1 / 18

Cyber Security & e-Commerce

Cyber Security & e-Commerce . NCMA – December Meeting December 14, 2000 (Updated 12/18/03) Robert E. Mahan Chief Information Officer Pacific Northwest National Laboratory. Definitions. Cyber Security Cyber – automatic control, usually through some form of computing, network, electronics

carney
Télécharger la présentation

Cyber Security & e-Commerce

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Cyber Security & e-Commerce NCMA – December Meeting December 14, 2000 (Updated 12/18/03) Robert E. Mahan Chief Information Officer Pacific Northwest National Laboratory Cyber

  2. Definitions • Cyber Security • Cyber – automatic control, usually through some form of computing, network, electronics • Security – a state characterized by the freedom from danger, fear, anxiety Cyber

  3. More Definitions • E-commerce • Business transactions in a cyber environment • Buy, sell, contract, bill, pay, etc. • Business-to-Business (B2B), Consumer (B2C) Cyber

  4. E-Commerce – How Big (U.S.)? • Business (B2B) from U.S. Dept. Commerce • 1999 - $913B • 2000 - $997B • 2001 - $995B • Consumer (B2C) from U.S. Dept. of Commerce • 1999 – $15B • 2000 - $29B • 2001 – $34B • About 40M buyers • Point ? It is big business Cyber

  5. What is the worry? (Requirements) • Confidentiality (secrecy, privacy) of the transaction • Integrity of the system and information associated with the transaction • Availability of the system and information so transactions can be completed • Authentication of the parties • Evidence that the transaction occurred as agreed to by both parties (non-repudiation) Cyber

  6. What are the Solutions? • Confidentiality – Encryption in transit & at rest • Integrity – Message and file authentication codes • Availability – Systems secured against intrusion & denial of service • Authentication – From one-time passwords to token to biometric authenticators • Non-repudiation – Digital signatures • Basis for all of these is cryptography – elegant, mathematically provable – magical security dust! Cyber

  7. So…What is the Problem? • There is no magical security dust • Mathematics is perfect, logical, and well-defined, but will only stay that way if perfectly implemented and used. • Mathematics are hard to implement correctly and harder to test • Easy to test functionality (does it do what it is designed to do?) • Hard to test security (does it stop what it is not designed to do?) • Yogi Berra: “In theory there is no difference between theory & practice. In practice there is.” Cyber

  8. More problems! • Vendors create code with vulnerabilities • Users don’t install firewalls, intrusion or virus detection • System administrators don’t patch known holes • Users, share passwords, use lousy passwords, store them on their computers • Plenty of problems everywhere in the chain! • Biggest one is the carbon-based system! Cyber

  9. Problems – the bottom line • Computers/networks are complex systems (the Internet is a system composed of millions of computers connected in a complex structure) • Every operating system, network system, and software application has bugs. • Even if we do it well, we typically only secure the parts, not the whole. • Security is only as strong as the weakest link! Cyber

  10. For example – 7 days in March 2000 • 5,000 credit card # disclosed on the Internet • Taiwan reported 7,000 attempts by Chinese to enter Taiwanese security systems • Pretty Park e-mail worm released • 13 new vulnerabilities reported • 65 web sites defaced • 2 hackers arrested, 2 sentenced, 1 admitted hacking the RSA security site • ++++ more – not an unusual period of time! Cyber

  11. Updated – 7 days in November 2001 • Playboy magazine credit cards stolen (since 1998) • Arab sites continue to be defaced, attacked • Nimda virus/worm still persists (since 9/18) • 4 vulnerabilities reported • 1M attacks on Port 138(Bios), 700k on port 80 • 2 hackers arrested, 1 indicted, 1 trial began, 1 pled guilty Cyber

  12. Costs – Virus Infections • SirCam – $1.15B • Code Red – $2.62B • Love Bug – $8.75B • NIMDA - $2.6B • Slammer - $1B • Lost productivity – unusable systems/cleanup • Bottom Line – The costs are huge! Cyber

  13. What Can We Do? • Prevent • Past focus, especially by auditors • Trouble is…..impossible to prevent • Detect • Emerging focus • Trouble is….detection is difficult • Respond • When all else fails • Investigate, remediate Cyber

  14. What to Do – Extended by DoD • Protect – Lock it down up front • Detect – Watch for nefarious activity • React – When detected, observe in detail • Defend – From tracking to cutting off access • Reconstitute – Re-build breached system • Recover – Restore pre-attack state Cyber

  15. Ok…, but How well must we do it? • Conventional approach – risk reduction • But….. Risk means reducing the event probability • Cannot explicitly identify the adversary or event • Adversary skill, resources, motive is unknown • Loss is unknown, may be large or small • Positive benefit is absence of the unknown loss • New approach – due care or due diligence, best business practices • Reality is BOTH - protection & risk management Cyber

  16. No Brainers • Don’t share, disclose, or store passwords • Turn off unneeded services, disable file sharing • Apply patches for known vulnerabilities • Regularly scan systems for vulnerabilities • Use anti-virus software • Don’t open e-mail attachments w/o questioning the source and potential content • Don’t leave laptops unattended on travel Cyber

  17. Slightly Brainier • Use a firewall – at home a Linksys router will do this very well – or use the XP firewall – or use a freeby like Zone Alarm on older systems • Don’t use free peer-to-peer, like KaZaA (music sharing) or Skype (IP telephone) – they come with built in Trojan Horses • Don’t store passwords unencrypted use something like Password Safe – or store them off-line • Backup, Backup, Backup Cyber

  18. Summarizing • Bad news is: • There is no perfect security – no magic bullets • Even good security is hard • Security will negatively impact productivity • Good news • 90% of the problems are avoidable with a little effort • Cryptography can help a lot • Working on better ways to track down the bad guys • Problem is now more widely recognized Cyber

More Related