February 11, 2012
Securing and Protecting Information
This paper describes the security authentication process.
The use of information systems is a must for businesses today; their main purpose is to carry out daily tasks efficiently. In the workplace it is crucial to have PCs such as laptops, desktops and even iPads networked together, along with the printers that share the same network. The two most treasured assets of any business are its employees and its networked information systems; the main focus of this paper is the authentication process. Employees and their misuse of information systems pose huge challenges to companies, for instance loss of revenue, legal problems, loss of productivity and the other problems that happen in the workplace. There need to be countermeasures that enforce the usage policies, which in turn minimizes losses and increases productivity. This paper covers securing and protecting information: the issues related to information system misuse, the resulting threats and countermeasures, and learning from past mistakes, in particular where Sony’s security failed.

“There is an urgent need of an authentication procedure able to support end-users in correctly identifying their service web site. This procedure must be standard, simple enough to be usable and understandable by non-technically savvy end-users and easily deployable.” (A Server Authentication Procedure Proposal, 2005) Such a procedure should:
• keep the requirements on end-users such that the authentication process they already follow is not changed;
• be implementable both as an internal aspect of the browser and as a plugin, so that it can be deployed quickly;
• keep the end-users’ data safe even if it is stolen from the web server(s) or lost;
• minimize the computation on the server side;
• be able to operate even on an open HTTP connection, so that unprotected sites can still continue to operate.
“The authentication procedure is based on the following assumptions:
• The information for the initial enrollment phase is provided to the end-users using an out-of-band, non-compromised communication channel (e.g. standard mail);
• The service enrollment site is safe;
• The service X.509 private key(s) is not compromised;
• The end-user’s workstation is safe.” (W3.org, 2005)
“A remote web service is provided with an encrypted copy of the user specific secret data and additional info needed both to protect the preceding interactions and to provide to the client the key recovery information. These items are partially, or totally, updated each time a user completes an authentication.” (W3.org, 2005)

“The secret data is created using the following set of information items:
• The secret share: the core secret component; when combined with the share held by the user (or, exceptionally, by itself), is able to provide evidence of the remote server identity;
• The Service X.509 Certificate: used to provide to the server the session key generated by the client;
• A Timestamp: the date and time of the end-user’s last access;
• A Nonce: a cryptographically strong random number.” (W3.org, 2005)
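As an added illustration (not code from the W3C proposal or from this paper), the following Python sketch models the quoted data items with a 2-of-2 XOR secret split and an HMAC check: the client keeps one share plus the expected evidence, the server keeps the other share together with a timestamp and a nonce, the client confirms the server’s identity by combining the two shares, and both shares and the nonce are refreshed after every successful authentication. A site that never enrolled (a phishing copy) holds no usable share, and a stale copy of the server record fails the nonce check. The X.509 certificate, the session key and the encryption of the server-side copy are left out; every function name and the service name bank.example are assumptions made for the example.

```python
"""
Illustrative split-secret server authentication (example code, added here).
NOT the W3C proposal's actual design: it models only the quoted items
(secret share, timestamp, nonce) with a 2-of-2 XOR split and HMAC-SHA256,
and omits the X.509 / session-key transport. All names are assumptions.
"""
import hashlib
import hmac
import secrets

SECRET_LEN = 32


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings (combining two shares)."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """2-of-2 split: each share alone is uniformly random and reveals nothing."""
    user_share = secrets.token_bytes(len(secret))
    return user_share, xor_bytes(secret, user_share)


def evidence_of(secret: bytes, service_name: str) -> bytes:
    """Value the client expects a genuine server's share to reproduce."""
    return hmac.new(secret, service_name.encode(), hashlib.sha256).digest()


def enroll(service_name: str, now: float) -> tuple[dict, dict]:
    """Enrollment, assumed to happen over an out-of-band channel."""
    secret = secrets.token_bytes(SECRET_LEN)
    user_share, server_share = split_secret(secret)
    nonce = secrets.token_bytes(16)
    client_state = {"share": user_share,
                    "evidence": evidence_of(secret, service_name),
                    "nonce": nonce}
    server_record = {"share": server_share, "timestamp": now, "nonce": nonce}
    return client_state, server_record


def verify_server(client_state: dict, server_record: dict,
                  service_name: str) -> tuple[bool, str]:
    """Client side: reject stale records, then check the combined shares."""
    if not hmac.compare_digest(server_record["nonce"], client_state["nonce"]):
        return False, "stale record (nonce mismatch): replay or outdated copy"
    secret = xor_bytes(client_state["share"], server_record["share"])
    if not hmac.compare_digest(evidence_of(secret, service_name),
                               client_state["evidence"]):
        return False, "share does not reproduce evidence: not the enrolled server"
    return True, "server identity confirmed"


def rotate(client_state: dict, server_record: dict, now: float) -> tuple[dict, dict]:
    """After a successful auth: re-split the same secret, refresh timestamp and nonce."""
    secret = xor_bytes(client_state["share"], server_record["share"])
    user_share, server_share = split_secret(secret)
    nonce = secrets.token_bytes(16)
    return ({**client_state, "share": user_share, "nonce": nonce},
            {"share": server_share, "timestamp": now, "nonce": nonce})


def demo() -> tuple[bool, bool, bool, bool]:
    """Genuine server, phishing copy, replayed old record, post-rotation server."""
    svc = "bank.example"  # assumed service name
    client, server = enroll(svc, now=1.0)
    genuine_ok, _ = verify_server(client, server, svc)
    # A phishing site never enrolled: it can only guess a share.
    phish = {"share": secrets.token_bytes(SECRET_LEN), "timestamp": 1.0,
             "nonce": server["nonce"]}
    phish_ok, _ = verify_server(client, phish, svc)
    client2, server2 = rotate(client, server, now=2.0)
    replay_ok, _ = verify_server(client2, server, svc)   # old record after rotation
    rotated_ok, _ = verify_server(client2, server2, svc)
    return genuine_ok, phish_ok, replay_ok, rotated_ok


if __name__ == "__main__":
    print(demo())
```

Running the block prints (True, False, False, True): the enrolled server passes, a server with a guessed share fails, a record left over from before rotation fails on the nonce, and the freshly rotated record passes again. The evidence value stays fixed across rotations because only the way the secret is split changes, not the secret itself.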
“Now when it comes to the Sony Network, here is what fixing the security authentication process involves. It’s not just about vulnerabilities.” (Sony Compliance, 2011) Compliance covers the storage of data: which data you are storing, how you are storing it, and how long you are storing it. “An unofficial report, specifically a Pastebin link with a chat log, was published and disclosed that Sony was running outdated Linux software (Sony has since denied these claims):” (Sony Compliance, 2011)
• Apache 2.2.15
• Linux kernel 2.6.9-2.6.24
“Being compliant to any particular standard is only one step towards security. If you do not have some process for implementing and maintaining compliance to either an external standard (such as the PCI DSS) or your own internally developed standards. Tenable chose to audit and report on the...