
Author: Prof Bill Buchanan

[Slide figure: the actors used throughout the course (Bob, Alice, Eve, Proxy, Trent, Delegate), the terms Intrusion Detection, Defence and Suspect, and the threats Trap-door, Trojan horse and Spoofing.]

Course timetable (week, date, academic unit, assessment, lab/tutorial):

Week 2 (9 Feb): 1: Security Fundamentals. Labs: Lab 1: Packet Capture; Lab 2: Packet Capture (Filter).
Week 3 (16 Feb): 2: IDS. Labs: Lab 3: Packet Capture (IDS); Lab 4: Packet Capture (IDS – ARP).
Week 4 (23 Feb): 3: Encryption. Lab: Lab 5: IDS Snort 1.
Week 5 (2 Mar): 4: Authentication (Part 1). Lab: Lab 6: IDS Snort 2.
Week 6 (9 Mar): 4: Authentication (Part 2). Lab: Lab 7: Private-key Encryption.
Week 7 (16 Mar): Assessment: MCQ Test. Lab: Lab 8: Public-key Encryption.
Week 8 (23 Mar): 5: Software Security. Lab: Lab 9: Log/Process/Hashing.
Week 9 (30 Mar): READING WEEK.
Week 10 (6 Apr): 6: Network Security. Labs: Lab 10: TCP Forensics; Lab 11: Binary Analysis/Sig Detection.
Week 11 (27 Apr): 7: Forensic Computing. Assessment: C/W hand-in (IDS). Labs: Lab 12: Signature Analysis; Lab 13: Role-based Security.
Week 12 (4 May): Assessment: Professional Certification.
Week 13 (11 May): Assessment: Professional Certification.
Week 14 (18 May): Assessment: MCQ Test.
Week 15 (25 May): no entry.

Lab/tutorial challenge timetable (week, date, lab/tutorial):

Week 2 (9 Feb): CCNA Challenge A1-A10.
Week 3 (16 Feb): CCNA Challenge A11-A20.
Week 4 (23 Feb): PIX_SNPA Challenge I1-10.
Week 5 (2 Mar): PIX_SNPA Challenge I11-30.
Week 6 (9 Mar): PIX_SNPA Challenge I31-50.
Week 7 (16 Mar): PIX_SNPA Challenge I51-70.
Week 8 (23 Mar): PIX_SNPA Challenge I71-96.
Week 9 (30 Mar): no entry.
Week 10 (6 Apr): ASA_NewPIX Challenge J1-20.
13 Apr (no week number given): no entry.
20 Apr (no week number given): no entry.
Week 11 (27 Apr): ASA_NewPIX Challenge J11-40.
Week 12 (4 May): ASA_NewPIX Challenge J41-60.
Week 13 (11 May): no entry.
Week 14 (18 May): no entry.
Week 15 (25 May): no entry.


Fundamentals (unit outline): Introduction; ISO 27002; Risk Analysis; Security Policy; Threats; Key Principles; Conclusions.

Threats (slide figure): visual spying, eavesdropping, misrepresentation, logical scavenging, interference, physical removal, spoofing, Trojan horse, logic bombs.


Outside and inside threats

[Slide figure: the assets (users, systems, data) sit inside the network/organisational perimeter behind a firewall/gateway, which cannot deal with internal threats; Intrusion Detection covers both sides. Threats shown: data stealing, DoS (denial-of-service), personal abuse, worms/viruses, terrorism/extortion, fraud, external hack, corporate access.]

CSI (Computer Security Institute) found that 70% of organisations had breaches and that 60% of all breaches came from inside their own systems.


Intrusion Detection Systems (unit outline): Introduction; Threats; Types; Host or Network?; Agent-based; Snort; A simple rule; A few intrusions; User profiling; Honeypots; IPS; Conclusions.

[Slide figure: Eve (the intruder) against the Defence, with Intrusion Detection placed between them.]


User profiling for on-line purchases

Profiles:

Name: Fiona Smith. Nationality: British. Location: Edinburgh. Gender: Female. Typical purchase: Computer equipment. Average purchases/week: 5. Average value of purchases: £30. Browser used: Mozilla. Date of last purchase: 6 May 2008. Email address: f.smith@nowhere

Name: Fred McLean. Nationality: USA. Location: Washington. Gender: Male. Typical purchase: Fish food. Average purchases/week: 50. Average value of purchases: $4. Browser used: IE. Date of last purchase: 18 Sept 2008. Email address: f.mclean@usa

Name: Michel Weber. Nationality: German. Location: Munich. Gender: Male. Typical purchase: Flowers. Average purchases/week: 0.005. Average value of purchases: €43. Browser used: Opera. Date of last purchase: 1 Mar 2007. Email address: m_weber@de

Name: Amélie Cheney. Nationality: French. Location: Paris. Gender: Female. Typical purchase: Clothes. Average purchases/week: 70. Average value of purchases: €13. Browser used: Mozilla. Date of last purchase: 16 Sept 2008. Email address: [email protected]

Name: A.N.Other. Nationality: Any. Location: Nowhere. Gender: Female/Male. Typical purchase: High-value goods. Average purchases/week: 1000. Average value of purchases: $9999. Browser used: Not known. Date of last purchase: Today. Email address: doesnt@exist

A user profiler (such as a bank transaction agent) checks each transaction against the user's profile. User/behaviour profiling is especially useful in fraud detection.
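The following is an added example, not code from the slides, of the check the profiler performs: an incoming transaction is compared field by field with the stored profile and the number of deviations decides whether it is allowed, held for review, or blocked. The profile is Fiona Smith's from the slide; the transactions, the multipliers (5x average value, 3x average rate) and the review/block thresholds are constructed values for illustration, and a real profiler would learn them per user from history.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """A stored user profile, mirroring the fields on the slide."""
    name: str
    location: str
    typical_purchase: str
    avg_purchases_per_week: float
    avg_value: float
    browser: str


@dataclass(frozen=True)
class Transaction:
    """One incoming purchase to be checked against the profile."""
    location: str
    category: str
    value: float
    browser: str
    purchases_this_week: int   # running count for the user, including this one


# Profile taken from the slide's first example
FIONA = Profile("Fiona Smith", "Edinburgh", "Computer equipment", 5, 30.0, "Mozilla")


def deviations(profile, tx, value_factor=5.0, rate_factor=3.0):
    """Return the list of ways tx departs from profile (empty means it looks normal).

    value_factor and rate_factor are constructed thresholds for this example.
    """
    found = []
    if tx.value > value_factor * profile.avg_value:
        found.append(f"value {tx.value:.2f} exceeds {value_factor:g}x average {profile.avg_value:.2f}")
    # floor the expected rate so a tiny average (e.g. 0.005/week) does not make one purchase anomalous
    expected_rate = max(profile.avg_purchases_per_week, 1.0)
    if tx.purchases_this_week > rate_factor * expected_rate:
        found.append(f"{tx.purchases_this_week} purchases this week vs average {profile.avg_purchases_per_week:g}")
    if tx.location != profile.location:
        found.append(f"location {tx.location!r} differs from profile {profile.location!r}")
    if tx.browser != profile.browser:
        found.append(f"browser {tx.browser!r} differs from profile {profile.browser!r}")
    if tx.category != profile.typical_purchase:
        found.append(f"category {tx.category!r} is not the typical purchase {profile.typical_purchase!r}")
    return found


def decide(profile, tx, review_at=2, block_at=4):
    """Map the deviations to an action: allow, review (hold for a human), or block.

    A single deviation is ordinary (people travel, change browser); a cluster
    of them is what the profiler reacts to. Thresholds are constructed values.
    """
    found = deviations(profile, tx)
    if len(found) >= block_at:
        return "block", found
    if len(found) >= review_at:
        return "review", found
    return "allow", found


if __name__ == "__main__":
    # constructed sample transactions: one in character, one shaped like the slide's A.N.Other profile
    normal = Transaction("Edinburgh", "Computer equipment", 28.0, "Mozilla", 4)
    odd = Transaction("Nowhere", "High-value goods", 9999.0, "Not known", 1000)
    for tx in (normal, odd):
        action, why = decide(FIONA, tx)
        print(action, why)
```

The separation between deviations and decide matters in practice: the list of reasons is what goes into the alert or the case file, while the action is the only thing the payment path needs, so the thresholds can be tuned without touching the checks.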


Encryption (unit outline): Introduction; Before electronic communications; Codes; A few fundamentals; Key-based encryption; Cracking the code; Brute force; Block or stream; Private-key methods; Encryption keys; Passing keys; Public-key encryption; One-way hash; Encrypting disks; PGP encryption.


Diffie-Hellman

One of the most widely used methods for creating a secret key that is the same for Bob and Alice.

[Slide figure: Bob encrypts, the message crosses the communications channel on which Eve is listening, and Alice decrypts.]

How do Bob and Alice send their private (secret) key without Eve getting it? This problem was solved by Whitfield Diffie, who created the Diffie-Hellman algorithm, which is the most widely used method for passing secret keys.
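As an added example (not from the slides), the exchange described above carried through with both sides' messages: Alice and Bob each pick a private exponent, send only g^x mod p over the channel, and arrive at the same secret, while Eve, who sees p, g and the two public values, does not. The group p = 23, g = 5 and the fixed exponents 6 and 15 are toy values chosen so the arithmetic can be checked by hand; a real deployment uses a standardised group of 2048 bits or more, and the key-derivation context label is likewise a constructed value.

```python
import hashlib
import secrets

# Toy group parameters (constructed for illustration only; far too small for real use)
TOY_P = 23   # prime modulus
TOY_G = 5    # generator of the multiplicative group mod 23


def fresh_private(p):
    """Pick a private exponent uniformly from [1, p-2] using the OS CSPRNG."""
    return secrets.randbelow(p - 2) + 1


def public_value(p, g, private):
    """The value each party sends over the channel: g^private mod p."""
    return pow(g, private, p)


def shared_secret(p, peer_public, private):
    """The value each party computes locally: (peer_public)^private mod p."""
    return pow(peer_public, private, p)


def derive_key(shared, context=b"toy-dh-example"):
    """Hash the raw shared integer into a fixed-length symmetric key.

    Hashing with a context label is the usual step before handing the secret
    to a cipher; the label here is a constructed value.
    """
    return hashlib.sha256(context + shared.to_bytes(32, "big")).hexdigest()


def run_exchange(p=TOY_P, g=TOY_G, a=None, b=None):
    """Run one exchange and return what each side ends up knowing.

    Eve, watching the channel, sees only p, g, A and B. With a real-size group
    she cannot recover a or b from A and B (the discrete logarithm problem),
    so she cannot compute the shared secret s.
    """
    a = fresh_private(p) if a is None else a   # Alice's private exponent, never sent
    b = fresh_private(p) if b is None else b   # Bob's private exponent, never sent
    A = public_value(p, g, a)                  # Alice -> Bob
    B = public_value(p, g, b)                  # Bob -> Alice
    s_alice = shared_secret(p, B, a)           # Alice: B^a mod p
    s_bob = shared_secret(p, A, b)             # Bob:   A^b mod p
    return {"A": A, "B": B, "s_alice": s_alice, "s_bob": s_bob,
            "key_alice": derive_key(s_alice), "key_bob": derive_key(s_bob)}


if __name__ == "__main__":
    r = run_exchange(a=6, b=15)   # fixed exponents so the run is reproducible
    print(f"Alice sends A={r['A']}, Bob sends B={r['B']}  (these are all Eve sees)")
    print(f"Alice computes s={r['s_alice']}, Bob computes s={r['s_bob']}")
    print("derived keys match:", r["key_alice"] == r["key_bob"])
```

One caveat the slide's question leaves implicit: the bare exchange gives Bob and Alice a secret that Eve cannot read, but it does not tell either of them who they have agreed it with. That is why, in deployed protocols, the public values are tied to the authentication methods covered later in the course (for example, certificates) rather than sent on their own.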


Authentication (unit outline): Introduction; Methods; Usernames/passwords; Biometric issues; Biometric methods; Message hash; Authenticating with private key; HMAC; Digital certificates; Trust; Cardspace; Email encryption; Conclusions.


Authentication types: one-way server, one-way client, two-way.

[Slide figure: for each type, arrows show which side (user/device or server) presents its ID.]

One-way server authentication. The server provides authentication to the client, such as SSL (HTTPS, FTPS, etc.).

One-way client authentication. The client provides authentication to the server, such as EAP-TLS in wireless.

Mutual authentication. Client and server each provide an ID to authenticate the other. Examples include PEAP in wireless.


Network Security (unit outline): Introduction; Screening Firewalls; NAT; Stateful Firewalls; PIX/ASA Firewall; Proxies; VPN; Tunnelling.

[Slide figure: an organisational network with the Internet, a router, firewalls (including a stateful firewall), switches, an Intrusion Detection System, and proxy, email, web and FTP servers. Bob and Alice communicate either through a proxy or over a VPN in tunnelling mode or transport mode, while Eve listens on the public channel.]

With a VPN the traffic is only encrypted over the public channel. Because that traffic is encrypted, it cannot be checked by firewalls, IDS, and so on.

Role-based security

[Slide figure: without role-based security, the application/web application and the operating system see only user IDs (Bob, Alice, Carol). With role-based security, each ID is mapped onto a role (Admin, Guests) and the application makes its decisions on the role.]

Application authentication methods: Windows built-in authentication; Passport-based authentication; Form-based authentication; IIS Authentication.

Most applications/web pages do not take into account ID or role.


Forensic Computing (unit outline): Introduction; Legal Infrastructure; Computer Forensics; OTP; CPAR; Event Logs.


CPAR

[Slide figure: a forensic computing investigation inside the organisational perimeter. Network sensors and event detection gather network logs, host logs, event logs and server logs from the network infrastructure, under the security/audit policy, and feed them through the four CPAR stages: Collection, Preservation, Analysis, Reporting.]