Professional Documents
Culture Documents
security
Prof. dr. Frederik Questier - Vrije Universiteit Brussel
Workshop for Lib@web 2015 - International Training Program @ University of Antwerp
Management of Electronic Information and Digital Libraries
This presentation can be found at
http://questier.com
http://www.slideshare.net/Frederik_Questier
Main objectives
of computer security
Confidentiality
of data (secrecy)
of persons (privacy)
access only by authorized parties
Integrity
data only correctly modified or deleted by authorized parties
Availability
correctly accessible in a timely manner
the failure to meet this goal is called a denial of service
Assignment 1
personal computer security
Throughout this workshop: write down all possible ways
how your personal computer system could be
compromised. What are the possible attack vectors?
Assignment 2:
institutional
data security
Congratulations!
You are elected member of the newly established
computer and data security team in your institution.
lightning strike
fire
flood
earthquake
tsunami
volcano eruption
social engineering
phishing
(identity) theft
vandalism
unhappy employees
sabotage (time bomb)
terrorism
war
nuclear bomb
What can go wrong?
Malware (malicious software)
virus
keylogger
worm
network sniffer
trojan horse
back door
rootkit
dialer
spyware
ransomware
What can go wrong?
Infrastructure or services problems
Failure of
software (bugs)
hardware
electricity
power outage or power surge
network (cable cut saturation)
airconditioning
water pipes > leak
system upgrades
service providers (e.g. cloud)
Weak security
Loss of laptops, smartphones, USB-sticks,
No encryption
Passwords leaks or cracks
Computer console left unlocked
Confiscation of machines
Tools for computer security
Tools for confidentiality
Overview
Authorization - Access policies - access control
Authentication identification
Passwords
Encryption
Virtual private networking
Auditing logging
...
Tools for integrity
Overview
Backups
Checksums
Antivirus
...
Tools for availability
Overview
Disaster recovery planning
Physical protections
Anti-theft
Uninterruptible Power Supply
Redundancies
Intrusion-detection systems
Antivirus software
Firewall
...
TOOLS FOR CONFIDENTIALITY
Passwords
Don't share them
Not even with computer administrators
Don't write them down
Don't reuse them among different sites
Change them often
Select wise:
Easy to remember
Hard to guess (resistant to dictionary attacks)
Password length
Large set of characters (caps, lower case, numbers, symbols)
Some notorious password leaks
2014: 5M Gmail passwords
2013: 38M Adobe passwords (and source code)
2013: 250K Twitter passwords
2012: 12M Apple User IDs stolen by FBI, 1M leaked
2012: 6M LinkedIn passwords
2012: 450K plaintext Yahoo passwords
2012: 1.5M plaintext Youporn passwords
2009: 10K MS Hotmail, MSN and Live passwords
Johannes Weber, http://blog.webernetz.net/2013/07/30/password-strengthentropy-characters-vs-words/
Biometric identification
Finger print
Voice print
Iris scan
Retinal scan
Convenient
Relative safe
But...
Danger of
biometric identification?
Danger of
biometric identification?
You can't change your biometric password once it
got leaked
Interception Spoofing
Integrity Non-repudiation
Asymmetric encryption
Sender only needs to know the public key of receiver!
Public key encryption
The private key can unlock (decrypt)
what is locked (encrypted) with the public key
Public key encryption
Creation of keys
Man-in-the-middle attack
Version #
Serial #
Signature Algorithm
Issuer Name
Validity Period
Subject Name
Subject Public Key
Issuer Unique ID
Subject Unique ID
Extensions
Digital Signature
HTTPS SSL exchange
CAcert.org is a community-driven certificate authority that
issues free public key certificates to the public (unlike
other certificate authorities which are commercial and sell
certificates).
CAcert has over 200,000 verified users.
These certificates can be used to digitally sign and encrypt
email, authenticate and authorize users connecting to
websites and secure data transmission over the Internet.
Web of trust
Keysigning parties
Avoid non-encrypted protocols!
Encrypted protocols
Non-encrypted protocols
HTTPS
HTTP
SFTP
FTP
SSH
TELNET
TOR
BitTorrent
VPN
WEP
(Wired Equivalent Protocol. Weak!)
WPA - WPA2
Wi-Fi Protected Access
Full disk encryption
Full disk encryption
Android encryption
Virtual drive in file container
Thesis20131030.odt
Thesis20131031.odt
Thesis20131101.odt
...
TOOLS FOR AVAILABILITY
Prepare for disasters!
Business continuity planning
Disaster recovery
Preventive measures
Detective measures
Corrective measures
Uninterruptible Power Supply
UPS
1)Flywheel
2)Diesel generators
3)Batteries (UPS)
fault tolerance
high availability
redundancy
fail over
RAID: Redundant Array
of Independent Disks
DDoS
Distributed Denial of Service
Questier.com
Frederik AT Questier.com
www.linkedin.com/in/fquestie
www.diigo.com/user/frederikquestier
www.slideshare.net/Frederik_Questier
Qu
est
ion
s?
Th
ank
s!
Credits
Hacker - Hacking Symbol.jpg, CC BY-SA, www.elbpresse.de
Internet Archive, Copyright Bibliotheca Alexandrina, International School of
Information Science (ISIS), http://www.bibalex.org/isis/large/000.jpg
Password Strength, Creative Commons BY-NC http://xkcd.com/936/
Security, Creative Commons BY-NC http://xkcd.com/538/
Zimmermann Telegram, 1917, no known copyright restrictions
Assymetric and symmetric encryption by Jeremy Stretch,
http://packetlife.net/blog/2010/nov/23/symmetric-asymmetric-encryption-hashing/
Orange blue public key cryptography, Creative Commons CC0 by Bananenfalter
HTTPS SSL Exchange by Robb Perry,
http://coding.smashingmagazine.com/2012/05/17/backpack-algorithms-and-public-key-cryptography-made-easy/