SlideShare uma empresa Scribd logo

Network security desighn principles and authentication

Transferir como PPT, PDF
E
Edgar Mwangangi

software application desighn principles,authentication and penetration tests

Educação
1 de 31
Prepared by EDGAR 1 NETWORK SECURITY PRESENTATION
DISCUSSION ON 1. Identification of security principles in data access design 2. Analyze Systems access and authentication 3. Identifying penetration tests EDI Prepared by EDGAR 2
SECURITY PRINCIPLES IN DATA ACCESS DESIGN 1. Principle of least privilege The principle of least privilege states that a subject should be given only those privileges that it needs in order to complete its task. • If a subject does not need an access right, the subject should not have that right.  i.E Append permission only for logging process.  Temporary elevation of privilege should be relinquished immediately  Granularity of privileges The UNIX operating system does not apply access controls to the user root. That user can terminate any process and read, write, or delete any file. Thus, users who create backups can also delete files. The administrator account on Windows has the same powers. EDI Prepared by EDGAR 3
2 .PRINCIPLE OF FAIL-SAFE DEFAULTS • The principle of fail-safe defaults states that, unless a subject is given explicit access to an object, it should be denied access to that object. • Whenever access, privileges, or some security-related attribute is not explicitly granted, it should be denied. Moreover, if the subject is unable to complete its action or task, it should undo those changes it made in the security state of the system before it terminates. This way, even if the program fails, the system is still safe.  Default access to an object is none „  Access Control Lists (ACLs), firewall examples. „  Restricting privileges at the time of creation EDI Prepared by EDGAR 4
2 .PRINCIPLE OF FAIL-SAFE DEFAULTS….Cont • If the mail server is unable to create a file in the spool directory, it should close the network connection, issue an error message, and stop. It should not try to store the message elsewhere or to expand its privileges to save the message in another location, because an attacker could use that ability to overwrite other files or fill up other disks (a denial of service attack). The protections on the mail spool directory itself should allow create and write access only to the mail server and read and delete access only to the local server. No other user should have access to the directory. • In practice, most systems will allow an administrator access to the mail spool directory. By the principle of least privilege, that administrator should be able to access only the subjects and objects involved in mail queueing and delivery. As we have seen, this constraint minimizes the threats if that administrator's account is compromised. The mail system can be damaged or destroyed, but nothing else can be. EDI Prepared by EDGAR 5
3. Principle of Economy of Mechanism • states that security mechanisms should be as simple as possible.  Fewer errors „  Testing and verification is easy  „ Assumptions are less If a design and implementation are simple, fewer possibilities exist for errors. The checking and testing process is less complex, because fewer components and cases need to be tested. The ident protocol [861] sends the user name associated with a process that has a TCP connection to a remote host. A mechanism on host A that allows access based on the results of an ident protocol result makes the assumption that the originating host is trustworthy. If host B decides to attack host A, it can connect and then send any identity it chooses in response to the ident request. EDI Prepared by EDGAR 6
4 Principle of Complete Mediation • The principle of complete mediation requires that all accesses to objects be checked to ensure that they are allowed. Whenever a subject attempts to read an object, the operating system should mediate the action. First, it determines if the subject is allowed to read the object. If so, it provides the resources for the read to occur. If the subject tries to read the object again, the system should check that the subject is still allowed to read the object. Most systems would not make the second check. They would cache the results of the first check and base the second access on the cached results. Achieved through;  UNIX file descriptor „  DNS cache poisoning. „  Restrict caching policies „  Security vs. performance issues EDI Prepared by EDGAR 7
4 Principle of Complete Mediation Cont… • The Domain Name Service (DNS) caches information mapping host names into IP addresses. If an attacker is able to "poison" the cache by implanting records associating a bogus IP address with a name, one host will route connections to another host incorrectly EDI Prepared by EDGAR 8
5 Principle of Open Design • The principle of open design states that the security of a mechanism should not depend on the secrecy of its design or implementation Designers and implementers of a program must not depend on secrecy of the details of their design and implementation to ensure security. EDI Prepared by EDGAR 9
5 Principle of Open Desighn Cont… • Example • The Content Scrambling System (CSS) is a cryptographic algorithm that protects DVD movie disks from unauthorized copying. The DVD disk has an authentication key, a disk key, and a title key. The title key is enciphered with the disk key. A block on the DVD contains several copies of the disk key, each enciphered by a different player key, and a checksum of the disk key. When a DVD is inserted into a DVD player, the algorithm reads the authentication key. It then deciphers the disk keys using the DVD player's unique key. When it finds a deciphered key with the correct hash, it uses that key to decipher the title key, and it uses the title key to decipher the movie EDI Prepared by EDGAR 10
6 Principle of Separation of Privilege • The principle of separation of privilege states that a system should not grant permission based on a single condition This principle is equivalent to the separation of duty principle Company checks for more than Ksh500,000 must be signed by two officers of the company. If either does not sign, the check is not valid. The two conditions are the signatures of both officers. Similarly, systems and programs granting access to resources should do so only when more than one condition is met. This provides a fine-grained control over the resource as well as additional assurance that the access is authorized. EDI Prepared by EDGAR 11
6 Principle of Separation of Privilege,Cont… • On Berkeley-based versions of the UNIX operating system, users are not allowed to change from their accounts to the root account unless two conditions are met. The first condition is that the user knows the root password. The second condition is that the user is in the wheel group (the group with GID 0). Meeting either condition is not sufficient to acquire root access; meeting both conditions is required. EDI Prepared by EDGAR 12
7 Principle of Least Common Mechanism • The principle of least common mechanism states that mechanisms used to access resources should not be shared. Sharing resources provides a channel along which information can be transmitted, and so such sharing should be minimized. • A Web site provides electronic commerce services for a major company. Attackers want to deprive the company of the revenue it obtains from that Web site. They flood the site with messages and tie up the electronic commerce services. Legitimate customers are unable to access the Web site and, as a result, take their business elsewhere. • Here, the sharing of the Internet with the attackers' sites caused the attack to succeed. The appropriate countermeasure would be to restrict the attackers' access to the segment of the Internet connected to the Web site. EDI Prepared by EDGAR 13
8. Principle of Psychological Acceptability • The principle of psychological acceptability states that security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present. Configuring and executing a program should be as easy and as intuitive as possible, and any output should be clear, direct, and useful. If a configuration file has an incorrect parameter, the error message should describe the proper parameter through recognizing the most important element in computer security; which is Human EDI Prepared by EDGAR 14
8. Principle of Psychological Acceptability,Cont… • When a user supplies the wrong password during login, the system should reject the attempt with a message stating that the login failed. If it were to say that the password was incorrect, the user would know that the account name was legitimate. If the "user" were really an unauthorized attacker, she would then know the name of an account for which she could try to guess a password. EDI Prepared by EDGAR 15
QUIZ 2 ANALYZING SYSTEM ACCES AND AUTHENTICATION Typically the process of identifying a certain user by a system •Authenticatio is based on; Something that the user knows Eg Passwords •Something that the user has Eg Key,Smartcard •Something that the user is Eg FingerPrinting,Voice recognition or Retinal scan systems EDI Prepared by EDGAR 16
AUTHENTICATION: 2 SUB CONCERNS • GENERAL ACCESS AUTHENTICATION To control whether or not a particular user has ANY type of access right to the element in question. Usually we consider these in the form of a “User Account”. • FUNCTIONAL AUTHORIZATION Concern with individual user “rights”. What, for example, can a user do once authenticated? Can they figure the device or only see data. EDI Prepared by EDGAR 17
AUTHENTICATION: MAJOR PROTOCOLS EDI Prepared by EDGAR 18
AUTHENTICATION: PROCEDURE • Authentication procedure – Two-Party Authentication • One-Way Authentication • Two-Way Authentication – Third-Party Authentication • Kerberos • X.509 – Single Sign ON • User can access several network resources by logging on once to a security system. EDI Prepared by EDGAR 19
AUTHENTICATION:Two-Party Authentication PROCEDURE EDI Prepared by EDGAR 20 C l i e n t U s e r I D & P a s s w o r d S e r v e r I D & P a s s w o r d A u t h e n t i c a t e d A u t h e n t i c a t e d S e r v e r O n e - w a y A u t h e n t i c a t i o n T w o - w a y A u t h e n t i c a t i o n T w o - P a r t y A u t h e n t ic a t io n s
AUTHENTICATION:Third-Party Authentication PROCEDURE EDI Prepared by EDGAR 21 Authenticated ClientID,Passw ord ServerID,Passw ord Authenticated E x c h a n g e K e y s E x c h a n g e D a t a C l i e n t S e r v e r S e c u r i t y S e r v e r T h ir d - P a r t y A u t h e n t ic a t io n s
IDENTIFYING PENETRATION TESTS • The practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit by simulating attacks from both internal and external threats • To prevent a thief, you may need to think like a thief Using tools and techniques very similar to those employed by criminals • Goals – Determine the adequacy of security measures – Identify security deficiencies – Recommend training EDI Prepared by EDGAR 22
WHY PENETRATION TEST? • To find poorly configured machines. • Verify that security mechanisms are working. • Help organizations to tighten the Security system. EDI Prepared by EDGAR 23
PHASES OF A PENETRATION TEST EDI Prepared by EDGAR 24
PROFILING • Research phase – Passive Reconnaissance – Strategy • Obtain publicly available information on target – Tactics • Query publicly accessible data sources • Observe physical defenses • Covertly survey company and employees EDI Prepared by EDGAR 25
ENUMERATION • Discovery Phase – Active Reconnaissance – Strategy • Find detailed information • Find possibly vulnerable points of entry – Tactics • Map the network • Analyze and identify each individual host • Survey physical security mechanisms • Compile list of possible entry points for an attacker EDI Prepared by EDGAR 26
VULNERABILITY ANALYSIS • Systematic examination of vulnerabilities – Procedure • Using all the information gathered in the previous phases, identify vulnerabilities in the system – Tactics • Prioritize analysis of commonly misconfigured services • Use automated tools if applicable/available EDI Prepared by EDGAR 27
EXPLOITATION – Gaining access – Procedure • Verify previously identified vulnerabilities by attempting to exploit them • Show what access can be gain and what assets can be affected EDI Prepared by EDGAR 28
REPORTING • The important part – Procedure • Compile findings into a complete report – Include methods as well • Make suggestions to fix vulnerabilities EDI Prepared by EDGAR 29
TYPES OF PENETRATION TESTING • Overt – Also known as White Hat Testing, involves performing external and/or internal testing with the knowledge and consent of the organization’s IT staff, enabling comprehensive evaluation of the network or system security posture. • Covert – Also known as Black Hat Testing, takes an adversarial approach by performing testing without the knowledge of the organization’s IT staff but with the full knowledge and permission of upper management • External – This testing is conducted from outside the organization’s security perimeter. This offers the ability to view the environment’s security posture as it appears outside the security perimeter—usually as seen from the Internet—with the goal of revealing vulnerabilities that could be exploited by an external attacker • Internal – In this type of testing, assessors work from the internal network and assume the identity of a trusted insider or an attacker who has penetrated the perimeter defenses. This kind of testing can reveal vulnerabilities that could be exploited from inside, and demonstrates the potential damage an internal attacker could cause EDI Prepared by EDGAR 30
REFRENCES • http://www.informit.com/articles/article.as • https://www.cs.bham.ac.uk/~mdr/teachin • https://www.blackhat.com/docs/us- 16/materials/us-16-McGrew-Secure- Penetration-Testing-Operations- Demonstrated-Weaknesses-In- Learning-Material-And-Tools-wp.pdf EDI Prepared by EDGAR 31

Recomendados

Network Security
Network SecurityNetwork Security
Network SecurityMAJU
 
Computer and network security
Computer and network securityComputer and network security
Computer and network securityKarwan Mustafa Kareem
 
Network security
Network securityNetwork security
Network securityNandini Raj
 
Network security presentation
Network security presentationNetwork security presentation
Network security presentationKudzai Rerayi
 
What is Network Security?
What is Network Security?What is Network Security?
What is Network Security?Faith Zeller
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
Network security - Basic concepts
Network security - Basic conceptsNetwork security - Basic concepts
Network security - Basic conceptsKhoa Nguyen
 
Basics of Network Security
Basics of Network SecurityBasics of Network Security
Basics of Network SecurityDushyant Singh
 

Recomendados

Network Security
Network SecurityNetwork Security
Network SecurityMAJU
 
Computer and network security
Computer and network securityComputer and network security
Computer and network securityKarwan Mustafa Kareem
 
Network security
Network securityNetwork security
Network securityNandini Raj
 
Network security presentation
Network security presentationNetwork security presentation
Network security presentationKudzai Rerayi
 
What is Network Security?
What is Network Security?What is Network Security?
What is Network Security?Faith Zeller
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
Network security - Basic concepts
Network security - Basic conceptsNetwork security - Basic concepts
Network security - Basic conceptsKhoa Nguyen
 
Basics of Network Security
Basics of Network SecurityBasics of Network Security
Basics of Network SecurityDushyant Singh
 
Network Security Research Paper
Network Security Research PaperNetwork Security Research Paper
Network Security Research PaperPankaj Jha
 
Network Security Presentation
Network Security PresentationNetwork Security Presentation
Network Security PresentationAllan Pratt MBA
 
Tutorial 9 - Security on the Internet
Tutorial 9 - Security on the InternetTutorial 9 - Security on the Internet
Tutorial 9 - Security on the Internetdpd
 
Network security (syed azam)
Network security (syed azam)Network security (syed azam)
Network security (syed azam)sayyed azam
 
Network Security Threats and Solutions
Network Security Threats and SolutionsNetwork Security Threats and Solutions
Network Security Threats and SolutionsColin058
 
Introduction Network security
Introduction Network securityIntroduction Network security
Introduction Network securityIGZ Software house
 
Network basic security
Network basic securityNetwork basic security
Network basic securityMohamed Radji
 
Network Security
Network SecurityNetwork Security
Network Securityforpalmigho
 
Network security
Network security Network security
Network security Madhumithah Ilango
 
Seminar (network security)
Seminar (network security)Seminar (network security)
Seminar (network security)Gaurav Dalvi
 
5 Network Security Threats Facing Businesses Today
5 Network Security Threats Facing Businesses Today5 Network Security Threats Facing Businesses Today
5 Network Security Threats Facing Businesses TodayVelocity Network Solutions
 
Network Security Chapter 7
Network Security Chapter 7Network Security Chapter 7
Network Security Chapter 7AfiqEfendy Zaen
 
Network Security ppt
Network Security pptNetwork Security ppt
Network Security pptSAIKAT BISWAS
 
Network security
Network securityNetwork security
Network securityNkosinathi Lungu
 
Rashed al kamdah network security threats
Rashed al kamdah network security threatsRashed al kamdah network security threats
Rashed al kamdah network security threatsrashidalkamdah
 
Network security
Network securityNetwork security
Network securityAkhilesh Jain
 
Network and security concepts
Network and security conceptsNetwork and security concepts
Network and security conceptssonuagain
 
Computer Network Security
Computer Network SecurityComputer Network Security
Computer Network SecurityBryley Systems Inc.
 
Network security threats and solutions
Network security threats and solutionsNetwork security threats and solutions
Network security threats and solutionshassanmughal4u
 
Web Security
Web SecurityWeb Security
Web SecurityTripad M
 
Network security
Network security Network security
Network security Madhumithah Ilango
 
Network security
Network securityNetwork security
Network securityGichelle Amon
 

Mais conteúdo relacionado

Mais procurados

Network Security Research Paper
Network Security Research PaperNetwork Security Research Paper
Network Security Research PaperPankaj Jha
 
Network Security Presentation
Network Security PresentationNetwork Security Presentation
Network Security PresentationAllan Pratt MBA
 
Tutorial 9 - Security on the Internet
Tutorial 9 - Security on the InternetTutorial 9 - Security on the Internet
Tutorial 9 - Security on the Internetdpd
 
Network security (syed azam)
Network security (syed azam)Network security (syed azam)
Network security (syed azam)sayyed azam
 
Network Security Threats and Solutions
Network Security Threats and SolutionsNetwork Security Threats and Solutions
Network Security Threats and SolutionsColin058
 
Network basic security
Network basic securityNetwork basic security
Network basic securityMohamed Radji
 
Network Security
Network SecurityNetwork Security
Network Securityforpalmigho
 
Seminar (network security)
Seminar (network security)Seminar (network security)
Seminar (network security)Gaurav Dalvi
 
5 Network Security Threats Facing Businesses Today
5 Network Security Threats Facing Businesses Today5 Network Security Threats Facing Businesses Today
5 Network Security Threats Facing Businesses TodayVelocity Network Solutions
 
Network Security Chapter 7
Network Security Chapter 7Network Security Chapter 7
Network Security Chapter 7AfiqEfendy Zaen
 
Network Security ppt
Network Security pptNetwork Security ppt
Network Security pptSAIKAT BISWAS
 
Rashed al kamdah network security threats
Rashed al kamdah network security threatsRashed al kamdah network security threats
Rashed al kamdah network security threatsrashidalkamdah
 
Network and security concepts
Network and security conceptsNetwork and security concepts
Network and security conceptssonuagain
 
Network security threats and solutions
Network security threats and solutionsNetwork security threats and solutions
Network security threats and solutionshassanmughal4u
 
Web Security
Web SecurityWeb Security
Web SecurityTripad M
 

Mais procurados (20)

Network Security Research Paper
Network Security Research PaperNetwork Security Research Paper
Network Security Research Paper
 
Network Security Presentation
Network Security PresentationNetwork Security Presentation
Network Security Presentation
 
Tutorial 9 - Security on the Internet
Tutorial 9 - Security on the InternetTutorial 9 - Security on the Internet
Tutorial 9 - Security on the Internet
 
Network security (syed azam)
Network security (syed azam)Network security (syed azam)
Network security (syed azam)
 
Network Security Threats and Solutions
Network Security Threats and SolutionsNetwork Security Threats and Solutions
Network Security Threats and Solutions
 
Introduction Network security
Introduction Network securityIntroduction Network security
Introduction Network security
 
Network basic security
Network basic securityNetwork basic security
Network basic security
 
Network Security
Network SecurityNetwork Security
Network Security
 
Network security
Network security Network security
Network security
 
Seminar (network security)
Seminar (network security)Seminar (network security)
Seminar (network security)
 
5 Network Security Threats Facing Businesses Today
5 Network Security Threats Facing Businesses Today5 Network Security Threats Facing Businesses Today
5 Network Security Threats Facing Businesses Today
 
Network Security Chapter 7
Network Security Chapter 7Network Security Chapter 7
Network Security Chapter 7
 
Network Security ppt
Network Security pptNetwork Security ppt
Network Security ppt
 
Network security
Network securityNetwork security
Network security
 
Rashed al kamdah network security threats
Rashed al kamdah network security threatsRashed al kamdah network security threats
Rashed al kamdah network security threats
 
Network security
Network securityNetwork security
Network security
 
Network and security concepts
Network and security conceptsNetwork and security concepts
Network and security concepts
 
Computer Network Security
Computer Network SecurityComputer Network Security
Computer Network Security
 
Network security threats and solutions
Network security threats and solutionsNetwork security threats and solutions
Network security threats and solutions
 
Web Security
Web SecurityWeb Security
Web Security
 

Destaque

Network Security Applications
Network Security ApplicationsNetwork Security Applications
Network Security ApplicationsHatem Mahmoud
 
Network Security and Cryptography
Network Security and CryptographyNetwork Security and Cryptography
Network Security and CryptographyAdam Reagan
 
Extract Network and System resource for analysis of Network Security Modeling
Extract Network and System resource for analysis of Network Security ModelingExtract Network and System resource for analysis of Network Security Modeling
Extract Network and System resource for analysis of Network Security ModelingDhiraj Gajurel
 
Authentication Application in Network Security NS4
Authentication Application in Network Security NS4Authentication Application in Network Security NS4
Authentication Application in Network Security NS4koolkampus
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationamiable_indian
 
Network Security 1st Lecture
Network Security 1st LectureNetwork Security 1st Lecture
Network Security 1st Lecturebabak danyal
 
Data Network Security
Data Network SecurityData Network Security
Data Network SecurityAtif Rehmat
 
Intro. to prog. c++
Intro. to prog. c++Intro. to prog. c++
Intro. to prog. c++KurdGul
 
Basics of c++ Programming Language
Basics of c++ Programming LanguageBasics of c++ Programming Language
Basics of c++ Programming LanguageAhmad Idrees
 
Network Security
Network SecurityNetwork Security
Network SecurityJaya sudha
 
Network security
Network securityNetwork security
Network securityAli Kamil
 

Destaque (18)

Network security
Network security Network security
Network security
 
Network security
Network securityNetwork security
Network security
 
Network Security Applications
Network Security ApplicationsNetwork Security Applications
Network Security Applications
 
Network Security and Cryptography
Network Security and CryptographyNetwork Security and Cryptography
Network Security and Cryptography
 
Extract Network and System resource for analysis of Network Security Modeling
Extract Network and System resource for analysis of Network Security ModelingExtract Network and System resource for analysis of Network Security Modeling
Extract Network and System resource for analysis of Network Security Modeling
 
Authentication Application in Network Security NS4
Authentication Application in Network Security NS4Authentication Application in Network Security NS4
Authentication Application in Network Security NS4
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
Network Security 1st Lecture
Network Security 1st LectureNetwork Security 1st Lecture
Network Security 1st Lecture
 
Functional C++
Functional C++Functional C++
Functional C++
 
Data Network Security
Data Network SecurityData Network Security
Data Network Security
 
Network Security
Network SecurityNetwork Security
Network Security
 
Intro. to prog. c++
Intro. to prog. c++Intro. to prog. c++
Intro. to prog. c++
 
Basics of c++ Programming Language
Basics of c++ Programming LanguageBasics of c++ Programming Language
Basics of c++ Programming Language
 
Network Security
Network SecurityNetwork Security
Network Security
 
Network Security
Network SecurityNetwork Security
Network Security
 
Network security
Network securityNetwork security
Network security
 
Network security
Network securityNetwork security
Network security
 
Security
SecuritySecurity
Security
 

Semelhante a Network security desighn principles and authentication

Security Principles and Protection Mechanism
Security Principles and Protection MechanismSecurity Principles and Protection Mechanism
Security Principles and Protection MechanismMona Rajput
 
Lannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksLannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksSecurity Bootcamp
 
Principles for Secure Design and Software Security
Principles for Secure Design and Software Security Principles for Secure Design and Software Security
Principles for Secure Design and Software Security Mona Rajput
 
documentation for identity based secure distrbuted data storage schemes
documentation for identity based secure distrbuted data storage schemesdocumentation for identity based secure distrbuted data storage schemes
documentation for identity based secure distrbuted data storage schemesSahithi Naraparaju
 
Securing Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecuring Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecurityMetrics
 
Mitre ATTACK and the North Korean Regime-Backed Programmer
Mitre ATTACK and the North Korean Regime-Backed ProgrammerMitre ATTACK and the North Korean Regime-Backed Programmer
Mitre ATTACK and the North Korean Regime-Backed ProgrammerDigital Shadows
 
Network Security_4th Module_Dr. Shivashankar
Network Security_4th Module_Dr. ShivashankarNetwork Security_4th Module_Dr. Shivashankar
Network Security_4th Module_Dr. ShivashankarDr. Shivashankar
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
Data base security & integrity
Data base security & integrityData base security & integrity
Data base security & integrityPooja Dixit
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
Achieving Secure, sclable and finegrained Cloud computing report
Achieving Secure, sclable and finegrained Cloud computing reportAchieving Secure, sclable and finegrained Cloud computing report
Achieving Secure, sclable and finegrained Cloud computing reportKiran Girase
 
ITE v5.0 - Chapter 10
ITE v5.0 - Chapter 10ITE v5.0 - Chapter 10
ITE v5.0 - Chapter 10Irsandi Hasan
 
IT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
IT Essentials (Version 7.0) - ITE Chapter 13 Exam AnswersIT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
IT Essentials (Version 7.0) - ITE Chapter 13 Exam AnswersITExamAnswers.net
 
Computer Networks 4
Computer Networks 4Computer Networks 4
Computer Networks 4Mr Smith
 

Semelhante a Network security desighn principles and authentication (20)

Security Principles and Protection Mechanism
Security Principles and Protection MechanismSecurity Principles and Protection Mechanism
Security Principles and Protection Mechanism
 
Lannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksLannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber Attacks
 
Security Design Principles.ppt
Security Design Principles.ppt Security Design Principles.ppt
Security Design Principles.ppt
 
Principles for Secure Design and Software Security
Principles for Secure Design and Software Security Principles for Secure Design and Software Security
Principles for Secure Design and Software Security
 
documentation for identity based secure distrbuted data storage schemes
documentation for identity based secure distrbuted data storage schemesdocumentation for identity based secure distrbuted data storage schemes
documentation for identity based secure distrbuted data storage schemes
 
Securing Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecuring Your Remote Access Desktop Connection
Securing Your Remote Access Desktop Connection
 
Mitre ATTACK and the North Korean Regime-Backed Programmer
Mitre ATTACK and the North Korean Regime-Backed ProgrammerMitre ATTACK and the North Korean Regime-Backed Programmer
Mitre ATTACK and the North Korean Regime-Backed Programmer
 
Network Security_4th Module_Dr. Shivashankar
Network Security_4th Module_Dr. ShivashankarNetwork Security_4th Module_Dr. Shivashankar
Network Security_4th Module_Dr. Shivashankar
 
Security issues in cloud database
Security issues in cloud database Security issues in cloud database
Security issues in cloud database
 
SCWCD : Secure web
SCWCD : Secure webSCWCD : Secure web
SCWCD : Secure web
 
SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
Data base security & integrity
Data base security & integrityData base security & integrity
Data base security & integrity
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Achieving Secure, sclable and finegrained Cloud computing report
Achieving Secure, sclable and finegrained Cloud computing reportAchieving Secure, sclable and finegrained Cloud computing report
Achieving Secure, sclable and finegrained Cloud computing report
 
ITE v5.0 - Chapter 10
ITE v5.0 - Chapter 10ITE v5.0 - Chapter 10
ITE v5.0 - Chapter 10
 
IT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
IT Essentials (Version 7.0) - ITE Chapter 13 Exam AnswersIT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
IT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
 
Computer Networks 4
Computer Networks 4Computer Networks 4
Computer Networks 4
 

Último

Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Shubhangi Sonawane
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.MaryamAhmad92
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Role Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptxRole Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptxNikitaBankoti2
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhikauryashika82
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17Celine George
 

Último (20)

Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Role Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptxRole Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptx
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 

Network security desighn principles and authentication

  • 1. Prepared by EDGAR 1 NETWORK SECURITY PRESENTATION
  • 2. DISCUSSION ON 1. Identification of security principles in data access design 2. Analyze Systems access and authentication 3. Identifying penetration tests EDI Prepared by EDGAR 2
  • 3. SECURITY PRINCIPLES IN DATA ACCESS DESIGN 1. Principle of least privilege The principle of least privilege states that a subject should be given only those privileges that it needs in order to complete its task. • If a subject does not need an access right, the subject should not have that right.  i.E Append permission only for logging process.  Temporary elevation of privilege should be relinquished immediately  Granularity of privileges The UNIX operating system does not apply access controls to the user root. That user can terminate any process and read, write, or delete any file. Thus, users who create backups can also delete files. The administrator account on Windows has the same powers. EDI Prepared by EDGAR 3
  • 4. 2 .PRINCIPLE OF FAIL-SAFE DEFAULTS • The principle of fail-safe defaults states that, unless a subject is given explicit access to an object, it should be denied access to that object. • Whenever access, privileges, or some security-related attribute is not explicitly granted, it should be denied. Moreover, if the subject is unable to complete its action or task, it should undo those changes it made in the security state of the system before it terminates. This way, even if the program fails, the system is still safe.  Default access to an object is none „  Access Control Lists (ACLs), firewall examples. „  Restricting privileges at the time of creation EDI Prepared by EDGAR 4
  • 5. 2 .PRINCIPLE OF FAIL-SAFE DEFAULTS….Cont • If the mail server is unable to create a file in the spool directory, it should close the network connection, issue an error message, and stop. It should not try to store the message elsewhere or to expand its privileges to save the message in another location, because an attacker could use that ability to overwrite other files or fill up other disks (a denial of service attack). The protections on the mail spool directory itself should allow create and write access only to the mail server and read and delete access only to the local server. No other user should have access to the directory. • In practice, most systems will allow an administrator access to the mail spool directory. By the principle of least privilege, that administrator should be able to access only the subjects and objects involved in mail queueing and delivery. As we have seen, this constraint minimizes the threats if that administrator's account is compromised. The mail system can be damaged or destroyed, but nothing else can be. EDI Prepared by EDGAR 5
  • 6. 3. Principle of Economy of Mechanism • states that security mechanisms should be as simple as possible.  Fewer errors „  Testing and verification is easy  „ Assumptions are less If a design and implementation are simple, fewer possibilities exist for errors. The checking and testing process is less complex, because fewer components and cases need to be tested. The ident protocol [861] sends the user name associated with a process that has a TCP connection to a remote host. A mechanism on host A that allows access based on the results of an ident protocol result makes the assumption that the originating host is trustworthy. If host B decides to attack host A, it can connect and then send any identity it chooses in response to the ident request. EDI Prepared by EDGAR 6
  • 7. 4 Principle of Complete Mediation • The principle of complete mediation requires that all accesses to objects be checked to ensure that they are allowed. Whenever a subject attempts to read an object, the operating system should mediate the action. First, it determines if the subject is allowed to read the object. If so, it provides the resources for the read to occur. If the subject tries to read the object again, the system should check that the subject is still allowed to read the object. Most systems would not make the second check. They would cache the results of the first check and base the second access on the cached results. Achieved through;  UNIX file descriptor „  DNS cache poisoning. „  Restrict caching policies „  Security vs. performance issues EDI Prepared by EDGAR 7
  • 8. 4 Principle of Complete Mediation Cont… • The Domain Name Service (DNS) caches information mapping host names into IP addresses. If an attacker is able to "poison" the cache by implanting records associating a bogus IP address with a name, one host will route connections to another host incorrectly EDI Prepared by EDGAR 8
  • 9. 5 Principle of Open Design • The principle of open design states that the security of a mechanism should not depend on the secrecy of its design or implementation Designers and implementers of a program must not depend on secrecy of the details of their design and implementation to ensure security. EDI Prepared by EDGAR 9
  • 10. 5 Principle of Open Desighn Cont… • Example • The Content Scrambling System (CSS) is a cryptographic algorithm that protects DVD movie disks from unauthorized copying. The DVD disk has an authentication key, a disk key, and a title key. The title key is enciphered with the disk key. A block on the DVD contains several copies of the disk key, each enciphered by a different player key, and a checksum of the disk key. When a DVD is inserted into a DVD player, the algorithm reads the authentication key. It then deciphers the disk keys using the DVD player's unique key. When it finds a deciphered key with the correct hash, it uses that key to decipher the title key, and it uses the title key to decipher the movie EDI Prepared by EDGAR 10
  • 11. 6 Principle of Separation of Privilege • The principle of separation of privilege states that a system should not grant permission based on a single condition This principle is equivalent to the separation of duty principle Company checks for more than Ksh500,000 must be signed by two officers of the company. If either does not sign, the check is not valid. The two conditions are the signatures of both officers. Similarly, systems and programs granting access to resources should do so only when more than one condition is met. This provides a fine-grained control over the resource as well as additional assurance that the access is authorized. EDI Prepared by EDGAR 11
  • 12. 6 Principle of Separation of Privilege,Cont… • On Berkeley-based versions of the UNIX operating system, users are not allowed to change from their accounts to the root account unless two conditions are met. The first condition is that the user knows the root password. The second condition is that the user is in the wheel group (the group with GID 0). Meeting either condition is not sufficient to acquire root access; meeting both conditions is required. EDI Prepared by EDGAR 12
  • 13. 7 Principle of Least Common Mechanism • The principle of least common mechanism states that mechanisms used to access resources should not be shared. Sharing resources provides a channel along which information can be transmitted, and so such sharing should be minimized. • A Web site provides electronic commerce services for a major company. Attackers want to deprive the company of the revenue it obtains from that Web site. They flood the site with messages and tie up the electronic commerce services. Legitimate customers are unable to access the Web site and, as a result, take their business elsewhere. • Here, the sharing of the Internet with the attackers' sites caused the attack to succeed. The appropriate countermeasure would be to restrict the attackers' access to the segment of the Internet connected to the Web site. EDI Prepared by EDGAR 13
  • 14. 8. Principle of Psychological Acceptability • The principle of psychological acceptability states that security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present. Configuring and executing a program should be as easy and as intuitive as possible, and any output should be clear, direct, and useful. If a configuration file has an incorrect parameter, the error message should describe the proper parameter through recognizing the most important element in computer security; which is Human EDI Prepared by EDGAR 14
  • 15. 8. Principle of Psychological Acceptability,Cont… • When a user supplies the wrong password during login, the system should reject the attempt with a message stating that the login failed. If it were to say that the password was incorrect, the user would know that the account name was legitimate. If the "user" were really an unauthorized attacker, she would then know the name of an account for which she could try to guess a password. EDI Prepared by EDGAR 15
  • 16. QUIZ 2 ANALYZING SYSTEM ACCES AND AUTHENTICATION Typically the process of identifying a certain user by a system •Authenticatio is based on; Something that the user knows Eg Passwords •Something that the user has Eg Key,Smartcard •Something that the user is Eg FingerPrinting,Voice recognition or Retinal scan systems EDI Prepared by EDGAR 16
  • 17. AUTHENTICATION: 2 SUB CONCERNS • GENERAL ACCESS AUTHENTICATION To control whether or not a particular user has ANY type of access right to the element in question. Usually we consider these in the form of a “User Account”. • FUNCTIONAL AUTHORIZATION Concern with individual user “rights”. What, for example, can a user do once authenticated? Can they figure the device or only see data. EDI Prepared by EDGAR 17
  • 18. AUTHENTICATION: MAJOR PROTOCOLS EDI Prepared by EDGAR 18
  • 19. AUTHENTICATION: PROCEDURE • Authentication procedure – Two-Party Authentication • One-Way Authentication • Two-Way Authentication – Third-Party Authentication • Kerberos • X.509 – Single Sign ON • User can access several network resources by logging on once to a security system. EDI Prepared by EDGAR 19
  • 20. AUTHENTICATION:Two-Party Authentication PROCEDURE EDI Prepared by EDGAR 20 C l i e n t U s e r I D & P a s s w o r d S e r v e r I D & P a s s w o r d A u t h e n t i c a t e d A u t h e n t i c a t e d S e r v e r O n e - w a y A u t h e n t i c a t i o n T w o - w a y A u t h e n t i c a t i o n T w o - P a r t y A u t h e n t ic a t io n s
  • 21. AUTHENTICATION:Third-Party Authentication PROCEDURE EDI Prepared by EDGAR 21 Authenticated ClientID,Passw ord ServerID,Passw ord Authenticated E x c h a n g e K e y s E x c h a n g e D a t a C l i e n t S e r v e r S e c u r i t y S e r v e r T h ir d - P a r t y A u t h e n t ic a t io n s
  • 22. IDENTIFYING PENETRATION TESTS • The practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit by simulating attacks from both internal and external threats • To prevent a thief, you may need to think like a thief Using tools and techniques very similar to those employed by criminals • Goals – Determine the adequacy of security measures – Identify security deficiencies – Recommend training EDI Prepared by EDGAR 22
  • 23. WHY PENETRATION TEST? • To find poorly configured machines. • Verify that security mechanisms are working. • Help organizations to tighten the Security system. EDI Prepared by EDGAR 23
  • 24. PHASES OF A PENETRATION TEST EDI Prepared by EDGAR 24
  • 25. PROFILING • Research phase – Passive Reconnaissance – Strategy • Obtain publicly available information on target – Tactics • Query publicly accessible data sources • Observe physical defenses • Covertly survey company and employees EDI Prepared by EDGAR 25
  • 26. ENUMERATION • Discovery Phase – Active Reconnaissance – Strategy • Find detailed information • Find possibly vulnerable points of entry – Tactics • Map the network • Analyze and identify each individual host • Survey physical security mechanisms • Compile list of possible entry points for an attacker EDI Prepared by EDGAR 26
  • 27. VULNERABILITY ANALYSIS • Systematic examination of vulnerabilities – Procedure • Using all the information gathered in the previous phases, identify vulnerabilities in the system – Tactics • Prioritize analysis of commonly misconfigured services • Use automated tools if applicable/available EDI Prepared by EDGAR 27
  • 28. EXPLOITATION – Gaining access – Procedure • Verify previously identified vulnerabilities by attempting to exploit them • Show what access can be gain and what assets can be affected EDI Prepared by EDGAR 28
  • 29. REPORTING • The important part – Procedure • Compile findings into a complete report – Include methods as well • Make suggestions to fix vulnerabilities EDI Prepared by EDGAR 29
  • 30. TYPES OF PENETRATION TESTING • Overt – Also known as White Hat Testing, involves performing external and/or internal testing with the knowledge and consent of the organization’s IT staff, enabling comprehensive evaluation of the network or system security posture. • Covert – Also known as Black Hat Testing, takes an adversarial approach by performing testing without the knowledge of the organization’s IT staff but with the full knowledge and permission of upper management • External – This testing is conducted from outside the organization’s security perimeter. This offers the ability to view the environment’s security posture as it appears outside the security perimeter—usually as seen from the Internet—with the goal of revealing vulnerabilities that could be exploited by an external attacker • Internal – In this type of testing, assessors work from the internal network and assume the identity of a trusted insider or an attacker who has penetrated the perimeter defenses. This kind of testing can reveal vulnerabilities that could be exploited from inside, and demonstrates the potential damage an internal attacker could cause EDI Prepared by EDGAR 30
  • 31. REFRENCES • http://www.informit.com/articles/article.as • https://www.cs.bham.ac.uk/~mdr/teachin • https://www.blackhat.com/docs/us- 16/materials/us-16-McGrew-Secure- Penetration-Testing-Operations- Demonstrated-Weaknesses-In- Learning-Material-And-Tools-wp.pdf EDI Prepared by EDGAR 31