DOCSLIB.ORG

Session Presentation

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Session Presentation #CLUS Securely Designing Your Wireless LAN for Threat Mitigation, Policy and BYOD Ali H. Ali Technical Marketing Engineer CCIE – 44526 (Wireless) BRKEWN-2005 #CLUS Session Objectives What this session will cover… …and what it won’t… • AP and WLC secure • configuration details; connection; • version discrepancies; • wireless radio threats; • roadmap; • secure/open SSID • IPv6; BRKEWN-2010 fundamentals; BRKIP6-2191 • not too much for guests. • client secure connection options; BRKEWN-2014 • use cases; …except when it does. • mainly CUWN and AireOS. #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 BRKEWN-2670 Disclaimer New kids on the block • Catalyst 9800 Wireless Controllers based on IOS-XE. • Support for (almost) the same security features as for AireOS based Wireless LAN Controllers (i.e., Mobility Express, vWLC, 3504, 5520, 8540). • Dedicated references will be provided in case of specific configuration examples. #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 For your For your reference reference • There are slides in your PDF that will not be presented, or quickly presented. • They are valuable, but included only “For your reference”. For your reference #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 5 Cisco Webex Teams Questions? Use Cisco Webex Teams to chat with the speaker after the session How 1 Find this session in the Cisco Live Mobile App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space Webex Teams will be moderated cs.co/ciscolivebot#BRKEWN-2005 by the speaker until June 16, 2019. #CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 6 We do everything by the book… Not that much left on TV anyway… http://www.ciscopress.com/store/ccie-wireless-v3-study-guide-9781587206207 #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 7 For your Session Abstract reference • Learn how to design a secure wireless networks from A to Z. • In this session we will cover some of the major threats associated with wireless networks and the tools we have to mitigate and prevent them, such as rogue AP detection, wIPS and spectrum intelligence. • We will also take a look at the principles of secured wireless networks (encryption, 802.1X, guest access, etc.) and will dive into the latest identity services available to address different kinds of devices (laptops, tablets, smartphones, etc.) and users (employees, guests, contractors, etc.). • Prerequisites: knowledge of 802.11 and 802.1X fundamentals is recommended. #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 8 Agenda • Secure the infrastructure • Over the Air Security • Secure the clients • Use cases #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 9 Secure the infrastructure Securing the infrastructure • How to secure the AP connectivity and access. Access Point Wireless LAN Controller (AP) Data Encapsulation – UDP 5247 (WLC) Control Messages – UDP 5246 • How to secure the CAPWAP communication between the WLC and the AP. • How to secure the radio: • Intrusion detection/prevention; • Rogue access points; • Interferences. #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 11 For your WLC connectivity and access reference WLC HTTP / HTTPS / telnet / SSH Control requests from wireless clients or wired clients on the same subnet as a dynamic interface: (Cisco Controller) >config network mgmt-via-wireless enable (Cisco Controller) >config network mgmt-via-dynamic-interface enable * * Available via CLI only and needed when sourcing RADIUS traffic from a dynamic interface instead of the management one. #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 12 For your WLC connectivity and access reference WLC HTTP / HTTPS / telnet / SSH Control requests from specific networks/clients through CPU ACLs: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109669-secure-wlc.html#t4 Logical example (not a real configuration one): • deny tcp [other client subnets] [WLC mgmt IP] eq 443 • deny tcp [other client subnets] [WLC mgmt IP] eq 22 • permit ip any any (otherwise you may lock lot of things out!!!) #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 13 For your reference WLC management authentication / authorization AireOS Local DB: read-only read-write WLC * Tasks are the WLC’s menu tabs. Fail / Success RADIUS + Even when tasks are not explicitly authorized, users have RO access to them. privileges (RO / RW) RO access to a task grants RO access to all the sub-menus. RW access to a task grants RW access to all the sub-menus. Fail / Success + tasks access * Config. examples: TACACS http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71989-manage-wlc-users-radius.html http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/91631-uwn-tacacs-config.html #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 14 For your reference C9800 management authentication / authorization IOS-XE Local DB: • GUI: read-only / read-write C9800 • CLI: privilege 0-15 RADIUS RO access to the GUI grants access to the Dashboard and Monitoring menus. Fail / Success + RW access to the GUI grants RW access to all menus. Privileges (CLI) Fail / Success + Command AuthZ (CLI) TACACS Read-Only Read-Write #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 15 For your AP management access reference #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 16 AP control at the access layer A few words on 802.1X Layer 2 Point-to-(Multi)Point Layer 3 Link Supplicant EAP over LAN Authenticator RADIUS AuthC Server (EAPoL) EAPoL Start Beginning EAPoL Request Identity EAP-Response Identity: Printer RADIUS Access Request [AVP: EAP-Response: Printer] EAP-Request: EAP-FAST RADIUS Access-Challenge Middle [AVP: EAP-Request EAP-FAST] Multiple EAP-Response: EAP-FAST Challenge- RADIUS Access Request Request [AVP: EAP-Response: EAP-FAST] Exchanges Possible RADIUS Access-Accept EAP Success End [AVP: EAP Success] [AVP: VLAN 10, dACL-n] #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 17 AP control at the access layer 802.1X credentials for the AP * Access Point (AP) Layer 2 Point-to-(Multi)Point Layer 3 Link Supplicant EAP over LAN Authenticator RADIUS AuthC Server (EAPoL) AP# capwap ap dot1x username [USER] password [PWD] * AireOS 8.6 for 802.11ac Wave 2 APs (EAP-FAST MS-CHAPv2 as for other AP series) AireOS 8.7+ for EAP-TLS or PEAP MS-CHAPv2 support (802.11ac Wave 2 APs and later) AireOS #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 18 AP control at the access layer 802.1X credentials for the AP * Access Point (AP) Layer 2 Point-to-(Multi)Point Layer 3 Link Supplicant EAP over LAN Authenticator RADIUS AuthC Server (EAPoL) AP# capwap ap dot1x username [USER] password [PWD] * AireOS 8.6 for 802.11ac Wave 2 APs (EAP-FAST MS-CHAPv2 as for other AP series) AireOS 8.7+ for EAP-TLS or PEAP MS-CHAPv2 support (802.11ac Wave 2 APs and later) IOS-XE #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 19 AP control at the access layer The FlexConnect challenge Layer 2 Point-to-(Multi)Point Layer 3 Link Supplicant EAP over LAN Authenticator RADIUS AuthC Server (EAPoL) FlexConnect AP 802.1X (usually) “needs” a trunk port. needs an access port. interface GigabitEthernet1/0/1 switchport access vlan 100 switchport mode access authentication port-control auto dot1x pae authenticator ... #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 20 AP control at the access layer The FlexConnect challenge Layer 2 Point-to-(Multi)Point Layer 3 Link Supplicant EAP over LAN Authenticator RADIUS AuthC Server (EAPoL) “What do you think?” “Here I am.” “Accept. Here is the interface template *” cisco-av-pair=interface-template-name=FLEXCONNECT_AP_TRUNK_TEMPLATE template FLEXCONNECT_AP_TRUNK_TEMPLATE switchport trunk native vlan 100 switchport trunk allowed vlan 100,110,120,130 switchport mode trunk * IOS 15.2(2)E+ spanning-tree portfast trunk #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 21 BRKEWN-2010 Securing the AP-WLC communication BRKEWN-2670 CAPWAP tunnels DTLS, UDP 5246 CAPWAP Control CAPWAP Data (DTLS) UDP 5247 config ap link-encryption enable all/[AP-NAME] AireOS IOS-XE #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 22 Securing the AP-WLC communication Manufacturer Installed Certificate (MIC) DTLS, UDP 5246 CAPWAP Control CAPWAP Data (DTLS) UDP 5247 #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 23 Securing the AP-WLC communication Local Significant Certificate (LSC) - AireOS Your PKI CAPWAP Example: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110141-loc-sig-cert.html #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 24 Secure Isolation with Guest Anchor Guest Tunnel Firewall Enterprise Users CAPWAP Internet Wireless LAN Controller DMZ or Anchor Wireless Guests LAN Controller #CLUS BRKEWN-2005 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 25 Securing the AP-WLC communication Local Significant Certificate (LSC) – IOS-XE ap lsc-provision ! In Non-WLANCC mode APs will be provisioning with RSA certificates with specified key-size configuration. In WLANCC mode APs ! will be provisioning with EC certificates with a 384 bit key by-default or 256 bit key if configured.
Load more

Recommended publications
  • IBM Multi-Factor Authentication for Z/OS
    Multi Factor Authentication for Linux on IBM Z using a centralized z/OS LDAP infrastructure Dr. Manfred Gnirss Thomas Wienert Z ATS IBM Systems IBM Germany R & D Boeblingen, 18.7.2018 © 2018 IBM Corporation 2 Trademarks The following are trademarks of the International Business Machines Corporation in the United States, other countries, or both. Not all common law marks used by IBM are listed on this page. Failure of a mark to appear does not mean that IBM does not use the mark nor does it mean that the product is not actively marketed or is not significant within its relevant market. Those trademarks followed by ® are registered trademarks of IBM in the United States; all others are trademarks or common law marks of IBM in the United States. For a complete list of IBM Trademarks, see www.ibm.com/legal/copytrade.shtml: *BladeCenter®, DB2®, e business(logo)®, DataPower®, ESCON, eServer, FICON, IBM®, IBM (logo)®, MVS, OS/390®, POWER6®, POWER6+, POWER7®, Power Architecture®, PowerVM®, S/390®, System p®, System p5, System x®, System z®, System z9®, System z10®, WebSphere®, X-Architecture®, zEnterprise, z9®, z10, z/Architecture®, z/OS®, z/VM®, z/VSE®, zSeries® The following are trademearks or registered trademarks of other companies. Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc.
    [Show full text]
  • SANS Spearphishing Survival Guide
    SANS Spearphishing Survival Guide A SANS Whitepaper Written by Jerry Shenk December 2015 Sponsored by Proofpoint ©2015 SANS™ Institute Executive Summary Organizations are constantly under attack. Nearly every week comes a news headline of another breach affecting millions of people. Organizations that experience “small” breaches spend hundreds of thousands of dollars on forensic examinations, infrastructure upgrades and identity monitoring. Those that get hit by a large breach spend millions. The majority of those threats still arrive by email in the form of weaponized file attachments, malicious links, wire-transfer fraud and credential phishing. In most cases, attackers deploy email-borne attacks that target specific individuals and fool them into believing they are from someone they do business with or someone in authority who knows them. Often, attackers gather the information they need to pull off these sorts of phishing attacks over social media, where employees share significant amounts of personal and contextual information. Just as often, employees leak information over mobile applications that make it easier for criminals to target their attacks. While most antivirus, anti-malware and email security systems are good at catching traditional mass email phishing attacks with known malicious attachments, links and content, they are not catching the most sophisticated targeted attacks on email recipients. These types of attacks, called spearphishing, gather information on high- value targets who have direct access to company financial or customer information.1 Using social media, mobile apps and other sources of information (such as a company website), criminals can make connections between business associates and third parties in order to craft emails that look like they come from someone the targets work with—and neither network-based nor email-based security tools are catching them consistently.
    [Show full text]
  • The Rise of Cyber-Espionage
    Case Study: THE RISE OF CYBER-ESPIONAGE 5HFUXLWPHQW3ODQ CounterTh e 20 7KH&RXQWHU7HUURULVW ~ June/July 2012 ©istockphoto/loops7 By Chris Mark At a Hopkinton, Massachusetts, offi ce, an executive received an email that appeared to be from a coworker on March 1, 2011. Attached to the email was an Excel spreadsheet titled “2011 Recruitment Plan.” The man opened the spreadsheet. The email was not from a coworker, it was a carefully crafted attack known as ”spearfi shing” in which a fraudulent email is sent to a specifi c person. he spearfi shing email contained an system, SecurID. SecurID is used by an Excel spreadsheet with a zero- estimated 250 million people worldwide. Tday exploit and a version of the Poison Th e attack was believed to have been ini- Ivy RAT (remote administration tool) tiated using a zero-day exploit created by payload embedded. Th e RAT enabled a Chinese hacker. Evidence suggests the a hacker to gain privileged access to the possibility of Chinese-sponsored cyber- network of RSA Security (an American espionage.1 RSA’s CEO, Art Coviello, computer and network security com- stated the stolen SecurID information pany). Th e company had been founded “could potentially be used to reduce by Ron Rivest, Adi Shamir, and Leonard the eff ectiveness of a current two-factor Adleman, the inventors of the RSA public authentication implementation as part key cryptographic algorithm. Th is single of a broader attack (italics added).”2 Th is The US government event initiated an attack that would result proved to be an ominous prediction.
    [Show full text]
  • Security Features
    Security Features SL1 version 10.1.0 Table of Contents Introduction 4 Who Should Read This Manual? 4 Built-In Security for Appliances and Data 5 Hardened Operating System 6 Limited Open Ports 6 Firewalls and White Lists 6 Hardened Configuration on Each Appliance 7 Root Access 7 API 7 All-In-One 7 Administration Portal 8 Database Server 8 Data Collectors and Message Collectors 8 Multiple Tenancy and Segregation of Duties 9 Account Types 9 Access Keys 9 Segregation by Organization 10 Credential Management 10 User Policies 11 Protection Against Injections and Cross-Site Scripting 12 Operating System Scan 12 Data Integrity 12 Backups 13 Disaster Recovery and High Availability 13 Audit Logs 13 Manage the Security of Your Network 15 Monitoring IDS, Firewalls, and Security Hardware 16 Security Events 16 Monitoring Changes to Device Configuration 16 Monitoring for Illicit Behavior 17 Blueprinting Windows Services 17 Blueprinting System Processes 17 Blueprinting DNS 18 Monitoring Open Ports 18 Monitoring Bandwidth Usage 18 Monitoring Hardware Performance 19 Managing Patches and Hot Fixes 21 Using Standard Deviation To Calculate "Normal" Conditions and Abnormal Conditions 21 Using Run Book Automation to Automate Responses to Security Events 21 Reports 22 Proxied Web Services 23 Security Settings 24 Access Control 25 Authentication 30 Multiple Tenancy and Segregation of Duties 31 Protection of Shared Content 33 Data Integrity 33 Security Events 34 Monitoring Changes to Device Configuration 35 Monitoring for Illicit Behavior 35 Blueprinting DNS, System Processes, and Windows Services 36 Monitoring Open Ports 37 Monitoring Bandwidth Usage 37 Monitoring Hardware Performance 39 Monitoring Patches and Hot Fixes 40 Using Run Book Automation to Automate Responses to Security Events 41 Reports 41 Proxied Web Services 41 Audit Logs 42 Chapter 1 Introduction Overview SL1 addresses two major aspects of system and network security: l SL1 appliances are lean, hardened, and configured for maximum security.
    [Show full text]
  • VULNERABLE by DESIGN: MITIGATING DESIGN FLAWS in HARDWARE and SOFTWARE Konoth, R.K
    VU Research Portal VULNERABLE BY DESIGN: MITIGATING DESIGN FLAWS IN HARDWARE AND SOFTWARE Konoth, R.K. 2020 document version Publisher's PDF, also known as Version of record Link to publication in VU Research Portal citation for published version (APA) Konoth, R. K. (2020). VULNERABLE BY DESIGN: MITIGATING DESIGN FLAWS IN HARDWARE AND SOFTWARE. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal ? Take down policy If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. E-mail address: [email protected] Download date: 07. Oct. 2021 VULNERABLE BY DESIGN: MITIGATING DESIGN FLAWS IN HARDWARE AND SOFTWARE PH.D. THESIS RADHESH KRISHNAN KONOTH VRIJE UNIVERSITEIT AMSTERDAM, 2020 Faculty of Science The research reported in this dissertation was conducted at the Faculty of Science — at the Department of Computer Science — of the Vrije Universiteit Amsterdam This work was supported by the MALPAY consortium, consisting of the Dutch national police, ING, ABN AMRO, Rabobank, Fox-IT, and TNO.
    [Show full text]
  • EC-Council Certified Security Specialist Course Outline (Version 9)
    EC-Council Certified Security Specialist Exam ECSS Course Outline EC-Council Certified Security Specialist Course Outline (Version 9) Module 01: Information Security Fundamentals . Data Breach Statistics . Data Loss Statistics . The Global State of Information Security Survey 2016 . Information Security . Need for Security . Elements of Information Security . The Security, Functionality, and Usability Triangle . Security Challenges . Information Security Attack Vectors . Information Security Threat Categories . Types of Attacks on a System . Trends in Security . Information Security Laws and Regulations Module 02: Networking Fundamentals . Introduction . Types of Networks . OSI (Open Systems Interconnection) Reference Model o OSI Reference Model: Diagram Page | 1 EC-Council Certified Security Specialist Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. EC-Council Certified Security Specialist Exam ECSS Course Outline o Application Layer o Presentation Layer o Session Layer o Transport Layer o Network Layer o Data Link Layer o Physical Layer . OSI Layers and Device Mapping . Protocols . TCP/IP Model . Comparing OSI and TCP/IP . Network Security . Essentials of Network Security . Data Security Threats over a Network . Basic Network Security Procedures . Network Security Policies . Types of Network Security Policies o Data Policy: Example o Computer Usage Policy: Example o E-mail Policy Module 03: Secure Network Protocols . Introduction . Terminology . Secure Network Protocols o E-mail Security Protocol – S/MIME o E-mail Security Protocol – PGP o Web Security Protocol – SSL Steps to Establish Connection Between Browser and Web server using SSL o Web Security Protocol – SSH (Secure Shell) o Web Security Protocol – HTTPS Page | 2 EC-Council Certified Security Specialist Copyright © by EC-Council All Rights Reserved.
    [Show full text]
  • Protecting Merchant Point of Sale Systems During the Holiday Season
    Protecting Merchant Point of Sale Systems during the Holiday Season November 7, 2014 Executive Summary This advisory was prepared in collaboration with the Financial Services Information Sharing and Analysis Center (FS-ISAC), the United States Secret Service (USSS), and the Retail Cyber Intelligence Sharing Center (R-CISC), and is directed towards retailers or companies which are processing financial transactions and managing customer personally identifiable information (PII) during the upcoming holiday season and beyond. This advisory serves to provide information on and recommends possible mitigations for common cyber exploitation tactics, techniques and procedures (TTPs) consistently and successfully leveraged by attackers in the past year. Many of these TTPs have been observed by the FS- ISAC, through its members, and identified in Secret Service investigations. The TTPs discussed in this report include: • Exploiting commercial application vulnerabilities • Unauthorized access via remote access • Email phishing • Unsafe web browsing from computer systems used to collect, process, store or transmit customer information This document provides recommended security controls in these four commonly observed areas to protect customer data and also provides recommendations to smaller merchants who should work with their vendors to implement these recommendations (see Appendix A). This advisory is not intended to be a robust, all-inclusive list of procedures as attackers will modify TTPs depending upon the target’s network and vulnerabilities. This report does not contain detailed information about memory scraping Point of Sale (PoS) malware that has been used in recent high- profile data breaches. Secret Service investigations of many of the recent PoS data breaches have identified customized malware only being used once per target.
    [Show full text]
  • Leadership and Responsibility for Cybersecurity
    Leadership and Responsibility for Cybersecurity Melissa E. Hathaway Melissa Hathaway According to Darwin, “it is not the most intellectual of the is President of Hatha- species that survives; it is not the strongest that survives; but way Global Strategies, LLC and former Act- the species that survives is the one that is able best to adapt ing Senior Direc- and adjust to the changing environment in which it finds tor for Cyberspace, 1 U.S. National Secu- itself.” We have certainly adapted to the Internet and the rity Council. Hathaway technology that underpins it. In fact, we have made it an served as Cyber Coor- dination Executive and integral part of just about everything in our life; and in many Director of the Joint ways we take it for granted that it will always work twenty-four Interagency Cyber Task Force in the Office hours a day, seven days a week. There are approximately 2.5 of the Director of billion Internet users around the world of which nearly half National Intelligence. 2 Previously, Hathaway are below the age of twenty-five. Yet, there is another set of was a Principal with actors that have adapted more successfully: criminals, spies, Booz Allen & Hamil- and some clever guys. Media headlines announce daily that ton, Inc. our bank accounts are being robbed, our intellectual prop- erty is being illegally copied, and our critical infrastructures are penetrated and could stop working at any moment. The very fabric that contributes to nearly 40 percent of the productivity growth of the global economy also facilitates an equally robust underground economy.3 These messages appear to fall on deaf ears as our corpo- rate and political leaders continue to talk about the troubled environment, yet too few are adapting to or assuming the [71] LEADERSHIP AND RESPONSIBILITY FOR CYBERSECURITY responsibility for resolving it.
    [Show full text]
  • Comptia® Security+® Review Guide: Exam SY0-601
    Telegram Channel @nettrain Telegram Channel @nettrain Telegram Channel @nettrain Telegram Channel @nettrain CompTIA® Security+® Review Guide Exam SY0-601 Fifth Edition Telegram Channel @nettrain Telegram Channel @nettrain CompTIA® Security+® Review Guide Exam SY0-601 Fifth Edition James Michael Stewart Telegram Channel @nettrain Copyright © 2021 by John Wiley & Sons, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 978-1-119-73538-0 ISBN: 978-1-119-73542-7 (ebk) ISBN: 978-1-119-73536-6 (ebk) No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation.
    [Show full text]
  • USC Csci530 Computer Security Systems Lecture Notes Fall 2018 All
    USC CSci530 Computer Security Systems Lecture notes Fall 2018 Dr. Clifford Neuman University of Southern California Information Sciences Institute All lectures prior to mid-term exam Copyright © 1995-2018 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Security Systems Lecture 1 – August 24, 2018 – OHE122 The Security Problem Dr. Clifford Neuman University of Southern California Information Sciences Institute http://ccss.usc.edu/530 Copyright © 1995-2018 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Administration • Class home page http://ccss.usc.edu/530 – Preliminary Syllabus – Assigned Readings – Lecture notes – Assignments Copyright © 1995-2018 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Who gets in • If you wish to enroll and do not have D clearance yet, send an email to [email protected] with: – Your name – If you meet the prerequisites – A phone number – Request to received D clearance • I will assess and approve if appropriate. Copyright © 1995-2018 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Structure of lecture • Classes from 9:00 AM – 11:50 AM – 10 minute break halfway through – Before or after break, 10 minutes for discussion of two current events, to be led by students. ▪ Groups of 1 to 3. Send two sentences on topic by Wed, selected Thu AM then prepare slides. Copyright © 1995-2018 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Administration • Lab Component (see http://ccss.usc.edu/530L) – 1 of the 4 units – Instructor is David Morgan – Instruction 4:30-5:20 Fridays in OHE 122 ▪ WebCast via DEN ▪ Today’s Lab instruction is only a 30 minute introduction – Hands on sections, choose from several sessions ▪ Provides an opportunity to do hands on work in OHE 406 lab.
    [Show full text]
  • The Need for Certainty
    ® TRUSTLEAP The Need For Certainty Mathematically-Proven Unbreakable Security www.trustleap.com This document is aimed at helping people to understand the TrustLeap technology. A cryptographic oracle (where users chose and submit the plaintext: an ASCII classic English book and a sentence that they type, an encryption key, the standard encryption algorithm to secure like AES or RC4, and get the ciphertext, with the sentence injected at a random position that they must guess to demonstrate that teir plaintext attack is successful) as well as further information regarding the internals of TWD Industries AG's technology are available under a proper NDA, to selected partners. TrustLeap 2 | Copyright © 2013, TWD Industries AG. All rights reserved. I. Definition, Promotion, Reality TrustLeap 3 | Copyright © 2013, TWD Industries AG. All rights reserved. The Oxford Dictionary Encryption: to convert (information or data) into a code, especially to prevent unauthorized access. Origin: 1950s (in the US), from English 'in' and Greek kruptos 'hidden'. TrustLeap 4 | Copyright © 2013, TWD Industries AG. All rights reserved. Promotion “no one ever lost money to an attack on a properly designed [standard] cryptosystem” – Peter Gutmann TrustLeap 5 | Copyright © 2013, TWD Industries AG. All rights reserved. Reality 2007 – RC4 / WEP 802.11 wireless standard Used to Steal 45 millions of Credit-Card Numbers Legal Costs: $40,900,000 TrustLeap 6 | Copyright © 2013, TWD Industries AG. All rights reserved. Reality 2010 – A5-1 / GSM Phones wireless standard Spy, Trace and Impersonate Billion of Mobile Phone Users. – Karsten Nohl TrustLeap 7 | Copyright © 2013, TWD Industries AG. All rights reserved. Reality 2011 – GPRS / Web - Mail wireless standard Spy, Trace and Impersonate Billion of Mobile Phone Users.
    [Show full text]
  • IBM Multi-Factor Authentication for Z/OS
    IBM Multi-Factor Authentication for z/OS Ross Cooper, *CISSP IBM z/OS Security Software Design and Development NewEra – The z Exchange 10/24/2017 Current Security Landscape 1,935 81% Number of security incidents Number of breaches in 2016 with confirmed data due to stolen and/or disclosure as a result of weak passwords.1 stolen credentials.1 (18% worse than prior year) (506 worse than prior year) 60% $4 million Number of security The average total cost incidents that are from 2 of a data breach. insider threats. 3 Criminals are identifying key employees at organizations and exploiting them with savvy phishing attacks to gain initial access to the employees’ system and steal their account credentials. This puts emphasis on the need for tighter restrictions on access privileges to key data repositories.1 1 2017 Verizon Data Breach Investigations Report 2 Ponemon: 2016 Cost of Data Breach Study: Global Analysis 2 3 IBM X-Force 2016 Cyber Security Intelligence Index User Authentication Today on z/OS • Users can authenticate with: ‒ Passwords ‒ Password phrases ‒ Digital Certificates ‒ via Kerberos • Problems with passwords: ‒ Common passwords ‒ Employees are selling their passwords ‒ Password reuse ‒ People write down passwords ‒ Malware ‒ Key log ‒ Password cracking 3 Compliance PCI DSS v3.2 8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication. 8.3.1 Incorporate multi-factor authentication for all non-console access into the Cardholder Data Environment (CDE) for personnel with administrative access. Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
    [Show full text]