4_internet security ch11(final

Upload: ad-saqib

Post on 14-Apr-2018


  • 7/30/2019 4_Internet Security Ch11(Final


    As e-business has evolved, opportunities for intrusion and attacks have increased.

    Teenage hackers, industrial spies, corporate insiders, criminal elements.

    Internet security issues require a concerted effort at all five levels.


    Level 1: The Home User/Small Business

    Individuals who are making payments online

    Can be used as a base of operation to attack big enterprises and critical infrastructure.

    Level 2: Large Enterprises

    Common targets for cyber attacks

    Can be part of critical infrastructure

    Level 3: Critical Sectors/Infrastructure

    Need to share cyber security problems between private, government and academic organizations.


    Level 4: National Issues and Vulnerabilities

    In the US, many sectors use Internet services as their control systems.

    Level 5: Global

    Internet boundaries are global; one part of the world can impact another part.

    International co-operation to detect, prevent and minimize cyber attacks.


    What kinds of basic security questions arise?

    From the user's perspective

    How can the user be sure that the Web server is owned and operated by a legitimate company?

    How does the user know that the Web page and form do not contain some malicious or dangerous code or content?

    How does the user know that the owner of the Web site will not distribute the information the user provides to some other party?


    From the company's perspective

    How does the company know the user will not attempt to break into the Web server or alter the pages and content at the site?

    How does the company know that the user will not try to disrupt the server so that it is not available to others?


    From both parties' perspectives

    How do both parties know that the network connection is free from eavesdropping (listening to a private conversation) by a third party listening on the line?

    How do they know that the information sent back and forth between the server and the user's browser has not been altered?


    1-Authentication

    The process by which one entity verifies that another entity is who he, she, or it claims to be

    Website viewing

    Filing a tax return

    Receiving an email

    Requires evidence in the form of credentials, which can be:

    Password

    Smart card


    2-Authorization

    The process that ensures that a person has the right to access certain resources (files, registers, directories)

    Comparing information about the person/program with access control information associated with the resource being accessed (e.g. Windows XP admin user vs. guest)

    3-Auditing

    The process of collecting information about attempts to access particular resources, use particular privileges, or perform other security actions

    Actions are noted in a log file

    Enables IT personnel to trace the specific actions that were taken and the person or program that performed them.


    4-Confidentiality (Privacy)

    Information that is private or sensitive should not be disclosed to unauthorised individuals, entities or computer software processes.

    Health records, credit card numbers, site visits.

    Confidentiality is ensured by encryption

    5-Integrity

    The ability to protect data from being altered or destroyed in an unauthorised manner is called integrity

    Financial transactions need integrity

    Encryption ensures data integrity while it is in transit


    6-Availability

    Availability in near real time of pages, data or services provided by a site whenever needed.

    7-Nonrepudiation

    The ability to limit parties from refuting (contradicting) that a legitimate transaction has taken place.

    Digital signatures are used to prevent users from disputing a communication; public/private keys are used to encrypt (sender) and decrypt (receiver) the contents of the message.


    Technologies designed to secure networks can be divided into 2 groups


    Access control determines who (person or machine) can legitimately use a network resource

    Web pages

    Text files

    Databases

    Applications

    Servers

    Printers


    Access control lists define:

    Which users have access to which resources

    What type of rights are given

    Read, view, write, print, copy, delete, modify, move

    The process of assigning rights is simplified by:

    Creating various roles/groups

    System admin, sales reps, trading partners

    Assigning rights to those groups

    Specifying individuals within those groups

    Users are denoted by a network login ID, checked at log-in time


    After identification, the user needs to be authenticated

    The process of verifying that the user is who he or she claims to be

    Authentication is based on distinguishing characteristics

    Something one knows (password), something one has (token) or something one is (fingerprint)

    Two-factor authentication, e.g. combining something one knows with something one has

    Passive Tokens

    Storage devices that contain a hidden code, e.g. plastic cards with magnetic strips

    Swipe the token through a reader attached to a workstation to get access to the network


    Active Tokens

    Less common

    Small, stand-alone electronic devices

    The user enters a PIN into the token, which generates a one-time password that can be used only for a single log-on to the authentication system

    e.g. key chain tokens.


    Two-factor authentication based on something one is

    Recognition of a person by a physical trait.

    e.g. fingerprint scanners, iris scanners, facial recognition and voice recognition

    Usage incidence has been low, 5% market share of the security product market, but is gradually improving due to declining system prices, terrorism, fraud cases.


    Technical components, infrastructure and practices needed to enable the use of public key encryption and digital signatures/certificates

    A scheme for securing e-payments using the above infrastructure

    PKI works on encryption: the process of scrambling (encrypting) a message in such a way that it is difficult, expensive, or time-consuming for an unauthorized person to unscramble (decrypt) it


    plaintext: An unencrypted message in human-readable form

    ciphertext: A plaintext message after it has been encrypted into a machine-readable form

    key: The secret code used to encrypt and decrypt a message


    In the online world, how can one be sure that a message is actually coming from the person whom he or she thinks sent it? Similarly, how can one be sure that a person cannot deny that he or she sent a particular message?

    One part of the answer is a digital signature: the electronic equivalent of a personal signature that cannot be forged. Digital signatures are based on public keys. They can be used to authenticate the identity of the sender of a message or document. They also can be used to ensure that the original content of an electronic message or document is unchanged. Digital signatures have additional benefits in the online world. They are portable, cannot be easily repudiated or imitated, and can be time-stamped.


    Exhibit 11.5 shows how a digital signature works. Suppose a person wants to send the draft of a financial contract to a company with whom he or she plans to do business as an e-mail message. The sender wants to assure the company that the content of the draft has not been changed en route and that he or she really is the sender. To do so, the sender takes the following steps:

    1. The sender creates the e-mail message with the contract in it.

    2. Using special software, a mathematical computation called a hash function is applied to the message, which results in a special summary of the message, converted into a string of digits called a message digest.

    3. The sender uses his or her private key to encrypt the hash. This is the sender's digital signature. No one else can replicate the sender's digital signature because it is based on the sender's private key.

    4. The sender encrypts both the original message and the digital signature using the recipient's public key. This is the digital envelope.

    5. The sender e-mails the digital envelope to the receiver.

    6. Upon receipt, the receiver uses his or her private key to decrypt the contents of the digital envelope. This produces a copy of the message and the sender's digital signature.

    7. The receiver uses the sender's public key to decrypt the digital signature, resulting in a copy of the original message digest.


    8. Using the same hash function employed in step 2, the recipient then creates a message digest from the decrypted message (as shown in Exhibit 11.5).

    9. The recipient compares this digest with the original message digest.

    10. If the two digests match, then the recipient concludes that the message is authentic.

    In this scenario, the company has evidence that the sender sent the e-mail because (theoretically) the sender is the only one with access to the private key. The recipient knows that the message has not been tampered with, because if it had been the two hashes would not have matched.

    Companies providing digital signatures (DS) are Avavoco, Chosen Security, Comodo, Geo Trust, GlobalSign, Intellisafe, Verisign.
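
    The ten steps above carried through in code, as an added example that is not part of the original slides. It assumes unpadded textbook RSA with SHA-256 and toy keys built from well-known Mersenne primes so that it runs with the standard library alone; all function names and the sample contract are constructed, and production systems use padded schemes from a vetted library.

```python
import hashlib

E = 65537  # public exponent used by both toy keys


def make_keypair(p_exp, q_exp):
    """Toy RSA key pair from the Mersenne primes 2**p_exp - 1 and 2**q_exp - 1.
    Constructed for this demo only: the factors are public knowledge."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))      # private exponent (Python 3.8+)
    return (n, E), (n, d)                  # (public key, private key)


def message_digest(message):
    """Steps 2 and 8: apply the hash function to get the message digest."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, sender_private):
    """Step 3: encrypt the digest with the sender's private key."""
    n, d = sender_private
    return pow(message_digest(message), d, n)


def seal_envelope(message, signature, recipient_public):
    """Step 4: encrypt message and signature with the recipient's public key."""
    n, e = recipient_public
    sig_bytes = signature.to_bytes((signature.bit_length() + 7) // 8 or 1, "big")
    payload = len(message).to_bytes(4, "big") + message + sig_bytes
    size = (n.bit_length() - 2) // 8       # data bytes per block, keeps block < n
    envelope = []
    for i in range(0, len(payload), size):
        # The 0x01 marker preserves leading zero bytes of the chunk.
        block = int.from_bytes(b"\x01" + payload[i:i + size], "big")
        envelope.append(pow(block, e, n))
    return envelope


def open_envelope(envelope, recipient_private):
    """Step 6: decrypt the envelope with the recipient's private key."""
    n, d = recipient_private
    payload = b""
    for ciphertext in envelope:
        block = pow(ciphertext, d, n)
        payload += block.to_bytes((block.bit_length() + 7) // 8, "big")[1:]
    length = int.from_bytes(payload[:4], "big")
    message = payload[4:4 + length]
    signature = int.from_bytes(payload[4 + length:], "big")
    return message, signature


def verify(message, signature, sender_public):
    """Steps 7-10: decrypt the signature with the sender's public key and
    compare the result with a freshly computed digest."""
    n, e = sender_public
    return pow(signature, e, n) == message_digest(message)


if __name__ == "__main__":
    sender_pub, sender_priv = make_keypair(521, 607)
    recipient_pub, recipient_priv = make_keypair(1279, 2203)
    contract = b"Draft contract: 500 units at 12.00 each, delivery in 30 days."
    envelope = seal_envelope(contract, sign(contract, sender_priv), recipient_pub)  # steps 1-5
    message, signature = open_envelope(envelope, recipient_priv)
    print("authentic:", verify(message, signature, sender_pub))
    altered = message.replace(b"12.00", b"10.00")
    print("altered  :", verify(altered, signature, sender_pub))
```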


    Verification that the holder of a public or private key is who he or she claims to be.

    If one has to know someone's public key to send that person a message, where does the public key come from and how can one be sure of the person's actual identity? Digital certificates verify that the holder of a public and/or private key is who he or she claims to be.

    Certificate authorities (CAs): third parties that issue digital certificates

    A certificate contains things such as the holder's name, validity period, public key information, and a signed hash of the certificate data (i.e., hashed contents of the certificate signed with the CA's private key). Certificates are used to authenticate Web sites (site certificates), individuals (personal certificates), and software companies (software publisher certificates).

    There are a large number of third-party CAs. VeriSign (verisign.com) is the best known of the CAs. VeriSign issues three classes of certificates: Class 1 verifies that an e-mail actually comes from the user's address. Class 2 checks the user's identity against a commercial credit database. Class 3 requires notarized/certified documents. Companies such as Microsoft offer systems that enable companies to issue their own private, in-house certificates.


    If the average user had to figure out how to use encryption, digital certificates, digital signatures, and the like, there would be few secure transactions on the Web. Fortunately, many of these issues are handled in a transparent fashion by Web browsers and Web servers. Given that different companies, financial institutions, and governments in many countries are involved in e-commerce, it is necessary to have generally accepted protocols for securing e-commerce. One of the major protocols in use today is Secure Socket Layer (SSL), also known as Transport Layer Security (TLS).

    The Secure Socket Layer (SSL) was invented by Netscape to utilize standard certificates for authentication and data encryption to ensure privacy or confidentiality. SSL became a de facto/real standard adopted by the browsers and servers provided by Microsoft and Netscape. In 1996, SSL was renamed Transport Layer Security (TLS), but many people still use the SSL name. It is the major standard used for online credit card payments.

    SSL makes it possible to encrypt credit card numbers and other transmissions between a Web server and a Web browser. In the case of credit card transactions, there is more to making a purchase on the Web than simply passing an encrypted credit card number to a merchant. The number must be checked for validity, the consumer's bank must authorize the card, and the purchase must be processed. SSL is not designed to handle any of the steps beyond the transmission of the card number.


    Securing the boundaries of an organisation's network from intrusion or attack

    Layered Security

    Relying on a single technology to stop attacks is doomed to failure. A variety of technologies must be applied at key points in a network (see Exhibit 11.6). This is probably the most important concept in designing a secure system.

    Controlling Access

    Access to a network should be based on the policy of least privilege (POLP): the policy of blocking access to network resources unless access is required to conduct business.

    By default, access to network resources should be blocked and permitted only when required to conduct business.

    Role-specific security

    Access to a particular network resource is based on the user's role in the organisation


    The term firewall came into use in the 1700s to describe the gaps cut into forests so that fires could be prevented from spreading to other parts of the forest (Garfinkel 2002). The term also describes a protective shield between a car engine and the interior of the car.

    In the world of networked computing, a firewall is a network node consisting of both hardware and software that isolates a private network from a public network

    A set of rules determines whether the data should be allowed entry

    The firewall is located at the point of entry where data attempts to enter the computer from the Internet.


    Packet-filtering routers: Some firewalls filter data and requests moving from the public Internet to a private network based on the network addresses of the computer sending or receiving the request. These firewalls are called packet-filtering routers.

    Packets: Segments of data and requests sent from one computer to another on the Internet; they consist of the Internet addresses of the computers sending and receiving the data, plus other identifying information that distinguishes one packet from another.

    Packet filters: Rules that can accept or reject incoming packets based on source and destination addresses and the other identifying information. Some simple examples of packet filters include the following:

    Block all packets sent from a given Internet address. (Companies sometimes use this to block requests from computers owned by competitors.)

    Block any packet coming from outside that has the address of a computer on the inside. (Companies use this type of rule to block requests where an intruder is using his or her computer to impersonate a computer that belongs to the company.)
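
    The two packet filters above, evaluated as an ordered rule list with everything else blocked by default, as an added example that is not part of the original slides. All addresses come from the documentation ranges and are constructed; the rule names, the HTTPS server and the `Packet` fields are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses from the reserved documentation ranges.
INSIDE_NET = ipaddress.ip_network("198.51.100.0/24")   # the company's own network
BLOCKED_NET = ipaddress.ip_network("203.0.113.0/24")   # the "given Internet address"
WEB_SERVER = ipaddress.ip_address("198.51.100.80")     # assumed public HTTPS server


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    arrived_on: str   # interface the packet came in on: "outside" or "inside"


def spoofed_inside(pkt, src, dst):
    # Arrives from outside yet claims an inside source address: impersonation.
    return pkt.arrived_on == "outside" and src in INSIDE_NET


def blocked_source(pkt, src, dst):
    return src in BLOCKED_NET


def https_to_web(pkt, src, dst):
    return pkt.arrived_on == "outside" and dst == WEB_SERVER and pkt.dport == 443


def from_inside(pkt, src, dst):
    return pkt.arrived_on == "inside" and src in INSIDE_NET


# First matching rule wins, so the two "block" filters sit above the permits.
RULES = [
    ("anti-spoofing", spoofed_inside, "reject"),
    ("blocked-source", blocked_source, "reject"),
    ("allow-https", https_to_web, "accept"),
    ("allow-outbound", from_inside, "accept"),
]


def filter_packet(pkt):
    """Return (action, rule name) for one packet."""
    try:
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
    except ValueError:
        return "reject", "malformed-address"
    for name, matches, action in RULES:
        if matches(pkt, src, dst):
            return action, name
    return "reject", "default-deny"    # blocked unless a rule permits it


if __name__ == "__main__":
    samples = [   # constructed sample traffic
        Packet("192.0.2.10", "198.51.100.80", 443, "outside"),
        Packet("203.0.113.7", "198.51.100.80", 443, "outside"),
        Packet("198.51.100.5", "198.51.100.80", 443, "outside"),
        Packet("192.0.2.10", "198.51.100.80", 23, "outside"),
        Packet("198.51.100.5", "192.0.2.10", 443, "inside"),
    ]
    for pkt in samples:
        print(pkt, "->", filter_packet(pkt))
```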


    Network area that sits between an organization's internal network and an external network (Internet), providing physical isolation between the two networks, controlled by rules enforced by a firewall.

    The firewall is configured to direct outside requests to the appropriate network/servers.


    Always-on DSL connections are more vulnerable than dial-up connections

    A network node designed to protect an individual user's desktop system from the public network by monitoring all the traffic that passes through the computer's network interface card.

    2 methods are usually followed:

    The owner can set filtering rules (which packets to permit and which ones to delete)

    The firewall can ask the user how particular traffic ought to be handled.

    e.g. Norton Personal Firewall, CheckPoint, Zone Alarm.


    An organisation wants to establish B2B connections with suppliers, partners, intermediaries

    Traditionally, communications with the company would have taken place over a private leased line or through a dial-up line to a bank of modems or a remote access server (RAS) that provided direct connections to the company's LAN. With a private line, the chances of a hacker eavesdropping (listening in) on the communications between the companies would be nil, but it is an expensive way to do business. VPN is a less expensive alternative.

    A network that uses the public Internet to carry information but remains private by using encryption to scramble the communications, authentication to ensure that information has not been tampered with, and access control to verify the identity of anyone using the network.

    VPNs can reduce communication costs dramatically. The reduced costs come about because VPN equipment is cheaper than other remote solutions, private leased lines are no longer needed to support remote access, remote users can place local calls or use cable or DSL lines rather than long distance or international calls to access an organization's private network, and a single access line can be used to support multiple purposes. The estimated cost savings for site-to-site networks is 20 to 40 percent for sites in the same country and 60 to 90 percent if they are in different countries.


    Protocol tunneling

    The main technical challenge of a VPN is to ensure the confidentiality and integrity of the data transmitted over the Internet. This is where protocol tunneling comes into play. With protocol tunneling, data packets are first encrypted and then encapsulated into packets that can be transmitted across the Internet. The packets are decrypted at the destination address by a special host or router.

    Three technologies can be used to create a VPN. First, many of the firewall packages, hardware and software, provide VPN functionality. Second, routers (i.e., special network components for controlling communications) can not only function as firewalls, but they also can function as VPN servers. Finally, software solutions are available that can be used to handle VPN connections. The VPN Consortium (vpnc.org/vpnc-features-chart.html) provides a comparison of a number of commercial VPN products.

    Many telecommunications carriers and larger ISPs offer VPN services for Internet-based dial-up and site-to-site communications. These carriers use their own private network backbones to which they have added security features, intranet connectivity, and new dial-up capabilities for remote services. Two of the carriers providing these services are AT&T VPN services (att.com) and Cable & Wireless IP-VPN Internet (cw.com).


    Even if an organization has a well-formulated security policy and a number of security technologies in place, it still is vulnerable to attack. For example, most organizations have antivirus software, yet most are subjected to virus attacks. This is why an organization must continually watch for attempted, as well as actual, security breaches/leakage.

    Today, a special category of software exists that can monitor activity across a network or on a host computer, watch for suspicious activity (failed log-on attempts, failed database access attempts), and take automated action based on what it sees. This category of software is called intrusion detection systems (IDSs).

    IDSs are either host based or network based. A host-based IDS resides on the server or host system that is being monitored. Host-based systems are particularly good at detecting whether critical or security-related files have been tampered with or whether a user has attempted to access files that he or she is not authorized to use. The host-based system does this by computing a special signature or check-sum for each file. The IDS checks files on a regular basis to see if the current signatures match the previous signatures. If the signatures do not match, security personnel are notified immediately.

    Some examples of commercial host-systems are Symantec's Intruder Alert (symantec.com), Tripwire Security's Tripwire aresecurity.com), and McAfee's Entercept Desktop and Server Agents (mcafee.com)


    Honey nets are another technology that can be used to detect and analyze intrusions. A honey net is a network of honey pots designed to attract hackers like honey attracts bees. In this case, the honey pots are information system resources (firewalls, routers, Web servers, database servers, files, and the like) that are made to look like production systems but do no real work. The main difference between a honey pot and the real thing is that the activities on a honey pot come from intruders attempting to compromise the system. In this way, researchers watching the honey net can gather information about why hackers attack, when they attack, how they attack, what they do after the system is compromised, and how they communicate with one another during and after the attack.

    Honey net: A way to evaluate vulnerabilities of an organization by studying the types of attacks to which a site is subjected using a network of systems called honey pots.

    Honey pots: Production systems (e.g., firewalls, routers, Web servers, database servers) designed to do real work but that are watched and studied as network intrusions occur.

    Honey nets and honey pots originated in April 1999 with the Honey net Project (Honey-net 2004). The Honey net Project is a worldwide, not-for-profit research group of security professionals. The group focuses on raising awareness of security risks that confront any system connected to the Internet and teaching and informing the security community about better ways to secure and defend network resources.


    Social engineering

    A type of nontechnical attack that uses social pressures to trick computer users into compromising computer networks to which those individuals have access

    A multiprong approach should be used to combat social engineering:

    Education and training

    Policies and procedures

    Penetration testing


    An attack committed using software and systems knowledge or expertise.

    Common (security) vulnerabilities and exposures (CVEs): Publicly known computer security risks, which are collected, listed, and shared by a board of security-related organizations (cve.mitre.org)

    In 1999, Mitre Corporation (cve.mitre.org) and 15 other security-related organizations began to count all publicly known common (security) vulnerabilities and exposures (CVEs).

    National Infrastructure Protection Center (NIPC): A joint partnership under the auspices of the FBI between government and private industry; designed to prevent and protect the nation's infrastructure


    Denial-of-service (DoS) attack

    An attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources.

    Distributed denial-of-service (DDoS) attack

    A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses the multiple computers to send a flood of data packets to the target computer.

    The machines on which the DDoS software is loaded are known as zombies. Zombies are located at university and government sites and, increasingly, on home computers that are connected to the Internet through cable modems or DSL modems


    Malware: A generic term for malicious software

    A number of factors have contributed to the overall increase in malicious code. Among these factors, the following are paramount:

    Mixing data and executable instructions

    Increasingly homogenous computing environments

    Unprecedented/unmatched connectivity

    Larger clueless user base


    Virus

    A piece of software code that inserts itself into a host, including the operating systems, in order to propagate; it requires that its host program be run to activate it.

    Worm

    A software program that runs independently, consuming the resources of its host in order to maintain itself, that is capable of propagating a complete working version of itself onto another machine.


    Common mistakes in managing security risks:

    Undervalued information

    Narrowly defined security boundaries

    Reactive security management

    Dated security management processes

    Lack of communication about security responsibilities


    Security Risk Management

    A systematic process for determining the likelihood of various security attacks and for identifying the actions needed to prevent or mitigate those attacks.