
IMS5002 INFORMATION SYSTEMS SECURITY

SECURITY OVER THE INTERNET - The weak link!!

WEEK 7
http://www.cert.org/encyc_article/tocencyc.html

Lecturer: Sue Foster: Week 7 IMS5002

Date of final exam

• 14 June 2005 (Second week of exams)
• Morning session
• 2 hours
  – + 10 minutes reading time
• Closed book
• 50%
  – Read unit outline for mark requirements

Course Structure

• Week 1 – Security Governance
• Week 2 – Managing Security in the organisation
  – Risk Management
• Week 3 – Risk management
  – Breaches, threats, vulnerabilities
• Week 4 – IS security
  – access controls
• Week 5 – IS Security
  – Computer forensics
• Week 6 – The impact of e-commerce on the organisation
  – The role of e-security
• Week 7 – Security over the internet
  – The weak link
• Week 8 – Security as a critical business function
  – Designing a Secure System
  – Is this achievable?
• Week 9 – Risk Management Part 4
  – Security policies and procedures
• Week 10 – Business continuity plans
  – Disaster recovery
• Week 11 – Security standards, Privacy and law
• Week 12 – Current issues and future trends
• Week 13 – Revision and exam preparation

Learning Objectives

• Describe the history of the internet
• Understand the need for security when using the internet for e-commerce
• Describe the different types of protection that can be used over the internet
• Describe the importance of SSL

A Secure IS Framework

SECURE INFORMATION
• Confidentiality / PRIVACY
• DATA INTEGRITY
• NON-REPUDIATION
• AUTHENTICATION
• AVAILABILITY

From TruSecure / ICSA Labs, 29 August 2003, see our Security Spending section

A survey of 882 respondents determined that the MS Blaster worm:

• Remediation cost $475,000 per company (median average - including hard, soft and productivity costs), with companies reporting losses up to $4,228,000
• Entered company networks most often through infected laptops, then through VPNs, and finally through mis-configured firewalls or routers.

Located at: http://www.securitystats.com/


Current stories

• Reuters shuts down messaging system to fight Kelvir worm. Computerworld, April 15, 2005
• http://www.computerworld.com/securitytopics/security/holes/story/0,10801,101124,00.html?source=NLT_SEC&nid=101124
• Additional stories at the above site:
  – PHP falls down security hole
  – Firefox singed by eight security holes
  – Land Management agency shuts Web site over security fears
  – SP2 Blocking Tool Expires on Windows XP
• CERT Coordination Centre fights Loveletter virus (2000). Located at: http://www.cert.org/about/loveletter5-2000.html

History Of Internet

The basis for the Internet was an experiment begun in 1968 by the Defence Department's Information Processing Techniques Office (ARPA/IPTO). Project funded by the Advanced Research Projects Agency (ARPA)

• Goal to:
  – connect computers over a network in order to ensure command and control communications in the event of a nuclear war.
  – Enable a network to function (communicate) even when other parts of the network were down
• The original network was known as the ARPAnet, and the project quickly became a "straight research project without a specific application [Lyn93:5]."
  – ARPAnet Protocols
    • Rules of syntax that enable computers to communicate on a network
    • Designed for openness and flexibility not security
• 1980s - the number of local area networks increased significantly and this stimulated rapid growth of interconnections to the ARPAnet and other networks.
  – These networks and interconnections are known today as the Internet [Til96:168].

1986 - Network International Security Incident

• Identified by Cliff Stoll
  – Lawrence Berkeley National Laboratory USA
• An accounting error in computer records of systems connected to the ARPAnet identified an international effort using the network to connect computers over the US and copy information from them
• Sites included: government, military and universities
• Stoll published his experience in 1989 in a book entitled The Cuckoo’s Egg

1988 – First Automated Security Incident – Morris Worm

Growth - 88,000 user computers
Primary means of communication among network security experts

• Robert Morris, a student at Cornell University, wrote a program that would connect to another computer, find and use one of several vulnerabilities to copy itself to that second computer and begin to run the copy of itself at the new location
• The original code and the copy would then repeat these actions in an infinite loop to other computers on the ARPAnet
• The Worm used so many system resources that the attacked computers could no longer function.
• 10% of US computers stopped at about the same time

Computer Emergency Response Team (CERT)

Background: The Morris worm prompted the Defence Advanced Research Projects Agency (DARPA), which replaced ARPA, to fund CERT (coordination centre) (1988) to give experts a central point for coordinating responses to network emergencies

Tech@Work: The surge in viruses
http://www.bigplanet.com/corp/company/industry_statistics.shtml
If there is one place taking an EKG of the Net, it is the CERT Coordination Center at Carnegie Mellon University in Pittsburgh. CERT was set up in 1988 after the release of the first Internet worm brought 10 percent of the still tiny Net's computers to a halt. Since then, the group has kept track of the steadily growing threats to the Internet. In 1990 it counted 252 unique attacks to the Net. By last year that figure had grown to 82,094. Huge, but getting larger. In the first half of 2003, CERT tracked a whopping 74,000 incidents. Source: Fortune, Sept. 29, 2003

CERT SURVEY


Security problems on the rise
http://www.bigplanet.com/corp/company/industry_statistics.shtml

• A hacker attacked and downloaded 70,000 bank account numbers from an Australian bank’s web site
• Another web site had 10,000 credit card numbers stolen (Computerworld, August 26, 2002)
• ID theft shot up 79 percent last year from 2002, affecting 3.4 percent of U.S. consumers, according to Gartner, a business research and consulting firm.
  – One reason it's growing is that such thieves face only a 1-in-700 chance of getting caught.
  – ID thefts directly cost U.S. businesses $1.2 billion in 2003, Gartner estimates. Source: Associated Press, October 7, 2004
• Nearly 2 million Americans have had their checking accounts raided by criminals in the past 12 months, according to a soon-to-be released survey by market research group Gartner.
  – Consumers reported an average loss per incident of $1,200, pushing total losses higher than $2 billion for the year. Source: MSNBC, June 14, 2004

Internet Vulnerabilities

• A vulnerability is a weakness in the system caused by:

1. Flaws in software or protocol design:
   – Not identified before release
   – Speed to market = software not tested properly
   – Price cutting – competition
   – Software designed as easy to use off the shelf, cheap = insecure configuration
   – Attackers may infiltrate software before released on the market – Trojan Horse/virus/worm

2. Weaknesses in how protocols and software are implemented

3. Weaknesses in system and network configurations – set up and used

Vulnerability Exploit Cycle

Reference: CERT/CC Overview Incident and vulnerability trends, located at: http://www.cert.org/present/cert-overview-trends/module-2.pdf

Why Is The Internet Vulnerable?

• Many early network protocols that now form part of the internet infrastructure were designed without security in mind
  – Network defence is made difficult
  – A dynamic environment
  – an open environment
• Much of the traffic not encrypted
  – Confidentiality and integrity compromised
  – Authentication and non-repudiation
    • (efraud)
    • Identity theft

Possible effects of an attack

• denial-of-service
• unauthorized use or misuse of computing systems
• loss/alteration/compromise of data or software
• monetary/financial loss
• loss of trust in computer/network system
• loss of public confidence

Incident Trends (1)

• Intruders
  – demonstrate increased technical knowledge
  – share knowledge with others
  – are prepared and organized
  – Develop new ways to exploit system vulnerabilities
  – Create software tools to automate attacks
• intruder tools are increasingly sophisticated
  – easy to use, especially by novice intruders
  – designed to support large-scale attacks
  – Speed of automated attack tools
• Time to detect vulnerability and patch

REASONS
• Internet attacks are easy, low risk, and hard to trace
• Internet explosion and use of e-commerce capabilities
  – thousands of exploitable vulnerabilities in technology
• lack of awareness regarding information security


Incident trends (2)

• system and network administrators not prepared
  – insufficient resources
  – lack of training
• critical infrastructures increasingly rely upon the Internet for operations
• intruders are leveraging the availability of broadband connections
• vulnerable home users' computers
  – collections of compromised home computers are good weapons

Reference: Cert/CC Incident and Vulnerability trends (2003) located at http://www.cert.org/present/cert-overview-trends/module-2.pdf

Complexity of Administration

Reference: Cert/CC Incident and Vulnerability trends (2003) located at http://www.cert.org/present/cert-overview-trends/module-2.pdf

Securing data over the web

The web was never designed to be a secure system. Hence a number of cryptosystems work to secure Web browsers, especially at electronic commerce sites:

• PKI
• DIGITAL CERTIFICATES
• SSL (Secure Sockets Layer)
• SET (Secure Electronic Transmission)
• PGP (Pretty good privacy)
• VPNs (Virtual Private networks)

PKI

• Entire set of hardware, software and cryptosystems necessary to implement Public Key encryption
• PKI is based on:
  – PKC and
  – includes digital certificates and CAs (certificate authorities)
• Common use of PKI:
  – Systems to issue digital certificates to users and servers
  – Encryption enrolment
  – Key issuing systems
  – Tools for managing the key issuance
  – Verification and return of certificates

Public Key Cryptosystem (PKCs)

To conceal a message in transit so that only the desired recipient may read it, the cleartext is encrypted (coding a message in a way that it becomes unreadable) using the recipient’s public key.

• Use pairs of related keys generated together
• The ciphertext (the encrypted (unreadable) message) produced by one key can be decrypted (making an encrypted message readable) only with the other member of the same key pair
• One of these keys is kept secret (the private key) and the other is published for all to use (the public key)


Coding Technique

• Data encryption or cryptography safeguards the security of transmitted information
• Each character of data sent is replaced with other coded characters
• The substitution algorithm is determined by the sender according to a selected key

Integrity And Authenticity

• PKC depends on the integrity of each public key and of that public key’s binding to a specific entity, such as a person, an institution or a network component
• Without mechanisms for ensuring integrity and authenticity, a relying party is vulnerable to masquerading attacks through public key substitution

Randomness Of Numbers

• Computers generate PSEUDORANDOM numbers
• For a string of bits to be random, it must be computationally infeasible to predict what the Nth random bit will be
• The challenge is to build random number generators that will not repeat sequences of bits PREDICTABLY often

Digital Certificates

• An electronic document
  – Similar to a digital signature
• Attaches to a file certifying that the file is from the organisation it claims to be from
  – That is: It has not been modified from the original

PUBLIC KEY MANAGEMENT
CERTIFICATION AUTHORITIES
Agency that manages the issuance of certificates and serves as the electronic notary public to verify their worth and integrity
  – A popup window via the internet may show that the downloaded files come from the purported agency

PKI - DCs Protect Information assets

Digital Certificates protect:

• AUTHENTICATION: Digital Certificates (DCs) permit users to validate the identity of each of the parties in a transaction
• INTEGRITY: DC demonstrates content not altered while being transferred
• CONFIDENTIALITY / PRIVACY: DCs keep data from being intercepted during transmission
• AUTHORISATION: DCs can replace user IDs and passwords
• NONREPUDIATION: DCs can validate actions

Whitman & Mattord, 2003

Gatekeeper® Strategy

• The Government’s Gatekeeper® Strategy is a strategy for the use of Public Key Infrastructures (PKIs) in government.
• PKI is a technology and trust framework which involves the use of digital signature certificates for assuring the identity of certificate holders and the integrity of the online messages they exchange.
• Gatekeeper® is designed to facilitate government online service delivery


PKI, Able to Reassure Customer and Supplier

Diagram labels: CLIENT, SUPPLIER, Purchase order

• AUTHENTICATION
• Public Key Management
  – Public key distribution centre (certification authority)
• PKI mechanism to authenticate ownership (Public and private keys unlock the message)
• Encrypts message
• Decrypts message
• Client uses private key and supplier's public key
• Supplier uses own private key and client's public key

Benefits of PKI

• Authentication of the parties in a transaction
  – Positive identification of the two parties – verifying their identities
• encrypting the details of the transaction
• guarding against hackers
• offering a legal record of the e-business transactions.
• Consistent interface for administering systems that use PKI
• Provides the basis for trust

Risks of PKI:

• Private keys are maintained by certification authorities, which are trusted to maintain their privacy.
• If these certification authorities themselves are insecure, the confidentiality of the private keys they maintain is at risk.
• Anyone who knows an individual’s private key could act as an imposter.

Risks Cont/d

• Contingency plans must be made for loss of private keys or disruption of service on PKI servers.
• Many organizations lack internal expertise.
• Laws on digital signature vary by country. This is especially important for multinational enterprises.

TRUST MANAGEMENT

HOW CAN I BE SURE THE PUBLIC KEY I AM USING REALLY BELONGS TO THE INTENDED RECIPIENT??


Man In The Middle Attack

A POSSIBLE SCENARIO:
• A third party (attacker) introduces its public key to the sender who is fooled into believing that it is the public key of recipient and vice versa
• CERTIFICATE AUTHORITY (CA)
  – SOLVES THIS PROBLEM


CA

• CA digitally signs a certificate that belongs to the sender and another certificate that belongs to the recipient
• The certificate includes:
  – Name and public key of its owner
• Integrity checked through using CA's public key
• PROBLEM: sender and receiver must belong to the same CA
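The public key substitution from the "Man In The Middle Attack" slide and the CA-signed name/key binding from the "CA" slide, as an added example that is not part of the original lecture. It uses toy textbook RSA over small constructed primes with no padding; the names `supplier`, `ORDER` and all helper functions are assumptions made for illustration, and both parties trust the same CA, as the slide requires.

```python
# Added example (not from the lecture): toy textbook RSA with small constructed
# Mersenne primes and no padding. For illustration only, never for real use.
import hashlib

E = 65537  # public exponent shared by all toy keys


def make_keypair(p, q):
    """Return ((n, e), (n, d)) for two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def binding_digest(name, public_key, modulus):
    """Hash the name-to-key binding and reduce it into the signer's modulus."""
    n, e = public_key
    h = hashlib.sha256(f"{name}|{n}|{e}".encode()).digest()
    return int.from_bytes(h, "big") % modulus


def issue_certificate(signer_private, name, public_key):
    """The signer (normally the CA) signs the binding between name and key."""
    s_n, s_d = signer_private
    sig = pow(binding_digest(name, public_key, s_n), s_d, s_n)
    return {"name": name, "public_key": public_key, "signature": sig}


def verify_certificate(ca_public, cert, expected_name):
    """Relying party's check; it needs only the CA's public key."""
    ca_n, ca_e = ca_public
    if cert["name"] != expected_name:
        return False
    expected = binding_digest(cert["name"], cert["public_key"], ca_n)
    return pow(cert["signature"], ca_e, ca_n) == expected


def encrypt(message, public_key):
    n, e = public_key
    return pow(message, e, n)


def decrypt(ciphertext, private_key):
    n, d = private_key
    return pow(ciphertext, d, n)


# Constructed keys: the CA, the supplier (intended recipient) and a third party.
CA_PUB, CA_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
SUPPLIER_PUB, SUPPLIER_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
ATTACKER_PUB, ATTACKER_PRIV = make_keypair(2**19 - 1, 2**31 - 1)

ORDER = 4711  # constructed purchase-order number used as the message


def send_without_ca(offered_key):
    """Client trusts whatever key it is handed: substitution goes unnoticed."""
    return encrypt(ORDER, offered_key)


def send_with_ca(offered_cert):
    """Client encrypts only to a key whose CA-signed binding verifies."""
    if not verify_certificate(CA_PUB, offered_cert, "supplier"):
        return None  # refuse to send anything
    return encrypt(ORDER, offered_cert["public_key"])


GENUINE_CERT = issue_certificate(CA_PRIV, "supplier", SUPPLIER_PUB)
# Substituted certificate: genuine name and CA signature, other key swapped in.
SWAPPED_CERT = dict(GENUINE_CERT, public_key=ATTACKER_PUB)

if __name__ == "__main__":
    leaked = decrypt(send_without_ca(ATTACKER_PUB), ATTACKER_PRIV)
    print("no CA, substituted key : third party reads order", leaked)
    print("CA, substituted key    :", send_with_ca(SWAPPED_CERT))
    sealed = send_with_ca(GENUINE_CERT)
    print("CA, genuine certificate: supplier reads order",
          decrypt(sealed, SUPPLIER_PRIV))
```

The check only helps if the client already holds an authentic copy of the CA's public key, which is why browsers ship with a built-in list of trusted CAs.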

SECURE SOCKETS LAYER (SSL)

• WHAT IS SSL?
• How does it work?
• What are some of its advantages/disadvantages?

SSL

• The most common use of SSL is in protecting HTTP communications. For example, any URL beginning with https:// indicates the use of HTTP protected by SSL.
• SSL provides a range of security services for client/server sessions, including:
  – Server authentication
  – Client authentication
  – Integrity
  – Confidentiality

Secure Transport of data - Integrity/confidentiality

• Of primary consideration is the demand for secure transport of data across the Internet
• Many online businesses use SSL or TLS (Transport Layer Security) to provide end to end encryption to protect internet transactions between client and web server
  – Integrity:
    • Data items transferred are protected against attempts to modify data.
  – Confidentiality:
    • Users are assured that no unauthorised entity has access to the information being shared at the Web site.
    • This protects sensitive information such as account numbers or credit card numbers against eavesdroppers

SSL

Addresses many (NOT ALL) security concerns when sharing private or confidential information via the internet

• Designed for client/server applications
• Prevent unwanted tampering of data transmission through:
  – Eavesdropping
  – Data alteration
  – Message forgery
• GOALS
  – Ensure privacy and reliability of communication between two applications

SSL HANDSHAKE PROTOCOL

SSL provides a protocol by which all information sent by the server and the client during a session is encrypted, for example:

1. When a client makes a request over HTTPS (hypertext transfer protocol) to a server, the server’s public key is sent to the browser

2. The browser uses this key to encrypt the information before it leaves the client.

  – Authenticates the server to a software-based client (i.e. web browser)
  – Enables it to decide upon an encryption algorithm and cryptographic KEYS BEFORE a higher-level protocol sends or receives data
  – Relies on a six-step handshaking approach between parties (see page 207, Merkow)


SSL Handshake protocol Cont/d

• Browser lets you know when the session is ready for secure communication by displaying a closed padlock
• SSL must be selectively used by the Web client and server in order to invoke the protocol
• BENEFIT
  – Allows higher level protocols to sit on top of it and communicates with them without dictating a specific application protocol

Secure Site: Virgin Blue Credit Card – SSL – Microsoft Internet Explorer

“How we (Virgin) ensure your protection”

Because your privacy is our priority we make sure that the personal information you submit to us online remains strictly confidential.

We ensure your protection with Secure Sockets Layer (SSL) which scrambles your data, so that it is unreadable by third parties. It does this by:

1. Server authentication. The web server sends a digital certificate to your computer so that you can be sure of its identity.

2. Client authentication. Your computer in turn authenticates itself to the server by showing its digital signature.

3. Encryption connection. During the Internet connection, data is encrypted (i.e. scrambled) so that only your computer and the web server can understand the contents. This prevents other Internet users from intercepting the information sent between you and the web server.

TO USE SSL

SSL uses DIGITAL CERTIFICATES
  – obtain and install certificate from a CA (certificate authority)
  – VeriSign
  – Internal Windows 2000 certificate server

• A stream of data (thousands of bytes long)
• Encodes the user’s public key
• Endorsed by a Certificate Authority (CA)
• CA verifies the server being visited is indeed the server it says it is (A TRUSTED SOURCE)
• Hold both private and public encryption key
  – Public and private keys are asymmetric keys: whatever the private key encrypts, the public key decrypts

http://www.verisign.com.au/gatekeeper/faqs/general.shtml


Problems (Merkow p209)

MANY AND VARIED:

• Encrypted SSL communications do not compress, slowing their transmission through devices such as modems
• International export restrictions cause complications
• Security expertise to recognise and manage “good” certificates

However:
• It is well understood
• Inexpensive and relatively well supported in organisations and relatively safe

REWRITE VICTIM'S URL (Universal Resource Locator)

Diagram labels: Victim's browser, Attacker, Web server

1. Request spoofed URL
2. Request original URL
3. Original page contents
5. Spoofed page contents

Unknowingly, attacker may obtain victim’s bank account number and password or stock market information


SSL offers no help

Even though the victim may establish an SSL connection to the attacker:

• If victim does not check SSL certificate's ownership carefully they may believe that a secure connection with the real server has been established
• Fake certificates can look very similar to the real ones
• Perhaps containing misspelled names that are often difficult to notice
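One way to automate the certificate-ownership check this slide says users tend to skip, as an added example that is not part of the original lecture: compare each name a certificate presents with the site the user meant to reach, accept only an exact match, and flag misspelled near-misses. The hostnames, the confusable-character table and the distance threshold are constructed assumptions.

```python
# Added example (not from the lecture): compare the names a certificate presents
# with the site the user meant to reach. All hostnames used with it are constructed.

# Character sequences that are easily mistaken for another letter on screen.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def fold(name):
    """Lower-case a hostname and collapse look-alike character sequences."""
    name = name.lower().rstrip(".")
    for seen, read_as in CONFUSABLES:
        name = name.replace(seen, read_as)
    return name


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,                # delete from a
                               current[j - 1] + 1,             # insert into a
                               previous[j - 1] + (ca != cb)))  # substitute
        previous = current
    return previous[-1]


def classify(expected, presented, max_distance=2):
    """Return 'match', 'lookalike' or 'different' for one certificate name."""
    e = expected.lower().rstrip(".")
    p = presented.lower().rstrip(".")
    if e == p:
        return "match"
    if fold(e) == fold(p) or edit_distance(e, p) <= max_distance:
        return "lookalike"
    return "different"


def review_certificate(expected, certificate_names):
    """Accept only an exact name match; report near-misses for follow-up."""
    verdicts = {name: classify(expected, name) for name in certificate_names}
    return {
        "accept": "match" in verdicts.values(),
        "lookalikes": sorted(n for n, v in verdicts.items() if v == "lookalike"),
    }


if __name__ == "__main__":
    # Constructed names as they might appear in presented certificates.
    for names in (["www.bank.example"], ["www.bnak.example"],
                  ["vvvvvv.bank.example"], ["shop.other.example"]):
        print(names, review_certificate("www.bank.example", names))
```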

Secure Networking (VPNs)

• Virtual private networks (VPNs)
  – advanced encryption technologies
  – enable businesses to establish secure private connections between corporate networks and third-party networks such as the Internet.
• VPNs allow mobile workers and businesses with multiple office sites to communicate securely at high speeds.
  – offer one of the highest levels of network and Internet security,
  – an expensive solution for smaller businesses.

Pretty Good Privacy (PGP)

Secure personal connection
  – a popular security option for individuals.

• uses public key encryption.
• unlike PKI, it allows users to generate their own public and private keys.
  – cheaper and easier to implement, but
  – does not offer the same reassurance as a certificate issued by an independent third party.

Protecting your organisation from cyber crime
http://www.niksun.com/documents/NetDetector_NIFS.pdf

Diagram: ASSETS, surrounded by the following measures:

• Review and update security measures and controls
• Security audit
• Security policy
• Security aware culture
• Consider all security options
• Use Australian Government Evaluated Products (EPL)
• Crisis management plan
• Business case developed
• Outsource IS Security
• Honeynet/Honeypot
  – http://www.honeynet.org/papers/honeynet/
  – http://www.honeynet.org/papers/profiles/cc-fraud.pdf

CONCLUSION

• Although it is possible for a Web client to strongly authenticate a Web server and communicate privately with it (using SSL and certificates)
  – See: www.verisign.com, belsign.com and Thawte.com
• Not all security problems are solved
• REASON:
  – Access control management
    • Only really efficient for a small number of client server relationships
    • Requires security expertise to recognise and manage “good” certificates

REVIEW

• WHAT METHODS CAN ORGANISATIONS ADOPT TO SAFEGUARD AGAINST DDoS ATTACKS
• DESCRIBE HOW DDoS ATTACKS OPERATE
• WHAT OTHER PROBLEMS DOES INTERNET POSE FOR USERS


REFERENCES

• Hassler, V. (2001). Security Fundamentals for E-Commerce. London: Artech House.
• Levy, S. (1984). Hackers: Heroes of the computer revolution. Garden City, NY: Anchor Press/Doubleday.
• Merkow, M. S. & Breithaupt. (2002). Internet the complete guide to security.
• Stoll, C. (1989). The Cuckoo’s Egg: Tracking a Spy Through the Maze of computer espionage. New York: Doubleday.
• Tipton, H.F. & Krause, M. (2002). Information security management: Handbook. London: Auerbach Publications.
• http://webct.monash.edu.au/SCRIPT/IMS5002_S1_2004/scripts/serve_home
• http://www.govonline.gov.au/projects/confidence/Securing/FAQs.htm#13
• http://security2.gartner.com/section.php.id.37.s.1.jsp