Unit2 CNS 2020

This document discusses various topics related to organizational security, including password selection, piggybacking, shoulder surfing, dumpster diving, installing unauthorized software/hardware, physical security, and individual user responsibilities. It provides guidelines for creating strong passwords, defines terms like piggybacking and shoulder surfing, explains how to prevent dumpster diving, and outlines best practices for physical access control and ensuring security awareness among users. The document contains detailed information on authentication methods, authorization processes, and strategies for enhancing computer and network security within an organization.

Uploaded by Mihir Rathod

COMPUTER AND NETWORK SECURITY

(COURSE CODE: 3350704)


Unit-2 Organizational Security
2.1 Password selection, Piggybacking, Shoulder surfing, Dumpster diving, Installing
unauthorized software /hardware, Access by non-employees.
2.2 People as Security Tool: Security awareness, and Individual user responsibilities.
2.3 Physical security: Access controls
Biometrics: finger prints, hand prints, Retina, Patterns, voice patterns, signature and writing
patterns, keystrokes, Physical barriers
2.4 Password Management, vulnerability of password, password protection, password selection
strategies, components of a good password
2.1.1 Password Selection
Guidelines on how to make a hard-to-crack password:
1. Use appropriate length.
2. Form a "random" sequence of words and/or letters.
3. Add numbers to the base-word to make it more secure.
4. Use punctuation and symbols to make it "complicated".
5. Combine upper and lowercase letters.
6. Generate similar but altered passwords.
7. Change your passwords periodically or whenever it may have become compromised.
8. Don't re-use an expired password.
9. If you have trouble remembering all the passwords you need, try using a password manager.
10. Try to memorize the password, and avoid writing it down.
11. Do not use the same password for everything.
12. Do not tell anybody your password.

2.1.2 Piggybacking
In the context of computer science, "piggybacking" refers to a situation where an unauthorized
party gains access to some system in connection with an authorized party. This can happen in
several ways, including piggybacking on public wireless networks, and piggybacking into a
password-protected system.

VPMP POLYTECHNIC,COMPUTER DEPARTMENT.


[OR: In security, piggybacking, similar to tailgating, refers to when a person tags along with another person who is authorized to gain entry into a restricted area or to pass a certain checkpoint. It can be either electronic or physical.]
Piggybacking on wireless networks:
• Piggybacking on Internet access is the practice of establishing a wireless Internet connection by using another subscriber's wireless Internet access service without the subscriber's permission or knowledge.
• Piggybacking is the unauthorized access of a wireless LAN.
• Piggybacking is sometimes referred to as "Wi-Fi squatting."
• The purpose of piggybacking is simply to gain free network access, but it can slow down
data transfer of the network.
• It's quite simple to access an unsecured wireless network: All you have to do is get into the
range of a Wi-Fi hotspot's signal and select your chosen network from the options presented.
• However, unauthorized network access, even to free Wi-Fi, may be illegal.
To protect a network from piggybacking:
• Ensure that encryption is enabled on your router.
• Use Wired Equivalent Privacy (WEP) only as a last resort: it is obsolete and easily broken, so use Wi-Fi Protected Access (WPA), preferably WPA2.
• Use a strong passphrase for your encryption key, consisting of at least 14 characters and mixing letters and numbers.
• Piggybacking can be defeated (overcome) by logging out before walking away from a
workstation or terminal.

2.1.3 Shoulder surfing


• Shoulder surfing describes a person looking over another person's shoulder as they enter data into a computer or other device.
• For example, someone might shoulder surf while you are entering your computer password, ATM PIN or credit card number.
• Criminals often use this technique to gain access to your personal accounts or to read personal information such as e-mails.
• Attackers need no technical skills to carry out this technique; constant observation of the victim's surroundings and typing pattern is sufficient.
• Crowded places are the most likely areas for an attacker to shoulder surf a victim.

2.1.4 Dumpster Diving (Trashing)


• Dumpster diving involves searching through trash or garbage looking for something
useful. (Dumpster diving can mean looking through physical trash or searching discarded
digital data.)

• Dumpster diving is the name of the technique where the attacker looks for information in dustbins and trash.
For example, after withdrawing money from an ATM, the user usually throws away the receipt on which the total amount and account details are printed. This type of information is helpful to a hacker, which is why they use dumpster diving.
• Sensitive information may be available from trash, such as company directories and phone lists with e-mail addresses, company policies, procedures, system details, catalogue lists, drafts and letters, etc.
• Trashing is often done to uncover useful information that may help an individual get access to a particular network.
• In many cases, dumpster diving involves getting data about a user in order to attack that user and gain access to his or her user profiles or other restricted areas of the Internet or a local network.
To prevent dumpster diving:
• Cross-cut shred papers before they go out with the recycling or garbage collection.
• Lock the bins.
• Erase all data from tapes and hard disks.
• Break CD-ROMs and place them in a microwave to heat them.

2.1.5 Installing unauthorized software /hardware


• Many administrators find that users install unauthorized software on their notebook computers. Here are a couple of approaches you can take to counteract this user behaviour.
1. Organizations may want to limit the installation of applications on notebook computers that they assign to employees.
• One way to do this is to make sure that all users are members of the Users group and NOT members of the Administrators group. This prevents the user from installing applications that can alter the configuration.
• Another approach is to modify a sub-key in the registry, which locks the system down and prevents the user from installing any new software.
It can be done by performing the following:
Start regedit
Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Double-click the PromptRunasInstallNetPath value (if this is not present you can create a new string value)
Set this value to 1
Click OK

2.2 People as Security Tool: Security awareness and Individual user responsibilities:

Security awareness:
• Security awareness is the knowledge regarding the protection of the physical, and especially informational, assets of an organization.
• Being security aware means you understand that there is the potential for some people to steal, damage or misuse the data that is stored within a company's computer systems and throughout its organization.

Individual User Responsibilities:


• Be polite and use appropriate language:
 You are a representative of your organization.
 You should not submit threatening materials or messages, either public or private.
• Privacy:
 Do not reveal (disclose) any personal information about yourself (such as home address, phone number, photographs).
 Lock the door to your office or workshop.
 Do not leave sensitive information unprotected inside your car.
 Keep storage media containing sensitive information in a secure storage device.
 Shred paper containing organization information in a secure device.
 Users should ensure that sensitive information on a laptop is encrypted so that, should the equipment be lost or stolen, the information remains safe.
• E-mail:
 Include your signature at the bottom of e-mail messages.
 Send e-mail only to individuals and groups you know.
• Accountability:
 Users should not provide their password to any person.

2.3 Physical security:


Access Control:
• Access control is a security technique that regulates who or what can view or use resources
in a computing environment.
• It is a fundamental concept in security that minimizes risk to the business or organization.
• There are two types of access control:
 Physical access control
 Logical access control
• Physical access control limits access to campuses, buildings, rooms and physical IT assets.
• Logical access control limits connections to computer networks, system files and data.

• [Access control authentication devices include id and password, digital certificates, security
tokens, smart cards and biometrics.
• Access control authorization is commonly implemented as role-based access control (RBAC).
• Mandatory access control is access control policies that are determined by the system and not
the application or information owner.
• RBAC is commonly found in government, military and other enterprises where the role
definitions are well defined.]

2.3.1 Physical access control
• Physical security is concerned with restricting physical access by unauthorized people (commonly interpreted as intruders).
• For instance, physical access controls are generally intended to:
• deter potential intruders (e.g. warning signs and perimeter markings);
• distinguish authorized from unauthorized people (e.g. using keycards/access badges);
• delay and prevent intrusion attempts (e.g. strong walls, door locks and safes);
• detect intrusions and monitor/record intruders (e.g. intruder alarms and CCTV systems); and
• trigger appropriate incident responses (e.g. by security guards and police).
• Other examples of physical access control include password-coded doors. Access card readers can track who is entering the facility. These readers only give access to specific employees with the right credentials.
• Many systems incorporate alarm features to prevent unauthorized access.
• The most common physical access controls are used at hospitals, police stations, government offices, data centres, and any area that contains sensitive equipment and/or data.

2.3.2 Logical access controls


• Logical access controls are tools used for identification, authentication and authorization in computer information systems.
• Logical access controls use advanced password programs and advanced biometric security
features. These features identify the employee. The system then determines whether the
employee has appropriate authorization to access data.
• The access controls can be embedded within operating systems, applications, add-on security
packages, or database and telecommunication management systems.
• [The line between Logical access and physical access can be blurred when physical access is
controlled by software.
• For example, entry to a room may be controlled by a chip and PIN card and an electronic
lock controlled by software.
• Only those in ownership of an appropriate card, with an appropriate security level and with
knowledge of the PIN are permitted entry to the room.
• On swiping the card into a card reader and entering the correct PIN, the user's security level
is checked against a security database and compared to the security level required to enter the
room.
• If the user meets the security requirements, entry is permitted.]
• Logical Controls protect data and the systems, networks, and environments that protect them.
• In order to authenticate, authorize, or maintain accountability a variety of methodologies are
used such as password protocols, devices coupled with protocols and software, encryption,
firewalls, or other systems that can detect intruders and maintain security, reduce
vulnerabilities and protect the data and systems from threats.
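The card-plus-PIN flow just described, as an added worked example in Python (not code from the course notes or from any real access-control product). The security database, card ids, PINs and room levels are constructed placeholders, and the lockout after three wrong PINs is an added assumption.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_PIN_ATTEMPTS = 3   # assumption: lock the card after this many wrong PINs


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """PINs are never stored in clear; keep a salted, stretched hash instead."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class CardRecord:
    holder: str
    level: int            # security level granted to the card holder
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def enrol(holder: str, level: int, pin: str) -> CardRecord:
    salt = os.urandom(16)
    return CardRecord(holder, level, salt, _hash_pin(pin, salt))


# Constructed "security database": card id -> holder record. All values are
# illustrative placeholders, not real credentials.
SECURITY_DB = {
    "CARD-0001": enrol("alice", 3, "4821"),   # cleared for level-3 areas
    "CARD-0002": enrol("bob", 1, "1111"),     # low-level access only
}

# Security level required to enter each room (constructed).
ROOM_LEVELS = {"lobby": 0, "office": 1, "server-room": 3}


def check_entry(card_id: str, pin: str, room: str) -> tuple:
    """Decide whether the card/PIN pair may enter `room`.

    Returns (permitted, reason). The reason is for the audit log; the door
    display should show only a generic "access denied" so that a failed
    attempt does not reveal which check failed.
    """
    required = ROOM_LEVELS.get(room)
    if required is None:
        return False, "unknown room"
    rec = SECURITY_DB.get(card_id)
    if rec is None:
        return False, "unknown card"
    if rec.locked:
        return False, "card locked after repeated wrong PINs"
    # Constant-time comparison of the stretched hashes.
    if not hmac.compare_digest(_hash_pin(pin, rec.salt), rec.pin_hash):
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_PIN_ATTEMPTS:
            rec.locked = True
        return False, "wrong PIN"
    rec.failed_attempts = 0
    # Holder's security level is checked against the level the room requires.
    if rec.level < required:
        return False, "insufficient security level"
    return True, "entry permitted"


if __name__ == "__main__":
    for attempt in [("CARD-0001", "4821", "server-room"),
                    ("CARD-0002", "1111", "server-room"),
                    ("CARD-0002", "0000", "lobby")]:
        print(attempt, "->", check_entry(*attempt))
```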

2.3.3 Biometric

• Definition: Biometric security is a security mechanism used to authenticate and provide
access to a system based on the automatic and instant verification of an individual’s physical
characteristics.
• Why use a biometric security system?
• Each person has a set of unique characteristics that can be used for authentication.
• Biometrics uses these unique characteristics for authentication.
• Today’s Biometric systems examine fingerprints, handprints, retina patterns, iris
patterns, facial recognition, voice patterns, keystroke patterns etc for authentication.
• But of the biometric devices available on the market, only retina pattern, iris pattern, fingerprint and handprint systems are properly classified as biometric systems. The others are better classified as behavioural systems.
• Biometric identification systems normally work by obtaining unique characteristics
from you, like a handprint, a retina pattern etc. The biometric system then compares that
to the specimen data stored in the system.
• Biometric authentication is much better when compared with other types of authentication methods. But some users avoid using biometric authentication.
• For example, many users feel that retina scanner biometric authentication system may
cause loss of their vision. False positives and false negatives are a serious problem with
Biometric authentication.

1. Finger Print
• Fingerprints have been used in forensic science and in various other areas for identification for a long time. The fingerprints of each individual are unique.
• Fingerprint Biometric Systems examine the unique characteristics of your fingerprints
and use that information to determine whether or not you should be allowed access.
• Smart phones also have sensors to capture our fingerprints and thus guarantee that we
are the only people who can unlock our phones.
• The user's finger is placed on the scanner surface. Light flashes inside the machine, the reflection is captured by a scanner, and it is used for analysis and then verified against the original specimen stored in the system.
Advantages:
• Implementation costs are low
• This technology has good user acceptance.
• High performance

• Short processing time
• Small storage
• Easy integration

Disadvantages:
• It can make mistakes when the finger's skin is dry or dirty.
• High chance of fingerprint image degradation with age.
• Fake fingerprints are possible.

Applications(usage):

• Access control
• Forensic science
• ATM
• Border enforcement agency
• Checkout at retail etc.

2. Voice Pattern
• Voice biometric authentication is the use of the voice pattern to verify the identity of an individual. It is fast becoming a widely deployed form of biometric authentication. (Advantage)
• Voice biometrics works by digitizing a profile of a person's speech to produce a stored
model voice print, or template.
• Biometric technology reduces each spoken word to segments composed of several
dominant frequencies called formants. Each segment has several tones that can be
captured in a digital format. The tones collectively identify the speaker's unique voice
print. Voice prints are stored in databases in a manner similar to the storing of
fingerprints or other biometric data.
• Disadvantage: A person's speech is subject to change depending on health and emotional
state. Matching a voice print requires that the person speak in the normal voice that was
used when the template was created at enrollment.
• If the person suffers from a physical ailment, such as a cold, or is unusually excited or
depressed, the voice sample submitted may be different from the template and will not
match.
• Other factors also affect voice recognition results. Background noise and the quality of
the input device (the microphone) can create additional challenges for voice recognition
systems.
• If authentication is being attempted remotely over the telephone, the use of a cell phone
instead of a landline can affect the accuracy of the results.
• Voice recognition systems may be vulnerable to replay attacks: if someone records the
authorized user's phrase and replays it, that person may acquire the user's privileges.

3. Retina Pattern Biometric Systems


• Everybody has a unique retinal vascular pattern. A retina pattern biometric system uses an infrared beam to scan your retina.

• Retina pattern biometric systems examine the unique characteristics of the user's retina and compare that information with the stored pattern to determine whether the user should be allowed access.
Advantages:
• Retina pattern biometric systems are highly reliable.
Disadvantages:
• Users are often worried about using retina scanners because they fear that retina scanners will blind or injure their eyes.

4. Handprints Biometric Systems


• As in the case of fingerprints, everybody has unique handprints.
• A handprint biometric system scans the hand and fingers, and the data is compared with the specimen stored for you in the system.
• The user is allowed or denied access based on the result of this verification.
Advantages:
• Implementation costs are low
• This technology has good user acceptance.
• Easy to use
• Easy integration

Disadvantages:
• The shape of the hand may be changed due to illness, age or change in weight.

Applications(usage):

• Access control
• Immigration control

5. Keystroke biometric system


• A keystroke biometric system for long-text input was developed and evaluated for
identification and authentication applications.
• TypeSense is a software-only authentication solution based on the science of typeprint
recognition that uses keystroke dynamics to accurately identify a user by the way they type
characters across a keyboard.
• How it works
• Keystroke Dynamics technology extracts the distinctive characteristics found in typed
sequences of characters, and creates a statistically unique signature from the typing patterns
of a person.
• These distinctive features include the duration for which keys are held and the elapsed time
between successive keystrokes.

• Key Features
 No Hardware Required
o Unlike fingerprint and other biometric solutions that require a special hardware reader or scanner, TypeSense does not need any new hardware to be installed: it works with the standard computer keyboard.
 No Software Installed
o TypeSense does not require any software to be pre-installed on the user's PC for web-based applications.
 Nothing to Carry, Lose, or Forget
o Across all types of authentication technologies, TypeSense is the only solution that does not require users to carry any device.
 Nothing Extra to Type at Logon
o With TypeSense, you will be asked to type what you always enter at logon: your username and password. TypeSense is completely transparent to the users.
 Flexible Enrolment
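An added example (not TypeSense's code and not from the notes) showing in Python how the two features named above, key hold duration (dwell) and the gap between successive keystrokes (flight), are extracted from keystroke timings, turned into an enrolment template and scored against a later typing of the same text. The key timings, the z-score distance and the 1.5 threshold are constructed assumptions.

```python
from statistics import mean, pstdev

MIN_STD_MS = 5.0   # floor on per-feature spread so a very consistent typist does not divide by ~0


def make_sample(keys, dwells, flights):
    """Build a constructed keystroke capture: a list of (key, press_ms, release_ms).
    dwells[i] is how long key i is held; flights[i] is the gap between releasing
    key i and pressing key i+1. A real system records these from the keyboard."""
    t, sample = 0, []
    for i, key in enumerate(keys):
        sample.append((key, t, t + dwells[i]))
        if i < len(flights):
            t += dwells[i] + flights[i]
    return sample


def extract_features(sample):
    """Dwell times followed by flight times, in typing order."""
    dwell = [release - press for _, press, release in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def build_template(samples):
    """Enrolment: per-feature mean and spread over several typings of the same text."""
    vectors = [extract_features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("enrolment samples must be the same text")
    means = [mean(col) for col in zip(*vectors)]
    stds = [max(pstdev(col), MIN_STD_MS) for col in zip(*vectors)]
    return means, stds


def score(template, sample):
    """Mean absolute z-score of the probe against the template; lower is closer."""
    means, stds = template
    feats = extract_features(sample)
    if len(feats) != len(means):
        raise ValueError("probe text differs from enrolled text")
    return mean(abs(f - m) / s for f, m, s in zip(feats, means, stds))


def authenticate(template, sample, threshold=1.5):
    """Accept when the rhythm is within `threshold` average standard deviations.
    Raising the threshold lowers false rejections but raises false acceptances."""
    return score(template, sample) <= threshold


# Constructed enrolment: the legitimate user types the same password three times.
KEYS = list("pass")
ENROLMENT = [
    make_sample(KEYS, [90, 80, 100, 95], [120, 150, 60]),
    make_sample(KEYS, [95, 85, 105, 90], [110, 160, 70]),
    make_sample(KEYS, [85, 80, 95, 100], [130, 140, 65]),
]
TEMPLATE = build_template(ENROLMENT)
# The same user again, and a different typist entering the same (known) password.
GENUINE_PROBE = make_sample(KEYS, [92, 82, 98, 96], [118, 155, 63])
IMPOSTOR_PROBE = make_sample(KEYS, [150, 140, 160, 150], [300, 350, 200])

if __name__ == "__main__":
    print("genuine :", round(score(TEMPLATE, GENUINE_PROBE), 2), authenticate(TEMPLATE, GENUINE_PROBE))
    print("impostor:", round(score(TEMPLATE, IMPOSTOR_PROBE), 2), authenticate(TEMPLATE, IMPOSTOR_PROBE))
```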

6. Facial recognition system:

• Facial recognition is a way of recognizing a human face through technology.


• A facial recognition system uses biometrics to map facial features from a photograph or
video. It compares the information with a database of known faces to find a match.
• Facial recognition can help verify personal identity, but it also raises privacy issues.
Disadvantages:
• Full face template makes the database size large
• Variation with expression and age
Applications:
• In criminal investigation

Physical barriers
• Barriers are used in physical security to define boundaries, delay or prevent access, restrict
movement to a particular area.
• Manmade structural barriers and natural barriers are two general types of barriers.
• Manmade structural barriers include fences and walls, doors, gates, park entrance,
vehicular barriers, glazing (usually glass), and nearly all building materials.
• Natural barriers include berms, rocks, trees, water features, sand and gravel, and other
natural land features that are difficult to traverse or that expose an attacker.

• Barriers must be tested regularly and maintained.
• [Physical barriers such as fences, walls, and vehicle barriers act as the outermost layer of
security.
• They serve to prevent attacks, and also act as a psychological warning by defining the
perimeter of the facility and making intrusions seem more difficult.
• Tall fencing, topped with barbed wire, razor wire or metal spikes are often emplaced on
the perimeter of a property, generally with some type of signage that warns people not to
attempt to enter.
• However, in some facilities imposing perimeter walls/fencing will not be possible (e.g. an
urban office building that is directly adjacent to public sidewalks) or it may be aesthetically
unacceptable (e.g. surrounding a shopping center with tall fences topped with razor wire);
in this case, the outer security perimeter will be defined as the walls/windows/doors of the
structure itself.]

2.4 Password Protection: How to Create Strong Passwords


 Use Different Passwords Everywhere
• Why would you do this when it's so easy to just type "fido" at every password prompt?
• Here's why: If "fido" gets cracked once, it means the person with that info now has access to
all of your online accounts.
 Avoid Common Passwords
• If the word you use can be found in the dictionary, it's not a strong password.
• If you use numbers or letters in the order they appear on the keyboard ("1234" or "qwerty"),
it's not a strong password.
• If it's the name of your relatives, your kids, or your pet, favorite team, or city of your birth,
guess what—it's not a strong password.
• If it's your birthday, anniversary, date of graduation, even your car license plate number, it's
not a strong password.
• It doesn't matter if you follow this with another number.
• These are all things hackers would try first. They write programs to check these kinds of
passwords first, in fact.

2.4.1 Strong Password Solutions 


How to Build Strength
• To create a strong password, you should use a string of text that mixes numbers, letters that
are both lowercase and uppercase, and special characters.
• It should be eight characters, preferably many more. A lot more. The characters should be
random, and not follow from words, alphabetically, or from your keyboard layout.
• So how do you make such a password?
• Examples:
1) Spell a word backwards. (Example: Turn "New York" into "kroywen.")
2) Use l33t speak: Substitute numbers for certain letters. (Example: Turn "kroywen" into
"kr0yw3n.")

3) Randomly throw in some capital letters. (Example: Turn "kr0yw3n" into "Kr0yw3n.")
4) Don't forget the special character. (Example: Turn "Kr0yw3n" into "Kr0yw3^.")

2.4.2 Password selection strategies 


User Education:
• Users can be told the importance of using hard-to-guess passwords.
• And users can be provided with guidelines for selecting strong passwords.
 Computer generated passwords:
• Computer generated passwords also have problems: they are hard to remember.
• If the passwords are quite random in nature, users will not be able to remember them and will write them down.
 Reactive password checking:
• The system periodically runs its own password cracker to find guessable passwords.
• The system cancels passwords that are guessed and notifies the user.
• It consumes resources.
• Existing passwords remain vulnerable until the reactive password checker finds them.
• Hackers can use this on their own machine with a copy of the password file.
 Proactive password checking:
• It is the most promising approach to improve password security.
• The system checks at the time of selection whether the password is allowable.
• With guidance from the system, users can select memorable passwords that are difficult to guess.

2.4.3 Components of a Good Password


• Common guidelines to make the password more difficult to guess or obtain are as follows:
• It should be at least eight characters long.
• It should include uppercase and lowercase letters, numbers, special characters or
punctuation marks.
• It should not contain dictionary words.
• It should not contain the user's personal information such as their name, family member's
name, birth date, pet name, phone number or any other detail that can easily be identified.
• It should not be the same as the user's login name.
• It should not be a default password supplied by the system vendor, such as password, guest, admin and so on.
• Change your passwords periodically.
• Don't re-use an expired password.
• Try to memorize the password, and avoid writing it down.
• Do not use the same password for everything.
• Do not tell anybody your password.
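The proactive password check from 2.4.2 applied to the components listed above, as an added Python example that is not part of the notes. The dictionary and vendor-default word lists are constructed placeholders, the check also flags the keyboard sequences from 2.4 ("1234", "qwerty"), and it treats the login name appearing anywhere in the password as a violation.

```python
import re

# Constructed word lists for the example; a real checker loads full dictionaries
# and a vendor-default list.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "football", "newyork"}
VENDOR_DEFAULTS = {"password", "guest", "admin", "root", "changeme"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _normalise(text):
    """Lower-case and drop separators so 'Pass-Word' still matches 'password'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _has_keyboard_run(password, length=4):
    """True if the password contains `length` adjacent keys from one keyboard row,
    in either direction (catches '1234', 'qwerty', '0987', 'poiu')."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            run = row[i:i + length]
            if run in low or run[::-1] in low:
                return True
    return False


def check_password(password, login, personal=()):
    """Proactive check at selection time: returns the list of rules the candidate
    password breaks. An empty list means the password is allowable."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(c, password) for c in classes):
        problems.append("does not mix upper, lower, digits and special characters")
    norm = _normalise(password)
    if any(word in norm for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if _has_keyboard_run(password):
        problems.append("contains a keyboard sequence")
    # Personal details the user supplied at enrolment: name, pet, birth year, etc.
    personal_norm = [_normalise(item) for item in personal]
    if any(p and p in norm for p in personal_norm):
        problems.append("contains personal information")
    login_norm = _normalise(login)
    if login_norm and login_norm in norm:
        problems.append("contains the login name")
    if password.lower() in VENDOR_DEFAULTS:
        problems.append("is a vendor default password")
    return problems


if __name__ == "__main__":
    for pw, user, info in [("Kr0yw3^", "alice", ()),
                           ("Password1234!", "bob", ("Bob", "1990")),
                           ("7!vQm#2pLz@9", "alice", ("Alice", "Rex", "1995"))]:
        print(pw, "->", check_password(pw, user, info) or "acceptable")
```

The notes' own worked example "Kr0yw3^" is seven characters long, so this checker rejects it on length alone.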

Question Bank

Q-1 Define the following terms (2 marks)

1) Piggybacking
2) Biometrics

Q-2 Explain the following questions (3 or 4)

1) Explain Shoulder Surfing and Dumpster diving.


2) Explain password protection.
3) Explain password selection strategies.
4) Write the components of a good password.
5) Write a short note on fingerprints and handprints.
6) Write a short note on retina patterns and voice patterns.
