Internet Security UTD EMBA March 30, 2001
Transcript of Internet Security UTD EMBA March 30, 2001
Internet Security, UTD EMBA
March 30, 2001
iSecuritas, Inc.: secure authenticated data exchange
iSecuritas, Inc. Confidential
Who were the first "hackers"?
• MIT's Tech Model Railroad Club
• PDP-1
• 1961
You know your co-worker is a hacker when...
• Everyone who ticks him or her off gets a $26,000 phone bill
• Has won the Publisher's Clearing House Sweepstakes three years running
• Massive 401k contribution made in half-cent increments
• You hear them murmur, "Let's see you use that VISA card now, Professor 'I-Don't-Give-A's-To Any MBA Candidate'!"
How Secure is e-Business?
• Security attacks cost U.S. corporations $266 million last year. That's more than double the average annual losses over the past three years.
• Cyber-crimes being investigated by the FBI have more than doubled in the past year.
• In 1999, the number soared to over 8,300 according to reports filed with the Computer Emergency Response Team, or CERT, at Carnegie Mellon University in Pittsburgh.
• 90 percent of survey respondents (primarily large corporations and government agencies) detected some form of security breach last year.
• 70 percent of respondents reported a serious security breach in the past year (i.e. financial fraud, denial of service attacks and data theft).
According to a report recently released by the Computer Security Institute and the FBI Computer Intrusion Squad.
Categories of Internet Security
• Website Security
• Email Security
• Authentication
All Systems are Breakable!
Website Security
• Prevent Unauthorized Access to Website
  – Manipulation of Website Information
  – Protection of Proprietary Data
    • Credit Card Numbers
    • Confidential Customer Data
    • Financial Information
Website Security
Website Security can be achieved by:
• Firewalls
• Software & System Architecture
• Security Procedures
In God We Trust….
All Others We Monitor
Email Security
Case Studies:
• International Satellite Company
• International Restaurant Company
• Your Company?
Email Security
Email Security can be achieved with:
• Encryption Software
  – PGP, RSA, etc.
• ASP Based Secure Messaging
  – iSecuritas
Authentication
E-Sign Law
New Law for E-Signatures
• Electronic Signatures in Global and National Commerce Act
• Effective October 1, 2000
• Nationwide Legality of Digital Signatures
• Agnostic about Implementation of e-Signatures
• Electronic Notarizations
• Opportunity to marry e-commerce with an official, regulated way of confirming identity
• Reduces Fraud possible with Paper-Based Notaries
Authentication
Problem – Identity Theft
• Fastest Growing Financial Crime
  » Industry Standard – August 21, 2000
• Theft of:
  • Social Security Numbers
  • Drivers License Numbers
  • Mothers’ Maiden Names
• $1 Billion Problem?
Authentication
Problem – Identity Theft: Abraham Abdallah
“a pudgy, convicted swindler and high school dropout”, NY Post, March 20, 2001
Nyquist vs. E*Trade
[Buckman, "Heavy Losses: The Rise and Collapse of a Day Trader," Wall Street Journal, Feb. 28, 2000]
Authentication
Solutions (?)
• Credit Card Transactions
• Digital Certificates
• Authentication Services
iSecuritas & MBE
Example 1: A CA Needs to Issue a Legally Binding Certificate
1) User requests certificate from CA’s web site.
2) CA web site submits request to IS.
3) IS sends e-mail to signer.
4) Signer visits notary.
5) Notary ID’s signer, fetches documents from IS, witnesses signing act.
6) Notary D-signs documents and statements, then forwards to IS.
7) IS applies 3rd party timestamp.
8) IS notifies CA.
9) CA fetches signed document(s) from IS.
10) CA releases certificate and notifies user.
Example 2: A Corporate Banker Needs a Notarized Signature
1) Banker submits a signature request to his company’s mainframe.
2) Mainframe submits request to IS.
3) IS sends e-mail to signer.
4) Signer visits notary.
5) Notary ID’s signer, and fetches documents from IS.
6) Notary D-signs documents and statements, then forwards to IS.
7) IS applies 3rd party timestamp.
8) IS notifies banker.
9) Banker fetches signed document(s) from IS.
Example 3: A Distributor Needs a Digital Signature on a PO
1) User requests PO on distributor’s web site.
2) Web site submits request to IS.
3) IS sends e-mail to signer.
4) User fetches PO.
5) User fills out and D-Signs PO with notarized certificate, sends signed PO to IS.
6) IS applies 3rd party timestamp.
7) IS notifies Distributor.
8) Distributor fetches signed PO from IS.
9) Signed PO sent to account rep, billing, shipping, etc.
Encrypting with X.509
Bank wants to send Lawyer a secret message, but must do so on the public internet.
Lawyer gives Bank their certificate.
Bank verifies the certificate with the CA.
Bank uses the public key from Lawyer’s certificate, and a secret message to Lawyer, as input to an encryption engine, to produce what looks like gibberish.
But Lawyer uses the gibberish and their private key as input to a decryption engine to find out what Bank had to say.
Signing with X.509
Lawyer wants proof that Bank wrote the message.
Bank uses their gibberish as input to a hash engine to produce a hash (signature), uses this hash and their private key as input to an encryption engine, and adds the encrypted hash to their gibberish.
Lawyer uses the gibberish (not the hash) as input to a hash engine to produce a hash.
Then Lawyer takes Bank’s encrypted hash and Bank’s public key as input to a decryption engine to produce a hash. If both hashes match, then Lawyer knows that Bank signed the message.
X.509 Receipt
Bank wants proof that Lawyer saw the message on the Internet; Lawyer must prove it.
Lawyer uses Bank’s message as input to a hash engine to produce a hash, and uses this hash and their private key as input to an encryption engine to produce an encrypted hash (signature).
Bank uses the signature and Lawyer’s public key as input to a decryption engine to produce a hash.
Bank uses his original message as input to a hash engine to produce a hash; if the hashes match, we have a valid signature.
Obtaining an X.509 Certificate
Use a random number to generate HUGE prime numbers and then create a key pair.
Encrypt the private key with a GOOD password that you have memorized, and then store it away some place safe.
Use the public key and various bits of identifying data (Name, E-Mail, Address, Etc.) to construct a certificate request, and send it to the Certificate Authority. They will investigate your identity to varying degrees, create a certificate that includes a hash encrypted with their private key, and then send you a copy as well as making it a public record.
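The three X.509 slides and the certificate slide above all reuse one key pair, one hash engine and one encryption engine, just pointed in different directions. As an added illustration (not iSecuritas code, and not how a production X.509 library is built), the Python below runs those flows with textbook RSA made from only hashlib and random: random large primes make each key pair, a CA signs a certificate body, Bank verifies Lawyer's certificate and encrypts to the public key in it, Bank signs the gibberish and Lawyer checks the signature, Lawyer returns a signed receipt, and a certificate whose subject was altered fails the CA check. The names Bank, Lawyer and CA, the message, the seed and the certificate layout are all constructed for the example.

```python
"""Added example (not iSecuritas code): the slides' X.509 flows in textbook RSA
with only hashlib and random.  Textbook RSA (no OAEP/PSS padding, no DER) keeps
the slides' 'hash engine / encryption engine' model; real systems use a vetted
library.  Names, messages, seed and certificate layout are made up."""
import hashlib
import random

def is_probable_prime(n, rounds=32, rng=random):
    """Miller-Rabin primality test (probabilistic; 32 rounds is plenty here)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    """'Use a random number to generate HUGE prime numbers' (top and low bits forced on)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand

def generate_keypair(bits=512, rng=None):
    """Returns ((e, n), (d, n)): the public key and the private key."""
    rng = random.SystemRandom() if rng is None else rng   # real keys need real entropy
    e = 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)

def digest(data):
    """The slides' 'hash engine': SHA-256 as an integer (always below a 512-bit modulus)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private_key, message):
    """Hash, then 'encrypt' the hash with the private key (unpadded textbook RSA)."""
    d, n = private_key
    return pow(digest(message), d, n)

def verify(public_key, message, signature):
    """'Decrypt' the signature with the public key; the two hashes must match."""
    e, n = public_key
    return pow(signature, e, n) == digest(message)

def encrypt(public_key, message):
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("too long for raw RSA; real systems encrypt a session key instead")
    return pow(m, e, n)

def decrypt(private_key, ciphertext):
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def cert_body(subject, public_key):
    # Canonical bytes the CA signs; a stand-in for the DER-encoded certificate.
    return f"subject={subject};e={public_key[0]};n={public_key[1]}".encode()

def issue_certificate(ca_private, subject, public_key):
    """CA 'creates a certificate that includes a hash encrypted with their private key'."""
    return {"subject": subject, "public_key": public_key,
            "ca_signature": sign(ca_private, cert_body(subject, public_key))}

def verify_certificate(ca_public, cert):
    return verify(ca_public, cert_body(cert["subject"], cert["public_key"]), cert["ca_signature"])

def run_exchange(seed=2001):
    rng = random.Random(seed)   # seeded only so the walkthrough repeats; never for real keys
    ca_pub, ca_priv = generate_keypair(512, rng)
    bank_pub, bank_priv = generate_keypair(512, rng)
    lawyer_pub, lawyer_priv = generate_keypair(512, rng)
    bank_cert = issue_certificate(ca_priv, "Bank", bank_pub)
    lawyer_cert = issue_certificate(ca_priv, "Lawyer", lawyer_pub)
    r = {"lawyer_cert_ok": verify_certificate(ca_pub, lawyer_cert)}   # Bank checks with the CA
    secret = b"Wire the escrow funds at noon"                           # constructed message
    gibberish = encrypt(lawyer_cert["public_key"], secret)              # Encrypting with X.509
    r["decrypted"] = decrypt(lawyer_priv, gibberish)
    wire = gibberish.to_bytes(64, "big")
    signature = sign(bank_priv, wire)                                   # Signing with X.509
    r["signature_ok"] = verify(bank_cert["public_key"], wire, signature)
    tampered = (gibberish ^ 1).to_bytes(64, "big")                      # one bit flipped in transit
    r["tampered_rejected"] = not verify(bank_cert["public_key"], tampered, signature)
    receipt = sign(lawyer_priv, secret)                                 # X.509 Receipt
    r["receipt_ok"] = verify(lawyer_pub, secret, receipt)
    impostor = dict(bank_cert, subject="Bank (impostor)")               # altered cert fails CA check
    r["impostor_cert_rejected"] = not verify_certificate(ca_pub, impostor)
    return r
```

Two things worth taking from the walkthrough: the slides' "encrypt the hash with the private key" is the textbook picture, and real signatures and encryption add padding (PSS, OAEP) and encrypt a session key rather than the message itself when the message is longer than the modulus; and the only reason Bank can trust the public key it encrypts to is the CA's signature over the certificate, which is why each flow starts by verifying the certificate and why the altered certificate in `run_exchange` is rejected.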