Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
This paper will attempt to describe what application and operating system (OS) fingerprinting are and discuss techniques and methods used by three of the most popular fingerprinting applications: nmap, Xprobe2, and p0f.
The practice of using passwords for user authentication exposes organizations' and individual users' data to disclosure alteration and/or destruction. However, a large portion of the security issues that make this true can be satisfactorily addressed using a simple method that I would like to introduce as the Simple Formula for Strong Passwords (SFSP) [Note 1].
One limitation of DHCP is that there is no accountability for IP address usage. NetReg is a Network DHCP Registration System which provides a means of linking user information to MAC and IP addresses on the network.
By: Ravikanth Ponnapalli (posted on January 18, 2005)
Single Sign-On is a very important component of the security architecture of an organization. In IT, it is generally believed that it is expensive to deploy an enterprise Single Sign-On solution that is secure and scalable. However, there is a growing awareness in IT management about the advantages of implementation of enterprise Single Sign-On.
Biometrics is, in the simplest definition, something you are. It is a physical characteristic unique to each individual. Using biometrics to identify individuals is a practice as old as ancient Egypt. Today, it is becoming more and more popular to use biometrics to identify people and authenticate them for access to secure areas and systems.
This paper describes the characteristics and concepts of a few important protocols and technologies that have been used for implementing authentication and single sign-on (SSO) mechanisms for computer networks.
This paper will demonstrate that the convergence of logical and physical security brings significant benefits, specifically identifying areas where the two can interconnect to the greatest positive effect, and also recommends practical steps to take in this direction.
This paper categorizes and then simplifies some of the core fundamentals of electronic security controls and mechanisms and concludes that authentication is the single most important aspect in information security.
The purpose of this document is to offer a broad overview of current identity management technologies and provide a framework for determining when an identity management system would benefit your company.
This paper explores how a combination of user education, strict password policies, encrypted network traffic, onetime passwords, Public-Key Infrastructure systems, and the use of biometrics, authentication can make computer systems less vulnerable to attacks.
By: Daniel E. Williams (posted on October 31, 2003)
The goal of this paper is to provide a detailed look at a new perspective for a unified, secure and consolidated form of personal identification. The advanced yet inexpensive technology exists today to step up modern identification to the next level.
By: Michael Zimmerman (posted on October 31, 2003)
The purpose of this paper will be to look at the use of biometrics technology to determine how secure it might be in authenticating users, and how the users job function or role would impact the authentication process or protocol. We will also examine personal issues of privacy in the methods used for authentication; the cost of implementing a biometrics authentication system; the efficiency of biometrics authentication; and the potential for false positive or negative recognition of individual users.
By: Seyoum "Zeg" Zegiorgis (posted on October 31, 2003)
This paper discusses the benefits of implementing a biometric technology product--one more tool for safeguarding the information assets and key installations of an organization--the privacy issues associated with the deployment of a BTP
The purpose of this paper is to show you (the System Administrator) how to break free from the mundane task of periodically changing user passwords (in keeping with good security practices from GIAC Security Essentials). This document is designed to show you step-by-step how to build a web page for users to update their passwords on a UNIX or Windows server, easily, securely and without spending too much money on software!
In this paper, the author describes the extensive security layers involved in Java smart cards, as well as their vulnerabilities. The conclusion is that the benefits seem to outweigh the disadvantages, since certain sectors of society have already accepted the risks.
This paper discusses some of the real-world operational challenges in getting a Web-only SSO deployed, starting with the impetus for why to deploy SSO; some considerations in vendor selection; operational considerations in a deployment, including challenges with having SSO and load balancing work effectively together; and, some compensating security controls.
The author looks at the history, types and uses of smart cards and how they may be vulnerable. Since smart cards were never designed to be standalone systems, the author examines some of the applications that have incorporated smart cards into their design to see how they work, looks at the motivation for why they might be threatened, reviews some of the documented attacks, and puts forth a cost/benefit analysis of incorporating smart cards. Finally, there is a determination of how secure smart cards really are.
Iris recognition technology does provide a good method of authentication to replace the current methods of passwords, token cards or PINs and if used in conjunction with something the user knows in a two-factor authentication system then the authentication becomes even stronger.
This paper will look at login commands, authentication mechanisms, passwords and password management programs used in several UNIX platforms, highlighting aspects of Solaris 8 and Red Hat Linux (RH) 7.3.
This paper presents an overview of biometrics in general and describes some of the issues related to biometrics vulnerabilities and security, and its other side, the protection of one's privacy. It considers that for biometrics to be publicly accepted, implementations will require cooperation between organizations and individuals, working with developed open standards that meet the demand for security and demonstrate the protection of personal privacy.
The time has come for enterprises to begin considering whether smart cards can be used to improve security in their environments. Smart cards offer a secure and convenient form factor on which employees can carry digital credentials for accessing parking facilities, buildings, computers, and network resources. Indeed, the ability for an employee to carry both physical and logical access credentials can be provided on a single card. Adding to the significance of smart cards, that same card can also be used for employee photo identification, and potentially a multitude of other applications, including encryption, digital signatures, secure storage of employee medical information, and electronic wallet for cafeterias and vending machines. Done right, a single-card solution can provide return on investment in the forms of vastly improved security, reduced need for certain security and IT personnel functions, and customer satisfaction. This paper examines some of the key benefits that can be realized from employing smart cards, and it explains how smart cards can be used to significantly improve both physical and logical security. Additionally, it provides an overview of some strategic infrastructure elements needed to make smart cards work in an enterprise environment, including complimentary technologies, personnel, hardware, software, and perhaps most importantly, policies and procedures.
The purpose of this paper is to provide information that will assist a biometric implementer evaluate and select biometric technology. The scope of this paper is limited to the selection of biometric technology as an authenticator in a networked environment.
This paper demonstrates that many published policies and guidelines will allow for the creation of weak passwords by lazy or inexperienced users. This paper also makes recommendations by which the Security Administrator can improve the strength of the passwords which are created by the users on his system.
By: Miltiades Leonidou (posted on October 31, 2003)
This overview covers the new and emerging biometric technique of Iris Recognition, with focus on image processing and computer vision aspects. Algorithms, systems and their experimental results will be reported.
This paper looks at the danger and cost of identity theft, uncover the problem with current authentication practices, demonstrate how a biometric solution can be used to provide stronger authentication, and look at the added benefit of using multiple factor authentication practices.
Kerberos has been the default authentication protocol for Windows since XP/2000.
Although the protocol enjoys many benefits over its predecessors, it does have some weaknesses. One unintended weakness of Kerberos is the ability of the Kerberos token size to grow to the point where Denial of Service (DoS) issues arise. This is especially prevalent in large enterprises where during the 10 years that Kerberos has been the primary Windows protocol, some users have found their accounts to be members of several hundred groups. The result of this scenario includes inability to use important company resources such as Exchange Servers and the ability to authenticate to web sites. Additionally, this weakness can be used maliciously to cause widespread DoS throughout an enterprise.
...class was well done, and I genuinely appreciate you "breathing life" into 7799. The anecdotal stories were worth the trip as were the experiences of those in classroom who shared. -Liam Doyle, Regions Financial Corporation