CSE 4482 2012 - Session 5 1 “The advance of technology is based on making it fit in so that you don't really even notice it, so it's part of everyday life.” – Bill Gates

Upload: hannah-johns

Post on 12-Jan-2016


• What would we do without the Internet?

• As we can’t seem to resist the Web.

• There is so much we can see.

• Is 640k really enough for anybody?

• Everything seems so easy to get.

• But you could be part of a denial-of-service attack.

• Many doors will open without a key.

• We should give respect to intellectual property.


• Learn to spot the good from the bad.

• So you won’t fall for ID theft.

• Take good care of your identity.

• So you won’t lose privacy.

Internet Infrastructure

• Web server and webmaster

• Firewall

• Internet service provider


Internet Infrastructure

• Domain name server – translates a domain name to an Internet Protocol (IP) address, e.g., 142.142.153.157; the maximum is 255.255.255.255; a range of 2 billion addresses. The new range will increase this by more than 100 times.

• Routers

• Application server

• Database server


Internet Infrastructure

• Web hosting software

• Web site management system to keep track of visits and user pattern

• Network operating system

• Infrastructure needs to be protected.


Comparison of Network Models


Internet’s Hierarchical Structure

• National Internet Service Providers (ISPs)
  – Provide services to their customers and sell access to regional ISPs and local ISPs

• Regional ISPs
  – Connect with National ISPs
  – Provide services to their customers and sell access to local ISPs

• Local ISPs
  – Connected to National or Regional ISPs
  – Sell access to individuals


Basic Internet Architecture


Types of Addresses

Address Type        Example        Example Address                Analogy
Application Layer   URL            www.manhattan.edu              Name
Network Layer       IP address     149.61.10.22 (4 bytes)         Street #
Data Link Layer     MAC address    00-0C-00-F5-03-5A (6 bytes)    Apt #


Assignment of Addresses

• Application Layer address (URL)
  – For servers only (clients don’t need it)
  – Assigned by network managers and placed in configuration files.
  – Some servers may have several application layer addresses

• Network Layer Address (IP address)
  – Assigned by network managers, or by programs such as DHCP, and placed in configuration files
  – Every network on the Internet is assigned a range of possible IP addresses for use on its network

• Data Link Layer Address (MAC address)
  – Unique hardware addresses placed on network interface cards by their manufacturers (based on a standardized scheme)

• Servers have permanent addresses, clients usually do not


Internet Addresses

• Managed by ICANN
  – Internet Corporation for Assigned Names and Numbers
  – Manages the assignment of both IP and application layer name space (domain names)
    • Both assigned at the same time and in groups
    • Manages some domains directly (e.g., .com, .org, .net) and
    • Authorizes private companies to become domain name registrars as well


Address Resolution

• Server Name Resolution
  – Translating destination host’s domain name to its corresponding IP address
  – www.yahoo.com is resolved to 204.71.200.74
  – Uses one or more Domain Name Service (DNS) servers to resolve the address


DNS - Domain Name Service

• Used to determine IP address for a given URL

• Provided through a group of name servers
  – Databases containing directories of domain names and their corresponding IP addresses

• Large organizations maintain their own name servers
  – Smaller organizations rely on name servers provided by their ISPs

• When a domain name is registered, IP address of the DNS server must be provided to registrar for all URLs in this domain
  – Example: Domain name: ontario.ca; URLs: www.ontario.ca


How DNS Works

• Desired URL in client’s address table:
  – Use the corresponding IP address
  – Each client maintains a server address table
    • containing URLs used and corresponding IP addresses

• Desired URL not in client’s address table:
  – Use DNS to resolve the address
  – Sends a DNS request packet to its local DNS server
  – URL in Local DNS server
    • Responds by sending a DNS response packet back to the client


How DNS Works (Cont.)

• URL NOT in Local DNS server
  – Sends DNS request packet to the next highest name server in the DNS hierarchy
  – Usually the DNS server at the top level domain (such as the DNS server for all .edu domains)
  – URL NOT in the name server
    • Sends DNS request packet ahead to name server at the next lower level of the DNS hierarchy


How DNS Works

If client at Toronto asks for a web page on Indiana University’s server:

[Figure: a client computer and DNS server on the University of Toronto LAN, the root DNS server for the .EDU domain, and a DNS server on the Indiana University LAN, connected through the Internet, with DNS requests and DNS responses passing between them.]


MAC Address Resolution

• Problem:
  – Unknown MAC address of the next node (whose IP address is known)

• Solution:
  – Uses Address Resolution Protocol (ARP)

• Operation
  – Broadcast an ARP message to all nodes on a LAN asking which node has a certain IP address
  – Host with that IP address then responds by sending back its MAC address
  – Store this MAC address in its address table
  – Send the message to the destination node
  – Example of a MAC address: 00-0C-00-F5-03-5A


Routing

• Process of identifying what path to have a packet take through a network from sender to receiver

• Routing Tables
  – Used to make routing decisions
  – Shows which path to send packets on to reach a given destination
  – Kept by computers making routing decisions

• Routers
  – Special purpose devices used to handle routing decisions on the Internet
  – Maintain their own routing tables


Routing Example

Routing Table for A

Dest.   Next
B       B
C       B
D       D
E       D
F       D
G       B

Possible paths from A to G:
• ABCG
• ABEFCG
• ADEFCG
• ADEBCG

Each node has its own routing table


Types of Routing

• Centralized routing
  – Decisions made by one central computer
  – Used on small, mainframe-based networks

• Decentralized routing
  – Decisions made by each node independently of one another
  – Information needs to be exchanged to prepare routing tables


Sending Messages using TCP/IP

• Required Network layer addressing information
  – Computer’s own IP address
  – Its subnet mask
    • To determine what addresses are part of its subnet
  – Local DNS server’s IP address
    • To translate URLs into IP addresses
  – IP address of the router (gateway) on its subnet
    • To route messages going outside of its subnet

• Obtained from a configuration file or provided by a DHCP server
  – Servers also need to know their own application layer addresses (domain names)


TCP/IP Configuration Information


TCP/IP Network Example


Case 1a: Known Address, Same Subnet

• Case:
  – A Client (128.192.98.130) requests a Web page from a server (www1.anyorg.com)
  – Client knows the server’s IP and Ethernet addresses

• Operations (performed by the client)
  – Prepare HTTP packet and send it to TCP
  – Place HTTP packet into a TCP packet and send it to IP
  – Place TCP packet into an IP packet, add destination IP address, 128.192.98.53
  – Use its subnet mask to see that the destination is on the same subnet as itself
  – Add server’s Ethernet address into its destination address field, and send the frame to the Web server


Case 1b: HTTP response to client

• Operations (performed by the server)
  – Receive Ethernet frame, perform error checking and send back an ACK
  – Process incoming frame successively up the layers (data link, network, transport and application) until the HTTP request emerges
  – Process HTTP request and send back an HTTP response (with requested Web page)
  – Process outgoing HTTP response successively down the layers until an Ethernet frame is created
  – Send Ethernet frame to the client

• Operations (performed by the client)
  – Receive Ethernet frame and process it successively up the layers until the HTTP response emerges at browser


Case 2: Known Address, Different Subnet

• Similar to Case 1a

• Differences
  – Use subnet mask to determine that the destination is NOT on the same subnet
  – Send outgoing frames to the local subnet’s GW
  – Local gateway operations
    • Receive the frame and remove the Ethernet header
    • Determine the next node (via Router Table)
    • Make a new frame and send it to the destination GW
  – Destination gateway operations
    • Remove the header, determine the destination (by destination IP address)
    • Place the IP packet in a new Ethernet frame and send it to its final destination.


Case 3: Unknown Address

• Operations (by the host)
  – Determine the destination IP address
    • Send a UDP packet to the local DNS server
    • Local DNS server knows the destination host’s IP address
      – Sends a DNS response back to the sending host
    • Local DNS server does not know the destination IP address
      – Send a second UDP packet to the next highest DNS host, and so on, until the destination host’s IP address is determined
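
The three cases above come down to one decision procedure on the sending host. The sketch below is an added example, not part of the original slides: the client and server IP addresses are the ones on the slides, while the subnet mask, the gateway address, the second server and the MAC address assignments are assumptions constructed for illustration.

```python
import ipaddress

# Constructed host configuration. The client and server IP addresses come from
# the slides; the subnet mask, gateway, second server and the assignment of
# MAC addresses are assumptions made up for this example.
HOST_IP = "128.192.98.130"
SUBNET_MASK = "255.255.255.0"
GATEWAY_IP = "128.192.98.1"

ARP_TABLE = {                       # IP address -> MAC address learned via ARP
    "128.192.98.53": "00-0C-00-F5-03-5A",
    "128.192.98.1": "00-0C-00-33-3A-0B",
}
DNS_RECORDS = {                     # what the local DNS server would answer
    "www1.anyorg.com": "128.192.98.53",
    "www2.anyorg.com": "128.192.95.30",
}


def same_subnet(ip_a, ip_b, mask):
    """AND both addresses with the mask; equal results mean the same subnet."""
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(ip_a)) & m) == (int(ipaddress.IPv4Address(ip_b)) & m)


def plan_delivery(name, address_table, dns=DNS_RECORDS, arp=ARP_TABLE):
    """Decide how the client sends one message to the server called `name`.

    Returns the resolution step used, the destination IP placed in the IP
    packet, the next hop, and the MAC address placed in the Ethernet frame.
    """
    if name in address_table:               # Cases 1 and 2: address already known
        dest_ip, lookup = address_table[name], "address table"
    else:                                   # Case 3: ask the local DNS server
        if name not in dns:
            raise LookupError(f"DNS could not resolve {name}")
        dest_ip, lookup = dns[name], "DNS"
        address_table[name] = dest_ip       # remember the answer for next time

    if same_subnet(HOST_IP, dest_ip, SUBNET_MASK):
        next_hop = dest_ip                  # Case 1a: frame goes straight to the server
    else:
        next_hop = GATEWAY_IP               # Case 2: frame goes to the local gateway

    # The IP packet always carries the final destination; only the frame's
    # destination MAC changes. A missing entry means an ARP broadcast is needed.
    return {
        "lookup": lookup,
        "dest_ip": dest_ip,
        "next_hop": next_hop,
        "frame_mac": arp.get(next_hop, "ARP broadcast needed"),
    }


if __name__ == "__main__":
    table = {"www1.anyorg.com": "128.192.98.53"}
    for host in ("www1.anyorg.com", "www2.anyorg.com", "www2.anyorg.com"):
        print(host, plan_delivery(host, table))
```

The host uses whatever address the table or the DNS answer supplies without further checks, which is why a changed DNS record redirects traffic without any error appearing on the client.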


TCP Connections

• Before any data packet is sent, a connection is established
  – Use SYN packet to establish connection
  – Use FIN packet to close the connection

• Handling of HTTP packets
  – Old version:
    • A separate TCP connection for each HTTP Request
  – New version:
    • Open a connection when a request (first HTTP Request) is sent to the server
    • Leave the connection open for all subsequent HTTP requests to the same server
    • Close the connection when the session ends


TCP/IP and Layers

• Host Computers
  – Packets move through all layers

• Gateways, Routers
  – Packet moves from Physical layer to Data Link Layer through the Network Layer

• At each stop along the way
  – The Ethernet packet is removed and a new one is created for the next node


Message Moving Through Layers


DNS Attacks

• Substituting a valid IP address with a hacker’s IP address.

• Removing IP address thus causing an attempted connection to a web site to fail.

• Bringing down the DNS so that outgoing surfing is stopped.


Risk Implications

• Inherent risk? – Increases because of the new way of doing business; the new way is more complicated.

• Control risk? – Increases because some control functions are carried out by external parties like customers, suppliers and ISPs. Can go down because more controls are automated.

• Detection risk? – Increases because more audit evidence is in electronic form and therefore less obvious and certain.


Risk Implications

• Non-occurrence of transactions – High because of open access.

• Incomplete processing – moderate because of real-time processing, but delivery may not be complete.

• Unauthorized transaction – high because of open access.


Risk Implications

• Inaccurate processing – high because customers are not trained and because of complexity.

• Untimely processing – moderate, similar to risk of incompleteness, but delivery may be late.

• Inefficiency – Low risk, because of computer power vs human power.

• Should also relate to the 5 system components: infrastructure, software, people, procedures and information.


Domain Name Server (DNS) Risks

• DNS is a common target for hackers.

• A hacker can change the translation table and therefore direct users to hacker sites resulting in unauthorized transactions.

• A hacker can bring down a DNS.

• Which of these is of more concern to management, to the external auditors?


Internet Security Measures

• Boundary checking – against buffer overflow

• Digital certificate

• Digital signature

• Encryption

• Firewall


Internet Security Measures

• Intrusion prevention system

• Online backup

• Redundant communication lines

• Redundant servers

• Web site refreshment – to nullify defacement.


Using Redundant Hardware

• A key principle in preventing disruption, destruction and disaster

• Examples of components that provide redundancy
  – Uninterruptible power supplies (UPS)
    • A separate battery powered power supply
    • Can supply power for minutes or even hours
    • Some run on generators.
  – Fault-tolerant servers (with redundant components)
  – Disk mirroring
    • A redundant second disk for every disk on the server
    • All data on the primary disk is duplicated on the mirror
  – Disk duplexing (redundant disk controllers), more reliable.

• Can apply to other network components as well
  – Circuits, routers, client computers, etc.


Preventing Computer Viruses

• Viruses spread when infected files are accessed
  – Macro viruses attach themselves to other programs (documents) and spread when the programs are executed (the files are opened)

• Worms
  – Special type of virus that spreads itself without human intervention (sends copies of itself from computer to computer)

• Anti-virus software packages check disks and files to ensure that they are virus-free

• Incoming e-mail messages are the most common source of viruses
  – Check attachments to e-mails, use filtering programs to ‘clean’ incoming e-mail


Securing Network Perimeter

• Basic access points into a network
  – LANs inside the organization
  – Dial-up access through a modem
  – Internet (most attacks come in this way)

• Basic elements in preventing access
  – Physical Security
  – Dial-in security
  – Firewalls


Personnel Matters

• Also important to
  – Provide proper security education
  – Perform background checks
  – Implement error and fraud controls

• Reduces the possibility of attackers posing as employees
  – Example: Become employed as janitor and use various listening devices/computers to access the network

• Areas vulnerable to this type of access:
  – Network Cabling
  – Network Devices


Securing Network Devices

• Should be secured in locked wiring closets
  – More vulnerable: LAN devices (controllers, hubs, bridges, routers, etc.)
    • A sniffer (LAN listening device) can be easily hooked up to these devices

• Use secure hubs: require a special code before new computers are connected


Security Holes

• Made by flaws in network software that permit unintended access to the network
  – A bug that permits unauthorized access
  – Operating systems often contain security holes
  – Details can be highly technical

• Once discovered, knowledge about the security hole is quickly circulated on the Internet
  – A race can then begin between
    • Hackers attempting to break into networks through the security hole and
    • Security teams working to produce a patch to eliminate the security hole
  – CERT: major clearing house for Internet related holes


Trojan Horses

• Remote access management that enables users to access a computer and manage it from afar

• More often concealed in other software that is downloaded over Internet
  – Common carriers: Music and video files shared on Internet sites

• Undetected by even the best antivirus software

• Major Trojans
  – Back Orifice: attacked Windows servers
    • Gave the attacker the same rights as the administrator
  – Morphed into tools such as MoSucker and Optix Pro
    • Powerful and easy to use


AIS, 2012 47

Symmetric Key Encryption

• The same key is used to decrypt and encrypt

• Simple to encrypt and decrypt

• Large number of keys required for one-on-one secret communication

• Number of keys for N people is N(N-1)/2

• Need to secure the key

• Use of the key should require a passphrase.


Application of Encryption

• eBusiness

• Virtual private network

• eMail

• Stored data

• Digital signature

• Wireless network


Asymmetric Encryption

• A pair of keys is generated by a user: a private key and a corresponding public key.

• The public key can be disclosed. The private key is secured.

• People can use the public key to encrypt material.

• Use of private key should require a passphrase.


Asymmetric Encryption

• The corresponding private key is needed to decrypt.

• The 2 keys cannot be reengineered, i.e., you cannot use the public key to derive the private key.

• Longer keys than symmetric and therefore a longer process to encrypt and decrypt. Longer keys required to prevent reverse engineering.


Asymmetric Encryption

• Needed for email encryption.

• Used for e-commerce, digital certificates and digital signatures.

• Number of keys for N users is 2N.


Encryption and Public Key Infrastructure

• Digital signature:
  • A digital code attached to an electronically transmitted message that is used to verify the origin and contents of a message

• Digital certificates:
  • Data files used to establish the identity of users and electronic assets for protection of online transactions.


Public Key Infrastructure

• A set of policies, procedures and servers used to operate a public key environment.

• There is a public key server that holds everybody’s public key for retrieval by programs that use encryption.

• There are servers used to authenticate users that activate private keys.


Limitation of Encryption

• If key is lost, data cannot be decrypted.

• Rogue parties can delete an encrypted file without knowing the key; therefore access control list is important.

• Encrypted email attachments are generally deleted by the anti-virus program.


Digital Signature

• A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and to ensure that the original content of the message or document that has been sent is unchanged.


Digital Signature

• The sender uses an algorithm to compute a hash (garbled digest) of the document

• Sender uses its private key to encrypt the hash.

• Recipient uses same algorithm to hash the plain text document when received.

• Recipient uses the public key to decrypt the digital signature and compare to the hash the recipient created, to confirm integrity.


Digital Certificate

• An electronic business card that establishes your credentials when doing business or other transactions on the Web.

• It is issued and digitally signed by a certification authority. It contains your name, a serial number, expiration dates, the certificate authority’s name and public key, and your public key.

• People can use the certificate authority’s public key to verify the signature.


Certificate Authority

• An organization that issues digital certificates to companies and individuals

• An organization can issue digital certificates to its own customers or employees to authenticate local transactions

• The certificate authority will do due diligence to confirm the existence and authenticity of the party before issuing a certificate.


eBusiness Encryption

• Uses both symmetric keys and asymmetric keys

• Uses the Secure Socket Layer (SSL) protocol

• Enforced by the merchant

• Merchant sends its certificate and public key to the browser


eBusiness Encryption

• Browser generates a symmetric key

• Browser encrypts the symmetric key with the merchant’s public key

• Browser authenticates the digital certificate

• Encrypted symmetric key is sent to merchant


eBusiness Encryption

• Merchant decrypts the symmetric key with its private key

• The symmetric key is used for all subsequent transfer of information between the 2 parties until the user logs off.


Secure Electronic Transaction

• Some financial institutions have adopted SET to prevent merchants from seeing the credit card numbers and prevent the financial institution from viewing the purchase detail.

• This requires a digital certificate to be issued to the merchant and customer.


SET

1. A customer receives a “personal” digital certificate from the credit card issuing financial institution or an ePayment vendor like Paypal.

2. When the customer buys something on a web site, s/he sends his or her digital cert to the merchant, which sends it to the financial institution. S/he also downloads the merchant’s and the financial institution’s digital certificates.


SET

3. The customer’s browser hashes the purchase order and the credit card (or payment order) information separately to form two message digests.

4. The customer signs the message digests to form the composite digital signature.


SET

5. The digital signature is sent to the merchant which in turn forwards it to the financial institution.

6. The customer uses the merchant’s public key to encrypt the purchase order and s/he uses the financial institution’s public key to encrypt the payment information. The merchant forwards the payment information to the financial institution or ePayment vendor.


SET

7. The merchant and the financial institution use the customer’s public key to decrypt the digital signature.

8. The merchant and the financial institution independently compute the message digests of the purchase order and payment order respectively.


SET

9. The independently computed message digests are then compared to the message digests in the decrypted digital signature.

10. Now the merchant and the financial institution/ePayment vendor have authenticated the purchase and credit/ePayment card information separately and independently.
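The signature steps above (3 to 5 and 7 to 10) as an added worked example that is not part of the original slides. It follows the slides' description (the two digests are signed together and recovered with the customer's public key) and leaves out the encryption in step 6. Assumptions: SHA-256 as the hash, a toy unpadded RSA key built from two published Mersenne primes that offers no real security, and constructed order and payment strings.

```python
import hashlib
import hmac

# Toy RSA key for the customer (assumption, illustration only): both primes
# are published Mersenne primes and textbook RSA has no padding.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held by the customer

DIGEST_LEN = hashlib.sha256().digest_size

# Constructed sample documents.
PURCHASE_ORDER = b"order=constructed-1001;item=antique clock;total=250.00"
PAYMENT_INFO = b"card=0000-0000-0000-0000;expiry=01/30;amount=250.00"


def digest(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


def customer_sign(purchase_order: bytes, payment_info: bytes) -> int:
    """Steps 3-4: hash each document separately, then sign both digests together."""
    composite = digest(purchase_order) + digest(payment_info)
    return pow(int.from_bytes(composite, "big"), D, N)


def open_signature(signature: int):
    """Step 7: recover the two digests using the customer's public key."""
    recovered = pow(signature, E, N)
    if recovered >= 1 << (8 * 2 * DIGEST_LEN):
        raise ValueError("not a signature made with the customer's private key")
    raw = recovered.to_bytes(2 * DIGEST_LEN, "big")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def merchant_verify(signature: int, purchase_order: bytes) -> bool:
    """Steps 8-9 at the merchant, which holds the order but not the card data."""
    try:
        order_digest, _payment_digest = open_signature(signature)
    except ValueError:
        return False
    return hmac.compare_digest(order_digest, digest(purchase_order))


def bank_verify(signature: int, payment_info: bytes) -> bool:
    """Steps 8-9 at the financial institution, which holds only the payment info."""
    try:
        _order_digest, payment_digest = open_signature(signature)
    except ValueError:
        return False
    return hmac.compare_digest(payment_digest, digest(payment_info))


if __name__ == "__main__":
    sig = customer_sign(PURCHASE_ORDER, PAYMENT_INFO)
    print("merchant accepts order:      ", merchant_verify(sig, PURCHASE_ORDER))
    print("bank accepts payment info:   ", bank_verify(sig, PAYMENT_INFO))
    print("merchant accepts edited order:",
          merchant_verify(sig, PURCHASE_ORDER.replace(b"250.00", b"2.50")))
```

Each party sees only the digest of the document it does not hold, so the merchant can authenticate the order without the card number and the financial institution can authenticate the payment without the purchase detail.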


Email Encryption

• Sender uses the recipient’s public key to encrypt the message

• Sender signs the message with own private key

• Recipient uses own private key to decrypt message

• Recipient uses sender’s public key to authenticate the digital signature

• The above process applies to non-Web based email. Web mail encryption is the same as eBusiness.


Stored Data Encryption

• Uses a symmetric key.

• Key should be activated with a passphrase.

• Applies to laptops, smart phones, memory disks, desktops and servers.


Encryption Strength

• The secrecy of the key

• The length of the key

• The rigour of the algorithm


PKI

• A public key infrastructure consists of the policy, procedures, software and servers to manage public keys to ensure secure storage and allocation.

• PKI can prevent man-in-the-middle attacks.


Pretty Good Privacy

• PGP does not rely on PKI.

• Allows 2 parties to exchange public keys.

• PGP also provides a way to encrypt an email attachment that is password protected without key exchange.


Man-in-middle Attack

• A hacker intercepts the key exchange and substitutes his or her public key for the actual keys exchanged.

• The hacker can then intercept subsequent communication and change the content and digital signature.

• The actual parties are kept in the dark.


Cookie

• Useful to web sites and users to remember info so users can be provided with more relevant info and it reduces keying, e.g., remembers the account number.

• Must not be used to remember password.

• Privacy concern as web sites can track user behaviour more.


Cookie

• Cookies are small data files that are given to a browser by a web application when a user first visits.

• Every subsequent visit, the application checks if a cookie exists (and if so, its contents) and thus knows if a user has previously accessed the application and what was done in the previous transaction.

• Cookies can be persistent (written to hard drive) or non-persistent (in browser memory).

• Cookies can have expiration dates.


Cookie

Session management risks:

• Cookies can be manipulated by end users to elevate privileges or impersonate others. It is important for organizations to verify the content of cookies for authentication and authorization before accepting them from user computers.

• Cookies can be sniffed/stolen leading to impersonation. Sensitive cookies should be subject to SSL.

• Cookie may track more info than necessary, thus invading privacy.
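One way a server can verify cookie content before trusting it, shown as an added example that is not part of the original slides. Assumptions: the cookie layout (base64 JSON claims plus an HMAC-SHA256 tag), the server key, the claim names and the helper names are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption); a real key is random and kept server-side.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def make_tag(body: str) -> str:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str, role: str, ttl: int = 900, now=None) -> str:
    """Build 'claims.tag'. The tag binds user, role and expiry together."""
    now = int(time.time()) if now is None else int(now)
    claims = {"user": user, "role": role, "exp": now + ttl}
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{body}.{make_tag(body)}"


def verify_cookie(cookie: str, now=None):
    """Return the claims if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else int(now)
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    # Check the tag before parsing anything the client sent.
    if not hmac.compare_digest(tag.encode(), make_tag(body).encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        return None
    return claims


def edited_by_user(cookie: str, **changes) -> str:
    """What editing the cookie on the client yields: new claims, old tag."""
    body, _, tag = cookie.rpartition(".")
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims.update(changes)
    new_body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{new_body}.{tag}"


def set_cookie_header(cookie: str) -> str:
    """Secure keeps the cookie on SSL/TLS connections; HttpOnly hides it from scripts."""
    return f"Set-Cookie: session={cookie}; Secure; HttpOnly; SameSite=Strict; Path=/"


if __name__ == "__main__":
    cookie = issue_cookie("alice", "customer", now=1000)
    print(verify_cookie(cookie, now=1001))
    print(verify_cookie(edited_by_user(cookie, role="admin"), now=1001))
    print(set_cookie_header(cookie))
```

The tag stops a user from changing the role or account in the cookie; it does not stop a stolen cookie from being replayed, which is why the expiry and the Secure attribute are also set.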


Web Application Security

Input validation: Web applications implement controls to ensure the input entered is valid.

• Web applications expect valid input – that is, it is of correct length, right type (text vs integer), etc.

• Developers often insert edit checks via JavaScript that is executed on the client side.

• However end users can always modify these checks (since they reside on client side) to bypass them and submit wrong inputs to the application.

• Developers should implement edit checks on the server side.


Buffer Overflow

Buffer overflows: Attack wherein malicious input spills into sensitive portions of memory compromising applications.

• Buffer overflows were covered in detail in application security chapter. Buffers are memory locations allocated by programmers to store user’s inputs.

• Attackers may provide malicious input that runs past the size of the buffer.

• Extra input could spill into sensitive portions of memory with results ranging from nothing happening, to application crashing, to a complete compromise.


Buffer Overflow

Buffer overflow risks:

• Impact of buffer overflow ranges from application failing its execution, to its crash, to running of malicious code of attacker’s choice resulting in complete compromise.

Control:

• Enforce boundary checks before accepting inputs. Use compilers that warn of potential overflow conditions.


SQL Injection Attack

SQL injection: Attack wherein malicious SQL commands are passed into web applications via user inputs.

• Web applications with back-end databases are often susceptible to these attacks.

• These applications convert user supplied input into SQL commands that are processed by the database.

• Attackers can craft special input that makes the SQL commands malicious in nature.


SQL Injection Attack

SQL injection: SQL injection attack example.

• Consider a web application that allows users to type in a keyword to search for a particular product type by asking:

Product keyword: antique

• Say the resulting SQL executed by the database is:

SELECT product FROM product_table
WHERE product_description LIKE '%antique%';

• This query shows all products from the product_table that have the keyword ‘antique’ in their description.


SQL Injection Attack

SQL injection: SQL injection attack example contd.

• Now consider what happens if the user provides the following special input:

Product keyword: antique%'; DROP TABLE password_table;--

• The resulting SQL executed by the database then is:

SELECT product FROM product_table
WHERE product_description LIKE '%antique%';
DROP TABLE password_table; --%';

• This results in the display of user IDs and password hashes and the deletion of a table!!


SQL Injection Attack

SQL injection risks:

• SQL injection can lead to web application malfunction, user impersonation, loss of sensitive data, etc.

Controls:

• Do not trust user’s inputs and sanitize user inputs by rejecting known bad data/characters.
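The slides' product search, run against an in-memory SQLite database once with string concatenation and once with a bound parameter, as an added example that is not part of the original slides. Parameter binding is a control the slides do not name; the table contents, the helper names and the use of SQLite are assumptions, and the slide's input is written with the TABLE keyword so that it is valid SQL.

```python
import sqlite3

# The special input from the slide (with TABLE added so the statement parses).
SLIDE_INPUT = "antique%'; DROP TABLE password_table;--"


def make_db() -> sqlite3.Connection:
    """Constructed sample data using the slides' table and column names."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product_table (product TEXT, product_description TEXT);
        CREATE TABLE password_table (user_id TEXT, password_hash TEXT);
        INSERT INTO product_table VALUES
            ('Clock', 'antique brass clock'),
            ('Lamp',  'modern desk lamp'),
            ('Chair', 'antique oak chair');
        INSERT INTO password_table VALUES ('constructed-user', 'constructed-hash');
    """)
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,)).fetchone()
    return row is not None


def search_by_concatenation(conn: sqlite3.Connection, keyword: str) -> str:
    """Vulnerable form from the slides: the input becomes part of the SQL text."""
    sql = ("SELECT product FROM product_table "
           "WHERE product_description LIKE '%" + keyword + "%';")
    # executescript() stands in for a database interface that accepts several
    # statements in one call; it discards the rows of the SELECT.
    conn.executescript(sql)
    return sql


def search_with_parameter(conn: sqlite3.Connection, keyword: str) -> list:
    """Hardened form: the SQL text is fixed and the keyword is bound as data."""
    # Escape LIKE wildcards so that '%' and '_' typed by the user match literally.
    escaped = (keyword.replace("\\", "\\\\")
                      .replace("%", "\\%")
                      .replace("_", "\\_"))
    rows = conn.execute(
        "SELECT product FROM product_table "
        "WHERE product_description LIKE ? ESCAPE '\\' ORDER BY product",
        ("%" + escaped + "%",)).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(search_with_parameter(db, "antique"))
    print(search_with_parameter(db, SLIDE_INPUT),
          "password_table present:", table_exists(db, "password_table"))
    print(search_by_concatenation(db, SLIDE_INPUT))
    print("password_table present:", table_exists(db, "password_table"))
```

With the bound parameter the slide's input is only a search string that matches nothing; with concatenation the same input ends the first statement and the second one runs.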


Authenticating Users

• Done to ensure that only the authorized users are permitted into network – and into the specific resources inside the network

• Basis of user authentication

– User profile

– User accounts based on something you have, know or are

– Smart card, time based token is something you have

– Password is something you know

– Biometric is something you are

– Network authentication


User Profile

• Assigned to each user account by the manager

• Determines the limits of what users have access to on a network

– Allowable log-in day and time of day

– Allowable physical locations

– Allowable number of incorrect log-in attempts


Forms of Access

• Password based

– Users gain access based on something they know

– Not very secure due to poor choice of passwords

• Card based

– Users gain access based on something they have

• Smart cards, ATM cards

– Typically used in conjunction with a password

• One-time passwords

– Users connected to network obtain a password via:

• A pager

• A token system (a separate handheld device)

– A network provided number is entered into the device, which generates the password

• Time-based tokens (password changes every 60 s)

– Generated by a device synchronized with server
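How a time-based token and its server can agree on a password that changes every 60 s, as an added example that is not part of the original slides. The slides name no algorithm; this sketch assumes the HOTP/TOTP construction of RFC 4226 and RFC 6238 with a 60-second step, and the shared secret is the published RFC 4226 test secret.

```python
import hashlib
import hmac
import struct

TIME_STEP = 60                              # seconds, as on the slide
SHARED_SECRET = b"12345678901234567890"     # RFC 4226 test secret, demo only


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def token_code(secret: bytes, unix_time: float, step: int = TIME_STEP) -> str:
    """What the handheld device displays: the counter is the current time window."""
    return hotp(secret, int(unix_time) // step)


def server_accepts(secret: bytes, submitted: str, unix_time: float,
                   last_used_counter: int = -1, drift_steps: int = 1,
                   step: int = TIME_STEP):
    """Return the matching time window, or None if the code is rejected.

    Neighbouring windows are tried to tolerate clock drift between device and
    server; windows at or before last_used_counter are refused so that a code
    that was already used cannot be replayed.
    """
    current = int(unix_time) // step
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if counter < 0 or counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter).encode(), submitted.encode()):
            return counter
    return None


if __name__ == "__main__":
    code = token_code(SHARED_SECRET, 60)            # device clock at t = 60 s
    print("device shows:", code)
    window = server_accepts(SHARED_SECRET, code, 125)   # server clock is ahead
    print("accepted in window:", window)
    print("replay:", server_accepts(SHARED_SECRET, code, 130,
                                    last_used_counter=window))
```

The server stores the last accepted window per user and passes it back in as last_used_counter on the next login.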


Biometric based Forms of Access

• Users gain access based on something they are

– Finger, hand, or retina scanning by a biometric system

– Convenient; no need to remember passwords

• Used in high-security applications

• Low cost versions becoming available

– Fingerprint scanners for less than $100


Managing User Access

• Create accounts and profiles when new personnel arrive

• Remove user accounts when someone leaves an organization

– Often forgotten, creating big security problems

– Many systems now allow expiration dates to be set on accounts

• When an account expires, it is deleted automatically

• Assign separate profiles and passwords to users using several different computers

– Cumbersome for users and managers as well

• Adopt network authentication

– Helps manage users automatically


Network Authentication

• Also called central authentication, single sign on, directory services

• Requires user to log in to an authentication server

– Checks id and password against a database

– Issues a certificate

• Certificate used for all transactions requiring authentication

– No need to enter passwords

– Eliminates passwords changing hands


Managing Users

• Screen and classify both users and data

– Based on “need to know”

• Review the effect of any security software

– Focus on restricting or controlling access to files, records, or data items

• Provide adequate user training on network security

– Use self-teaching manuals, newsletters, policy statements, and short courses

– May eliminate social engineering attacks

• Launch a well publicized security campaign

– To deter potential intruders


Detecting Unauthorized Access

• Intrusion Prevention Systems (IPSs):

– Network-based IPSs

• Install IDPS sensors on network circuits and monitor packets

• Reports intrusions to IPS Management Console

– Host-based IPSs

• Monitor all activity on the server as well as incoming server traffic

– Application-based IPSs

• Special form of host-based IPSs

• Monitor just one application, such as a Web server


Best Practice Recommendations

• Start with a clear disaster recovery plan and solid security policies

• Train individuals on data recovery and social engineering

• Routinely use antivirus software, firewalls, physical security, intrusion detection, and encryption


Recommendations (Cont.)

• Use of strong centralized desktop management

– Prohibits individual users from changing settings

– Use regular reimaging of computers to prevent Trojans and viruses

– Install most recent security patches

– Prohibit all external software downloads

• Use continuous content filtering

– Scan all incoming packets

– Encrypt all server files and communications

• Enforce, vigorously, all written security policies

– Treat violations as “capital offense,” a basis for firing


Implications for Management

• Security - fastest growing area in networking

• Cost of security expected to increase

– More, and more sophisticated, security tools to counter ever-increasing attacks

– Network becoming mission critical

– More, and more skilled, staff providing security

• Expect tougher laws and better enforcement

• Security to become a major factor to consider in choosing software and equipment

– More secure OSs, more secure application software, etc.


RFID – What Is It?

• Radio Frequency IDentification

• Requires two pieces of hardware: a reader and a transponder (or tag)

• Reader queries item with tag for information through a radio transmission

• Unique identification of products

• Quick, automated scans

– Line of sight with a tagged item is not required


RFID Usage

• RFID tags are already widely used:

– Access cards (Proximity cards)

– Livestock tagging

– Supply chain management

• Walmart

• Target

• US Department of Defense

– Passports

– Libraries


RFID Usage

• RFID has the potential to be extremely useful:

– Quick checkouts

• All items scanned at once

• No receipts

– Interactive objects

• Cell phone RFID reader

• Read movie show-time info off a poster


RFID Details

• Two groups

– Active

• Powered by a battery

– Passive

• No battery

• Powered by electromagnetic induction (radio transmission from reader)

• Passive tags are most common

– Average tag costs $0.50

– As low as 5 cents


RFID Details

• Two components

– Antenna

– Chip


Tracking

Credit Card #: 1234 5678 9012

Hershey’s Chocolate Bar ID: 123432

PS2 Game: Guitar Hero 2

$20 cash


Tracking

Bobby buys a new belt with a fancy RFID chip

Joe Bandit tracks Bobby as he…

takes a jog…

proposes to his girlfriend…

plays golf…

works at the office…

takes a plane…


Eavesdropping

• Attacker listens to a valid conversation

• Not necessary to power the RFID tag

– Greater reading distance possible

– Can also intercept the strong reader signal

What is the solution?


Countermeasures

• Killable tags

– EPC approach

– Tags lose their value after they are “killed”

• Faraday cages

– ePassport cover

– Not all items can be covered (e.g., clothes)

– Covered items have to be uncovered to be read

• Intent Signal

– Button or sensor indicating proper use environment

– Ease of use a problem in some cases


RFID Trend

• RFID tags will become more and more ubiquitous

• Assume information on tag will be read

• Implement security around this fact

• If you must rely on secrets in the tag

– Use STRONG cryptography

– More expensive, but worth it


Legal Issues

• Protection of intellectual property.

• Licensing, sharing and distributing technology.

• Criminal law.


Legal Issues

• Intellectual property

• Privacy law

• Competition law


Intellectual Property Protection

• Copyright

• Trademarks

• Patents


Intellectual Property Protection

• Trade secrets

• Domain name registration


Copyright

• Prevents the labour, creativity and skill in a work from being taken.

• Protects original work in fixed form, not ideas.

• Registration makes it easier to prove infringement and sue for damage.


Copyright

• Applies to computer programs

• Covered by the Copyright Act

• Protects “moral rights”, e.g., producing software that sounds and looks like a popular product but performs damaging functions


Trademark

• Protects goodwill rather than content

• A domain name can be a trademark

• Distinctive sound

• Can be registered in the Canadian Intellectual Property Office like copyright


Trademark

• Registration has to be renewed every 15 years.

• Unused registered trademark can be challenged.

• Registration makes it easier to sue, does not have to prove reputation.


Patents

• It grants the owner a legal right to exclude others for 20 years from making, selling or using the invention.

• Covered by the Patent Act.

• Protects ideas.


Intellectual Property Controls

• Employment and development agreements

• Software licensing agreements

• Support and maintenance agreements


Licensing, Sharing, Distributing Technology

• Source code escrow agreement

• Confidentiality agreement

• Management review.

• In summary, need more management controls.


Personal Information Protection and Electronic Documents Act

• Governs the collection, use and disclosure of personal information in a manner that balances the right of privacy of all individuals

• Requires each organization to designate a responsible officer


Personal Information

• Information about a person that originates from the person, e.g., social insurance number given to an employer, age.

• Does not include business information generated for a person, e.g., salary within the employer’s possession or grade within the school’s possession.


PIPEDA Principles

• Accountability – needs a chief privacy officer

• Identifying purpose

• Consent from information provider and owner

• Limiting collection


PIPEDA Principles

• Limiting use, retention and disclosure.

• Accuracy – process in an organization holding personal info to ensure accuracy

• Safeguards by organization holding personal info

• Openness, e.g., posting privacy policy on web site.


PIPEDA Principles

• Individual access – Information owner can access information held by organizations.

• Challenge – respond to challenges from the Privacy Commissioner and information owner, e.g., consumers or employees.


Technology Impact on Privacy

• Increasing technology power enables organizations to hold and analyze more data thereby potentially violating privacy legislation, e.g., customer relationship management system like gas station card or shopping points card.

• Increasing tracking devices like radio frequency ID’s may violate privacy.


Addressing Technology Impact on Privacy

• Reviewing data stores to assess whether the amount and length of personal information retention is excessive.

• Reviewing data mining applications for privacy violations.

• Restricting tracking devices to be used within the organization.


AIS 2012 David Chan 124

Payment Card Industry (PCI) Security Standard

• Developed by the PCI Security Council formed by major card issuers: Visa, MasterCard, American Express, Diners Club, JCB International and Discover Card.

• All issuing financial institutions and merchants that take credit card transactions on the Internet have to comply.

• Failure to comply may lead to financial penalty.

• Standard is applicable to the cardholder data environment, i.e., the environment where cardholder data is present.


PCI Security Standard

• Visa and MasterCard require major merchants and IT service organizations (over 1 million transactions annually or over 20,000 eTransactions annually) to have an annual external validation for compliance.


PCI Standards

1. Install and maintain a firewall configuration to protect cardholder data.

2. Do not use vendor supplied defaults for system passwords and other security parameters.

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across the Internet


PCI Standards

5. Use regularly updated anti-virus software

6. Develop and maintain secure systems and applications

7. Restrict access to cardholder data by business on a need-to-know basis

8. Assign a unique ID to each person with computer access


PCI Security Standard

9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12. Maintain a policy that addresses information security


Conclusion

• Auditor has to understand the implications of not complying with legal obligations and requirements.

• eBusiness and EDI increase audit risks because of complexity.

• EDI decreases substantive testing because of smaller balance sheet.

• Controls need to be in place to ensure compliance.