View
219
Download
3
Category
Tags:
Preview:
Citation preview
Chapter 10
Security On The Internet
Agenda
• Security
• Cryptography
• Privacy on Internet
• Virus & Worm
• Client-based Security
• Server-based Security
Security
• Security and trust requirements
• Threats on the Internet
• Sources of the threats
• Security policy
Security and Trust Requirements
• Confidentiality
• Integrity
• Availability
• Legitimate use
• Non-repudiation
Threats on the Internet
• Loss of data integrity
• Loss of data privacy
• Loss of service
• Loss of control
Sources of the Threats
• Hackers
• Cyber terrorists
• Employee error
• Missing procedures
• Wrongly configured software
Hackers
• Monitoring the communication– Private information & password
• Steal hardware & software– Smart card or database
• Intercept the output of a monitor screen• Overloading the service• Trojan horses – virus• Masquerading (IP address spoofing)• Dustbin
Hackers
• Bribe employee• Information of internal network or internal DNS
structure• Social Engineering
– Exploiting habits of employee– Pretending an employee – Organization chart– Phone book– Information gathering and social pressure
Hackers
• Counter measurements– Firewall– Two-factor authentication (know and have)– Audit log file– Digital certificate (user or server)– Message encryption
Cyber Terrorists
• Definition– Use computer resources to intimidate others
• Methods– Virus attack– Alteration of information– Cutting off Communication– Killing from a Distance– Spreading misinformation
Cyber Terrorists
• Counter measurements– Commission of Critical Infrastructure
Protection– Disconnect mission critical systems from public
network– Firewall to monitor communication– The eternity service concept (duplication and
encryption)
Security Policy
• List of resources needed to be protected
• Catalogue the threats for every resource
• A risk analysis (cost and benefit)
• Centralized authorization– Physical access control (policy & procedure)– Logical access control (policy & procedure)
• Test, review and update
Agenda
• Security
• Cryptography
• Privacy on Internet
• Virus & Worm
• Client-based Security
• Server-based Security
Cryptography
• Secret key
• Public key
• Steganography
• Applications
Secret Key
• Symmetric cryptography
• A single key for encryption and decryption
• Use different medium for key and message
• Fast encryption and decryption
• Types– Stream ciphers: bit level– Block ciphers: pre-defined length into a block
Public Key
• Asymmetric key cryptography• SRA algorithm: two distinct keys (private
and public) for every users• Public key decrypt messages encrypted with
private key• Long time to encrypt and decrypt message• RSA to encrypt the symmetric key which
encrypted the message
Public Key
• Usages– Communication between web server and web
browsers for create session key– E-mail uses different public key for different
recipients
Steganogrphy
• Hide information in the ordinary noise and digital systems of sounds and images
• Low quality of free software
• Higher quality for commercial software
• Law requirements for encryption and decryption
Applications
• Enforce privacy– Storing the hash value of password
• Encrypting e-mail– Pretty Good Privacy (PGP): unbreakable– Secure Multipurpose Internet Mail Extensions
(S/MIME): ease to set up with less security– Separate the use of strong symmetric encryption
algorithms and e-mail software– WinZip: for e-mail read by multiple person and
password over the phone
Applications
• Digital Signatures– Digital hash or digital code for each message– Encrypt the digital code with private key– Decrypt the digital code with public key– Digital time stamp (time and date) encrypted
with private key by third party
Agenda
• Security
• Cryptography
• Privacy on Internet
• Virus & Worm
• Client-based Security
• Server-based Security
Privacy on Internet
• Footprints on the Net
• TRUSTe
• The platform for privacy preferences
• Anonymity
Footprints on the Net
• Request a web site– The name of the browser– The operating systems– Preferred language– The last visited web site– IP address and domain name– The client location– The screen resolution and number of colors
Footprints on the Net
• Cookies– The password to open a site– A user name– An e-mail address– Purchasing information
TRUSTe
• An independent, non-profit privacy organization issues online seal called “trustmark”
• To certify an online business is trustworthy, safe and allow checking the privacy practice by a third- party
• Hard to understanding the privacy information by end user
The Platform for Privacy preferences
• Platform for Privacy Preference Project (P3P) by W3C
• Define a way for web site to inform the users of privacy practice before the first page
Anonymity
• Anonymous remailers to replace the header of original e-mail with remailer’s
• Anonymizer
Agenda
• Security
• Cryptography
• Privacy on Internet
• Virus & Worm
• Client-based Security
• Server-based Security
Virus
• Types of viruses
• Virus damage
• Virus strategy
Types of viruses
• Boot sector virus
• Executable virus
• Macro virus
• Hoax viruses and chain letter
Virus Damage
• Annoying
• Harmless
• Harmful
• Destructive
Virus Strategy
• Firewall• Anti-virus program
– Scanner– Shield– Cleaner
• Backup strategy• Education of employee with a frequently
asked questions (FAQ) page
Agenda
• Security
• Cryptography
• Privacy on Internet
• Virus & Worm
• Client-based Security
• Server-based Security
Client-based Security
• Digital certificates
• Smart card
• Biometric identification
Digital Certificates
• Personal information (name and address) file encrypted and password-protected with public key and certification authority (name and validity period)
• Types– Browser and server: SSL encryption– Customer and merchant: SET encryption– Two e-mail partners: S/MIME
Smart Cards• Uses electronically erasable programmable red
only memory (EEPROM)• Types
– Contact cards– Contactless cards– Combi cards
• Information Access– Read only– Add only– Modify or delete– Execution only
Biometric Identification
• Physical characteristics or behavioral traits
• Issues– Acceptance– Accuracy– Cost– Privacy
Agenda
• Security
• Cryptography
• Privacy on Internet
• Virus & Worm
• Client-based Security
• Server-based Security
Server-based Security
• Isolation of web server• Application Proxies• Multi-layered firewall• A trusted operating systems (TOS)• Backup• Least privilege• Balance of power• A good audit system
Trusted Operating Systems
• Types– Virtual Vault by Hewlett Packard– Trusted Solaris by Sun
• Features– Firewall– Intranet– Internet– Distributed system: data and program– Least privilege– Peak usage management– Multi level security– Audit system
Audit System
• Adaptable
• Automated
• Configurable
• Dynamic
• Flexible
• Manageable
• System-wide
Points to Remeber
• Security
• Cryptography
• Privacy on Internet
• Virus & Worm
• Client-based Security
• Server-based Security
Recommended