CSE 4482 2012 - Session 5
• “The advance of technology is based on making it fit in so that you don't really even notice it, so it's part of everyday life.” – Bill Gates
• What would we do without the Internet?
• As we can’t seem to resist the Web.
• There is so much we can see.
• Is 640K really enough for anybody?
• Everything seems so easy to get.
• But you could be part of a denial-of-service attack.
• Many doors will open without a key.
• We should give respect to intellectual property.
• Learn to spot the good from the bad.
• So you won’t fall for ID theft.
• Take good care of your identity.
• So you won’t lose privacy.
Internet Infrastructure
• Web server and webmaster
• Firewall
• Internet service provider
Internet Infrastructure
• Domain name server – translates a domain name to an Internet Protocol (IP) address, e.g., 142.142.153.157; the maximum is 255.255.255.255; a range of 2 billion addresses. The new address range will increase this by more than 100 times.
• Routers
• Application server
• Database server
Internet Infrastructure
• Web hosting software
• Web site management system to keep track of visits and user pattern
• Network operating system
• Infrastructure needs to be protected.
Comparison of Network Models
Internet’s Hierarchical Structure
• National Internet Service Providers (ISPs)
– Provide services to their customers and sell access to regional ISPs and local ISPs
• Regional ISPs
– Connect with National ISPs
– Provide services to their customers and sell access to local ISPs
• Local ISPs
– Connected to National or Regional ISPs
– Sell access to individuals
Basic Internet Architecture
Types of Addresses (layer – address type – example address – analogy)
• Application Layer – URL – www.manhattan.edu – Name
• Network Layer – IP address – 149.61.10.22 (4 bytes) – Street #
• Data Link Layer – MAC address – 00-0C-00-F5-03-5A (6 bytes) – Apt #
Assignment of Addresses
• Application Layer address (URL)
– For servers only (clients don’t need it)
– Assigned by network managers and placed in configuration files
– Some servers may have several application layer addresses
• Network Layer Address (IP address)
– Assigned by network managers, or by programs such as DHCP, and placed in configuration files
– Every network on the Internet is assigned a range of possible IP addresses for use on its network
• Data Link Layer Address (MAC address)
– Unique hardware addresses placed on network interface cards by their manufacturers (based on a standardized scheme)
• Servers have permanent addresses, clients usually do not
Internet Addresses
• Managed by ICANN
– Internet Corporation for Assigned Names and Numbers
– Manages the assignment of both IP and application layer name space (domain names)
• Both assigned at the same time and in groups
• Manages some domains directly (e.g., .com, .org, .net) and
• Authorizes private companies to become domain name registrars as well
Address Resolution
• Server Name Resolution
– Translating the destination host’s domain name to its corresponding IP address
– www.yahoo.com is resolved to 204.71.200.74
– Uses one or more Domain Name Service (DNS) servers to resolve the address
DNS - Domain Name Service
• Used to determine the IP address for a given URL
• Provided through a group of name servers
– Databases containing directories of domain names and their corresponding IP addresses
• Large organizations maintain their own name servers
– Smaller organizations rely on name servers provided by their ISPs
• When a domain name is registered, the IP address of the DNS server must be provided to the registrar for all URLs in this domain
– Example: Domain name: ontario.ca; URLs: www.ontario.ca
How DNS Works
• Desired URL in client’s address table:
– Use the corresponding IP address
– Each client maintains a server address table
• containing URLs used and corresponding IP addresses
• Desired URL not in client’s address table:
– Use DNS to resolve the address
– Sends a DNS request packet to its local DNS server
– URL in local DNS server
• Responds by sending a DNS response packet back to the client
How DNS Works (Cont.)
• URL NOT in local DNS server
– Sends DNS request packet to the next highest name server in the DNS hierarchy
– Usually the DNS server at the top level domain (such as the DNS server for all .edu domains)
– URL NOT in that name server
• Sends DNS request packet ahead to the name server at the next lower level of the DNS hierarchy
How DNS Works (figure)
If a client at the University of Toronto asks for a web page on Indiana University’s server: the client computer sends a DNS request over its LAN to its local DNS server; that server forwards the DNS request over the Internet to the root DNS server for the .EDU domain, which forwards it to Indiana University’s DNS server; the DNS responses travel back along the same path to the client.
MAC Address Resolution
• Problem:
– Unknown MAC address of the next node (whose IP address is known)
• Solution:
– Uses Address Resolution Protocol (ARP)
• Operation
– Broadcast an ARP message to all nodes on a LAN asking which node has a certain IP address
– Host with that IP address then responds by sending back its MAC address
– Store this MAC address in its address table
– Send the message to the destination node
– Example of a MAC address: 00-0C-00-F5-03-5A
Routing
• Process of identifying what path a packet takes through a network from sender to receiver
• Routing Tables
– Used to make routing decisions
– Show which path to send packets on to reach a given destination
– Kept by computers making routing decisions
• Routers
– Special purpose devices used to handle routing decisions on the Internet
– Maintain their own routing tables
Routing Example
Routing Table for A (each node has its own routing table):
• Dest. B – Next B
• Dest. C – Next B
• Dest. D – Next D
• Dest. E – Next D
• Dest. F – Next D
• Dest. G – Next B
Possible paths from A to G:
• ABCG
• ABEFCG
• ADEFCG
• ADEBCG
Types of Routing
• Centralized routing
– Decisions made by one central computer
– Used on small, mainframe-based networks
• Decentralized routing
– Decisions made by each node independently of one another
– Information needs to be exchanged to prepare routing tables
Sending Messages using TCP/IP
• Required Network layer addressing information
– Computer’s own IP address
– Its subnet mask
• To determine what addresses are part of its subnet
– Local DNS server’s IP address
• To translate URLs into IP addresses
– IP address of the router (gateway) on its subnet
• To route messages going outside of its subnet
• Obtained from a configuration file or provided by a DHCP server
– Servers also need to know their own application layer addresses (domain names)
TCP/IP Configuration Information
TCP/IP Network Example
Case 1a: Known Address, Same Subnet
• Case:
– A client (128.192.98.130) requests a Web page from a server (www1.anyorg.com)
– Client knows the server’s IP and Ethernet addresses
• Operations (performed by the client)
– Prepare HTTP packet and send it to TCP
– Place HTTP packet into a TCP packet and send it to IP
– Place TCP packet into an IP packet, add destination IP address, 128.192.98.53
– Use its subnet mask to see that the destination is on the same subnet as itself
– Add server’s Ethernet address into its destination address field, and send the frame to the Web server
Case 1b: HTTP response to client
• Operations (performed by the server)
– Receive Ethernet frame, perform error checking and send back an ACK
– Process incoming frame successively up the layers (data link, network, transport and application) until the HTTP request emerges
– Process HTTP request and send back an HTTP response (with requested Web page)
– Process outgoing HTTP response successively down the layers until an Ethernet frame is created
– Send Ethernet frame to the client
• Operations (performed by the client)
– Receive Ethernet frame and process it successively up the layers until the HTTP response emerges at the browser
Case 2: Known Address, Different Subnet
• Similar to Case 1a
• Differences
– Use subnet mask to determine that the destination is NOT on the same subnet
– Send outgoing frames to the local subnet’s gateway (GW)
– Local gateway operations
• Receive the frame and remove the Ethernet header
• Determine the next node (via routing table)
• Make a new frame and send it to the destination GW
– Destination gateway operations
• Remove the header, determine the destination (by destination IP address)
• Place the IP packet in a new Ethernet frame and send it to its final destination.
Case 3: Unknown Address
• Operations (by the host)
– Determine the destination IP address
• Send a UDP packet to the local DNS server
• Local DNS server knows the destination host’s IP address
– Sends a DNS response back to the sending host
• Local DNS server does not know the destination IP address
– Send a second UDP packet to the next highest DNS host, and so on, until the destination host’s IP address is determined
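As an added example (not code from the course), the "How DNS Works" walk and Cases 1a/2/3 simulated in Python: the client checks its own address table, otherwise asks a simulated local DNS server that walks the hierarchy, then uses its subnet mask to choose the next hop and an ARP table for that hop's MAC. Only the client address 128.192.98.130, www1.anyorg.com = 128.192.98.53 and the sample MAC come from the slides; the /24 mask, gateway, local DNS server, Indiana address and second MAC are constructed assumptions.

```python
import ipaddress

# From the slides: client 128.192.98.130, www1.anyorg.com = 128.192.98.53,
# sample MAC 00-0C-00-F5-03-5A. Everything else here is constructed for the demo.
CLIENT_IP = "128.192.98.130"
SUBNET_MASK = "255.255.255.0"          # assumption: the client's subnet is a /24
GATEWAY_IP = "128.192.98.1"            # assumption: the subnet's router
LOCAL_DNS_IP = "128.192.98.10"         # assumption: the local DNS server

# Simulated DNS hierarchy: TLD servers know which zones exist, zone servers know hosts.
TLD_SERVERS = {"com": {"anyorg.com"}, "edu": {"indiana.edu"}}
ZONE_SERVERS = {
    "anyorg.com": {"www1.anyorg.com": "128.192.98.53"},
    "indiana.edu": {"www.indiana.edu": "198.51.100.7"},   # constructed address
}
# Simulated ARP replies ("who has IP x?" -> MAC); the gateway MAC is constructed.
ARP_ANSWERS = {"128.192.98.53": "00-0C-00-F5-03-5A", GATEWAY_IP: "00-0C-00-00-00-01"}


def resolve_via_dns(url, local_dns_cache, trace):
    """Local DNS server: answer from its database, else walk TLD -> zone server (Case 3)."""
    if url in local_dns_cache:
        trace.append(f"local DNS {LOCAL_DNS_IP}: answered {url} from its database")
        return local_dns_cache[url]
    labels = url.split(".")
    tld, zone = labels[-1], ".".join(labels[-2:])
    trace.append(f"local DNS -> DNS server for .{tld} (next highest level)")
    if zone not in TLD_SERVERS.get(tld, set()):
        raise LookupError(f"no such zone: {zone}")
    trace.append(f".{tld} server -> DNS server for {zone} (next lower level)")
    ip = ZONE_SERVERS[zone].get(url)
    if ip is None:
        raise LookupError(f"no such host: {url}")
    local_dns_cache[url] = ip        # remembered for later requests
    return ip


def plan_send(dest_url, client_table, local_dns_cache, arp_table):
    """Return how the client would address an HTTP request to dest_url."""
    trace = []
    if dest_url in client_table:                      # Cases 1a/2: known address
        dest_ip = client_table[dest_url]
        trace.append("client address table hit")
    else:                                             # Case 3: unknown address
        trace.append(f"UDP DNS request to local DNS server {LOCAL_DNS_IP}")
        dest_ip = resolve_via_dns(dest_url, local_dns_cache, trace)
        client_table[dest_url] = dest_ip
    subnet = ipaddress.ip_network(f"{CLIENT_IP}/{SUBNET_MASK}", strict=False)
    same_subnet = ipaddress.ip_address(dest_ip) in subnet
    next_hop = dest_ip if same_subnet else GATEWAY_IP  # Case 2 goes via the gateway
    if next_hop not in arp_table:                      # MAC address resolution (ARP)
        trace.append(f"ARP broadcast: who has {next_hop}?")
        arp_table[next_hop] = ARP_ANSWERS[next_hop]
    return {"dest_ip": dest_ip, "same_subnet": same_subnet, "next_hop": next_hop,
            "next_hop_mac": arp_table[next_hop], "trace": trace}


if __name__ == "__main__":
    tables = ({"www1.anyorg.com": "128.192.98.53"}, {}, {})
    for url in ("www1.anyorg.com", "www.indiana.edu"):
        plan = plan_send(url, *tables)
        print(url, "->", plan["dest_ip"], "via", plan["next_hop"], plan["next_hop_mac"])
        print("  " + "\n  ".join(plan["trace"]))
```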
TCP Connections
• Before any data packet is sent, a connection is established
– Use SYN packet to establish the connection
– Use FIN packet to close the connection
• Handling of HTTP packets
– Old version:
• a separate TCP connection for each HTTP request
– New version:
• Open a connection when the first HTTP request is sent to the server
• Leave the connection open for all subsequent HTTP requests to the same server
• Close the connection when the session ends
TCP/IP and Layers
• Host computers
– Packets move through all layers
• Gateways, routers
– Packet moves from the Physical layer to the Data Link layer through the Network layer
• At each stop along the way
– Ethernet packet is removed and a new one is created for the next node
Message Moving Through Layers
DNS Attacks
• Substituting a valid IP address with a hacker’s IP address.
• Removing IP address thus causing an attempted connection to a web site to fail.
• Bring down the DNS so outgoing surfing is stopped.
Risk Implications
• Inherent risk? - increases because of new way of doing business, new way is more complicated.
• Control risk? – Increases because some control functions are carried out by external parties like customers, suppliers and ISPs. Can go down because more controls are automated.
• Detection risk? – Increases because more audit evidence is in electronic form and therefore less obvious and certain.
Risk Implications
• Non-occurrence of transactions – High because of open access.
• Incomplete processing – moderate because of real-time processing, but delivery may not be complete.
• Unauthorized transaction – high because of open access.
Risk Implications
• Inaccurate processing – high because customers not trained and because of complexity.
• Untimely processing – moderate, similar to risk of incompleteness, but delivery may be late.
• Inefficiency – Low risk, because of computer power vs human power.
• Should also relate to the 5 system components: infrastructure, software, people, procedures and information.
Domain Name Server (DNS) Risks
• DNS is a common target for hackers.
• A hacker can change the translation table and therefore direct users to hacker sites resulting in unauthorized transactions.
• A hacker can bring down a DNS.
• Which of these is of more concern to management, to the external auditors?
Internet Security Measures
• Boundary checking – against buffer overflow
• Digital certificate
• Digital signature
• Encryption
• Firewall
Internet Security Measures
• Intrusion prevention system
• Online backup
• Redundant communication lines
• Redundant servers
• Web site refreshment – to nullify defacement.
Using Redundant Hardware
• A key principle in preventing disruption, destruction and disaster
• Examples of components that provide redundancy
– Uninterruptible power supplies (UPS)
• A separate battery powered power supply
• Can supply power for minutes or even hours
• Some run on generators.
– Fault-tolerant servers (with redundant components)
– Disk mirroring
• A redundant second disk for every disk on the server
• All data on the primary disk is duplicated on the mirror
– Disk duplexing (redundant disk controllers), more reliable.
• Can apply to other network components as well
– Circuits, routers, client computers, etc.
Preventing Computer Viruses
• Viruses spread when infected files are accessed
– Macro viruses attach themselves to other programs (documents) and spread when the programs are executed (the files are opened)
• Worms
– Special type of virus that spreads itself without human intervention (sends copies of itself from computer to computer)
• Anti-virus software packages check disks and files to ensure that they are virus-free
• Incoming e-mail messages are the most common source of viruses
– Check attachments to e-mails, use filtering programs to ‘clean’ incoming e-mail
Securing Network Perimeter
• Basic access points into a network
– LANs inside the organization
– Dial-up access through a modem
– Internet (most attacks come in this way)
• Basic elements in preventing access
– Physical security
– Dial-in security
– Firewalls
Personnel Matters
• Also important to
– Provide proper security education
– Perform background checks
– Implement error and fraud controls
• Reduces the possibility of attackers posing as employees
– Example: Become employed as a janitor and use various listening devices/computers to access the network
• Areas vulnerable to this type of access:
– Network cabling
– Network devices
Securing Network Devices
• Should be secured in locked wiring closets
– More vulnerable: LAN devices (controllers, hubs, bridges, routers, etc.)
• A sniffer (LAN listening device) can easily be hooked up to these devices
• Use secure hubs: require a special code before new computers are connected
Security Holes
• Made by flaws in network software that permit unintended access to the network
– A bug that permits unauthorized access
– Operating systems often contain security holes
– Details can be highly technical
• Once discovered, knowledge about the security hole is quickly circulated on the Internet
– A race can then begin between
• Hackers attempting to break into networks through the security hole and
• Security teams working to produce a patch to eliminate the security hole
– CERT: major clearing house for Internet related holes
Trojan Horses
• Remote access management tools that enable users to access a computer and manage it from afar
• More often concealed in other software that is downloaded over the Internet
– Common carriers: Music and video files shared on Internet sites
• Undetected by even the best antivirus software
• Major Trojans
– Back Orifice: attacked Windows servers
• Gave the attacker the same rights as the administrator
– Morphed into tools such as MoSucker and Optix Pro
• Powerful and easy to use
AIS, 2012 47
Symmetric Key Encryption
• The same key is used to decrypt and encrypt
• Simple to encrypt and decrypt
• Large number of keys required for one-on-one secret communication
• Number of keys for N people is N(N-1)/2
• Need to secure the key
• Use of the key should require a passphrase.
Application of Encryption
• eBusiness
• Virtual private network
• Stored data
• Digital signature
• Wireless network
Asymmetric Encryption
• A pair of key is generated by a user, a private key and a corresponding public key.
• The public key can be disclosed. The private key is secured.
• People can use the public key to encrypt material.
• Use of private key should require a passphrase.
Asymmetric Encryption
• The corresponding private key is needed to decrypt.
• The 2 keys cannot be reengineered, i.e., you cannot use the public key to derive the private key.
• Longer keys than symmetric and therefore a longer process to encrypt and decrypt. Longer keys required to prevent reverse engineering.
Asymmetric Encryption
• Needed for email encryption.
• Used for e-commerce, digital certificates and digital signatures.
• Number of keys for N users is 2N.
Encryption and Public Key Infrastructure
• Digital signature: A digital code attached to an electronically transmitted message that is used to verify the origin and contents of a message
• Digital certificates: Data files used to establish the identity of users and electronic assets for protection of online transactions.
Public Key Infrastructure
• A set of policy, procedures and servers used to operate a public key environment.
• There is a public key server that holds everybody’s public key for retrieval by programs that use encryption.
• There are servers used to authenticate users that activate private keys.
Limitation of Encryption
• If key is lost, data cannot be decrypted.
• Rogue parties can delete an encrypted file without knowing the key; therefore access control list is important.
• Encrypted email attachments are generally deleted by the anti-virus program.
Digital Signature
• A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and to ensure that the original content of the message or document that has been sent is unchanged.
Digital Signature
• The sender uses an algorithm to compute a hash (garbled digest) of the document
• Sender uses its private key to encrypt the hash.
• Recipient uses the same algorithm to hash the plain text document when received.
• Recipient uses the public key to decrypt the digital signature and compares it to the hash the recipient created, to confirm integrity.
Digital Certificate
• An electronic business card that establishes your credentials when doing business or other transactions on the Web.
• It is issued and digitally signed by a certification authority. It contains your name, a serial number, expiration dates, the certificate authority’s name and public key, and your public key.
• People can use the certificate authority’s public key to verify the signature.
Certificate Authority
• An organization that issues digital certificates to companies and individuals
• An organization can issue digital certificates to its own customers or employees to authenticate local transactions
• The certificate authority will do due diligence to confirm the existence and authenticity of the party before issuing a certificate.
eBusiness Encryption
• Uses both symmetric keys and asymmetric keys
• Uses the Secure Socket Layer (SSL) protocol
• Enforced by the merchant
• Merchant sends its certificate and public key to the browser
eBusiness Encryption
• Browser generates a symmetric key
• Browser encrypts the symmetric key with the merchant’s public key
• Browser authenticates the digital certificate
• Encrypted symmetric key is sent to merchant
eBusiness Encryption
• Merchant decrypts the symmetric key with its private key
• The symmetric key is used for all subsequent transfer of information between the 2 parties until the user logs off.
Secure Electronic Transaction
• Some financial institutions have adopted SET to prevent merchants from seeing the credit card numbers and prevent the financial institution from viewing the purchase detail.
• This requires a digital certificate to be issued to the merchant and customer.
SET
1. A customer receives a “personal” digital certificate from the credit card issuing financial institution or an ePayment vendor like Paypal.
2. When the customer buys something on a web site, s/he sends his or her digital cert to the merchant, which sends it to the financial institution. S/he also downloads the merchant’s and the financial institution’s digital certificates.
3. The customer’s browser hashes the purchase order and the credit card (or payment order) information separately to form two message digests.
4. The customer signs the message digests to form the composite digital signature.
5. The digital signature is sent to the merchant which in turn forwards it to the financial institution.
6. The customer uses the merchant’s public key to encrypt the purchase order and s/he uses the financial institution’s public key to encrypt the payment information. The merchant forwards the payment information to the financial institution or ePayment vendor.
7. The merchant and the financial institution use the customer’s public key to decrypt the digital signature.
8. The merchant and the financial institution independently compute the message digests of the purchase order and payment order respectively.
9. The independently computed message digests are then compared to the message digests in the decrypted digital signature.
10. Now the merchant and the financial institution/ePayment vendor have authenticated the purchase and credit/ePayment card information separately and independently.
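SET steps 3 to 10 above, together with the hash-sign-verify procedure under Digital Signature, as an added Python example that is not code from the course. It assumes a deliberately small textbook RSA (no padding, for illustration only; real systems use a vetted library) and the classic SET dual-signature construction, where the customer signs the hash of the two digests; the order and payment strings are constructed.

```python
import hashlib
import secrets

# Toy RSA for the demo only (assumption): textbook RSA, 160-bit primes, no padding.
# It makes "encrypt the hash with the private key" concrete; it is not production crypto.

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=320):
    """Return (public, private) as (e, n), (d, n); n must exceed a SHA-256 digest."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def sign_digest(digest: bytes, private) -> int:
    """Slide step: sender encrypts the hash with its private key."""
    d, n = private
    return pow(int.from_bytes(digest, "big"), d, n)


def verify_digest(digest: bytes, signature: int, public) -> bool:
    """Slide step: recipient decrypts with the public key and compares to its own hash."""
    e, n = public
    return pow(signature, e, n) == int.from_bytes(digest, "big")


# SET dual signature: hash the purchase order (PO) and payment information (PI)
# separately (step 3), then sign the hash of both digests (step 4).
def dual_sign(order: bytes, payment: bytes, customer_private):
    po_digest, pi_digest = sha256(order), sha256(payment)
    signature = sign_digest(sha256(po_digest + pi_digest), customer_private)
    return po_digest, pi_digest, signature


def merchant_verifies(order: bytes, pi_digest: bytes, signature: int, customer_public):
    """Merchant sees the order but only the digest of the payment information (steps 7-9)."""
    return verify_digest(sha256(sha256(order) + pi_digest), signature, customer_public)


def bank_verifies(payment: bytes, po_digest: bytes, signature: int, customer_public):
    """Bank sees the payment information but only the digest of the order (steps 7-9)."""
    return verify_digest(sha256(po_digest + sha256(payment)), signature, customer_public)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    order = b"PO: 1 x antique oak chair, ship to 123 Main St"      # constructed
    payment = b"PI: card CARD_NUMBER_PLACEHOLDER exp 12/29"        # constructed
    po_d, pi_d, sig = dual_sign(order, payment, priv)
    print("merchant ok:", merchant_verifies(order, pi_d, sig, pub))
    print("bank ok:", bank_verifies(payment, po_d, sig, pub))
    print("tampered order ok:", merchant_verifies(order + b"!", pi_d, sig, pub))
```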
Email Encryption
• Sender uses the recipient’s public key to encrypt the message
• Sender signs the message with own private key
• Recipient uses own private key to decrypt message
• Recipient uses sender’s public key to authenticate the digital signature
• The above process applies to non-Web based email. Web mail encryption is the same as eBusiness.
Stored Data Encryption
• Uses a symmetric key.
• Key should be activated with a passphrase.
• Applies to laptop, smart phones, memory disks, desktops and servers.
Encryption Strength
• The secrecy of the key
• The length of the key
• The rigour of the algorithm
PKI
• A public key infrastructure consists of the policy, procedures, software and servers to manage public keys to ensure secure storage and allocation.
• PKI can prevent man in the middle attack.
Pretty Good Privacy
• PGP does not rely on PKI.
• Allows 2 parties to exchange public keys.
• PGP also provides a way to encrypt an email attachment that is password protected without key exchange.
Man-in-middle Attack
• A hacker intercepts the key exchange and substitutes his or her public key for the actual keys exchanged.
• The hacker can then intercept subsequent communication and change the content and digital signature.
• The actual parties are kept in the dark.
Cookie
• Useful to web sites and users to remember info so users can be provided with more relevant info and it reduces keying, e.g., remembers the account number.
• Must not be used to remember passwords.
• Privacy concern as web sites can track user behaviour more.
Cookie
• Cookies are small data files that are given to a browser by a web application when a user first visits.
• Every subsequent visit, the application checks if a cookie exists (and if so, its contents) and thus knows if a user has previously accessed the application and what was done in the previous transaction.
• Cookies can be persistent (written to hard drive) or non-persistent (in browser memory).
• Cookies can have expiration dates.
Cookie
Session management risks:
• Cookies can be manipulated by end users to elevate privileges or impersonate others. It is important for organizations to verify the content of cookies for authentication and authorization before accepting them from user computers.
• Cookies can be sniffed/stolen, leading to impersonation. Sensitive cookies should be subject to SSL.
• Cookies may track more info than necessary, thus invading privacy.
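One way a server can verify cookie content before trusting it, as an added example (not from the slides): the cookie carries a small JSON payload plus an HMAC-SHA256 tag under a server-only secret, so an edited role or an expired cookie is rejected. The secret, user id, role and timestamps are constructed assumptions; no password is ever placed in the cookie.

```python
import base64
import binascii
import hashlib
import hmac
import json

SERVER_SECRET = b"constructed-secret-keep-on-server-only"   # assumption: per-server key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(user_id: str, role: str, issued_at: int, ttl_seconds: int) -> str:
    """Cookie = base64(payload).base64(HMAC-SHA256(payload)); the payload holds no password."""
    payload = json.dumps({"uid": user_id, "role": role, "exp": issued_at + ttl_seconds},
                         separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_session_cookie(cookie: str, now: int):
    """Return the claims if the cookie is authentic and unexpired, else None."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):       # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:                         # expiry enforced server-side
        return None
    return claims


def tampered_copy(cookie: str, new_role: str) -> str:
    """Models the slide's risk, a user editing the role client-side, to exercise the check."""
    payload_b64, tag_b64 = cookie.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["role"] = new_role
    forged = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64(forged)}.{tag_b64}"               # old tag no longer matches


if __name__ == "__main__":
    cookie = issue_session_cookie("u112", "user", 1_700_000_000, 3600)
    print("valid:", verify_session_cookie(cookie, 1_700_000_100))
    print("edited role:", verify_session_cookie(tampered_copy(cookie, "admin"), 1_700_000_100))
    print("expired:", verify_session_cookie(cookie, 1_700_003_600))
```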
Web Application Security
Input validation: Web applications implement controls to ensure the input entered is valid.
• Web applications expect valid input – that is, it is of correct length, right type (text vs integer), etc.
• Developers often insert edit checks via JavaScript that is executed on the client side.
• However end users can always modify these checks (since they reside on client side) to bypass them and submit wrong inputs to the application.
• Developers should implement edit checks on the server side.
• Checking the correctness of the extension: quantity × unit price = invoice total
• A hacker can overwrite an input URL of www.things.com/orders/final&custID=112&num=55A&qty=20&price=10&shipping=5&total=205 as
• www.things.com/orders/final&custID=112&num=55A&qty=20&price=10&shipping=5&total=25
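The server-side edit check for the order URL above, as an added Python example (not from the slides): it parses the parameters, checks types and ranges, recomputes qty × price + shipping and rejects the tampered total=25. The parameter names come from the slide; the URL form, which joins path and parameters with '&' where a standard URL uses '?', is accepted as written, and the quantity limit is an assumption.

```python
from decimal import Decimal
from urllib.parse import parse_qs, urlsplit

# Parameter names exactly as in the slide's URL.
REQUIRED = ("custID", "num", "qty", "price", "shipping", "total")


def parse_order_url(url: str) -> dict:
    """Return the URL's parameters; accepts '?query' and the slide's '&' form."""
    if "?" in url:
        query = urlsplit(url).query
    else:
        _, _, query = url.partition("&")
    return {key: values[0] for key, values in parse_qs(query, keep_blank_values=True).items()}


def _money(value: str) -> Decimal:
    """Non-negative amount with at most two decimals; raises on anything else."""
    amount = Decimal(value)                     # InvalidOperation on "25abc"
    if amount < 0 or amount != amount.quantize(Decimal("0.01")):
        raise ValueError("bad money amount")
    return amount


def validate_order(url: str):
    """Server-side checks: presence, type, range and the extension
    qty * price + shipping == total. Returns (True, total) or (False, reason)."""
    fields = parse_order_url(url)
    missing = [key for key in REQUIRED if key not in fields]
    if missing:
        return False, f"missing fields: {missing}"
    if not fields["custID"].isdigit():
        return False, "custID must be numeric"
    if not fields["num"].isalnum():
        return False, "item number must be alphanumeric"
    try:
        qty = int(fields["qty"])
        price, shipping, total = (_money(fields[key]) for key in ("price", "shipping", "total"))
    except (ValueError, ArithmeticError):
        return False, "numeric field has wrong type or format"
    if not 1 <= qty <= 1000:                    # assumption: order-size limit
        return False, "qty out of range"
    expected = qty * price + shipping           # never trust the client's total
    if expected != total:
        return False, f"total {total} does not match recomputed {expected}"
    return True, expected


if __name__ == "__main__":
    base = "www.things.com/orders/final&custID=112&num=55A&qty=20&price=10&shipping=5"
    print(validate_order(base + "&total=205"))  # (True, Decimal('205'))
    print(validate_order(base + "&total=25"))   # rejected: total does not match
```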
Buffer Overflow
Buffer overflows: Attack wherein malicious input spills into sensitive portions of memory, compromising applications.
• Buffer overflows were covered in detail in the application security chapter. Buffers are memory locations allocated by programmers to store users’ inputs.
• Attackers may provide malicious input that runs past the size of the buffer.
• Extra input could spill into sensitive portions of memory with results ranging from nothing happening, to the application crashing, to a complete compromise.
Buffer Overflow
Buffer overflow risks:
• Impact of a buffer overflow ranges from the application failing its execution, to its crash, to running malicious code of the attacker’s choice resulting in complete compromise.
Control:
• Enforce boundary checks before accepting inputs. Use compilers that warn of potential overflow conditions.
SQL Injection Attack
SQL injection: Attack wherein malicious SQL commands are passed into web applications via user inputs.
• Web applications with back-end databases are often susceptible to these attacks.
• These applications convert user supplied input into SQL commands that are processed by the database.
• Attackers can craft special input that makes the SQL commands malicious in nature.
SQL Injection Attack
SQL injection attack example.
• Consider a web application that allows users to type in a keyword to search a particular product type by asking:
Product keyword: antique
• Say the resulting SQL executed by the database is:
SELECT product FROM product_table WHERE product_description LIKE '%antique%';
• This query results in showing all products from the product_table that have the keyword ‘antique’ in their description.
SQL Injection Attack
SQL injection attack example contd.
• Now consider if the user provides the following special input:
Product keyword: antique%'; DROP TABLE password_table;--
• The resulting SQL executed by the database then is:
SELECT product FROM product_table WHERE product_description LIKE '%antique%'; DROP TABLE password_table; --%';
• This results in the display of user IDs and password hashes and the deletion of a table!
SQL Injection Attack
SQL injection risks:
• SQL injection can lead to web application malfunction, user impersonation, loss of sensitive data, etc.
Controls:
• Do not trust users’ inputs; sanitize user inputs by rejecting known bad data/characters.
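The product search from the example above, as an added Python/SQLite example (not from the slides), with the slide's string-building query beside a parameterised version: the bound parameter is data, never SQL, and LIKE wildcards are escaped so the keyword matches literally. The in-memory schema, rows and hash placeholder are constructed; table names follow the slides.

```python
import sqlite3

# Constructed schema and rows; table names follow the slides.
SCHEMA = """
CREATE TABLE product_table (product TEXT, product_description TEXT);
CREATE TABLE password_table (user_id TEXT, password_hash TEXT);
INSERT INTO product_table VALUES ('Oak chair', 'antique oak dining chair');
INSERT INTO product_table VALUES ('Desk lamp', 'modern desk lamp');
INSERT INTO password_table VALUES ('alice', 'HASH_PLACEHOLDER');
"""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def search_vulnerable(conn, keyword):
    """The slide's pattern: user input pasted into the SQL text. executescript runs
    every statement in the string, as many database drivers do by default."""
    sql = f"SELECT product FROM product_table WHERE product_description LIKE '%{keyword}%';"
    conn.executescript(sql)
    return sql                                   # returned only so the text can be inspected


def _escape_like(text):
    """Escape LIKE wildcards so the keyword is matched literally, not as a pattern."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn, keyword):
    """Parameter binding: the keyword travels as data and is never parsed as SQL."""
    rows = conn.execute(
        "SELECT product FROM product_table WHERE product_description LIKE ? ESCAPE '\\'",
        (f"%{_escape_like(keyword)}%",),
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    keyword = "antique%'; DROP TABLE password_table;--"    # the slide's special input
    db = new_db()
    search_vulnerable(db, keyword)
    print("after vulnerable search, password_table exists:", table_exists(db, "password_table"))
    db = new_db()
    print("safe search results:", search_safe(db, keyword))
    print("after safe search, password_table exists:", table_exists(db, "password_table"))
    print("safe search for 'antique':", search_safe(db, "antique"))
```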
Authenticating Users
• Done to ensure that only authorized users are permitted into the network – and into the specific resources inside the network
• Basis of user authentication
– User profile
– User accounts based on something you have, know or are
– Smart card, time based token is something you have
– Password is something you know
– Biometric is something you are
– Network authentication
User Profile
• Assigned to each user account by the manager
• Determines the limits of what users have access to on a network
– Allowable log-in day and time of day
– Allowable physical locations
– Allowable number of incorrect log-in attempts
Forms of Access
• Password based
– Users gain access based on something they know
– Not very secure due to poor choice of passwords
• Card based
– Users gain access based on something they have
• Smart cards, ATM cards
– Typically used in conjunction with a password
• One-time passwords
– Users connected to the network obtain a password via:
• A pager
• A token system (a separate handheld device)
– A network provided number is entered into the device, which generates the password
• Time-based tokens (password changes every 60 s)
– Generated by a device synchronized with the server
Biometric based Forms of Access
• Users gain access based on something they are
– Finger, hand, or retina scanning by a biometric system
– Convenient; no need to remember passwords
• Used in high-security applications
• Low cost versions becoming available
– Fingerprint scanners for less than $100
Managing User Access
• Create accounts and profiles when new personnel arrive
• Remove user accounts when someone leaves an organization
– Often forgotten, creating big security problems
– Many systems now allow setting an expiration date on accounts
• When it expires, the account is deleted automatically
• Assign separate profiles and passwords to users using several different computers
– Cumbersome for users and managers as well
• Adopt network authentication
– Helps manage users automatically
Network Authentication
• Also called central authentication, single sign on, directory services
• Requires user to log in to an authentication server
– Checks id and password against a database
– Issues a certificate
• Certificate used for all transactions requiring authentication
– No need to enter passwords
– Eliminates passwords changing hands
Managing Users
• Screen and classify both users and data
– Based on “need to know”
• Review the effect of any security software
– Focus on restriction or control of access to files, records, or data items
• Provide adequate user training on network security
– Use self-teaching manuals, newsletters, policy statements, and short courses
– May eliminate social engineering attacks
• Launch a well publicized security campaign
– To deter potential intruders
Detecting Unauthorized Access
• Intrusion Prevention Systems (IPSs):
– Network-based IPSs
• Install IDPS sensors on network circuits and monitor packets
• Report intrusions to the IPS management console
– Host-based IPSs
• Monitor all activity on the server as well as incoming server traffic
– Application-based IPSs
• Special form of host-based IPSs
• Monitor just one application, such as a Web server
Best Practice Recommendations
• Start with a clear disaster recovery plan and solid security policies
• Train individuals on data recovery and social engineering
• Routinely use antivirus software, firewalls, physical security, intrusion detection, and encryption
Recommendations (Cont.)
• Use strong centralized desktop management
– Prohibit individual users from changing settings
– Use regular reimaging of computers to prevent Trojans and viruses
– Install the most recent security patches
– Prohibit all external software downloads
• Use continuous content filtering
– Scan all incoming packets
– Encrypt all server files and communications
• Enforce, vigorously, all written security policies
– Treat violations as a “capital offense,” a basis for firing
Implications for Management
• Security - fastest growing area in networking
• Cost of security expected to increase
– More, and more sophisticated, security tools to counter ever-increasing attacks
– Network becoming mission critical
– More, and more skilled, staff providing security
• Expect tougher laws and better enforcement
• Security to become a major factor in choosing software and equipment
– More secure OSs, more secure application software, etc.
RFID – What Is It?
• Radio Frequency IDentification
• Requires two pieces of hardware: a reader and a transponder (or tag)
• Reader queries item with tag for information through a radio transmission
• Unique identification of products
• Quick, automated scans
– Line of sight with a tagged item is not required
RFID Usage
• RFID tags are already widely used:
– Access cards (proximity cards)
– Livestock tagging
– Supply chain management
• Walmart
• Target
• US Department of Defense
– Passports
– Libraries
RFID Usage
• RFID has the potential to be extremely useful:
– Quick checkouts
• All items scanned at once
• No receipts
– Interactive objects
• Cell phone RFID reader
• Read movie show-time info off a poster
RFID Details
• Two groups
– Active
• Powered by a battery
– Passive
• No battery
• Powered by electromagnetic induction (radio transmission from reader)
• Passive tags are most common
– Average tag costs $0.50
– As low as 5 cents
RFID Details
• Two components
– Antenna
– Chip
Tracking
(Illustration: items a person carries, each readable by RFID: credit card # 1234 5678 9012, Hershey’s chocolate bar ID 123432, PS2 game Guitar Hero 2, $20 cash)
Tracking
• Bobby buys a new belt with a fancy RFID chip
• Joe Bandit tracks Bobby as he takes a jog… proposes to his girlfriend… plays golf… works at the office… takes a plane…
Eavesdropping
• Attacker listens to a valid conversation
• Not necessary to power the RFID tag
– Greater reading distance possible
– Can also intercept the strong reader signal
• What is the solution?
Countermeasures
• Killable tags
– EPC approach
– Tags lose their value after they are “killed”
• Faraday cages
– ePassport cover
– Not all items can be covered (e.g., clothes)
– Covered items have to be uncovered to be read
• Intent signal
– Button or sensor indicating proper use environment
– Ease of use a problem in some cases
RFID Trend
• RFID tags will become more and more ubiquitous
• Assume information on the tag will be read
• Implement security around this fact
• If you must rely on secrets in the tag
– Use STRONG cryptography
– More expensive, but worth it
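An added Python sketch (not part of the original slides) of the “assume the tag will be read” principle together with the Eavesdropping slide above: a tag whose reply never changes hands an eavesdropper everything it holds, whereas a tag that keys a MAC over a fresh reader challenge reveals only its serial, and a reply recorded from one exchange does not pass a later challenge. The tag serials and keys are constructed.

```python
import hmac
import secrets

# Constructed reader-side table of tag serial -> per-tag secret key
# (hypothetical; a real deployment would keep these in a key server).
TAG_KEYS = {"TAG-0001": b"constructed-key-for-tag-0001"}

class StaticTag:
    """Tag whose reply never changes: whatever it holds is simply read out."""
    def __init__(self, serial):
        self.serial = serial
    def respond(self, challenge):
        return self.serial  # same answer for every reader and every query

class AuthTag:
    """Tag holding a secret key; it answers with a MAC over the reader's challenge."""
    def __init__(self, serial, key):
        self.serial, self.key = serial, key
    def respond(self, challenge):
        mac = hmac.new(self.key, challenge, "sha256").hexdigest()
        return f"{self.serial}:{mac}"  # serial is still readable; the key is not

class Reader:
    def __init__(self, keys):
        self.keys = keys
    def challenge(self):
        return secrets.token_bytes(16)  # fresh per query, so old replies are useless
    def check(self, challenge, response):
        """Accept only a MAC computed with the registered key over this challenge."""
        serial, _, mac = response.partition(":")
        key = self.keys.get(serial)
        if key is None or not mac:
            return False
        expected = hmac.new(key, challenge, "sha256").hexdigest()
        return hmac.compare_digest(expected, mac)
    def query(self, tag):
        c = self.challenge()
        return self.check(c, tag.respond(c))

def recorded_reply_accepted(reader, tag):
    """Does a reply overheard in one exchange pass a later, fresh challenge?"""
    captured = tag.respond(reader.challenge())  # what an eavesdropper would hear
    return reader.check(reader.challenge(), captured)
```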
Legal Issues
• Protection of intellectual property.
• Licensing, sharing and distributing technology.
• Criminal law.
Legal Issues
• Intellectual property
• Privacy law
• Competition law
Intellectual Property Protection
• Copyright
• Trademarks
• Patents
Intellectual Property Protection
• Trade secrets
• Domain name registration
Copyright
• Prevents the labour, creativity and skill in a work from being taken.
• Protects original work in fixed form, not ideas.
• Registration makes it easier to prove infringement and sue for damages.
Copyright
• Applies to computer programs
• Covered by the Copyright Act
• Protects “moral rights”, e.g., against producing software that looks and sounds like a popular product but performs damaging functions
Trademark
• Protects goodwill rather than content
• A domain name can be a trademark
• Distinctive sound
• Can be registered with the Canadian Intellectual Property Office, like copyright
Trademark
• Registration has to be renewed every 15 years.
• Unused registered trademark can be challenged.
• Registration makes it easier to sue; the owner does not have to prove reputation.
Patents
• It grants the owner a legal right to exclude others for 20 years from making, selling or using the invention.
• Covered by the Patent Act.
• Protects ideas.
Intellectual Property Controls
• Employment and development agreements
• Software licensing agreements
• Support and maintenance agreements
Licensing, Sharing, Distributing Technology
• Source code escrow agreement
• Confidentiality agreement
• Management review.
• In summary, need more management controls.
Personal Information Protection and Electronic Documents Act
• Governs the collection, use and disclosure of personal information in a manner that balances the right of privacy of all individuals
• Requires each organization to designate a responsible officer
Personal Information
• Information about a person that originates from the person, e.g., social insurance number given to an employer, age.
• Does not include business information generated for a person, e.g., salary within the employer’s possession or grade within the school’s possession.
PIPEDA Principles
• Accountability – needs a chief privacy officer
• Identifying purpose
• Consent from information provider and owner
• Limiting collection
PIPEDA Principles
• Limiting use, retention and disclosure.
• Accuracy – process in an organization holding personal info to ensure accuracy
• Safeguards by organization holding personal info
• Openness, e.g., posting privacy policy on web site.
PIPEDA Principles
• Individual access – Information owner can access information held by organizations.
• Challenge – respond to challenges from the Privacy Commissioner and information owner, e.g., consumers or employees.
Technology Impact on Privacy
• Increasing technology power enables organizations to hold and analyze more data thereby potentially violating privacy legislation, e.g., customer relationship management system like gas station card or shopping points card.
• Increasing use of tracking devices like radio frequency IDs may violate privacy.
Addressing Technology Impact on Privacy
• Reviewing data stores to assess whether the amount and length of personal information retention is excessive.
• Reviewing data mining applications for privacy violations.
• Restricting tracking devices to use within the organization.
AIS 2012 David Chan 124
Payment Card Industry (PCI) Security Standard
• Developed by the PCI Security Council formed by major card issuers: Visa, MasterCard, American Express, Diners Club, JCB International and Discover Card.
• All issuing financial institutions and merchants that take credit card transactions on the Internet have to comply.
• Failure to comply may lead to financial penalty.
• Standard is applicable to the cardholder data environment, i.e., the environment where cardholder data is present.
PCI Security Standard
• Visa and MasterCard require major merchants and IT service organizations (over 1 million transactions annually or over 20,000 eTransactions annually) to have an annual external validation for compliance.
PCI Standards
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across the Internet.
PCI Standards
5. Use regularly updated anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business on a need-to-know basis
8. Assign a unique ID to each person with computer access
PCI Security Standard
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
Conclusion
• Auditor has to understand the implications of not complying with legal obligations and requirements.
• eBusiness and EDI increase audit risks because of complexity.
• EDI decreases substantive testing because of a smaller balance sheet.
• Controls need to be in place to ensure compliance.