Microsoft Information Systems and Applications Security Introduction
The Information Systems and Applications Security course aims to familiarize students with the theoretical and practical approaches to modern technologies for protection of business applications on the Internet on the basis of software tools by Microsoft, USA (SecurityServicePack). The course material is structurally divided into modules, chapters and subchapters, and complies with the basic requirements of both the company itself (Microsoft Official Curriculum, MOC) and the recommendations of the ACM (http://www.computer.org/education/cc2001/). The contribution of the authors is as follows:

Chapter No | Chapter Name | Author | Pages
1 | PHYSICAL METHODS FOR SECURITY MANAGEMENT | Stephen Drazhev | 8
2 | PUBLIC-KEY CRYPTOGRAPHIC ALGORITHMS | Radka Nacheva | 15
3 | PROTECTION OF WEB APPLICATIONS | Stephen Drazhev | 14
4 | REMOTE CLIENTS AND NETWORKS ACCESS PROTECTION | Radka Nacheva | 11
5 | PROTECTION OF TRANSMITTED / RECEIVED INFORMATION | Stephen Drazhev | 10
6 | MS SECURITY SOFTWARE | Radka Nacheva | 7
TOTAL | | | 65

© Stephen Drazhev :: Radka Nacheva
Chapter 1. PHYSICAL METHODS FOR SECURITY MANAGEMENT

According to the FBI, USA, each time the computer security of a large company is compromised, the company loses USD 700,000 on average, and banks lose USD 8,000 per second as a result of computer crashes and failures. Credit card fraud causes losses of about USD 5 bn a year. The answers to the question "Which system resources must be protected and at what price?" are not always clear. An offender who compromises or defaces a computer usually gets access to all its resources. Another one may be interested in the outgoing connections of the attacked system only as a staging ground for attacking other, more interesting targets. Protection methods which otherwise are sufficiently effective against beginner hackers are powerless against professional crackers. Another issue is the cost of security – there is a constantly "floating" line between excessive and poor security. Over the past twenty years the view known as "the CIA triad" (Fig. 1.1) has been established, according to which the basic principles of information security are:
- Confidentiality;
- Integrity;
- Availability.
Fig. 1.1. CIA triad of Information Security
According to this concept, information systems are decomposed into three main components: hardware, software and communications, in order to define and implement the relevant standards as protection mechanisms at three levels (layers):
- Products (physical security);
- People (personal security);
- Procedures (organizational security).
Broadly speaking, the procedures are used to instruct people (administrators, users and operators) on how to use the products (software, hardware, etc.), in order to ensure information security in the organization. Physical methods for security management:
• Technical methods for hardware protection;
• Control of the access of individuals to the building or the specific office;
• Restricted access to specific technical devices, and reliable storage of external memory (flash and magnetic data carriers);
• Formation and protection of personal or group perimeter (facility perimeter);
• Monitoring for unwanted intrusion (physical and/or electronic);
• General control of the environment.
The choice of specific measures and tools, and the development of respective mechanisms for physical and technical protection are part of the project to build a comprehensive protection system. The measures taken for physical and technical protection of facilities and resources are determined by the type of system (military, banking, industrial, etc.) and by its specific implementation. These measures are classic in nature and are aimed at:
a) protection of facilities and resources against any physical intrusion by offenders;
b) limiting the physical access of operators to the required minimum;
c) shielding the technical devices from electromagnetic radiations;
d) limiting the possibilities for remote monitoring of the facilities and of the work of operators;
e) protection against fire and other malicious damage;
f) maintenance of spare emergency equipment, etc.
The physical access of unauthorized persons to computer systems and networks is a major problem in their protection. The choice of suitable premises largely reduces the risk of both physical intrusion by unauthorized people and natural disasters and accidents, but this is not always enough. Therefore, additional technical means of protection should be used at security sensitive places:
• fire alarm and sprinkler system – the system reacts to change of temperature, increased concentration of smoke, and flame;
• burglar alarm system – it reacts to movement in the premises, to opening of doors and windows, breaking glass, vibrations caused by breaking. It may be connected to a fast response team, and feature a "panic" function;
• CCTV (video surveillance) – video cameras placed at key spots for surveillance;
• Access control system – restricts the access of unauthorized persons to the premises of the company. Popular tools used in practice are:
  - code locks;
  - personal magnetic-stripe cards and contactless proximity card readers;
  - biometric systems – through sensors picking up the personal characteristics of the user (signature, voice timbre, fingerprints, iris, etc.).
The technical methods for information protection can be:
a) passive methods that reduce the intensity of undesirable radiations and fields: shielding (of entire premises, or partial shielding of the equipment); filtration of signals at the different levels of the equipment, filtration of signals in electrical power sources, in signaling and fire alarms; grounding (additional); use of absorbent and nonreflective coatings and coordinated loads;
b) active methods that create noise fields ("jamming", "blanketing") within the possible range for interception of information – these are based on the creation of masking and imitating noises for energetic jamming of dangerous signals or on code blanketing. It is possible to use line blanketing (cables, wires, etc.) through noise
signal generators included in the respective circuits, and spatial blanketing (antennas broadcasting masking noises in the environment);
c) use of highly protected physical components and technologies (e.g. optical fiber for the connection lines).
The following solutions for isolation of parasitic electromagnetic radiation are possible:
- The computer is located in a specially equipped shielded room (so-called Faraday cage).
- Use of a noise generator.
- Use of a protected computer. A protected computer's external design is in no way different from the ordinary PC. The protection technology comprehensively solves the problem of interception of information from the monitor, keyboard, hard drive, optical drives, flash drives, etc., without the need for a specially equipped room. The protection technology includes full radio opacity of the system unit of the PC and the maximum possible opacity of the video monitor, including extra shields and safety glass, double shielding of cables, installation of filters along the power supply circuits and along all signal cables, multiple shielding of the monitor and the use of elements and materials that absorb electromagnetic radiation. Computers with such protection prevent theft of information through the leakage channels of parasitic electromagnetic radiation and the primary power supply circuit.
The physical protection also includes methods of encrypting individual files, folders, and even an entire technical data carrier such as magnetic disks, flash drives and optical R/W drives. One of the universal encryption methods is the use of LUKS. LUKS (Linux Unified Key Setup) is a standard TKS1 method of encrypting Linux disks. This open-source software is available at: http://code.google.com/p/cryptsetup/
Besides using methods to encrypt files and data carriers, the so-called steganography methods are also often used in practice. Steganography, from ancient Greek, means concealed writing. It is necessary to distinguish encryption from steganography. Encryption transforms the content and thus makes it hard to read. Steganography makes the existence of a given content uncertain; it becomes "invisible". A typical example of the use of steganography is the presence of hidden digital watermarks. By "inserting" your important file in an image file, you make it invisible to the average user. The steganography application StegComm can be downloaded at http://www.datamark-tech.com. A detailed review of steganography technology and examples of its use are available at http://slidesha.re/171qvY2 .
Questions for self-preparation
1. Question 1
2. Question 2
3. Question 3
4. .....

Literature and Internet sources
1. Drazhev, St. et al. A social network for sharing knowledge and experience between teachers and students of the University of Economics – Varna. INSTRUCTION MANUAL., 2012, Published by the University of Economics – Varna, p. 196.
2. History of Information Security - Part 1: http://cio.bg/2552_istoriya_na_informacionnata_sigurnost__chast_1.2

Question 1: The CIA triad means?
A. Confidentiality, intervalence, availability.
B. Security, integrity, availability.
C. Confidentiality, integrity, availability.

Question 2. Protection mechanisms are applied at the following three levels?
A. Products, People, Procedures.
B. Products, Devices, Procedures.
C. Products, Programs, Procedures.

Question 3. Procedures are used to?
A. Instruct devices.
B. Instruct people.
C. Instruct the system programs.

Question 4. The technical methods of data protection are?
A. Passive, active and through the use of highly protected physical elements.
B. Passive, active and through the use of physical elements.
C. Standard, active and through the use of physical elements.

Question 5. A Faraday cage is?
A. A specially equipped biometric room.
B. A specially equipped basement.
C. A specially equipped shielded room.
Chapter 2. PUBLIC KEY CRYPTOGRAPHIC ALGORITHMS
2.1. Public Key Infrastructure
Public key cryptography (also known as asymmetric cryptography) is very important for secure data transmission on the Internet. It is based on the creation of a pair of keys – a public and a private one, used to encrypt and decrypt data. "Unlike the symmetric keys method, here the keys are generated simultaneously in a certain algorithm, and each participant in the encrypted data exchange must have their own unique pair of public and private keys:
• public key – it is used for data encryption and is publicly available to anyone who wants to send information to its owner. It cannot decrypt the data.
• private key – available only to its owner. It is used to decrypt the data encrypted by the public key." [1]
Data encrypted with a public key (known to everyone) can be decrypted only with the corresponding private key that is held and kept secret by its owner. For example, if John wants to send an encrypted message to Peter, he will encrypt the information with Peter's public key and send it to him. Peter will decrypt (decipher) the information with his own private key. The reverse process also has its advantages, namely: encryption with a private key and decryption with the corresponding public key. This process is known as creating a digital signature. For example, John wants to verify his identity as the sender of the message. So he encrypts the message with his private key and sends it to Peter. Peter decrypts the message using John's public key and thus verifies that John was the sender of the message. "The great importance of public-key cryptography stems from the lack of necessity to pre-distribute or exchange keys between communicating parties. This makes it possible to offer a number of online services such as electronic payments, secure data exchange, and others. Due to the larger computational capacity required for the implementation of public-key encryption algorithms, sometimes this method is applied for a short communication exchange during which both parties exchange keys in order to continue further communication through encryption with symmetrical encryption keys." [2] Figure 2.1. shows transmission of encrypted data by using a key pair. The public key is distributed freely, but only the holder of the corresponding private key can decrypt data encrypted with it.

Figure 2.1. Public-key encryption

The figure demonstrates the basic idea of public key cryptography – messages are sent in such a way that only the person who owns the decryption key will be able to read them, even if the encryption method is "intercepted" by an unauthorized person. For example, John sends an encrypted message that only Peter can decrypt, by turning it into a readable text again.

[1] Source: http://bg.wikipedia.org/wiki/Криптография
[2] Source: http://bg.wikipedia.org/wiki/Криптография

Problems of public key cryptography
"The only problem is the time it takes to generate the two keys and to encrypt and decrypt the message. The time it takes to encrypt a message grows exponentially with its length. Simply put, this means that if a text of a given length requires 10 seconds to encode/decode, then the processing of a four times longer message will take 16 times longer timer, i.e. 160 seconds. Due to the encryption time these algorithms are unusable in real life for messages longer than 20 bytes. As you can imagine, this is a very short text (for example, the previous sentence is 115 bytes long). On the other hand, secret key cryptography is fast and applicable regardless of the length of the message." 3 This chapter dwells on the technology to verify the authenticity of an electronic document using a public key (Public Key Infrastructure) and RSA data encryption. 2.1.
Public Key Infrastructure
The term Public Key Infrastructure (abbreviated: PKI) refers to technology for verification of the authenticity of an electronic document using a public key. The pcmag.com encyclopedia gives the following definition for PKI: "A framework for creating a secure method for exchanging information based on public key cryptography." 4 PKI enables Internet users to exchange data and money securely using asymmetric encryption. This is performed through the relevant authorities. Public Key Infrastructure includes the following authorities (Table 2.1.): Table 2.1. Authorities in IPK Nature
Functions
Certification
Signs a digital certificate containing information on
Authority (CA)
the respective person/computer/network unit and its
3
Source:
http://www-it.fmi.uni-sofia.bg/ReDisInfo/courses/modules/module2/parts/module1/part3/lesson7.html 4
Source of definition: http://www.pcmag.com/encyclopedia/term/49333/pki
Š Drazhev / Nacheva
Page 10
11
Microsoft Information Systems and Applications Security
affiliated key. This process is called certification. The authority may be local for the organization or global. For example, Thawte, VeriSign, GlobalSign, Entrust, GTE CyberTrust and others; Registration Authority (RA)
This is a department of the certification authority (or an authorized external organization) which performs activities related to the acceptance, verification, approval or rejection of requests for issuance of certificates.
Validation Authority (VA)
Validates the digital certificate of the relevant person or entity.
Requests for certificates, renewed and canceled certificates and requests made by the certification and registration authority are stored in a Certificate Database. Figure 2.2. shows the work organization in the infrastructure. The user submits a request for certificate with his/her public key to the registration authority. The latter verifies the user's identity and forwards it to the certification authority, which in response returns the issued certificate. The user signs a contract electronically with the new certificate. His/her identity is verified by the validation authority, which receives information on the certificate being validated from the certification authority. If the user's identity is verified, the contract can be signed successfully or the purchase / money transfer can take place seamlessly.
Fig. 2.2. Organization of PKI [5]

PKI offers a range of services that are combined to ensure the security of applications. Services may include:
• Key Backup and Recovery – tools for recovery of lost or damaged certificates. A backup server is used for this purpose;
• Key History – certificates can be changed for various reasons (expiration or name change). It is therefore possible that protected data which use a previous version of the key can not be accessed unless the older keys are stored in an archive;
• Certificate Repository – the place where the certificates are stored;
• Certificate Revocation – if a person stops using the designated key;
• Automatic Key Recertification – the period of validity of expired certificates may be extended automatically;
• Cross Certification – this is used to establish a trusted connection between the various authorities of the PKI. This means that the infrastructure may be decentralized;
• Time stamp – verifies that the data are accurate and valid;
• API for the customer – a set of tools for applications that use the services of PKI.

[5] Original address of the image: http://bg.wikipedia.org/wiki File: Public-Key-Infrastructure.svg
Purpose of PKI
The infrastructure can be used for:
• Encryption and/or authentication of the sender of an e-mail (via OpenPGP or S/MIME).
• Encryption and/or authentication of documents (for example, XML encryption).
• Authentication of users of applications (for example, access with smart cards / SSL).
• Secure communication using protocols such as Internet key exchange (IKE) and SSL. Both protocols use channels that are protected against tapping for the transmission of information using the asymmetric encryption method.
• Mobile signatures – these are a type of electronic signatures created for use by mobile devices and relying on certification services by an independent telecommunications organization.
At http://msdn.microsoft.com/en-us/library/windows/desktop/bb427432(v=vs.85).aspx you can find an example of PKI.
http://www.topsite.com/best/pki lists websites of companies offering PKI software.
Registration of electronic signature: http://www.stampit.org/bg/

2.2. RSA: Rivest, Shamir and Adleman
"RSA is a data encryption algorithm, which uses different keys for encryption and decryption. The name comes from the surnames of its founders: Ronald L. Rivest, © Drazhev / Nacheva
Page 13
Microsoft Information Systems and Applications Security
14
Adi Shamir and Leonard Adleman. It was patented in 1983 and made patent-free in 2000. The key with a length of 512 to 1024 bits is used for encryption and is different from the key used for decryption. The RSA algorithm provides a procedure for signing an electronic document and for verification of the authenticity of the signature. The signature pertaining to an electronic document is quite different from the signature affixed to a paper document, where it is the same for all paper documents. The electronic signature can not be constant – it is a requisite of the electronic document, whereto it was "affixed". RSA operations, whether encryption, decryption, signing or verification, are in fact a modular exponentiation. This calculation is performed as a series of modular "multiplications". RSA is now widely used in many products, platforms and industries worldwide. It is prevalent in many commercial software products and is planned to be used in many more. RSA is implemented in operating systems by Microsoft, Apple, Sun and Novell. In practice, RSA can be found in phones, Internet network cards and smart cards. Overall, RSA is implemented as a security measure in all major secure Internet communications protocols, including S/MIME, SSL and S/WAN. RSA is also used internally in many institutions, including departments of the US government, major corporations, national laboratories and universities. License for RSA technology has been acquired by about 350 companies. The approximate number of encryption machines based on RSA is about 300 million, making it so far the most widely used encryption algorithm in the world." 6 The encryption system is owned by RSA Security. The company owns a license for the algorithm and sells toolkits for developers.
Encryption methods using RSA
6
Source: http://bg.wikipedia.org/wiki/RSA
Š Drazhev / Nacheva
Page 14
Microsoft Information Systems and Applications Security
15
Before we present the mathematical details that make up the algorithm, we would like to give some details on its essence in a few simple sentences. The algorithm involves the application of two large prime numbers [7]. These two numbers participate in the formation of the public and private keys, where both keys are composed of two numbers. After the keys are created, these prime numbers are no longer needed. The public and private keys are used for encryption and decryption, and the private key is known only to its owner and is not distributed through the Internet. The private key is used to decrypt a text encrypted with a public key, which in turn is published at a publicly accessible location. The sender of the letter uses the recipient's public key to encrypt it. When received, the letter is decrypted with the private key of the recipient. However, the sender can be identified by his/her digital signature created with the sender's private key. To establish the identity of the sender, the recipient uses the sender's public key for authentication. Table 2.2. demonstrates the sequence of the steps described above.

Table 2.2. Sending an encrypted message with a digital signature
Action | Whose key is used | Key type
Sending an encrypted message | Recipient | Public
Sending an encrypted signature | Sender | Private
Decrypting the message | Recipient | Private
Decrypting the signature and authentication of the sender | Sender | Public

The mathematical details of the algorithm used to generate public and private keys are posted on RSA's homepage: http://www.rsa.com/rsalabs/node.asp?id=2133.

[7] A prime number is divisible only by itself and by one.
The steps of implementing the algorithm are as follows, complete with examples for better understanding:

1. GENERATING PUBLIC AND PRIVATE KEY

First, the private key (which will be stored on the server) and the public key (which is publicly known) are generated. Two different prime numbers p and q are selected. For greater security, they must be random and have the same number of digits: p = 29, q = 31. To make sure that the numbers are really prime, we can conduct a primality test. This is an algorithm which determines whether the input number is prime [8]. Then, we calculate n = p*q = 29*31 = 899. n is the modulus of the two keys. Its length, expressed in bits, is the length of the key. After that we calculate the Euler function [9]: φ(n) = (p - 1) * (q - 1) = (29 - 1) * (31 - 1) = 840. We then choose a prime number e in the range 1 < e < φ(n), such that e and φ(n) have no common divisors. The number e is the exponent of the public key. We choose the number 11. The next step is to calculate the exponent of the private key, which is the number d. It is calculated using the formula d ≡ e^(-1) (mod φ(n)), i.e. d must satisfy the equation d*e ≡ 1 (mod φ(n)), so that e*d – 1 is divisible by φ(n) without remainder. Following the example given, (d * 11) / φ(n) must give remainder 1. We have to find the modular inverse of e modulo φ(n): 611 * 11 = 6721, and 6721 / 840 = 8 with remainder 1. Here are the results of the calculations:
p — 29
q — 31
n — 899
φ — 840
e — 11
d — 611
The public key contains the modulus n and the public exponent e. The private key contains the modulus n and the private exponent d.

[8] More details on the said algorithm can be found at: http://en.wikipedia.org/wiki/Primality_test
[9] Details on the purpose of the Euler function: http://bg.wikipedia.org/wiki/Функция_на_Ойлер
2. MESSAGE ENCRYPTION

The public key is made available to those who want to send us a coded message. The message should be encrypted using the following formula: C = M^e mod n, where C is the encrypted message. To give an example, we will choose the letter 'w', whose ASCII code is 119 [10]. C = 119^11 mod 899 = 595. The number 595 is sent to the server. As a rule, the following formula is used for encryption of the original message: , where the number m is the numeric alternative to the original message M. This means that, for greater security, M is converted into m, which is within the interval 0 ≤ m < n. The number is generated through the so-called padding scheme. Padding is the process of preparation of a message for encryption or signing using a specification or a scheme such as PKCS #1 v1.5, OAEP, PSS, PSSR, IEEE P1363 EMSA2 and EMSA5. OAEP is the current method applied to the RSA algorithm when used for encryption of a limited number of bytes. Details about the schemes used to generate the random number that codes the original message can be found at:
• Padding (cryptography): http://en.wikipedia.org/wiki/Padding_(cryptography)
• Optimal asymmetric encryption padding: http://en.wikipedia.org/wiki/Optimal_Asymmetric_Encryption_Padding
• PKCS #1: http://en.wikipedia.org/wiki/PKCS1
• Kiltz, E., K. Pietrzak, On the Security of Padding-Based Encryption Schemes, or: Why we cannot prove OAEP secure in the Standard Model: http://homepages.cwi.nl/~pietrzak/publications/KilPie09.pdf
• PKCS #5 v2.0: Password-Based Cryptography Standard: ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-5v2/pkcs5v2-0.pdf

[10] ASCII Code - The extended ASCII table: http://www.ascii-code.com/
3. MESSAGE DECRYPTION

To decrypt the message we need the private key: n and d, which, of course, must be kept secret. Use the formula to decipher the message: M = C^d mod n. M = 595^611 mod 899 = 119. M = 119 is the value of the letter 'w' in the original message! If we use the generated number
, the original message M can be restored by
reversing the scheme. Proof: . Since
, .
The latter reasoning is based on Euler's theorem where
is relatively prime to
. Using the Chinese remainder theorem [11] it can be demonstrated that the equation is true for all
.
This proves that we have arrived at the original message:
[11] Chinese remainder theorem: http://en.wikipedia.org/wiki/Chinese_remainder_theorem
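The three steps above (key generation, encryption, decryption) carried out in Python with the chapter's own numbers (p = 29, q = 31, e = 11, the letter 'w' = 119), as an added example that is not part of the textbook. It goes slightly beyond the text: d is computed with the extended Euclidean algorithm instead of being taken as a given, and the signing direction from section 2.1 (encrypt with the private key, check with the public key) is included; all function names are the example's own.

```python
# Added example, not part of the textbook: textbook RSA with the chapter's numbers.
# Every function name here is the example's own choice.
from math import gcd


def is_prime(n):
    """Trial-division primality test; fine for the tiny textbook primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(e, phi):
    """The d with d*e = 1 (mod phi); replaces the chapter's trial value for d."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) must be coprime")
    return x % phi


def generate_keys(p, q, e):
    """Step 1: returns ((n, e), (n, d)) after checking the chapter's conditions."""
    if p == q or not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be two different primes")
    n = p * q
    phi = (p - 1) * (q - 1)  # Euler function of n
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) == 1")
    return (n, e), (n, modinv(e, phi))


def encrypt(m, public_key):
    """Step 2: C = M^e mod n, for a numeric message 0 <= m < n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be in the range 0 <= m < n")
    return pow(m, e, n)


def decrypt(c, private_key):
    """Step 3: M = C^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def sign(m, private_key):
    """Section 2.1's 'encrypt with the private key': S = M^d mod n."""
    n, d = private_key
    if not 0 <= m < n:
        raise ValueError("message must be in the range 0 <= m < n")
    return pow(m, d, n)


def verify(m, signature, public_key):
    """Anyone holding the public key checks S^e mod n == M."""
    n, e = public_key
    return pow(signature, e, n) == m


def encrypt_text(text, public_key):
    """Character by character, as the chapter does with 'w' -> 119 -> 595.
    Without a padding scheme (OAEP etc.) equal characters give equal
    ciphertext numbers, which is exactly why the chapter brings up padding."""
    return [encrypt(ord(ch), public_key) for ch in text]


def decrypt_text(blocks, private_key):
    """Inverse of encrypt_text."""
    return "".join(chr(decrypt(c, private_key)) for c in blocks)


if __name__ == "__main__":
    pub, priv = generate_keys(29, 31, 11)  # the chapter's p, q and e
    print("public key:", pub, "private key:", priv)  # (899, 11) (899, 611)
    c = encrypt(119, pub)  # the letter 'w'
    print("C =", c, " M =", decrypt(c, priv))  # C = 595  M = 119
    s = sign(119, priv)  # John signs with his private key
    print("signature valid:", verify(119, s, pub))  # Peter checks with John's public key
    print("tampered message rejected:", not verify(120, s, pub))
    print(decrypt_text(encrypt_text("www", pub), priv))  # repeated 'w' -> repeated 595
```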
At http://content.hccfl.edu/pollock/AUnixSec/PublicKeyDemo.htm you can read an explanation of the mathematical model of the method, presented in a different way compared to the one proposed in this textbook. The following documents contain detailed practical explanations of the RSA algorithm:
• Lecture 12: Public-Key Cryptography and RSA: https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture12.pdf
• A worked example of RSA public key encryption: http://maths.mq.edu.au/~rody/math237/RSA.pdf
• The Mathematics of the RSA Public-Key Cryptosystem: http://www.mathaware.org/mam/06/Kaliski.pdf

Practice unit
The application of the RSA algorithm can be tested at the following addresses:
• RSA Encryption: http://courses.gdeyoung.com/pages/encryption/rsa.php
• Public-Key Encryption by RSA Algorithm: http://logos.cs.uic.edu/340%20Notes/rsa.html
• JavaScript RSA Cryptography Demo: http://www-cs-students.stanford.edu/~tjw/jsbn/rsa2.html
• RSA in JavaScript: http://www.ohdave.com/rsa/
The following list provides links to web sites with tutorials and software for the implementation of public key cryptography:
• RSA Encryption in Pure PHP: http://stevish.com/rsa-encryption-in-purephp
• Simple RSA public key encryption algorithm implementation: http://www.java2s.com/Code/Java/Security/SimpleRSApublickeyencryptionalgorithmimplementation.htm
• Code Examples – En-/Decryption with RSA: http://www.flexiprovider.de/examples/ExampleRSA.html
• How to use PKI encryption to share files via internet: http://www.aeppro.com/file-encryption-software/screenshots/how-to-usepki-encryption-to-share-files-via-internet.shtml
• Key Manager: http://www.goanywheremft.com/products/openpgp-studio/documentation/key-manager
• Open Source PKI Software: http://middleware.internet2.edu/hepki-tag/opensrc.html

Literature
1. Salomaa, A., Public-Key Cryptography. Springer, 2009
2. Katz, J., Introduction to Modern Cryptography: Principles and Protocols. Chapman and Hall / CRC, 2007
3. Paar, C., Understanding Cryptography: A Textbook for Students and Practitioners. Springer, 2010
4. Menezes, A., Handbook of Applied Cryptography (Discrete Mathematics and Its Applications). CRC Press, 1996

Internet sources
1. Public-Key Cryptography Standards (PKCS): http://www.rsa.com/rsalabs/node.asp?id=2124
2. Using PKI Certificates for Authentication: http://www.dartmouth.edu/comp/soft-comp/software/downloads/mac/pki/
Question 1: RSA is an acronym derived from:
a. the names of its creators: Rivest, Shamir and Adleman
b. Rational Security Algorithm
c. the names of its creators: Ronald, Shamir and Adleman

Question 2: RSA is an algorithm for:
a. data encryption / decryption with public key
b. data encryption / decryption with public and private key
c. data encryption with public key

Question 3: PKI stands for:
a. Public Key Infrastructure
b. Private Key Infrastructure
c. Public Key Insurance

Question 4: PKI is:
a. Infrastructure providing transmission of classified government information
b. Infrastructure creating a method for secure data transmission
c. Service in the state administration dealing with e-government

Question 5: Public-key encryption is also called:
a. Line encryption
b. Symmetric encryption
c. Asymmetric encryption

Question 6: The public key is:
a. publicly available
b. available only to its owner
c. available only to partner companies exchanging encrypted information

Question 7: The private key is:
a. publicly available
b. available only to its owner
c. available only to partner companies exchanging encrypted information

Question 8: In asymmetric encryption it is necessary:
a. to have only one key, which plays the role of encryption and decryption key.
b. to have a pair of keys – public and private, through which data encryption is carried out.
c. to have three keys – one public and two private.
CHAPTER 3. PROTECTION OF WEB APPLICATIONS

Nowadays web technologies make it possible to create not only interactive and functional websites, but fully functional web applications whose interface, functionality and performance are not only on a par with traditional desktop applications, but in many respects surpass them. The following short definition of the term web application may be used:
- A web application is software that runs in the browser.

Traditional applications are installed on, or run from, a disk or other data carrier. They rely on an environment that is generally provided by the operating system and in some cases is additionally installed on the respective computer (e.g. Java, .NET, etc.). Upon starting a traditional, so-called desktop application, it loads the interface needed to use that application. In most cases web applications are hosted on servers connected to the Internet and are accessible from any device connected to the Internet. Restricting and regulating access is of course a matter of choice for the administrator of the application, and is not only possible but necessary.

If a web application is vulnerable and has security issues, it becomes an easy target for hackers, who can get full control of:
• the database of the respective website;
• the files / pages of the respective website, etc.

The significant information that can be found and used in a hacked website may include:
- usernames and passwords, which can also be used to access other web applications (for example, unauthorized access to the e-mail account if the password is the same); the e-mail addresses themselves can be used for spamming;
- any other information that is useful to the malicious user.

Furthermore, incidents related to security breaches may include other actions by hackers, such as:
• website defacement;
• destruction of all files;
• destruction of the entire database.
The most common and well-established practices for analyzing web applications follow one of the following principles:

The black-box principle. This constitutes an assessment of the security of the application without first obtaining any information about it. It is useful when the security level must be assessed from the point of view of the hacker, who usually has minimal knowledge of the studied system. Such assessments are most often made through penetration testing. All tests can be conducted with prior warning of the staff about the planned operations, but also without any such warning. In the second case there is an opportunity to assess how long after the start of the operation the staff will detect the incident, and how adequate the staff's actions to prevent or minimize its impact will be.

The gray-box principle. This involves conducting the study after having acquired all necessary information about the application, in addition to ensuring immediate access to the server on which it operates. Usually the person conducting the study is provided with the following information: the structure of the application, data for authorized access (e.g. username, password and one-time passwords for executing transactions), the source code of some files or functions, etc.

The white-box principle. This principle implies the transfer of the entire application and its installation at the analyzing consultant, or arranging a copy of the application in the information system and granting the analyst full access to this resource. In this case we can see how the application reacts to any request submitted to it. This is the most productive method for analyzing the security of web applications, as it allows the largest number of vulnerabilities to be detected. It should be noted, however, that this method does not offer the opportunity to look at the application from the position of the attacker.

3.1. Organization of protection at the Web servers level
Basic principles of protection at the Web server level.

Principle of minimum privileges: according to this principle every user is granted minimum but sufficient privileges to perform their daily duties.

Principle of use of protected protocols – SSL/TLS: the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols provide authentication of the server and the client and, in turn, encrypt the session while data are transmitted and received.

Principle of Web server configuration in accordance with best practices:
• Install the Web server software on a separate computer.
• Select the necessary Web services; exclude those which are not necessary.
• Promptly install all patches or updates related to detection of malicious codes.
• Provide protection to the Web server through configuration settings disallowing access to files that are not public.
To make additional settings, follow guidelines similar to those in FERPA [12].

Principle of keeping daily log files for the purpose of conducting future investigations and recovery after attacks:
• For each virtual Web site, create separate log files, distinct from those of the physical Web server.
• Make sure there are mechanisms available for storing log files on physical data carriers.
• Make sure that log files actually record cases of vulnerabilities such as attempts to compromise the system, changes to privileges and profiles, and other potentially hazardous activities.

Protecting Web servers via htaccess codes. Here are some instructions on how to implement some necessary protections using an htaccess code:
[12] The Family Educational Rights and Privacy Act of 1974
Preventive protection against some common hacking techniques. It is ensured by the following code (one directive per line; the square bracket in the GLOBALS and _REQUEST patterns and the parentheses after base64_encode are escaped so that they match literally):

    RewriteEngine On
    # proc/self/environ? no way!
    RewriteCond %{QUERY_STRING} proc/self/environ [OR]
    # Block out any script trying to set a mosConfig value through the URL
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
    # Block out any script trying to base64_encode crap to send via URL
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    # Block out any script that includes a <script> tag in the URL
    # (QUERY_STRING is matched before URL decoding, hence both < and %3C)
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    # Block out any script trying to set a PHP GLOBALS variable via URL
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    # Block out any script trying to modify a _REQUEST variable via URL
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    # Answer all blocked requests with a 403 Forbidden error
    RewriteRule ^(.*)$ index.php [F,L]
Preventive protection against access to directories on the server (use one of the two settings, depending on the desired behavior):

    # disable directory browsing
    Options All -Indexes

    # enable directory browsing
    Options All +Indexes
Preventive protection against access by users identified by domain name:

    # block visitors referred from indicated domains
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} scumbag.com [NC,OR]
    # the last condition carries no [OR]: a trailing [OR] would leave the
    # chain open and make the rule fire for every request
    RewriteCond %{HTTP_REFERER} wormhole.com [NC]
    RewriteRule .* - [F]
    </IfModule>
Similar examples can be found at http://bit.ly/8Z0nmQ.
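To see how such RewriteCond chains behave before deploying them, here is an added Python example (written for this text, not taken from the original or from the authors) that applies the query-string patterns of the first snippet and a referrer block list to constructed sample requests using mod_rewrite's [OR] semantics; it also shows why a chain whose last condition still carries [OR] fires for every request. The sample query strings, referrer URLs and the domain names in the lists are constructed for illustration.

```python
import re

# A condition mirrors one RewriteCond line: (server variable, regex, flags).
# Patterns are applied to the raw, still URL-encoded value, as mod_rewrite does
# for %{QUERY_STRING}; that is why the rules list both "<" and "%3C".
QUERY_STRING_RULES = [
    ("QUERY_STRING", r"proc/self/environ", {"OR"}),
    ("QUERY_STRING", r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", {"OR"}),
    ("QUERY_STRING", r"base64_encode.*\(.*\)", {"OR"}),
    ("QUERY_STRING", r"(<|%3C).*script.*(>|%3E)", {"NC", "OR"}),
    ("QUERY_STRING", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", {"OR"}),
    ("QUERY_STRING", r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", set()),
]

# Referrer block list with a trailing [OR] (a common copy-paste mistake) and the fixed chain.
REFERER_RULES_BUGGY = [
    ("HTTP_REFERER", r"scumbag\.com", {"NC", "OR"}),
    ("HTTP_REFERER", r"wormhole\.com", {"NC", "OR"}),
]
REFERER_RULES_FIXED = [
    ("HTTP_REFERER", r"scumbag\.com", {"NC", "OR"}),
    ("HTTP_REFERER", r"wormhole\.com", {"NC"}),
]


def cond_matches(cond, request):
    """Test one condition against a request (a dict of server variables)."""
    var, pattern, flags = cond
    value = request.get(var, "")
    re_flags = re.IGNORECASE if "NC" in flags else 0
    return re.search(pattern, value, re_flags) is not None


def rule_fires(conds, request):
    """Evaluate a RewriteCond chain the way mod_rewrite does.

    Conditions joined by [OR] form a group that ends at the first condition
    without [OR]; the group succeeds if any member matches.  A group that is
    still open when the list ends counts as satisfied, so a trailing [OR]
    makes the rule apply to every request.
    """
    i, n = 0, len(conds)
    while i < n:
        matched = cond_matches(conds[i], request)
        if "OR" in conds[i][2]:
            if not matched:
                i += 1          # try the next alternative of the group
                continue
            while i < n and "OR" in conds[i][2]:
                i += 1          # skip the remaining alternatives ...
            i += 1              # ... including the condition that closes the group
        else:
            if not matched:
                return False    # a plain (AND) condition failed
            i += 1
    return True


def blocked_queries(conds, query_strings):
    """Return the query strings the chain would answer with 403."""
    return [q for q in query_strings if rule_fires(conds, {"QUERY_STRING": q})]


# Constructed sample query strings: three hostile, two ordinary.
SAMPLE_QUERIES = [
    "page=2&sort=name",
    "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "GLOBALS[x]=1",
    "file=../../proc/self/environ",
    "search=base64+encoding+tutorial",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        verdict = "403" if rule_fires(QUERY_STRING_RULES, {"QUERY_STRING": q}) else "ok "
        print(verdict, q)
    innocent = {"HTTP_REFERER": "https://example.org/links"}   # constructed referrer
    print("buggy chain blocks an innocent referrer:", rule_fires(REFERER_RULES_BUGGY, innocent))
    print("fixed chain blocks an innocent referrer:", rule_fires(REFERER_RULES_FIXED, innocent))
```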
Create Proxy

There are many options to access banned or restricted websites [13]. One of these methods is to create a Proxy. Proxies contain different types of scripts, which will be dealt with here below:
- PHProxy, as the name implies, is a script written in PHP, and is one of the most popular scripts at the moment. You will need to have your own web server or get a hosting account. There are many web hosts, both paid and free, and you will need one that enables PHP (e.g. awardspace.com). Download the script from the following address: http://sourceforge.net/projects/poxy and upload the files to your server or webhost. This is all you need, but you can change the appearance of the proxy using CSS to customize the template.
- CGI Proxy is another option. If you have your own server, install cgi/perl on it. If you have an online webhost, find one that supports CGI scripts. One of the better ones is http://tripod.com. Now all you have to do is upload the nph-proxy file to the correct directory, but this may not work for various reasons. You can also test the automatic installer (search for it in Google), which will ask for an ftp account. Some, but not all, free webhosts offer it. And that's it. Unless you have some voodoo knowledge, it is unlikely to succeed, which is completely normal – if you do not know how to use Perl, this script is impossible.
- Glype is a very good script, which can be downloaded from http://glype.com. The script itself requires PHP and Curl access, and as regards the webhost, you may check http://000webhost.com. Of course, the best option is to have your own server. Open the folder and zip the uploading folder. Upload this folder and * it. Run the program.

Notes: Since a proxy consumes a large amount of resources, free webhosts will terminate the service within a week. There are many good proxy webhosts that you can look up in Google. The above are just some examples, and here are a few more: Netonomous.net (PHP based), UnlockMyspace.com (web based), AceVPN.com (openvpn based).

[13] The review of the methods is made according to http://bit.ly/1b3liDS

Blocking Proxy servers without additional software

Here we will present one of the technologies for protection against proxies, without installing additional software. For this purpose we will use the HTTP protocol itself, inserting the rules below into the .htaccess file of the website. Once you enter the code given below, upload it to your server. This is an efficient method that actually works:

    RewriteEngine on
    # reject any request carrying a header that proxies typically add;
    # note that a reverse proxy or CDN placed in front of the site also adds
    # such headers, so its clients would be rejected too
    RewriteCond %{HTTP:VIA} !^$ [OR]
    RewriteCond %{HTTP:FORWARDED} !^$ [OR]
    RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
    RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
    RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
    RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
    RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
    RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
    RewriteRule ^(.*)$ - [F]
Results returned by search engines that point to websites with potential threats

Search engine poisoning is a practice based on the construction of pages or entire sites for the purpose of generating high visibility in the search engines themselves, drawing benefit from a hot topic. For example, a search for games may return the World of Warcraft website as the first result, but it may actually lead to a different, infectious place. Another example – according to a survey conducted by the antivirus company McAfee, 19% of the results returned when searching for "Cameron Diaz" lead to hazards. Hot new topics related to Facebook and Twitter should also be considered. To protect your device, take a look at the URL addresses and, if they seem suspicious or unknown, do not visit them. When searching for information, trust popular sites. Every site can be hacked, but popular sites, or more precisely the web portals, are preferable to new, potentially harmful sites.

3.2. Organization of protection on the databases level

According to an HP report [14] on the greatest dangers to the protection of information in 2010, the number of cyber crimes targeting database centers and networks is constantly increasing. The aim of the study was to help companies introduce good practices in IT security. The report states that some attacks target known vulnerabilities for which producers have already taken measures, while others target completely new weak points. Among the recommendations given by HP with a view to reducing the opportunities for committing cyber crimes is facilitating the inspection of information security and updating the technological tools used for this purpose. For the purposes of the report, HP analyzed data from thousands of HP TippingPoint Intrusion Prevention Systems (IPS). The data relate to information received from the attacks repulsed by TippingPoint IPS filters through the Digital Vaccine service. Data from other sources were also used. The mass implementation of Web applications, the emergence of new services, and the ballooning expansion of the IT infrastructure of organizations have led to the inability to control through conventional means the information flows and what users do with the data and the business applications. As a response to these trends, specialized solutions for the protection of complex, territorially distributed systems have emerged.

[14] Source: Cio.bg, October 2010.
Databases – the main target of attackers.

There are several levels for penetrating an information system – at least five. Attackers use "holes" in the corporate network, the server operating system, the database management server, the application server, and in the client module. At each of these levels there are vulnerabilities, and at any of them a significant degree of control over the information stored in the system can be acquired.

In recent years, many large organizations have suffered from information theft. The consequences for such organizations have been financial losses and damage to reputation. A number of incidents were related to leakage of personal information about customers. All this requires a revision of the requirements for the protection of information within the organizations themselves, and also higher requirements by regulatory authorities regarding this issue. Most standards regulating critical data protection – PCI DSS, HIPAA, SOX and others – require the availability of tools for continuous control of access to data, for identification of vulnerabilities in the infrastructure and for protection of the information during its transmission. Regulations pay significant attention to the control of privileged users as the main source of threats in connection with information leakage, and also to controlling access to business applications – ERP, CRM, etc. – from leading suppliers as well as in-house developments.

Monitoring of databases and applications.

All major developers of database management systems offer functions for activity monitoring in their products. But embedded control tools have both advantages and disadvantages. The tools of the database management systems (DBMS) cannot distinguish between the user and the attacker. The use of so-called "logs" of user activity increases the load on the servers, and consequently leads to a decline in the performance of the applications and in the quality of service.

Often the optimization of application performance is carried out using "connection pooling", where there is one database user for the entire pool. Thus the application performance is increased, but the level of information security is starkly reduced, since there is no way to control the activities of end users. In short, if we focus on increasing the level of information security, we will have to compromise on the quality of service, and vice versa. Avoiding such a situation requires specialized solutions that perform the function of information flow control without affecting the performance of the information systems.

Awareness of the problems associated with ensuring the protection of information at the core of its storage, as well as the need to remove internal threats, has led to the emergence of solutions such as DAM (Database Activity Monitoring), WAF (Web Application Firewall) and DLP (Data Leak Prevention). DAM systems are designed to control the activities of database servers, WAF solutions to provide control over the access of business application users to databases, and DLP to provide control over information flows beyond the perimeter of the organization's information environment.

Web Application Firewall (WAF).

Most often the solutions of this class constitute hardware-software complexes, applying a set of rules and security policies to the observed HTTP traffic coming from the applications to the database and in the reverse direction. These solutions allow controlling certain known types of attacks such as Cross-site Scripting (XSS) and SQL injection. By setting rules for the business applications, multiple attacks can be detected and blocked. However, the work volume for these settings can be quite large, and in addition any changes to the applications will require new settings. The emergence of solutions of this class was strongly influenced by the PCI DSS (Payment Card Industry Data Security Standard), http://bit.ly/12WuFjN, which requires protection of credit card information in public Web applications by at least one of the following two methods:
- Analysis of the Web applications code: manually, by scanning the source code, or by vulnerability assessment;
- Establishing a point at which the security policy is applied.
WAF solutions are often called Deep Packet Inspection Firewalls, as they analyze each request and each result of a request at the HTTP / HTTPS / SOAP / XML-RPC / Web-service levels. However, the data in the database remain unprotected and their use is not monitored – in fact only the part of the network requests to the database that comes from the application server is inspected. Like the traditional perimeter firewalls, WAFs are necessary but not always sufficient.
Fig. 3.1. Example of a SQL injection attack (SQLIA)
Database Activity Monitoring (DAM).

DAM stands for Database Activity Monitoring, i.e. a class of technology solutions designed to control the activities of database management servers. The multilayer architecture of corporate applications is constantly changing. Application users need to be controlled in accordance with their current roles, with particular attention to privileged users. Besides application users, database users also need to be controlled, by monitoring both access at the application level and direct access at the DBMS level. Transparency of all activities is crucial for preventing irregularities. DAM solutions help control all sessions of the database management system (input, execution of SQL code, output, etc.) and all exceptions (errors, failed authorization, etc.), block unwanted sessions, and announce events related to information security. Besides activity monitoring, DAM solutions allow controlling changes in DBMS objects and their surroundings, as well as database vulnerabilities. The prevention of data leakage is realized through checks on extracted information, detection of anomalies in the functions, and automatic detection and classification of critical data.

Prevention of unauthorized actions is made possible through the implementation of security policies, through which access to databases or specific tables may be restricted on the basis of different parameters: user account, IP address, MAC address, network protocol, SQL command type, business application, time of day, etc. DAM solutions control all database activities and provide detailed accounting for any investigation of events related to information security. They automate the audit of compliance with regulatory requirements and prevent data leakage. Reports can contain various information – all sorts of exceptions (SQL errors or authorization failures), commands changing the structure of the database (create, drop, alter), requests for data selection (select), commands controlling accounts, roles and rights (grant, revoke), etc. In short, the implementation of DAM solutions leads to transparency of the work with databases and records the actions of all users – administrators, developers, auditors, application users. In addition, system performance is not affected and one of the main postulates of IT security is realized in practice – separation of duties. However, a major disadvantage of DAM solutions is that the use of the data after their extraction from the database is not tracked. This task can be performed by DLP (Data Leak Prevention) solutions.

An efficient method of SQL database protection is described by Dr. Ivan Kuyumdzhiev. In order to improve the safety and protection of the system, it is possible to create mirror copies of databases [15]. To be successful, the mirror copy strategy requires two existing installations of SQL Server, and it is highly recommended that these be located on different physical servers. One of the servers is used to access the databases and the other receives all completed transactions. In the event of failure of the main server the roles can be interchanged and the mirror server can become the main server until the damage is repaired. Such technology allows minimizing the system's downtime (Fig. 4.2).
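As an added illustration of the DAM policies and report categories described above (example code written for this text, not the work of the authors or of any DAM product), the Python below classifies constructed database session events by SQL command type and evaluates them against a small policy keyed on user account, client IP address, command type and time of day. The table name, accounts and addresses are assumptions. It also shows the connection-pooling problem: when every session authenticates as the pool account, a policy keyed on the database user alone cannot tell end users apart, so the application has to pass the end user's identity through as well.

```python
import re
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Tuple

# Command classes a DAM report distinguishes (cf. the report contents above).
COMMAND_CLASSES = {
    "DDL": ("create", "drop", "alter", "truncate"),   # structure changes
    "DQL": ("select",),                                # data selection
    "DCL": ("grant", "revoke"),                        # accounts, roles, rights
    "DML": ("insert", "update", "delete"),
}


def classify_sql(sql: str) -> str:
    """Command class of a statement by its first keyword, or 'OTHER'."""
    words = sql.strip().split(None, 1)
    first = words[0].lower() if words else ""
    for cls, keywords in COMMAND_CLASSES.items():
        if first in keywords:
            return cls
    return "OTHER"


def tables_in(sql: str) -> List[str]:
    """Crude table-name extraction (the word after FROM/INTO/UPDATE/TABLE/ON)."""
    return [t.lower() for t in
            re.findall(r"\b(?:from|into|update|table|on)\s+([A-Za-z_][\w.]*)", sql, re.I)]


@dataclass
class SessionEvent:          # one monitored DBMS session event (constructed data)
    db_user: str             # account the DBMS itself sees
    app_user: Optional[str]  # end-user identity passed through by the application
    client_ip: str
    at: time
    sql: str


@dataclass
class Rule:                  # every non-None attribute must hold for the event to comply
    name: str
    command_class: Optional[str] = None
    table: Optional[str] = None
    allowed_actors: Optional[Tuple[str, ...]] = None
    allowed_ips: Optional[Tuple[str, ...]] = None
    business_hours: Optional[Tuple[time, time]] = None


def evaluate(event: SessionEvent, rules: List[Rule]) -> List[str]:
    """Names of the rules the event violates; an empty list means compliant."""
    cls, tables = classify_sql(event.sql), tables_in(event.sql)
    # With connection pooling every session authenticates as the pool account, so the
    # DBMS-level user alone cannot identify the end user: prefer the application user.
    actor = event.app_user or event.db_user
    violations = []
    for r in rules:
        if (r.command_class and cls != r.command_class) or (r.table and r.table not in tables):
            continue                                   # rule does not apply to this event
        if r.allowed_actors and actor not in r.allowed_actors:
            violations.append(r.name)
        elif r.allowed_ips and event.client_ip not in r.allowed_ips:
            violations.append(r.name)
        elif r.business_hours and not (r.business_hours[0] <= event.at < r.business_hours[1]):
            violations.append(r.name)
    return violations


def audit_report(events: List[SessionEvent], rules: List[Rule]) -> List[Tuple[str, str, List[str]]]:
    """One report line per event: (actor, command class, violated rules)."""
    return [(e.app_user or e.db_user, classify_sql(e.sql), evaluate(e, rules)) for e in events]


# Constructed policy: hypothetical table 'cards', accounts and office addresses.
POLICY = [
    Rule("ddl-only-dba", command_class="DDL", allowed_actors=("dba",)),
    Rule("grants-in-business-hours", command_class="DCL", business_hours=(time(9), time(18))),
    Rule("cards-select-analysts-from-office", command_class="DQL", table="cards",
         allowed_actors=("alice", "bob"), allowed_ips=("10.0.5.10", "10.0.5.11")),
]

SAMPLE_EVENTS = [
    SessionEvent("dba", None, "10.0.1.2", time(10, 15), "ALTER TABLE cards ADD COLUMN expiry DATE"),
    SessionEvent("app_pool", "alice", "10.0.5.10", time(11, 0), "SELECT pan FROM cards WHERE id = 7"),
    # same query through the pool, but the application did not pass the end user through
    SessionEvent("app_pool", None, "10.0.5.10", time(11, 5), "SELECT pan FROM cards WHERE id = 7"),
    SessionEvent("dba", None, "10.0.1.2", time(23, 30), "GRANT SELECT ON cards TO reporting"),
    SessionEvent("app_pool", "mallory", "203.0.113.9", time(12, 0), "DROP TABLE audit_log"),
]

if __name__ == "__main__":
    for actor, cls, bad in audit_report(SAMPLE_EVENTS, POLICY):
        print(f"{actor:10} {cls:5} {'OK' if not bad else 'VIOLATION: ' + ', '.join(bad)}")
```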
[15] Kuyumdzhiev, Ivan. INFORMATION SYSTEMS AUDIT. Thesis. University of Economics, Varna, 2012.
Figure 3.2. Topology of database replication

This scheme allows sending different data to subscriber servers, which serve individual companies. Allocating the database between different servers reduces the load, and making a mirror copy of the publisher server allows an automatic response in the event of failure. Thus, companies will have continuous access to various information resources.

Literature
1. Drazhev, St. et al. A social network for sharing knowledge and experience between teachers and students of the University of Economics – Varna. INSTRUCTION MANUAL, 2012, Published by the University of Economics – Varna, p. 196.
2. Kuyumdzhiev, Ivan. INFORMATION SYSTEMS AUDIT. Thesis. University of Economics – Varna, 2012.

Internet sources
1. Library of Assoc. Prof. Stefan Drazhev in SlideShare: http://www.slideshare.net/stedrazhev/
2. Library of Assoc. Prof. Stefan Drazhev in Issuu: http://www.issuu.com/stedranet
3. Microsoft patterns & practices Volume I, Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication. http://msdn.microsoft.com/en-us/library/aa302383.aspx
4. Microsoft patterns & practices Volume II, Building Secure ASP.NET Applications: Design Guidelines for Secure Web Applications. http://msdn.microsoft.com/en-us/library/ff648647.aspx
Question 1. What does the "black box" principle in the analysis of web applications mean?
A. Assessment of the security of the application without first obtaining any information about it.
B. Evaluation of the security of the application without first obtaining any information about the customer.

Question 2. What does the minimum privileges principle mean?
A. A user is given enough privileges to perform their daily duties.
B. A user is given minimum but fully sufficient privileges to perform their daily duties.
CHAPTER 4. REMOTE CLIENTS AND NETWORKS ACCESS PROTECTION

4.1. Introduction to the organization of VPN (Virtual Private Networks)

A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with access to a corporate network. A VPN protects the transmitted data using tunneling protocols, such as the Layer Two Tunneling Protocol (L2TP), and cryptographic algorithms. As a consequence, the protocols send data through a tunnel which data that is not properly encrypted cannot pass. The data are encrypted before sending and decrypted upon receipt. Not only the data, but also the network addresses of the sender and recipient are encrypted. A VPN can be contrasted with a system of owned or leased lines used only by one company. In other words, a VPN is communication equipment where access is controlled so as to allow peer connections only within the defined community of interest. In this case, the private resource is built on the basis of a logical rather than a physical partition. To improve security, some organizations use hardware VPN solutions, while others use software or protocol-based implementations. Hardware solutions are offered by companies such as Cisco, Nortel, IBM and Checkpoint. There is also a free software solution for Linux, called FreeS/WAN, which uses a standardized security protocol called Internet Protocol Security (IPsec). These VPN solutions, whether hardware or software based, act as specialized routers located on the IP connection from one office to another. Figure 4.1 shows a virtual private network, and in particular the connection established with corporate servers.
Fig. 4.1. Virtual private network [16]

Operation of VPN

When a packet is transmitted from a client, it is sent through a VPN router or a network gateway [17], which adds an authentication header (AH) for routing and authentication. Data are encrypted and encapsulated by means of the "Encapsulating Security Payload" (ESP) header [18]. Decryption and processing of the instructions are performed last: the receiving VPN router removes the header, decrypts the data and sends them to their destination (an individual computer or a node in the network). With the "network-to-network" connection type, the receiving node on the local network receives the packets already decrypted and ready for processing; the process of encryption and decryption is transparent to the local node. With such an enhanced level of security, unauthorized people should not be able to intercept and/or decrypt packets. Offenders positioned between the server and the client would need one of the private keys of the authentication session in order to decode the transmitted data. That is why packets pass through several stages of authentication and encryption, thus providing greater protection of the information transmitted via VPN, while at the same time achieving efficient access to multiple remote nodes.

[16] Image source: http://vpn.hardware-firewall.info/vpn.gif
[17] "Gateway is basically a network device that serves as an entrance to another network. A gateway may be a router or other routing device." http://networkworld.bg/netdict:id_116
[18] More information at http://www.networksorcery.com/enp/protocol/esp.htm
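To make concrete what the authentication header actually authenticates, here is an added Python example (written for this text, not taken from the original or from any VPN product) that builds a simplified IPv4 + AH packet and computes the AH integrity check value the way RFC 4302 prescribes: an HMAC (here HMAC-SHA256 truncated to 128 bits, as in RFC 4868) over the IP header with its mutable fields zeroed, the AH header with a zeroed ICV field, and the payload. The addresses, key and payload are constructed for illustration; the IP header checksum is left at zero because it is excluded from the ICV anyway.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTOCOL = 51        # IP protocol number of the Authentication Header
AH_FIXED_LEN = 12       # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 16            # HMAC-SHA256-128: 256-bit MAC truncated to 128 bits (RFC 4868)


def ipv4_header(src, dst, ttl, payload_len, ident=0x1234):
    """Minimal 20-byte IPv4 header carrying AH; the checksum is left at zero."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, ident, 0x4000, ttl, AH_PROTOCOL, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def zero_mutable_fields(ip_hdr):
    """RFC 4302 3.3.3.1.1.1: fields that change in transit are zeroed before the MAC
    is computed: DSCP/ECN, flags and fragment offset, TTL, header checksum.
    Addresses, length, identification and protocol stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(next_header, spi, seq, icv):
    # Payload Len is the AH length in 32-bit words minus 2 (RFC 4302 2.2).
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def compute_icv(key, ip_hdr, next_header, spi, seq, payload):
    """MAC over: immutable IP header fields + AH with a zeroed ICV + the payload."""
    covered = (zero_mutable_fields(ip_hdr)
               + ah_header(next_header, spi, seq, b"\x00" * ICV_LEN)
               + payload)
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, ttl, payload, next_header=17, spi=0x100, seq=1):
    """What the sending VPN gateway emits: IP header, AH, then the protected payload."""
    ip_hdr = ipv4_header(src, dst, ttl, AH_FIXED_LEN + ICV_LEN + len(payload))
    icv = compute_icv(key, ip_hdr, next_header, spi, seq, payload)
    return ip_hdr + ah_header(next_header, spi, seq, icv) + payload


def verify_ah_packet(key, packet):
    """Recompute the ICV at the receiving gateway; True only if nothing covered was altered."""
    ip_hdr, rest = packet[:20], packet[20:]
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    icv, payload = rest[AH_FIXED_LEN:ah_len], rest[ah_len:]
    expected = compute_icv(key, ip_hdr, next_header, spi, seq, payload)
    return hmac.compare_digest(icv, expected)


def with_ttl(packet, ttl):
    """Simulate a router hop: only the (mutable) TTL changes."""
    p = bytearray(packet)
    p[8] = ttl
    return bytes(p)


def with_dst(packet, dst):
    """Simulate a NAT device rewriting the destination address (a covered field)."""
    p = bytearray(packet)
    p[16:20] = ipaddress.IPv4Address(dst).packed
    return bytes(p)


# Constructed sample: a shared key of the security association, two gateway
# addresses from documentation ranges, and a UDP payload (next header 17).
KEY = b"constructed-shared-key-for-this-example"
PACKET = build_ah_packet(KEY, "198.51.100.10", "203.0.113.20", ttl=64,
                         payload=b"hello from the branch office")

if __name__ == "__main__":
    print("intact packet verifies:     ", verify_ah_packet(KEY, PACKET))
    print("after a router hop (TTL-1): ", verify_ah_packet(KEY, with_ttl(PACKET, 63)))
    print("after NAT rewrote the dst:  ", verify_ah_packet(KEY, with_dst(PACKET, "203.0.113.99")))
    print("with the wrong key:         ", verify_ah_packet(b"other-key", PACKET))
```

A TTL decrement by a router still verifies, but an address rewrite by a NAT device does not; that is the practical reason ESP rather than AH is used across NAT.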
Main objectives in building a VPN for the business

The purpose of the VPN is to ensure a secure and reliable private connection between computers in a certain network through an existing public network (Internet). A well-designed VPN provides the following advantages for the business:
• Extended connections between multiple geographic locations without the use of a leased line;
• Improved data exchange security;
• Flexibility for remote offices and employees who use the company intranet through an Internet connection;
• Saving time and expenses for employees who do not need to come to the office, as they work remotely, at virtual workplaces. This is especially useful for outsourcing companies that are based in one country but whose employees are located all over the world and work from home;
• Improved performance of employees who work remotely.

The company may not have all the listed requirements for its virtual private network, but it would certainly require the following:
• Security – the VPN must protect data transmitted through a tunnel on the public network. If attackers try to take advantage of the transmitted data packets, they should not be able to read or use them;
• Reliability – employees and remote offices should have remote access without encountering any problems with the connection to company servers. The connection via VPN should be of the same quality for each user;
• Scalability – as the business grows, it is normal to expand its VPN services, and such expansion should not require a complete replacement of the VPN technology. Otherwise, the company would have to make huge expenses and changes, which would affect its employees.
An interesting fact about VPNs is that there are no standards for setting them up. Each implementer can decide which protocols and components to use, so as to ensure adequate security, reliability and scalability.
Advantages and disadvantages of VPN

A VPN is an economical way to build a private network. Using the Internet as the main communication channel between the parties is cost effective, as it avoids the high costs of establishing private communication lines. The costs for companies include hardware for network authentication and software for user authentication, as well as other mechanisms, such as security tokens [19] and other similar devices. The advantage of a VPN over leased lines is the relative simplicity, speed and flexibility, which make this type of network a very good choice for corporations who need flexibility in the work process. There are, however, some disadvantages in using a VPN. For example, the lack of a Quality of Service (QoS) [20] mechanism across the Internet can lead to loss of packets and other consequences for performance. Any adverse effects on the network caused outside the private network are beyond the authority of the network administrator. Therefore, many large corporations pay for the use of trusted VPNs, which provide guarantees for QoS. Incompatibility between brands that offer similar services is another disadvantage of virtual private networks, i.e. the technology of a certain company proves incompatible with that of another company. The requirement for a connection to the Internet at either end of the VPN can also be considered a disadvantage. This can be a problem if one or both ends have an unreliable Internet connection.

[19] This is a physical device used to further identify users. In most cases it is an electronic key that generates an additional code. The code is entered together with the user password.
[20] A set of different rules and technologies in the network used to ensure the quality of a certain telecommunications service. For this to happen, it is necessary to establish a strategy for ensuring QoS in all network components and connections.

Equipment used for providing VPN
A VPN can be configured with standard computer equipment, including standard servers. Most companies, however, prefer using special equipment optimized for VPN and general network security. Small companies choose one of the options for creating a VPN: with their own standard equipment, or through a supplier of VPN services who manages their private network. The approach taken by larger corporations is different. They prefer to centralize this equipment, i.e. to put it in a specialized data management center, called a colo center (derived from the English co-location). The center houses the necessary servers and other network equipment, and provides a high-speed Internet connection. When planning or extending the VPN it is necessary to take into account the use of the following equipment:
• Network access server (NAS) – used to configure and control each tunnel in the VPN.
• Firewall – acts as a barrier between the private network and the Internet. Administrators can configure firewalls so as to restrict traffic by limiting access to the local network. TCP and UDP ports are used for this purpose. Firewalls are also used for local area networks that are not connected in a virtual private network. The main purpose of firewalls is protection against malicious access to private resources.
• AAA server – the acronym is derived from the three responsibilities this server has: authentication, authorization and accounting. For each VPN connection, the AAA server confirms the identity of the person requesting access (authentication), determines whether they can get such access during the connection (authorization) and tracks what is being done during the session (accounting). One of the commonly used standards for AAA servers is RADIUS (Remote Authentication Dial-in User Service). RADIUS is not applicable only to users who connect through a dial-up connection, although the name may evoke such associations. When the RADIUS server is part of the VPN, it controls the authentication process for all connections coming through the NAS.
VPN components can work together with other software on a shared server, but this is not typical and may jeopardize the security and reliability of the VPN. Small companies who use their own equipment place the firewall and RADIUS software on a shared server. When the need arises to expand the business, and thus the VPN itself, the VPN equipment must be optimized. This is done by using other devices, such as:
• VPN Concentrator – this device replaces the AAA server installed on a shared server. Hardware and software work together to create VPN tunnels and to control a large number of simultaneously established connections.
• VPN-optimized router – this delegates the traffic on the network. It has different add-ons related to routing traffic, which use specific VPN protocols.
• VPN-enabled firewall – a conventional firewall that provides protection of the traffic between networks, but with added properties for traffic control through specific VPN protocols.
• VPN Client – software installed on a special device that works as a tunnel interface for multiple connections. This renders it unnecessary to install such software on each computer on the network.

4.2. Configuring the protection in VPN
Encryption is a process in which data are encoded so that only a computer with the decryption key can decode them, read them and use them. Encryption can be used in many different situations, but we will take a closer look at the case of VPN. The computers at each end of the tunnel encrypt the data transmitted through it, and the data are decrypted on the other side. In a virtual private network, more than one key pair is used to perform this process. The IPSec or GRE (Generic Routing Encapsulation) protocols are used for this purpose. GRE is a protocol that encapsulates packets of other protocols so that they can be carried over IP networks. GRE is defined in the RFC 2784 document 21. It includes information on the type of packet to be encapsulated and on the relationship between sender and recipient. IPSec is widely used to ensure the safety of traffic on IP networks, including the Internet. IPSec can encrypt data passed between various devices, including router to router, firewall to router, computer to router and computer to server. IPSec has two sub-protocols that the VPN uses to provide secure transmission of packets:
• Encapsulating Security Payload (ESP) – encrypts transmitted data with a symmetric key;
• Authentication Header (AH) – uses specific operations (attaches a header to the packets) which contribute to the proper packaging of information (e.g. the identity of the sender) until it reaches the destination.
Network devices use IPSec in one of two modes. In transport mode, the devices encrypt the data traveling between them. In tunnel mode, the devices create a virtual tunnel between two networks. VPNs use IPSec in tunnel mode with IPSec ESP and IPSec AH simultaneously. Remote access tunneling is usually provided by the Point-to-Point Protocol (PPP), which is part of the Internet protocols. VPN uses one of three PPP-based protocols for remote access:
• L2F (Layer 2 Forwarding) – developed by Cisco; uses any authentication scheme supported by PPP;
• PPTP (Point-to-Point Tunneling Protocol) – supports 40-bit and 128-bit encryption and any authentication scheme supported by PPP;
• L2TP (Layer 2 Tunneling Protocol) – combines the advantages of PPTP and L2F and provides full support of IPSec.
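The GRE framing described above, as an added example that is not part of the course text: a small builder and parser for the GRE header as RFC 2784 defines it (C bit, Reserved0, Version, Protocol Type, and the optional Checksum and Reserved1 fields), including the receiver-side checks the RFC requires before a packet is decapsulated. The sample payload is constructed filler rather than a real IP packet, and the function names are this example's own.

```python
"""GRE (RFC 2784) header builder and parser. Added example, not course material."""
import struct

GRE_VERSION = 0          # RFC 2784 fixes the Version field at 0
ETHERTYPE_IPV4 = 0x0800  # Protocol Type carries an EtherType; 0x0800 = IPv4 payload


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, which RFC 2784 reuses for the optional
    GRE Checksum field (computed over GRE header plus payload with the Checksum
    field zeroed). Odd-length input is padded with a zero byte for the computation."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, protocol_type: int = ETHERTYPE_IPV4,
              with_checksum: bool = True) -> bytes:
    """Encapsulate `payload` in a GRE packet:
    C(1) | Reserved0(12) | Ver(3) | Protocol Type(16) [| Checksum(16) | Reserved1(16)]."""
    first_word = ((1 if with_checksum else 0) << 15) | GRE_VERSION
    header = struct.pack("!HH", first_word, protocol_type)
    if with_checksum:
        header += struct.pack("!HH", 0, 0)                 # zeroed Checksum + Reserved1
        csum = inet_checksum(header + payload)
        header = header[:4] + struct.pack("!HH", csum, 0)
    return header + payload


def parse_gre(packet: bytes) -> dict:
    """Parse and validate a GRE packet. Raises ValueError in the cases RFC 2784 says
    a receiver MUST discard, so malformed encapsulations never reach the payload
    handler. Returns the header fields, the checksum verdict and the payload."""
    if len(packet) < 4:
        raise ValueError("GRE header truncated")
    first_word, protocol_type = struct.unpack("!HH", packet[:4])
    c_bit = first_word >> 15
    reserved0 = (first_word >> 3) & 0x0FFF
    version = first_word & 0x7
    if version != GRE_VERSION:
        raise ValueError("unsupported GRE version %d" % version)
    # Bits 1-5 of Reserved0 were RFC 1701 option flags; RFC 2784 says discard if set.
    if reserved0 & 0xF80:
        raise ValueError("RFC 1701 option bits set in Reserved0")
    header_len = 8 if c_bit else 4
    if len(packet) < header_len:
        raise ValueError("GRE header announces a checksum but is too short")
    checksum_ok = None
    if c_bit:
        # Summing the packet with its own checksum field included must give zero.
        checksum_ok = inet_checksum(packet) == 0
    return {
        "checksum_present": bool(c_bit),
        "version": version,
        "protocol_type": protocol_type,
        "checksum_ok": checksum_ok,
        "payload": packet[header_len:],
    }


if __name__ == "__main__":
    # Constructed sample payload (20 bytes of filler, not a real IP packet).
    sample = bytes(range(20))
    print(parse_gre(build_gre(sample)))
```

A receiver that drops packets with a bad checksum, an unknown version or the old RFC 1701 option bits set does not hand malformed encapsulations on to the inner protocol; that filtering belongs in the parser, before decapsulation, rather than in whatever processes the payload.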
21 http://www.faqs.org/rfcs/rfc2784.html
22 Source of information: http://www.computerworld.com/s/article/9003779/10_tips_to_secure_client_VPNs?pageNumber=1
Computerworld Magazine offers the following tips for protection of VPNs 22:
1. Use the strongest possible authentication method for VPN access. This method is determined by the network infrastructure and requires checking the VPN or operating system documentation to determine the exact options. For example, on a network with Microsoft servers, the most secure authentication is provided by Extensible Authentication Protocol-Transport Level Security (EAP-TLS) used with smart cards. These require a public key infrastructure (PKI) and incur the overhead of encoding and distributing smart cards securely. On these networks, Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP v2) and Extensible Authentication Protocol (EAP) provide the next best authentication security. Password Authentication Protocol (PAP), Shiva Password Authentication Protocol (SPAP) and Challenge Handshake Authentication Protocol (CHAP) are too weak (unreliable) to be used.
2. Use the strongest possible encryption method for VPN access. On a network with Microsoft servers, this is Layer Two Tunneling Protocol (L2TP) over Internet Protocol security (IPsec). Point-to-Point Tunneling Protocol (PPTP) is too weak to be allowed, unless your client passwords are guaranteed to be strong. OpenVPN, an SSL VPN, can be run with TLS-based session authentication, Blowfish or AES-256 encryption, and SHA1 authentication of tunnel data.
3. Limit VPN access to those with a valid business reason, and only when necessary. A VPN connection is a door to your LAN, and should only be open when it needs to be.
4. Provide access to selected files through intranets or extranets rather than VPNs. An HTTP Secure (HTTPS) Web site with safe password authentication exposes only selected files on a single server, not your whole network.
5. Enable e-mail access without requiring VPN access. On Microsoft Exchange servers, set up an Exchange proxy server to allow Outlook to access Exchange via the remote procedure call (RPC) protocol over HTTP, protected by SSL encryption. On other mail servers, enable Post Office Protocol 3 (POP3) and/or Internet Message Access Protocol (IMAP) mail receipt and Simple Mail Transfer Protocol (SMTP) mail sending. Require secure password authentication (SPA) and SSL encryption to improve the security of these mail systems. Secure Web mail is another viable option for remote employees, especially when they are traveling and need to use other people's computers.
6. Implement and enforce a strong password policy. The password used should never be an existing word, a phone number, or the name of a family member or pet; such a password is weak and easily guessed. Passwords should be unguessable even by family members, and long enough, with a large character set, to be prohibitively hard for a password-guessing program.
7. Provide strong antivirus, antispam and personal firewall protection to your remote users. Potentially, any Internet-connected computer can be infected with viruses that may then infect the corporate network.
8. Quarantine users connecting to the VPN until their computer has been verified as safe. When a client computer starts a VPN session, it should not have full access to the private network until a full security check has been performed. This should include checking for current antivirus and antispam signatures, remedying possible security breaches in the operating system and disabling the remote access software.
9. Forbid the use of other VPNs while the user is connected to their VPN. Connecting two VPNs may expose them unprotected to each other, which would be dangerous for both. Most VPN software sets the client's routing to use the network's default gateway 23.
10. Secure remote access wireless networks. Employees working from home often use laptops connected to a cable or DSL modem through their own wireless access point. Unfortunately, many wireless routers are never configured for security: they are merely connected and turned on. They need to be configured with a WPA key 24. The same should be done with personal firewalls, to ensure the safety of the home network.
23 Node in a network that serves as access to another network: http://en.wikipedia.org/wiki/Default_gateway
Literature
1. Olifer, V., Different Flavours of VPN: Technology and Applications. The JNT Association, 2007
Internet sources
1. Virtual Private Network Software: https://it.uoregon.edu/vpn
2. http://technet.microsoft.com/en-us/library/cc785364(v=ws.10).aspx
24 "WPA, short for Wi-Fi® Protected Access, is a specific data encryption for wireless networks. It is an improved security feature of WEP using Extensible Authentication Protocol (EAP) for secure network access encryption method for secure data transfer. WPA is designed for use with an 802.1X authentication server that distributes different keys to each user. It can also be used in a lower security mode with a "Pre-Shared Key (PSK)". PSK is designed for home or small office networks, where each user has the same password. WPA-PSK is also called WPA-Personal. WPA-PSK enables the Brother wireless device to connect to an access point using the TKIP or AES encryption method. WPA2-PSK enables the Brother wireless device to connect to an access point using the AES encryption method." http://stechkin.org/index.php/en/news/useful-information/item/4-bezjichna-sigurnost-gsm-lan-i-wifi-mreji
CHAPTER 5. PROTECTION OF TRANSMITTED / RECEIVED INFORMATION
5.1. Protection of information transmitted on cable networks
Problems associated with the transmission of information on complex multimachine networks and the provision of adequate protection against unauthorized access can be grouped into several network levels (layers). Although the hardware (physical) and software components are interrelated, the introduction of the OSI concept*. The acronym OSI (Open Systems Interconnection 25) means a conceptual model (ISO/IEC 7498-1) of a communication network formed by seven hierarchical layers (see Fig. 5.1).
Fig. 5.1. Conceptual model of a communication network.
In each of the layers of the OSI model, except the first and last ones, a grouping (packing) of the data in portions is carried out to form two or more packets. When packing, each layer adds its service information, such as sequence number, error code, addresses, service number and other parameters, depending on the necessary functionality of the respective level. Each layer performs the following predefined functions:
• 7th layer: Application. This layer works closely with the operating system or the applications that use the network when transmission of information is needed, for example when a user wants to send a file, read his/her messages or do something else within the network.
• 6th layer: Presentation. This layer takes the information it receives from the application layer and turns it into a standardized format that can be understood by the other layers.
• 5th layer: Session. Layer number 5 establishes, controls, maintains and may interrupt the communication with the receiving device.
• 4th layer: Transport. This layer provides control of the information flow – the manner in which it is transmitted – and enables checking for errors and repairing information that was damaged during transmission. Flow control also means that this layer separates the information received from the various applications and transmits it in separate flows over the network.
• 3rd layer: Network. The method of sending the information is determined by this layer. Here protocols are used that support addressing and routing.
• 2nd layer: Data Link. In this layer, information is processed to match the protocol used on the network. The sequence of the packets to be sent is also defined here.
• 1st layer: Physical. This layer is actually the hardware itself – it defines the physical network parameters, for example the voltage levels that define the 0's and 1's, data transmission synchronization and so on.
25 The Open Systems Interconnection, http://bit.ly/NU8ssL
To ensure the protection of information in the network, data transmission via
cable and wireless networks is of special interest to us. In this process, a key role is performed by the two main layers – Physical and Data Link. In turn, at the data link layer the protocols occupy a key position in the process of establishing and maintaining a reliable communication environment for exchanging data between two systems and the corresponding network application processes. The data link level determines the access to the physical channel. Its key features (functionalities) are the following:
• Control the access to the physical channel;
• Fragment the bit stream – formation of frames (the full functionality of the frame is decided at the data link level);
• Control the frame flow, detect and correct errors in the bit exchange;
• Control transparency;
• Define how to use the physical medium if it is provided for collective (shared) access.
According to functionality, the data link layer is divided into two sub-layers:
• Media Access Control layer (MAC);
• Logical Link Control layer (LLC).
MAC-IDs (addresses) are organized in a continuous non-hierarchical set ("flat" addressing scheme), where indicating a pair of valid MAC-IDs (addresses) is sufficient for establishing a MAC link. The realization of a valid MAC link results in the functional conversion of the physical channel to a logical channel (independent of the physical topology and its inherent access control method). Technical failures related to the transmission of information in complex multimachine networks may occur as a result of a software error, hardware failure, natural disaster, human error, or malicious acts of an employee or an outsider. Technical failures usually result in the suspension of services and interrupt certain processes in the organization. Failures can also lead to loss of information. To achieve an acceptable level of protection against technical failures, it is necessary to take the following actions:
- implement adequate protection against harmful software;
- implement an automated archiving (backup) system;
- provide redundancy by duplicating all important components of the computer systems;
- prepare a response plan in case of incidents / a plan for disaster recovery.
5.1. Protection of information transmitted by wired networks
Unlike wireless dissemination of information, in the case of Ethernet cable networks it is, in general, about the protection of a system located in a building. In
such a building there are physically connected computers establishing a Local Area Network (LAN). Given that each laptop has an integrated Ethernet adapter for connection to the LAN, we can easily imagine what would happen if a hacker/cracker set out to penetrate the network. In order to limit the potential attacks on the LAN, nowadays each organization builds its own virtual private network. VPN technology allows the construction of a single encrypted computer network. This provides access to corporate databases and allows computers to share files regardless of their physical location. In short, VPN allows employees from different cities (offices) to work as if they were in adjacent rooms. Protection against unauthorized access to the cable VPN network may include the following technologies:
• One or more 802.1X-capable IEEE 802.3 Ethernet switches. These switches must support the RADIUS protocol (Remote Authentication Dial-In User Service).
• Active Directory Domain Services (AD DS). AD DS contains the user data for access authorization.
• Group Policy Management.
• One or more servers running NPS (Network Policy Server).
• Mutual 802.1X authentication between clients and RADIUS servers; 802.1X uses server certificates for computers running NPS, and any of the following client credentials:
- User identification data (username and password);
- Digital certificates for both the user and the computer;
- Smart cards for access.
• Connecting a client computer through a cable. This method of access requires 802.1X authentication of domain users connected to the wired network by using a client computer running Windows 7/8 or Windows XP Service Pack 3 (SP3).
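The RADIUS exchange that both the AAA server description in Chapter 4 and the 802.1X switch requirements above rely on, as an added example (not the course's or Microsoft's code): a network access server builds an Access-Request with the User-Password hidden as RFC 2865 section 5.2 specifies, the RADIUS server answers with a Response Authenticator, and the NAS verifies that authenticator before trusting the Access-Accept. 802.1X carries EAP inside RADIUS (EAP-Message attributes) rather than a User-Password, but the packet framing and the Response Authenticator check are the same. The shared secret, user name, password and NAS address are constructed sample values, and the function names are this example's own.

```python
"""RADIUS Access-Request / Access-Accept per RFC 2865. Added example, not course material."""
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def _password_blocks(data: bytes, secret: bytes, request_auth: bytes, hide: bool) -> bytes:
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous
    *hidden* block), the first block using the Request Authenticator. Hiding and
    revealing differ only in whether the hidden block is the output or the input."""
    if len(data) % 16:
        raise ValueError("input must be a multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], mask))
        out += block
        prev = block if hide else data[i:i + 16]
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _password_blocks(padded, secret, request_auth, hide=True)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _password_blocks(hidden, secret, request_auth, hide=False).rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Attributes are Type(1) Length(1, counting these two bytes) Value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def parse_attrs(data: bytes):
    """Walk the attribute list, rejecting lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(identifier: int, username: bytes, password: bytes, secret: bytes,
                         nas_ip: bytes = b"\x0a\x00\x00\x01",  # constructed NAS address 10.0.0.1
                         request_auth: bytes = None) -> bytes:
    """NAS side. The Request Authenticator must be unpredictable (os.urandom); a fixed
    value is accepted only so that a test can reproduce the packet."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
        (ATTR_NAS_IP_ADDRESS, nas_ip),
    ])
    head = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return head + request_auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)  (RFC 2865 section 3)."""
    head = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side. Recomputing the Response Authenticator with the shared secret and the
    authenticator of the request we sent detects a reply forged without the secret,
    a reply whose code was altered in transit, or one meant for a different request."""
    if len(response) < HEADER_LEN:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length != len(response) or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])
```

The User-Password hiding is an MD5-keyed stream, not authenticated encryption, which is one reason the tips in Chapter 4 rank EAP-TLS and MS-CHAP v2 above PAP: with PAP the reversible hidden password travels in this attribute, so the RADIUS shared secret and the path between NAS and server carry the whole weight.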
The Extensible Authentication Protocol (EAP) can be used to add another level of security to the VPN. PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol) are also used. In order to implement EAP in the VPN, the server must be configured to accept EAP authentication as a valid method and to support X.509 user certificates. The client is in this case configured to use EAP with either a smart card certificate or a user certificate.
5.2. Protection of information transmitted over wireless networks
Wireless networks are now a ubiquitous means of connecting computers to each other and to the Internet. The primary privacy concern with Wi-Fi is the interception of communications sent over the air. In some cases, wireless routers might also store a small amount of information, such as the name and the unique number assigned to the network card (MAC address). Wireless networks are particularly vulnerable to remote tapping; after all, "wireless" just means "broadcasting your messages over the radio," and anyone can intercept your wireless signals unless you use encryption. Listening in on unencrypted wireless communications is easy: almost any computer can do it using simple packet-sniffing software. Special expertise or equipment is not necessary. Even worse, the legal protection of unencrypted wireless communications is unclear. Law enforcement authorities may argue that no "wiretap" order is needed for intercepting unencrypted wireless communications, because there is an exception to the rules requiring such orders, namely when the messages being intercepted are "easily accessible by the broad public." Basically, any communication over the radio spectrum that is not transmitted by your telephone company and is not scrambled or encrypted poses a privacy risk. In wireless communication the security of the connection is essential, as anyone within the range of an access point (AP) could gain access to the network. In order to avoid the consequences, most often the traffic over an AP is encrypted by the end nodes or by the access point itself *.
* WAP (Wireless Access Point) – a device providing wireless devices with access to a connected network, using Wi-Fi, Bluetooth or similar standards.
Fig. 5.2. Hypothetical wireless network and access points.
The connection to a connected network is usually established through a router, which distributes the traffic between the different devices. APs are divided into two main groups – industrial APs, made with a solid metal housing and very resistant to sudden temperature changes, moisture, dust and other contaminants, and home APs (shown in the picture), which are more compact and provide basic functions (industrial APs can, for example, perform the role of bridge, router or client device). Most wireless access points (WAPs) use the 802.11 standard (and its variations) for data transmission over channels with different radio frequencies and speeds, and in terms of security they include mechanisms such as WPA-PSK, the newer WPA2, RADIUS, WDS, WEP and others. Encryption algorithms are divided into several generations, where the oldest, WEP, is now considered unreliable and its use is avoided. WPA and WPA2 offer better encryption schemes, and with the use of strong passwords and key phrases breaking them is considered virtually impossible. WPA (Wi-Fi Protected Access) is a protocol that provides more secure authentication than WEP. WPA offers improved encryption and authentication features compared to WEP. In fact, WPA was created by the networking industry because of the disadvantages of WEP. One of the key technologies included in WPA is the Temporal Key Integrity Protocol (TKIP). TKIP addresses WEP's encryption weaknesses. Another key component
of WPA is the built-in authentication, which is not provided by WEP. With this function, WPA provides security for the VPN tunnel with WEP, the benefit being easier administration and use. Another version of WPA is the so-called Pre-Shared Key, WPA-PSK in short. WPA-PSK is a simplified, but still better, form of WPA. To use WPA-PSK, a static key or password is set, as with WEP. However, when using TKIP, WPA-PSK automatically changes passwords at regular intervals of time. Thus the network is very hard for hackers to access. Best results are achieved when using a key of up to 63 characters, constituting a mixture of numbers and letters, and disallowing the use of existing English words. WEP (Wireless Equivalency Privacy) is a protocol which uses a key composed of numbers and letters in order to prevent other devices from connecting to the wireless network. The WEP protocol is based on the RC4 cipher, which uses a combination of a code entered by the user and a value generated by the system. WEP initially used 40-bit encryption: 40 bits for the user code and an additional 24 bits generated by the system (64 bits in total). Over time it became clear that 40-bit encryption was too easy to decode, which led to the emergence of 128-, 152- and 256-bit encryption. The keys are not sent over the network; they are stored in the wireless network adapter or the Windows registry. Depending on how the wireless network is built, WEP is only one element of the overall wireless network security. The first breaches of WEP security took place as early as 2001, but at that time breaking the code required 4 million data packets (and the breaking itself took days). In recent years, through the use of fewer packets, the time it takes to hack the system may be as little as 10-20 minutes. Extraction of a 104-bit WEP key can be achieved in literally three seconds when using a 1.7 GHz Pentium M processor. Collecting the necessary data packets (between 40 000 and 85 000 packets) takes about a minute, and the hacking itself could be done from a mobile phone or Pocket PC while walking down the street. The
same applies to Bluetooth devices. There are a number of software applications, running mostly on Linux and Android, through which access is gained to the information contained in devices with Bluetooth enabled. Enabled Bluetooth is detected by using so-called detection scanners such as BlueScanner, BlueSniff, BTBrowser, BTCrawler etc., and hacking is facilitated by BlueBugger, Bluediving, etc.
Two methods of authentication can be used with the WEP protocol: Open System and Shared Key. Open System Authentication, which, strictly speaking, does not provide authentication, allows any device to connect to the network without any security checks. Shared Key Authentication requires that access points and wireless clients use the same WEP keys for authentication. This means that WEP must be enabled and configured in the same way at the clients and at the access point.
Security issues with multiple Cisco devices
Secunia reported vulnerabilities in multiple Cisco devices. These vulnerabilities may be used by hackers to compromise a device or carry out a Denial of Service attack. Certain input data are not properly processed before they are used in commands. This allows the attacker to execute arbitrary commands on the device. Errors in the processing of HTTP/S and TCP connections can disrupt certain processes. A full list of affected products and versions can be found on the manufacturer's website.
Literature
1. Drazhev, St. et al. A social network for sharing knowledge and experience between teachers and students of the University of Economics – Varna. INSTRUCTION MANUAL, 2012, Published by the University of Economics – Varna, p. 196.
2. Special Intelligence Means Act.
Internet sources
1. Library of Assoc. Prof. Stefan Drazhev in SlideShare: http://www.slideshare.net/stedrazhev/
2. Library of Assoc. Prof. Stefan Drazhev in Issuu: http://www.issuu.com/stedranet
3. Networkworld Magazine, http://networkworld.bg/510_goreshti_vaprosi_za_bezzhichnite_mrezhi
7th EU Framework Programme for security: http://cordis.europa.eu/fp7/ict/security/projects_en.html
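As an added example for the WPA-PSK passphrase discussed in 5.2 above (not code from the course or any vendor): the derivation of the 256-bit Pre-Shared Key from the passphrase and the SSID as IEEE 802.11i specifies it (PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output), with the 8-to-63-character passphrase rule enforced, the 64-hex-digit raw-key form handled, and a self-check against the test vector published in the standard. The SSID and passphrase values are sample inputs, and the function names are this example's own.

```python
"""WPA/WPA2-Personal PSK derivation (IEEE 802.11i). Added example, not course material."""
import hashlib

# Test vector from IEEE 802.11i (also used by hostapd's self-tests): passphrase, SSID, PSK.
IEEE_80211I_VECTOR = ("password", "IEEE",
                      "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def validate_passphrase(passphrase: str) -> None:
    """802.11i restricts a WPA passphrase to 8..63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The SSID is the salt, so one passphrase yields a different PSK on each network."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def psk_from_config(value: str, ssid: str) -> bytes:
    """Access points accept either a passphrase or the raw PSK as 64 hex digits
    (the form wpa_supplicant and hostapd store after derivation). Distinguish the two
    the way they do: exactly 64 hex characters means a raw key, anything else is a
    passphrase to derive from."""
    if len(value) == 64 and all(ch in "0123456789abcdefABCDEF" for ch in value):
        return bytes.fromhex(value)
    return wpa_psk(value, ssid)


def psk_hex(passphrase: str, ssid: str) -> str:
    return wpa_psk(passphrase, ssid).hex()


def self_test() -> bool:
    """Confirm the derivation against the published IEEE 802.11i test vector."""
    passphrase, ssid, expected = IEEE_80211I_VECTOR
    return psk_hex(passphrase, ssid) == expected


if __name__ == "__main__":
    print("self-test:", "ok" if self_test() else "FAILED")
    # Sample inputs (constructed): the same passphrase on two SSIDs gives two PSKs.
    print(psk_hex("correct horse battery", "OfficeNet"))
    print(psk_hex("correct horse battery", "HomeNet"))
```

Every client on a WPA-Personal network derives this same PSK, which is why the text stresses passphrase length and the avoidance of dictionary words: the 4096 PBKDF2 iterations make each guess cost a little, but they do not substitute for a long passphrase, and the SSID salt only prevents one precomputed table from serving every network.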
CHAPTER 6. MS SECURITY SOFTWARE
6.1. Classification and designation
Microsoft Security Essentials (MSE) is an antivirus software product. It acts against malicious software (malware 26) such as computer viruses, spyware, rootkits and Trojans. MSE can run on Windows XP, Windows Vista and Windows 7. It replaces Windows Live OneCare 27, a discontinued subscription-based commercial antivirus service, and the free Windows Defender 28, which prior to Windows 8 only protected consumers against adware and spyware. Microsoft Security Essentials is designed on the same basis as other antivirus products from Microsoft. They all use the same virus definitions and software engine, known as the Microsoft Malware Protection Engine (MSMPENG). However, Microsoft Security Essentials does not offer the personal firewall and centralized management capabilities of OneCare and Forefront 29 Endpoint Protection (FEP) 30. Microsoft Security Essentials provides real-time protection. It continuously monitors the file and program activity of the computer and scans new files at the moment of their creation or download. Upon detection of a threat, MSE blocks the activity and asks the user for instructions. If no response is received within ten minutes, the suspicious activity is treated according to the default settings defined in the Product Settings section. Depending on the settings, Microsoft Security Essentials may create a System Restore Point before removing the detected malware. As part of its real-time protection, Microsoft Security Essentials reports all suspicious activity to
26 Short for malicious software. This is software created and used by malicious individuals to access private computer systems and extract personal information. The term is used to refer to hostile, intrusive software. The software used to protect individual users and small and large organizations includes antivirus software, antimalware and firewalls.
27 The original name is Windows Live OneCare – a service used to improve the safety and performance of a PC, created by Microsoft and designed for Microsoft Windows. Product support ended on April 11, 2011 (http://windows.microsoft.com/bg-bg/windows/security-essentials-onecare).
28 Software product by Microsoft, also known as Microsoft AntiSpyware and used to combat malware.
29 A software product family for the protection of computer networks, network servers and individual devices.
30 Official website http://www.microsoft.com/en-us/server-cloud/system-center/endpoint-protection-2012.aspx
Microsoft SpyNet 31, a Web-based service. If the report refers to newly detected threats for which common virus definitions have not yet been published, Microsoft Security Essentials downloads the specific definition of the relevant malware in order to remove it. Microsoft Security Essentials uses virus definitions to combat malware. It automatically checks for and downloads updates of virus definitions, which are published three times a day by Microsoft Update, a Web-based software update service. Alternatively, users can download updates manually from the Microsoft Security portal. According to Microsoft, the hardware requirements for running Microsoft Security Essentials differ depending on the operating system. On a computer running Windows XP, Microsoft Security Essentials requires a CPU frequency of not less than 500 MHz and a minimum of 256 MB of RAM. On a Windows Vista or Windows 7 computer, Microsoft Security Essentials requires a minimum of a 1 GHz processor and 1 GB of RAM. Microsoft Security Essentials also needs a monitor with a minimum screen resolution of 800x600 pixels, 200 MB of disk space and a network connection to the Internet. In addition, the operating system on which Microsoft Security Essentials is running must be licensed. Microsoft Security Essentials requires no registration or personal information. 32
Integration with Windows Firewall
Maintaining an active firewall is a part of computer security. During installation, Microsoft Security Essentials scans the computer to determine whether it has an active firewall. If no firewall is available, you will be provided with the option to turn on the Windows Firewall.
Dynamic Signatures Service
Protection must be up to date in order to be effective. Dynamic signatures are a way to check whether a suspicious program is dangerous or not. Before the normal
31 A network (an online community) for mutual aid among Windows Defender and Microsoft Security Essentials users, which explains the purpose of the specialized software used to combat spyware.
32 Source of information: http://bg.wikipedia.org/wiki/Microsoft_Security_Essentials
execution of a suspicious program, that program is executed by Microsoft Security Essentials in order to determine what it intends to do. In this process, the programs are assigned special signatures, which are verified against our database of hazardous and safe programs. Even when programs are approved, they are monitored to ensure that they will not engage in potentially hazardous activities, such as unexpectedly establishing a network connection, changing basic components of the operating system or downloading malicious content. To find information, definition updates and analysis of all new threats against which Microsoft Security Essentials can give protection, visit Microsoft's Malware Protection Center.
Protection against rootkits
Rootkits are a type of malware against which it is particularly difficult to protect. Microsoft Security Essentials includes a number of new and improved technologies to deal with rootkits and other aggressive threats. The kernel is located at the heart of the computer's operating system. Microsoft Security Essentials monitors it for attacks or harmful modifications. Rootkits use stealth methods to conceal themselves, but Microsoft Security Essentials has the latest anti-stealth technology. For example, during direct analysis of the file system, malicious programs and drivers that rootkits try to sneak in are detected and removed.
Protection against real threats and malicious software
Microsoft Security Essentials blocks malware. We create a list of the most popular websites and downloads on the Internet and use it to test our updates and definitions against malware before they reach you. This helps us to ensure that the protection we offer really works and does not block your computer.
Here's what you need in order for Microsoft Security Essentials to work efficiently:
• Operating System: Windows XP SP3; Windows Vista (Service Pack 1 or Service Pack 2); Windows 7/8.
• For Windows XP: a computer with a CPU clock speed of 500 MHz or higher and 256 MB or more of RAM.
• For Windows Vista and Windows 7: a computer with a CPU clock speed of 1.0 GHz or higher and 1 GB or more of RAM.
• VGA display of 800 × 600 or higher resolution.
• 200 MB free hard disk space.
• An Internet connection is required for installation and for downloading the latest definitions of viruses and spyware for Microsoft Security Essentials.
• Internet browser:
- Windows Internet Explorer 6.0 or newer version;
- Mozilla Firefox 2.0 or newer.
Microsoft Security Essentials also supports Windows XP Mode in Windows 7.
6.2. Application of security software
Microsoft has a Safety & Security Center, which provides detailed guidelines for working with Microsoft Security Essentials and definitions of the various types of viruses. The center also provides detailed guidance on ensuring family safety through Microsoft products. The official website is http://www.microsoft.com/security/. One of the useful products offered by the company is Microsoft Safety Scanner. This is a tool used to scan for viruses, spyware and other malware. It works together with the installed antivirus program. It can be downloaded free of charge from http://www.microsoft.com/security/scanner/. The program is available for 32- and 64-bit operating systems. In our opinion, the inconvenience this product may cause to end users is that the period of use is 10 days after the download date. After this period, the tool needs to be downloaded again with the latest malware definitions.
Quick review of the antivirus software: http://www.notebookreview.com/default.asp?newsID=5310&review=Microsoft+Security+Essentials+Review
The following web addresses provide manuals for working with Microsoft Security Essentials:
• How to install Microsoft Security Essentials for use on your personal computer: http://www.northumbria.ac.uk/static/5007/itspdf/MicrosoftSecurityEssentials.pdf
• How to install Microsoft Security Essentials AntiVirus: https://it.usu.edu/servicedesk/files/uploads/Pamphlets/Microsoft%20Security%20Essentials.pdf
• INSTALL THE "MICROSOFT SECURITY ESSENTIALS" AND "MALWAREBYTES' ANTIMALWARE FREE VERSION" TO PROTECT YOUR COMPUTER FROM VIRUSES AND MALWARE: http://aztcs.org/meeting_notes/winhardsig/MSE/MSE.pdf
Our advice: how to create a strong password
Passwords are the first line of defense against break-ins to your online accounts and your computer, tablet or phone. Poorly chosen passwords can leave your information open to criminals, so it is important to make your passwords strong. To help you create strong passwords, follow the same network security guidelines required of all Microsoft employees:
• Strong passwords are phrases (or sentences) at least eight characters long (longer is better) that include at least three of the following: uppercase letters, lowercase letters, numerals, punctuation marks and symbols. Give passwords the thought they deserve, and make them memorable. One way is to base them on the title of a favorite song or book, or on a familiar slogan or other phrase. (Do not use the examples below!)
Example phrase: I love my new Xbox One
Example password: Ilove!mynewxbox1
• Do not share passwords with others or store them on the device they are designed to protect.
Once you have come up with your password, you can test its strength at this URL: https://www.microsoft.com/security/pc-security/password-checker.aspx
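The rule above is simple enough to check mechanically. The following Python script is an added example for this course text, not Microsoft's password checker and not code from the page: it tests a candidate against the stated rule (at least eight characters, at least three of the four character classes) and also rejects the example phrase and password printed above, since the text says not to use them. Treating every non-alphanumeric, non-whitespace character as a "punctuation mark or symbol" is an assumption of this example, as are the sample candidates in main().

```python
"""Checker for the password rule given in the course text (added example,
not Microsoft's password checker): at least MIN_LENGTH characters and at
least MIN_CLASSES of the four classes upper / lower / digit / symbol.
Assumptions: any non-alphanumeric, non-whitespace character counts as a
"punctuation mark or symbol"; the page's own example phrase and password
are rejected because the text says not to use them.
"""
from typing import List, Set, Tuple

MIN_LENGTH = 8
MIN_CLASSES = 3

# Printed as examples on the page; the page says not to use them.
PAGE_EXAMPLES = {"I love my new Xbox One", "Ilove!mynewxbox1"}


def character_classes(password: str) -> Set[str]:
    """Return the set of character classes present in the password."""
    classes: Set[str] = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif not ch.isspace():
            classes.add("symbol")  # assumption: any other non-blank character
    return classes


def check_password(password: str) -> Tuple[bool, List[str]]:
    """Apply the rule. Returns (passes, reasons); reasons is empty on a pass."""
    reasons: List[str] = []
    if password in PAGE_EXAMPLES:
        reasons.append("is one of the published example passwords")
    if len(password) < MIN_LENGTH:
        reasons.append(f"only {len(password)} characters, need {MIN_LENGTH}")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        reasons.append(
            f"uses {len(classes)} character class(es), need {MIN_CLASSES}: "
            + ", ".join(sorted(classes))
        )
    return (not reasons, reasons)


def main() -> None:
    # Constructed candidates for demonstration, not taken from the page.
    candidates = [
        "Ilove!mynewxbox1",               # published example -> rejected
        "password",                       # one class only -> rejected
        "Pa5!",                           # four classes but too short
        "Password1",                      # passes the rule, yet a common guess
        "correct horse battery staple!",  # lower + symbol only -> rejected
        "Correct horse battery staple!",  # upper + lower + symbol -> passes
    ]
    for pw in candidates:
        ok, reasons = check_password(pw)
        print(f"{pw!r}: {'OK' if ok else 'REJECT'}", "; ".join(reasons))


if __name__ == "__main__":
    main()
```

Note what this rule does and does not measure: it is a composition floor, so "Password1" satisfies it while being among the most commonly guessed passwords, whereas the length and unpredictability the text recommends ("longer is better", a phrase only you know) are not captured by counting classes. The function returns the reasons so a registration form can show them instead of a bare refusal.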