Introduction to Computer Programming IT-104
Unit Ten – Security Concepts – Applications in Visual Basic Projects
5/22/2016
Intro to Comp. Programming - IT 104
1
Objectives
Discuss the concept of security as it relates to the computer world in general, and Visual Basic in particular.
Discuss the need to implement security in the modern world to control access to systems and data.
Discuss some common security measures.
Identify and discuss the typical internal and external threats to systems and data.
Identify and discuss some solutions to these threats.
Objectives
Learn how to add a password form to any Visual Basic project.
Learn how to create a simple password file.
Discuss network security and some common techniques to improve the security of any network.
Learn what encryption is.
Learn some common encryption techniques in use in today’s computer environment.
Introduction
Technology has allowed us to do many amazing things today.
Some of these things would have been impossible just a few generations ago:
Space travel
The human genome project
Global positioning and satellite navigation
The Earth sciences in general
Introduction
The one thing each of the previous items had in common is that they all involve manipulating large amounts of data, and some of them require that data to be manipulated very rapidly.
This was not possible before the invention of the modern digital computer, and it is this device that has revolutionized our lives.
Technology is now an integral part of the human experience. The Internet, which was a curiosity a mere decade ago, has now become THE medium for moving information and communicating in general.
Organizations have now become dependent on information technology simply to survive and compete in the marketplace today.
Disruption of this information flow, be it by accident or by deliberate means, is not something any organization can tolerate.
Introduction
Organizations are now vulnerable as never before to security risks. The recent terrorist attacks as well as simple hardware failures (the northeast computer-assisted power grid failure) have illustrated this weakness.
As a response to the perceived and real threats, software companies are developing robust software applications and network systems that are designed to complicate and slow the process of hacking into a system, and make it much more difficult to infect systems with viruses, bugs, and malicious code.
No system (or software package) is perfect. By their very nature, they will have some weakness, which a determined hacker or cracker will eventually discover and exploit, but the existence of these systems greatly hinders and slows the evildoer in the pursuit of his agenda.
Introduction
Preventing unauthorized entry into applications, as well as systems, is needed in today’s computer world.
Validation using accounts and passwords is an effective measure against unauthorized access and use of systems and software.
Security Measures
Every organization faces external threats from competitors as well as hackers.
Additionally, there are internal threats.
The external threats are summarized on the next slide.
External Threats
- A competitor could gain access to restricted or confidential data and gain a competitive edge or compromise restricted research data.
- Hackers can gain access to client credit card numbers or other personal information that can be used for criminal purposes.
- Hackers can take control of a computer system, which could be used to propagate malicious attacks on other computer systems. These types of attacks happen without the knowledge of the organization.
- Hackers can gain access to the systems or databases of the organization, thus exposing its critical information.
Internal Threats
Internal sources, such as disgruntled or incompetent employees, can also harm the organization by:
Not keeping the anti-virus software updated on their systems.
Stopping anti-virus scanning to speed up data access.
Reading e-mail received from unknown sources.
Downloading programs from non-trustworthy sources.
Not installing security patches for the operating system, e-mail clients, or Internet browsers.
Using modems for data transfer from the Internet without being disconnected from the LAN.
Revealing passwords to colleagues and friends.
Using new systems without installing anti-virus or firewall software on them.
Testing computers with blank passwords after connecting to the Internet.
Using plain-text or unencrypted passwords to control devices such as servers, routers, and switches.
Enabling file and printer sharing on the network without any requirement.
Allowing users unrestricted FTP data transfer.
Solutions
Using password-protected systems.
Passwords should be a minimum of six (some think eight) characters, and the user should be required to change the password each month.
The users should not be allowed to re-use old passwords.
Users should be educated as to words, phrases, and other things to avoid when choosing passwords.
Solutions
Passwords should never, never, never be given to users whose identity has not been thoroughly investigated, validated, and documented.
Passwords should be implemented on all e-mail, and some organizations even implement them on Internet access.
Passwords should also be implemented to enforce control and access to sensitive, proprietary, or other mission-critical data and applications that access that data.
Adding a Password Form in VB
The password form can be added to a Visual Basic application just as we have added several other template-type forms.
Visual Basic contains a Logon Dialog form that comes already pre-coded.
The programmer can then either plug in his own access file, or remove the code and supply his own custom coding.
Adding a Password Form in VB
- To use this form, a password file should be created.
- A simple text file will serve to illustrate this process.
- The file should contain at least two fields:
UserAccount – a unique string identifying the user.
UserPassword – a string attached to the user account.
- The file could also contain other ‘profile’ information that would indicate the level of responsibility/trust that this person has in the organization; typically the applications that he can access, and what his interaction with that software encompasses (can he add, delete, or edit data in addition to just browsing).
Adding a Password Form in VB
- Additionally, the file should certainly have some encryption protection, so that if a hacker somehow manages to obtain a copy of this file, the data will be unreadable unless he also has access to the encryption method.
- The next slide will illustrate a very simple password file for a particular application.
- The file contains the account, password, and the data privileges assigned to the user by the application administrator, who may or may not be the same person as the LAN administrator.
A Sample Password File
(The slide shows the sample file as an image, which is not reproduced in this transcript.)
A Sample Password File
The first two lines of this file are simply a note to the person allowed to access the file.
The third line begins the user definitions, which contain the account, the password, and then either TRUE or FALSE indicating which of the five successive forms in the application the user is allowed to interact with. A TRUE value gives him full functionality, a FALSE value gives him limited browse-only capability in this application.
Implementing the Password Form
Once a password form has been added to an application, it should immediately be either the first or the second form that the user sees.
The only form that should be allowed to precede the password form is the Splash screen.
The password form should allow the user three tries (the standard in the computer world today) to correctly enter both his account and password.
Implementing the Password Form
The profiles can be used to set menu options, command buttons and other controls’ Visible property or Enabled property to control access to data.
If the user doesn’t succeed within his three tries, he should then be locked out of the application, requiring an administrator to verify and reset his access to the application.
An example of the Visual Basic Logon Dialog form is shown on the next slide.
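A worked version of the password file and three-try logon described on the preceding slides, written as an added Python example (not code from the course or from Visual Basic's Logon Dialog template). It assumes a comma-separated layout, since the slide image of the file is not in the transcript, and it stores salted one-way hashes rather than plaintext passwords as its form of the "encryption protection" the slides call for; the user records are constructed sample data.

```python
import hashlib
import secrets

FIELD_SEP = ","     # assumed delimiter; the slide's image of the file is not in the transcript
NOTE_LINES = 2      # the first two lines of the file are a note to whoever maintains it
FORM_COUNT = 5      # one TRUE/FALSE flag per application form
MAX_ATTEMPTS = 3    # three tries, then the account stays locked until an administrator resets it

def hash_password(password: str, salt: str) -> str:
    """One-way PBKDF2 hash: a stolen copy of the file does not give away the passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()

def make_sample_file() -> str:
    """Constructed sample in the slide's layout: two note lines, then one user per line."""
    lines = ["# BigBucks order entry password file - administrators only",
             "# account,salt$hash,Form1..Form5 (TRUE = full access, FALSE = browse only)"]
    users = [("alice", "Tr0ub4dor&3", ["TRUE", "TRUE", "TRUE", "FALSE", "FALSE"]),
             ("bob", "correct-horse", ["TRUE", "FALSE", "FALSE", "FALSE", "FALSE"])]
    for account, password, flags in users:
        salt = secrets.token_hex(8)
        lines.append(FIELD_SEP.join([account, salt + "$" + hash_password(password, salt), *flags]))
    return "\n".join(lines) + "\n"

def load_profiles(text: str) -> dict:
    """Parse the file into {account: (salt, hash, [bool] * 5)}; malformed records are rejected."""
    profiles = {}
    for line in text.splitlines()[NOTE_LINES:]:
        fields = line.split(FIELD_SEP)
        if (len(fields) != 2 + FORM_COUNT or "$" not in fields[1]
                or any(f not in ("TRUE", "FALSE") for f in fields[2:])):
            raise ValueError("malformed user record: " + line)
        salt, digest = fields[1].split("$", 1)
        profiles[fields[0]] = (salt, digest, [f == "TRUE" for f in fields[2:]])
    return profiles

class Logon:
    def __init__(self, file_text: str):
        self.profiles = load_profiles(file_text)
        self.failures = {}      # failed tries per account name

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= MAX_ATTEMPTS

    def try_logon(self, account: str, password: str):
        """Return the user's five form flags on success, None on a bad try or a locked account."""
        if self.is_locked(account):
            return None
        salt, digest, flags = self.profiles.get(account, ("", "", None))
        # hash even for unknown names and compare in constant time, so timing reveals no accounts
        candidate = hash_password(password, salt)
        if flags is not None and secrets.compare_digest(candidate, digest):
            self.failures.pop(account, None)
            return flags
        self.failures[account] = self.failures.get(account, 0) + 1
        return None
```

The returned flag list maps directly onto the Visible/Enabled properties of the five forms' controls, as the slide describes.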
A Logon Dialog Form
(The slide shows the Logon Dialog form as an image, which is not reproduced in this transcript.)
Network Security
- A network can use one or more of the following firewall techniques:
Packet filter: scans each packet that enters or leaves the network. If the packet adheres to the security policy defined through the firewall, it is allowed to pass through; otherwise it is blocked. A packet is a piece of a message transmitted over a packet-switching network. The packet-filter technique is quite effective, but it is quite time-consuming and difficult to configure.
Application gateway: scans data for specific applications such as FTP and Telnet servers. This gateway is very effective, but causes performance degradation.
Network Security
Circuit-level gateway: activates a security mechanism whenever a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) connection is established. TCP and UDP are protocols that connect hosts on the Internet. Once the connection has been made, packets can flow between the hosts without further checking.
Proxy server: inspects all messages that leave or enter a network. As the name suggests, a proxy server hides the true network addresses.
- Creating a firewall is the most basic mode of security against any external threat. It doesn’t solve all security problems, but serves as a basic preventive measure.
Network Security
- Update anti-virus software regularly – virus attacks causing huge loss of data and effort have become common news. Organizations are under a constant threat from virus attacks.
A virus is a parasitic program written intentionally to enter a computer without the user’s permission or knowledge. A virus can replicate itself and infect several machines over a network.
Viruses can be transmitted to a network via e-mail, by downloading files from the Internet, or by direct copy from a removable media source. To protect data against virus attacks, anti-virus software is used. This software scans the computer for any possible virus signatures, and it can intercept and isolate the virus before it creates any havoc within an organization.
Network Security
Deploy Web monitoring services – tampering with an organization’s Internet resources is a common form of security abuse. This leads to lost productivity, legal costs, and drainage of network resources. Over time, several Internet usage policies have emerged to deal with this problem. Acceptance of these policies has not been satisfactory. One of the popular preventive measures against unauthorized access to Internet resources is Web monitoring.
Network Security
Various organizations offer Web monitoring services to tackle this issue. These services can:
Block or filter Web sites.
Report on employees’ usage habits.
Restrict access to non-business-related sites.
Provide different levels of access to different departments.
Provide offline and real-time alerting of Internet misuse.
Provide greater management accountability of your Internet resources.
Data Encryption
Passing messages so that only the sender and the receiver can read the message lies at the heart of data encryption.
The technique is as old as human civilization.
The Romans used it effectively, and one of the first methods documented is the so-called Caesar method, in which he shifted the letters of the Roman alphabet using a key. Recipients of his messages would be required to have a matching copy of the key in order to decode and read the message that Caesar had sent.
- The weaknesses of this system are obvious.
The key could fall into the wrong hands, and then the message, if intercepted, could be decoded and read by someone other than the intended recipient.
The key could be lost or destroyed, thus preventing the recipient from decoding vital messages.
Those intent on defeating the system, after deciphering the coding scheme, could then send false messages among participants in the network.
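The Caesar method and its weaknesses, as an added Python example that is not from the slides: one shared key both encrypts and decrypts, and because there are only 25 possible keys an interceptor needs no copy of the key at all, only the ciphertext and a little trial, which is the "deciphering the coding scheme" case on the slide. The common-word list used for scoring is a constructed aid.

```python
import string

ALPHABET = string.ascii_uppercase

def caesar(text: str, key: int) -> str:
    """Shift every letter by `key` places around the alphabet; other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)

def decrypt(ciphertext: str, key: int) -> str:
    """The same key undoes the shift: sender and recipient must both hold it."""
    return caesar(ciphertext, -key)

# Constructed scoring aid: the candidate plaintext containing the most of these words wins.
COMMON_WORDS = {"THE", "AND", "TO", "OF", "AT", "IS", "ATTACK", "DAWN", "RETREAT"}

def recover_key(ciphertext: str) -> int:
    """Try all 25 non-trivial keys; whoever finds the key can also forge messages with it."""
    best_key, best_score = 0, -1
    for key in range(1, 26):
        words = decrypt(ciphertext, key).replace(".", " ").split()
        score = sum(w in COMMON_WORDS for w in words)
        if score > best_score:
            best_key, best_score = key, score
    return best_key
```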
Data Encryption
Cryptography is defined by Webster as ‘hidden writing’.
Cryptography works as in the case of the Caesar example to make the message from one sender to the recipient unintelligible unless the recipient has the key to decipher the message.
Modern computers are able to implement a number of excellent encryption schemes that are extremely difficult to defeat.
Data Encryption
- Modern systems use a digital signature and digital timestamp to ensure that data received is from an authentic sender and not an intruder. This is referred to as authentication.
- As mentioned previously, the advent of computer technology has allowed more complex cryptography algorithms and more secure key systems to be developed. Computers not only encrypt and decrypt huge amounts of data much faster, they also develop codes which are much harder to break. Based on the number of keys used, cryptographic systems are divided into two categories.
Data Encryption
- Types of keys:
Symmetric-key systems – these encryption systems use a single key that both the sender and recipient have. The Caesar method was an example of such a method. Some recent examples of this kind of system are Rijndael, Blowfish, RC2, RC4, Triple DES, and CAST. Symmetric encryption (SE) is very fast and easy to implement. However, it has one main drawback, that is, secure key distribution. For a sender and recipient to communicate securely using SE, they must agree upon a key and keep it secret amongst themselves. If they are in different physical locations, they need a secure communication medium to prevent the disclosure of the secret key during transmission. Anyone who overhears or intercepts the key in transit can later read, modify, and forge all information encrypted or authenticated with that key.
Data Encryption
Public-key systems: these systems use two keys, a public key known to everyone, and a private key, which only the recipient of the message can use. Anyone who has a public key can encrypt information but cannot decrypt it. Only the person who has the corresponding private key can decrypt the information. Some examples of public-key encryption are PGP (Pretty Good Privacy), ElGamal, RSA, Diffie-Hellman, and DSA. The primary advantage of PK systems is that they eliminate the need for a sender and receiver to share secret keys via some secure channel; all communications involve only public keys, and no private key is ever transmitted or shared.
Some Password Dos and Don’ts
- Change passwords at regular intervals.
- Use passwords that have more than six characters.
- Create passwords with unrelated words separated by non-alphabetic characters.
- When changing a password, the new one should not bear any relation to the old.
- Avoid passwords that have already been used in the last 12 months.
- Avoid passwords that bear personal information, such as name, address, birth date, relatives, personal attributes, etc.
- Change passwords on the machine immediately after it has been accessed by any outside engineer or maintenance person.
- Use passwords auto-generated by machines (ugh!)
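The rules on this slide (and the monthly change interval from the earlier Solutions slide) turned into a checker, as an added Python example that is not from the course. "Unrelated words" is approximated as two or more alphabetic runs with a non-alphabetic separator, "relation to the old" as a difflib similarity ratio, and the password history holds hashes with the date each was set; the thresholds and the sample personal details are constructed.

```python
from datetime import date, timedelta
import difflib
import hashlib
import re

MIN_LENGTH = 7          # "more than six characters"
HISTORY_DAYS = 365      # "not used in the last 12 months"
CHANGE_DAYS = 30        # change each month (interval from the Solutions slide)
RELATED_RATIO = 0.6     # similarity above this counts as "bears relation to the old"

def password_digest(password: str) -> str:
    """The history keeps only hashes, so old passwords are never stored in the clear."""
    return hashlib.sha256(password.encode()).hexdigest()

def is_due_for_change(set_on: date, today: date) -> bool:
    return (today - set_on).days >= CHANGE_DAYS

def check_password(new: str, old: str, history: list, personal: list, today: date) -> list:
    """Return the rules the new password breaks (empty list = acceptable).
    history: [(sha256_hex, date_set)]; personal: name, street, birth year and the like."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("must have more than six characters")
    # two or more alphabetic runs with something non-alphabetic between them
    if len(re.findall(r"[A-Za-z]+", new)) < 2 or not re.search(r"[^A-Za-z]", new):
        problems.append("use unrelated words separated by non-alphabetic characters")
    if difflib.SequenceMatcher(None, new.lower(), old.lower()).ratio() > RELATED_RATIO:
        problems.append("bears relation to the old password")
    cutoff = today - timedelta(days=HISTORY_DAYS)
    if any(h == password_digest(new) and when >= cutoff for h, when in history):
        problems.append("already used in the last 12 months")
    if any(p.lower() in new.lower() for p in personal if len(p) >= 3):
        problems.append("contains personal information")
    return problems
```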
Summary
Discuss the concept of security as it relates to the computer world in general, and Visual Basic in particular.
Discuss the need to implement security in the modern world to control access to systems and data.
Discuss some common security measures.
Identify and discuss the typical internal and external threats to systems and data.
Identify and discuss some solutions to these threats.
Summary
Learn how to add a password form to any Visual Basic project.
Learn how to create a simple password file.
Discuss network security and some common techniques to improve the security of any network.
Learn what encryption is.
Learn some common encryption techniques in use in today’s computer environment.
LAB Work
Add a Logon Dialog to your menu demo project from last lab session.
Create a simple logon file to control access to the application.
Complete any missed lab assignments from previous weeks.
Assignment
Study quizzes, presentations, your text book, and prepare for the final exam, which will be given next week.
At the beginning of the hour next week, I will expect someone to present to me, the CEO of the BigBucks Corp., your project, and to convince me that I must buy it.
Next Week:
Your project!
The final exam!
The last of Mr. Etter (at least for this quarter)!