Data breaches occur nearly every day. From very large retailers, down to your fantasy football website, and anywhere in between, they have been compromised in some way. How did the attackers get in? What did they do with the data they compromised? What should I be concerned with in my own business or my systems? This course is the second course in the Practical Computer Security. It will discuss types of threats and attack vectors commonly seen in today’s environment. I hate to be the bearer of bad news, but threats are all over the place! This course isn’t designed to insight fear that there is no hope for keeping systems and business secure, but rather educate you on how attacks are carried out so that you have a better sense of what to look out for in your business or with your systems.
Authentication based attacks
Loading...
Del curso dictado por University of Colorado System
Cyber Threats and Attack Vectors
138 calificaciones
Explore Related Videos
At Coursera, you will find the best lectures in the world. Here are some of our personalized recommendations for you
University of Colorado System
138 calificaciones
Curso 2 de 4 en SpecializationCybersecurity for Business
De la lección
THREATS AND ATTACK VECTORS IN COMPUTER SECURITY
Welcome! This week we'll explore users and user based attacks. User based attacks are common because it may be easier to compromise a human rather than a computer.
Conoce a los instructores
Greg WilliamsLecturer
Department of Computer Science
In this lesson, I'll discuss authentication and authentication based attacks.
So by the end of the video you'll be able to discuss
whether authentication is and how it's performed but
also be able to understand what points in the authentication process are vulnerable to
attack and also discuss how user habits can
introduce risk in the way that they authenticate to systems and services.
Authentication: Believe it or not there's actually an RFC written for authentication.
It's 4949 and it defines the way user authentication is a whole.
How we authenticate systems or we authenticate users or objects.
And according to the RFC,
the definition of authentication is the process of
verifying the identity claimed by or for a system entity.
So in other words,
how do we verify that something is or somebody is who they say they are.
So this could be a user.
This could be a system.
We also call this a security principle and that's with an A L at
the end instead of an L E. Security principal with
an L E would be something like use anti-virus or don't use weak passwords
but a security principal with the AL at the end is an object or a person,
file something that authenticates or is the authenticator.
So, it is really an object.
So, how can an object actually authenticate?
Well, think of two factor authentication.
We'll talk about this here in a minute but a a key fob
that is a two factor authentication it is
a hardware token that provides the authentication to a system.
Also passwords, if you consider passwords and how a user is an object to
authenticate to a system or service the object in this case is the security principal.
Let's talk about identification or authentication steps.
In identification or in authentication we have two different steps.
We have the identification step and then we also have the verification step.
The identification step presents an identifier to the system.
This also could be an object like a security principle.
So a system, a file,
a person, one computer to another computer.
Think of something like that.
Verification is the second step.
Is there something that validates or verifies
the identity presented or a security principle presented?
So we have something that needs to be identified and we have
something that is identifying and those two together,
form the authentication process.
There are many different kinds of authentication systems out there.
Think about all the devices that you own.
Right now if I actually had my my bag with me,
I have a phone,
I've got a hardware token,
which is my two factor authentication.
I've got my laptop.
I myself am an identifier.
My driver's license for example,
these are all things that present some kind of
identification and authorization which makes up the entire authentication system.
Think about how many times you have to log in to something today.
Well, I had to authenticate into my car with my keys.
I had to log into my computer.
Actually, I went to the gym today and I had to
present my identification card there to say that yes I could actually be there.
So authentications systems come in many size shapes and forms.
But the more common authentication systems are computers.
So Windows, for example,
uses credential providers in Windows 10 and on.
They started introducing this around Windows 8 but Windows 10 and windows 2016,
they they've completely changed the way that identification happens.
So credential providers are a way for third party companies
to provide authentication mechanisms into Windows.
Linux is another good example of this where we have a shared architecture for it then
location using pluggable authentication modules or PAM.
So PAM modules includes things like passwords and two factor authentication,
Kerberos and many different other kinds of
modules that allow us to have a commonality and a way to authenticate into a system.
The thing we don't want to have is a bunch of authentication models
out there and identification,
so that we may mess up on
one portion of authentication or we lose some part of authentication.
We can see this is the case in the use of
CAD's that CAS or single sign on or an authentication server for Microsoft.
It's AD FS - Active Directory Federated services.
So, I guess shibboleth is
another good example of
an authentication system that takes all these providers and sticks them
into one identification system so that
one system can then verify the identity of a person.
So we don't have these little authentication systems all over the place.
In NIST-800-63 there are sixty three.
It provides a model for the identification architecture.
It identifies the registration,
the credential insurance and the maintenance level of
an authentication system and how we authenticate from one party to another.
So it identifies the verifier.
It looks at the registration authority.
And you can see this from your screen now.
But in further reading,
you can read about the authentication model.
This is the de facto standard for any
U.S. Federal Information systems that need authentication.
It's based off of this model and what we really see.
You may think it's actually simple to provide
authentication but you have to think all the way from
how it registers a user or an object all the way to how
we authenticate that user and how do we destroy the user as well.
How do we authenticate through the entire process?
Factors of identification.
There are four different factors of identification: something that you know,
something that you have,
something that you are,
and something that you do.
So something that you know is going to be a password.
It's going to be a pin or security questions.
These are all knowledge based something that you know and nobody else knows.
Now the identification system or the authentication system is going to have some kind of
representation of that value of something that you know.
It may just be the password or it may just be
the pin but it needs to secure that credential in some way.
Something that you have includes things like smart cards and physical tokens.
Something that you are might be a fingerprint reader or iris scanner.
So that's that's something that you cannot get rid of.
Maybe you can file your finger fingerprints off but why in the world would you do that.
That presents a representation of who you are.
Iris scanner it's very expensive to put in an iris scanner but it is the most accurate.
Something that you do includes voice pattern recognition and handwriting.
Also facial recognition as well is included in this.
So some threats to something that you know: password up authentication.
This comes in the form of somebody phishing your password or poor password management.
Key logging for example or other eavesdropping techniques that are
designed to steal your password password based attacks
are also an attack against user authentication where we can see password
cracking rainbow tables and password storage based attacks as well.
Secret questions are easy to obtain answers if you just
look at social media and look at somebody who's posts you
can figure out who their favorite pet is or
where they went to high school and what their favorite mascot is or
their mother's maiden name by looking at
public records something that you know is very easy to attack.
Threats to something that you have include very very few things.
So usually they're protected by hardware and they're not easy to clone.
For example, past U.S. passports.
They do have RFID chips in them,
you can copy them,
magnetic stripe swipe cards as well.
Those are easy to copy like credit cards or
the number is easy to copy that's way we actually have chips now inside of them.
But it is hard to duplicate;
it's not hard to steal somebody's password but it is
hard to have actually compromise something that you have physically.
Threats to something that you are.
Well, the industry really isn't there yet.
Many facial recognition systems are fooled actually with a print out of your face.
The latest Samsung S8 for example,
their facial recognition system if you put the camera up to your up to
your face and authenticate your facial features,
it's fooled with a picture of your face.
So, false positives or false negatives,
which are even worse are issues with something that you are.
The industry has not caught up to this yet.
Except in the case of some fingerprint scanners and iris scanners,
those are much much more expensive but they do provide another level of security.
We also see overall security issues: eavesdropping,
replay malware, denial service attacks,
host and client based attacks.
And it really depends on how clever you are how we get around authentication.
But the easiest one again to compromise is password and pin based attacks. It's funny.
I actually saw a funny post of somebody.
The title of the email was
all bank pins listed on this paste.
And what was it? Well, there are four digit combinations.
So it was 0 through 9999 just in a file.
It was it was pretty funny but the reality is,
there's only 10,000 combinations of your bank card PIN or your ATM pin.
Explora nuestro catálogo
Inscríbete de manera gratuita y obtén recomendaciones personalizadas, actualizaciones y ofertas.
Coursera brinda acceso universal a la mejor educación del mundo, al asociarse con las mejores universidades y organizaciones, para ofrecer cursos en línea.
© 2019 Coursera Inc. Todos los derechos reservados.
