This document discusses various topics related to organizational and personal security, including password selection, common security threats, and biometrics. It provides guidelines for creating strong passwords, such as avoiding dictionary words and using special characters. It also describes common security threats like shoulder surfing, piggybacking, dumpster diving, and unauthorized software installation. Finally, it discusses biometrics techniques for authentication and access control.
Lecture Note 2
Organizational Security
Password selection
• Good v/s Bad password
• Rules of a good password:
  – No dictionary words
  – No names
  – Use special characters
  – No relation to the user ID or to personal information
  – A different password for each account
  – Frequent change (current guidance such as NIST SP 800-63B favours changing a password when compromise is suspected over forced periodic rotation)
  – Longer passwords are better than shorter ones
  – Consider using a secure password manager (weigh its pros and cons)
Kunal Thanki, Lecturer, Govt Polytechnic, Jamnagar. 10/16/2021

Human Security Threats
  1. Shoulder surfing
  2. Piggybacking
  3. Dumpster diving
  4. Installing unauthorized hardware and software
  5. Access by non-employees
1. Shoulder Surfing
• Attackers position themselves so that they can observe an authorized user entering the correct access code or password.
• Avoidance:
  – Be aware of who is nearby while entering a password
  – Use an entry method that leaves nothing visible to an onlooker (shield the keypad, masked input fields, no written-down codes)
  – Use a biometric tool instead of a typed secret
2. Piggybacking (Tailgating)
• A type of social engineering attack on physical access control
• The attacker impersonates someone with a legitimate reason to enter (an employee, a contractor, a delivery)
• Done without the knowledge of the person being followed
• The attacker follows an authenticated user through the door or checkpoint, so the victim's credential opens the way for both
3. Dumpster Diving
• The process of going through a target's trash is known as dumpster diving
• When dumpster diving, the attackers or hackers are looking for:
  1. Phone lists
  2. Memos
  3. Policy manuals
  4. Calendars of events
  5. System manuals
  6. Printouts
  7. Disks, tapes, CDs, DVDs
  8. Old hard drives
• Security measures against dumpster diving are physical, not network controls (a firewall protects the network, not the waste bin): shred paper before disposal, lock or supervise waste containers, ensure that data is wiped from old hard drives, and physically destroy old storage media so that discarded or loose data cannot be recovered.
4. Installing unauthorized hardware and software
• Organizations should have a policy that prevents normal users from installing software and hardware on their systems
• Unvetted software or devices can carry a backdoor that gives an attacker entry without the user's knowledge
• Controls:
  – Separate standard user accounts from administrator accounts, so everyday work runs without install privileges
  – Use system-restore software such as Deep Freeze, which discards changes on reboot
  – Give each user a separate user space (profile) rather than a shared account

5. Access by Non-employees
• If an attacker gains physical access to a facility, there is a good chance of obtaining enough information to penetrate computer systems and networks.
  – Many organizations require employees to wear identification badges at work.
  – This method is easy to implement and may deter unauthorized individuals.
  – It only works if employees actually challenge individuals not wearing an identification badge.

Password Protection
• The front line of defense against intruders is the password system. Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password.
• The password serves to authenticate the ID of the individual logging on to the system.
• In turn, the ID provides security in the following ways:
  1. The ID determines whether the user is authorized to gain access to the system.
  2. The ID determines the privileges accorded to the user.

Password Selection Strategies
• Use different strategies for sites of different risk levels:
  1. The password manager: software such as LastPass or RoboForm.
  2. The password list or book, where you keep site names and passwords: write a shorthand hint rather than the password itself.
  3. Your brain plus a system: combine a site code (such as "tax" for the site abcxyz) with a second piece such as an expiration code (Q1).
  4. The password hasher:
    – Uses an algorithm to generate a hash value of the entered textual password
    – Example: the MD5 algorithm (caveat: MD5 is fast and unsalted by design, so it is no longer acceptable for storing passwords; a deliberately slow, salted function such as bcrypt, scrypt, Argon2 or PBKDF2 is used instead)
    – One-way process
    – A salt is appended to the password before the hash is created
    – Produces a fixed-size hash output for variable-length input

• Consider a scheme that is widely used on UNIX (crypt(3)):
  – Each user selects a password of up to eight characters
  – This is converted into a 56-bit value that serves as the key to the encryption routine
  – The encryption routine is based on DES
  – The DES algorithm is modified by a 12-bit salt value; typically this value is related to the time at which the password is assigned to the user
  – The output of the algorithm then serves as input for a second encryption
  – This process is repeated for a total of 25 encryptions
  – The resulting 64-bit output is then translated into an 11-character sequence
  – The hashed password is then stored, together with a plaintext copy of the salt, in the password file
• The salt serves these purposes:
  – It prevents duplicate passwords from being visible in the password file
  – It effectively increases the length of the password without requiring the user to remember additional characters
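The salted, one-way hashing described above, as an added example that is not part of the original lecture notes. It uses only Python's standard library: the unsalted MD5 of the slide is shown beside a salted PBKDF2-HMAC-SHA256 record, which is the modern form of the crypt(3) idea (a per-user salt stored in clear next to the hash, and a deliberately slow function). The user names, passwords and word list are constructed for the demo, and the record layout pbkdf2_sha256$iterations$salt$hash is this example's own convention, not a standard format.

```python
"""Added example: why a password hasher must be salted and slow.

Demonstrates three points from the lecture notes: (1) an unsalted fast hash
such as MD5 makes duplicate passwords visible in the password file and is
reversed with one pass over a word list; (2) a per-user random salt hides
duplicates and forces the attacker to start over for every user; (3) a slow
key-derivation function (PBKDF2-HMAC-SHA256 here) is the modern equivalent of
the 25-round DES scheme in the slides.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample credentials (not real users); two users share a password.
SAMPLE_USERS = {"alice": "password", "bob": "password", "carol": "Xq7#rLm2!vPw"}

# Constructed miniature word list standing in for a real dictionary.
WORDLIST = ["123456", "letmein", "password", "qwerty", "welcome"]

# Cost factor. Kept low so the demo runs quickly; production deployments use
# far higher counts (OWASP currently lists 600,000 for PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 100_000


def md5_unsalted(password: str) -> str:
    """The naive scheme: hash the password alone (the slide's MD5 example)."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on an unsalted hash: one MD5 per candidate word, and
    the same work recovers every user who chose that word."""
    for word in wordlist:
        if md5_unsalted(word) == digest:
            return word
    return None


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a stored record 'pbkdf2_sha256$iterations$salt$hash'.
    Like crypt(3), the salt is stored in clear beside the hash (16 random
    bytes here, versus the 12-bit salt of classic UNIX)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so a timing difference does not leak matching prefixes."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def unsalted_table(users: Dict[str, str] = SAMPLE_USERS) -> Dict[str, str]:
    """Password file built with the naive scheme."""
    return {u: md5_unsalted(p) for u, p in users.items()}


def salted_table(users: Dict[str, str] = SAMPLE_USERS) -> Dict[str, str]:
    """Password file built with per-user salts and a slow hash."""
    return {u: make_record(p) for u, p in users.items()}


if __name__ == "__main__":
    plain = unsalted_table()
    print("unsalted MD5 (alice and bob are visibly identical):")
    for user, digest in plain.items():
        print(f"  {user}: {digest}  cracked -> {crack_unsalted(digest, WORDLIST)}")
    salted = salted_table()
    print("salted PBKDF2 (same password, different records):")
    for user, rec in salted.items():
        print(f"  {user}: {rec}")
    print("verify alice/password:", verify(salted["alice"], "password"))
    print("verify alice/Password:", verify(salted["alice"], "Password"))
```

Running it shows alice and bob with the same MD5 digest, both recovered from the five-word list, while their salted records differ and can only be checked by recomputing PBKDF2 with each user's own salt.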
The Vulnerability of Passwords
• A vulnerability is the intersection of three elements:
  – A system's flaw or weakness
  – Attacker access to the flaw
  – Attacker capability to exploit the flaw
• Vulnerability management is the cyclical practice of identifying, classifying and remediating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.

People as a Security Tool
1. Security awareness
2. Individual user responsibilities
Physical Security
• Protection of data, software, hardware and networks from physical attacks or physical events that could cause serious damage to the organization
• Main goal: a safe environment for the organization
• 1. Access control
Biometrics
• The architecture (diagram in the original slides)
• The process is carried out in the following steps:
  1. The biometric sensor measures the user's physiological or behavioral characteristic pattern; this pattern is captured and sent to the processing module.
  2. The processing module compares the biometric pattern stored in the database (the enrolled template) with the pattern just received from the sensor.
  3. The result is transmitted to the application, which grants or denies access based on the outcome of the comparison.

Biometrics Techniques
1. Fingerprint Authentication
• The process of obtaining a digital representation of a fingerprint and comparing it to a stored digital version of the fingerprint.
• Matching is based on minutiae
Minutiae (diagram in the original slides)
Fingerprint scanning, minutiae-based approach (diagram in the original slides)
• Advantages:
  1. High accuracy
  2. Easy to use
  3. Mature technology
  4. Small storage space required for the biometric template stored in the database
  5. Low cost
• Disadvantages:
  1. It can make mistakes with dry or dirty finger skin

2. Hand scanning
• Advantages:
  – Easy to store
  – Captures multiple measurements (hand geometry)
  – Easy to integrate
• Disadvantages:
  – Expensive
  – Not usable for persons with arthritis
3. Retina scanning
• Based on the blood vessel pattern in the retina of the eye, which provides a unique basis for identification
• Technique:
  – Step 1: The person looks into a focusing camera at close range for several seconds
  – Step 2: A low-power infrared beam (~7 mW) is directed into the pupil
  – Step 3: The resulting picture is captured by the camera and a barcode-like signature is generated
  – Step 4: Image processing filters out the relevant feature points (blood vessel distribution)
  – Step 5: The pattern is matched against the stored templates
• Advantages:
  – Very high accuracy
  – There is no known way to replicate a retina
• Disadvantages:
  – Very expensive
  – Time-consuming process
  – Inconvenient for persons with eyeglasses or contact lenses

4. Voice Recognition
• The electrical signal from the microphone is digitized by an analog-to-digital (A/D) converter and stored in memory.
• Works on the principle of the frequency and modulation of the voice
Voice Recognition Modalities
• Speaker dependent
  – Relies on knowledge of the candidate's particular voice characteristics.
  – The system must be trained on each user, to accustom it to that person's accent and tone, before it is used to recognize what was said.
• Speaker independent
  – Able to recognize speech from different users by restricting the context of the speech, such as the words and phrases allowed.
• Advantages:
  – Low cost
  – Usable over the existing telephone system
  – Good for remote access and monitoring
  – Speedy
• Disadvantages:
  – Less accuracy
  – Susceptible to the quality of the microphone and to background noise
  – Not secure: susceptible to spoofing attacks using a recorded voice
  – The user's voice varies over time

5. Signature Recognition
• Process used to recognize an individual's handwritten signature
• The technology examines the behavioural components of the signature, such as stroke order, speed and pressure; if they match the stored template, authentication succeeds, otherwise it fails.
• Static v/s dynamic: static (offline) recognition uses only the image of the finished signature; dynamic (online) recognition also uses how it was written (stroke order, speed, pressure)
• Advantages:
  1. Highly resistant to impostors: it is very difficult to mimic the behavioral patterns inherent in the act of signing.
  2. High social acceptance
  3. Easy to change: a user can enrol a new signature
  4. Low implementation cost
• Disadvantages:
  1. Less accuracy

6. Keystroke Recognition
• Based on the manner and rhythm of typing
• Based on dwell time (how long a key is held down) and flight time (the interval between releasing one key and pressing the next)
• No additional hardware is required
• Features often used:
  – Latency between keystrokes: dwell time and flight time
  – Duration of a keystroke (hold time)
• Features seldom used:
  – Overall typing speed
  – Frequency of errors
  – Habit of using additional keys (numpad etc.)
  – Capital letters (order of releasing shift and the letter)
  – Force of hitting keys (special keyboard needed)
• Latencies between keystrokes when typing "password" by three persons (chart in the original slides)
• Advantages:
  1. Universality: anyone who uses a keyboard can be enrolled
  2. Low cost
  3. Collectability: it uses existing hardware and works in the background
• Disadvantages:
  1. Less accuracy
  2. Hard to characterize uniqueness
  3. Varying rhythm (fatigue, a different keyboard, mood)
  4. Acceptability: continuous monitoring of keystrokes raises privacy and cyber-law concerns
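The keystroke-dynamics verification described above, as an added example that is not part of the original lecture notes. It walks through the three-step biometric pipeline from the "Biometrics: the process" slide (capture a pattern, compare it with the stored template, grant or deny) using the two features the keystroke slide names, dwell time and flight time. All key-event timings, the word typed, the enrolment samples, the impostor rhythm, the standard-deviation floor and the acceptance threshold are constructed for the demo; the scaled Manhattan distance used as the matching score is one common choice, not something the slides prescribe.

```python
"""Added example: keystroke-dynamics verification from dwell and flight times.

A template is enrolled from several typing samples (per-feature mean and
standard deviation), a new attempt is scored by its average distance from the
template in units of standard deviation, and a threshold turns that score into
a grant/deny decision.  All timings below are constructed for the demo.
"""
import statistics
from typing import Dict, List, Tuple

KeyEvent = Tuple[str, int, int]      # (key, press_ms, release_ms)

# Constructed "typical" rhythm of one user typing the word "password":
# per-key hold times and the gaps between releasing one key and pressing the next.
WORD = "password"
BASE_DWELL = [90, 85, 95, 88, 92, 90, 87, 93]        # ms, one per key
BASE_FLIGHT = [120, 110, 130, 115, 125, 118, 122]    # ms, one per key pair


def make_events(text: str, dwells: List[int], flights: List[int]) -> List[KeyEvent]:
    """Turn per-key dwell and inter-key flight times into a key-event stream,
    i.e. what the 'sensor' (here the keyboard driver) would deliver."""
    events, t = [], 0
    for i, ch in enumerate(text):
        press, release = t, t + dwells[i]
        events.append((ch, press, release))
        if i < len(text) - 1:
            t = release + flights[i]
    return events


def features(events: List[KeyEvent]) -> List[float]:
    """Dwell time per key (release - press) followed by flight time between
    consecutive keys (next press - this release); n keys give 2n-1 features."""
    dwell = [float(r - p) for _, p, r in events]
    flight = [float(events[i + 1][1] - events[i][2]) for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples: List[List[KeyEvent]], min_std: float = 5.0) -> Dict[str, List[float]]:
    """Build the stored template: per-feature mean and standard deviation over
    the enrolment samples.  The std floor stops a feature that happened to be
    constant during enrolment from rejecting every later attempt."""
    vectors = [features(s) for s in samples]
    mean = [statistics.fmean(col) for col in zip(*vectors)]
    std = [max(statistics.pstdev(col), min_std) for col in zip(*vectors)]
    return {"mean": mean, "std": std}


def score(template: Dict[str, List[float]], attempt: List[KeyEvent]) -> float:
    """Scaled Manhattan distance: mean of |x - mean| / std over all features.
    0.0 means the attempt reproduces the enrolled rhythm exactly."""
    vec = features(attempt)
    return sum(abs(x - m) / s for x, m, s in zip(vec, template["mean"], template["std"])) / len(vec)


def verify(template: Dict[str, List[float]], attempt: List[KeyEvent], threshold: float = 1.5) -> bool:
    """Decision step: accept when the attempt lies within `threshold` standard
    deviations of the template on average.  The threshold sets the trade-off
    between false rejects (too strict) and false accepts (too loose)."""
    return score(template, attempt) <= threshold


def demo_template() -> Dict[str, List[float]]:
    """Enrol from three constructed samples: uniformly 6 ms faster than,
    equal to, and 6 ms slower than the base rhythm."""
    samples = [make_events(WORD, [d + off for d in BASE_DWELL], [f + off for f in BASE_FLIGHT])
               for off in (-6, 0, 6)]
    return enroll(samples)


# Constructed attempts: the genuine user with a few ms of jitter per key, and an
# impostor who holds keys ~30 ms longer and pauses ~60 ms more between keys.
GENUINE_ATTEMPT = make_events(
    WORD,
    [d + j for d, j in zip(BASE_DWELL, [4, -3, 5, -2, 3, -4, 2, -5])],
    [f + j for f, j in zip(BASE_FLIGHT, [-3, 4, -5, 2, -4, 3, -2])])
IMPOSTOR_ATTEMPT = make_events(WORD, [d + 30 for d in BASE_DWELL], [f + 60 for f in BASE_FLIGHT])

if __name__ == "__main__":
    tpl = demo_template()
    for name, attempt in (("genuine", GENUINE_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT)):
        print(f"{name}: score={score(tpl, attempt):.2f} accepted={verify(tpl, attempt)}")
```

With these constructed timings the genuine attempt scores about 0.68 standard deviations and is accepted, while the impostor scores 8.8 and is rejected; the "varying rhythm" disadvantage from the slide shows up as a larger genuine score whenever the user is tired or on an unfamiliar keyboard, which is why the threshold has to be tuned on real enrolment data.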