Secure E-mailSecure E-mail

Message interception (confidentiality)Message interception (confidentiality) Message interception (blocked delivery)Message interception (blocked delivery) Message interception and subsequent replayMessage interception and subsequent replay Message content modificationMessage content modification Message origin modificationMessage origin modification Message content forgery by outsiderMessage content forgery by outsider Message origin forgery by outsiderMessage origin forgery by outsider Message content forgery by recipientMessage content forgery by recipient Message origin forgery by recipientMessage origin forgery by recipient Denial of message transmissionDenial of message transmission

Requirements and SolutionsRequirements and Solutions

Message confidentialityMessage confidentiality Message integrityMessage integrity Sender authenticitySender authenticity nonrepudiationnonrepudiation

Examples of Secure E-mail Examples of Secure E-mail SystemsSystems

PGP (Pretty Good Privacy) – uses PGP (Pretty Good Privacy) – uses public key ring; confidentiality, public key ring; confidentiality, integrityintegrity

S/MIME (Secure Multipurpose Internet S/MIME (Secure Multipurpose Internet Mail Extensions) – uses certificatesMail Extensions) – uses certificates

Multi-Layer SecurityMulti-Layer Security Security Can be Applied at Multiple Security Can be Applied at Multiple

Layers SimultaneouslyLayers Simultaneously

• Application layer security for database, Application layer security for database, e-mail, etc.e-mail, etc.

• Transport layer: SSLTransport layer: SSL

• Internet layer: IPsec Internet layer: IPsec

• Data link layer: PPTP, L2TPData link layer: PPTP, L2TP

• Physical layer: locksPhysical layer: locks

Multi-Layer SecurityMulti-Layer Security

Applying security at 2 or more layers Applying security at 2 or more layers is goodis good

• If security is broken at one layer, the If security is broken at one layer, the communication will still be securecommunication will still be secure

However,However,• Security slows down processingSecurity slows down processing• Multi-Layer security slows down Multi-Layer security slows down

processing at each layerprocessing at each layer

Total SecurityTotal Security

Network Security is Only PartNetwork Security is Only Part Server SecurityServer Security

• Hackers can take down servers with Hackers can take down servers with denial-of-service attackdenial-of-service attack

• Hacker can log in as root user and take Hacker can log in as root user and take over the serverover the server

• Steal data, lock out legitimate users, Steal data, lock out legitimate users, etc.etc.

Total SecurityTotal Security

Server SecurityServer Security

• Occasionally, weakness are discovered Occasionally, weakness are discovered in server operating systemsin server operating systems

• This knowledge is quickly disseminatedThis knowledge is quickly disseminated

• Known security weaknessesKnown security weaknesses

Total SecurityTotal Security

Server SecurityServer Security

• Server operating system (SOS) vendors Server operating system (SOS) vendors create patchescreate patches

• Many firms do not download patchesMany firms do not download patches

• This makes them vulnerable to hackers, This makes them vulnerable to hackers, who quickly develop tools to probe for who quickly develop tools to probe for and then exploit known weaknessesand then exploit known weaknesses

Total SecurityTotal Security

Client PC SecurityClient PC Security

• Known security weaknesses exist but Known security weaknesses exist but patches are rarely downloadedpatches are rarely downloaded

• Users often have no passwords or weak Users often have no passwords or weak passwords on their computerpasswords on their computer

• Adversaries take over client PCs and can Adversaries take over client PCs and can therefore take over control over SSL, therefore take over control over SSL, other secure communication protocolsother secure communication protocols

Total SecurityTotal Security

Application SoftwareApplication Software

• May contain virusesMay contain viruses Must filter incoming messagesMust filter incoming messages

• Database and other applications can Database and other applications can add their own security with passwords add their own security with passwords and other protectionsand other protections

Total SecurityTotal Security

Managing UsersManaging Users

• Often violate security procedures, Often violate security procedures, making technical security worthlessmaking technical security worthless

• Social engineeringSocial engineering: attacker tricks user : attacker tricks user into violating security proceduresinto violating security procedures

Defense in DepthDefense in Depth

FirewallsFirewalls AntivirusAntivirus Intrusion Detection SystemsIntrusion Detection Systems Intrusion Protection SystemsIntrusion Protection Systems