Post on 26-Dec-2015

Information Systems Security

Information Security for Web-based Applications

The full picture

Securing web sites

- Reduce the attack surface of the web server
- Prevent unauthorized access to web sites and applications
- Isolate web sites and applications
- Configure user authentication
- Encrypt confidential data exchanged with clients
- Maintain web sites and application security

Securing web sites

Reduce the attack surface of the web server

- Enable only essential OS components and services
- Enable only the web server components and services that are needed
- Enable only the MIME types that are needed
- Configure OS security settings

Securing web sites

Prevent unauthorized access to web sites and applications

- Store content on a dedicated disk volume
- Set web site permissions
- Set IP address and domain name restrictions
- Set NTFS file system permissions

Securing web sites

Isolate web sites and applications

- To prevent multiple web sites and applications from adversely affecting one another
- Have to create application pools, assign web sites and applications to them, and assign a proper service account and permissions to each
- Complicated procedure

Securing web sites

Configure user authentication

- Select an appropriate authentication method:
  - Digest
  - Advanced digest
  - Integrated Windows
  - Client certificates
  - MS .NET Passport

Securing web sites

Encrypt confidential data exchanged with clients

- Use of Secure Socket Layer (SSL)
  - Install a server certificate
  - https instead of http
- Use IPSec or VPN for remote administration

Securing web sites

Maintain web sites and application security

- Obtain up-to-date security updates
- Enable server security logs
- Enable web server application logs
- Review security policies, processes and procedures

Reading

- Microsoft: Improving Web Application Security: Threats and Countermeasures
  - Chapter 1 “Web Application Security Fundamentals”
  - Chapter 4 “Design Guidelines for Secure Web Applications” is good but a bit too advanced for most students

Problem in e-Commerce

The transaction is done online. The customer and the company cannot see each other. How can they trust each other? Who are you? Can I trust you? What if I cannot receive my goods? What if I cannot receive the payment?

Certificate Authority

Now the CA comes in. It gives a digital identity to every party concerned. It verifies that the company is okay to do business with, and that the customer is also okay.

This is done not by the government but by commercial organizations.

PKI is used as the technology to provide the digital identification

What is PKI

The set of hardware, software, people and procedures needed to create, store, distribute and revoke keys/certificates based on public key cryptography.

PKI infrastructure and software development

PKI uses public key cryptography for authentication and access control of a user, for guaranteeing the integrity and non-repudiation of documents signed by the user, and for the confidentiality of data.

PKI infrastructure and software development

- Certificate Authority
- Registration Authority
- Certificate
  - Name
  - Issuing CA
  - Expiration date
  - Public key
- Certificate Revocation List

X.509 Certificate structure

PKI

PKI employs a pair of keys for each user: a private key which is known only to the user himself, and a public key which is published by some authority, in the form of a digital certificate (certificate for short).

PKI

In signing a document or an e-mail, a user signs using his own private key, so that others can use the signer's public key to verify the authenticity and non-repudiation of the document or e-mail. Since only the user has his own private key to sign with, non-repudiation is established.

PKI

The use of PKI saves the trouble of maintaining and distributing the same encryption/decryption key between the sender and the receiver

Authentication using certificates

Secure online payment

- Credit card payment
- Secure Socket Layer
- Secure Electronic Transaction (SET)
- PayPal
- E-purse

Credit Card

- Invented in the 1950s
- Only became profitable after 20 years, when the customers reached a critical mass

Credit Card Payment

This is the usual payment method used in eCommerce

- 4 parties are involved: Cardholder (payer), Merchant (payee), Issuing Bank, Acquiring Bank
- Measures to stop fraud:
  - Hot card lists
  - Merchant floor limits – authorization required when a certain amount is exceeded
  - Expiry date used as password
  - Delivered to cardholder’s address
  - Card verification value (MAC)
  - Intrusion detection (anomaly detection)

SSL: Secure Socket Layer

Developed by Netscape to secure HTTP sessions

Provides:
- Data encryption
- Server authentication
- Message integrity
- Optional client authentication

NOT a payment system in itself

SSL: Secure Socket Layer

- Authentication of the server by use of a digital certificate
- Uses public key technology to exchange a (symmetric) session key between server and client, used only for that session
- After the buyer sends information through the secure channel, the merchant processes the transaction in the usual manner

SSL

1. Client to Server: name C, transaction serial no. C#, nonce Nc
2. Server to Client: name S, transaction serial no. S#, nonce Ns, public key KS
3. Client to Server: pre-master secret key Ko encrypted by KS: {Ko}KS
4. Client to Server: finished message, MAC for all messages to date: {finished, MAC(k1, everything_to_date)}Kcs
   Server: compute k1 = h(Ko, Nc, Ns)
5. Server to Client: {finished, MAC(k1, everything_to_date)}Ksc, {data}Ksc
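The exchange above, simulated end to end as an added example (not code from the original slides): a toy RSA key pair stands in for KS, k1 = h(Ko, Nc, Ns) is SHA-256, MAC is HMAC-SHA256, and the Kcs/Ksc wrapping of the finished message is left out. The `attacker_alters_serial` flag is an assumption of this example: it shows why the MAC covers everything to date, since a change to a non-key field in transit still makes the two sides' transcripts disagree.

```python
import hashlib
import hmac
import os

# Toy RSA key pair standing in for the server's public key KS. Constructed for
# illustration only: primes this small are insecure; real servers use 2048-bit keys or larger.
P, Q = 2147483647, 2305843009213693951
N, E = P * Q, 65537                          # public key KS = (N, E), sent in message 2
D = pow(E, -1, (P - 1) * (Q - 1))            # private exponent, known only to the server


def h(ko: bytes, nc: bytes, ns: bytes) -> bytes:
    """k1 = h(Ko, Nc, Ns): session key derived from the pre-master secret and both nonces."""
    return hashlib.sha256(ko + nc + ns).digest()


def mac(k1: bytes, everything_to_date: bytes) -> bytes:
    """MAC(k1, everything_to_date) over the concatenation of all handshake messages so far."""
    return hmac.new(k1, everything_to_date, hashlib.sha256).digest()


def handshake(attacker_alters_serial: bool = False) -> bool:
    """Run the exchange from the slide; return True if the server accepts the client's finished.

    With attacker_alters_serial=True an in-path attacker changes S# in message 2 on its way
    to the client. Ko, Nc and Ns are untouched, so both sides derive the same k1, but their
    views of everything_to_date differ and the finished MAC exposes the change.
    """
    nc, ns, ko = os.urandom(16), os.urandom(16), os.urandom(8)   # Nc, Ns, Ko
    # 1. Client -> Server: name C, transaction serial no. C#, nonce Nc
    m1 = b"C|C#=1|" + nc
    # 2. Server -> Client: name S, transaction serial no. S#, nonce Ns, public key KS
    m2_sent = b"S|S#=7|" + ns + N.to_bytes(12, "big")
    m2_received = m2_sent.replace(b"S#=7", b"S#=8") if attacker_alters_serial else m2_sent
    # 3. Client -> Server: {Ko}KS, the pre-master secret encrypted under KS
    m3 = pow(int.from_bytes(ko, "big"), E, N).to_bytes(12, "big")
    # 4. Client -> Server: finished, MAC(k1, everything_to_date)
    client_finished = mac(h(ko, nc, ns), m1 + m2_received + m3)
    # Server: recover Ko with the private key, compute k1 = h(Ko, Nc, Ns), check the MAC
    ko_server = pow(int.from_bytes(m3, "big"), D, N).to_bytes(8, "big")
    k1_server = h(ko_server, nc, ns)
    return hmac.compare_digest(mac(k1_server, m1 + m2_sent + m3), client_finished)
```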

Secure Electronic Transaction

A joint effort of VISA and MasterCard to develop a more secure Internet payment system in 1997 (the credit card no. is not kept by the merchant)

SET makes use of public key technology, and each participant is assigned a public key/private key pair

Secure Electronic Transaction

- Legal entity formed by MasterCard, Visa, American Express and JCB in 12/97
- A protocol designed for electronic payment with credit cards
- Key idea:
  - Merchant does not need to know payment details
  - Bank does not need to know order details

SET

1. Client to Server: C, Nc, CC (certificate of client)
2. Server to Client: S, S#, CS (merchant certificate), CB (bank certificate)
3. Client to Server: {Order}KS, {Payment}KB, SigKC{h(Order), h(Payment)}
4. Server to Bank: {Summary}KB, {Payment}KB
5. Bank to Server: SigKS{Auth_response}
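The signature in step 3 is what lets the merchant and the bank each check their own half without seeing the other's, as the "Key idea" slide states. The following is an added example, not code from the original slides: a toy RSA pair stands in for the cardholder's key KC, h is SHA-256, and the {Order}KS / {Payment}KB envelope encryption is not modelled. The sample order and payment strings are constructed.

```python
import hashlib

# Toy RSA key pair standing in for the cardholder's signing key KC (certified by CC).
# Constructed for illustration only: primes this small are insecure.
P, Q = 2147483647, 2305843009213693951
N, E = P * Q, 65537                          # public half, taken from the client's certificate
D = pow(E, -1, (P - 1) * (Q - 1))            # private half, held by the cardholder only


def h(data: bytes) -> bytes:
    """Hash used for h(Order) and h(Payment)."""
    return hashlib.sha256(data).digest()


def _to_int(digest: bytes) -> int:
    # The toy modulus is about 92 bits, so only the first 11 bytes of the hash are signed.
    return int.from_bytes(digest[:11], "big")


def dual_signature(order: bytes, payment: bytes) -> int:
    """SigKC{h(Order), h(Payment)}: one signature that binds order and payment together."""
    return pow(_to_int(h(h(order) + h(payment))), D, N)


def merchant_verifies(order: bytes, payment_hash: bytes, sig: int) -> bool:
    """The merchant sees Order in the clear but only h(Payment); it can still check the link."""
    return pow(sig, E, N) == _to_int(h(h(order) + payment_hash))


def bank_verifies(order_hash: bytes, payment: bytes, sig: int) -> bool:
    """The bank sees Payment but only h(Order), and checks the same signature."""
    return pow(sig, E, N) == _to_int(h(order_hash + h(payment)))


# Constructed sample messages (the card number is a placeholder, not real data)
ORDER = b"merchant=S; item=textbook; qty=1; total=350"
PAYMENT = b"card=PLACEHOLDER-PAN; expiry=PLACEHOLDER; total=350"
OTHER_ORDER = b"merchant=S; item=laptop; qty=1; total=9500"


def run_set() -> tuple:
    """Return (merchant accepts, bank accepts, merchant accepts a swapped order)."""
    sig = dual_signature(ORDER, PAYMENT)
    ok_merchant = merchant_verifies(ORDER, h(PAYMENT), sig)
    ok_bank = bank_verifies(h(ORDER), PAYMENT, sig)
    # A different order presented with the same payment hash and signature must be rejected
    swapped = merchant_verifies(OTHER_ORDER, h(PAYMENT), sig)
    return ok_merchant, ok_bank, swapped
```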

SET

Disgrace of SET

- Nothing for the credit card holders
- Huge cost in building PKI
- Benefits less than expected

EDI

- Electronic Data Interchange
- Used for B2B transactions
- Built on Value-Added Networks
- International and national message standards
- Expensive

EDI transactions

EDI, or Electronic Data Interchange, provides trading partners with an efficient business tool for the automatic transmission of commercial data from one computer system directly to another.

Through the use of EDI message standards such as X.12, UN/EDIFACT, or EANCOM, data may be communicated quickly, efficiently and accurately irrespective of the users' internal hardware and software equipment.

EDI in Hong Kong

- TRAXON for air cargo
- CargoNet for shipping
- EZ*TRADE for retail, manufacturing and trading
- Tradelink for the HK Government, chiefly for the Customs Department

EDI Infrastructure

VAN (Value-Added Networks) / VPN (Virtual Private Networks)

i-EDI (Web Based EDI Systems)

EDI example: SWIFT

RGP = Regional General Processor

PayPal

- Virtual bank on the Internet
- Caters for small merchants that cannot open an account with a bank
- Provides other services such as a shopping cart
- Problem of jurisdiction

E-purse

- Pre-paid debit cards that can work offline
- Not many business successes

Mondex Most successful case

Octopus Pre-paid phone cards

The Internet Payment Processing System

- Acquiring bank
- Credit card association
- Customer issuing bank
- Internet merchant accounts
- Payment gateway
- Processor

Parties to Internet transaction

- Customer
- Merchant
- Issuing Bank
- Merchant’s Acquiring Bank
- Payment Gateway
- Processor

The transaction process (figure; labels: credit card no., transaction info, request for payment, authorization, OK)

Transaction initiation

1. Customer decides to make a purchase on the merchant’s web site, proceeds to check out and inputs credit card information
2. Merchant’s web site receives the customer information and sends the transaction information to the Payment Gateway
3. Payment Gateway routes the information to the Processor

Payment authorization

4. Processor sends the information to the Merchant’s Acquiring Bank
5. Acquiring Bank sends the transaction information to the cardholder’s Issuing Bank
6. Issuing Bank sends the transaction result (authorization or decline) to the Acquiring Bank
7. Acquiring Bank sends the transaction result to the Processor
8. Processor routes the information to the Payment Gateway
9. Payment Gateway passes the result to the Merchant
10. Merchant accepts and ships the goods, or rejects the transaction

The payment process (figure; labels: request for payment, credit merchant A/C, debit consumer A/C)

Payment settlement

1. Merchant requests the Payment Gateway to settle a payment
2. Payment Gateway sends all transactions to be settled to the Processor
3. Processor sends the settlement payment details to the customer’s credit card Issuing Bank and to the Merchant’s Acquiring Bank
4. Issuing Bank includes the Merchant’s charge on the customer’s credit card statement, while the Acquiring Bank credits the Merchant’s account

Payment Processing

PCI DSS

Payment Card Industry Data Security Standard

It was developed by the PCI Security Standards Council, whose members include American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International.

PCI DSS

It is a security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

This is intended to help organizations proactively protect customer account data.

Requirements

Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes

Maintain an Information Security Policy
- Maintain a policy that addresses information security

Reading

Refer to the Verisign Online Payment Processing Guide
