Security: Refer Chapter-10 From Gary P. Schneider


Security

Refer Chapter 10 from Gary P. Schneider
Topics to Be covered
• Introduction
• Security Issues
• Security for Client
• Communication channels
Online Security Issues
• Computer security
• Physical security
• Logical security
• Threat
Computer Security
• It is the protection of assets from unauthorized
access, use, alteration or destruction.
• Security: Physical security, logical security and threat.
• Early days: e-mail use.
• Today: the Internet and the Web, for shopping and transactions.
• 50 years ago, security was accomplished by using
physical controls over access to computers.
• Eg. Alarmed doors and windows, guards, security
badges to admit people to sensitive areas,
surveillance cameras
Computer Security and Risk Management
• Managing Risk
- Countermeasure: a procedure, either physical or
logical, that recognizes, reduces or eliminates a threat.

Risk Management Model


Computer Security and Risk Management

- Eavesdropper: a person or device that can
listen in on and copy Internet transmissions.
- Crackers or hackers: people who write
programs or manipulate technologies to
obtain unauthorized access to computers and
networks.
Elements of Computer Security (denial of
service)
• Secrecy
- Protecting against unauthorized data disclosure and
ensuring the authenticity of a data source. Eg. Stolen
credit card numbers.
• Integrity
- Refers to preventing unauthorized data modification.
Eg. E-mail message, (man-in-the-middle exploit)
• Necessity
- Refers to preventing data delays or denials (removal).
Security Policy and Integrated Security
• A security policy is a written statement describing:
- Which assets to protect and why they are being
protected
- Who is responsible for that protection
- Which behaviors are acceptable and which are not.
- It primarily addresses physical security, network
security, access authorizations, virus protection and
disaster recovery.
- Good examples: WindowSecurity.com, Information
Security Policy World.
• Specific elements of a security policy address the following points:
A five step process:

• Determine which assets to protect from which threats.
• Determine who should have access to various parts of the system or
specific information assets.
• Identify resources available or needed to protect the information
assets while ensuring access by those who need it.
• Using the information gathered in the first three steps, the
organization develops a written security policy.
• Following the written policy, the organization commits resources to
building or buying software, hardware, and physical barriers that
implement the security policy.
Requirements for secure commerce
Security for Client Computers
• Cookies:
- Allow Web servers to maintain open
sessions with Web clients.
- Were invented to solve the stateless
connection problem by saving information
about a Web user from one set of server–client
message exchanges to another.
User sends a request for page at www.example.com for the first time.

Server sends back the page xhtml to the browser AND stores some data
in a cookie on the user’s PC.
At the next page request for domain www.example.com, all
cookie data associated with this domain is sent too.
Cookies Categories:
1) Time duration:
• Session cookies: which exist until the Web client ends the
connection
• Persistent cookies: which remain on the client computer
indefinitely

2) Source:
• Cookies can be placed on the client computer by the Web
server site, in which case they are called first-party cookies, or
they can be placed by a different Web site, in which case they
are called third-party cookies
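The two category axes above can be read directly off a Set-Cookie response header. The following is an added example, not part of the original slides; the function name, the sample hosts and the simple host-matching rule are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

def classify_cookies(page_host, setting_host, set_cookie_header):
    """Classify every cookie in one Set-Cookie header value.

    page_host    -- host of the page the user is visiting
    setting_host -- host of the server whose response carried the header
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    # Simplification (assumption): hosts count as the same site if they are
    # equal or one is a subdomain of the other. Browsers compare the
    # registrable domain instead.
    same_site = (page_host == setting_host
                 or setting_host.endswith("." + page_host)
                 or page_host.endswith("." + setting_host))
    results = {}
    for name, morsel in jar.items():
        # A cookie with no Expires and no Max-Age dies with the session.
        persistent = bool(morsel["expires"] or morsel["max-age"])
        results[name] = {
            "duration": "persistent" if persistent else "session",
            "source": "first-party" if same_site else "third-party",
        }
    return results

# Constructed sample responses seen while loading www.example.com.
SAMPLES = [
    ("www.example.com", "www.example.com",
     "sid=8f3a; Path=/; HttpOnly"),
    ("www.example.com", "www.example.com",
     "lang=en; Max-Age=31536000; Path=/"),
    ("www.example.com", "ads.tracker.test",
     "uid=42; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/"),
]

def report():
    """Classify all sample cookies and merge the results by cookie name."""
    merged = {}
    for page, setter, header in SAMPLES:
        merged.update(classify_cookies(page, setter, header))
    return merged

if __name__ == "__main__":
    for name, info in report().items():
        print(name, info)
```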
THREAT BY COOKIES
• A cookie itself cannot harm the computer, as it
does not and cannot hold code. However, the
cookie can support (help) malicious actions to
be taken on the respective system.
• The cookie will only contain information that
you freely provide to a Web site.
• A malicious user could use stolen cookies
to impersonate the user or steal the user’s identity online.
Avoid This Threat
• The most complete way for Web site visitors to
protect themselves from revealing private
information or being tracked by cookies is to disable
cookies entirely.
• Most Web browsers have settings that allow the
user to refuse only third-party cookies or to review
each cookie before it is accepted. Eg: Browsers such
as Google Chrome, Microsoft Internet Explorer,
Mozilla Firefox, and Opera provide cookie
management functions.
Digital Certificates:
• A digital certificate or digital ID is an
attachment to an e-mail message or a
program embedded in a Web page that
verifies that the sender or Web site is who or
what it claims to be
• It is issued by a Certification Authority (CA),
and serves the same purpose as a driver’s
license or a passport
A DIGITAL CERTIFICATE INCLUDES SIX MAIN
ELEMENTS:
• Certificate owner’s identifying information,
such as name, organization, address etc
• Certificate owner’s public encryption key
• Dates between which the certificate is valid
• Serial number of the certificate
• Name of the certificate issuer
• Digital signature of the certificate issuer
Process of obtaining a Certificate
1. Subscriber (sender) generates a public/private key pair. Applies
to CA for digital certificate with the public key.
2. CA verifies subscriber's identity and issues digital certificate
containing the public key.
3. CA publishes certificate to public, on-line repository.
4. Subscriber signs message with private key and sends message
to second party.
5. Receiving party verifies digital signature with sender's public
key and requests verification of sender's digital certificate from
CA's public repository.
6. Repository reports status of subscriber's certificate.
Main Uses:
• Proving the Identity of the sender of a transaction
• Nonrepudiation: the owner of the certificate
cannot deny partaking in the transaction
• Encryption and checking the integrity of data -
provide the receiver with the means to encode a
reply.
• Single Sign-On - It can be used to validate a user and
log them into various computer systems without
having to use a different password for each system
Steganography
• It describes the process of hiding information
within another piece of information.
Physical Security for clients
• A biometric security device: one that uses an
element of a person’s biological makeup to
perform the identification.
Communication Channel Security
• Provide multiple alternative paths
• A message travelling on the Internet is subject to:
- Secrecy threats
- Integrity threats
- Necessity threats
Secrecy Threats
• Secrecy: prevention of unauthorized information disclosure.
• Privacy: protection of individual rights to nondisclosure. It
covers business and legal issues. Eg. E-Mail
• Sniffer programs: provide the means to record information that
passes through a computer or router that is handling
Internet traffic.
• Backdoors (electronic holes): an element of a program that
allows users to run the program without any authentication
process.
• Data exposure is a security breach: type of browser being
used and IP address.
Integrity Threats
• Also known as active wiretapping
• Integrity violation examples: unprotected banking
transactions, cybervandalism (electronic defacing:
someone replaces a website’s regular content with
his/her own content)
• Masquerading or spoofing: pretending to be someone
you are not. Eg. DNS.
• Victims of spoofing include Amazon.com and eBay
• Phishing expeditions combine spam with spoofing,
such as PayPal.
Necessity Threats
• Occurs as a delay or denial commonly called
denial-of-service (DoS) attacks
• Example: the Internet worm attack of 1998, which
disabled thousands of computer systems that
were connected to the Internet.
Threats to Wireless Networks
• Security of connection depends on Wireless
Encryption Protocol (WEP) i.e. Set of rules for
encrypting transmissions from wireless device
to WAP.
• Wireless Access Points (WAP): technical
standard for accessing information over mobile
wireless networks
• Attackers called wardrivers practice
warchalking
ENCRYPTION
• Encryption is the coding of information by using a
mathematically based program and a secret key to produce a
string of characters that is unintelligible.
• The science that studies encryption is called Cryptography, i.e.
Secret writing.
• Resistance of an encrypted message to attack attempts
depends on the size (in bits) of the key.
• Encryption is subdivided into three functions:
1. Hash code
2. Asymmetric encryption
3. Symmetric encryption
Hash Coding
• Calculates a numeric hash value from a
message
• Unique
• Message Integrity: Check original hash value
and the hash value computed by the receiver
Asymmetric Encryption/ public key
encryption
• Using two different mathematically related
numeric keys.
• RSA Public Key Cryptosystem
• A public key is freely distributed
• A private key—belongs to the key owner, and
is secret.
• Sender encrypts using receiver’s public key
• Receiver decrypts using its own private key
Pretty Good Privacy (PGP)
• A set of software tools that can use several
different encryption algorithms to perform
public-key encryption
• Individuals can use PGP to encrypt their e-mail
messages to protect them from being read if
they are intercepted on the Internet
Symmetric Encryption/ Private Key
encryption
• Uses a single numeric key to encode and
decode data
• Fast and efficient
• If the key is made public, then all messages
sent previously using that key become
vulnerable
Data Encryption Standard (DES)
• Private-key encryption system
• Size of DES private keys must be increased
regularly because researchers use increasingly
fast computers to break them
• Triple DES (3DES): a stronger version
• Advanced Encryption Standard (AES) uses
longer bit lengths to increase the difficulty of
cracking its keys
ASYMMETRIC SYSTEMS-ADVANTAGES

• Small combination of keys required
• Key distribution is simple
• Implementation of digital signatures
ASYMMETRIC SYSTEMS-DISADVANTAGES

• Slower
• Public-key systems are used to transmit
private keys
DIGITAL SIGNATURES
• Ensures transaction integrity
• Message digest: a hash function computes a message’s
hash value
• That value is appended to the message
• Hash algorithm is public, may lead to spoofing
Solution:
• Sender encrypts the message digest using private key
• Encrypted message digest (message hash value) is
called a digital signature
• Authenticity: only the owner of the
public/private key pair could have encrypted
the message digest
• Nonrepudiation: only the sender’s private key
would yield an encrypted message that could
be decrypted successfully by an associated
public key
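Why an appended hash alone can be spoofed, and why encrypting the digest with the private key closes that gap, is shown below. This is an added example, not part of the original slides; it uses textbook RSA without padding on a toy key built from two Mersenne primes, which is an assumption for illustration only and not secure for real use. All names are hypothetical.

```python
import hashlib

# Toy textbook-RSA key (assumption for this demo: no padding, special-form
# primes, NOT suitable for real use).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, kept by sender

def digest(message: bytes) -> int:
    """Message digest as an integer (SHA-256, a public algorithm)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """Sender: encrypt the digest with the private key."""
    return pow(digest(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Receiver: decrypt with the public key and compare digests."""
    return pow(signature, E, N) == digest(message)

def bare_hash_ok(message: bytes, appended: int) -> bool:
    """Receiver check when only an unprotected hash is appended."""
    return digest(message) == appended

def demo():
    original = b"Pay 100 to account 1111"   # constructed sample message
    tampered = b"Pay 900 to account 6666"   # altered in transit
    signature = sign(original)
    return {
        # Hash only: whoever alters the message can recompute the hash,
        # so the receiver's check still passes.
        "hash_accepts_tampered": bare_hash_ok(tampered, digest(tampered)),
        # Signature: without D the old signature must be reused, and it
        # no longer matches the digest of the altered message.
        "sig_accepts_original": verify(original, signature),
        "sig_accepts_tampered": verify(tampered, signature),
    }

if __name__ == "__main__":
    print(demo())
```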
SECURITY FOR SERVER COMPUTERS
• The server is the third link in the client–Internet–server electronic
commerce path between the user and a Web server
• Servers have vulnerabilities that can be exploited by anyone
determined to cause destruction or acquire information illegally
• One entry point for the attacker is the Web server and its software.
• Other entry points include back-end programs containing data,
such as a database and the server on which it runs
WEB SERVER THREATS
• Web server software is designed to deliver Web pages by
responding to HTTP requests.
• A Web server can compromise secrecy if it allows
automatic directory listings.
• Another source of threat to the Web server arises if the attacker
obtains the most sensitive file on a Web server, the one that
holds Web server username–password pairs
• Another Web server threat is the passwords that users
select, which, once broken (e.g. by a dictionary attack), may
provide an opening for entry into a server that can remain
undetected for a long time.
DATABASE THREATS
• Electronic commerce systems store user data and retrieve
product information from databases connected to the Web
server
• Most database management systems include security
features that rely on usernames and passwords
• However, some databases either store username/password
pairs in an unencrypted table, or they fail to enforce
security at all and rely on the Web server to enforce
security
• Eg: Trojan horse programs in database system change the
access controls.
OTHER THREATS
• Web server threats can arise from programs executed
by the server. Java or C++ programs that are passed
to Web servers by a client, or that reside on a server,
frequently make use of a buffer.
• Programs may overfill the buffer, spilling the excess data
outside the designated buffer memory area, which leads
to a buffer overflow error. E.g. Internet worm of 1988,
mail bomb
• Web servers should be protected from physical harm as
they are repositories of important data for businesses.
ACCESS CONTROL AND AUTHENTICATION

• Access control and authentication refers to
controlling who and what has access to the Web
server.
• The server can authenticate a user in several
ways:
1. Digital signature: timestamp, callback system
2. Usernames and passwords: one-way encryption
algorithm.
3. Access control list (ACL)
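Items 2 and 3 combine naturally: the password table holds only one-way values, and the ACL is consulted after authentication succeeds. This is an added example, not part of the original slides; the choice of PBKDF2, the work factor, the user names and the ACL layout are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this demo; tune per hardware

def one_way(password: str, salt: bytes) -> bytes:
    """One-way transform: the password cannot be read back from the result."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def enroll(table: dict, user: str, password: str) -> None:
    """Store a per-user random salt and the derived value, never the password."""
    salt = os.urandom(16)
    table[user] = (salt, one_way(password, salt))

def authenticate(table: dict, user: str, password: str) -> bool:
    """Recompute the one-way value from the login attempt and compare."""
    record = table.get(user)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(one_way(password, salt), stored)

def authorize(table, acl, user, password, resource, action) -> bool:
    """Authenticate first, then consult the access control list."""
    if not authenticate(table, user, password):
        return False
    return action in acl.get(resource, {}).get(user, set())

# Constructed sample data: two users who happen to pick the same password.
USERS = {}
enroll(USERS, "alice", "correct horse battery")
enroll(USERS, "bob", "correct horse battery")

# ACL layout (assumption): resource -> user -> set of permitted actions.
ACL = {"/orders": {"alice": {"read", "write"}, "bob": {"read"}}}

if __name__ == "__main__":
    # Same password, different salts: the stored values differ, so a stolen
    # table does not reveal which users share a password.
    print(USERS["alice"][1] != USERS["bob"][1])
    print(authorize(USERS, ACL, "bob", "correct horse battery", "/orders", "write"))
```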
FIREWALL
• A firewall is a device which filters traffic between the inside network and
the outside network.
• Types of firewalls:
1. Packet filter firewall: it examines all data flowing back and forth
between the trusted network and the Internet.
2. Gateway server firewall: it filters traffic based on the application requested.
3. Proxy server firewall: it communicates with the Internet on the private
network’s behalf.
4. Personal firewall
• Many organizations often install intrusion detection systems (IDS) as part
of their firewalls.
• IDS are designed to monitor activities such as attempts to log in to servers
and analyze those attempts for patterns that might indicate a cracker’s
attack is underway
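The kind of pattern analysis described in the last bullet can be as simple as counting failed logins per source inside a sliding time window. This is an added example, not part of the original slides; the log format, threshold and window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the format (time, source, account, result) is an
# assumption for this example, not the output of any particular product.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 admin FAIL
2024-05-01T10:00:05 198.51.100.4 carol FAIL
2024-05-01T10:00:09 203.0.113.7 admin FAIL
2024-05-01T10:00:15 203.0.113.7 admin FAIL
2024-05-01T10:00:20 198.51.100.4 carol OK
2024-05-01T10:00:22 203.0.113.7 admin FAIL
2024-05-01T10:00:30 203.0.113.7 admin FAIL
2024-05-01T10:03:00 198.51.100.4 carol FAIL
"""

def detect_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per source with >= threshold failures inside window."""
    recent = defaultdict(deque)   # source -> (time, account) of recent failures
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue              # skip malformed lines instead of crashing
        stamp, source, account, result = parts
        if result != "FAIL":
            continue
        now = datetime.fromisoformat(stamp)
        failures = recent[source]
        failures.append((now, account))
        while now - failures[0][0] > window:
            failures.popleft()    # drop failures that fell out of the window
        if len(failures) >= threshold and source not in alerted:
            alerted.add(source)
            alerts.append({
                "source": source,
                "time": stamp,
                "failures": len(failures),
                "accounts": sorted({a for _, a in failures}),
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```

The occasional mistyped password from 198.51.100.4 never reaches the threshold, while the burst against a single account does.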
SECURE SOCKETS LAYER (SSL) PROTOCOL
• The Secure Sockets Layer (SSL) system developed by Netscape
Communications is a protocol that provides secure information transfer
through the Internet via security “handshake” in which the client and server
computers exchange messages
• In these messages, the client and server agree on the level of security to be
used
• SSL encrypts and decrypts information flowing between the two computers
• Encrypted information includes the requested URL, any forms and HTTP
access authorization data, such as usernames and passwords
• The server’s public key is stored in the digital certificate that server sends to
the browser during the authentication step
• Once the key is encrypted, the browser sends it to the server, which in turn
decrypts the message with its private key and exposes the shared private key.
SSL
• In short, all communication between SSL enabled clients and
servers is encoded
• To implement secrecy, SSL uses public-key (asymmetric)
encryption and private-key (symmetric) encryption
• In SSL the browser generates a private key to share which is
then encrypted by the browser using the server’s public key
Communication between SSL client (SSL client)
and web server (SSL server)
1) The client sends a request message to the server, and the server sends a hello to
the client (browser); this is handshaking.
2) The client asks the server for its DC (digital certificate); in
response the server sends the certificate.
3) The client browser checks the details of the DC against the public key
stored in the browser. This authenticates the web server.
4) The browser responds by sending its client certificate and
encrypted private key; when the server receives this information it
initiates the session.
5) Once the secure session is established, communication starts.
How SSL Is Used in Today’s Modern E-commerce
• To secure online credit card transactions.
• To secure webmail and applications like outlook, office
communication server etc.
• To secure system logins.
• To secure workflow like cloud based computing platforms.
• To secure FTP sessions.
• To secure the connection between an email client such as
Microsoft Outlook and an email server.
• To secure intranet-based traffic.
• To secure network logins.
SET
• Secure Electronic Transaction is a system for ensuring the
security of financial transactions on the Internet via a set of
protocols and formats that allow users to securely use the
existing credit card payment infrastructure on the Internet
• It was supported initially by MasterCard, Visa, Microsoft,
Netscape, and others
• It aims at satisfying the following security requirements:

1. Confidentiality of information
2. Integrity of data
3. Cardholder account authentication
4. Merchant authentication
SET Network Architecture
[Figure: SET network architecture; parties shown: Seller, Buyer, Bank, Agent]
SET Transactions
SET Digital Certificate System
• The authentication system is based on X.509
digital certificate framework
• This allows merchants, cardholders and acquirers
to verify the identities of each other by
exchanging digital certificates.
ORGANISATIONS THAT PROMOTE COMPUTER
SECURITY
• Following the occurrence of the Internet Worm of
1988, a number of organizations were formed to
share information about threats to computer
systems
• These organizations are devoted to the principle that
sharing information about attacks and defences for
those attacks can help everyone create better
computer security
• Some of the organizations began at universities;
others were launched by government agencies
CERT
• Computer Emergency Response Team
• In 1988, a group of researchers met to study the Internet Worm attack
soon after it occurred
• They wanted to understand how worms worked and how to prevent
damage from future attacks of this type
• The organization is now operated as part of the federally funded
Software Engineering Institute at Carnegie Mellon
• Today, CERT responds to thousands of security incidents each year and
provides a wealth of information to help Internet users and companies to
become more knowledgeable about security risks
• CERT posts alerts to inform the Internet community about security
events, and it is regarded as a primary authoritative source for
information about viruses, worms, and other types of attacks
OTHER ORGANIZATIONS
• SANS (Systems Administrator, Audit, Network and Security) Institute includes
members who work in computer security consulting firms and information
technology departments of companies as Systems Administrator, Audit,
Network Security
• It operates the SANS Internet Storm Centre, a Web site that provides current
information on the location and intensity of computer attacks throughout the
world
• CERIAS Centre for Education and Research in Information Assurance and
Security is a centre for multidisciplinary research and education in information
security
• The Centre for Internet Security is a not-for-profit cooperative organization
that helps reduce technical failures or deliberate attacks on computer systems
• A British publication, Infosecurity.com, is available online and includes articles
about all types of online security issues
