Security, Privacy and Authentication. Michael Power Gowling Lafleur Henderson LLP

Transcription

1 Security, Privacy and Authentication Michael Power owling Lafleur Henderson LLP

2 Why Security Autonomous Agents, Back Doors, Backup Theft, Call Forwarding Fakery, Condition Bombs, Covert Channels, Cracking, Data Aggregation, Data Diddling, Data Theft, Degradation of Service, Denial of Service, Dumpster Diving, Overflow, Spoofing, Excess Privileges, False Updates, et a Job, Hangup Hooking, Illegal Value Insertion, Invalid Values on Calls, Induced Stress Failures, Infrastructure Interference, Infrastructure Observation, Input Overflow, IP Spoofing, Logic Bombs, Login Spoofing, Masquerading, MIP Sucking, Network Services Attacks, Network Backup Information, Open Microphone Listening, Packet Insertion, Packet Sniffing, Password Cracking, Password uessing, Password Sniffing, PABX Bugging, Phracking, Phreaking, Ping of Death, Piracy, Process Bypassing, Protection Limit Poking, Salami Technique, Scanning, Session Hijacking, Shoulder Surfing, Social Engineering, Spamming, Sympathetic Vibration, Time Bombs, Timing Attacks, Toll Fraud Networks, Traffic Analysis, Trap Doors, Trojan Horses, Tunneling, Use Bombs, Van Eck Bugging, Viruses, Wiretapping, Worms

3 Privacy & Security Modern privacy principles call for protection of information : physical, procedural and technical controls required for management of personal information IKEA closed its online catalog order site Sept 5, 2000 after a the personal information of tens of thousands of its customers became available online. Estimated 80% of corporations with a market cap over $1 billion engage in corporate espionage On October 26, 2000 Microsoft reported hackers had tapped the digital blueprints of future MS products. FBI s Carnivore allows US government the ability to eavesdrop covertly on all digital communications by an ISP's customers.

4 Privacy and Security Meta roup: According to recent survey data, nine out of 10 companies and government organizations reported security breaches in the past year. Of the 42% willing (or able) to quantify the damages and financial losses, the total ran to $265M. February 7, 2000: hackers launched distributed denial of service attacks on several prominent Web sites, including Yahoo, E*Trade, Amazon.com, and ebay. Cyber crime increasing: US DOJ statistics: FY98: 547 computer intrusion cases; FY99, 1154 (up 53%). Pending cases: from 206 at the end of FY97, to 601 at the end of FY98, to 834 at the end of FY99, and to more than 900 by mid- FY00 (a 77% increase in pending cases in less than a three-year period).

5 Trading floor? Street corner! MSNBC report on Carders : an Internet chat room where "carders" buy and sell credit card numbers stolen from the Internet. The electronic scene resembles a combination of a commodity traders' floor and a street corner of drug dealers. Typically, a carder posts a claim that he has a fresh list of cards, and then to prove it, he posts a sample card, including billing address, phone number, etc., into the open chat room. A feeding frenzy follows. A participant reports that the "sample card is maxed out within 10 minutes, and then others jump in to buy the remaining list.

6 Why Public Key Cryptosystembased Authentication Ask yourself: Who clicked? How do you prove electrons?

7 Authentication E-commerce/e-contracting/egovernment is people dealing with people. To have trust you need to Authenticate people Authenticate sites Authenticate documents Use technologies that allow you to do these things

8 Why System Security Is Not Enough Connecting systems to the Internet before hardening them Connecting test systems to the Internet with default accounts/passwords Using telnet and other unencrypted protocols for managing systems, routers, firewalls etc. Implementing firewalls with rules that don t stop malicious or dangerous traffic Improper procedures for creating or changing passwords

9 What to do? Identify sensitive information and critical systems Define organization s security goals and objectives Plan to meet those goals and objectives Institute mechanisms to accomplish these goals/objectives Mesh legal and regulatory concerns, organizational characteristics, contractual requirements, environmental issues, and business line needs into policy development process. Implement appropriate security policies and procedures Use the right technology.

10 Some Advice from VISA 1. Install and maintain a working network firewall to protect data accessible via the Internet. 2. Keep security patches up-to-date. 3. Encrypt stored data accessible from the Internet. 4. Encrypt data sent across networks. 5. Use and regularly update antivirus software. 6. Restrict access to data by business "need to know." 7. Assign unique IDs to each person with computer access to data. 8. Track access to data by unique ID. 9. Don't use vendor-supplied defaults for system passwords and other security parameters. 10.Regularly test security systems and processes. 11. Screen employees with access to data to limit the "inside job." 12. Don't leave papers, diskettes or computers with data unsecured. 13. Destroy data no longer needed for business reasons.

11 Document Security Take security to the document level as well Use encryption to enhance data protection Use encryption to protect information assets Use digital signatures to record document integrity

12 Cases FirstNET v. Nike (Scottish action) Claim: inadequate security is negligence Ingram Micro v American uarantee (Arizona) Summary judgment: Business Interruption Coverage: computer damage includes loss of access/use

13 Conclusion Simple message: On-line trust includes data protection Take protection to the lowest practicable level right down to the document if sensitive enough

14 Michael Power owling Lafleur Henderson LLP fluent in the language of the new economy