IMS5002 INFORMATION SYSTEMS SECURITY
SECURITY OVER THE INTERNET - The weak link!!
WEEK 7
http://www.cert.org/encyc_article/tocencyc.html
Lecturer: Sue Foster: Week 7 IMS5002

Date of final exam
• 14 June 2005 (second week of exams)
• Morning session
• 2 hours
  – + 10 minutes reading time
• Closed book
• 50%
  – Read unit outline for mark requirements

Course Structure
• Week 1 – Security Governance
• Week 2 – Managing Security in the organisation
  – Risk Management
• Week 3 – Risk management
  – Breaches, threats, vulnerabilities
• Week 4 – IS security
  – access controls
• Week 5 – IS Security
  – Computer forensics
• Week 6 – The impact of e-commerce on the organisation
  – The role of e-security
• Week 7 – Security over the internet
  – The weak link
• Week 8 – Security as a critical business function
  – Designing a Secure System
  – Is this achievable?
• Week 9 – Risk Management Part 4
  – Security policies and procedures
• Week 10 – Business continuity plans
  – Disaster recovery
• Week 11 – Security standards, Privacy and law
• Week 12 – Current issues and future trends
• Week 13 – Revision and exam preparation

Learning Objectives
• Describe the history of the internet
• Understand the need for security when using the internet for e-commerce
• Describe the different types of protection that can be used over the internet
• Describe the importance of SSL

A Secure IS Framework
[Diagram: SECURE INFORMATION, surrounded by]
• Confidentiality / PRIVACY
• DATA INTEGRITY
• NON-REPUDIATION
• AUTHENTICATION
• AVAILABILITY

From TruSecure / ICSA Labs, 29 August 2003, see our Security Spending section
A survey of 882 respondents determined that the MS Blaster worm:
• Remediation cost $475,000 per company (median average - including hard, soft and productivity costs), with companies reporting losses up to $4,228,000
• Entered company networks most often through infected laptops, then through VPNs, and finally through mis-configured firewalls or routers.
Located at: http://www.securitystats.com/

Current stories
• Reuters shuts down messaging system to fight Kelvir worm. Computerworld, April 15, 2005
• http://www.computerworld.com/securitytopics/security/holes/story/0,10801,101124,00.html?source=NLT_SEC&nid=101124
• Additional stories at the above site:
  – PHP falls down security hole
  – Firefox singed by eight security holes
  – Land Management agency shuts Web site over security fears
  – SP2 Blocking Tool Expires on Windows XP
• CERT Coordination Centre fights Loveletter virus (2000). Located at: http://www.cert.org/about/loveletter5-2000.html

History Of Internet
The basis for the Internet was an experiment begun in 1968 by the Defence Department's Information Processing Techniques Office (ARPA/IPTO). Project funded by the Advanced Research Projects Agency (ARPA).
• Goal to:
  – connect computers over a network in order to ensure command and control communications in the event of a nuclear war.
  – Enable a network to function (communicate) even when other parts of the network were down
• The original network was known as the ARPAnet, and the project quickly became a "straight research project without a specific application [Lyn93:5]."
  – ARPAnet Protocols
    • Rules of syntax that enable computers to communicate on a network
    • Designed for openness and flexibility, not security
• 1980s - the number of local area networks increased significantly and this stimulated rapid growth of interconnections to the ARPAnet and other networks.
  – These networks and interconnections are known today as the Internet [Til96:168].

1986 – Network International Security Incident
• Identified by Cliff Stoll
  – Lawrence Berkeley National Laboratory USA
• An accounting error in computer records of systems connected to the ARPAnet identified an international effort using the network to connect to computers across the US and copy information from them
• Sites included: government, military and universities
• Stoll published his experience in 1989 in a book entitled The Cuckoo’s Egg

1988 – First Automated Security Incident – Morris Worm
Growth - 88,000 user computers
Primary means of communication among network security experts
• Robert Morris, a student at Cornell University, wrote a program that would connect to another computer, find and use one of several vulnerabilities to copy itself to that second computer and begin to run the copy of itself at the new location
• The original code and the copy would then repeat these actions in an infinite loop to other computers on the ARPAnet
• The Worm used so many system resources that the attacked computers could no longer function.
• 10% of US computers stopped at about the same time

Computer Emergency Response Team (CERT)
Background: The Morris worm prompted the Defence Advanced Research Projects Agency (DARPA), which replaced ARPA, to fund CERT (coordination centre) (1988) to give experts a central point for coordinating responses to network emergencies
Tech@Work: The surge in viruses http://www.bigplanet.com/corp/company/industry_statistics.shtml
If there is one place taking an EKG of the Net, it is the CERT Coordination Center at Carnegie Mellon University in Pittsburgh. CERT was set up in 1988 after the release of the first Internet worm brought 10 percent of the still tiny Net's computers to a halt. Since then, the group has kept track of the steadily growing threats to the Internet. In 1990 it counted 252 unique attacks to the Net. By last year that figure had grown to 82,094. Huge, but getting larger. In the first half of 2003, CERT tracked a whopping 74,000 incidents. Source: Fortune, Sept. 29, 2003

CERT SURVEY [chart]

Security problems on the rise
http://www.bigplanet.com/corp/company/industry_statistics.shtml
• A hacker attacked and downloaded 70,000 bank account numbers from an Australian bank’s web site
• Another web site had 10,000 credit card numbers stolen (Computerworld, August 26, 2002)
• ID theft shot up 79 percent last year from 2002, affecting 3.4 percent of U.S. consumers, according to Gartner, a business research and consulting firm.
  – One reason it's growing is that such thieves face only a 1-in-700 chance of getting caught.
  – ID thefts directly cost U.S. businesses $1.2 billion in 2003, Gartner estimates. Source: Associated Press, October 7, 2004
• Nearly 2 million Americans have had their checking accounts raided by criminals in the past 12 months, according to a soon-to-be released survey by market research group Gartner.
  – Consumers reported an average loss per incident of $1,200, pushing total losses higher than $2 billion for the year. Source: MSNBC, June 14, 2004

Internet Vulnerabilities
• A vulnerability is a weakness in the system caused by:
  1. Flaws in software or protocol design:
     – Not identified before release
     – Speed to market = software not tested properly
     – Price cutting – competition
     – Software designed as easy to use off the shelf, cheap = insecure configuration
     – Attackers may infiltrate software before released on the market – Trojan Horse/virus/worm
  2. Weaknesses in how protocols and software are implemented
  3. Weaknesses in system and network configurations – set up and used

Vulnerability Exploit Cycle [diagram]
Reference: CERT/CC Overview Incident and vulnerability trends, located at: http://www.cert.org/present/cert-overview-trends/module-2.pdf

Why Is The Internet Vulnerable?
• Many early network protocols that now form part of the internet infrastructure were designed without security in mind
  – Network defence is made difficult
  – A dynamic environment
  – an open environment
• Much of the traffic not encrypted
  – Confidentiality and integrity compromised
  – Authentication and non-repudiation
    • (efraud)
    • Identity theft

Possible effects of an attack
• denial-of-service
• unauthorized use or misuse of computing systems
• loss/alteration/compromise of data or software
• monetary/financial loss
• loss of trust in computer/network system
• loss of public confidence

Incident Trends (1)
• Intruders
  – demonstrate increased technical knowledge
  – share knowledge with others
  – are prepared and organized
  – Develop new ways to exploit system vulnerabilities
  – Create software tools to automate attacks
• intruder tools are increasingly sophisticated
  – easy to use, especially by novice intruders
  – designed to support large-scale attacks
  – Speed of automated attack tools
    • Time to detect vulnerability and patch
REASONS
• Internet attacks are easy, low risk, and hard to trace
• Internet explosion and use of e-commerce capabilities
  – thousands of exploitable vulnerabilities in technology
• lack of awareness regarding information security

Incident trends (2)
• system and network administrators not prepared
  – insufficient resources
  – lack of training
• critical infrastructures increasingly rely upon the Internet for operations
• intruders are leveraging the availability of broadband connections
• vulnerable home users' computers
  – collections of compromised home computers are good weapons
Reference: CERT/CC Incident and Vulnerability trends (2003), located at http://www.cert.org/present/cert-overview-trends/module-2.pdf

Complexity of Administration [diagram]
Reference: CERT/CC Incident and Vulnerability trends (2003), located at http://www.cert.org/present/cert-overview-trends/module-2.pdf

Securing data over the web
The web was never designed to be a secure system. Hence a number of cryptosystems work to secure Web browsers, especially at electronic commerce sites:
• PKI
• DIGITAL CERTIFICATES
• SSL (Secure Sockets Layer)
• SET (Secure Electronic Transmission)
• PGP (Pretty good privacy)
• VPNs (Virtual Private networks)

PKI
• Entire set of hardware, software and cryptosystems necessary to implement Public Key encryption
• PKI is based on:
  – PKC and
  – includes digital certificates and CAs (certificate authorities)
• Common use of PKI:
  – Systems to issue digital certificates to users and servers
  – Encryption enrolment
  – Key issuing systems
  – Tools for managing the key issuance
  – Verification and return of certificates

Public Key Cryptosystem (PKCs)
To conceal a message in transit so that only the desired recipient may read it, the cleartext is encrypted (coding a message in a way that it becomes unreadable) using the recipient’s public key.
• Use pairs of related keys generated together
• The ciphertext (the encrypted (unreadable) message) produced by one key can be decrypted (making an encrypted message readable) only with the other member of the same key pair
• One of these keys is kept secret (the private key) and the other is published for all to use (the public key)

Coding Technique
• Data encryption or cryptography safeguards the security of transmitted information
• Each character of data sent is replaced with other coded characters
• The substitution algorithm is determined by the sender according to a selected key

Integrity And Authenticity
• PKC depends on the integrity of each public key and of that public key’s binding to a specific entity, such as a person, an institution or a network component
• Without mechanisms for ensuring integrity and authenticity, a relying party is vulnerable to masquerading attacks through public key substitution

Randomness Of Numbers
• Computers generate PSEUDORANDOM numbers
• For a string of bits to be random, it must be computationally infeasible to predict what the Nth random bit will be
• The challenge is to build random number generators that will not repeat sequences of bits PREDICTABLY often
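An added example (not part of the lecture slides) of the two failure modes named above: a generator whose output repeats after a short cycle, and a token that anyone can regenerate by guessing the seed. The generator parameters, the timestamp seed and all function names are assumptions chosen for illustration.

```python
import random
import secrets

def lcg_stream(seed, a, c, m):
    """Linear congruential generator: x_{n+1} = (a * x_n + c) mod m."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x

def period(seed, a, c, m):
    """Count the outputs in one cycle, i.e. how soon the sequence repeats."""
    first_seen = {}
    for i, x in enumerate(lcg_stream(seed, a, c, m)):
        if x in first_seen:
            return i - first_seen[x]
        first_seen[x] = i

def weak_token(seed):
    """64-bit token from a seeded Mersenne Twister: a pure function of the seed."""
    return format(random.Random(seed).getrandbits(64), "016x")

def seeds_reproducing(token, start, end):
    """Audit helper: every seed in [start, end) that regenerates the token."""
    return [s for s in range(start, end) if weak_token(s) == token]

def strong_token():
    """64-bit token from the operating system's CSPRNG; there is no seed to guess."""
    return secrets.token_hex(8)

# Constructed sample: a token seeded with a Unix timestamp (assumed value).
ISSUED_AT = 1_700_000_137
SAMPLE_TOKEN = weak_token(ISSUED_AT)

if __name__ == "__main__":
    print("well-chosen LCG period:", period(7, 5, 3, 16))   # visits every state
    print("badly chosen LCG period:", period(7, 3, 2, 16))  # stuck on one value
    window = (1_700_000_000, 1_700_000_600)                  # ten-minute window
    print("seeds that rebuild the token:", seeds_reproducing(SAMPLE_TOKEN, *window))
    print("CSPRNG token:", strong_token())
```

A non-empty result from `seeds_reproducing` means the token carries no more secrecy than the seed space searched; keys and session identifiers should come from `secrets` instead.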

Digital Certificates
• An electronic document
  – Similar to a digital signature
• Attaches to a file certifying that the file is from the organisation it claims to be from
  – That is: It has not been modified from the original
PUBLIC KEY MANAGEMENT
CERTIFICATION AUTHORITIES
Agency that manages the issuance of certificates and serves as the electronic notary public to verify their worth and integrity
  – A popup window via the internet may show that the downloaded files come from the purported agency

PKI - DCs Protect Information assets
Digital Certificates protect:
• AUTHENTICATION: Digital Certificates (DCs) permit users to validate the identity of each of the parties in a transaction
• INTEGRITY: DC demonstrates content not altered while being transferred
• CONFIDENTIALITY / PRIVACY: DCs keep data from being intercepted during transmission
• AUTHORISATION: DCs can replace user IDs and passwords
• NONREPUDIATION: DCs can validate actions
Whitman & Mattord, 2003

Gatekeeper® Strategy
• The Government’s Gatekeeper® Strategy is a strategy for the use of Public Key Infrastructures (PKIs) in government.
• PKI is a technology and trust framework which involves the use of digital signature certificates for assuring the identity of certificate holders and the integrity of the online messages they exchange.
• Gatekeeper® is designed to facilitate government online service delivery

PKI, Able to Reassure Customer and Supplier
[Diagram: CLIENT sends a purchase order to SUPPLIER; AUTHENTICATION and Public Key Management through a public key distribution centre (certification authority)]
• PKI mechanism to authenticate ownership (Public and private keys unlock the message)
• Encrypts message: Client uses private key and supplier's public key
• Decrypts message: Supplier uses own private key and client's public key

Benefits of PKI
• Authentication of the parties in a transaction
  – Positive identification of the two parties – verifying their identities
• encrypting the details of the transaction
• guarding against hackers
• offering a legal record of the e-business transactions.
• Consistent interface for administering systems that use PKI
• Provides the basis for trust

Risks of PKI:
• Private keys are maintained by certification authorities, which are trusted to maintain their privacy.
• If these certification authorities themselves are insecure, the confidentiality of the private keys they maintain is at risk.
• Anyone who knows an individual’s private key could act as an imposter.

Risks Cont/d
• Contingency plans must be made for loss of private keys or disruption of service on PKI servers.
• Many organizations lack internal expertise.
• Laws on digital signature vary by country. This is especially important for multinational enterprises.

TRUST MANAGEMENT
HOW CAN I BE SURE THE PUBLIC KEY I AM USING REALLY BELONGS TO THE INTENDED RECIPIENT??

Man In The Middle Attack
A POSSIBLE SCENARIO:
• A third party (attacker) introduces its public key to the sender who is fooled into believing that it is the public key of recipient and vice versa
• CERTIFICATE AUTHORITY (CA)
  – SOLVES THIS PROBLEM

CA
• CA digitally signs a certificate that belongs to the sender and another certificate that belongs to the recipient
• The certificate includes:
  – Name of public key of its owners
• Integrity checked through using CA's public key
• PROBLEM: sender and receiver must belong to the same CA
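An added example (not part of the lecture slides) of the check described on the Integrity And Authenticity, Man In The Middle and CA slides: the sender verifies a CA signature over the name-to-key binding, so a substituted key is rejected, and so is a certificate from a CA the sender does not hold a key for. It uses unpadded textbook RSA with small constructed primes purely for illustration; every name, key and certificate layout here is an assumption.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def toy_keypair(p, q):
    """Textbook RSA from two known primes. Toy-sized and unpadded: illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}

def binding_digest(name, subject_public, modulus):
    """Hash of the (name, public key) binding, reduced to fit the CA modulus."""
    data = repr((name, subject_public["n"], subject_public["e"])).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def issue_certificate(issuer, ca_private, name, subject_public):
    """The CA signs the binding with its private key."""
    digest = binding_digest(name, subject_public, ca_private["n"])
    signature = pow(digest, ca_private["d"], ca_private["n"])
    return {"issuer": issuer, "name": name,
            "public_key": subject_public, "signature": signature}

def verify_certificate(cert, trusted_cas):
    """Relying party checks the binding with the CA public key it already holds."""
    ca_public = trusted_cas.get(cert["issuer"])
    if ca_public is None:
        return "untrusted issuer"
    expected = binding_digest(cert["name"], cert["public_key"], ca_public["n"])
    recovered = pow(cert["signature"], ca_public["e"], ca_public["n"])
    return "ok" if recovered == expected else "bad signature"

# Constructed keys built from Mersenne primes (all values are sample data).
CA_A_PUB, CA_A_PRIV = toy_keypair(2**127 - 1, 2**89 - 1)
CA_B_PUB, CA_B_PRIV = toy_keypair(2**107 - 1, 2**61 - 1)
RECIPIENT_PUB, _ = toy_keypair(2**61 - 1, 2**31 - 1)
THIRD_PARTY_PUB, _ = toy_keypair(2**89 - 1, 2**31 - 1)

SENDER_TRUST = {"CA-A": CA_A_PUB}  # the sender only holds CA-A's public key

GENUINE = issue_certificate("CA-A", CA_A_PRIV, "recipient", RECIPIENT_PUB)
SUBSTITUTED = dict(GENUINE, public_key=THIRD_PARTY_PUB)  # key swapped in transit
OTHER_CA = issue_certificate("CA-B", CA_B_PRIV, "recipient", RECIPIENT_PUB)

if __name__ == "__main__":
    for label, cert in [("genuine", GENUINE), ("key substituted", SUBSTITUTED),
                        ("issued by another CA", OTHER_CA)]:
        print(f"{label:22s} -> {verify_certificate(cert, SENDER_TRUST)}")
```

The third case is the slide's PROBLEM: a perfectly valid certificate is unusable until the sender obtains CA-B's public key through some trusted route.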

SECURE SOCKETS LAYER (SSL)
• WHAT IS SSL?
• How does it work?
• What are some of its advantages/disadvantages?

SSL
• The most common use of SSL is in protecting HTTP communications. For example, any URL beginning with https:// indicates the use of HTTP protected by SSL.
• SSL provides a range of security services for client/server sessions, including:
  – Server authentication
  – Client authentication
  – Integrity
  – confidentiality

Secure Transport of data - Integrity/confidentiality
• Of primary consideration is the demand for secure transport of data across the Internet
• Many online businesses use SSL or TLS (Transport Layer Security) to provide end to end encryption to protect internet transactions between client and web server
  – Integrity:
    • Data items transferred are protected against attempts to modify data.
  – Confidentiality:
    • Users are assured that no unauthorised entity has access to the information being shared at the Web site.
    • This protects sensitive information such as account numbers or credit card numbers against eavesdroppers

SSL
Addresses many (NOT ALL) security concerns when sharing private or confidential information via the internet
• Designed for client/server applications
• Prevent unwanted tampering of data transmission through:
  – Eavesdropping
  – Data alteration
  – Message forgery
• GOALS
  – Ensure privacy and reliability of communication between two applications

SSL HANDSHAKE PROTOCOL
SSL provides a protocol by which all information sent by the server and the client during a session is encrypted. For example:
1. When a client makes a request over HTTPS (hypertext transfer protocol) to a server, the server’s public key is sent to the browser
2. The browser uses this key to encrypt the information before it leaves the client.
  – Authenticates the server to a software-based client (i.e. web browser)
  – Enables it to decide upon an encryption algorithm and cryptographic KEYS BEFORE a higher-level protocol sends or receives data
  – Relies on a six-step handshaking approach between parties (see page 207, Merkow)

SSL Handshake protocol Cont/d
• Browser lets you know when the session is ready for secure communication by displaying a closed padlock
• SSL must be selectively used by the Web client and server in order to invoke the protocol
• BENEFIT
  – Allows higher level protocols to sit on top of it and communicates with them without dictating a specific application protocol

Secure Site: Virgin Blue Credit Card – SSL – Microsoft Internet Explorer
“How we (Virgin) ensure your protection”
Because your privacy is our priority we make sure that the personal information you submit to us online remains strictly confidential.
We ensure your protection with Secure Sockets Layer (SSL) which scrambles your data, so that it is unreadable by third parties. It does this by:
1. Server authentication. The web server sends a digital certificate to your computer so that you can be sure of its identity.
2. Client authentication. Your computer in turn authenticates itself to the server by showing its digital signature.
3. Encryption connection. During the Internet connection, data is encrypted (i.e. scrambled) so that only your computer and the web server can understand the contents. This prevents other Internet users from intercepting the information sent between you and the web server.

TO USE SSL
SSL uses DIGITAL CERTIFICATES
  – obtain and install certificate from a CA (certificate authority)
    – VeriSign
    – Internal Windows 2000 certificate server
• A stream of data (thousands of bytes long)
• Encodes the user’s public key
• Endorsed by a Certificate Authority (CA)
• CA verifies the server being visited is indeed the server it says it is (A TRUSTED SOURCE)
• Hold both private and public encryption key
  – Public and private: asymmetric keys; whatever the private key encrypts, the public key decrypts

http://www.verisign.com.au/gatekeeper/faqs/general.shtml

Problems (Merkow p209)
MANY AND VARIED:
• Encrypted SSL communications do not compress, slowing their transmission through devices such as modems
• International export restrictions cause complications
• Security expertise is needed to recognise and manage “good” certificates
However:
• It is well understood
• Inexpensive and relatively well supported in organisations and relatively safe

REWRITE VICTIM'S URL (Universal Resource Locator)
[Diagram: Victim's browser, Attacker and Web server, with numbered message flows]
1. Request spoofed URL
2. Request original URL
3. Original page contents
5. Spoofed page contents
Without the victim knowing, the attacker may obtain the victim’s bank account number and password or stock market information

SSL offers no help
Even though the victim may establish an SSL connection to the attacker:
• If the victim does not check the SSL certificate's ownership carefully, they may believe that a secure connection with the real server has been established
• Fake certificates can look very similar to the real ones
• Perhaps containing misspelled names that are often difficult to notice
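An added example (not part of the lecture slides) that automates the ownership check the slide asks of the user: compare the names in a presented certificate with the site the user meant to reach, and flag names that differ by only a character or two. The certificate dictionaries follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the host names, the edit-distance threshold and the function names are assumptions.

```python
def _labels(name):
    """Lower-case DNS labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def name_matches(pattern, hostname):
    """Exact match, or a '*' that stands for exactly one left-most label."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def cert_dns_names(cert):
    """DNS names from a dict shaped like getpeercert() output."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def classify(cert, intended_host, max_distance=2):
    """Return 'match', 'lookalike: <names>' or 'mismatch' for the intended site."""
    names = cert_dns_names(cert)
    if any(name_matches(n, intended_host) for n in names):
        return "match"
    near = [n for n in names
            if 0 < edit_distance(n.lower(), intended_host.lower()) <= max_distance]
    return "lookalike: " + ", ".join(near) if near else "mismatch"

# Constructed certificates; .test is a reserved top-level domain.
INTENDED = "www.examplebank.test"
GENUINE_CERT = {"subjectAltName": (("DNS", "www.examplebank.test"),
                                   ("DNS", "examplebank.test"))}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.examplebank.test"),)}
LOOKALIKE_CERT = {"subjectAltName": (("DNS", "www.examp1ebank.test"),)}
UNRELATED_CERT = {"subjectAltName": (("DNS", "www.other.test"),)}

if __name__ == "__main__":
    for label, cert in [("genuine", GENUINE_CERT), ("wildcard", WILDCARD_CERT),
                        ("misspelled", LOOKALIKE_CERT), ("unrelated", UNRELATED_CERT)]:
        print(f"{label:10s} -> {classify(cert, INTENDED)}")
```

A TLS client validates the certificate against the host it was told to connect to, so a certificate genuinely issued for the misspelled name passes that check; the comparison above is against the name the user intended, which is what the slide says the victim fails to do.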

Secure Networking (VPNs)
• Virtual private networks (VPNs)
  – advanced encryption technologies
  – enable businesses to establish secure private connections between corporate networks and third-party networks such as the Internet.
• VPNs allow mobile workers and businesses with multiple office sites to communicate securely at high speeds.
  – offer one of the highest levels of network and Internet security,
  – an expensive solution for smaller businesses.

Pretty Good Privacy (PGP)
Secure personal connection
  – a popular security option for individuals.
• uses public key encryption.
• unlike PKI, it allows users to generate their own public and private keys.
  – cheaper and easier to implement, but
  – does not offer the same reassurance as a certificate issued by an independent third party.

Protecting your organisation from cyber crime
http://www.niksun.com/documents/NetDetector_NIFS.pdf
[Diagram: measures surrounding ASSETS]
• Review and update security measures and controls
• Security audit
• Security policy
• Security aware culture
• Consider all security options
• Use Australian Government Evaluated Products (EPL)
• Crisis management plan
• Business case developed
• Outsource IS Security
• Honeynet/Honeypot
  – http://www.honeynet.org/papers/honeynet/
  – http://www.honeynet.org/papers/profiles/cc-fraud.pdf

CONCLUSION
• Although it is possible for a Web client to strongly authenticate a Web server and communicate privately with it (using SSL and certificates)
  – See: www.verisign.com, belsign.com and Thawte.com
• Not all security problems are solved
• REASON:
  – Access control management
    • Only really efficient for a small number of client server relationships
    • Requires security expertise to recognise and manage “good” certificates

REVIEW
• WHAT METHODS CAN ORGANISATIONS ADOPT TO SAFEGUARD AGAINST DDoS ATTACKS
• DESCRIBE HOW DDoS ATTACKS OPERATE
• WHAT OTHER PROBLEMS DOES INTERNET POSE FOR USERS

REFERENCES
• Hassler, V. (2001). Security Fundamentals for E-Commerce. London: Artech House.
• Levy, S. (1984). Hackers: Heroes of the computer revolution. Garden City, NY: Anchor Press/Doubleday.
• Merkow, M. S. & Breithaupt. (2002). Internet the complete guide to security.
• Stoll, C. (1989). The Cuckoo’s Egg: Tracking a Spy Through the Maze of computer espionage. New York: Doubleday.
• Tipton, H.F. & Krause, M. (2002). Information security management: Handbook. London: Auerbach Publications.
• http://webct.monash.edu.au/SCRIPT/IMS5002_S1_2004/scripts/serve_home
• http://www.govonline.gov.au/projects/confidence/Securing/FAQs.htm#13
• http://security2.gartner.com/section.php.id.37.s.1.jsp