Definition of Authentication
What is authentication?
Authentication is the process by which a computer, a program, or a user confirms whether the party from which it has received some communication is, or is not, the party it claims to be.
Authentication
Securely Implementing LDAP
This paper discusses the security exposures and possible solutions encountered when implementing LDAP directories. Risk is a product of threat, vulnerability, and cost; always keep in mind, however, that anything times zero is zero. Even though the confidentiality of the data in a public directory may be very low, the integrity of that data always needs to be protected, so security considerations must always be factored into an LDAP implementation. For a good overview of LDAP itself, see the web articles "LDAP: Use as Directed" [1] by Tim Howes and "Overview & Security Aspects of the Lightweight Directory Access Protocol (LDAP)" [2] by Louis R. Brand.
Read the Article
Proximity Authentication
The World Wide Web, the Internet, and falling prices have made computers an important tool at home and at work, used for research, shopping, and publishing. As a result, people began to rely on computers for most of their daily tasks, which meant storing private, personal, and valuable data on them; at work, sensitive data became readily accessible from every desktop. This availability of information and computers made private and sensitive data vulnerable, and tempting, to unauthorized people. Furthermore, users habitually log in when they start their day and stay logged in all day whether or not they are at the computer, leaving the machine open to unauthorized access: "The weak link in securing access to PCs and data is undoubtedly the user".
Read the Article
Implementing Identity Management with BMC Control-SA
Identity Management is a relatively new concept that aims to solve the problem of centralized access-control security administration across multiple platforms and applications. "Identity Management is essentially an infrastructure that encompasses many technologies from user provisioning to authentication and access management." With centralized security administration, a company can enforce a consistent security policy (password policy, user rights, and so on) and manage user accounts, user groups, and other entities across the entire enterprise from a single point. This paper is a case study describing how the organization I work for implemented Identity Management using the BMC Control-SA product. I present the situation before and after implementing Control-SA and outline the benefits realized from the implementation.
Read the Article
Programmatic Management of Active Directory Groups
Management of security group memberships in midsize and larger organizations has always been a problematic issue. If individuals are not in the correct groups, they usually need to call the company's security department, explain the issue, and get approval to gain access to the security group before they can perform job related tasks. For large companies with high turnover this can result in hundreds of security requests per week. The impact to the bottom line of a company due to lost productivity and salaries for the additional help desk personnel required to handle these requests can be significant. Even if we ignore the additional cost required to manually process security requests, manually maintaining security rights can lead to an auditing nightmare. Few organizations actively monitor the membership of security groups. Even though an employee's job responsibility may change over time, access to applications and data that is no longer required is seldom removed.
Read the Article
Exploring Identity Management
Identity management is the concept of centralizing the control of resource provisioning and system access. Leveraging human resources software, corporate directories, and centralized servers, it provides large enterprises with the means to initiate workflow for automatically allocating and de-allocating physical and computing resources to users. Poor or no identity management can open many security holes and this class of software, combined with effective policy, promises to counter these vulnerabilities. Some software solutions cover all areas of identity management while others only address a specific concern. This document aims to provide a guide to the various ways it can be implemented and show how identity management can lead to improved security.
Read the Article
Infrastructure Design Considerations When Using Client Certificates
This paper will investigate some of the considerations that should be evaluated when looking to bring a new technology into the design of an application. The security technology that will be used as an example is client-based certificates. It is easy to see that there are increasing requirements for web-based applications to use the Internet for conducting private business. This will sometimes require two-way authentication between the client and the server in addition to the more frequently addressed issues of integrity and privacy that certificate use has provided. As with any design, there are several ways to accomplish a given task, with each one providing unique advantages and disadvantages that must be weighed against the criteria of the implementation goals. These points will be discussed and summarized to assist the reader in understanding the trade-offs associated with each approach.
Read the Article
Identification with Zero Knowledge Protocols
Modern cryptography is based on the secrecy of the key. In secret-key cryptosystems, two parties have to meet and agree on a common secret key before any communication can happen. In public-key cryptosystems, each party has a pair of keys, one published in a database available to everybody and the other kept secret; this eliminates the need for a preliminary secure interaction between the two parties. The strength of the scheme rests on the limited computational resources available to each user, legitimate or malicious: at the core of any public-key cryptosystem is a computationally difficult problem, and security rests on the fact that the private key can be computed from the public key only by solving it. With the public key, a user can encrypt messages that only the holder of the private key can decrypt; anyone knowing the public key can thus send the key's owner a message in privacy.
Read the Article
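As an added illustration of the identification idea described above (example code written for this listing, not taken from the paper), here is a toy Fiat-Shamir identification run in Python. The modulus N, the prover's secret s and all parameter sizes are assumed, deliberately small values; the protocol itself is the textbook one: the prover commits to x = r^2 mod N, the verifier sends a one-bit challenge e, the prover answers y = r * s^e mod N, and the verifier accepts only if y^2 = x * v^e (mod N), where v = s^2 mod N is the public value. A cheating prover who knows only v can still pass a single round with probability 1/2 by guessing e in advance, which is why the protocol is repeated for many rounds, and the verifier must reject the degenerate commitment x = 0, which would otherwise always pass.

```python
import secrets

# Toy Fiat-Shamir identification. All parameters below are assumed, deliberately
# tiny values chosen for readability; a real deployment uses an RSA-size modulus
# whose factorisation nobody knows.
P, Q = 1009, 1013            # assumed primes (discarded after N is formed)
N = P * Q                    # public modulus; factoring N is the hard problem
SECRET = 12345               # prover's private key s (assumed value, coprime to N)
PUBLIC = pow(SECRET, 2, N)   # published value v = s^2 mod N


class Prover:
    """Holds s and proves knowledge of it without revealing it."""

    def __init__(self, n, s):
        self.n, self.s, self.r = n, s, None

    def commit(self):
        # Fresh random r every round; reusing r across rounds leaks s.
        self.r = secrets.randbelow(self.n - 2) + 1
        return pow(self.r, 2, self.n)

    def respond(self, e):
        # y = r * s^e mod n.  For e = 0 the answer is independent of s.
        return (self.r * pow(self.s, e, self.n)) % self.n


class CheatingProver:
    """Knows only the public v.  Guesses the challenge in advance, so each
    round succeeds with probability exactly 1/2."""

    def __init__(self, n, v):
        self.n, self.v_inv, self.r = n, pow(v, -1, n), None

    def commit(self):
        self.r = secrets.randbelow(self.n - 2) + 1
        self.guess = secrets.randbelow(2)
        x = pow(self.r, 2, self.n)
        # Betting on e = 1: commit to r^2 / v so that r^2 == x * v later.
        return x if self.guess == 0 else (x * self.v_inv) % self.n

    def respond(self, e):
        return self.r            # verifies only if the guess matched e


class Verifier:
    def __init__(self, n, v):
        self.n, self.v = n, v

    def challenge(self):
        return secrets.randbelow(2)

    def check(self, x, e, y):
        # Reject degenerate values first: x = y = 0 would otherwise always pass.
        if x % self.n == 0 or y % self.n == 0:
            return False
        return pow(y, 2, self.n) == (x * pow(self.v, e, self.n)) % self.n


def run_protocol(prover, verifier, rounds=20):
    """Run `rounds` commit/challenge/response rounds; True only if all pass.
    A cheater's chance of passing every round is 2**-rounds."""
    for _ in range(rounds):
        x = prover.commit()
        e = verifier.challenge()
        y = prover.respond(e)
        if not verifier.check(x, e, y):
            return False
    return True


if __name__ == "__main__":
    honest = run_protocol(Prover(N, SECRET), Verifier(N, PUBLIC))
    cheat = run_protocol(CheatingProver(N, PUBLIC), Verifier(N, PUBLIC), rounds=40)
    print(f"honest prover accepted: {honest}, cheating prover accepted: {cheat}")
```

Nothing the verifier sees (x, e, y) lets it recover s: for e = 0 the transcript is independent of s, and for e = 1 the value y = r * s is masked by the fresh random r. The verifier's transcript could even be simulated without s by picking e first, which is exactly the zero-knowledge property.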
Securing FTP Authentication
The File Transfer Protocol, or FTP, is an industry standard method of data exchange between computers. Widely used because of its flexibility and ubiquity, FTP has also become a frequent point of attack. Though certainly not the only issue, one frequently cited area of concern is the use of a clear-text data stream for passing authentication and control information. Intended for a novice to intermediate level administrator, this paper briefly examines how a nonsecure FTP implementation functions and demonstrates how the clear-text control connection can be exploited. A common misconception is that switched network architectures adequately protect an organization from network eavesdropping. Several ways of bypassing switch security are outlined, illustrating the continuing need for protecting the FTP data streams.
Read the Article
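To make concrete what the clear-text control connection hands an eavesdropper, here is an added Python example (written for this listing, not code from the paper) that walks a constructed packet capture of FTP control-channel traffic and recovers every USER/PASS pair sent in the clear, while ignoring sessions that upgraded to TLS with AUTH TLS (RFC 4217). The addresses, payloads and the Segment record type are constructed for the example; a real detector would be fed reassembled TCP payloads from a sniffer or a Zeek script, and the same logic serves as a detection rule for "clear-text FTP login seen on the wire".

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """One TCP payload as a sniffer would hand it over (constructed record type)."""
    src: str       # "ip:port"
    dst: str
    payload: bytes


# Constructed capture: one plain FTP login and one session that switches to TLS.
CAPTURE = [
    Segment("10.0.0.5:40001", "10.0.0.9:21", b"USER alice\r\n"),
    Segment("10.0.0.9:21", "10.0.0.5:40001", b"331 Password required for alice\r\n"),
    Segment("10.0.0.5:40001", "10.0.0.9:21", b"PASS s3cret!\r\n"),
    Segment("10.0.0.9:21", "10.0.0.5:40001", b"230 User alice logged in\r\n"),
    Segment("10.0.0.7:40002", "10.0.0.9:21", b"AUTH TLS\r\n"),
    Segment("10.0.0.9:21", "10.0.0.7:40002", b"234 Proceed with negotiation\r\n"),
    # After 234 the client's USER/PASS travel inside TLS records (opaque bytes).
    Segment("10.0.0.7:40002", "10.0.0.9:21", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
]


def harvest_cleartext_logins(capture, server_port=21):
    """Return the credentials visible on unencrypted FTP control channels."""
    suffix = f":{server_port}"
    state = {}      # flow -> {"user": str|None, "tls_requested": bool, "tls": bool}
    found = []
    for seg in capture:
        to_server = seg.dst.endswith(suffix)
        flow = (seg.src, seg.dst) if to_server else (seg.dst, seg.src)
        st = state.setdefault(flow, {"user": None, "tls_requested": False, "tls": False})
        if st["tls"]:
            continue                    # AUTH TLS completed: nothing readable from here on
        try:
            text = seg.payload.decode("ascii")
        except UnicodeDecodeError:
            continue                    # not a printable command line
        for line in text.splitlines():
            if to_server:
                verb, _, arg = line.partition(" ")
                verb = verb.upper()     # FTP verbs are case-insensitive
                if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                    st["tls_requested"] = True
                elif verb == "USER":
                    st["user"] = arg
                elif verb == "PASS" and st["user"] is not None:
                    found.append({"client": flow[0], "server": flow[1],
                                  "user": st["user"], "password": arg})
            elif st["tls_requested"] and line.startswith("234"):
                st["tls"] = True        # server agreed; later segments are TLS records
    return found


if __name__ == "__main__":
    for hit in harvest_cleartext_logins(CAPTURE):
        print(f"clear-text FTP login {hit['client']} -> {hit['server']}: "
              f"{hit['user']} / {hit['password']}")
```

Only the first session yields anything; the second is invisible once the server answers 234. The defensive lesson is the mirror image: require AUTH TLS (or move to SFTP) and alert on any PASS observed on port 21 outside a TLS-upgraded session.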
Securing Time - The Autokey Protocols
This paper investigates the authentication protocols used with NTP-V4. It does not review the NTP protocol itself, nor does it cover in detail the authentication protocol used in its predecessor, NTP-V3. For those new to the topic, NTP is the Network Time Protocol, used to obtain a reliable time reference for a site or host from the Internet; a brief overview of the full protocol is given in Addendum 1. NTP authentication is unique in that it must bootstrap in an initial environment of untrusted sources and inaccurate clocks, and the problem is exacerbated by computational-overhead constraints that affect the accuracy of the timestamps on which NTP depends. These requirements are why standard techniques such as IPsec, and the naive approach of signing each timestamp message, are inappropriate as an authentication mechanism.
Read the Article
The Use and Administration of Shared Accounts
This paper discusses the use and security of shared accounts. While shared accounts exist on other systems, the scope is limited to UNIX and Microsoft Windows systems; the basic principles should apply to other systems as well. The paper starts by defining what shared accounts are, some of their uses, and some of the risks associated with those uses.
Read the Article