E-Security und Datenschutz I (E-Security and Data Protection I): Introduction
Prof. Dr. Andreas Steffen, Zürcher Hochschule Winterthur
NDS CRM Module 3, Technology – Overview
23.09.2003, NDS_CRM_Security_1, © 2003 Zürcher Hochschule Winterthur


Page 2: Today's Agenda

• Security Goals

• Common Threats

• CRM and Privacy

• Security Policies

Page 3: Security Goals

Page 4: Security Goals in e-Commerce: CIA + Privacy + Identity

• Confidentiality
  Sensitive company information and customer data must be protected from unauthorized access.

• Integrity
  Data must be protected from getting accidentally or mischievously changed either in its storage location or during transmission.

• Availability
  In a global business environment the server and communications infrastructure must be available on a 24/7 basis.

• Privacy
  The privacy rights of the customers must be protected. Collected personal data shall be used only for those purposes the customer agreed upon.

• Authentication
  In any electronic transaction the true identity of customers and company staff should be established.

• Non-Repudiation
  There should be a provable association between an electronic transaction and the person who initiated it.

Page 5: Need for Confidentiality

Threat by Foreign Governments

Page 6: Echelon – Global Eavesdropping Network

• Run by the National Security Agency (NSA)

• Monitoring of global satellite communications (phone, fax, e-mail)

Bad Aibling, Bavaria


Page 8: Many Hops to www.novartis.com

traceroute to www.novartis.com (164.109.68.201)

 1 is1-svn.zhwin.ch (160.85.128.1) Winterthur
 2 intfw.zhwin.ch (160.85.111.1)
 3 160.85.105.1 (160.85.105.1)
 4 130.59.38.93 (130.59.38.93)
 5 rtrZUSW1-A4-0-1135.switch.ch (130.59.38.250) Zurich
 6 swiEZ2-G6-1.switch.ch (130.59.33.249)
 7 swiIX1-G2-3.switch.ch (130.59.36.250)
 8 zch-b1-geth4-1.telia.net (213.248.79.189)
 9 ffm-bb2-pos0-3-1.telia.net (213.248.79.185) Frankfurt
10 prs-bb2-pos0-2-0.telia.net (213.248.64.197) Paris
11 ldn-bb2-pos0-2-0.telia.net (213.248.64.165) London
12 nyk-bb2-pos6-0-0.telia.net (213.248.65.94) New York
13 nyk-i1-pos2-0.telia.net (213.248.82.22)
14 so-0-1-0.edge1.NewYork1.Level3.net (209.244.160.161)
15 ge-2-1-0.bbr2.NewYork1.level3.net (64.159.4.149)
16 unknown.Level3.net (64.159.3.254)
17 gige7-0.ipcolo1.Washington1.Level3.net (64.159.18.3) Washington
18 unknown.Level3.net (209.246.46.90)
19 gigabitethernet7-0.dca2c-fcor-rt2.netsrv.digex.net (164.109.3.94)
20 164.109.3.166 (164.109.3.166)
21 164.109.92.14 (164.109.92.14)
22 164.109.68.201 (164.109.68.201)

Page 9: Global Submarine Cable Map 2003

• Cable tapping pod laid by US submarine off Kamchatka

Page 10: Known Cases of Industrial Espionage

• Airbus, 1994, fax and phone calls intercepted by NSA
  McDonnell-Douglas won 6 billion $US contract with Saudi Arabian national airline. Reason: Uncovering of bribes.

• ICE/TGV, 1993, phone and fax tapped in Siemens Seoul office
  Siemens lost contract for Korean high-speed train to GEC-Alsthom. Reason: Competitor knew cost calculations done by Siemens.

• Thomson-CSF, 1994, communications intercepted by NSA/CIA
  Thomson-CSF lost huge Brazilian rainforest radar contract to Raytheon. Reason: Uncovering of bribes.

• Estimated yearly damage due to industrial espionage
  10 billion Euro p.a. for Germany alone

Source: European Commission Final Report on ECHELON, July 2001

Page 11: Need for Confidentiality

Threat by Hackers

Page 12: World Economic Forum 2001 in Davos

• Entire WEF database was stolen by hackers

• 161 Mbytes of data

• 27'000 names

• 1'400 credit card numbers

• phone numbers and home addresses

Page 13: Web Defacing

Page 14: Web Defacing

Source: Ruben Kuswanto, "Web Defacing", February 25 2003

Page 15: WLAN War Driving

Page 16: WLAN War Driving Map of Southern California

http://pasadena.net/apmap/

1500 mapped Access Points

Page 17: WLAN War Driving Map of Zurich

• >700 access points, a majority of them with disabled WEP encryption

Source: Tages-Anzeiger, Oct. 14 2002

Page 18: WLAN War Driving using NetStumbler

• NetStumbler available from http://www.netstumbler.com

• Laptop or PDA platform, optionally equipped with GPS device

Page 19: Cain Password Recovery Tool

• Cain available from http://www.oxid.it

• ARP poisoning, SSH and HTTPS man-in-the-middle attacks

Page 20: Sniffing is easy!

Page 21: Network Setup

Hosts in the diagram (hostname, IP network address, MAC interface card address):

• default gateway, 160.85.160.1, 00:D0:03:22:7C:0A

• mobt6103e, 160.85.169.50, 00:C0:97:14:B8:71

• usrw3200, 160.85.162.219, 00:02:B3:21:2C:8C

• kermit, 160.85.134.140, 08:00:20:C3:CE:48

Diagram labels: Target, Attacker, Victim, Destination, Switch, ZHW network, EDU network, Internet

Page 22: Need for Availability

Threat by DoS Attacks

Page 23: Denial of Service (DoS) Attacks

ping -c 1 160.85.143.255

13:36:52.196291 pluto.zhwin.ch > 160.85.143.255: icmp: echo request
13:36:52.196513 janus.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.196560 labserver03.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.196586 labserver01.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.196603 is1-svn.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.196871 notekgc.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.196910 statler.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.196940 andromeda.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.197296 iplds2.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.197325 milkyway.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.197410 kermit.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.197584 e520ks01.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.197653 console.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.197670 charly.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.197960 www.frau-und-technik.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.198017 splash.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.198363 iplds1.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.198652 twins.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.198937 mac608.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.199915 draco.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.201847 inpc9.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.205905 e321lj.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.216502 pmsrv.zhwin.ch > pluto.zhwin.ch: icmp: echo reply

Page 24: DoS – Ping Attack with IP Spoofing

• Attacker pings the broadcast address of the corporate network, with the spoofed source address of the victim

Diagram labels: Attacker, Internet, Firewall, Corporate Network, Victim
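The amplification shown on pages 23 and 24 can be measured from the defender's side. The Python sketch below is an added example, not part of the original slides: it parses tcpdump lines in the format of page 23, counts how many distinct hosts answer each echo request, and checks whether a destination is a subnet broadcast address. The 0.1 s window, the threshold, the /20 prefix and the unicast ping at the end of the sample are assumptions constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# The first six lines are copied from the tcpdump output on page 23; the last
# two (an ordinary unicast ping) are constructed here for contrast.
CAPTURE = """\
13:36:52.196291 pluto.zhwin.ch > 160.85.143.255: icmp: echo request
13:36:52.196513 janus.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.196560 labserver03.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.196586 labserver01.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.196603 is1-svn.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:52.197410 kermit.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
13:36:53.000000 pluto.zhwin.ch > kermit.zhwin.ch: icmp: echo request
13:36:53.000400 kermit.zhwin.ch > pluto.zhwin.ch: icmp: echo reply
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) (\S+) > (\S+): icmp: echo (request|reply)$")

def parse(capture):
    """Return (seconds_of_day, src, dst, kind) for every ICMP echo line."""
    events = []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m:
            h, mi, s, src, dst, kind = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + float(s), src, dst, kind))
    return events

def amplification(capture, window=0.1, threshold=2):
    """For each echo request, list the distinct hosts that replied to its
    source address within `window` seconds. One request answered by
    `threshold` or more hosts means the destination acted as a broadcast."""
    events = parse(capture)
    report = []
    for t, src, dst, kind in events:
        if kind != "request":
            continue
        responders = sorted({
            s for (t2, s, d, k) in events
            if k == "reply" and d == src and 0 <= t2 - t <= window
        })
        report.append({
            "reply_target": src,  # with a spoofed source this is the victim
            "request_dst": dst,
            "responders": responders,
            "factor": len(responders),
            "amplified": len(responders) >= threshold,
        })
    return report

def is_directed_broadcast(dst, subnets):
    """True if dst is the broadcast address of one of the given subnets;
    a border filter should drop such packets arriving from outside."""
    addr = ip_address(dst)
    return any(addr == ip_network(n).broadcast_address for n in subnets)

if __name__ == "__main__":
    for row in amplification(CAPTURE):
        state = "amplified" if row["amplified"] else "normal"
        print(row["request_dst"], "->", row["factor"], "replies,", state)
    # 160.85.128.0/20 is an assumed prefix; the slides do not state the netmask.
    print(is_directed_broadcast("160.85.143.255", ["160.85.128.0/20"]))
```

On Linux hosts the sysctl `net.ipv4.icmp_echo_ignore_broadcasts=1` suppresses the replies counted here, which removes the host from the set of amplifiers.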

Page 25: State-of-the-Art Distributed DoS Attack

• Attacker feeds a virus e.g. via email into the Internet

• Virus infects thousands of hosts and installs a Trojan horse

• On a given date all Trojans start flooding the Victim e.g. with HTTP requests

Diagram labels: Attacker, Internet, Victim

Page 26: CRM and Privacy

Page 27: CRM and Privacy

• Trust
  A customer who trusts the organization to respect personal information is more likely to transact with the organization and to provide more information to allow the organization to service his/her need.

Contrary Viewpoints:

• Marketers
  see enormous possibilities for targeted advertising and cross-selling.

• Privacy Advocates
  want organizations to collect minimal information, do as little as possible with that information, and ask for permission first.

• Regulators
  are looking at more effective enforcement.

• Lawyers
  juggle new compliance requirements and legal risks.

• Consumers
  are left wondering if they really have any privacy left at all.

Source: PriceWaterhouseCoopers, "Risks of Customer Relationship Management", ISACF, 2003

Page 28: E-Risks jeopardizing Customer Privacy

An organization risks violating the privacy of its customers in several of the following ways:

• Security Breaches
  Unintentional security breaches that allow unauthorized people to view personal information about customers.

• Faulty Authentication
  Failing to correctly authenticate customers before allowing them to access personal data.

• Missing or Unheeded Confidentiality Agreements
  Failing to secure confidentiality agreements with vendors that host parts of the system or have access to the data.

• Insufficient Access Restrictions
  Failing to restrict employee access at the application or database level to prevent customer data being used in profiling or other marketing activities that breach the organization's privacy policy, e.g. failing to honor customer opt-outs.

Source: PriceWaterhouseCoopers, "Risks of Customer Relationship Management", ISACF, 2003

Page 29: Conclusions

• Due to the large amount of personal data maintained by organizations implementing CRM strategies,

• the ease with which the data can be electronically transferred,

• and the threat to personal privacy if they are misused, …

• … organizations must establish formal programs to address privacy in the context of CRM deployments.

• In order to be effective, these programs need executive support, appropriate resources and representation from a significant portion of the organization.

Source: PriceWaterhouseCoopers, "Risks of Customer Relationship Management", ISACF, 2003

Page 30: Security Policies

Page 31: Security Policies

"There should be a commonly understood set of practices and procedures to define management's intentions for the security of e-Commerce."

Deloitte&Touche, "E-Commerce Security – Enterprise Best Practices", ISACF, 2000

Page 32: Effectiveness of Security Policies

• Research has shown that there is only limited correlation between a written statement of policy and management's satisfaction with the attainment of its security objectives.

• The reason seems to be that so-called Internet time is too fast to merit taking the time to write down all the policies that have evolved.

• Overall information protection policies are required. Simply to address confidentiality, integrity and availability (CIA) as they apply to e-Commerce is to miss the unique policy issues prescribed for doing business on the Internet.

• It appears that the highest level of satisfaction with security – policy, direction and enforcement – is achieved when many parties (e.g. sales, marketing, supply chain management, and information technology) are involved and responsible.

Source: Deloitte&Touche, "E-Commerce Security – Enterprise Best Practices", ISACF, 2000, pp. 41-44

Page 33: The five Elements of Effective Security Policies

• Language
  Loosely constructed statements potentially lead to misinterpretations of the policies. The policies must be written such that expectations are clear.

• Feasibility
  Policies must be reasonable and practical. If policies are not logical, or within reasonability, they may not be implemented.

• Responsibility
  Policies must clearly define who is responsible and to whom the policy applies.

• Consistency
  Inconsistent use of words and definitions can mislead the reader and potentially confuse the message of the policy. Examples include "data" vs. "information" and "approval" vs. "authorization".

• Comprehensive
  Gaps in the coverage of policies will discredit them. The policies must consider all aspects of information security and where possible, the policies should be linked to other corporate policies.

Source: PriceWaterhouseCoopers, "Risks of Customer Relationship Management", ISACF, 2003

Page 34: Security Policies

"Policies enable; they do not just deny."

PriceWaterhouseCoopers, "Risks of Customer Relationship Management", ISACF, 2003