ORGANIZATIONAL SECURITY BY: JAIMINI SUTHAR
PASSWORD SELECTION Password selection is one of those critical activities that is often neglected as part of a good security baseline. The heart of the problem is that most systems today are protected only by a simple user id and password. If an attacker discovers the right user id and password combination, either by hand or using any of the numerous, freely available brute-force attack tools, they can access the system, and they have completely bypassed all the normal steps taken to secure it. Worse still, on a server system supporting multiple users, the attacker only has to guess one correct user id and password combination to gain access.
PIGGYBACKING (TAILGATING) Tailgating or piggybacking is the simple tactic of following closely behind a person who has just used their own access card or PIN to gain physical access to a room or building. An attacker can thus gain access to the facility without having to know the access code or having to acquire an access card. It is similar to shoulder surfing in that it relies on the attacker taking advantage of an authorized user not following security procedures.
SHOULDER SURFING Shoulder surfing is a type of social engineering technique used to obtain information such as personal identification numbers, passwords and other confidential data by looking over the victim's shoulder. This attack can be performed either from close range by directly looking over the victim's shoulder or from a longer range by using a pair of binoculars. To carry out this technique attackers do not require any technical skills; keen observation of the victim's surroundings and typing pattern is sufficient. Crowded places are the most likely areas for an attacker to shoulder surf the victim.
SHOULDER SURFING METHODOLOGIES
- Gaze-based password entry
- Painting album mechanism
- Text-based graphical password schemes
- Secret tap method
- PIN entry
- Cognitive trapdoor game
DUMPSTER DIVING The attacker might find little bits of information that could be useful for an attack. This process of going through a target's trash in the hope of finding valuable information that might be used in a penetration attempt is known in the computer community as dumpster diving.
PHYSICAL ACCESS BY NON-EMPLOYEES As has been mentioned, if an attacker can gain physical access to a facility, chances are very good that the attacker can obtain enough information to penetrate computer systems and networks. Many organizations require employees to wear identification badges when at work. This is an easy method to quickly spot who has permission to have physical access to the organization and who does not.
SECURITY AWARENESS Many government organizations have created security awareness posters to constantly remind individuals of this possible avenue of attack. Security newsletters, often in the form of e-mail, have been used to remind employees of their security responsibilities. An important element that should be stressed in training about social engineering is the type of information that the organization considers sensitive, since that is what social engineering attacks target.
INDIVIDUAL USER RESPONSIBILITIES
- Lock the door to your office or workshop.
- Do not leave sensitive information unprotected inside your car.
- Keep storage media containing sensitive information in a secure storage device.
- Shred paper containing organization information in a secure device.
- Do not divulge (make known) sensitive information to family members. (The most common violation of this rule occurs in regard to HR information, as employees, especially supervisors, may complain to their spouse about other employees or problems that are occurring at work.)
- Protect any laptop that contains sensitive or important organization information wherever the laptop may be stored or left. (It is a good idea to ensure that sensitive information is encrypted on the laptop so that, should the equipment be lost or stolen, the information remains safe.)
ACCESS CONTROL The term Access Control actually refers to the control over access to system resources after a user's account credentials and identity have been authenticated and access to the system granted. For example, a particular user, or group of users, might only be permitted access to certain files after logging into a system, while simultaneously being denied access to all other resources.
ACCESS CONTROL TYPES
1. Mandatory Access Control (MAC)
2. Discretionary Access Control (DAC)
3. Role Based Access Control
4. Rule Based Access Control
BIOMETRICS Biometric security is a security mechanism used to authenticate and provide access to a facility or system based on the automatic and instant verification of an individual's physical characteristics. Because biometric security evaluates an individual’s bodily elements or biological data, it is the strongest and most foolproof physical security technique used for identity verification.
TYPES OF BIOMETRICS
- Finger print
- Hand print
- Retina pattern
- Voice pattern
- Signature and written patterns
- Key strokes
- Physical barriers
PASSWORD MANAGEMENT A password is the most common method for users to authenticate themselves when entering computer systems or websites. It acts as the first line of defense against unauthorized access, and it is therefore critical to maintain the effectiveness of this line of defense by rigorously practicing a good password management policy. This topic aims to provide a set of guidelines and best practices for handling and managing passwords.
PASSWORD VULNERABILITIES
1. Organizational or end-user vulnerabilities: This includes lack of password awareness on the part of end users and the lack of password policies that are enforced within the organization.
2. Technical vulnerabilities: This includes weak encryption methods and insecure storage of passwords on computer systems.
PASSWORD PROTECTION STRATEGIES
1. User education
2. Computer-generated passwords
3. Reactive password checking
4. Proactive password checking
PASSWORD SELECTION STRATEGIES
1. Computer-generated passwords
2. Eliminate guessable passwords while allowing the user to select a password that is memorable
3. Reactive password checking
4. Proactive password checking
HOW TO CHOOSE A GOOD PASSWORD
1. Use a password with a mix of at least six mixed-case alphabetic characters, numerals and special characters.
2. Use a password that is difficult to guess but easy for you to remember, so you do not have to write it down.
3. Use a password that you can type quickly, without having to look at the keyboard, thereby preventing passers-by from seeing what you are typing.
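As an added example (not part of the slides), the proactive password checking strategy listed above implemented in Python: it enforces the composition rules from this slide and rejects guessable dictionary words before a password is accepted. The word list, the symbol-substitution table and the user id "alice" are constructed for the example.

```python
"""Proactive password checker: enforces the slide's composition rules (at least
six characters, mixed-case letters, numerals, special characters) and rejects
guessable passwords before they are accepted.  Example code, not from the slides."""
import string

MIN_LENGTH = 6  # minimum length stated on the slide

# Constructed sample of guessable passwords; a real checker loads a large
# wordlist (plus the organization's name, product names and so on).
GUESSABLE = {"password", "letmein", "qwerty", "welcome", "admin", "secret"}

# Common symbol-for-letter substitutions, undone before the dictionary lookup
# so that "P@ssw0rd" is still recognised as "password" (a common checker technique).
LEET = str.maketrans("@0$13!", "aosiel")


def check_password(candidate: str, user_id: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeral")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    # Strip the digits/symbols users bolt onto the ends, undo substitutions,
    # then look the remaining core word up in the guessable list.
    core = candidate.strip(string.digits + string.punctuation).lower().translate(LEET)
    if core in GUESSABLE:
        problems.append("guessable dictionary word")
    if user_id and user_id.lower() in candidate.lower():
        problems.append("contains the user id")
    return problems


def is_acceptable(candidate: str, user_id: str = "") -> bool:
    """True when the candidate passes every rule."""
    return not check_password(candidate, user_id)


if __name__ == "__main__":
    for pw in ["abc", "P@ssw0rd1!", "Alice#2024", "Tr3e$Hous"]:
        print(f"{pw!r}: {check_password(pw, user_id='alice') or 'OK'}")
```

Note that "P@ssw0rd1!" satisfies every character-class rule and is rejected only by the dictionary step, which is why the proactive checker has to go beyond composition rules.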
SHORT QUESTIONS
1. What is Biometrics? (May-16, Nov-16)
2. Write the components of a good password. (Dec-14, May-15)
3. List out password selection strategies. (May-16, May-17)
REVIEW QUESTIONS
1. Explain Piggybacking. (Dec-15, Nov-16)
2. Explain Shoulder surfing. (May-15, Nov-16)
3. Explain Dumpster Diving in detail. (Dec-15, Nov-16)
4. What is Biometrics? Write a short note on finger print. (Dec-14)
5. List various methods of Biometrics Access. Explain any two in brief. (Nov-16)
6. Write a short note on Kerberos. (May-17)
7. Explain password protection strategies. (May-15)
8. Describe password and explain the characteristics of a good password. (Nov-16)
9. Explain components of a good password. (May-16)
10. Explain the "computer generated passwords" selection strategy. (Dec-14)
11. Explain logical components of IDS. (Dec-15)