Business Information Security Systems
Michael Liu
University of Waterloo
1
There are three major sources for these slides: Chapter 01 lecture slides, “Cryptography and Network Security”, 4th edition, Stallings
From the textbook written by Laudon, Laudon and Brabston (2009). Management Information Systems: Managing the Digital Firm, Fourth Canadian Edition, Toronto, Pearson Prentice Hall, © 2009 Pearson Education Canada
From the lectures developed by Dr. Anne Pidduck
2
Textbook Chapter 08
3
Common cyber threats
Definition of computer security
6 categories of security services
Implementations of security services
Security policy and security audit
4
5
Image Source: https://www.livehacking.com/2011/09/08/cybercrime-bigger-than-global-black-market-in-marijuana-cocaine-and-heroin-combined/
6
Juliet
Romeo
Contemporary Security Challenges and Vulnerabilities
Figure 8-1
The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.
7
8 Image Source: http://savejasonsmom.org/wp-content/uploads/2011/02/question_mark.jpg
Computer virus: a rogue software program that attaches itself to other programs in order to be executed
◦ Can automatically copy itself from file to file
◦ Can harm data, programs, machines, the network or its performance; or open a backdoor for a hacker
Worm: a program with ill intent that can copy itself from one computer to another over networks by exploiting security vulnerabilities
◦ Can cause the same damage as a virus
Trojan horse: a software program that appears to be benign, but then does something unexpected
◦ Can cause the same damage as a virus
◦ Cannot replicate
9
Image Source: http://www.aakashjain.com/wp-content/uploads/2009/04/cyber-threat.jpg http://computerworm.net/2011/07/14/all-you-need-to-know-about-a-computer-worm/ http://www.systemdiary.com/a-new-type-of-trojan-horse-attacks-europe/
Spoofing: masquerading as someone else to trick users into revealing their information
◦ Phishing (e-mail spoofing): sending e-mail or text messages that look legitimate, and using them to ask for confidential data
◦ Pharming (web spoofing): redirects users to a bogus web site
◦ Evil twins: rogue WiFi access point
Sniffing: an eavesdropping program that monitors information travelling over a network
Denial of Service (DoS) Attacks or Distributed DoS (DDoS): hackers flood a server with false communications in order to crash the system
◦ Gain control of many zombie computers to form a botnet that performs the attack
10
11
UPS
FBI
Order
For more information: http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx
http://e-commercewonderland.blogspot.com/2009/06/phishing-examples-and-its-prevention.html
12 Image Source: http://e-commercewonderland.blogspot.com/2009/06/phishing-examples-and-its-prevention.html
Please click the following link to verify your information: http://www.ebay.com/
http://www.oxfordadvancedlearnersdictionary.com/dictionary/spam
13
Return-Path: [email protected]   (this is the address your e-mail goes to should you "Reply" to an e-mail sent to you)
From: TD Customer Service <[email protected]>
To: [email protected]
Subject: TD Customer Service – Account Update
Date: Thursday, 06 Oct 2011 13:27:26 +0300
Importance: high   (these headers tell your e-mail client what to display)
MIME-Version: 1.0
Content-Type: multipart/alternative;   (this tells what kind of text the e-mail contains: plain text, HTML formatted, or another format)
Content:
Dear Customer,
We are currently upgrading our system. Please click the following link, log into your account and verify your information.
http://easyweb.td.com/
Sincerely,
TD Customer Support Group
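The two slides above point at the two things a reader can check without any special tools: whether the address a reply would go to matches the address the message claims to come from, and whether the text of a link names the same site that the link actually points to. As an added example (not from the slides), the Python below performs both checks over a constructed message modelled on the header walk-through; the addresses and domains (example.com, example.net, the login-verify host) are invented stand-ins for the redacted originals, and the function names are my own.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the header walk-through above; not a real e-mail.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-update.example.net>
From: TD Customer Service <service@td.example.com>
To: romeo@example.org
Subject: TD Customer Service - Account Update
Date: Thu, 06 Oct 2011 13:27:26 +0300
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>We are currently upgrading our system. Please click the following link,
log into your account and verify your information.</p>
<p><a href="http://easyweb.td.example.com.login-verify.example.net/">http://easyweb.td.com/</a></p>
<p>Sincerely,<br>TD Customer Support Group</p>
</body></html>
"""

# Constructed benign message for comparison: consistent sender, link text matches href.
BENIGN_RAW = """\
Return-Path: <service@td.example.com>
From: TD Customer Service <service@td.example.com>
To: romeo@example.org
Subject: Monthly statement
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready at
<a href="https://easyweb.td.example.com/">https://easyweb.td.example.com/</a>.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(header_value) -> str:
    """Domain part of the first address in a header such as From or Return-Path."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def analyse(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Check 1: the address replies/bounces go to should belong to the claimed sender.
    from_dom, return_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")

    # Check 2: a link whose visible text names one host but whose href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            shown = urlparse(text).hostname if "://" in text else None
            actual = urlparse(href).hostname
            if shown and actual and shown != actual:
                findings.append(f"link text shows {shown} but points to {actual}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_RAW):
        print("suspicious:", finding)
    print("benign findings:", analyse(BENIGN_RAW))
```

The second check is the one the earlier eBay slide illustrates: the visible text is a URL, but the anchor's href is what the browser actually follows.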
In Spring 2012, two math students got co-op offers in New York City. They found a very good apartment.
They were taking CS 330 at that time and found the e-mail sent by the landlord a bit fishy.
They asked me whether it was phishing.
What do you think?
14
Acknowledgment: special thanks to Martin, the student who gave me permission to use this e-mail for teaching purposes
15 Image Source: http://en.wikipedia.org/wiki/Botnet
16
On Oct 5, 2012, Hotmail shut down all communications with UW e-mail servers
◦ All e-mails between Hotmail accounts and UW accounts were rejected
What happened
◦ Some hacker got control of several hundred UW e-mail accounts and used them to send mass e-mails to Hotmail, presumably attempting to crash it.
◦ Hotmail identified the problem (all e-mails came from the UW server) and, as its only means of defense, rejected all e-mails from UW accounts: a denial of service to all UW users.
17
The successful takedown of the Rustock botnet cut the volume of spam across the world by one-third, according to Symantec's March 2011 MessageLabs Intelligence Report.
The largest botnet that has been found and removed so far is a botnet controlling over 12M computers
It has been estimated that up to one quarter of all personal computers connected to the internet may be part of a botnet.
18
Click Fraud: bogus clicks to drive up pay-per-click charges ◦ Web click robot ◦ http://en.wikipedia.org/wiki/Click_fraud
Cyberterrorism and Cyberwarfare: exploitation of computer systems by terrorists or political parties as a means of warfare ◦ Kill switch bill
Adware is any software package which automatically downloads, displays, or plays advertisements on a computer, often without the user’s permission and in the form of pop-ups
Spyware is software that (secretly) installs itself on a user’s machine and collects information about the user without their knowledge. ◦ A keylogger is a form of spyware ◦ Germany’s probe into state use of spyware on people.
19
@AP, the official twitter handle of the respected Associated Press news agency, sent out a message at about 1:07 p.m. ET, saying "Breaking: Two Explosions in the White House and Barack Obama is Injured." The AP quickly said it was hacked. The Dow plunged more than 140 points and bond yields fell. Within six minutes, the Dow recovered its losses and was trading with triple-digit gains. Reuters estimated that the temporary loss of market cap in the S&P 500 alone totaled $136.5 billion. Source: http://www.cnbc.com/id/100646197
Replay attack ◦ A valid data transmission is maliciously repeated at a later time.
Salami attack ◦ Many small, individually unnoticed pieces add up to a large total
20 Image Source: http://www.winspark.net/tag/security/
E-mail spam, also known as junk e-mail, is a subset of spam that sends nearly identical messages to numerous recipients by e-mail, often for advertisement. ◦ Definitions of spam usually include the aspects that the e-mail is unsolicited, for business purposes and sent in bulk.
All of the above software with malicious intent can be collectively called malware.
For a better definition of hacker, please refer to http://en.wikipedia.org/wiki/Hacker
http://www.faqs.org/docs/artu/hackers.html
http://www.campusactivism.org/html-resource/hackers/section4.html
21
The Spam Problem
Figure 4-8
22
Spam Filtering Software
Figure 4-7 23
Definition:
• Policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, interruption or physical damage to information systems
24
My system is secure because it is protected by ID and password
My communication is secure because it is encrypted.
Is that really so?
25
A user wants to access an online ordering web site. Need to make sure that: ◦ The user is legitimate
◦ His access is restricted to certain parts of the system
◦ His conversation cannot be overheard by others
◦ His data cannot be modified by others
◦ He can place an order if he so desires
◦ He keeps his word after placing the order
26 Image source: http://activerain.com/blogsview/1860583/is-opportunity-knocking-at-your-door-
27
• Authentication: assurance that the communicating entity is the one claimed
• Access Control: prevention of the unauthorized use of a resource
• Data Confidentiality: protection of data from unauthorized disclosure
• Data Integrity: assurance that data received is as sent by an authorized entity
• Availability: assurance that services are available when needed
• Non-Repudiation: protection against denial by one of the parties in a communication
Two possibilities: ◦ Sender denied sending
◦ Receiver denied receiving
28
3 days passed. If the gas price is $1.2 per liter, who is likely to default?
3 days passed. If the gas price is $0.8 per liter, who is likely to default?
29
E-mail: I am going to buy one million liters of gas from you at $1 per liter in 3 days
Authentication, Access Control, Data Confidentiality, Data Integrity, Availability, Non-repudiation
30
Captain Jack Sparrow redecorates the Black Pearl and wants to open it to the public for sightseeing. He sets up some rules that for $100, a tourist can visit the first deck; for $200, a tourist can visit the second deck; $300 for the third deck etc. Which of the following security services can be implemented to enforce these rules?
Captain Jack Sparrow wants to auction off the Black Pearl on eBay but he is not sure the web site that he logs into is in fact eBay. Which of the following security services could be implemented to ease his anxiety?
The Smurfs e-mail Captain Jack Sparrow and offer 1 billion dollars to buy the Black Pearl. Jack thinks this is a super sweet deal but he is afraid that the Smurfs might back down from this deal. What security service can be used to prevent the Smurfs from denying they sent the e-mail?
Captain Jack Sparrow wants to make an announcement that he sold his ship and officially retires from piracy. What security service can be used to ensure the public the message is genuine?
Firewall
◦ Provide authentication and access control
◦ Example: packet filtering firewall, proxy firewall
Antivirus software
◦ Provide data and system integrity, access control
◦ Example: Norton, Trend Micro, AVG etc.
Hardware Controls
◦ Provide authentication, access control, availability
◦ Example: dedicated hardware, smartcard, fingerprint scan, retina scan, VPN dongle, backup etc
Security software
◦ Service provided depends on type of security software used (authentication, confidentiality, integrity, access control etc.)
User awareness
◦ Core of any implementation
31
2010, based on 30 million compromised passwords: ◦ 123456, 123456789, password, iloveyou
In 2011 … … ◦ http://www.theglobeandmail.com/news/technology/tech-news/top-25-most-hacked-passwords-revealed/article2244739/
In 2013 … … ◦ http://newsfeed.time.com/2014/01/20/the-25-worst-passwords-of-2013/
32
A device/program that monitors and controls incoming and outgoing data transmissions to protect the company network from unauthorized access. ◦ Allow authorized communication and deny unauthorized access
◦ Often placed between the company network and an external network like the Internet
Can be implemented using software or hardware. Sometimes it is built into the network modem/switch/hub/OS
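As an added illustration of the packet-filtering firewall named on the next slide (my own code, not from the slides or any product), the Python below evaluates packets against an ordered rule list in the way a packet filter does: the first matching rule decides, and anything no rule explicitly allows is dropped. The company address range, the web server address and the rules are a constructed sample policy, not a recommendation for any particular network.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    direction: str  # "in" (arriving from outside) or "out" (leaving the company network)


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str              # "in", "out" or "any"
    src: str = "0.0.0.0/0"      # source network; default matches every address
    dst: str = "0.0.0.0/0"      # destination network
    proto: str = "any"
    dport: Optional[int] = None  # None matches every port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def decide(rules: List[Rule], packet: Packet, default: str = "deny") -> str:
    """First matching rule wins; with no match the default (deny) applies."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# Constructed sample policy (assumed): company network 10.0.0.0/8, public web server 10.0.1.10.
COMPANY = "10.0.0.0/8"
WEB_SERVER = "10.0.1.10/32"
RULES = [
    # Traffic arriving from outside should never carry an internal source address.
    Rule("deny", "in", src=COMPANY),
    # Outsiders may reach only the web server, and only on the web ports.
    Rule("allow", "in", dst=WEB_SERVER, proto="tcp", dport=443),
    Rule("allow", "in", dst=WEB_SERVER, proto="tcp", dport=80),
    # Inside hosts may browse (HTTPS) and resolve names (DNS); everything else is dropped.
    Rule("allow", "out", src=COMPANY, proto="tcp", dport=443),
    Rule("allow", "out", src=COMPANY, proto="udp", dport=53),
]


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "10.0.1.10", "tcp", 443, "in"),   # customer visiting the web server
        Packet("203.0.113.5", "10.0.1.10", "tcp", 3389, "in"),  # remote desktop from outside
        Packet("10.0.0.7", "10.0.1.10", "tcp", 443, "in"),      # internal address arriving from outside
        Packet("10.0.2.3", "198.51.100.9", "tcp", 25, "out"),   # host inside sending mail directly
    ]
    for p in samples:
        print(p, "->", decide(RULES, p))
```

Because the default is deny, adding a new service means adding an explicit allow rule, which is the property the slide's "allow authorized communication and deny unauthorized access" describes.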
33 Image Source: http://tadp.wdfiles.com/local--files/clase-5/firewall.gif
It is used to detect, prevent, and remove malware ◦ Including but not limited to computer viruses, worms, Trojan horses, spyware and adware.
How does it work? ◦ Based on a virus signature database ◦ Based on heuristics ◦ Only effective against known threats
Reactive approach: need to update frequently and back up data
Proper set up ◦ Temp directory and Internet temp directory ◦ Registry ◦ Internet settings and system files ◦ Access scan ◦ E-mail scan ◦ Inconvenient side-effects
34
It is the study of encryption: rendering a message unreadable based on a key ◦ Foundation of many of the security services mentioned above
The strength of an encryption depends on the size of the key ◦ The longer the key used, the harder it is to guess what the message is about
◦ Analogy: the longer the password, the harder it is to guess
35
meet me after
the toga party
PHHW PH DIWHU
WKH WRJD SDUWB
Transformation based on a key
Always possible to simply try every key to guess the actual key used in an encryption
Difficulty is proportional to key size
Key Size (bits) | Number of Alternative Keys | Time required at 10^6 decryptions/µs
32              | 2^32  = 4.3 x 10^9         | 2.15 milliseconds
56              | 2^56  = 7.2 x 10^16        | 10 hours
128             | 2^128 = 3.4 x 10^38        | 5.4 x 10^18 years
168             | 2^168 = 3.7 x 10^50        | 5.9 x 10^30 years
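The transformation on the previous slide is Caesar's cipher with key 3. As an added example (not from the slides or from the Stallings text they draw on), the Python below encrypts the slide's sentence and then does what the slide says is always possible: it tries every one of the 25 keys and picks the one whose output reads as English. With 25 keys the search is instant, which is exactly why the key sizes in the table matter; the word list and the function names are my own.

```python
import string

ALPHABET = string.ascii_lowercase


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift every letter forward by `key` positions (wrapping around); non-letters pass through."""
    out = []
    for ch in plaintext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is encryption with the opposite shift."""
    return caesar_encrypt(ciphertext, -key)


def brute_force(ciphertext: str) -> dict:
    """Exhaustive key search: every possible key (1..25) and the plaintext it yields."""
    return {key: caesar_decrypt(ciphertext, key) for key in range(1, 26)}


# A tiny constructed word list; a real attacker would use letter frequencies or a dictionary.
COMMON_WORDS = {"the", "me", "after", "meet", "party", "and", "to", "at"}


def guess_key(ciphertext: str):
    """Return the key whose candidate plaintext contains the most common English words."""
    best_key, best_score = None, -1
    for key, candidate in brute_force(ciphertext).items():
        score = sum(word in COMMON_WORDS for word in candidate.lower().split())
        if score > best_score:
            best_key, best_score = key, score
    return best_key


if __name__ == "__main__":
    cipher = caesar_encrypt("meet me after the toga party", 3).upper()
    print(cipher)                       # the slide's ciphertext
    key = guess_key(cipher)
    print(key, caesar_decrypt(cipher, key))
```

The same exhaustive search applies to every cipher; what changes with the key sizes in the table is only how many candidates there are to try.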
What is secure is relative to the computation power we have now ◦ This is called computationally secure: a system/message is computationally secure if it will take the attacker a very “long time” to crack the system/message even if he is using the best existing technologies and tools
◦ Implication of Moore’s Law
Computer security needs constant upgrades
37 Image Source: http://blog.commtouch.com/cafe/wp-content/uploads/What-is-security-2.jpg
Symmetric key encryption: the same key is used to encrypt and decrypt the data ◦ This is what people usually refer to as “encryption”
◦ Protects secrecy
Examples: DES, Triple DES, AES, RC4/5, WEP
Public key encryption: uses a pair of keys (one called the public key and one called the private key). One key is used to encrypt and the other is used to decrypt ◦ Though it can be used to protect secrecy, it is often used to generate digital signatures
◦ Example: PKI, RSA
39 Image Source: http://techliberation.com/wp-content/uploads/2011/01/encryption.jpg
Protects data authenticity and integrity, and provides non-repudiation ◦ A digital signature is a unique mathematical value for a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit.
The sender’s private key is used to sign the document and his public key is used to verify the signature
40 Image Source: https://tspace.library.utoronto.ca/html/1807/4637/jmir_v4i2e12_fig2.jpg
Signed text
Only the sender can sign as his private key is “private”
Easy to verify as his public key is “public”
MD5 ◦ http://www.whatsmyip.org/hash_generator/
SHA1 ◦ http://www.tech-faq.com/sha-1-generator
◦ http://nsfsecurity.pr.erau.edu/crypto/sha1.html
Interesting tools ◦ http://www.whatsmyip.org/
41
It bears the digital signature of a certain certificate authority whose identity is built into the operating system/web browser ◦ The OS can verify the legitimacy of the digital signature, hence the legitimacy of the certificate, and hence the identity of the certificate holder
◦ The certificate also contains the public key of the certificate holder
42
https and SSL: secure protocols over the Internet, based on certificates.
eBay first creates a pair of keys, one public key and one private key
It then submits the public key to VeriSign to get a certificate ◦ The certificate contains information about eBay and its public key
◦ VeriSign is the biggest certificate authority
When Romeo contacts eBay to sign up for an account, eBay presents its certificate to his web browser. ◦ The process to verify a certificate is built into the browser.
The browser verifies that the certificate is valid and it belongs to eBay ◦ This step proves that Romeo is indeed in contact with eBay, not an impersonator
The browser then extracts eBay’s public key from the certificate.
It then randomly generates a symmetric key, encrypts it using eBay’s public key and sends it back to eBay. ◦ Since it is encrypted with eBay’s public key, it can be decrypted only by eBay’s private key.
eBay then decrypts the symmetric key with its private key.
Now Romeo and eBay share a symmetric key and all subsequent conversation can be encrypted using this symmetric key.
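To tie the digital-signature slide and the https/SSL walkthrough above together, here is an added worked example (my own code, not from the slides and not eBay's or VeriSign's) that models both with textbook RSA on small fixed primes: the certificate authority signs "subject + subject's public key", the browser checks that signature with the CA key it has built in, extracts the server's public key, wraps a random symmetric key with it, and both sides then use the symmetric key for the conversation. The primes, the name ebay.example and the SHA-256-based XOR stream cipher are stand-ins chosen so the example runs with the standard library alone; real TLS uses 2048-bit keys with proper padding and AES, none of which this toy provides.

```python
import hashlib
import secrets

# Toy RSA on two fixed small primes (constructed for illustration only).
P, Q = 1000003, 999983


def make_keypair(p=P, q=Q, e=65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def _digest_mod_n(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Signing uses the PRIVATE key: only its holder can produce this value."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Verification uses the PUBLIC key: anyone can check, nobody else can forge."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def rsa_encrypt(m: int, public_key) -> int:
    n, e = public_key
    return pow(m, e, n)


def rsa_decrypt(c: int, private_key) -> int:
    n, d = private_key
    return pow(c, d, n)


def cert_bytes(subject: str, public_key) -> bytes:
    """The part of a certificate the CA signs: who the holder is and what their public key is."""
    return f"{subject}|{public_key[0]}|{public_key[1]}".encode()


def issue_certificate(subject: str, subject_public_key, ca_private_key) -> dict:
    return {"subject": subject, "public_key": subject_public_key,
            "ca_signature": sign(cert_bytes(subject, subject_public_key), ca_private_key)}


def browser_handshake(cert: dict, ca_public_key, expected_subject: str):
    """The browser's side of the slide: verify the certificate, then send a wrapped session key."""
    if not verify(cert_bytes(cert["subject"], cert["public_key"]), cert["ca_signature"], ca_public_key):
        raise ValueError("certificate is not signed by a trusted CA")
    if cert["subject"] != expected_subject:
        raise ValueError("certificate belongs to someone else")
    server_public_key = cert["public_key"]
    session_key = secrets.randbelow(server_public_key[0] - 2) + 2  # toy: must be smaller than n
    return session_key, rsa_encrypt(session_key, server_public_key)


def server_receive_key(wrapped_key: int, server_private_key) -> int:
    """Only the holder of the private key can unwrap the session key."""
    return rsa_decrypt(wrapped_key, server_private_key)


def symmetric_crypt(key: int, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR with SHA-256(key || counter); the same call encrypts and decrypts."""
    stream, block = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


if __name__ == "__main__":
    ca_pub, ca_priv = make_keypair()
    ebay_pub, ebay_priv = make_keypair(1000033, 999979)  # a second, distinct toy key pair
    cert = issue_certificate("ebay.example", ebay_pub, ca_priv)
    session_key, wrapped = browser_handshake(cert, ca_pub, "ebay.example")
    assert server_receive_key(wrapped, ebay_priv) == session_key
    secret = symmetric_crypt(session_key, b"bid: 1 billion dollars for the Black Pearl")
    print(symmetric_crypt(session_key, secret))
```

Two points the code makes visible: an impostor can build a certificate naming ebay.example, but without the CA's private key the browser's verify step fails; and a signature checked against the wrong public key, or over a message changed by even one byte, also fails, which is the integrity guarantee the signature slide describes.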
43
The HR manager received the following appraisal report one day:
“Bob Smith, my assistant programmer, can always be found
hard at work at his desk. He works independently, without
wasting company time talking to colleagues. Bob never
thinks twice about assisting fellow employees, and always
finishes given assignments on time. Often he takes extended
measures to complete his work, sometimes skipping coffee
breaks. Bob is a dedicated individual who has absolutely no
vanity in spite of his high accomplishments and profound
knowledge in his field. I firmly believe that Bob can be
classed as an asset employee, the type which cannot be
dispensed with. Consequently, I duly recommend that Bob be
promoted to executive management, and a proposal will be
executed as soon as possible.”
44
An alternative to encryption for secrecy
Hides the existence of the message ◦ Using only a subset of letters/words in a longer message, marked in some way
◦ Hiding data in a graphic image or sound file
◦ Using invisible ink
Drawbacks ◦ High overhead to hide relatively few information bits
◦ Becomes useless once compromised
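As an added illustration of hiding data in an image or sound file (my own code, not from the slides or from the JPHIDE tools quoted on a later slide), the Python below writes each bit of a message into the least significant bit of successive carrier bytes. The carrier here is a constructed byte string standing in for pixel or sample data; the function names are my own. The example makes both drawbacks concrete: eight carrier bytes are spent per hidden byte, and anyone who knows the scheme (or holds the original carrier to compare against) recovers or detects the message immediately.

```python
def hide(cover: bytes, secret: bytes) -> bytes:
    """Write each secret bit (most significant first) into the LSB of successive cover bytes."""
    bits = [(byte >> i) & 1 for byte in secret for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError(f"cover too small: {len(cover)} bytes carry at most {len(cover) // 8} secret bytes")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # clear the low bit, then set it to the secret bit
    return bytes(out)


def reveal(stego: bytes, length: int) -> bytes:
    """Read `length` bytes back out of the LSBs; knowing the scheme is all that is needed."""
    bits = [b & 1 for b in stego[: length * 8]]
    return bytes(sum(bit << (7 - i) for i, bit in enumerate(bits[k:k + 8]))
                 for k in range(0, len(bits), 8))


def capacity_bytes(cover: bytes) -> int:
    """One hidden bit per cover byte, so the cover must be 8x the size of the message."""
    return len(cover) // 8


def changed_bytes(original: bytes, modified: bytes) -> int:
    """With both versions available, detection is a plain comparison."""
    return sum(a != b for a, b in zip(original, modified))


if __name__ == "__main__":
    cover = bytes(range(256)) * 4  # constructed 1024-byte carrier standing in for pixel data
    secret = b"meet me after the toga party"
    stego = hide(cover, secret)
    print(reveal(stego, len(secret)))
    print(capacity_bytes(cover), "bytes of capacity;", changed_bytes(cover, stego), "bytes changed")
```

Each changed byte differs from the original by at most one, which is why the change is invisible in a picture yet trivial to spot with the original at hand.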
45
46
Hiding message in picture using WinRAR: http://www.marcofolio.net/how_to/hide_files_in_jpg_files.html http://www.online-tech-tips.com/computer-tips/hide-file-in-picture/
These programs are available for test purposes only. Please send me any useful comments for improvements. In particular if you discover ways to detect the presence of the hidden data (even if you can't extract it) I would like to hear about it. This excludes the case where both the original and the modified jpeg are available (in which case it is a trivial task!) Remember they are FREE and BETA test versions. They may not work as you expect. I offer no warranty and accept no liability for their use. They are incompatible with earlier versions of similar products I have written. JPHIDE.EXE is a DOS program to hide a data file in a jpeg file. JPSEEK.EXE is a DOS program to recover a file hidden with JPHIDE.EXE JPHSWIN.EXE is a Windows-95 program which performs the same functions as the two programs above. The programs are free standing and require no special installation. Allan Latham <[email protected]> 7th January 1999.
47
48
The risks to users of wireless technology have increased as the service has become more popular ◦ Wireless transmission is broadcast over the air. Anyone with the right equipment can intercept the signal
◦ Wireless transmission by default is NOT encrypted!
◦ Wardriving
Common solutions ◦ Encrypt the transmission! WEP (not recommended), WPA1 and WPA2
◦ Smart card and USB token
◦ Use a wired network for highly sensitive communication
49 Image source: http://en.wikipedia.org/wiki/Wardriving
Commercial software contains flaws that create security vulnerabilities ◦ Hidden bugs (program code defects)
Zero defects cannot be achieved because complete testing is not technically or economically possible with large programs
◦ Flaws can open networks to intruders
Patches ◦ Vendors release small pieces of software to repair flaws
◦ However, the amount of software in use can mean exploits are created faster than patches can be released and implemented
50
Inadequate security and control results in loss of business and may create serious legal liability ◦ Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Failure to do so can lead to costly litigation for data exposure or theft
A sound security and control framework that protects business information assets can thus produce a high return on investment
51
CSOX: Canadian Rules for Sarbanes-Oxley Act, Bill 198 ◦ Called SOX in US ◦ Internal controls must be put in place to govern information in financial statements
ERM: Electronic Records Management ◦ Managing the retention, storage and destruction of electronic records
These controls can be realized by the security services and their implementations introduced earlier
52
Determine level of risk to the firm in the case of improper controls ◦ Type of risk
◦ Probability of occurrence
◦ Damage
53 Image Source: http://www.scienceinthebox.com/en_UK/safety/riskassessment_en.html
54
How much are you willing to spend on security?
55
Acceptable Use Policy (AUP) ◦ Acceptable uses and users of information and computers
◦ Example
Authorization Policies ◦ Determine the levels of access for different users
◦ Often based on security profiles
Business continuity plan
Technical measures used to enforce the policies
Security Profiles for a Personnel System
Figure 8-4 56
Getting the business up and running after a disaster ◦ Safeguarding people as well as machines
Business measures: ◦ Documenting business processes, not relying on people who may be unavailable
◦ Drills and training
Technical measures: ◦ High-availability computer systems help firms recover quickly from a crash
◦ Fault-tolerant computer systems promise continuous availability and eliminate recovery time altogether, often using a backup system
57
A comprehensive assessment of a company’s computer security policies, procedures and technical measures ◦ Penetration test: simulated attack
◦ Video Source: http://video.google.com/videoplay?docid=5642547759793319840#
Risk assessment is done before security implementation while auditing is done after its implementation, and should be repeated from time to time
58
Auditor’s List of Weaknesses
Figure 8-5 59
Users’ lack of knowledge or human ignorance is the single greatest cause of computer security breaches! ◦ Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than breaking in or using technical cracking techniques.
◦ Passwords revealed for a sweet deal
60 Image Source: http://truthaboutlaserhairremoval.com/wp-content/uploads/2010/10/scam-alert-large1-e1288206782821.jpg