8. A hybrid cryptosystem uses public key encryption to securely exchange secret keys, and then uses secret key encryption for subsequent encryption. 9. Authentication is used to determine the identity of a user. 10. Challengeresponse authentication is used to prevent replay attacks.

11. Using unpredictable sequence numbers secures sessions against hijacking.

12. Pseudorandom numbers appear to be random, but occur in a predefined sequence. 13. A digital signature is identity information that can be decoded by anyone but only encoded by the holder of a specific key. 14. A certificate is a digital signature that has been digitally signed by a trusted authority.

15. Biometric authentication includes the use of fingerprints, speech patterns, facial features,

retinal patterns, and DNA. Terms to Know • algorithm • asymmetrical algorithm • authentication • biometric authentication • brute-force attack • certificate • challengeresponse • cipher • cryptography • cryptosystem • digital signature • encryption • hash • hybrid cryptosystem • key • one-way function • pass phrase • password • private key • pseudorandom number • Pseudorandom Number Generator PRNG • public key • public key authentication • public key encryption replay attack • Root Certifying Authority • secret key • secret key encryption seed • session • symmetrical algorithm

Chapter 4: Managing Security

Overview Managing computer and network security is easier than it may seem, especially if you establish a process of continual improvement-to keep the various requirements in perspective and to avoid forgetting about aspects of security. Security management centers on the concept of a security policy, which is a document containing a set of rules that describes how security should be configured for all systems to defend against a complete set of known threats. The security policy creates a balance between security and usability. The executive management of your organization should determine where to draw the line between security concerns and ease of use. Just think of a security policy as the security rules for your organization, along with policies for continual enforcement and improvement. Developing a Security Policy The first step in developing a security policy is to establish your network usability requirements by examining what things users must be able to do with the network. For example, the ability to send e-mail may be a requirement. Once you know what you are required to allow, you have a basis to determine which security measures need to be taken. policy A collection of rules. requirements A list of functions which are necessary in a system. Tip Physically, a security policy document is just a document, not software or software settings. I recommend creating your security policy document as an HTML web page that can be stored on your organizations intranet. This makes it easy to update and ensures that whenever someone reads it, theyre reading the most recent version. After youve got your requirements, make a list of features users may want but which are not expressly required. Add these to the list of requirements, but be sure to indicate that they can be eliminated if they conflict with a security requirement. Finally, create a list of security requirements-things users should not be able to perform, protections that should be taken against anonymous access, and so forth. The list of all of these requirements should simply be a series of sweeping statements, like: • Users must be able to send and receive e-mail on the Internet. use requirement • Users must be able to store documents on internal servers. use requirement • Hackers should have no access to the interior of the network. security requirement • There should be no way that users can accidentally circumvent file system permissions. security requirement • Passwords should be impossible to guess and take at least a year to discover using an automated attack with currently available technology. security requirement