
5. Computer Security - Lec 4.pdf


Full Transcript


Computer Security
CO1201 - Introduction to Computer Systems
June 2024
Deshan Kalupahana

Today’s topics
• Network security
• System security

Computer Security / Cybersecurity
• Protection of computer systems and networks from
  ○ Information disclosure
  ○ Theft
  ○ Damage to hardware, software, or electronic data
  ○ Disruption of services

Network Security

Network security categories
• Physical Network Security
  ○ Prevent unauthorized physical access to network components
• Administrative Network Security
  ○ Controls user behaviour when using the network.
• Technical Network Security
  ○ Protect data stored and in transit.

Physical Network Security
• Access control
  ○ Badges / IDs
  ○ Biometrics (face detection, iris and fingerprints)
  ○ Smart locks
  ○ Key pads
• Surveillance
  ○ 24/7 cameras
  ○ Guards
  ○ Sensor-based mechanisms
• Keep a backup station (DR)

Administrative Network Security
• Allow only privileged personnel to make changes to the network.
• Keep a log of the changes made.

Technical Network Security

Network based attacks
• Sniffing / Eavesdropping
• Man in the middle attack
• Spoofing
• Denial of service

Eavesdropping
• Information like passwords, card details, and other sensitive data is easily stolen while it is being transferred from one device to another.
• Also known as a sniffing attack.

Sniffing
• Access the network and intercept packets passing through it.

Man in the middle attack
https://www.imperva.com/learn/application-security/man-in-the-middle-attack-mitm/

Spoofing
• IP spoofing
  ○ Convince a system that it is communicating with a trusted system.
• DNS spoofing
  ○ Resolve vulnerable IP addresses for a domain name.

Denial of Service Attacks (DoS)
• Disrupt the ability to use resources like
  ○ Network bandwidth
  ○ CPU and memory resources
  ○ Applications (Web server, File Server etc.)
• Types
  ○ Ping attacks
  ○ Smurfing
  ○ SYN attacks
• DDoS

Ping attack
• Ping requests are sent indefinitely to a victim machine.
• Starts network congestion.

Smurfing
• Ping requests are sent to all the hosts in a network through the broadcast address.
• With the source address altered to be the victim address (IP spoofing).

SYN attack
• Attacks servers with TCP connections.
• Increases the number of parallel connections, making the server stop responding to other users' requests.
• Transport layer based attack.

DDoS - Distributed Denial of Service Attack

Prevention
• Management
  ○ Segment the network
  ○ Up-to-date prevention software
  ○ Change default configurations
• Filtering
  ○ Firewalls: filtering in network, transport and application layer protocols.
  ○ Intrusion detection systems (IDS)
  ○ Encryption

Encryption
• Information is converted into secret code that hides the information's true meaning
• Use a key
  ○ To make the secret code
  ○ And to get the message back from the secret code.
• Process
  ○ Encrypt at the sender
  ○ Decrypt at the receiver
• Encryption methods https://en.wikipedia.org/wiki/Encryption
  ○ WEP, WPA, WPA2, RSA,
  ○ IPSec

Firewall
• Filters packets
  ○ received by the network (Ingress traffic)
  ○ sent from the network (Egress traffic)
• Check the rules in Windows firewall for filtering packets.

Prevention ctd.

| Attack | Prevention Method |
| --- | --- |
| Sniffing, Eavesdropping, MitM | Encryption |
| Spoofing, DoS | IDS, Firewall |

System security
• Controls and safeguards taken to minimize
  ○ Downtime
  ○ Interference
  ○ Malicious intrusion
• Physical security
• OS and application security.
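
The SYN attack and IDS slides above describe a server filling up with parallel connections that never finish. As an added example (not part of the lecture), this sketch shows how a detector can count half-open TCP connections per service; the record layout, the timeout, the threshold and the sample capture are all assumptions constructed for illustration.

```python
from collections import Counter

HANDSHAKE_TIMEOUT = 30.0   # seconds a SYN may wait for its final ACK (assumed)
ALERT_THRESHOLD = 100      # half-open connections per service before alerting (assumed)

def half_open_counts(packets, now):
    """Count connections per (server, port) that saw a SYN but no final ACK.

    packets: iterable of (timestamp, src_ip, src_port, dst_ip, dst_port, flag),
    where flag is "SYN", "ACK" or "RST" as sent by the client side.
    """
    pending = {}
    for ts, src, sport, dst, dport, flag in packets:
        key = (src, sport, dst, dport)
        if flag == "SYN":
            pending.setdefault(key, ts)      # a retransmitted SYN keeps its first time
        elif flag in ("ACK", "RST"):
            pending.pop(key, None)           # handshake completed or aborted
    counts = Counter()
    for (_, _, dst, dport), ts in pending.items():
        if now - ts <= HANDSHAKE_TIMEOUT:    # older entries have already expired
            counts[(dst, dport)] += 1
    return counts

def syn_flood_alerts(packets, now):
    """Services whose half-open count reached the alert threshold."""
    return {svc: n for svc, n in half_open_counts(packets, now).items()
            if n >= ALERT_THRESHOLD}

def constructed_capture():
    """Constructed sample: one normal client plus 200 SYNs that never complete."""
    server = "192.0.2.10"                    # documentation address range
    pkts = [(0.0, "198.51.100.7", 40000, server, 443, "SYN"),
            (0.1, "198.51.100.7", 40000, server, 443, "ACK")]
    for i in range(200):
        src = f"203.0.113.{i + 1}"           # varying source addresses, as with IP spoofing
        pkts.append((1.0 + i * 0.01, src, 1024 + i, server, 80, "SYN"))
    return pkts

if __name__ == "__main__":
    print(syn_flood_alerts(constructed_capture(), now=5.0))
```

Counting per destination service rather than per source matters here, because the source addresses in such traffic are usually spoofed and each appears only once.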

Physical threats to a system
• Threats
  ○ Physical access to devices
  ○ Attaching components to devices
  ○ Tampering with devices
  ○ Jamming the wires.
• Similar to Physical network security
  ○ Access control
  ○ Surveillance
  ○ Backup

Attacks on OS and applications
• Password attacks
• Malware attacks
• Pharming
• Spams
• Phishing attacks

Password attacks
• Passwords are a common technique for authenticating to systems
• Can be extracted by
  ○ Sniffing
  ○ Bruteforce
  ○ Dictionary attack
• Prevention
  ○ Set a good password that cannot be guessed easily.
  ○ Account lock features
  ○ Multi-factor authentication
  ○ Encryption

Issues related to passwords
• Design problems
  ○ Eg:- Use personal data
• Operation issues
  ○ Common password
  ○ Easy to guess
• Application issues
  ○ Password checking issues

Good practices for creating passwords
• Dos
  ○ Lengthy password
  ○ Case sensitive password
  ○ Numbers and special characters included
  ○ Random characters
  ○ Memorable password
• Don’ts
  ○ Don’t use personal data (name, home town, birthday)
  ○ Short passwords
  ○ Repetitive characters
  ○ Same password for multiple applications

Good practices for creating passwords
• Eg:- Use a sentence to create a password: ‘I am an Engineering Student’
• Probable passwords
  ○ iaaes
  ○ IaAEs
  ○ I’aAEs
  ○ 1’mAengStd
  ○ 1’mAen6Std@

Evaluation of password strength

| Password | Cracking time |
| --- | --- |
| iaaes | 200us |
| IaAEs | 9ms |
| I’aAEs | 400ms |
| 1’mAengStd | 7 months |
| 1’mAen6Std@ | 400 years |

https://www.security.org/how-secure-is-my-password/

Alternatives to the passwords : Biometric data
• Signature
• Face recognition
• Voice recognition
• Fingerprint
• Iris pattern

Self Study
• Advantages and disadvantages of biometrics

Alternatives to the passwords : Additional Questions
• Provide multiple questions in addition to the passwords.
• Eg:-
  ○ What is your pet’s name?
  ○ What is your hometown?
  ○ Where did you complete your secondary school?
• User has to remember the questions.
• Vulnerable to attacks

Additional Check: CAPTCHA

Additional Check : Selecting Images

Multi-Factor authentication
• Additional login steps after giving the username and password.
https://www.imperva.com/learn/application-security/2fa-two-factor-authentication/

Malware attacks
• Unwanted software that is installed in your system without your consent
• Risks
  ○ Steal, encrypt or delete sensitive information
  ○ Hijack or alter core system functions
  ○ Monitor user activity without permission
  ○ Extort money
  ○ Introduce spam or forced advertising

Malware attacks
• Ransomware
  ○ disables victim's access to data until ransom is paid
• Spyware
  ○ collects user activity data without their knowledge
• Adware
  ○ serves unwanted advertisements
• Trojan
  ○ disguises itself as desirable code or software
  ○ Distributes viruses, worms, spyware etc.

Malware attacks ctd.
• Worms
  ○ spreads through a network by replicating itself
• Virus
  ○ piece of code that inserts itself into an application and executes when the app is run.
• Rootkits
  ○ gives hackers remote control of a victim's device
• Keyloggers
  ○ spyware that monitors user activity
• Bots / Botnet
  ○ software application that performs automated tasks on command

Virus vs Worms vs Trojan

| | Virus | Worms | Trojan |
| --- | --- | --- | --- |
| What does it do? | Insert malicious code into a program or data file | Exploits a vulnerability in an application or operating system | Do something malicious or spy for the attacker |
| How does it spread? | User transfers infected files to other devices | Uses network to travel from one computer to another | User transfers Trojan file to other computers |
| Does it infect a file? | Yes | No | It can |
| Does there need to be user action for it to spread? | Yes | No | Yes |

Spams
• Send multiple unsolicited messages to large numbers of recipients.
  ○ Advertising
  ○ Prohibited purposes
• Risks
  ○ Clog email servers
  ○ Time wastage
• Prevention
  ○ Not sharing your email address publicly
  ○ Be aware when registering on new websites.
  ○ IDS or tools to detect spam

Methods of infection
• Network
  ○ Spreads to other devices in the network and to newly connecting devices
• Infected Files
  ○ Viruses can spread when infected files are opened by the user.
• Websites
  ○ Hackers use websites to deliver the malware
• Email
  ○ Can be attached to an email
• USB
  ○ Plugging in a USB device with malware will infect the host machine
• Phishing

Malware : Prevention
• Install anti-virus software and anti-spyware software.
  ○ Keep your security tools updated
  ○ Immediately remove detected malware
  ○ Check for missing files and altered files
• Educate users
• Monitor suspicious activity
• Implement email security and spam protection
• Use administrator privileges only when necessary.

Phishing Attack
• Social engineering attack
• Dupes a victim into clicking a malicious link from
  ○ Email
  ○ Chat message
  ○ Text message
• Can cause
  ○ Malware installation
  ○ System freeze
  ○ Ransomware attack

Phishing Attack
https://www.simplilearn.com/tutorials/cryptography-tutorial/what-is-phishing-attack

Detecting Phishing Email
https://www.urmconsulting.com/latest-news/what-to-look-out-for-in-a-phishing-email/

Detecting Phishing Email
• Check the "from" email address
• Watch for misspelling and incorrect grammar
• Be suspicious of hyperlinks
• Be careful with attachments, do not open suspicious attachments.
• Be skeptical of urgency
• Protect your personal information
• Check for Time & Date
• Trust your gut feeling

Phishing Email : Example

Avoid social engineering attacks
• Do not disclose your credentials
• Inform the necessary authorities
• Change password regularly
• Get trained and educated about threats
• Prevent access to password database

Pharming
• Redirects a website's traffic to another, fake site by installing a malicious program on the computer.
https://www.techtarget.com/searchsecurity/definition/pharming

Credit and Debit cards

Credit / Debit Cards
• Allows cardholders to borrow funds
  ○ To pay for goods and services.
• Credit cards
  ○ Customers have to pay back the amount to the bank within a given time after the purchase.
  ○ Otherwise, interest is added.
• Debit cards
  ○ Customer directly debits money from the bank account.

Credit / Debit cards
https://www.investopedia.com/terms/c/creditcard.asp

Usage

Credit / Debit Cards
• Frauds
  ○ Using a credit card number and PIN number for a transaction without the knowledge of the owner
• Forgery
  ○ Opens credit under the victim's name without his knowledge.
  ○ Create a fraudulent card using an existing card number and a PIN.

Improve security
• Request additional information
  ○ Eg:- Postal code, PIN number, Date of Birth
• Verification code
  ○ Via email
  ○ Via text
• Daily transaction limit

Smart cards
• Most credit and debit cards are now smart cards.
• It includes
  ○ Microprocessor
  ○ Memory chip
  ○ RFID in addition to the magnetic strip
• Has to be placed in the device instead of swiping.
• RFID allows virtual cards to be created on smartphones instead of physical cards.

This Lecture
• Network Security
  ○ Physical Network Security
  ○ Administrative Network Security
  ○ Technical Network Security: Sniffing, Eavesdropping, Man in the middle attack, Spoofing, DoS, Ping attack, Smurfing, SYN attack, DDoS, Prevention, Encryption, Firewall
• System Security
  ○ Physical Security
  ○ OS and application security: Password attacks, Password issues, Good practices, Alternatives, Malware attacks, Types, Methods of infection, Pharming, Detecting Phishing attack, Spams, Phishing attacks
  ○ Credit / Debit Cards

END
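
The "Good practices" and "Evaluation of password strength" slides rank five candidate passwords. As an added example (not part of the lecture, and not the method used by the site the slide cites), this sketch computes the brute-force keyspace of those same passwords and checks them against the slide's "Don'ts"; the guess rate, the length threshold and the personal-data sample are assumptions, and the apostrophe is typed as plain ASCII.

```python
import math
import string

GUESSES_PER_SECOND = 1e9   # assumed attacker speed, for illustration only
MIN_LENGTH = 8             # assumed cut-off for a "short" password

def pool_size(password):
    """Size of the character set a brute-force search has to cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size

def keyspace_bits(password):
    """Keyspace in bits: length * log2(pool size)."""
    return len(password) * math.log2(pool_size(password)) if password else 0.0

def brute_force_seconds(password):
    """Average time to find the password by trying the whole keyspace."""
    return pool_size(password) ** len(password) / 2 / GUESSES_PER_SECOND

def broken_donts(password, personal_data=()):
    """Return which of the slide's Don'ts the password violates."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("short")
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("repetitive characters")
    if any(item and item.lower() in password.lower() for item in personal_data):
        problems.append("personal data")
    return problems

# The five candidate passwords from the slide.
SLIDE_PASSWORDS = ["iaaes", "IaAEs", "I'aAEs", "1'mAengStd", "1'mAen6Std@"]

if __name__ == "__main__":
    for pw in SLIDE_PASSWORDS:
        print(f"{pw:12} pool={pool_size(pw):3} bits={keyspace_bits(pw):5.1f} "
              f"avg={brute_force_seconds(pw):.3g}s {broken_donts(pw)}")
```

The keyspace is an upper bound on the attacker's work: a dictionary attack, which the Password attacks slide lists, finds common or personal-data passwords without searching it.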
