emanation of
SHOULDER SURFING
● Shoulder surfing is the act of surreptitiously gathering
information from a user by means of
direct observation of the user's
activity, by looking over their
shoulder as they perform some
action.
OBJECT REUSE:
● Object reuse refers to the allocation or reallocation of system
resources to a user or to an application or
process.
● There are two areas of concern with
application object reuse: the direct
employment of the objects, or the data input to or
output from the object.
● Object reuse is also applicable to system
media, such as a hard drive, magnetic media,
RAM-based devices, or other forms of data
storage.
DATA REMANENCE
● It is becoming increasingly commonplace to
buy used computer equipment, such as a
hard drive or router, and find information on
the device left there by the previous owner,
information they thought had been deleted.
● Another potential source of data exposure
comes from the slack space at the end of a
file.
● In early computer systems, the slack space
contained random portions of data pulled from memory.
DATA REMANENCE (CONTINUED):
● Slack space can also be used by an attacker, who
can identify and extract the
information it contains.
● There are utilities that can be used to securely wipe
the data from the hard drive by overwriting the file
information with bytes of 1's and 0's, or a random
combination of both. This wipe includes the unused
slack space in clusters assigned to allocated files.
● The most effective mechanism to destroy data,
either a single file or an entire disk, short of grinding
the disk into little pieces, which is still no guarantee, is
to overwrite the data several times.
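The "overwrite several times" advice above, at file level, looks like the following. This is an added illustration, not from the slide deck or any particular wiping utility: it overwrites every byte of a file in place with zeros, then ones, then random bytes, syncing each pass to the device, and only then unlinks it. It assumes a file system that writes in place; journaling or copy-on-write file systems and SSD wear levelling can retain old copies that this routine cannot reach, and it does not touch slack or free space outside the file, so it is the file-level part of the slide's advice, not a whole-disk wipe. The secret content it writes is constructed.

```python
"""Overwriting a file's contents before deleting it.

Added illustration, not from the slide deck. Assumes an in-place-writing
file system; see the lead-in for what it cannot reach.
"""
import os
import tempfile

PATTERNS = (b"\x00", b"\xff", None)  # None means random bytes for that pass


def overwrite_file(path, passes=3, chunk=64 * 1024):
    """Overwrite all bytes of `path` `passes` times. Returns the size overwritten."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for p in range(passes):
            pattern = PATTERNS[p % len(PATTERNS)]
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # force this pass out of the page cache to the device
    return size


def secure_delete(path, passes=3):
    """Overwrite, then unlink; the directory entry goes last."""
    overwrite_file(path, passes)
    os.remove(path)


def demo():
    """Write a constructed secret, overwrite it, check for residue, then delete."""
    original = b"customer account 4111-2222-3333-4444\n" * 200  # constructed
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(original)
    written = overwrite_file(path)
    with open(path, "rb") as fh:
        after = fh.read()
    secure_delete(path)
    return {
        "size_ok": written == len(original) == len(after),
        "residue": b"4111-2222" in after,
        "exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the size is read once and the file is never truncated between passes, so the final random pass covers the same byte range the secret occupied.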
UNAUTHORIZED TARGETED DATA
MINING
● Unauthorized targeted data mining is the act of collecting and analyzing large
quantities of information to determine
patterns of use or behavior and use those
patterns to form conclusions about past,
current, or future behavior.
● Attackers will perform reconnaissance
against their target in an effort to collect as
much information as possible to draw
conclusions on operations, practices,
DUMPSTER DIVING
● Dumpster diving is simply the act of taking what people assume is
trash and using that information, sometimes in
combination with other data, to formulate
conclusions or refine strategies for an attack.
● Most attackers don't want to risk physical
contact with their target and the potential
exposure of going through the organization's
trash.
● The ability of an unauthorized person to get to
the trash repository of a site also shows a
weakness in the physical access controls of that
facility.
BACKDOORS AND TRAPDOORS
● Applications may have hard-coded instructions that
allow complete and unfettered access to those who
know the existence of the backdoor.
● Most common method of backdoor access is the
use of hidden accounts built within the application.
● The threat to access controls from backdoors and
trapdoors is based on the existence of unknown
configurations that will allow someone to circumvent
established controls and gain full access to the system.
LOGIC BOMBS:
● Some attacks can be seen immediately, their effect taking
hold as soon as the attack is launched, while other
attacks can hold for days, weeks, even years. These
attacks are called logic bombs because they rely on
a logical progression of events before they unleash
their aggression.
● They can be difficult to find, particularly if they have
been placed there by someone with intimate
knowledge of the system or its source code.
● The best way to defend against them is to include a
thorough code review of all software deployed
throughout the enterprise.
THEFT:
● Theft is a simple concept anyone can grasp;
however, as the digital interaction
between people and business expands,
the exposure of valuable information
continues to exceed the physical notion
of the term theft.
● Physical theft includes anything of value
an unauthorized entity can remove.
● In digital theft, unless the thief has
destroyed the information during the act
of stealing it, the original data is still there.
SOCIAL ENGINEERING:
● Social engineering is the practice of misdirection to obtain
information through social contacts.
● It can take many forms, ranging from
telephone calls to e-mail to
face-to-face interaction.
● The best prevention is an effective and
continuous security awareness and
education effort for all personnel within
the organization.
E-MAIL SOCIAL ENGINEERING
● E-mail can be a powerful persuasion device for
attackers and con artists alike.
● E-mail has become a basic mode of
communications for many people and is
considered crucial for many companies to run a
successful business.
● E-mail social engineering presents many
problems to effective access control, but the
primary problem is that it can be used to obtain
enough personal or system information from a
victim that the attacker can subsequently
obtain or bypass legitimate authentication and
authorization information.
HELP DESK FRAUD
● The goal of a help desk attack is for
the attacker to get a valid ID and
password to an internal system.
● This technique is becoming harder and
harder to use, because help desk
employees are usually trained to follow a
specific protocol when providing
passwords, and many of these protocols
do not include furnishing passwords over
the phone.
THREAT MODELING
● In reviewing access control attacks and mitigating factors,
several risk assessment methods can be considered.
● Threat modeling approaches vary from organization to
organization but generally follow an approach of:
● Defining the scope and objectives
● Understanding or modeling the system
● Development of threats
● Development of vulnerabilities
● Determining the impact and risk
● Develop the mitigation plan
DEFINE THE SCOPE AND OBJECTIVES
● An effective threat modeling exercise must
determine what is within the scope of the
modeling.
● There is a trade off between the size of the
scope and amount of effort required to provide
meaningful recommendations.
● If the scope is too narrow, the assessor may neglect
significant information.
● If the scope is too large, resources available for
mitigation are spent on assessment.
UNDERSTANDING OR MODELING
THE SYSTEM:
● In understanding how the target system
or application operates, collect as much
information as is available about the system.
● Cost information about the operation,
development and information contained
in the system should also be understood
as it will be required to make value based
decisions.
DEVELOPMENT OF THREATS:
● Threat development can be as much an art as a science
and will vary greatly depending on the
threat information sources available.
● Those sources may include classified or national security
information that is relevant to the system.
DEVELOPMENT OF VULNERABILITIES:
● Using automated tools, a
vulnerability scan of the target
system or application should be
performed.
● Known weaknesses should also be reviewed.
DETERMINING IMPACTS AND RISK:
● There are several qualitative and
quantitative ways to determine
impacts and risks.
● The qualitative route is the simplest and
helps determine the overall impact
and risk to the organization.
● Once levels of risk are determined, a
value to mitigate each should be
determined.
DEVELOP A MITIGATION PLAN:
● This plan should ideally identify
residual risks, exposure, resources
required to mitigate risks, and
timelines for mitigations.
● The plan should also identify the
responsible party for each risk
mitigation and who accepted the
residual risks on behalf of the
organization.
ASSET VALUATION:
● In determining the value of information systems
there are several components which must be
accounted for:
● Hardware
● Software
● Integration
● Opportunity cost
● Regulatory exposure
● Information replacement
● Reputation exposure
HARDWARE, SOFTWARE,
AND INTEGRATION:
● Hardware:
● The replacement cost of hardware can be significant
and can increase dramatically when the hardware is
out of support or the vendor has gone out of business.
● Software:
● Much like hardware, software can go out of support
and vendors can dissolve or merge with other
companies.
● Integration:
● Integration costs are often "sunk", invisible costs that are easily
overlooked when considering the value of an asset.
OPPORTUNITY COSTS, REGULATORY AND
REPUTATIONAL EXPOSURE, AND
INFORMATION REPLACEMENT:
● Opportunity Costs:
● When a crucial business support system, such as an e-commerce
site for a major online retailer, is down, the downtime costs substantial money.
● Regulatory Exposure:
● In a regulated environment, there are stiff penalties for breaching
information.
● Information Replacement:
● The information an organization develops as part of its operation is
most likely not going to be replaced overnight.
● Reputational Exposure:
● What is the cost of losing a reputation? Reputation is extremely
difficult and expensive to achieve and maintain.
ACCESS AGGREGATION:
● Access aggregation is the act of collecting additional roles and
responsibilities in an organization or information system.
● The combination of systems may make it possible to
commit fraud, as separation of duties also breaks
down as access aggregation occurs.
● Information security professionals should work with
human resources and information technology
administrators to ensure de-provisioning of access is
performed any time a person changes
roles.
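The separation-of-duties breakdown described above can be checked mechanically once roles, entitlements and forbidden combinations are written down. The following is an added illustration, not from the slide deck: it replays a person's role history under two HR policies, one that de-provisions the old role on each change and one that lets roles accumulate, and reports which entitlement combinations the accumulated set violates. Role names, entitlements and conflict pairs are constructed.

```python
"""Detecting access aggregation and separation-of-duties conflicts.

Added illustration, not from the slide deck. Roles, entitlements and
conflict pairs are constructed; a real deployment takes them from the
HR system and the access-management tool.
"""

ROLE_ENTITLEMENTS = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment", "view_reports"},
    "developer": {"commit_code", "read_dev_db"},
    "release_manager": {"deploy_prod"},
}

# Entitlement pairs that one person must never hold together.
SOD_CONFLICTS = [
    ({"create_vendor", "approve_payment"}, "can create a vendor and pay it"),
    ({"commit_code", "deploy_prod"}, "can write code and push it to production"),
]


def entitlements_for(roles):
    """Union of the entitlements granted by a set of roles."""
    out = set()
    for r in roles:
        out |= ROLE_ENTITLEMENTS[r]
    return out


def apply_role_change(current_roles, new_role, deprovision):
    """Model an HR role change. With deprovision=False old roles linger (aggregation)."""
    return {new_role} if deprovision else set(current_roles) | {new_role}


def sod_violations(roles):
    """Reasons for every conflict pair fully contained in the person's entitlements."""
    have = entitlements_for(roles)
    return [reason for pair, reason in SOD_CONFLICTS if pair <= have]


def simulate(history, deprovision):
    """Replay a role history; return (final roles, list of SoD violations)."""
    roles = set()
    for role in history:
        roles = apply_role_change(roles, role, deprovision)
    return roles, sod_violations(roles)


if __name__ == "__main__":
    # Constructed career: clerk promoted to manager, then a developer moved to releases.
    for history in (["ap_clerk", "ap_manager"], ["developer", "release_manager"]):
        for dep in (False, True):
            print(history, "deprovision" if dep else "aggregate", simulate(history, dep))
```

Run periodically against the live entitlement store rather than the intended role model, the same `sod_violations` check catches the aggregation that happens when HR changes a role and nobody tells the system administrators.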
VULNERABILITY ASSESSMENT:
● To begin the vulnerability assessment process, the assessor
must have a good understanding of the business, its
mission, and the system or application to be assessed.
● The next step is to examine the existing controls in place
to protect the system or process.
● Once the vulnerability scanning is complete, the security
analyst must examine the results for accuracy.
● Once the final analysis is complete, the assessor should
discuss the findings with the business area to determine the
appropriate course of remediation action to take.
PENETRATION TESTING:
● The next level in vulnerability assessment seeks to
exploit existing vulnerabilities to determine the true
nature and impact of a given vulnerability.
● Penetration testing goes by many names, such as
ethical hacking, tiger teaming, red teaming and
vulnerability testing.
● Penetration testing can be employed against any
system or service.
● The key to successful and valuable penetration
testing is clearly defined objectives, scope,
stated goals, agreed-upon limitations, and
acceptable activities.
PENETRATION TEST STRATEGIES:
● Strategies are based on the specific
objectives to be achieved, and are a
combination of the source of the test,
how the company's assets are targeted,
and the information provided to the
tester.
● The organization must determine the area
of the organization or the service to be
tested.
APPLICATION SECURITY TESTING:
● The objective of application security testing is to
evaluate the controls within an application and
its information process flow.
● Application testing will test the flow of
information through the application and its
susceptibility to interception or alteration.
● Application testing will test for a wide range of
common attack scenarios to gauge the level of
resistance an application has to attacks of
varying levels of sophistication.
DENIAL-OF-SERVICE (DOS) TESTING:
● The goal is to evaluate the system's
susceptibility to attacks that will render it
inoperable or unable to provide needed
services to the organization's external users.
● Because DoS testing presents such a
risk to systems, many testers will perform
the attack steps leading up to the DoS
but stop short of crashing the system. This
saves a great deal of response and
WAR DIALING:
● War dialing is a technique for systematically calling a
range of telephone numbers in an attempt
to identify modems, remote-access devices,
and maintenance connections for computers
that may exist within an organization's
network.
● Organizations would be wise not to
underestimate their reach into the
infrastructure or their potential for creating
vulnerabilities in the environment.
WIRELESS NETWORK TESTING:
● Wireless networks, whether through
formal, approved network architecture or
the inadvertent actions of well-meaning
users, create additional security
exposures.
● Goal is to identify security gaps or flaws in
the design, implementation, or operation
of the organization's wireless network.
SOCIAL ENGINEERING:
● Often used in conjunction with blind
and double-blind testing, social
engineering refers to techniques
that use social interaction, typically with
the organization's employees,
suppliers, and contractors, to gather
enough information to be able to
penetrate the organization's
physical premises or systems.
PBX AND IP TELEPHONY TESTING:
● Beyond war dialing, phone systems
have been a highly vulnerable, yet
often overlooked, method of gaining
access to corporate resources.
● The potential threat profile represented
by combining the threats associated
with IP networks and those of
telephone systems is one an
organization should take seriously.
PENETRATION TEST METHODOLOGY:
● A methodology is an established collection of processes
that are performed in a predetermined order to ensure
the job, function, or security test is accurately executed.
● (1) Reconnaissance/Discovery: Identify and document
information about the target.
● (2) Enumeration: Gain more information with intrusive
methods.
● (3) Vulnerability Analysis: Map the environment profile to
known vulnerabilities.
● (4) Execution: Attempt to gain user and privileged access.
● (5) Document findings: Document the results of the test.

IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...PsychoTech Services
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 

Último (20)

Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 

Access Control - Week 4

  • 1. CISSP CBK WEEK 4 ● By: Jessamyn Tollefson ● (pages 194-251)
  • 2. UNDERSTANDING THREATS (FORCES OF EVIL) ● Access control threats can have a negative impact on the confidentiality, integrity, and availability of information assets. ● Threats attack the networks, systems, and applications that store and process an organization's data. ● There are many different types of threats, and it is important to understand how they work.
  • 3. EXAMPLES OF THREATS: ● Denial of service ● Buffer overflows ● Mobile code ● Malicious software ● Password crackers ● Spoofing/masquerading ● Sniffers ● Eavesdropping ● Emanations
  • 4. EXAMPLES OF THREATS (CONTINUED): ● Shoulder surfing ● Tapping ● Object reuse ● Data remnants ● Unauthorized targeted data mining ● Dumpster diving ● Backdoor/trapdoor ● Theft ● Intruders ● Social engineering
  • 5. DENIAL OF SERVICE (DOS): ● DoS can range from consumption of specific resources and preventing networks from communicating, to rendering a system service or application unusable, or causing a complete outage. ● In the attack known as a SYN flood, the attacker sends too many SYN packets without completing the proper connection setup, consuming all available server connection resources so that the owner's legitimate users can never gain access to the server.
  • 6. DOS (CONTINUED): ● Where a DoS attack comes from only one location, a DDoS attack comes from many different locations. ● Attackers build vast networks of commandeered systems, known as "zombies"; the zombies make millions of requests to the web site at once, fully flooding the system until it shuts down.
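The two slides above describe a SYN flood in terms of half-open connections and the difference between a single-source DoS and a distributed one. The following Python is an added detection example written for this page (it is not code from the slides or from the CISSP CBK): it reads a constructed connection table shaped like the rows of `ss -tan` or `netstat -an` and applies two indicators, a per-source half-open count and a per-port half-open ratio. The thresholds, the sample addresses (RFC 5737 documentation ranges) and the `SYN_RECV` state label are assumptions for the example.

```python
from collections import Counter

HALF_OPEN = "SYN_RECV"   # state of a connection whose handshake never completed


def build_sample_table():
    """Constructed connection table (not captured data), one tuple per TCP
    connection in the shape of `ss -tan` / `netstat -an` rows:
    (local_port, remote_ip, tcp_state)."""
    table = []
    # Normal traffic: a few clients with fully established sessions on 443.
    for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.9"):
        table.extend([(443, ip, "ESTABLISHED")] * 4)
    # Single-source SYN flood: 25 half-open connections from one address.
    table.extend([(443, "203.0.113.5", HALF_OPEN)] * 25)
    # Distributed flood (the DDoS case): one half-open connection each from
    # 40 different "zombie" addresses against port 80, plus one real client.
    for i in range(40):
        table.append((80, f"203.0.113.{100 + i}", HALF_OPEN))
    table.append((80, "198.51.100.7", "ESTABLISHED"))
    return table


def half_open_by_source(table):
    """Half-open connection count per remote address."""
    counts = Counter()
    for _port, remote_ip, state in table:
        if state == HALF_OPEN:
            counts[remote_ip] += 1
    return counts


def half_open_ratio_by_port(table):
    """Fraction of the connections on each local port that are still half-open."""
    total, half = Counter(), Counter()
    for port, _ip, state in table:
        total[port] += 1
        if state == HALF_OPEN:
            half[port] += 1
    return {port: half[port] / total[port] for port in total}


def syn_flood_alerts(table, per_source_threshold=20, ratio_threshold=0.8,
                     min_connections=10):
    """Two complementary indicators (thresholds are illustrative assumptions):
    - single-source: one remote address holds many half-open connections;
    - port-saturation: most of a port's connection slots are half-open, which
      also catches a distributed flood where no single source stands out."""
    alerts = []
    for ip, n in sorted(half_open_by_source(table).items()):
        if n >= per_source_threshold:
            alerts.append(("single-source", ip, n))
    totals = Counter(port for port, _ip, _state in table)
    for port, ratio in sorted(half_open_ratio_by_port(table).items()):
        if totals[port] >= min_connections and ratio >= ratio_threshold:
            alerts.append(("port-saturation", port, round(ratio, 2)))
    return alerts


if __name__ == "__main__":
    for alert in syn_flood_alerts(build_sample_table()):
        print(alert)
```

On the sample table the per-source rule flags only the single flooding address on port 443, while the 40 zombies on port 80 each hold one half-open connection and are invisible to it; the ratio rule is what exposes that distributed flood. In production the same logic would read the live connection table on a schedule and feed a rate-limiting or SYN-cookie response rather than just print.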
  • 7. BUFFER OVERFLOWS: ● Buffering controls data inputs and outputs at all levels of system interaction. ● A buffer overflow is an attack on the system's ability to manage its buffers, causing system failures and outages, loss of control over application state, loss of control over a running program, or the execution of code of the attacker's choosing.
  • 8. BUFFER OVERFLOWS (CONTINUED): ● Buffer overflows can also be used to insert malicious software for the attacker to have processed. Because memory buffers are used in network interfaces, video systems, RAM, and virtual memory on hard disks, all of these are vulnerable to a buffer overflow. ● Buffer overflows are mostly caused by poor application or system memory management.
  • 9. MOBILE CODE: ● Mobile code is software that is transmitted across a network from a remote source to a local system. ● Its security implications are important because of its distribution capability, limited user awareness, and potential for harm. ● Mobile code is designed to be delivered to an end-user device; if the device is not configured properly, the code can infect or manipulate the system. ● Organizations should make their users aware of the dangers of mobile code.
  • 10. MALICIOUS SOFTWARE (MALWARE): ● Malware is any digital material that is deliberately designed to perform undesirable tasks. ● ○ Virus: parasitic code that requires human action or insertion. ● ○ Worm: self-propagating code that exploits a system or application vulnerability to replicate. ● ○ Trojan horse: a general term referring to programs that appear desirable but contain something harmful. ● ○ Spyware: a hidden application injected through poor browser security by companies seeking:
  • 11. MALWARE (CONTINUED): a) Malvertisements: web advertisements that appear to be legitimate yet direct users to download malware onto their systems. b) Malnets: malware networks that typically consist of numerous infected websites, desktops, laptops, and increasingly mobile devices, used to gain more information about users' Internet activity.
  • 12. PASSWORD CRACKERS: ● The key factor is the storage of the hashed password, and that is where the password cracker comes in. ● Password crackers are one of the few tools that are equally effective for security administrators and attackers alike. ● The rainbow table attack has revolutionized password cracking and is being rapidly adopted by tool creators.
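The slide says the stored hash is the key factor and that precomputed (rainbow) tables have changed password cracking. The Python below is an added example for this page, not code from the slides, showing the storage-side consequence: a fast, unsalted hash of a common password can be reversed with a precomputed table, while a record with a random per-user salt and a slow key derivation cannot. The candidate list is constructed, a plain dictionary stands in for the chain-compressed structure of a real rainbow table, and the `salt$iterations$key` record format is chosen for the example; PBKDF2-HMAC-SHA256 is used because it is in the standard library.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for an attacker's precomputed table.
# A real rainbow table compresses chains of hashes; a plain dictionary shows
# the same property: a fast, unsalted hash of a common password is one lookup away.
CANDIDATES = ["password", "letmein", "Summer2024", "qwerty123"]


def unsalted_sha256(password):
    """The weak storage scheme: one fixed hash per password, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates=CANDIDATES):
    """Precompute hash -> password for every candidate (done once, reused forever)."""
    return {unsalted_sha256(p): p for p in candidates}


def lookup(table, stored_hash):
    """Return the candidate password for a stored hash, or None if absent."""
    return table.get(stored_hash)


def hash_password(password, salt=None, iterations=200_000):
    """The recommended scheme: a random per-user salt plus a slow key
    derivation (PBKDF2-HMAC-SHA256). Record format for this example is
    'salt_hex$iterations$derived_key_hex'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the derived key from the stored salt and compare it."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so a wrong guess leaks no timing information.
    return hmac.compare_digest(dk.hex(), dk_hex)


def precomputed_lookup_works(stored, table=None):
    """True if the stored value (a bare unsalted digest or a salted record) can be
    reversed with the precomputed table alone. For a salted record the table
    was built without the salt, so the derived key never appears in it."""
    table = table if table is not None else build_lookup_table()
    digest = stored.split("$")[-1]
    return lookup(table, digest) is not None
```

The salt does not need to be secret; it only has to be unique, so that one precomputed table cannot be amortized across every user in the store. The iteration count is what makes per-guess work expensive for an attacker who has obtained the records, and it should be raised over time as hardware gets faster.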
  • 13. SPOOFING/MASQUERADING: ● Is the act of appearing to a system as if a communication from an attacker is coming from a known and trusted source. ● Early versions of spoofing were performed by manipulating the packets of data used in the IP protocol. ● This is not as common today because modern systems and firewalls are prepared for it. ● Spoofing has a profound effect on access control systems because it removes the assurance that a person is dealing with a trusted entity.
  • 14. SNIFFERS, EAVESDROPPERS, AND TAPPING: ● All communications, whether wired or wireless, need to travel from point to point over some medium. ● Sniffers are devices that can collect information from a communication medium, such as a network. ● Sniffing can be used for good and for evil. ● The best protection against sniffing, eavesdropping, and tapping is to encrypt transmissions between devices.
  • 15. EMANATIONS: ● Emanation is the proliferation or propagation of those signals. ● By intercepting and interpreting the emanations coming from a particular device, an attacker can often reconstruct the information that is being shown or processed on the device. ● There are materials that restrict the ability of radio waves to propagate through them. This involves the use of special paint on the walls and special window coverings that can be placed on windows or other weak points to further disrupt the emanation of
  • 16. SHOULDER SURFING: ● Is the act of surreptitiously gathering information from a user by means of direct observation of the user's activity, such as looking over their shoulder as they perform some action.
  • 17. OBJECT REUSE: ● Refers to the allocation or reallocation of system resources to a user, an application, or a process. ● There are two areas of concern with application object reuse: the direct employment of the objects, and the data input to or output from the object. ● Object reuse also applies to system media, such as hard drives, magnetic media, RAM-based devices, or other forms of data storage.
  • 18. DATA REMANENCE: ● It is becoming increasingly commonplace to buy used computer equipment, such as a hard drive or router, and find information on the device left there by the previous owner, information they thought had been deleted. ● Another potential source of data exposure comes from the slack space at the end of a file. ● In early computer systems, the slack space contained random portions of data pulled from memory.
  • 19. DATA REMANENCE (CONTINUED): ● Slack space can also be used by an attacker, and some tools are used specifically to identify and extract the information in it. ● There are utilities that can securely wipe data from a hard drive by overwriting the file's information with bytes of 1s and 0s, or a random combination of both. This wipe includes the unused slack space in clusters assigned to allocated files. ● The most effective mechanism to destroy data, either a single file or an entire disk, short of grinding the disk into little pieces (which is still no guarantee), is to overwrite the data several times.
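The two data remanence slides describe wiping by overwriting a file's bytes with 0s, 1s and random data, several times. The Python below is an added example for this page (not a utility from the slides or the CBK) that implements that multi-pass overwrite in place, forcing each pass to disk, and then proves the point on a temporary file: a constructed secret marker is present before the wipe and absent afterwards. The three-pass pattern, the chunk size and the marker value are assumptions for the example.

```python
import os
import tempfile

# Overwrite patterns: all zero bits, all one bits, then random bytes.
PASSES = (b"\x00", b"\xff", None)   # None = random data from os.urandom


def overwrite_file(path, passes=PASSES, chunk=64 * 1024):
    """Overwrite every byte of the file in place, once per pass, flushing and
    fsyncing each pass. Returns the number of passes written. The file length
    is unchanged, so the clusters already allocated to it are all covered."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for fill in passes:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if fill is None else fill * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return len(passes)


def secure_delete(path):
    """Overwrite, then unlink. Returns the pass count."""
    passes = overwrite_file(path)
    os.remove(path)
    return passes


def wipe_demo():
    """Write a constructed secret marker to a temporary file, wipe it, and
    report whether the marker survived in the file's bytes."""
    marker = b"CARD=4111111111111111"   # constructed value, not real data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(marker * 50)
    with open(path, "rb") as f:
        before = marker in f.read()
    size_before = os.path.getsize(path)
    overwrite_file(path)
    with open(path, "rb") as f:
        after = marker in f.read()
    size_after = os.path.getsize(path)
    os.remove(path)
    return {"marker_before": before, "marker_after": after,
            "size_unchanged": size_before == size_after}


if __name__ == "__main__":
    print(wipe_demo())
```

The caveat the slide itself raises ("still no guarantee") matters here: overwriting in place only reaches the logical blocks the file system reports, so on SSDs with wear levelling, on copy-on-write or journaling file systems, and for earlier copies in snapshots or backups, the old bytes may survive elsewhere. For whole devices, a firmware secure-erase command or physical destruction is the control to pair this with.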
  • 20. UNAUTHORIZED TARGETED DATA MINING: ● Is the act of collecting and analyzing large quantities of information to determine patterns of use or behavior, and using those patterns to form conclusions about past, current, or future behavior. ● Attackers perform reconnaissance against their target in an effort to collect as much information as possible to draw conclusions about operations, practices,
  • 21. DUMPSTER DIVING: ● Is simply the act of taking what people assume is trash and using that information, sometimes in combination with other data, to formulate conclusions or refine strategies for an attack. ● Most attackers do not want to risk physical contact with their target and the potential exposure of going through the organization's trash. ● The ability of an unauthorized person to get to the trash repository of a site also shows a weakness in the physical access controls of that facility.
  • 22. BACKDOORS AND TRAPDOORS: ● Applications may have hard-coded instructions that allow complete and unfettered access to those who know of the backdoor's existence. ● The most common method of backdoor access is the use of hidden accounts built into the application. ● The threat to access controls from backdoors and trapdoors is based on the existence of unknown configurations that allow someone to circumvent established controls and gain full access to the system.
  • 23. LOGIC BOMBS: ● Some attacks can be seen immediately, their effect taking hold as soon as the attack is launched, while others can hold off for days, weeks, or even years. These attacks are called logic bombs because they rely on a logical progression of events before they unleash their aggression. ● They can be difficult to find, particularly if they have been placed there by someone with intimate knowledge of the system or its source code. ● The best way to defend against them is to include a thorough code review of all software deployed throughout the enterprise.
  • 24. THEFT: ● Theft is a simple concept anyone can grasp; however, as the digital interaction between people and businesses expands, the exposure of valuable information continues to exceed the physical notion of the term theft. ● Physical theft includes anything of value an unauthorized entity can remove. ● In digital theft, the thief has not destroyed the information during the act of stealing it; the original data is still there.
  • 25. SOCIAL ENGINEERING: ● Is the practice of misdirection to obtain information through social contacts. ● It can take many forms, ranging from telephone calls to e-mail to face-to-face interaction. ● The best prevention is an effective and continuous security awareness and education effort for all personnel within the organization.
  • 26. E-MAIL SOCIAL ENGINEERING: ● E-mail can be a powerful persuasion device for attackers and con artists alike. ● E-mail has become a basic mode of communication for many people and is considered crucial for many companies to run a successful business. ● E-mail social engineering presents many problems to effective access control, but the primary problem is that it can be used to obtain enough personal or system information from a victim that the attacker can subsequently obtain or bypass legitimate authentication and authorization information.
  • 27. HELP DESK FRAUD: ● The goal of a help desk attack is for the attacker to get a valid ID and password to an internal system. ● This technique is becoming harder and harder to use, because help desk employees are usually trained to follow a specific protocol for providing passwords, and many of these protocols do not include furnishing passwords over the phone.
  • 28. THREAT MODELING: ● In reviewing access control attacks and mitigating factors, several risk assessment methods can be considered. ● Threat modeling approaches vary from organization to organization but generally follow this sequence: ● Defining the scope and objectives ● Understanding or modeling the system ● Development of threats ● Development of vulnerabilities ● Determining the impact and risk ● Developing the mitigation plan
  • 29. DEFINE THE SCOPE AND OBJECTIVES: ● An effective threat modeling exercise must determine what is within the scope of the modeling. ● There is a trade-off between the size of the scope and the amount of effort required to provide meaningful recommendations. ● If the scope is too narrow, the assessor may neglect significant information. ● If the scope is too large, resources that should be available for mitigation are spent on assessment.
  • 30. UNDERSTANDING OR MODELING THE SYSTEM: ● To understand how the target system or application operates, collect as much information as is available about the system. ● Cost information about the operation, the development, and the information contained in the system should also be understood, as it will be required to make value-based decisions.
  • 31. DEVELOPMENT OF THREATS: ● This can be as much an art as a science and will vary greatly depending on the threat information sources available. ● Classified or national security information may be relevant to the system.
  • 32. DEVELOPMENT OF VULNERABILITIES: ● Using automated tools, a vulnerability scan of the target system or application should be performed. ● Known weaknesses should also be reviewed.
  • 33. DETERMINING IMPACTS AND RISK: ● There are several qualitative and quantitative ways to determine impacts and risks. ● The qualitative route is the simplest and helps determine the overall impact and risk to the organization. ● Once the levels of risk are determined, a value for mitigating each should be determined.
  • 34. DEVELOP A MITIGATION PLAN: ● This plan should ideally identify residual risks, exposure, the resources required to mitigate risks, and timelines for mitigation. ● The plan should also identify the responsible party for each risk mitigation and who accepted the residual risks on behalf of the organization.
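Slides 33 and 34 ask for impact and risk to be determined qualitatively or quantitatively, for a mitigation value per risk, and for a plan that records residual risk, resources, timelines, the responsible party and who accepted the residual risk. The Python below is an added worked example for this page, not a method from the slides: it uses a simple three-level likelihood/impact matrix (an assumed scale) for the qualitative route and the standard quantitative formula ALE = asset value x exposure factor x annualized rate of occurrence, which the slides do not state but which is the usual CISSP form. The three risks, their dollar figures and the controls are constructed; the risk names echo threats covered earlier in the deck.

```python
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")


def qualitative_risk(likelihood, impact):
    """Assumed 3x3 matrix: the sum of the level indices gives the rating
    (0-1 low, 2 medium, 3-4 high)."""
    score = LEVELS.index(likelihood) + LEVELS.index(impact)
    return "low" if score <= 1 else "medium" if score == 2 else "high"


def annualized_loss_expectancy(asset_value, exposure_factor, annual_rate):
    """ALE = asset value x exposure factor (fraction lost per event) x
    annualized rate of occurrence; the first two factors are the SLE."""
    return asset_value * exposure_factor * annual_rate


@dataclass
class Risk:
    name: str
    asset_value: float       # from the asset valuation step
    exposure_factor: float   # fraction of the asset lost per occurrence
    annual_rate: float       # expected occurrences per year
    likelihood: str          # qualitative inputs
    impact: str

    def ale(self):
        return annualized_loss_expectancy(self.asset_value, self.exposure_factor, self.annual_rate)


@dataclass
class Mitigation:
    risk_name: str
    control: str
    annual_cost: float       # resources required, per year
    residual_rate: float     # annual rate still expected with the control in place
    owner: str               # responsible party for the mitigation
    accepted_by: str         # who accepts the residual risk for the organization
    due: str                 # timeline


def evaluate(risk, mitigation):
    """Value of mitigating one risk: ALE avoided minus the control's cost."""
    before = risk.ale()
    residual = annualized_loss_expectancy(risk.asset_value, risk.exposure_factor,
                                          mitigation.residual_rate)
    net = before - residual - mitigation.annual_cost
    return {
        "risk": risk.name,
        "qualitative": qualitative_risk(risk.likelihood, risk.impact),
        "ale_before": round(before, 2),
        "residual_ale": round(residual, 2),
        "annual_cost": mitigation.annual_cost,
        "net_benefit": round(net, 2),
        "recommend": net > 0,
        "control": mitigation.control,
        "owner": mitigation.owner,
        "accepted_by": mitigation.accepted_by,
        "due": mitigation.due,
    }


def build_mitigation_plan(risks, mitigations):
    """Plan entries ordered by net benefit, highest first."""
    by_name = {m.risk_name: m for m in mitigations}
    plan = [evaluate(r, by_name[r.name]) for r in risks]
    return sorted(plan, key=lambda e: e["net_benefit"], reverse=True)


# Constructed inputs for the example.
SAMPLE_RISKS = [
    Risk("SYN flood against the web store", 500_000, 0.10, 2.0, "high", "medium"),
    Risk("Data left on disposed drives", 2_000_000, 0.05, 0.5, "medium", "high"),
    Risk("Help desk password reset fraud", 200_000, 0.20, 1.0, "medium", "low"),
]
SAMPLE_MITIGATIONS = [
    Mitigation("SYN flood against the web store", "upstream scrubbing service",
               30_000, 0.2, "network lead", "CIO", "Q2"),
    Mitigation("Data left on disposed drives", "certified wipe before disposal",
               5_000, 0.05, "IT operations", "CISO", "Q1"),
    Mitigation("Help desk password reset fraud", "manager call-back verification",
               45_000, 0.1, "service desk manager", "CISO", "Q3"),
]

if __name__ == "__main__":
    for entry in build_mitigation_plan(SAMPLE_RISKS, SAMPLE_MITIGATIONS):
        print(entry)
```

With these figures the third control costs more per year than the loss it avoids, so the plan flags it as not recommended: the decision then is to find a cheaper control or to have the named acceptor formally accept the residual risk, which is exactly the record slide 34 asks for.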
  • 35. ASSET VALUATION: ● In determining the value of information systems there are several components which must be accounted for: ● Hardware ● Software ● Integration ● Opportunity cost ● Regulatory exposure ● Information replacement ● Reputation exposure
  • 36. HARDWARE, SOFTWARE, AND INTEGRATION: ● Hardware: The replacement cost of hardware can be significant and can increase dramatically when the hardware is out of support or the vendor has gone out of business. ● Software: Much like hardware, software can go out of support, and vendors can dissolve or merge with other companies. ● Integration: Integration costs are often "sunk," invisible costs that are easily overlooked when considering the value of an asset.
  • 37. OPPORTUNITY COSTS, REGULATORY AND REPUTATIONAL EXPOSURE, AND INFORMATION REPLACEMENT: ● Opportunity Costs: When a crucial business support system, such as an e-commerce site for a major online retailer, is down, the downtime costs substantial money. ● Regulatory Exposure: In a regulated environment, there are stiff penalties for breaches of information. ● Information Replacement: The information an organization develops as part of its operation is most likely not going to be replaced overnight. ● Reputational Exposure: What is the cost of losing a reputation? A reputation is extremely difficult and expensive to achieve and maintain.
  • 38. ACCESS AGGREGATION: ● Is the act of collecting additional roles and responsibilities in an organization or information system. ● The combination of systems may make it possible to commit fraud, as separation of duties also breaks down when access aggregation occurs. ● Information security professionals should work with human resources and information technology administrators to ensure that de-provisioning of access is performed any time a person changes roles.
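The access aggregation slide makes two points: accumulated roles can defeat separation of duties, and access must be de-provisioned on every role change. The Python below is an added example for this page (not code from the slides) of the review an information security team could run against its identity data: it expands each user's roles to effective permissions, reports any separation-of-duties conflict pair that is fully present, and lists roles the user's current job title does not entitle them to. The role model, conflict pairs, job-to-role mapping and user records are all constructed.

```python
# Constructed role model: roles grant permissions, and certain permission
# pairs must never meet in one person (the separation-of-duties conflicts).
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor_create", "invoice_enter"},
    "ap_manager": {"payment_approve"},
    "developer": {"code_commit"},
    "release_eng": {"prod_deploy"},
    "helpdesk": {"password_reset"},
}

SOD_CONFLICTS = [
    frozenset({"vendor_create", "payment_approve"}),  # create a vendor and pay it
    frozenset({"code_commit", "prod_deploy"}),        # write code and ship it unreviewed
]

# Roles each job title is entitled to: the HR-to-IT mapping the slide calls for.
JOB_ROLES = {
    "accounts payable clerk": {"ap_clerk"},
    "accounts payable manager": {"ap_manager"},
    "developer": {"developer"},
    "release engineer": {"release_eng"},
}

# Constructed users. alice was promoted from clerk to manager but her old role
# was never removed; carol moved from development to release engineering and
# kept both roles; bob is clean.
USERS = [
    {"name": "alice", "job": "accounts payable manager", "roles": {"ap_clerk", "ap_manager"}},
    {"name": "bob", "job": "developer", "roles": {"developer"}},
    {"name": "carol", "job": "release engineer", "roles": {"developer", "release_eng"}},
]


def effective_permissions(roles):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(roles):
    """Conflict pairs that are fully present in the user's effective permissions,
    returned as sorted tuples for stable reporting."""
    perms = effective_permissions(roles)
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= perms)


def review_user(user):
    """Findings for one user: SoD conflicts and roles to de-provision because
    the current job title does not entitle the user to them."""
    allowed = JOB_ROLES.get(user["job"], set())
    return {
        "name": user["name"],
        "violations": sod_violations(user["roles"]),
        "roles_to_remove": sorted(user["roles"] - allowed),
    }


def review_all(users=USERS):
    return {u["name"]: review_user(u) for u in users}


if __name__ == "__main__":
    for finding in review_all().values():
        print(finding)
```

Running this on an HR role-change feed, rather than once a year, is what turns the slide's advice into a control: the review fires at the moment the job title changes, before the aggregated access has a chance to be used.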
  • 39. VULNERABILITY ASSESSMENT: ● To begin the vulnerability assessment process, the assessor must have a good understanding of the business, its mission, and the system or application to be assessed. ● The next step is to examine the existing controls in place to protect the system or process. ● Once the vulnerability scanning is complete, the security analyst must examine the results for accuracy. ● Once the final analysis is complete, the assessor should discuss the findings with the business area to determine the appropriate course of remediation action to take.
  • 40. PENETRATION TESTING: ● The next level in vulnerability assessment seeks to exploit existing vulnerabilities to determine the true nature and impact of a given vulnerability. ● Penetration testing goes by many names, such as ethical hacking, tiger teaming, red teaming, and vulnerability testing. ● Penetration testing can be employed against any system or service. ● The key to successful and valuable penetration testing is clearly defined objectives, scope, stated goals, agreed-upon limitations, and acceptable activities.
  • 41. PENETRATION TEST STRATEGIES: ● Strategies are based on the specific objectives to be achieved and are a combination of the source of the test, how the company's assets are targeted, and the information provided to the tester. ● The organization must determine the area of the organization or the service to be tested.
  • 42. APPLICATION SECURITY TESTING: ● The objective of application security testing is to evaluate the controls within an application and its information process flow. ● Application testing will test the flow of information through the application and its susceptibility to interception or alteration. ● Application testing will test for a wide range of common attack scenarios to gauge the level of resistance an application has to attacks of varying levels of sophistication.
  • 43. DENIAL-OF-SERVICE (DOS) TESTING: ● The goal is to evaluate the system's susceptibility to attacks that will render it inoperable or unable to provide needed services to the organization's external users. ● Because DoS testing presents such a risk to systems, many testers will perform the attack steps leading up to the DoS but stop short of crashing the system. This saves a great deal of response and
  • 44. WAR DIALING: ● Is a technique for systematically calling a range of telephone numbers in an attempt to identify modems, remote-access devices, and maintenance connections for computers that may exist within an organization's network. ● Organizations would be wise not to underestimate the reach of these connections into the infrastructure or their potential for creating vulnerabilities in the environment.
  • 45. WIRELESS NETWORK TESTING: ● Wireless networks, whether created through formal, approved network architecture or the inadvertent actions of well-meaning users, create additional security exposures. ● The goal is to identify security gaps or flaws in the design, implementation, or operation of the organization's wireless network.
  • 46. SOCIAL ENGINEERING: ● Often used in conjunction with blind and double-blind testing, social engineering refers to techniques that use social interaction, typically with the organization's employees, suppliers, and contractors, to gather enough information to be able to penetrate the organization's physical premises or systems.
  • 47. PBX AND IP TELEPHONY TESTING: ● Beyond war dialing, phone systems have been a highly vulnerable, yet often overlooked, method of gaining access to corporate resources. ● The potential threat profile represented by combining the threats associated with IP networks and those of telephone systems is one an organization should take seriously.
  • 48. PENETRATION TEST METHODOLOGY: ● A methodology is an established collection of processes that are performed in a predetermined order to ensure the job, function, or security test is accurately executed. ● (1) Reconnaissance/Discovery: identify and document information about the target. ● (2) Enumeration: gain more information with intrusive methods. ● (3) Vulnerability Analysis: map the environment profile to known vulnerabilities. ● (4) Execution: attempt to gain user and privileged access. ● (5) Document findings: document the results of the test.