4_internet security ch11(final
TRANSCRIPT
-
7/30/2019 4_Internet Security Ch11(Final
1/50
-
As e-business has evolved, opportunities for intrusion and attacks have increased.
Attackers include teenage hackers, industrial spies, corporate insiders and criminal elements.
Internet security issues require a concerted effort at all five levels.
-
Level 1: The Home User/Small Business. Individuals who are making payments online.
Can be used as a base of operation to attack big enterprises and critical infrastructure.
Level 2: Large Enterprises. Common targets for cyber attacks.
Can be part of critical infrastructure.
Level 3: Critical Sectors/Infrastructure. Need to share cyber security problems between private, government and academic organizations.
-
Level 4: National Issues and Vulnerabilities. In the US, many sectors use Internet services as the control system of many sectors.
Level 5: Global. Internet boundaries are global; one part of the world can impact another part.
International co-operation is needed to detect, prevent and minimize cyber attacks.
-
What kinds of basic security questions arise?
From the user's perspective:
How can the user be sure that the Web server is owned and operated by a legitimate company?
How does the user know that the Web page and form do not contain some malicious or dangerous code or content?
How does the user know that the owner of the Web site will not distribute the information the user provides to some other party?
-
From the company's perspective:
How does the company know the user will not attempt to break into the Web server or alter the pages and content at the site?
How does the company know that the user will not try to disrupt the server so that it is not available to others?
-
From both parties' perspectives:
How do both parties know that the network connection is free from eavesdropping (a third party listening in on the line to a private conversation)?
How do they know that the information sent back and forth between the server and the user's browser has not been altered?
-
1- Authentication
The process by which one entity verifies that another entity is who he, she, or it claims to be.
Examples: Web site viewing, filing a tax return, receiving an email.
Requires evidence in the form of credentials, which can be a password or a smart card.
-
2- Authorization
The process that ensures that a person has the right to access certain resources (files, registers, directories).
Compares information about the person/program with the access control information associated with the resource being accessed (e.g. Windows XP admin user vs. guest).
3- Auditing
The process of collecting information about attempts to access particular resources, use particular privileges, or perform other security actions.
Actions are noted in a log file.
Provides IT personnel with a way to trace the specific actions that were taken and the person or program that performed these actions.
-
4- Confidentiality (Privacy)
Information that is private or sensitive should not be disclosed to unauthorised individuals, entities or computer software processes.
Examples: health records, credit card numbers, site visits.
Confidentiality is ensured by encryption.
5- Integrity
The ability to protect data from being altered or destroyed in an unauthorised manner is called integrity.
Financial transactions need integrity.
Encryption ensures data integrity while it is in transit.
-
6- Availability
Availability in near real time of pages, data or services provided by a site whenever needed.
7- Nonrepudiation
The ability to limit parties from refuting/contradicting that a legitimate transaction has taken place.
Digital signatures are used to prevent users from disputing a communication; the contents of the message are encrypted (by the sender) and decrypted (by the receiver) with the help of public/private keys.
-
Technologies designed to secure an organisation's networks can be divided into 2 groups.
-
Access control determines who (person or machine) can legitimately use network resources:
Web pages, text files, databases, applications, servers, printers.
-
An access control list defines which users have access to which resources and what type of rights are given:
Read, view, write, print, copy, delete, modify, move.
The process of assigning rights is simplified by creating various roles/groups (e.g. system admin, sales reps, trading partners), assigning rights to those groups, and specifying the individuals within those groups.
Users are denoted by a network login ID, which is checked at log-in time.
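The role/group scheme just described, combined with the auditing step from the authorization/auditing slide, as an added example that is not part of the course material: a small access control list keyed by group, a check that compares a login ID's groups against it (anything unlisted is denied), and an audit log of every attempt; the resources, groups and users are constructed.

```python
from datetime import datetime, timezone

# Rights listed on the slide; a resource's ACL maps a group to the subset it holds.
RIGHTS = {"read", "view", "write", "print", "copy", "delete", "modify", "move"}

# Access control list (constructed): resource -> group -> rights.
ACL = {
    "/sales/price-list.txt": {
        "sales_reps": {"read", "view", "print"},
        "trading_partners": {"view"},
        "sysadmin": set(RIGHTS),
    },
    "/db/customers": {
        "sales_reps": {"read", "write", "modify"},
        "sysadmin": set(RIGHTS),
    },
}

# Group membership keyed by network login ID (constructed); looked up at log-in time.
GROUPS = {"alice": {"sales_reps"}, "bob": {"trading_partners"}, "root": {"sysadmin"}}


class AuditLog:
    """Collects every access attempt so IT staff can trace who tried what, and when."""

    def __init__(self):
        self.entries = []

    def record(self, user, resource, right, allowed):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "resource": resource, "right": right,
            "result": "ALLOW" if allowed else "DENY",
        })


def check_access(user, resource, right, audit):
    """Authorization: compare the user's groups with the resource's ACL; unlisted means denied."""
    if right not in RIGHTS:
        raise ValueError("unknown right: " + right)
    allowed = any(right in ACL.get(resource, {}).get(group, set())
                  for group in GROUPS.get(user, set()))
    audit.record(user, resource, right, allowed)  # every attempt is logged, not only failures
    return allowed


def denied_attempts(audit, user):
    """Auditing: pull one user's failed attempts out of the log for review."""
    return [e for e in audit.entries if e["user"] == user and e["result"] == "DENY"]


if __name__ == "__main__":
    log = AuditLog()
    check_access("alice", "/sales/price-list.txt", "print", log)
    check_access("bob", "/sales/price-list.txt", "print", log)  # partner role: denied
    for entry in log.entries:
        print(entry)
```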
-
After identification, the user needs to be authenticated.
Authentication is the process of verifying that the user is who he or she claims to be.
Authentication is based on distinguishing characteristics: something one knows (password), something one has (token) or something one is (fingerprint).
Two-factor authentication combines two of these, e.g. something one knows with something one has.
Passive Tokens
Storage devices that contain a hidden code, e.g. plastic cards with magnetic strips.
The user swipes the token through a reader attached to the workstation to get access to the network.
-
Active Tokens
Less common.
Small, stand-alone electronic devices.
The user enters a PIN into the token, which generates a one-time password that can be used only for a single log-on to the authentication system.
e.g. key chain tokens.
-
Two-factor authentication based on something one is:
Recognition of a person by a physical trait, e.g. fingerprint scanners, iris scanners, facial recognition and voice recognition.
Usage incidence has been low (5% market share of the security product market), but is gradually improving due to declining system prices, terrorism and fraud cases.
-
The technical components, infrastructure and practices needed to enable the use of public key encryption, digital signatures and certificates.
A scheme for securing e-payments using the above infrastructure.
PKI works on encryption: the process of scrambling (encrypting) a message in such a way that it is difficult, expensive, or time-consuming for an unauthorized person to unscramble (decrypt) it.
-
Plaintext: an unencrypted message in human-readable form.
Cipher text: a plaintext message after it has been encrypted into a machine-readable form.
Key: the secret code used to encrypt and decrypt a message.
-
In the online world, how can one be sure that a message is actually coming from the person whom he or she thinks sent it? Similarly, how can one be sure that a person cannot deny that he or she sent a particular message?
One part of the answer is a digital signature, the electronic equivalent of a personal signature that cannot be forged. Digital signatures are based on public keys. They can be used to authenticate the identity of the sender of a message or document. They also can be used to ensure that the original content of an electronic message or document is unchanged. Digital signatures have additional benefits in the online world. They are portable, cannot be easily repudiated or imitated, and can be time-stamped.
-
Exhibit 11.5 shows how a digital signature works. Suppose a person wants to send the draft of a financial contract to a company with whom he or she plans to do business as an e-mail message. The sender wants to assure the company that the content of the draft has not been changed en route and that he or she really is the sender. To do so, the sender takes the following steps:
1. The sender creates the e-mail message with the contract in it.
2. Using special software, a mathematical computation called a hash function is applied to the message, which results in a special summary of the message, converted into a string of digits called a message digest.
3. The sender uses his or her private key to encrypt the hash. This is the sender's digital signature. No one else can replicate the sender's digital signature because it is based on the sender's private key.
4. The sender encrypts both the original message and the digital signature using the recipient's public key. This is the digital envelope.
5. The sender e-mails the digital envelope to the receiver.
6. Upon receipt, the receiver uses his or her private key to decrypt the contents of the digital envelope. This produces a copy of the message and the sender's digital signature.
7. The receiver uses the sender's public key to decrypt the digital signature, resulting in a copy of the original message digest.
-
8. Using the same hash function employed in step 2, the recipient then creates a message digest from the decrypted message (as shown in Exhibit 11.5).
9. The recipient compares this digest with the original message digest.
10. If the two digests match, then the recipient concludes that the message is authentic.
In this scenario, the company has evidence that the sender sent the e-mail because (theoretically) the sender is the only one with access to the private key. The recipient knows that the message has not been tampered with, because if it had been, the two hashes would not have matched.
Companies providing digital signatures (DS) are: Avavoco, Chosen Security, Comodo, GeoTrust, GlobalSign, Intellisafe, Verisign.
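The ten steps above walked through end to end, as an added example that is not the textbook's or any vendor's code: textbook RSA with small hard-coded Mersenne primes stands in for the real public/private keys and SHA-256 for the hash function, and the message/signature are encrypted block by block to form the envelope. The tiny keys, the absence of padding and the reduction of the digest modulo n are simplifications for illustration, not a construction to reuse.

```python
import hashlib

E = 65537  # public exponent shared by both constructed key pairs


def make_keypair(p, q):
    """Textbook RSA: public key (e, n), private key (d, n). Needs Python 3.8+ for pow(e, -1, phi)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)


# Constructed keys built from known Mersenne primes; real keys are far larger and random.
SENDER_PUB, SENDER_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
RECIPIENT_PUB, RECIPIENT_PRIV = make_keypair(2**89 - 1, 2**107 - 1)


def message_digest(message, n):
    """Step 2: hash the message; reduced mod n only so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, priv):
    """Step 3: 'encrypt' the digest with the sender's private key."""
    d, n = priv
    return pow(message_digest(message, n), d, n)


def verify(message, signature, pub):
    """Steps 7-10: recover the digest with the sender's public key and compare it with a fresh one."""
    e, n = pub
    return pow(signature, e, n) == message_digest(message, n)


def _block_len(n):
    # Largest block length (bytes) whose values are always below the modulus n.
    return (n.bit_length() - 1) // 8


def rsa_encrypt_bytes(data, pub):
    """Encrypt arbitrary-length data block by block; a 0x01 marker byte preserves leading zeros."""
    e, n = pub
    size = _block_len(n) - 1
    return [pow(int.from_bytes(b"\x01" + data[i:i + size], "big"), e, n)
            for i in range(0, len(data), size)]


def rsa_decrypt_bytes(blocks, priv):
    d, n = priv
    out = b""
    for c in blocks:
        block = pow(c, d, n).to_bytes(_block_len(n), "big").lstrip(b"\x00")
        if not block or block[0] != 1:
            raise ValueError("corrupt block")
        out += block[1:]
    return out


def seal_envelope(message, sender_priv, recipient_pub):
    """Steps 1-5: sign the message, then encrypt message and signature for the recipient."""
    sig = sign(message, sender_priv)
    sig_bytes = sig.to_bytes((sender_priv[1].bit_length() + 7) // 8, "big")
    return {"message": rsa_encrypt_bytes(message, recipient_pub),
            "signature": rsa_encrypt_bytes(sig_bytes, recipient_pub)}


def open_envelope(envelope, recipient_priv, sender_pub):
    """Steps 6-10: open the envelope with the recipient's private key, then check the signature."""
    message = rsa_decrypt_bytes(envelope["message"], recipient_priv)
    sig = int.from_bytes(rsa_decrypt_bytes(envelope["signature"], recipient_priv), "big")
    return message, verify(message, sig, sender_pub)


if __name__ == "__main__":
    contract = b"Draft contract: 1,000 units at 12.50 each, net 30 days."  # constructed sample
    env = seal_envelope(contract, SENDER_PRIV, RECIPIENT_PUB)
    msg, ok = open_envelope(env, RECIPIENT_PRIV, SENDER_PUB)
    print(msg == contract, ok)  # True True
```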
-
Digital certificates: verification that the holder of a public or private key is who he or she claims to be.
If one has to know someone's public key to send that person a message, where does the public key come from and how can one be sure of the person's actual identity? Digital certificates verify that the holder of a public and/or private key is who he or she claims to be.
Third parties that issue digital certificates are called certificate authorities (CAs).
A certificate contains things such as the holder's name, validity period, public key information, and a signed hash of the certificate data (i.e., hashed contents of the certificate signed with the CA's private key). Certificates are used to authenticate Web sites (site certificates), individuals (personal certificates), and software companies (software publisher certificates).
There are a large number of third-party CAs. VeriSign (verisign.com) is the best known of the CAs. VeriSign issues three classes of certificates: Class 1 verifies that an e-mail actually comes from the user's address. Class 2 checks the user's identity against a commercial credit database. Class 3 requires notarized/certified documents. Companies such as Microsoft offer systems that enable companies to issue their own private, in-house certificates.
-
If the average user had to figure out how to use encryption, digital certificates, digital signatures, and the like, there would be few secure transactions on the Web. Fortunately, many of these issues are handled in a transparent fashion by Web browsers and Web servers. Given that different companies, financial institutions, and governments in many countries are involved in e-commerce, it is necessary to have generally accepted protocols for securing e-commerce. One of the major protocols in use today is Secure Socket Layer (SSL), also known as Transport Layer Security (TLS).
The Secure Socket Layer (SSL) was invented by Netscape to utilize standard certificates for authentication and data encryption to ensure privacy or confidentiality. SSL became a de facto (real) standard adopted by the browsers and servers provided by Microsoft and Netscape. In 1996, SSL was renamed Transport Layer Security (TLS), but many people still use the SSL name. It is the major standard used for online credit card payments.
SSL makes it possible to encrypt credit card numbers and other transmissions between a Web server and a Web browser. In the case of credit card transactions, there is more to making a purchase on the Web than simply passing an encrypted credit card number to a merchant. The number must be checked for validity, the consumer's bank must authorize the card, and the purchase must be processed. SSL is not designed to handle any of the steps beyond the transmission of the card number.
-
Securing an organisation's network boundaries from intrusion or attack.
Layered Security
Relying on a single technology to stop attacks is doomed to failure. A variety of technologies must be applied at key points in a network (see Exhibit 11.6). This is probably the most important concept in designing a secure system.
Controlling Access
Access to a network should be based on the policy of least privilege (POLP): the policy of blocking access to network resources unless access is required to conduct business.
By default, access to network resources should be blocked and permitted only when required to conduct business.
Role-specific security
Access to a particular network resource is based on the user's role in the organisation.
-
The term firewall came into use in the 1700s to describe the gaps cut into forests so that fires could be prevented from spreading to other parts of the forest (Garfinkel 2002). The term also describes a protective shield between a car engine and the interior of the car.
In the world of networked computing, a firewall is a network node consisting of both hardware and software that isolates a private network from a public network.
A set of rules determines if the data should be allowed entry.
The firewall is located at the point of entry where data attempts to enter the computer from the Internet.
-
Packet-filtering routers: Some firewalls filter data and requests moving from the public Internet to a private network based on the network addresses of the computer sending or receiving the request. These firewalls are called packet-filtering routers.
Packets: Segments of data and requests sent from one computer to another on the Internet; they consist of the Internet addresses of the computers sending and receiving the data, plus other identifying information that distinguishes one packet from another.
Packet filters: Rules that can accept or reject incoming packets based on source and destination addresses and the other identifying information. Some simple examples of packet filters include the following:
Block all packets sent from a given Internet address. (Companies sometimes use this to block requests from computers owned by competitors.)
Block any packet coming from outside that has the address of a computer on the inside. (Companies use this type of rule to block requests where an intruder is using his or her computer to impersonate a computer that belongs to the company.)
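The two packet-filter rules above, together with the default-deny posture of the policy of least privilege from the earlier slide, applied to constructed packets. This is an added example rather than any real firewall's rule syntax; the address ranges and the single permitted service are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")               # constructed: the company's internal range
WEB_SERVER = ip_address("10.0.0.80")            # constructed: the one service open to the Internet
BLOCKED_SOURCES = {ip_address("203.0.113.7")}   # constructed: an outside host blocked outright


@dataclass
class Packet:
    src: str       # source Internet address
    dst: str       # destination Internet address
    dport: int     # destination port: the "other identifying information"
    proto: str = "tcp"


def evaluate(pkt, arriving_from_outside=True):
    """Return (accept, reason). Rules are tried in order; unmatched traffic is denied."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # Rule 1: block all packets sent from a given Internet address.
    if src in BLOCKED_SOURCES:
        return False, "source address is on the block list"
    # Rule 2: a packet arriving from outside must not claim an inside source address.
    if arriving_from_outside and src in INSIDE:
        return False, "outside packet claims an inside address (impersonation)"
    # Rule 3: the only business need is the public web server, so permit just that.
    if dst == WEB_SERVER and pkt.proto == "tcp" and pkt.dport in (80, 443):
        return True, "permitted: public web server"
    # Policy of least privilege: everything not explicitly required is blocked.
    return False, "no rule permits this traffic (default deny)"


def filter_packets(packets, arriving_from_outside=True):
    """Apply the rule set to a batch and return only the accepted packets."""
    return [p for p in packets if evaluate(p, arriving_from_outside)[0]]


if __name__ == "__main__":
    sample = [  # constructed traffic
        Packet("198.51.100.5", "10.0.0.80", 443),   # ordinary customer -> web server
        Packet("203.0.113.7", "10.0.0.80", 443),    # blocked address
        Packet("10.0.0.5", "10.0.0.80", 443),       # inside address arriving from outside
        Packet("198.51.100.5", "10.0.0.22", 22),    # no business need: default deny
    ]
    for p in sample:
        print(p.src, "->", p.dst, p.dport, evaluate(p))
```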
-
A network area that sits between an organization's internal network and an external network (the Internet), providing physical isolation between the two networks, controlled by rules enforced by a firewall. The firewall is configured to direct outside requests to the appropriate network/servers.
-
Always-on DSL connections are more vulnerable than dial-up connections.
A personal firewall is a network node designed to protect an individual user's desktop system from the public network by monitoring all the traffic that passes through the computer's network interface card.
Two methods are usually followed:
The owner can set filtering rules (which packets to permit and which ones to delete).
The firewall can ask the user how particular traffic ought to be handled.
e.g. Norton Personal Firewall, CheckPoint, Zone Alarm.
-
An organisation wants to establish B2B connections with suppliers, partners and intermediaries.
Traditionally, communications with the company would have taken place over a private leased line or through a dial-up line to a bank of modems or a remote access server (RAS) that provided direct connections to the company's LAN. With a private line, the chances of a hacker eavesdropping on the communications between the companies would be nil, but it is an expensive way to do business. A VPN is a less expensive alternative.
A VPN is a network that uses the public Internet to carry information but remains private by using encryption to scramble the communications, authentication to ensure that information has not been tampered with, and access control to verify the identity of anyone using the network.
VPNs can reduce communication costs dramatically. The reduced costs come about because VPN equipment is cheaper than other remote solutions, private leased lines are no longer needed to support remote access, remote users can place local calls or use cable or DSL lines rather than long distance or international calls to access an organization's private network, and a single access line can be used to support multiple purposes. The estimated cost savings for site-to-site networks is 20 to 40 percent for sites in the same country and 60 to 90 percent if they are in different countries.
-
Protocol tunneling
The main technical challenge of a VPN is to ensure the confidentiality and integrity of the data transmitted over the Internet. This is where protocol tunneling comes into play. With protocol tunneling, data packets are first encrypted and then encapsulated into packets that can be transmitted across the Internet. The packets are decrypted at the destination address by a special host or router.
Three technologies can be used to create a VPN. First, many of the firewall packages (hardware and software) provide VPN functionality. Second, routers (i.e., special network components for controlling communications) can not only function as firewalls, but they also can function as VPN servers. Finally, software solutions are available that can be used to handle VPN connections. The VPN Consortium (vpnc.org/vpnc-features-chart.html) provides a comparison of a number of commercial VPN products.
Many telecommunications carriers and larger ISPs offer VPN services for Internet-based dial-up and site-to-site communications. These carriers use their own private network backbones to which they have added security features, intranet connectivity, and new dial-up capabilities for remote services. Two of the carriers providing these services are AT&T VPN services (att.com) and Cable & Wireless IP-VPN Internet (cw.com).
-
Even if an organization has a well-formulated security policy and a number of security technologies in place, it is still vulnerable to attack. For example, most organizations have antivirus software, yet most are subjected to virus attacks. This is why an organization must continually watch for attempted, as well as actual, security breaches/leakage.
Today, a special category of software exists that can monitor activity across a network or on a host computer, watch for suspicious activity (failed log-on attempts, failed database access attempts) and take automated action based on what it sees. This category of software is called intrusion detection systems (IDSs).
IDSs are either host based or network based. A host-based IDS resides on the server or host system that is being monitored. Host-based systems are particularly good at detecting whether critical or security-related files have been tampered with or whether a user has attempted to access files that he or she is not authorized to use. The host-based system does this by computing a special signature or checksum for each file. The IDS checks files on a regular basis to see if the current signatures match the previous signatures. If the signatures do not match, security personnel are notified immediately.
Some examples of commercial host-based systems are Symantec's Intruder Alert (symantec.com), Tripwire Security's Tripwire aresecurity.com), and McAfee's Entercept Desktop and Server Agents (mcafee.com).
-
Honeynets are another technology that can be used to detect and analyze intrusions. A honeynet is a network of honeypots designed to attract hackers like honey attracts bees. In this case, the honeypots are information system resources (firewalls, routers, Web servers, database servers, files, and the like) that are made to look like production systems but do no real work. The main difference between a honeypot and the real thing is that the activities on a honeypot come from intruders attempting to compromise the system. In this way, researchers watching the honeynet can gather information about why hackers attack, when they attack, how they attack, what they do after the system is compromised, and how they communicate with one another during and after the attack.
Honeynet: A way to evaluate the vulnerabilities of an organization by studying the types of attacks to which a site is subjected, using a network of systems called honeypots.
Honeypots: Production systems (e.g., firewalls, routers, Web servers, database servers) designed to do real work but that are watched and studied as network intrusions occur.
Honeynets and honeypots originated in April 1999 with the Honeynet Project (Honeynet 2004). The Honeynet Project is a worldwide, not-for-profit research group of security professionals. The group focuses on raising awareness of the security risks that confront any system connected to the Internet and on teaching and informing the security community about better ways to secure and defend network resources.
-
Social engineering
A type of nontechnical attack that uses social pressures to trick computer users into compromising computer networks to which those individuals have access.
A multi-pronged approach should be used to combat social engineering:
Education and training
Policies and procedures
Penetration testing
-
An attack committed using software and systems knowledge or expertise.
Common (Security) Vulnerabilities and Exposures (CVEs): publicly known computer security risks, which are collected, listed, and shared by a board of security-related organizations (cve.mitre.org). In 1999, the Mitre Corporation (cve.mitre.org) and 15 other security-related organizations began to count all publicly known common (security) vulnerabilities and exposures (CVEs).
National Infrastructure Protection Center (NIPC): a joint partnership under the auspices of the FBI between government and private industry, designed to prevent and protect the nation's infrastructure.
-
Denial-of-service (DoS) attack
An attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources.
Distributed denial-of-service (DDoS) attack
A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses the multiple computers to send a flood of data packets to the target computer.
The machines on which the DDoS software is loaded are known as zombies. Zombies are located at university and government sites and, increasingly, on home computers that are connected to the Internet through cable modems or DSL modems.
-
Malware: a generic term for malicious software.
A number of factors have contributed to the overall increase in malicious code. Among these factors, the following are paramount:
Mixing data and executable instructions
Increasingly homogeneous computing environments
Unprecedented/unmatched connectivity
Larger clueless user base
-
Virus
A piece of software code that inserts itself into a host, including the operating system, in order to propagate; it requires that its host program be run to activate it.
Worm
A software program that runs independently, consuming the resources of its host in order to maintain itself, and that is capable of propagating a complete working version of itself onto another machine.
-
Common mistakes in managing security risks:
Undervalued information
Narrowly defined security boundaries
Reactive security management
Dated security management processes
Lack of communication about security responsibilities
-
Security Risk Management
A systematic process for determining the likelihood of various security attacks and for identifying the actions needed to prevent or mitigate those attacks.