• Law or set of rules.
• a rule of conduct or action prescribed or formally recognized as binding or enforced by a controlling authority.
• mplies imposition by a sovereign authority and the obligation of obedience on the part of all subject to that authority

Ethics

• a set of moral principles or values.
• the principles of conduct governing an individual or a group.
• an objectively defined standard of right and wrong.

Categories of Law

• Civil Law
• Criminal Law
• Tort Law

Differences between Laws and Ethics

Ethics Concept in Information Security

1. Ethical Differences Across Cultures
2. Software License Infringement
3. Illicit Use
4. Misuse of Corporate Resources’
5. Ethics and Education
6. Deterrence to Unethical and Illegal Behavior

Three general categories of unethical and illegal behavior:

1.    Ignorance

• ignorance of the law is no excuse, however ignorance of policy and procedures is

2.    Accident

• Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident

3.    Intent

• Intent is often the cornerstone of legal defense, when it becomes necessary to determine whether or not the offender acted out of ignorance, by accident, or with specific intent to cause harm or damage

A security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.

Intrusion Detection

A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of attempts to access system resources in an unauthorized manner.

Hackers

- Motivated by thrill of access and status

• Hacking community a strong meritocracy
• Status is determined by level of competence

- Benign intruders might be tolerable

• Do consume resources and may slow performance
• Can’t know in advance whether benign or malign

- IDS / IPS / VPNs can help counter

• Awareness led to establishment of CERTs
• Collect / disseminate vulnerability info / responses
• Intrusion Detection Systems

- classify intrusion detection systems (IDSs) as:

• Host-based IDS: monitor single host activity
• Network-based IDS: monitor network traffic

- Logical components:

• Sensors – collect data
• Analyzers – determine if intrusion has occurred
• User interface – manage / direct / view IDS

IDS Principles

• assume intruder behavior differs from legitimate users

1. expect overlap as shown
2. observe deviations from past history
3. Problems of:

• False positives
• False negatives
• Must compromise

IDS Requirements

• run continually
• be fault tolerant
• resist subversion
• impose a minimal overhead on system
• configured according to system security policies
• adapt to changes in systems and users
• scale to monitor large numbers of systems
• provide graceful degradation of service
• allow dynamic reconfiguration

Host-Based IDS

1.    Specialized software to monitor system activity to detect suspicious behavior

• Primary purpose is to detect intrusions, log suspicious events, and send alerts
• Can detect both external and internal intrusions

2.    Two approaches, often used in combination:

• Anomaly detection – defines normal/expected behavior

3.    Threshold detection

4.    Profile based

• Signature detection – defines proper behavior

Audit Records

1.    A fundamental tool for intrusion detection

2.    Two variants:

• Native audit records – provided by O/S

3.    Always available but may not be optimum

• Detection-specific audit records – IDS specific

4.    Additional overhead but specific to IDS task

5.    Often log individual elementary actions

- E.g. may contain fields for: subject, action, object, exception-condition, resource-usage, time-stamp.

Anomaly Detection

1.    Threshold detection

• Checks excessive event occurrences over time
• Alone a crude and ineffective intruder detector
• Must determine both thresholds and time intervals

2.    Profile based

• Characterize past behavior of users / groups
• Then detect significant deviations
• Based on analysis of audit records

3.    gather metrics: counter, gauges, interval timer, and resource utilization

4.    analyze: mean and standard deviation, multivariate, markov process, time series, operational model.

Signature Detection

1.    observe events on system and applying a set of rules to decide if intruder

2.    Approaches:

• Rule-based anomaly detection

3.    analyze historical audit records for expected behavior, and then match with current behavior

• Rule-based penetration identification

4.    Rules identify known penetrations / weaknesses

5.    Often by analyzing attack scripts from Internet

6.    Supplemented with rules from security experts

Distributed Host-Based IDS

Network-Based IDS

1.    Network-based IDS (NIDS)

• Monitor traffic at selected points on a network
• In (near) real time to detect intrusion patterns
• May examine network, transport and/or application level protocol activity directed toward systems

2.    comprises a number of sensors

• Inline (possibly as part of other net device)
• Passive (monitors copy of traffic)

NIDS Sensor Deployment

Intrusion Detection Techniques

1.    Signature detection

• At application, transport, network layers; unexpected application services, policy violations

2.    Anomaly detection

• Of denial of service attacks, scanning, worms

- When potential violation detected sensor sends an alert and logs information

• Used by analysis module to refine intrusion detection parameters and algorithms
• By security admin to improve protection

Distributed Adaptive Intrusion Detection

Intrusion Detection Exchange Format

Honeypots

1.    Are decoy systems

• Filled with fabricated info
• Instrumented with monitors / event loggers
• Divert and hold attacker to collect activity info
• Without exposing production systems

2.    Initially were single systems

3.    More recently are/emulate entire networks

Honeypot Deployment

SNORT

Snort is an open source network intrusion prevention system (IPS) capable of performing real-time traffic analysis and packet-logging on IP networks. It can perform protocol analysis, content searching & matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and more.

Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that uses a modular plug-in architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user-specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba’s smbclient. Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging and so), or as a full-blown network intrusion prevention system.

SNORT Rules

• Use a simple, flexible rule definition language
• With fixed header and zero or more options
• Header includes: action, protocol, source IP, source port, direction, destination IP, and destination port
• Many options

A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Firewall Techniques

• Packet filter : Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.

• Application gateway : Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.

• Circuit-level gateway : Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

• Proxy server : Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

Packet filtering firewall

• Packet filters act by inspecting the “packets” which represent the basic unit of data transfer between computers on the Internet. If a packet matches the packet filter’s set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and send “error responses” to the source).

• This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (it stores no information on connection “state”). Instead, it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet’s source and destination address, its protocol, and, for TCP and UDP traffic, the port number).

Stateful Inspection Firewall

• Third generation firewalls in addition regard placement of each individual packet within the packet series. This technology is generally referred to as a stateful packet inspection as it maintains records of all connections passing through the firewall and is able to determine whether a packet is either the start of a new connection, a part of an existing connection, or is an invalid packet. Though there is still a set of static rules in such a firewall, the state of a connection can in itself be one of the criteria which trigger specific rules.

• This type of firewall can help prevent attacks which exploit existing connections, or certain Denial-of-service attacks.

Application Proxy Firewall & Circuit-level Proxy Firewall

Firewall hosting :

• Bastion host = single firewall that cover a network territory
• Host-base = single firewall protect a single workstation/server

Virtual Private Network (VPNs)

• In essence, a VPN consists of a set of computers that interconnect by means of a relatively unsecure network.
• Use of a public network exposes corporate traffic to eavesdropping and provides an entry point for unauthorized users. To counter this problem, a VPN is needed.
• In essence, a VPN uses encryption and authentication in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet.
• VPNs are generally cheaper than real private networks using private lines but rely on having the same encryption and authentication system at both ends.
• The encryption may be performed by firewall software or possibly by routers.
• The most common protocol mechanism used for this purpose is at the IP level and is known as IPSec.

Distributed Firewall

• A distributed firewall configuration involves standalone firewall devices plus host-based firewalls, personal firewall working together under a central administrative control.

• Administrators can configure host-resident firewalls on hundreds of servers and workstation as well as configuring personal firewalls on local and remote user systems. Tools let the network administrator set policies and monitor security across the entire network.

A wireless local area network (WLAN) is a local area network (LAN) that doesn’t rely on wired Ethernet connections. A WLAN can be either an extension to a current wired network or an alternative to it. Use of a WLAN adds flexibility to networking. A WLAN allows users to move around while keeping their computers connected.

WLANs have data transfer speeds ranging from 1 to 54Mbps, with some manufacturers offering proprietary 108Mbps solutions. The 802.11n standard can reach 300 to 600Mbps.  Because the wireless signal is broadcast so everybody nearby can share it, several security precautions are necessary to ensure only authorized users can access your WLAN.

A WLAN signal can be broadcast to cover an area ranging in size from a small office to a large campus. Most commonly, a WLAN access point provides access within a radius of 65 to 300 feet.

WLAN standards

Several standards for WLAN hardware exist:

802.11a, b, and g

The 802.11a, b, and g standards are the most common for home wireless access points and large business wireless systems. The differences are:

• 802.11a: With data transfer rates up to 54Mbps, it is faster than 802.11b and can support more simultaneous connections. Because it operates in a more regulated frequency, it gets less signal interference from other devices and is considered to be better at maintaining connections. In areas with major radio interference (e.g., airports, business call centers), 802.11a will outperform 802.11b. It has the shortest range of the three standards (generally around 60 to 100 feet), broadcasts in the 5GHz frequency, and is less able to penetrate physical barriers, such as walls.
• 802.11b: It supports data transfer speeds up to 11Mbps. It’s better than 802.11a at penetrating physical barriers, but doesn’t support as many simultaneous connections. It has better range than 802.11a (up to 300 feet in ideal circumstances; tests by independent reviewers commonly achieve between 70 and 150 feet), and uses hardware that tends to be less expensive. It’s more susceptible to interference, because it operates on the same frequency (2.4GHz) as many cordless phones and other appliances. Therefore, it’s not considered a good technology for applications that require absolutely reliable connections, such as live video streaming.
• 802.11g: It’s faster than 802.11b, supporting data transfer rates up to 54Mbps. It has a slightly shorter range than 802.11b, but still better than 802.11a. Most independent reviews report around 65 to 120 feet in real-world situations. It is backward-compatible with 802.11b products, but will run only at 802.11b speeds when operating with them. It uses the 2.4GHz frequency, so it has the same problems with interference as 802.11b.

802.11n

The Institute of Electrical and Electronics Engineers (IEEE) has not yet ratified the 802.11.n standard. Because of this, some manufacturers advertise their 802.11n equipment as “draft” devices.

Though specifications may change once the standard is finalized, it is expected to allow data transfer rates up to 600Mbps. Product manufacturers are advertising ranges twice as large as those of as 802.11b/g devices, but as with any wireless devices, range ultimately depends more on the manufacturer and the environment than the standard.

802.11 Confidentiality

Security standards

The 802.11x standards provide some basic security, but they’re becoming less adequate as use of wireless networking spreads. Security standards exist that extend or replace the basic standard:

WEP (Wired Equivalent Privacy)

One of the earliest security schemas, WEP was originally created for 802.11b, but migrated to 802.11a as well. It encrypts data traffic between the wireless access point and the client computer, but doesn’t actually secure either end of the transmission. Also, WEP’s encryption level is relatively weak (only 40 to 128 bits). Many analysts consider WEP security to be weak and easy to crack.

WPA (Wi-Fi Protected Access)

WPA implements higher security and addresses the flaws in WEP, but is intended to be only an intermediate measure until further 802.11i security measures are developed.

802.1x

This standard is part of a full WPA security standard. WPA consists of a pair of smaller standards that address different aspects of security:

• TKIP (Temporal Key Integrity Protocol encryption), which encrypts the wireless signal
• 802.1x, which handles the authentication of users to the network

Commonly, wireless systems have you log into individual wireless access points or let you access the wireless network, but then keep you from accessing network data until you provide further authentication (e.g., VPN).

802.1x makes you authenticate to the wireless network itself, not an individual access point, and not to some other level, such as VPN. This boosts security, because unauthorized traffic can be denied right at the wireless access point.

WPA2/802.11i

The Wi-Fi Alliance has coined the term “WPA2″, for easy use by manufacturers, technicians, and end users. However, the IEEE name of the standard itself is 802.11i. The encryption level is so high that it requires dedicated chips on the hardware to handle it.

In practical use, WPA2 devices have interoperability with WPA devices. When not interfacing with older WPA hardware, WPA2 devices will run strictly by the 802.11i specifications.

WPA2 consists of a pair of smaller standards that address different aspects of security:

• WPA2-Personal, which uses a pre-shared key (similar to a single password available to groups of users, instead of a single individual); the pre-shared key is stored on the access point and the end user’s computer
• WPA2-Enterprise, which authenticates users against a centralized authentication service

• Identify the vulnerabilities of FTP.
• Using Wireshark to capture FTP username and password.
• Explain what is IPSec.
• Enabling IPSec for securing FTP session.

Does FTP secure?

• by using Wireshark, I will prove that FTP is not a secure connection whereby we can see the username and  password during the packets captured. Below are the steps for this testing :

1. Two workstation with platform windows server 2003 – as server and client.
2. Install wireshark application on server.
3. Assign static IP addresses : server – 192.168.1.2 & client -192.168.1.3
4. Test the connection by using PING.
5. Start Telnet & FTP services for both platforms.
6. Test FTP connection : client logon to server using username & password.
7. Server should be capturing the packets using wireshark
8. The packet that has been captured by Wireshark will show you the username and password.
9. It is proved that FTP is not secure!!!

Email is shothand term meaning Electronic Mail. Email much the same as a letter, only that it is exchanged in a different way. Computers use the TCP/IP protocol suite to send email messages in the form of packets. The first thing you need to send and recieve emails is an email address. When you create an account with a Internet Service Provider you are usually given an email address to send from and recieve emails. If this isn’t the case you can create an email address / account at web sites such as yahoo, hotmail and gmail.

Anatomy of an E-Mail Message

• The header of an email includes the From:, To:, Cc: and Subject: fields. So you enter the name and address of the recipient in the Fom: field, the name and address of anyone who is being copied to in the Cc: field, and the subject of the message obviously in the Subject: field.
• The part below the header of the email is called the body, and contains the message itself.
• Spelling the correct address is critical with an email. Like with a normal postal letter, if you get the address wrong it won’t go the correct receiver. If you send an email to an address which doesnt exist the message will come back to you as a Address Unknown erro routine.

Security provided in Email

• Confidentiality
• Data origin authentication
• Message integrity
• Non-repudiation
• Key management

MIME (Multipurpose Internet Mail Extensions)

• Extends the capabilities of RFC 822 to allow e-mail to carry non-textual content, non-ASCII character sets, long messages.
• Uses extra header fields in RFC 822 e-mails to specify form and content of extensions.
• Supports a variety of content types, but e-mail still ASCII-coded for compatibility.
• Specified in RFCs 2045-2049.

How E-mail Transported?

Email security threat

• Two main group:

- Threats to the security of e-mail itself

- Threats to an organisation that are enabled by the use of e-mail.

• Loss of confidentiality.

- E-mails are sent in clear over open networks.

- E-mails stored on potentially insecure clients and mail servers.

- Ensuring confidentiality may be important for e-mails sent within an organization.

• Loss of integrity.

- No integrity protection on e-mails; body can be altered in transit or on mail server.

• Lack of data origin authentication.

- Is this e-mail really from the person named in the From: field?

- How many Kenny.Paterson’s are there?

- Recall SMTP directly over telnet allows forgery of all e-mail fields!

- E-mail could also be altered in transit.

- Even if the From: field looks fine, who was logged in as Kenny.Paterson when the e-mail was composed?

- Sharing of e-mail passwords common.

• Lack of non-repudiation.

- Can I rely and act on the content? (integrity)

- If so, can the sender later deny having sent it? Who is liable if I have acted?

- Example of stock-trading via e-mail.

• Lack of notification of receipt.

- Has the intended recipient received my e-mail and acted on it?

- A message locally marked as ‘sent’ may not have been delivered.

S/MIME

• Originated from RSA Data Security Inc. in 1995.
• Further development by IETF S/MIME working group at: www.ietf.org/html.charters/smime-charter.html.
• Version 3 specified in RFCs 2630-2634.
• Allows flexible client-client security through encryption and signatures. Widely supported, e.g. in Microsoft Outlook, Netscape Messenger, Lotus Notes

PGP

• PGP=“Pretty Good Privacy”
• First released in 1991, developed by Phil Zimmerman, provoked export control and patent infringement controversy.
• Freeware: OpenPGP and variants: www.openpgp.org, www.gnupg.org
• Commercial: formerly Network Associates International, now PGP Corporation at www.pgp.com
• OpenPGP specified in RFC 2440 and defined by IETF OpenPGP working group. www.ietf.org/html.charters/openpgp-charter.html
• Available as plug-in for popular e-mail clients, can also be used as stand-alone software.
• Functionality similar to S/MIME:
• encryption for confidentiality.
• signature for non-repudiation/authenticity.
• One level of processing only, so less flexible than S/MIME.
• Sign before encrypt, so signatures on unencrypted data.
• Sigs can be detached and stored separately.
• PGP-processed data is base64 encoded and carried inside RFC822 message body.

How to secure the Web?

• Authentication

• Describe the flaw of web application and how it is exploited.
• Exploit web application vulnerabilities.
• List prevention method that can be taken to overcome web
  application vulnerabilities.

WebGoat

• simulation toolkit used to demonstrate how we can exploit the vulnerabilities of a poorly design web application.
• create a de-facto interactive teaching environment for web application
  security.

WebScarab

• it is a framework for analysing applications that communicate using the HTTP and HTTPS protocols.
• is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.

In regard to computer technology, a network represents nodes or points that are interconnected with communicating paths. It may consists of numerous sub-networks or interact with other networks. The most common configuration includes a Token Ring, star, bus and mesh topologies. It may also be defined in a sense of spatial distance or a community environment as within a LAN (local area network), a WAN (wide area network) and a MAN (metropolitan area network). In many of these instances, users are able to share resources, such as computer software and peripheral equipment. Any given network can also be classified by the technology used in its data transmission procedure. A TCP/IP or Systems Network Architecture network can be characterized on whether it transmits voice, data or both signals. A large telephone-based network, like the internet, utilizes methods of sharing with other companies so that smaller and larger networks can be created.

Network Architecture

Network architecture is the design of a communication network. It is a framework for the specification of a network’s physical components and their functional organization and configuration, its operational principles and procedures, as well as data formats used in its operation.

In computing, the network architecture is a characteristics of a computer network. The most prominent architecture today is evident in the framework of the Internet, which is based on the Internet Protocol Suite.

What is a Network can provide?

Logical interface function:

• sending messages
• receiving messages
• executing program
• obtaining status information
• obtaining status information on other network users and their status

Basic Terminology

1. Node – single computing system in a network.
2. Host – a single computing system’s processor.
3. Link – a connection between two hosts.
4. Topology – the pattern of links in a network.

Types of Network

Network Topology

1. Bus Topology

• To provide a single communication network on which any node can place information and from which any code can retrieve information.
• Attachments to the bus do not impact the other nodes on the bus.

2.  Star Topology

• Has a central switch
• All nodes wishing to communicate do so through the central host
• The central host receives all messages, identifies the addresses, selects the link appropriate for that addresses and forwards the messages.

3.  Ring Topology

• To connect a sequence of nodes in a loop or ring
• Can be implemented with minimum cabling
• Containing a token can control a “synchronous” loop

4.  Mesh Topology

• Each node can conceptually be connected directly to each other node
• Has integrity and routing advantages
• Not easily subject to destructive failures
• Routing logic can be used to select the most efficient route through multiple nodes

ISO Reference Model

Open Systems Interconnection (OSI):

• Describes computer network communications.
• Developed by the International Standards Organization (ISO).
• Consists of Seven Layers.
• Model describes peer-to-peer correspondence, relationship between corresponding layers of sender and receiver.
• Each layer represents a different activity performed in the actual transmission of a message.
• Each layer serves a separate function.
• Equivalent layers perform similar functions for sender and receiver.

Layer Responsibilities:

Who can cause security problem?

• Hacker
• Spy
• Student
• Businessman
• Ex-employee
• Stockbroker
• Terrorist

Network Security Control

• Encryption
• Strong Authentication
• IPSec, VPN, SSH
• Kerberos
• Firewallt
• Intrusion Detection System (IDS)
• Intrusion Prevention System (IDS)
• Honeypot

Encryption

2 types :

1. Link to link

• cover layer1 and layer 2 of the OSI Model.
• decryption occurs just as the communications arrives and enters the receiving computer.

2.   End to end

• Some assert that the end-to-end principle is one of the central design principles of the Internet and is implemented in the design of the underlying methods and protocols in the Internet Protocol Suite. It is also used in other distributed systems. The principle states that, whenever possible, communications protocol operations should be defined to occur at the end-points of a communications system, or as close as possible to the resource being controlled.

Strong Authentication

• Strong authentication is a notion with several unofficial definitions; is not standardized in the security literature.
• Often, strong authentication is associated with two-factor authentication or more generally multi-factor authentication. It should also be remembered, however, that “strong authentication” and “multi-factor authentication” are fundamentally different processes. Soliciting multiple answers to challenge questions may be considered strong authentication but, unless the process also retrieves ‘something you have’ or ‘something you are’, it would not be considered multi-factor.

IPSec, SSH and SSL

1.     IPSec

• optional in IPv4
• define a standard mean for handling encrypted data
• Implemented at IP layer, so affects all layer above it, in particular TCP and UDP.
• provide authentication (AH) & encryption (ESP)

2.    SSH

• secure remote login (encrypt data send over the network)

3.    SSL

• Secure socket layer, encrypt data over the transport layer.
• SSL interfaces between applications (such as browsers) and the TCP/IP protocols to provide server authentication, optional client authentication, and an encrypted communications channel between client and server.

4.    Kerberos

• Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
• Kerberos protocol messages are protected against eavesdropping and replay attacks. Kerberos builds on symmetric key cryptography and requires a trusted third party. Extensions to Kerberos can provide for the use of public-key cryptography during certain phases of authentication.

A simplified and more detailed description of the protocol follows. The following abbreviations are used:

• AS = Authentication Server
• SS = Service Server
• TGS = Ticket-Granting Server
• TGT = Ticket-Granting Ticket

Firewall

• A firewall is a set of related programs, located at a network gateway server,that protects the resources of a private network from users from other networks. (The term also implies the security policy that is used with the programs.) An enterprise with an intranet that allows its workers access to the wider Internet installs a firewall to prevent outsiders from accessing its own private data resources and for controlling what outside resources its own users have access to.

• Basically, a firewall, working closely with a router program, examines each network packet to determine whether to forward it toward its destination. A firewall also includes or works with a proxy server that makes network requests on behalf of workstation users. A firewall is often installed in a specially designated computer separate from the rest of the network so that no incoming request can get directly at private network resources.

Intrusion Detection System (IDS)

• An intrusion detection system (IDS) monitors network traffic and monitors for suspicious activity and alerts the system or network administrator. In some cases the IDS may also respond to anomalous or malicious traffic by taking action such as blocking the user or source IP address from accessing the network.

• IDS come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) intrusion detection systems. There are IDS that detect based on looking for specific signatures of known threats- similar to the way antivirus software typically detects and protects against malware- and there are IDS that detect based on comparing traffic patterns against a baseline and looking for anomalies. There are IDS that simply monitor and alert and there are IDS that perform an action or actions in response to a detected threat. We’ll cover each of these briefly.

Intrusion Prevention System (IPS)

• Intrusion prevention is a preemptive approach to network security used to identify potential threats and respond to them swiftly. Like an intrusion detection system (IDS), an intrusion prevention system (IPS) monitors network traffic. However, because an exploit may be carried out very quickly after the attacker gains access, intrusion prevention systems also have the ability to take immediate action, based on a set of rules established by the network administrator. For example, an IPS might drop a packet that it determines to be malicious and block all further traffic from that IP address or port. Legitimate traffic, meanwhile, should be forwarded to the recipient with no apparent disruption or delay of service.

Hacking involve:
1. Reconnaissance – gain general info on target host
2. Scanning
3. Gaining access
4. Maintaining access
5. Covering track

Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. In private and public computer networks (including the Internet), authentication is commonly done through the use of logon passwords. Knowledge of the password is assumed to guarantee that the user is authentic. Each user registers initially (or is registered by someone else), using an assigned or self-declared password. On each subsequent use, the user must know and use the previously declared password. The weakness in this system for transactions that are significant (such as the exchange of money) is that passwords can often be stolen, accidentally revealed, or forgotten.

Password

A password is an unspaced sequence of characters used to determine that a computer user requesting access to a computer system is really that particular user. Typically, users of a multiuser or securely protected single-user system claim a unique name (often called a user ID) that can be generally known. In order to verify that someone entering that user ID really is that person, a second identification, the password, known only to that person and to the system itself, is entered by the user. A password is typically somewhere between four and 16 characters, depending on how the computer system is set up. When a password is entered, the computer system is careful not to display the characters on the display screen, in case others might see it.

Good criteria when choosing a password or setting up password guidelines include the following:

• Don’t pick a password that someone can easily guess if they know who you are (for example, not your Social Security number, birthday, or maiden name)
• Don’t pick a word that can be found in the dictionary (since there are programs that can rapidly try every word in the dictionary!)
• Don’t pick a word that is currently newsworthy
• Don’t pick a password that is similar to your previous password
• Do pick a mixture of letters and at least one number
• Do pick a word that you can easily remember

Biometric

Access Control

Access control is a term taken from the linguistic world of security. In general, it means the execution of limitations and constrictions on whoever tries to occupy a certain protected property. Guarding an entrance of a person is also a practice of access control.

An access control matrix is often defined as an abstract security model that only gives permissions at a specific time. This is because it’s implementation as a two-dimensional model would likely have strict memory requirements. Access control lists and capability-based security are two categories of concrete access control mechanisms. Both of their static permissions can be modeled using an access control matrix. Though both mechanisms have been presented as column-based and simple row-based implementations of the access control matrix, this view has been criticized due to misleading beliefs of equivalence amongst the two systems.  There are many types of access control.  For this chapter, we will discuss more on access control for computer.

Access Control for Computers (Anti-Virus etc)

Nowadays, almost every computer user has a firewall or antivirus running on his computer, a popup blocker and many other programs. All of these are with access control functions. All of these programs guard us from intruders of sorts. They inspect everything trying to enter the computer and let it in or leave it out. Computers have complicated access control abilities. They ask for authentication and search for the digital signatures.

Access Control Principles

Access Control Requirements:

• reliable input
• fine and coarse specifications
• least privilege
• separation of duty
• open and closed policies
• policy combinations, conflict resolution
• administrative policies

Example Access Control Matrix

• Consider system with two files and two processes. Set of rights is – r,w,x,a,o (read, write, execute, append, own).

• Can get very large and hence inefficient in general purpose scenarios – seldom used.

Access control List

In computer security, an access control list (ACL) is a list of permissions attached to an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. In a typical ACL, each entry in the list specifies a subject and an operation: for example, the entry (Alice, delete) on the ACL for file WXY gives Alice permission to delete file WXY.

UNIX File Access Control