Most Common Security Threats (cont.)

Transcription

1 Most Common Security Threats (cont.) Denial of service (DoS) attack Distributed denial of service (DDoS) attack Insider attacks. Any examples? Poorly designed software What is a zero-day vulnerability? Copyright 2017 Pearson Education Ltd. Slide 5-38

2 Most Common Security Threats (cont.) Denial of service (DoS) attack Distributed denial of service (DDoS) attack Insider attacks. Any examples? Poorly designed software Example of Adobe Flash: 78 bugs fixed in 2015 Heartbleed: OpenSSL flaw and RFC6520 heartbeat Social network security issues Manual sharing scams Fake offerings, fake Like buttons and fake apps Copyright 2017 Pearson Education Ltd. Slide 5-39

3 Most Common Security Threats (cont.) Mobile platform security issues As secure as landline phones? Cf. public WiFi networks Example: ikee.b worm Infects jailbroken iphones Password is changed and botnet command server in Lithuania takes over Data that passes through your iphone is compromised Example: Starbucks app Names, addresses, and passwords in plain text Ease of use vs. security concerns Vishing, smishing, and madware Copyright 2017 Pearson Education Ltd. Slide 5-40

4 Most Common Security Threats (cont.) Cloud security issues DDoS attacks against cloud-based service providers Safeguarding data: Dropbox example Internet of Things security issues Wireless baby monitors Radiology picture archive Drug infusion pumps Hospital x-ray systems Copyright 2017 Pearson Education Ltd. Slide 5-41

5 Tools Available to Achieve Site Security Figure 4.5, Page 272 Copyright 2017 Pearson Education Ltd. Slide 5-42

6 Encryption Encryption Transforms data into cipher text readable only by sender and receiver Secures stored information and information transmission Provides 4 of 6 key dimensions of e-commerce security: Message integrity Nonrepudiation Authentication Confidentiality What are substitution and transposition ciphers? Copyright 2017 Pearson Education Ltd. Slide 5-43

7 Encryption (cont.) Substitution cipher example Letter plus two HELLO JGNNQ Transposition cipher example Rules: Spell the first word with every other letter starting with the first. Existing words are broken into two words. HELLO HLO EL What is the key issue here? Copyright 2017 Pearson Education Ltd. Slide 5-44

8 Symmetric Key Cryptography Sender and receiver use same digital key to encrypt and decrypt message Requires different set of keys for each transaction What are common flaws? Secret key sent over insecure medium to reach the receiving party Secret key for each of the parties with whom is interacted (billions of keys would be needed to accommodate all e-commerce users) Digital encryption, example: The ASCII letter A is in bits Multiply each letter by a secret 8-bit key Sent encrypted message with secret 8-bit key to receiver Copyright 2017 Pearson Education Ltd. Slide 5-45

9 Symmetric Key Cryptography (cont.) Strength of modern security protection is measured in terms of the length of the binary key used to encrypt the data How many possibilities are there in the preceding example? 2 8 = 256 possibilities, decoded in a few seconds Modern digital encryption systems use keys with 56, 128, 256, or 512 binary digits How many possibilities when the key is 512 bits? ; decoded in 10 years using all computers Copyright 2017 Pearson Education Ltd. Slide 5-46

10 Symmetric Key Cryptography (cont.) Data Encryption Standard (DES) 56-bit Has been improved by Triple DES Encryption Algorithm (TDEA) TDEA encrypts the message three times with three separate keys Advanced Encryption Standard (AES) Most widely used symmetric key algorithm Uses 128-, 192-, and 256-bit encryption keys Other standards use keys with up to 2,048 bits Copyright 2017 Pearson Education Ltd. Slide 5-47

11 Public Key Cryptography Uses two mathematically related digital keys Public key (widely disseminated) Private key (kept secret by owner) Both keys used to encrypt and decrypt message What is another term for Public Key Cryptography? Asymmetric cryptography Copyright 2017 Pearson Education Ltd. Slide 5-48

12 Public Key Cryptography (cont.) Once key used to encrypt message, same key cannot be used to decrypt message, compare with food recipe Sender uses recipient s public key to encrypt message; recipient uses private key to decrypt it Copyright 2017 Pearson Education Ltd. Slide 5-49

13 Public Key Cryptography: A Simple Case What increases the difficulty of intercepting the message in step 4? Figure 4.6, Page 275 Copyright 2017 Pearson Education Ltd. Slide 5-50

14 Public Key Cryptography (cont.) Are there security elements missing? Authenticity: no guarantee the sender really is the sender Repudiation: sender could deny he or she is the sender Integrity: no assurance message has been altered in transit Copyright 2017 Pearson Education Ltd. Slide 5-51

15 Public Key Cryptography using Digital Signatures and Hash Digests Sender applies a mathematical algorithm (hash function) to a message and then encrypts the message and hash result with recipient s public key Sender then encrypts the message and hash result with sender s private key creating digital signature for authenticity, nonrepudiation Recipient first uses sender s public key to authenticate message and then the recipient s private key to decrypt the hash result and message Copyright 2017 Pearson Education Ltd. Slide 5-52

16 Public Key Cryptography with Digital Signatures How do we know the message has integrity? Figure 4.7, Page 276 Copyright 2017 Pearson Education Ltd. Slide 5-53

17 Digital Envelopes Address weaknesses of: Public key cryptography Computationally slow, decreased transmission speed, and increased processing time Symmetric key cryptography Insecure transmission lines How to solve this? Copyright 2017 Pearson Education Ltd. Slide 5-54

18 Digital Envelopes Address weaknesses of: Public key cryptography Computationally slow, decreased transmission speed, and increased processing time Symmetric key cryptography Insecure transmission lines Uses symmetric key cryptography to encrypt document Uses public key cryptography to encrypt and send symmetric key ( key within a key ) Copyright 2017 Pearson Education Ltd. Slide 5-55

19 Creating a Digital Envelope Figure 4.8, Page 278 Copyright 2017 Pearson Education Ltd. Slide 5-56

20 Digital Certificates and Public Key Infrastructure (PKI) Digital certificate includes: Name of subject/company Subject s public key Digital certificate serial number Expiration date, issuance date Digital signature of CA (name of CA encrypted using CA s private key) Public Key Infrastructure (PKI): CAs and digital certificate procedures, PGP Copyright 2017 Pearson Education Ltd. Slide 5-57

21 Digital Certificates and Certification Authorities Figure 4.9, Page 279 Copyright 2017 Pearson Education Ltd. Slide 5-58

22 Limits to Encryption Solutions Doesn t protect storage of private key PKI not effective against insiders, employees Why is this especially problematic for e-commerce? Protection of private keys by individuals may be haphazard Under many digital signature laws, you are responsible for whatever your private key does No guarantee that verifying computer of merchant is secure Copyright 2017 Pearson Education Ltd. Slide 5-59

23 Limits to Encryption Solutions (cont.) CAs are unregulated, self-selecting organizations How can a CA know about all the corporations within an industry? Questionable methods used by CA to identify certificate holder Hacking of CAs DigiNotar example (starts at 44m45s) Google domain certificates. NSA involvement? Copyright 2017 Pearson Education Ltd. Slide 5-60

24 Limits to Encryption Solutions (cont.) Expected life of a certificate is a function of the frequency of use and the vulnerability of systems using it Yet, there are CAs that have no policy or just an annual policy for reissuing certificates Copyright 2017 Pearson Education Ltd. Slide 5-61

25 Securing Channels of Communication Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Establishes secure, negotiated client server session Virtual Private Network (VPN) Allows remote users to securely access internal network via the Internet Wireless (Wi-Fi) networks Wi-Fi Protected Access (WPA) 2 Copyright 2017 Pearson Education Ltd. Slide 5-62

26 Secure Negotiated Sessions Using SSL/TLS Figure 4.10, Page 282 Copyright 2017 Pearson Education Ltd. Slide 5-63

27 Firewall Protecting Networks Hardware or software that uses security policy to filter communications Packet filters (destination is a prohibited port and origin is a prohibited IP address) Application gateways: application-based filtering Next-generation firewalls (NGFWs) Copyright 2017 Pearson Education Ltd. Slide 5-64

28 Next-generation Firewalls Application Identification and Filtering Identification and filtering of traffic based on applications, rather than just opening ports for any and all traffic SSL and SSH Inspection Decryption of traffic, providing additional protection from malicious applications and activity that try to hide using encryption to avoid the firewall Copyright 2017 Pearson Education Ltd. Slide 5-65

29 Next-generation Firewalls (cont.) Intrusion prevention Terminate session Block traffic from a suspicious IP address Reconfigure firewall or security controls Directory integration Directory support, i.e., Active Directory to manage authorized applications based upon users and user groups Malware filtering Reputation-based filtering to block applications that have a bad reputation and check for phishing, viruses, and other malware. Copyright 2017 Pearson Education Ltd. Slide 5-66

30 Firewall Protecting Networks (cont.) Hardware or software that uses security policy to filter communications Packet filters (destination is a prohibited port and origin is a prohibited IP address) Application gateways: application-based filtering Next-generation firewalls (NGFWs) Proxy servers (proxies) Software servers that handle all communications sent to and from the Internet Dual-home systems Intrusion detection and intrusion prevention Copyright 2017 Pearson Education Ltd. Slide 5-67

31 Firewalls and Proxy Servers Figure 4.11, Page 285 Copyright 2017 Pearson Education Ltd. Slide 5-68

32 Protecting Servers and Clients Operating system security enhancements Upgrades, patches 10% of Internet users have Windows XP... Anti-virus software Easiest and least expensive way to prevent threats to system integrity Requires daily updates Copyright 2017 Pearson Education Ltd. Slide 5-69

33 Management Policies, Business Procedures, and Public Laws Worldwide, in 2015, companies are expected to spend more than 69 billion on security hardware, software, and services Managing risk includes: Technology Effective management policies Public laws and active enforcement Copyright 2017 Pearson Education Ltd. Slide 5-70