Embed Size (px)
Citation preview
Security
Topics: Security
What are the threats that affect information security? – For each threat, identify controls that can be used to
mitigate risks.
Security Concerns
Information systems are subject to many threats Continue to apply Risk Assessment Framework
– What is threat?– What is likelihood that
threat will occur?– What is potential damage
from threat?– What controls can be used
to minimize damage?– What is the cost of
implementing the control?
Goals of Information Security
Reduce the risk of systems and organizations ceasing operations
Maintain information confidentiality Ensure the integrity and reliability of data
resources Ensure compliance with national security laws
and privacy policies and laws
Security Threats
Three major types:– Natural Forces– Human– Technical (System)
Security Threats
Natural forces– Fire– Water– Energy (surges, brownouts, etc.)– Structural damage (earthquake)– Pollution
How prevent/minimize damage?
Security Threats - cont
Human– Unintentional mistakes– Unauthorized intrusion– Sabotage– Hackers– Virus and worms
Human Security Threats (cont.)
Unintentional mistakes– Over 90% of errors
How prevent/minimize?
Risks to Information Systems
Risks to Applications and Data– Theft of information– Data alteration and data destruction– Computer viruses– Unauthorized remote control programs– Nonmalicious mishaps
Unintentional mistakes
Human Security Threats (cont.)
Risks to Network Operations– Denial of Service– Spoofing
Deception for the purpose of gaining access Deception of users direction to different web site
Risks to Information Systems
Security Threats - cont
Technical– Inadequate testing of modifications– Hardware failure
Controls
Controls: Constraints imposed on a user or a system to secure systems against risks.
Types– Prevent– Detect– Correct
Control Types – cont’d
Preventative– Program Robustness and Data Entry Controls
Provide a clear and sound interface with the user Menus and limits
– Access Controls Ensure that only authorized people can gain access to
systems and files Access codes, passwords, biometric
– Atomic Transactions Ensures that transaction data are recorded properly in all the
pertinent files to ensure integrity
Control Types – cont’d Preventative Controls – cont’d
Segregation of Duties– Different people in charge of different activities,
allowing checks and balances and minimizing possibility of criminal behavior.
– Separation of duties during systems development prevents installation of trapdoors.
– Separation of duties while using the system minimizes abuse, especially in electronic fund transfer.
Control Types – cont’dPreventative Controls – cont’d
Network– Callback
Remote user’s telephone number verified before access allowed
– Encryption Messages scrambled on sending end; descramble to plain
text on receiving end Symmetric: Both users use a private, secret key Asymmetric: Parties use a combination of a public and a
private key
Control Types – cont’dPreventative Controls – cont’d
Web encryption standards– Secure Sockets layer (SSL)
is the most common protocol used The main capability is encrypting messages automatically by the
SSL in your computer browser before being sent over the Internet.
– Secure Hypertext Transport Protocol (SHTTP) Works only along with HTTP
– Secure Electronic Transaction (SET) Developed by MasterCard and VISA in 1997 to provide protection
from electronic payment fraud Proposed standard incorporating digital signatures, encryption,
certification, and an agreed-upon payment gateways
Control Types – cont’dPreventative Controls – cont’d
Firewalls– Software that separates users from computing
resources– Allows retrieval and viewing of certain material but
blocks changes and access to other resources on the same computer
Control Types – cont’d
Detective– Audit Trails
Built into an IS so that transactions can be traced to people, times, and authorization information
– Network Logs– Internet Logs
Control Types – cont’d
Corrective– Backup and Recovery
Periodic duplication of all data
Electronic Commerce Security
The security features needed to conduct commerce were not in place when public ban on use of internet was lifted
Major issues– Authorization– Authentication– Integrity– Privacy– Fraud/theft– Sabotage
Electronic Commerce Security
Authorization – Does user have permission to access?– Solution:
Access control mechanisms– Passwords
– Problem with solution Administrative overhead How control access to e-commerce site?
Electronic Commerce Security
Authorization – Cont’d– Digital Certificate
Equivalent of a physical ID card
– Electronic Signature Electronic symbol or process associated with a contract
– Digital Signature Encrypted text sent along with message that verifies that
message was not altered (equivalent to a signed envelop)
Electronic Commerce Security
Authentication - assurance regarding the identity of the parties who are involved in the deal
Solution– Encrypted password devices
System sends a 5 digit number Enter into handheld device, which displays different 5 digit
number Enter back into system as password
– Digital Certificate Similar principle – owner’s public key stored on third-party site
Electronic Commerce Security
Integrity - assurance that data and information (orders, reply to queries, and payment authorization) are not accidentally or maliciously altered or destroyed during transmission
Solution– Digital signature
Digital code attached to message that verifies origin and contents
Problems– Not everyone has digital signatures
Electronic Commerce Security
Privacy – How prevent eavesdropping? Solution
– Encryption Based on mathematical principles to factor product into two
prime numbers If prime numbers are large, supposedly difficult to crack
– 56-bit DES encrypted message was decrypted in little over 22 hours by a network of volunteers and a special purpose computer called “Deep Crack”.
Standards:– Secure Sockets Layer (SSL)– Secure HTTP (S-HTTP)– Secure Electronic Transactions (SET)
Electronic Commerce Security
Fraud/Theft – How do you know if something is “stolen”?
Solution– Internet logs– “Electronic tags” on files, etc.
Problems– Cannot prevent people from saving page, images, etc.– If saved as images – almost impossible to determine if
someone else has them.
Electronic Commerce Security
Sabotage – Can someone enter internal information system and access private information or destroy/alter information?
What do intruders do?– Scan/explore system (15%)– Change documents/files (15%)
e.g., credit rating, stealing
– Plant a virus (11%)– Steal trade secrets (10%)
Hackers
Who are they?– People who gain unauthorized access for profit,
criminal mischief or personal pleasure
“Training” manuals on WWW Examples of tactics
– “War dialing” – denial of service– Sniffers– Password crackers– Viruses
Viruses
First occurrence on internet in 1988 by Robert Morris, CS student at Cornell– Went out of control. As spread, tied up memory and
storage space– Hundreds of computer centers in research institutes
and universities had to shut down– Virus intended to cause no harm cost over $100
million in lost access and direct labor costs
Anti-viral software
Sabotage – cont’d
Solution– Firewall
Sits between internet and internal network Can be router, or can use third-party host for web site
– Firebreak – submit sensitive information over telephone or VAN– not over internet
Problem– Only prevents inexperienced hackers
CERT
Computer Emergency Response Team– Helps determine who is breaking into sites, and
publishes solutions to the method used for the breakin
Discussion Questions
Crime– Bank robbery: average loss is $3400, 85% chance of
being caught– White collar: average loss is $23,000– Computer fraud: average loss is $600,000, extremely
hard to catch culprit
– Why?
Discussion Questions cont’d
Computer fraud typically performed by insiders.– What measures can be used to minimize fraud?
Why doesn’t everyone use biometric access controls?
Should companies use firewalls to block employee access to outside web sites?– To track pages downloaded to PC?
Why don’t companies report computer fraud?
Network Security: Need combination to Minimize Risk
Authorization management Firewall Encryption Advisory organization and consultants
– e.g., CERT, ex-hackers
OR Disconnect from internet
