Most Common Security Threats (cont.)


Most Common Security Threats (cont.)
- Denial of service (DoS) attack
- Distributed denial of service (DDoS) attack
- Insider attacks. Any examples?
- Poorly designed software. What is a zero-day vulnerability?
Copyright 2017 Pearson Education Ltd. Slide 5-38

Most Common Security Threats (cont.) [Slide 5-39]
- Denial of service (DoS) attack
- Distributed denial of service (DDoS) attack
- Insider attacks. Any examples?
- Poorly designed software
  - Example of Adobe Flash: 78 bugs fixed in 2015
  - Heartbleed: OpenSSL flaw and RFC6520 heartbeat
- Social network security issues
  - Manual sharing scams
  - Fake offerings, fake Like buttons and fake apps

Most Common Security Threats (cont.) [Slide 5-40]
- Mobile platform security issues
  - As secure as landline phones? Cf. public WiFi networks
  - Example: ikee.b worm
    - Infects jailbroken iPhones
    - Password is changed and a botnet command server in Lithuania takes over
    - Data that passes through your iPhone is compromised
  - Example: Starbucks app
    - Names, e-mail addresses, and passwords in plain text
    - Ease of use vs. security concerns
  - Vishing, smishing, and madware

Most Common Security Threats (cont.) [Slide 5-41]
- Cloud security issues
  - DDoS attacks against cloud-based service providers
  - Safeguarding data: Dropbox example
- Internet of Things security issues
  - Wireless baby monitors
  - Radiology picture archive
  - Drug infusion pumps
  - Hospital x-ray systems

Tools Available to Achieve Site Security [Slide 5-42]
- Figure 4.5, Page 272

Encryption [Slide 5-43]
- Encryption transforms data into cipher text readable only by sender and receiver
- Secures stored information and information transmission
- Provides 4 of 6 key dimensions of e-commerce security:
  - Message integrity
  - Nonrepudiation
  - Authentication
  - Confidentiality
- What are substitution and transposition ciphers?

Encryption (cont.) [Slide 5-44]
- Substitution cipher example
  - Letter plus two: HELLO -> JGNNQ
- Transposition cipher example
  - Rules: spell the first word with every other letter starting with the first; existing words are broken into two words.
  - HELLO -> HLO EL
- What is the key issue here?
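As an added illustration (not code from the slides or the textbook), both toy ciphers implemented so the slide's HELLO -> JGNNQ and HELLO -> HLO EL can be reproduced, plus a function showing one answer to the slide's closing question: a letter shift has only 26 possible keys, so a reader who knows a single plaintext word can try them all.

```python
"""Added example (not from the slides): the substitution and transposition
ciphers from the slide, with a key-recovery check for the substitution one."""


def substitution_encrypt(text: str, shift: int = 2) -> str:
    """Substitution: replace each letter with the one 'shift' places later,
    wrapping at Z (HELLO -> JGNNQ). Non-letters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def substitution_decrypt(text: str, shift: int = 2) -> str:
    """Undo the substitution by shifting the other way."""
    return substitution_encrypt(text, -shift)


def transposition_encrypt(word: str) -> str:
    """Transposition: rearrange rather than replace. Letters at even positions
    form the first output word, letters at odd positions the second (HELLO -> HLO EL)."""
    return word[0::2] + " " + word[1::2]


def transposition_decrypt(text: str) -> str:
    """Interleave the two output words back into the original word."""
    first, second = text.split(" ")
    out = []
    for i, ch in enumerate(first):
        out.append(ch)
        if i < len(second):
            out.append(second[i])
    return "".join(out)


def recover_shift(ciphertext: str, known_plaintext: str) -> list:
    """The 'key issue': only 26 shifts exist, so try each one and keep those
    that reproduce a word the reader already expects in the plaintext."""
    return [s for s in range(26)
            if known_plaintext in substitution_decrypt(ciphertext, s)]


if __name__ == "__main__":
    print(substitution_encrypt("HELLO"), transposition_encrypt("HELLO"))
    print(recover_shift("JGNNQ", "HELLO"))
```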

Symmetric Key Cryptography [Slide 5-45]
- Sender and receiver use the same digital key to encrypt and decrypt the message
- Requires a different set of keys for each transaction
- What are common flaws?
  - Secret key sent over an insecure medium to reach the receiving party
  - A secret key for each of the parties with whom one interacts (billions of keys would be needed to accommodate all e-commerce users)
- Digital encryption, example:
  - The ASCII letter A is 01000001 in bits
  - Multiply each letter by a secret 8-bit key 01010101
  - Send the encrypted message with the secret 8-bit key to the receiver

Symmetric Key Cryptography (cont.) [Slide 5-46]
- Strength of modern security protection is measured in terms of the length of the binary key used to encrypt the data
- How many possibilities are there in the preceding example? 2^8 = 256 possibilities, decoded in a few seconds
- Modern digital encryption systems use keys with 56, 128, 256, or 512 binary digits
- How many possibilities when the key is 512 bits? 2^512; decoded in 10 years using all computers
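An added example, not from the slides, of the 8-bit secret-key scheme from the preceding slide and the exhaustive search that a 2^8 = 256 key space permits. It assumes the combining operation is bitwise XOR (the slide says "multiply"; XOR keeps every result within 8 bits and is its own inverse), and the message is a constructed sample.

```python
"""Added example (not from the slides): the 8-bit key toy and why 256 keys
fall in an instant. ASSUMPTION: the per-letter operation is XOR."""

SLIDE_KEY = 0b01010101  # the secret 8-bit key from the slide (= 85)


def toy_encrypt(plaintext: bytes, key: int) -> bytes:
    """XOR every byte with the same 8-bit key. Decryption is the same call."""
    if not 0 <= key < 256:
        raise ValueError("key must fit in 8 bits")
    return bytes(b ^ key for b in plaintext)


def key_space(bits: int) -> int:
    """Number of distinct keys of a given length: 2^8 = 256, 2^512 for 512 bits."""
    return 2 ** bits


def exhaustive_search(ciphertext: bytes, crib: bytes) -> list:
    """Try every one of the 2^8 keys and keep those whose candidate plaintext
    contains a fragment (crib) the reader expects to be present. Returns
    (key, candidate) pairs; the loop is 256 iterations, the slide's 'few seconds'."""
    hits = []
    for key in range(key_space(8)):
        candidate = toy_encrypt(ciphertext, key)
        if crib in candidate:
            hits.append((key, candidate))
    return hits


if __name__ == "__main__":
    # 'A' = 01000001 becomes 00010100 under the slide's key.
    print(format(toy_encrypt(b"A", SLIDE_KEY)[0], "08b"))
    # Constructed sample message, recovered from the ciphertext without the key.
    ct = toy_encrypt(b"PAY 100 TO BOB", SLIDE_KEY)
    print(exhaustive_search(ct, b"PAY"))
    print(key_space(8), key_space(512))
```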

Symmetric Key Cryptography (cont.) [Slide 5-47]
- Data Encryption Standard (DES): 56-bit
  - Has been improved by Triple DES Encryption Algorithm (TDEA)
  - TDEA encrypts the message three times with three separate keys
- Advanced Encryption Standard (AES)
  - Most widely used symmetric key algorithm
  - Uses 128-, 192-, and 256-bit encryption keys
- Other standards use keys with up to 2,048 bits

Public Key Cryptography [Slide 5-48]
- Uses two mathematically related digital keys
  - Public key (widely disseminated)
  - Private key (kept secret by owner)
- Both keys are used to encrypt and decrypt the message
- What is another term for public key cryptography? Asymmetric cryptography

Public Key Cryptography (cont.) [Slide 5-49]
- Once a key is used to encrypt a message, the same key cannot be used to decrypt the message (compare with a food recipe)
- Sender uses the recipient's public key to encrypt the message; the recipient uses the private key to decrypt it

Public Key Cryptography: A Simple Case [Slide 5-50]
- What increases the difficulty of intercepting the message in step 4?
- Figure 4.6, Page 275

Public Key Cryptography (cont.) [Slide 5-51]
- Are there security elements missing?
  - Authenticity: no guarantee the sender really is the sender
  - Repudiation: sender could deny he or she is the sender
  - Integrity: no assurance the message has not been altered in transit

Public Key Cryptography using Digital Signatures and Hash Digests [Slide 5-52]
- Sender applies a mathematical algorithm (hash function) to a message and then encrypts the message and hash result with the recipient's public key
- Sender then encrypts the message and hash result with the sender's private key, creating a digital signature for authenticity and nonrepudiation
- Recipient first uses the sender's public key to authenticate the message and then the recipient's private key to decrypt the hash result and message

Public Key Cryptography with Digital Signatures [Slide 5-53]
- How do we know the message has integrity?
- Figure 4.7, Page 276

Digital Envelopes [Slide 5-54]
- Address weaknesses of:
  - Public key cryptography: computationally slow, decreased transmission speed, and increased processing time
  - Symmetric key cryptography: insecure transmission lines
- How to solve this?

Digital Envelopes [Slide 5-55]
- Address weaknesses of:
  - Public key cryptography: computationally slow, decreased transmission speed, and increased processing time
  - Symmetric key cryptography: insecure transmission lines
- Uses symmetric key cryptography to encrypt the document
- Uses public key cryptography to encrypt and send the symmetric key ("key within a key")
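An added example (not the textbook's or Pearson's code) that runs the flow of the digital-signature slide and the digital-envelope slide together: the document is encrypted with a symmetric session key, the session key is encrypted with the recipient's public key (the "key within a key"), and a hash of the document is encrypted with the sender's private key as the signature. It assumes textbook-sized toy RSA numbers and a toy XOR stream cipher, both chosen only so the exchange fits in a few lines.

```python
"""Added example (not from the slides): digital envelope plus signed hash digest.
Document -> symmetric session key; session key -> recipient's public key
("key within a key"); hash of document -> sender's private key (signature).
ASSUMPTIONS: toy textbook RSA numbers (not real key sizes) and a toy XOR
stream cipher, chosen only to make the flow runnable in a few lines."""
import hashlib
import os
from typing import Optional

# Toy RSA keys as (n, exponent). Sender: p=61, q=53. Recipient: p=101, q=113.
SENDER_PUB, SENDER_PRIV = (3233, 17), (3233, 2753)
RECIPIENT_PUB, RECIPIENT_PRIV = (11413, 3533), (11413, 6597)

def rsa(value: int, key: tuple) -> int:
    """Textbook RSA: value^exponent mod n, used for wrap/unwrap and sign/verify."""
    n, exponent = key
    return pow(value, exponent, n)

def xor_stream(data: bytes, key: bytes) -> bytes:
    """Toy symmetric cipher: XOR with the repeated session key (self-inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def digest(document: bytes, n: int) -> int:
    """Hash the document, then reduce the digest into the toy RSA range."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n

def new_session_key() -> bytes:
    """Random 2-byte session key kept below the recipient's n (toy size)."""
    return (int.from_bytes(os.urandom(2), "big") % RECIPIENT_PUB[0]).to_bytes(2, "big")

def seal(document: bytes, session_key: bytes) -> dict:
    """Sender: encrypt the document with the session key, wrap that key with the
    recipient's public key, sign the document's hash with the sender's private key."""
    return {
        "ciphertext": xor_stream(document, session_key),
        "wrapped_key": rsa(int.from_bytes(session_key, "big"), RECIPIENT_PUB),
        "signature": rsa(digest(document, SENDER_PUB[0]), SENDER_PRIV),
    }

def open_envelope(envelope: dict) -> Optional[bytes]:
    """Recipient: unwrap the session key with own private key, decrypt, then check
    the signature with the sender's public key. Returns None if the check fails."""
    session_key = rsa(envelope["wrapped_key"], RECIPIENT_PRIV).to_bytes(2, "big")
    document = xor_stream(envelope["ciphertext"], session_key)
    if rsa(envelope["signature"], SENDER_PUB) != digest(document, SENDER_PUB[0]):
        return None  # altered in transit, or not signed by the sender's key
    return document

if __name__ == "__main__":
    env = seal(b"Order 42: ship 3 units", new_session_key())
    print(env, open_envelope(env))
```

Because the signature check runs after decryption, an envelope whose signature field was altered is rejected rather than trusted, which is the integrity and authenticity the earlier slide said plain public-key encryption lacks.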

Creating a Digital Envelope [Slide 5-56]
- Figure 4.8, Page 278

Digital Certificates and Public Key Infrastructure (PKI) [Slide 5-57]
- Digital certificate includes:
  - Name of subject/company
  - Subject's public key
  - Digital certificate serial number
  - Expiration date, issuance date
  - Digital signature of CA (name of CA encrypted using CA's private key)
- Public Key Infrastructure (PKI): CAs and digital certificate procedures, PGP

Digital Certificates and Certification Authorities [Slide 5-58]
- Figure 4.9, Page 279

Limits to Encryption Solutions [Slide 5-59]
- Doesn't protect storage of the private key
- PKI not effective against insiders, employees
  - Why is this especially problematic for e-commerce?
- Protection of private keys by individuals may be haphazard
- Under many digital signature laws, you are responsible for whatever your private key does
- No guarantee that the verifying computer of the merchant is secure

Limits to Encryption Solutions (cont.) [Slide 5-60]
- CAs are unregulated, self-selecting organizations
  - How can a CA know about all the corporations within an industry?
- Questionable methods used by CAs to identify certificate holders
- Hacking of CAs
  - DigiNotar example (starts at 44m45s)
  - Google domain certificates. NSA involvement?

Limits to Encryption Solutions (cont.) [Slide 5-61]
- Expected life of a certificate is a function of the frequency of use and the vulnerability of systems using it
- Yet there are CAs that have no policy, or just an annual policy, for reissuing certificates

Securing Channels of Communication [Slide 5-62]
- Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
  - Establishes a secure, negotiated client-server session
- Virtual Private Network (VPN)
  - Allows remote users to securely access the internal network via the Internet
- Wireless (Wi-Fi) networks
  - Wi-Fi Protected Access (WPA) 2

Secure Negotiated Sessions Using SSL/TLS [Slide 5-63]
- Figure 4.10, Page 282

Firewall Protecting Networks [Slide 5-64]
- Hardware or software that uses a security policy to filter communications
- Packet filters (destination is a prohibited port and origin is a prohibited IP address)
- Application gateways: application-based filtering
- Next-generation firewalls (NGFWs)
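An added example, not from the slides, contrasting the header-only decision of a packet filter (prohibited destination port or prohibited origin address, as the slide defines it) with an application gateway that also reads the payload. The addresses, ports, allow-list and sample packets are constructed, not a real deployment.

```python
"""Added example (not from the slides): packet filter vs. application gateway
on constructed sample traffic. Policy values below are illustrative only."""
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    src: str        # source IP address
    dst_port: int   # destination TCP port
    payload: bytes  # application data, which a packet filter never inspects

PROHIBITED_PORTS = {23, 445}                                   # telnet, SMB
PROHIBITED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range
ALLOWED_HOSTS = {b"shop.example"}                              # hosts the gateway forwards to

def packet_filter(pkt: Packet) -> str:
    """Header-only decision, as on the slide: drop if the destination port
    or the origin address is prohibited; otherwise allow."""
    if pkt.dst_port in PROHIBITED_PORTS:
        return "DROP port %d" % pkt.dst_port
    if any(ipaddress.ip_address(pkt.src) in net for net in PROHIBITED_SOURCES):
        return "DROP source %s" % pkt.src
    return "ALLOW"

def application_gateway(pkt: Packet) -> str:
    """Application-based decision: header checks first, then port-80 traffic
    must actually be an HTTP request addressed to an allowed host."""
    verdict = packet_filter(pkt)
    if verdict != "ALLOW" or pkt.dst_port != 80:
        return verdict
    lines = pkt.payload.split(b"\r\n")
    if not lines[0].startswith((b"GET ", b"POST ")) or not lines[0].endswith(b" HTTP/1.1"):
        return "DROP not HTTP on port 80"
    host = next((line[6:].strip() for line in lines[1:]
                 if line.lower().startswith(b"host: ")), None)
    if host not in ALLOWED_HOSTS:
        return "DROP host %r not allowed" % host
    return "ALLOW"

# Constructed samples: a normal request, a non-HTTP payload sent to port 80
# (invisible to the packet filter), and a request from a prohibited source range.
SAMPLES = [
    Packet("198.51.100.20", 80, b"GET /cart HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    Packet("198.51.100.20", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Packet("203.0.113.9", 80, b"GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
]

def run(samples=SAMPLES) -> list:
    """Return (packet filter verdict, application gateway verdict) per sample."""
    return [(packet_filter(p), application_gateway(p)) for p in samples]
```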

Next-generation Firewalls [Slide 5-65]
- Application identification and filtering: identification and filtering of traffic based on applications, rather than just opening ports for any and all traffic
- SSL and SSH inspection: decryption of traffic, providing additional protection from malicious applications and activity that try to hide using encryption to avoid the firewall

Next-generation Firewalls (cont.) [Slide 5-66]
- Intrusion prevention
  - Terminate session
  - Block traffic from a suspicious IP address
  - Reconfigure firewall or security controls
- Directory integration
  - Directory support, e.g., Active Directory, to manage authorized applications based upon users and user groups
- Malware filtering
  - Reputation-based filtering to block applications that have a bad reputation and check for phishing, viruses, and other malware

Firewall Protecting Networks (cont.) [Slide 5-67]
- Hardware or software that uses a security policy to filter communications
- Packet filters (destination is a prohibited port and origin is a prohibited IP address)
- Application gateways: application-based filtering
- Next-generation firewalls (NGFWs)
- Proxy servers (proxies)
  - Software servers that handle all communications sent to and from the Internet
  - Dual-home systems
- Intrusion detection and intrusion prevention

Firewalls and Proxy Servers [Slide 5-68]
- Figure 4.11, Page 285

Protecting Servers and Clients [Slide 5-69]
- Operating system security enhancements
  - Upgrades, patches
  - 10% of Internet users have Windows XP...
- Anti-virus software
  - Easiest and least expensive way to prevent threats to system integrity
  - Requires daily updates

Management Policies, Business Procedures, and Public Laws [Slide 5-70]
- Worldwide, in 2015, companies are expected to spend more than 69 billion on security hardware, software, and services
- Managing risk includes:
  - Technology
  - Effective management policies
  - Public laws and active enforcement