Question 1 (6 marks)
Assume that you are only allowed to use the 15 characters “ABCDEFGHIJKLMNO” to construct passwords.
a) How many different passwords are possible if a password is at most:
1) five characters long,
2) seven characters long,
3) nine characters long and the system makes no distinction between upper case and lower case characters (i.e. there is no case-sensitivity)?
(3 marks)
Number of Characters | Number of Permutations | Equivalent Binary Bits
5 | 15^5 = 759 375 | ~ 20
7 | 15^7 = 170 859 375 | ~ 28
9 | 15^9 = 38 443 359 375 | ~ 36
b) Now assume that passwords are case-sensitive and constructed from upper case and lower case characters drawn from the same set of 15 characters stated in (a). What is the maximum number of attempts required to guess the case-sensitive version of a password which is
1) five characters long,
2) seven characters long,
3) nine characters long?
(3 marks)
Number of Characters | Number of Permutations | Equivalent Binary Bits
5 | 30^5 = 24 300 000 | ~ 25
7 | 30^7 = 21 870 000 000 | ~ 35
9 | 30^9 = 19 683 000 000 000 | ~ 45
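As an added worked example (not part of the original answer), the following code reproduces the two tables above for the 15-character alphabet and its 30-character case-sensitive form, rounding the equivalent key length up to whole bits, and also computes the "at most n characters" count (the sum over lengths 1..n) that the question wording asks for.

```python
import math

# Added worked example for Question 1: size of the password space for an
# alphabet of a given size, and the equivalent key length in bits.
# The 15-character alphabet "ABCDEFGHIJKLMNO" and its 30-character
# case-sensitive form are taken from the question; the rest is constructed.

ALPHABET = "ABCDEFGHIJKLMNO"


def exact_length_space(alphabet_size: int, length: int) -> int:
    """Passwords of exactly `length` characters: alphabet_size ** length."""
    return alphabet_size ** length


def at_most_length_space(alphabet_size: int, max_length: int) -> int:
    """Passwords of 1..max_length characters (the question's 'at most')."""
    return sum(alphabet_size ** k for k in range(1, max_length + 1))


def equivalent_bits(count: int) -> int:
    """Smallest whole number of bits whose key space is at least `count`."""
    return math.ceil(math.log2(count))


def password_table(case_sensitive: bool, lengths=(5, 7, 9)):
    """Rows of (length, exact count, at-most count, bits) as in the answer."""
    size = len(ALPHABET) * (2 if case_sensitive else 1)
    rows = []
    for n in lengths:
        exact = exact_length_space(size, n)
        rows.append((n, exact, at_most_length_space(size, n),
                     equivalent_bits(exact)))
    return rows


if __name__ == "__main__":
    for label, cs in (("case-insensitive (15 symbols)", False),
                      ("case-sensitive (30 symbols)", True)):
        print(label)
        for n, exact, at_most, bits in password_table(cs):
            print(f"  {n} chars: exactly {exact:,}, "
                  f"at most {at_most:,}, ~{bits} bits")
```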
Question 2 (4 marks)
If you have multiple accounts, each with a different password, you may consider keeping the passwords in a single master password file where access to the master password file is controlled through a master password. List and briefly discuss two major advantages and two major disadvantages of this scheme.
(4 marks)
Advantages
Centralised storage of passwords – ‘all the eggs in the one basket’: one location, one storage and access method.
Only one password needs to be memorised. Ugly yellow ‘post-it’ notes and other scraps of paper will not be created and littered in desk drawers or the like because ‘it was too hard to remember’. These ‘notes’ have a habit of containing additional information (such as the system function/name associated with the password) or of disappearing when needed the most.
A single location to store and access the passwords. It is implemented with access control, so authorised access should be the only mechanism for reaching the password ‘list’. Written-down passwords, depending on their storage location, could allow somebody to acquire a password passively without any knowledge of the user.
Disadvantages
Centralised storage of passwords – ‘all the eggs in the one basket’, a prime target. The store could be portable (a PDA): what happens if it gets stolen?
Having all the passwords in one location creates a more tempting target. Break the one password, and get them all! Along similar lines to data aggregation, password aggregation can lead to a greater vulnerability, as the passwords most likely relate to different locations within a LAN/WAN with differing (maybe pseudo) security zones.
With the number of portable organisers increasingly used, it is very likely that the passwords will be stored on a PDA. If it were to be stolen then hopefully you have a backup of the contents of the PDA (was it also encrypted and secured?). Hopefully your chosen password to secure the lot will not be guessed easily – the new owner certainly can spend as long as they wish trying to break it. A lot of PDAs use NVRAM, which allows the state to be saved when power is turned off, which leads into another issue with a stolen (or lent – could be just as bad) PDA. To access the password list, you enter your ‘master’ password and all is displayed until you tell it that you have finished – using the off switch may not provide such a function, hence turning the system on restores it to the revealed password list. An example is Memo Safe 1.1 for PalmOS.
Question 3 (18 marks)
Do a Web search for commercially-available biometric authentication systems. Select two products which measure different biometric attributes, that you consider have merit. For each product:
a) Provide an electronic copy of the list of URLS which you accessed and which describe the product and its main features.
(1 mark for each product)
The Fingerprint Sensor developed by Fujitsu comes in two parts: the direct-contact hardware component (a capacitance fingerprint scanner) and optional software.
The hardware component comes in three sizes: 15mm x 15mm, 15mm x 12.8mm, and 14mm x 4.3mm. All are completely integrated circuits with three standard bus interfaces (8-bit microprocessor, USB, or serial). The scanned image is 500 dpi, and the number of frames per second depends on the frame size and bus interface chosen: 10 frames per second for the largest, 30 for the mid-sized, and 1000 per second for the smallest, based on using the 8-bit microprocessor bus.
The software component is provided as a development API (DLLs) and an executable. All are Win32 modules and include functionality such as image capture, enhancement, and verification. Example source code is also provided.
The face (and image) recognition software, developed by Imagis Technologies, is based on a client/server model. The software is developed for the 64-bit Itanium Windows platform, and the backend server can be local or remote (via TCP/IP). It can support most databases, such as Oracle, ODBC, and MS-SQL. A software development kit is available which includes example code for C++ and web-based clients (ActiveX, JavaScript, and Visual Basic).
A 3D image of the face is described using over 115 facial descriptors, which are fed into a proprietary algorithm to produce a ‘wavelet’ that is stored or compared.
The face and image recognition software is able to take input from photos, digital images, and surveillance cameras. The software is capable of identifying faces at the rate of 60 million per minute.
b) In your own words, describe a situation where this product would be suitable for access control purposes (half page).
(3 marks for each product)
Biometric devices are primarily identification devices based on the principle of ‘what you are’.
The fingerprint sensor, because of its size, can be integrated into most electronic devices. Integration can occur into laptops, PDAs, PC keyboards, PC mice, mobile telephones and even car keys. It could be used to provide controlled access to physical environments, such as access to your vehicle, or to some controlled-access area within a building. In the case of car keys the biometric device can also be an authorisation device – you are in possession of the keys, ‘what you have’.
The fingerprint sensor could also be used in EFTPOS and ATM terminals. In fact, in general it can be used as a replacement for a PIN, password, or passphrase.
The face and image recognition software is likely to be a more passive (non-intrusive) identification methodology. An advantage is that you are able to use a number of existing images to enrol subjects, including usage of video data.
c) In your own words, discuss any disadvantages or limitations that you feel this product may have in its application to the situation in (b). If you feel there are no disadvantages or limitations, discuss why this is the case. (one page)
(5 marks for each product)
When enrolling users with the fingerprint device, all ten fingers should be involved. Employees/clients could lose fingers to accidents, or may already have missing digits at enrolment time. A second finger could be scanned if a reject resulted from the first scan, and this could continue until the system has confidence in the user's identification. A second finger could also be utilised if some kind of contaminant is found on the finger – for example biro or newsprint.
The use of a capacitance fingerprint reader reduces the likelihood of a contaminant affecting the scan, but it provides a small scan frame compared to optical fingerprint devices. Capacitance fingerprint readers are also sensitive to electrical interference – a big concern if used in the car key example.
As artificial fingers and/or fingerprints are easily producible[1], a two-factor authentication system should be considered where possible, or some kind of ‘live’ finger detection would be required.
The use of image recognition software on passports could be utilised in airports for alien identification. This could occur at customs, where passengers are already accepting of bag inspections and the like. The process could be sped up by forwarding duplicates of passports before the passengers arrive – this obviously raises additional issues of confidentiality and integrity in the delivery of this information.
A 4-digit PIN has 10^4 possible values – thus if you are trying to increase your security then the false accept rate (type II) of your biometric system should be at a similar or better rate. While mathematically we have a false accept rate of one in 10^4 for PINs, other risk factors such as insecure storage of these values on ‘post-it’ notes and other written prompts would worsen this value in practice.
When biometric devices are integrated into electronic devices such as PC components, EFTPOS and ATMs, a concern is access to the verification database. Remote communications via private line or LAN could be disrupted; information could be inserted, deleted, duplicated, fabricated, and/or modified. What is the default behaviour on an access failure: could/should it lock everybody out?
Malicious software could also determine the interactions of the biometric devices with the PC and/or database; this again leads to a compromised system. Numerous attacks are possible – ‘man-in-the-middle’, masquerading of the biometric device, and/or of the verification database.
Verification information is likely to be greater than the detail that can currently be placed on the standard 3-band magnetic strip ‘credit card’ that is commonly used. Implementing a local verification database on a personal system would require some kind of escrow mechanism to be deployed – the owner cannot resell their PC, or the employee has left the company and all client X's files are stored on the company-supplied laptop.
The last-minute replacement or ‘temp’ will not be able to access locations/devices unless previously enrolled; otherwise they become a hindrance and not the extra helper required.
The ‘yin and yang’ of Type I (false rejection) errors and Type II (false acceptance) errors would be adjusted to suit the implemented application. A large false rejection rate in a high-usage area such as a passive facial recognition system would be acceptable, but for access control to a busy office it would be impractical.
In summary, I believe that the reviewed biometric devices available in the market place do not offer greater security in user identification than the current generally accepted methods of passwords and PINs. There are just too many usage exceptions that these devices currently are unable to cope with. The reviewed biometric devices can be utilised as additional information in a multiple-factor identification process – enter a PIN or password along with your fingerprint or face scan.
Question 4 (20 marks)
In a medical information system that controls access to patient records and prescriptions:
You have been asked to write a report (2-3 pages) for the manager of the medical information system outlining the access control issues and possible solutions that may be considered. Your report should include a description of at least one possible course of action for each of the following points:
For each course of action, discuss possible advantages and disadvantages.
(Each point is worth 4 marks)
Note that it is important to answer this question in your own words and relate the discussion to the medical information system. Do not just reproduce the lecture notes.
With the advent of the PC, a discretionary access model has become the norm for low-cost computing systems. Computing systems have also moved away from the centrally controlled and guarded mainframes to distributed networks.
The advent of these computer access models has created an access control system that is user based, user enforced, and user supplied. Permission to access and perform an operation on a resource (such as a file or equipment component) is restricted based on a user identity or on groupings of users. This allows the user to grant or revoke access to any resource under their control without the intervention of a system operator.
In a medical organisation such as a hospital no one person owns the resources. Access to patient records, equipment, and many other resources is defined by an individual's role within the organisation, along such lines as duties (doctor, nurse, cleaner), responsibilities (accountant, auditor, stock controller, supplier), and qualifications (trainee).
Allocation of privileges for the medical information system is to be likewise handled by a Role Based Access Control (RBAC) system. Roles in the organisation would have to be mirrored in the computer system. Access control lists and/or matrices are not required and would be unmanageable in a distributed network anyway. Instead of ‘who is allowed to do what’, we have a ‘which role is allowed to do what’ model.
The roles within the organisation are stable (unless the whole nature of the organisation itself changes); users and resources become the variable commodities within the information system. Roles are groupings of PERMISSIONS, and are implemented as least privilege – ‘allow only what is required’. A role can also be hierarchical; those higher in the hierarchy inherit all roles below.
When an employee joins the organisation they are added to a role within the enforcement ‘database’. If their role within the organisation changes with a restructure or promotion then their role within the ‘database’ is also changed. If they were to leave or go on an extended break, their role in the database would be removed.
For example, doctors would have read and write access to patient records and prescriptions, while nurses would only have read and write access to patient prescriptions.
A quandary arises from a need to enforce strict separation of duties within the information system. While a user can have conflicting roles within the organisation, they can only access the system in one role during a login/access session, which correctly enforces constraints on each role and reduces the likelihood of committing fraud. In addition, a user must not be able to log in more than once at the same time, regardless of whether the additional session is in a different role.
Management of the information system falls into two distinct categories: user administration (described previously) and resource administration. When a new resource (file, application) is added to the system, the administrator (of that resource) defines or allocates which roles can access it. Users cannot pass access permissions at their own discretion to others.
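The RBAC rules described above (permissions grouped per role, least privilege, hierarchical inheritance, one active role per session, and no concurrent logins) can be captured in a small reference monitor. This is an added example constructed for this page, not part of the original report or any real medical system; the roles, resource names and users are hypothetical.

```python
# Added example for Question 4: a minimal RBAC reference monitor for the
# medical information system discussed above. Constructed for this page;
# roles, resources and users are hypothetical.

from dataclasses import dataclass, field

# Permissions each role holds directly ("allow only what is required").
# Doctors read/write records and prescriptions; nurses only prescriptions.
ROLE_PERMISSIONS = {
    "doctor": {("patient_record", "read"), ("patient_record", "write"),
               ("prescription", "read"), ("prescription", "write")},
    "nurse": {("prescription", "read"), ("prescription", "write")},
    "auditor": {("patient_record", "read"), ("audit_log", "read")},
}

# Hierarchy: a senior role inherits every permission of the roles below it.
ROLE_PARENTS = {"senior_doctor": ["doctor"]}


def effective_permissions(role: str) -> set:
    """Direct permissions of `role` plus those inherited down the hierarchy."""
    perms = set(ROLE_PERMISSIONS.get(role, set()))
    for child in ROLE_PARENTS.get(role, []):
        perms |= effective_permissions(child)
    return perms


@dataclass
class Enforcer:
    user_roles: dict                              # user id -> set of roles
    sessions: dict = field(default_factory=dict)  # user id -> active role

    def login(self, user: str, role: str) -> bool:
        """One session per user, one role per session, role must be assigned.
        A user holding conflicting roles still gets only one of them here."""
        if user in self.sessions or role not in self.user_roles.get(user, ()):
            return False
        self.sessions[user] = role
        return True

    def logout(self, user: str) -> None:
        self.sessions.pop(user, None)

    def check(self, user: str, resource: str, action: str) -> bool:
        """Allow only if the active role's effective permissions cover it."""
        role = self.sessions.get(user)
        return role is not None and (resource, action) in effective_permissions(role)

    def reassign(self, user: str, roles: set) -> None:
        """Restructure, promotion or departure: change the user's roles and
        end any live session so stale privileges cannot linger."""
        self.logout(user)
        if roles:
            self.user_roles[user] = set(roles)
        else:
            self.user_roles.pop(user, None)
```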
With the introduction of RBAC there is an argument that individual userids are not required and that generic userids could be utilised instead. This would imply that authentication of the role is required at login, and not authentication of identity. To provide for accountability and legal auditing requirements the user has to be identifiable. A user assigned to a role should still have access to personal resources like e-mail and journals that have nothing to do with their assigned role.
In a busy working environment, workstations are likely to be left unattended for periods, or are a shared resource. Automatic locking/logoff or login switching (as used in terminal server sessions) must be enabled and strictly enforced.
Additionally, policies are required by the organisation to provide an underlying platform for the use and administration of the information system. Another activity to be pursued is providing information security and privacy training for all employees, including management.
Question 5 (20 marks)
Write a two page report discussing one of the following topics:
You should include examples to help support your arguments.
Referencing your sources
If you use material from a Web site, it needs to be properly acknowledged. Where you have made use of the material, cite the source of the material using an appropriate referencing style (see below) and include a list of references at the end of your report.
There are various ways of setting out references / bibliographies. One style is the Author-Date (HARVARD) referencing style. Read the article Bibliographic & Electronic Resources: Citations & Referencing for more information. Use the Harvard style in your report. Note that is not sufficient to only have a list of references at the end of your report - materials must be cited in your text.
Explain what risk analysis is and its relevance in data security, discussing how risk analysis is used in the process of providing solutions for data security in an organisation.
The OECD Guidelines for the Security of Information Systems[i] state the following (which is commonly referred to as the CIA ‘model’):
The objective of security of information systems is the protection of the interests of those relying on the information systems from harm resulting from failure of:
- availability
- confidentiality, and
- integrity
Where:
"availability" means the characteristic of data, information and information systems being accessible and usable on a timely basis in the required manner;
"confidentiality" means the characteristic of data and information being disclosed only to authorised persons, entities and processes at authorised times and in the authorised manner;
"integrity" means the characteristic of data and information being accurate and complete and the preservation of accuracy and completeness.
Information risk analysis is the scrutiny and breakdown of components (by defined steps) within an organisation's information system with respect to risks of harm to an information resource. This analysis identifies information resources and threats to each resource. These vulnerabilities or harms provide an insight into the (hopefully existing or planned) protecting countermeasures that are to be put into place. A resultant risk is also calculated in terms of balancing the value of the information resource with the ‘costs’ of the countermeasures.
Information resources, the systems that provide access to the information, and the procedures for management of the information are organisational assets. ISO 17799-2001 Code of Practice for Information Security Management[ii] outlines four categories for asset identification: Information Assets; Software Assets; Physical Assets; and Services. The Australian Defence Signals Directorate (DSD) ACSI 33[iii] outlines five categories: Confidentiality of Information; Availability of Resources and Services; Integrity of Information; Equipment, including Software; and Staff.
Harms or threats can be physical, such as Earthquake, Flooding, Lightning, Power Failure, Fire, Theft, and Terrorist Attack. Logical threats include: Software Failure, Malicious Usage (virus/hacker), Denial of Service Attack (CPU or Network), and Data Theft. Some of these ‘harms’ are easily noticed, such as availability-type events, while others could remain unnoticed and can affect confidence in the information or the integrity of the organisation's information and internal processes. Most threats can be categorised into groups based on the CIA ‘model’; a possible additional characteristic that could be added is reputation.
The consequences of the threat to the organisation should also be considered. The vulnerability in fact becomes a function of likelihood and consequences.
Once the vulnerability of an asset is determined, a number of countermeasures or controls can be applied. ISO 17799 details ten security controls to help in the categorisation of existing and planned processes (policies and countermeasures); they are: Security Policies; Organisational Security; Asset Classification and Control; Personnel Security; Physical and Environmental Security; Communications and Operational Management; Asset Control; System Development and Maintenance; Business Continuity; and Compliance.
ACSI 33 Handbook 3 outlines a risk assessment methodology to be used by Australian Commonwealth Agencies. It is a stepped approach that should lead to information management policies and procedures. These policies and procedures are then fed back into the assessment. DSD uses a qualitative risk analysis methodology.
The methodology can be summarised as:
Once a risk assessment has been completed and accepted by an organisation, it should be regularly reviewed for changes in the value of assets, the nature of threats, and new functionality that could introduce new vulnerabilities.
[1] T. Matsumoto, H. Matsumoto, K. Yamada, S. Hoshino, 2002, "Impact of Artificial Gummy Fingers on Fingerprint Systems," Proceedings of SPIE Vol. #4677, Optical Security and Counterfeit Deterrence Techniques IV, 2002, http://www.itu.int/itudoc/itu-t/workshop/security/present/s5p4.pdf or http://www.totse.com/en/bad_ideas/locks_and_security/164704.html
[i] OECD, 1992, Guidelines for the Security of Information Systems, Ad Hoc Group of Experts, Information, Computer and Communications Policy (ICCP) Committee, Directorate for Science, Technology and Industry (DSTI), Organisation for Economic Co-operation and Development (OECD), DSTI/ICCP/AH(90)21/Rev3, http://www.oecd.org/dsti/sti/it/secur/prod/e_secur.htm#2 or http://webnet1.oecd.org/oecd/pages/home/displaygeneral/0,3380,EN-document-43-1-no-no-10249-0,00.html
[ii] ISO, 2001, 17799-2001 Code of Practice for Information Security Management, International Standards Organization (ISO)
[iii] Commonwealth of Australia, 2000, Australian Communications-Electronic Security Instructions 33 (ACSI 33) – Security Guidelines for Australian Government IT Systems, Defence Signals Directorate, Australian Department of Defence, http://www.dsd.gov.au/infosec/acsi33/acsi_index.html
Threat Likelihood | Description
Negligible | Unlikely to occur
Very Low | Likely to occur two/three times every five years
Low | Likely to occur once every year or less
Medium | Likely to occur once every six months or less
High | Likely to occur once per month or less
Very High | Likely to occur multiple times per month or less
Extreme | Likely to occur multiple times per day
Consequence | Description
Insignificant | Will have almost no impact if threat is realised.
Minor | Will have some minor effect on the asset value. Will not require any extra effort to repair or reconfigure the system.
Significant | Will result in some tangible harm, albeit only small and perhaps only noted by a few individuals or agencies. Will require some expenditure of resources to repair (eg "political embarrassment").
Damaging | May cause damage to the reputation of system management, and/or notable loss of confidence in the system's resources or services. Will require expenditure of significant resources to repair.
Serious | May cause extended system outage, and/or loss of connected customers or business confidence. May result in compromise of large amounts of Government information or services.
Grave | May cause system to be permanently closed, and/or be subsumed by another (secure) environment. May result in complete compromise of Government agencies.
Risk matrix (rows: Threat Likelihood; columns: Consequence Estimation)
Threat Likelihood | Insignificant | Minor | Significant | Damaging | Serious | Grave
Negligible | Nil | Nil | Nil | Nil | Nil | Nil
Very Low | Nil | Low | Low | Low | Medium | Medium
Low | Nil | Low | Medium | Medium | High | High
Medium | Nil | Low | Medium | High | High | Critical
High | Nil | Medium | High | High | Critical | Extreme
Very High | Nil | Medium | High | Critical | Extreme | Extreme
Extreme | Nil | Medium | High | Critical | Extreme | Extreme
Risk Rating | Score
Nil | 0
Low | 1
Medium | 2
High | 3
Critical | 4
Extreme | 5
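To show how the qualitative tables above are applied in practice, here is an added example (constructed for this page, not from ACSI 33 or the original report) that encodes the likelihood/consequence matrix and rating scale exactly as tabulated, ranks a small constructed risk register, and re-rates a risk after a countermeasure lowers its likelihood or consequence.

```python
# Added example for Question 5: risk rating from threat likelihood and
# consequence using the ACSI 33 style matrix tabulated above. The matrix
# cells and the 0-5 rating scale are copied from the tables on this page;
# the assets, threats and estimates used in the demo are constructed.

LIKELIHOOD = ["Negligible", "Very Low", "Low", "Medium", "High",
              "Very High", "Extreme"]
CONSEQUENCE = ["Insignificant", "Minor", "Significant", "Damaging",
               "Serious", "Grave"]

# Rows follow LIKELIHOOD order, columns follow CONSEQUENCE order.
RISK_MATRIX = [
    ["Nil", "Nil", "Nil", "Nil", "Nil", "Nil"],
    ["Nil", "Low", "Low", "Low", "Medium", "Medium"],
    ["Nil", "Low", "Medium", "Medium", "High", "High"],
    ["Nil", "Low", "Medium", "High", "High", "Critical"],
    ["Nil", "Medium", "High", "High", "Critical", "Extreme"],
    ["Nil", "Medium", "High", "Critical", "Extreme", "Extreme"],
    ["Nil", "Medium", "High", "Critical", "Extreme", "Extreme"],
]
RATING_SCALE = {"Nil": 0, "Low": 1, "Medium": 2, "High": 3,
                "Critical": 4, "Extreme": 5}


def risk_rating(likelihood: str, consequence: str) -> str:
    """Look up the qualitative rating for one (likelihood, consequence) pair."""
    return RISK_MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]


def risk_score(likelihood: str, consequence: str) -> int:
    """Numeric 0-5 score from the rating scale, for sorting and comparison."""
    return RATING_SCALE[risk_rating(likelihood, consequence)]


def rank_risks(register):
    """register: list of (asset, threat, likelihood, consequence).
    Returns the rows highest risk first, each extended with rating and score."""
    scored = [(asset, threat, lik, con, risk_rating(lik, con), risk_score(lik, con))
              for asset, threat, lik, con in register]
    return sorted(scored, key=lambda row: row[5], reverse=True)


def after_countermeasure(likelihood, consequence,
                         likelihood_steps=0, consequence_steps=0):
    """Re-rate a risk after a control lowers likelihood and/or consequence
    by the given number of levels (never below the lowest level)."""
    li = max(0, LIKELIHOOD.index(likelihood) - likelihood_steps)
    ci = max(0, CONSEQUENCE.index(consequence) - consequence_steps)
    return risk_rating(LIKELIHOOD[li], CONSEQUENCE[ci])


if __name__ == "__main__":
    # Constructed register for a hospital information system.
    register = [
        ("patient record database", "flooding of server room", "Low", "Serious"),
        ("prescription service", "denial of service", "High", "Damaging"),
        ("staff workstations", "virus infection", "Very High", "Minor"),
    ]
    for row in rank_risks(register):
        print(row)
    # Off-site backups cut the consequence of flooding by two levels.
    print(after_countermeasure("Low", "Serious", consequence_steps=2))
```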