Tuesday, August 5, 2014

Public key Infrastructure



A Public Key Infrastructure (PKI) enables users of an unsecure public network, such as the Internet, to securely and privately exchange data through the use of a public cryptographic key and a private cryptographic key pair that are obtained and shared through a trusted authority. The key pair consists of one public key and one private key that are mathematically related. An individual must keep the private key a secret. Content encrypted by using one of the keys can be decrypted by using the other. PKI can be a very complex but important subject. A PKI lets you:

-          Authenticate users more securely than standard usernames and passwords
-          Encrypt sensitive information
-          Electronically sign documents more efficiently

PKIs provide digital certificates that can identify an individual or an organization, and directory services that can store and, when necessary, revoke the certificates. A PKI allows you to bind the public keys contained in certificates to a person in a way that allows you to trust the certificate. Public Key Infrastructures most commonly use a Certificate Authority (also known as a Registration Authority) to verify the identity of an entity and create unforgeable certificates. Web browsers, web servers, email clients, smart cards, and many other types of hardware and software have integrated, standards-based PKI support, so they can be used with each other.

Understanding Digital Certificates

Certificates are electronic credentials that bind the identity of the certificate owner to a pair (public and private) of electronic keys that can be used to encrypt and sign information digitally. These electronic credentials assure that the keys actually belong to the person or organization specified. Messages can be encrypted with either the public or the private key and then decrypted with the other key. Each certificate contains at least the following information:

-          Owner's public key
-          Owner's name or alias
-          Expiration date of the certificate
-          Serial number of the certificate
-          Name of the organization that issued the certificate
-          Digital signature of the organization that issued the certificate

Certificates can also contain other user-supplied information, including a postal address, an e-mail address, and basic registration information, such as the country or region, postal code, age, and gender of the user. Certificates form the basis for secure communication and client/server authentication on the Web. You can use certificates to do the following:

-          Verify the identity of clients and servers on the Web
-          Encrypt channels to provide secure communication between clients and servers
-          Encrypt messages for secure Internet e-mail communication
-          Verify the sender's identity for Internet e-mail messages
-          Put your digital signature on executable code that users can download from the Web
-          Verify the source and integrity of signed executable code that users can download from the Web

Using Digital Certificates

You can install certificates and configure certificate settings for Internet Explorer by using the following methods:

-          Within the browser, you can use the Internet Explorer Certificate Manager to install certificates
-          Configure advanced security options for certificates on the Advanced tab in the Internet Options dialog box
-          Use the Internet Explorer Customization Wizard to create custom packages of Internet Explorer that include preconfigured lists of trusted certificates, publishers, and CAs for your user groups
-          If you are a corporate administrator, you can also lock down these settings to prevent users from changing them
-          After deploying the browser, you can use the IEAK Profile Manager to manage certificate settings through the automatic browser configuration feature of Internet Explorer
-          Automatically push the updated information to each user's desktop computer, enabling you to manage security policy dynamically across all computers on the network

Hardening your computer for internet use

Hardening your computer is an important step in the fight to protect your personal data and information. Hardening a computer for internet use requires several steps to form layers of protection. This process works to eliminate means of attack by patching vulnerabilities and turning off inessential services. This approach to safer computing is often called “defense in depth”.

The first step in layering to help harden your computing system is to regularly apply vendor security patches. Many security experts recommend installing a firewall on your computer. Windows and Mac operating systems have firewalls on by default. Additional hardening actions include closing server ports, disabling file sharing in Windows and other programs, and hardening email programs. Another layer of protection for your computer is to install and regularly use virus and spyware protection software. Scheduling daily automatic definition updates and scans on your computer is a vital step in hardening your system.

Here are some helpful tips for hardening computers:

-          Patch Microsoft Windows automatically
-          Use strong passwords or pass phrases for all Windows user accounts on your PC
-          Use and properly maintain good anti-virus software, and anti-spyware software
-          Do not open suspicious email attachments or respond to suspicious requests
-          If you're not using it, disable the Windows File and Printer Sharing service
-          Disable any unneeded user accounts
-          Where possible, consider using a web browser other than Internet Explorer, and treat all "free" software with suspicion

Good computer security is about finding the right balance between hardening your system against potential threats and maintaining usability. If you do not require a particular software application or service, it should be disabled and removed. Extra software just requires more work on your part to make it harder for a computer attack to be successful.



Thursday, July 24, 2014

Risk Mitigation

The heart of information security is the concept of RISK. Every organization encounters different types of risks. The range of risks runs from those with the smallest impact, which can be easily managed, to risks that threaten the very existence of the organization. The importance of safeguarding against information security risks from attackers, who see these avenues as an opportunity to cripple businesses, has risen from obscurity to the forefront of most organizations' business plans.

     The multifaceted approach to information security is essential for a solid foundation of risk mitigation. It encompasses 3 basic strategies:

     - Control risks through several different management techniques
   
     - Develop a security policy

     - Promote awareness and training with employees

Controlling Risks

There are several different terms used in context of information security and controlling risk:

     * Threat- A type of action that has potential to cause harm

     * Threat agent- A person or element that has the power to carry out the threat

     * Vulnerability- A flaw or weakness that allows a threat to bypass security

     * Risk- The likelihood the threat agent will exploit the vulnerability

As with the different terms, there are also different strategies for controlling risk. Three of the most common are privilege management, change management, and incident management.

Privilege management concerns a person's access level over an object, such as a user's ability to open a payroll file. It covers the procedures for managing object authorizations. One element of privilege management is the periodic review of a subject's privileges over an object. This is known as privilege auditing. Audits serve to verify that the security protections implemented by an organization are being followed. The correct privileges should follow the principle of least privilege, or the minimal amount of privileges needed by the employee to perform their job. Most organizations have a written policy that mandates regular reviews.

Change management refers to the method of making modifications to network or system configurations and keeping track of those modifications. It prevents changes from being made in a haphazard way, which could impact future changes and possibly expose a vulnerability an attacker could exploit. Two types of changes regarding security need proper documentation: architecture and classification. Architecture deals with devices such as routers, switches or other devices being introduced into the network. A detailed list of their attributes needs to be compiled as well. The second type of change is classification, which primarily refers to files or documents. Classification levels are typically standard documents and confidential documents. Uncoordinated changes can result in security vulnerabilities. Many organizations create a change management team to oversee the changes.

Incident management refers to the response required when an unauthorized incident occurs, such as an employee copying sensitive material. Incident response is a term describing the activities of an organization to identify, analyze, and correct hazards to prevent a future recurrence. Within a structured organization, these incidents are normally dealt with by either an Incident Response Team (IRT) or an Incident Management Team (IMT). These teams are often designated beforehand, or during the event, and are placed in control of the organization while the incident is dealt with, to restore normal functions.

List the types of security policies

Security policies are a set of requirements or rules which are required to set a path to a specific objective. Security policies attempt to carefully balance two key elements, trust and control. An effective security policy should minimize risk while not imposing undue access restrictions on those who need access to resources. A security policy attempts to provide the right amount of trust by balancing no trust and too much trust. Control is the second element that must be balanced. Designing a security policy involves defining what the policy is, understanding the security policy cycle, and knowing the steps in policy development. The different types of policies are:

Acceptable Use Policy
Access Control Policy
Application Control Policy
Antivirus Policy
Asset Management Policy
Electronic Messaging Policy
IT User Accounts Policy
Monitoring and Logging Policy
Passwords Policy
Remote Access Policy

Describe how awareness and training can provide increased security.

Security awareness training is a formal process for educating employees about computer security. A good security awareness program should educate employees about corporate policies and procedures for working with information technology (IT). Employees should receive information about who to contact if they discover a security threat and be taught that data is a valuable corporate asset. Regular training is particularly necessary in organizations with high turnover rates and those that rely heavily on contract or temporary staff. Confirming how well the awareness program is working can be difficult. The most common metric looks for a downward trend in the number of incidents over time.


http://www.comptechdoc.org/independent/security/policies/
http://www.slideshare.net/R_Yanus/Employee-Security-Training1
http://searchconsumerization.techtarget.com/definition/security-awareness-training

Thursday, July 17, 2014

Business Continuity

Business continuity is defined as "the ability of an organization to maintain its operations and services in the face of a disruptive event." The event could be as basic as an electrical outage or as catastrophic as a category 5 hurricane. When business is disrupted, it can cost money. Lost revenues plus extra expenses mean reduced profits. Insurance does not cover all costs and cannot replace customers that defect to the competition. A business continuity plan to continue business is essential. Development of a business continuity plan includes four steps:

 - Conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them.
 - Identify, document, and implement to recover critical business functions and processes.
 - Organize a business continuity team and compile a business continuity plan to manage a business disruption.
 - Conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan.

Define environmental controls-

As the saying goes, "An ounce of prevention is worth a pound of cure!" It's better to take steps that avoid disruptions rather than trying to recover from them. Preventing disruptions through environmental controls involves using fire suppression, proper shielding, and configuration of HVAC systems.

Describe the components of redundancy planning-

 - Redundancy planning is a crucial part of business continuity. It involves building excess capacity (or redundancy) for your network and computer systems, to protect them against failure. Redundancy planning ultimately ensures the availability of your network infrastructure, including servers, storage, networks, power, and even sites.

List disaster recovery procedures-


The disaster recovery procedures every enterprise should incorporate include the guidelines and procedures to be followed to effectively respond to and recover from different disaster recovery scenarios. Plan steps that minimize the effects of the disaster and resume mission-critical functions quickly.

 - Implement a Disaster Recovery Plan and test its efficiency.
 - Identify a Recovery Team and their specific responsibilities.
 - Identify what steps to take in advance of an event, and during the event. 
 - Identify Recovery procedures  

Describe incident response procedures-

Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. An incident response plan includes a policy that defines, in specific terms, what constitutes an incident and provides a step-by-step process that should be followed when an incident occurs.

 - Secure the crime scene
 - Preserve the evidence
 - Establish a chain of custody
 - Examine the evidence

http://www.ready.gov/business/implementation/continuity
http://dtechghana.com/security/business-continuity/redundancy-planning/
http://searchsecurity.techtarget.com/definition/incident-response

Wednesday, July 16, 2014

Importance of Passwords


Why length and complexity is important -
As we know, passwords are used to identify yourself, or authenticate your ability to enter a network, your computer, your banking information, and a host of other internet sites we visit daily. "For years we’ve been hearing that a random jumble of letters, numbers and symbols is the recipe for a strong password. But is there more to password security than a few dollar signs and ampersands? (1)" Many sites only require a 6 character password. But as time has progressed and the attackers have refined their craft, more sites are requiring 8 characters minimum with at least one number and a capital letter. As we have come to learn, the longer the password is, the harder it is for attackers to crack.
Attacks on passwords-
Passwords are a secret combination of letters, numbers, and/or characters only the user should know, but one weakness is that they often have to be committed to memory. There are a variety of attacks that can be used on passwords:
Brute Force- Uses every possible combination of letters, numbers and characters.
Dictionary- Common dictionary words.
Hybrid attacks- Uses both Dictionary and Brute Force.
Rainbow tables- Creating a large pre-generated data set.
Social engineering- Phishing, shoulder surfing, dumpster diving!
Capturing- Use of a key logger, man-in-the-middle attack.
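
To make the length-versus-complexity point concrete, here is a small strength estimator that models the brute force, dictionary, and hybrid attacks listed above and reports the cheapest one for a given password. It is an added example, not part of the original post; the wordlist is constructed, and the hybrid rule (optional leading capital plus a digit/symbol suffix) and the guessing rate are assumptions.

```python
import string

# Constructed sample wordlist; real password audits use lists with millions of entries.
WORDLIST = ["password", "letmein", "dragon", "sunshine", "monkey", "welcome"]
SUFFIX_CHARS = string.digits + string.punctuation  # 42 symbols a hybrid rule appends
GUESSES_PER_SECOND = 1e10  # assumed offline guessing rate, for illustration only


def charset_size(pw):
    """Alphabet size a brute-force search must cover, inferred from pw."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in pw))


def attack_costs(pw):
    """Worst-case guess count for each listed attack that applies to pw."""
    costs = {"brute force": charset_size(pw) ** len(pw)}
    if pw in WORDLIST:
        costs["dictionary"] = len(WORDLIST)
    normalized = pw[:1].lower() + pw[1:]  # assumed hybrid rule: optional leading capital
    for word in WORDLIST:
        suffix = normalized[len(word):]
        if (normalized.startswith(word) and suffix
                and all(c in SUFFIX_CHARS for c in suffix)):
            # words x 2 capitalisation choices x every suffix of this length
            costs["hybrid"] = len(WORDLIST) * 2 * len(SUFFIX_CHARS) ** len(suffix)
    return costs


def weakest_attack(pw):
    """(attack name, guesses) for the cheapest applicable attack."""
    return min(attack_costs(pw).items(), key=lambda item: item[1])


if __name__ == "__main__":
    for pw in ["monkey", "Dragon1!", "xK#9mQ2$", "kqzvhwtrnmxplbdf"]:
        name, guesses = weakest_attack(pw)
        print(f"{pw!r:20} {name:12} {guesses:.2e} guesses, "
              f"{guesses / GUESSES_PER_SECOND:.2e} s at the assumed rate")
```

"Dragon1!" meets a typical 8-character complexity rule yet falls to the hybrid attack in a few thousand guesses, while the 16-letter lowercase string has a larger search space than any 8-character password drawn from all 94 printable symbols.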

Limitations on password supplements-
Many people find creating strong passwords for each account cumbersome. One solution is to rely on technology rather than human memory. Modern web browsers such as Firefox, Internet Explorer, and Google Chrome allow a user to save a password that has been entered into the web browser (called AutoComplete Password in IE) through a separate dialog box that pops up over the browser. AutoComplete passwords are stored in the Microsoft Windows registry.

There are several disadvantages to using the auto complete feature:
   
    - The user is restricted to that computer where the passwords are located.
    - If other people are allowed to use that computer,  the passwords are accessible to them.

Other types of authentication-

A token is typically a small device that shares a unique algorithm with the corresponding authentication server. The use of tokens provides a significant increase in the level of security of authentication credentials. The token generates a code from the algorithm once every 30 to 60 seconds. The code is valid for only a brief period of time.
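
One widely used algorithm for such time-based codes is TOTP (RFC 6238); the post does not name the token's algorithm, so that choice is an assumption. The following is an added example, not from the original post: it shows the token and the authentication server deriving the same code from a shared secret, and the server rejecting stale or replayed codes. The secret is the RFC's published test key, and `token_code`, `AuthServer`, the 30-second step and the one-step drift window are illustrative names and settings.

```python
import hashlib
import hmac
import struct

# Constructed shared secret (the RFC 6238 test key), not a real credential.
SHARED_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # the text gives 30 to 60 seconds; 30 is assumed here
DIGITS = 6


def token_code(secret, unix_time, step=STEP_SECONDS):
    """Code the token displays at unix_time (RFC 6238 TOTP with HMAC-SHA1)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class AuthServer:
    """Server side: same secret and algorithm, plus expiry and replay checks."""

    def __init__(self, secret, drift_steps=1):
        self.secret = secret
        self.drift_steps = drift_steps  # tolerated clock drift, in time steps
        self.last_counter = -1          # highest time step already accepted

    def verify(self, submitted, now):
        current = now // STEP_SECONDS
        for counter in range(current - self.drift_steps,
                             current + self.drift_steps + 1):
            if counter <= self.last_counter:
                continue  # negative step, or a code that was already used
            expected = token_code(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    server = AuthServer(SHARED_SECRET)
    code = token_code(SHARED_SECRET, 59)
    print("token shows:", code)
    print("accepted at t=59:", server.verify(code, 59))
    print("replayed at t=60:", server.verify(code, 60))
    print("stale at t=149:", AuthServer(SHARED_SECRET).verify(code, 149))
```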

Smart cards can be used as authentication credentials also. They contain an integrated circuit chip that contains the information.

1. security.com/2013/07/09/which-is-more-important-password-complexity-or-length/