420 likes | 435 Vues
Chapter 10. Security On The Internet. Agenda. Security Cryptography Privacy on Internet Virus & Worm Client-based Security Server-based Security. Security. Security and trust requirements Threats on the Internet Sources of the threats Security policy. Security and Trust Requirements.
E N D
Chapter 10 Security On The Internet
Agenda • Security • Cryptography • Privacy on Internet • Virus & Worm • Client-based Security • Server-based Security
Security • Security and trust requirements • Threats on the Internet • Sources of the threats • Security policy
Security and Trust Requirements • Confidentiality • Integrity • Availability • Legitimate use • Non-repudiation
Threats on the Internet • Loss of data integrity • Loss of data privacy • Loss of service • Loss of control
Sources of the Threats • Hackers • Cyber terrorists • Employee error • Missing procedures • Wrongly configured software
Hackers • Monitoring the communication • Private information & password • Steal hardware & software • Smart card or database • Intercept the output of a monitor screen • Overloading the service • Trojan horses – virus • Masquerading (IP address spoofing) • Dustbin
Hackers • Bribe employee • Information of internal network or internal DNS structure • Social Engineering • Exploiting habits of employee • Pretending an employee • Organization chart • Phone book • Information gathering and social pressure
Hackers • Counter measurements • Firewall • Two-factor authentication (know and have) • Audit log file • Digital certificate (user or server) • Message encryption
Cyber Terrorists • Definition • Use computer resources to intimidate others • Methods • Virus attack • Alteration of information • Cutting off Communication • Killing from a Distance • Spreading misinformation
Cyber Terrorists • Counter measurements • Commission of Critical Infrastructure Protection • Disconnect mission critical systems from public network • Firewall to monitor communication • The eternity service concept (duplication and encryption)
Security Policy • List of resources needed to be protected • Catalogue the threats for every resource • A risk analysis (cost and benefit) • Centralized authorization • Physical access control (policy & procedure) • Logical access control (policy & procedure) • Test, review and update
Agenda • Security • Cryptography • Privacy on Internet • Virus & Worm • Client-based Security • Server-based Security
Cryptography • Secret key • Public key • Steganography • Applications
Secret Key • Symmetric cryptography • A single key for encryption and decryption • Use different medium for key and message • Fast encryption and decryption • Types • Stream ciphers: bit level • Block ciphers: pre-defined length into a block
Public Key • Asymmetric key cryptography • SRA algorithm: two distinct keys (private and public) for every users • Public key decrypt messages encrypted with private key • Long time to encrypt and decrypt message • RSA to encrypt the symmetric key which encrypted the message
Public Key • Usages • Communication between web server and web browsers for create session key • E-mail uses different public key for different recipients
Steganogrphy • Hide information in the ordinary noise and digital systems of sounds and images • Low quality of free software • Higher quality for commercial software • Law requirements for encryption and decryption
Applications • Enforce privacy • Storing the hash value of password • Encrypting e-mail • Pretty Good Privacy (PGP): unbreakable • Secure Multipurpose Internet Mail Extensions (S/MIME): ease to set up with less security • Separate the use of strong symmetric encryption algorithms and e-mail software • WinZip: for e-mail read by multiple person and password over the phone
Applications • Digital Signatures • Digital hash or digital code for each message • Encrypt the digital code with private key • Decrypt the digital code with public key • Digital time stamp (time and date) encrypted with private key by third party
Agenda • Security • Cryptography • Privacy on Internet • Virus & Worm • Client-based Security • Server-based Security
Privacy on Internet • Footprints on the Net • TRUSTe • The platform for privacy preferences • Anonymity
Footprints on the Net • Request a web site • The name of the browser • The operating systems • Preferred language • The last visited web site • IP address and domain name • The client location • The screen resolution and number of colors
Footprints on the Net • Cookies • The password to open a site • A user name • An e-mail address • Purchasing information
TRUSTe • An independent, non-profit privacy organization issues online seal called “trustmark” • To certify an online business is trustworthy, safe and allow checking the privacy practice by a third- party • Hard to understanding the privacy information by end user
The Platform for Privacy preferences • Platform for Privacy Preference Project (P3P) by W3C • Define a way for web site to inform the users of privacy practice before the first page
Anonymity • Anonymous remailers to replace the header of original e-mail with remailer’s • Anonymizer
Agenda • Security • Cryptography • Privacy on Internet • Virus & Worm • Client-based Security • Server-based Security
Virus • Types of viruses • Virus damage • Virus strategy
Types of viruses • Boot sector virus • Executable virus • Macro virus • Hoax viruses and chain letter
Virus Damage • Annoying • Harmless • Harmful • Destructive
Virus Strategy • Firewall • Anti-virus program • Scanner • Shield • Cleaner • Backup strategy • Education of employee with a frequently asked questions (FAQ) page
Agenda • Security • Cryptography • Privacy on Internet • Virus & Worm • Client-based Security • Server-based Security
Client-based Security • Digital certificates • Smart card • Biometric identification
Digital Certificates • Personal information (name and address) file encrypted and password-protected with public key and certification authority (name and validity period) • Types • Browser and server: SSL encryption • Customer and merchant: SET encryption • Two e-mail partners: S/MIME
Smart Cards • Uses electronically erasable programmable red only memory (EEPROM) • Types • Contact cards • Contactless cards • Combi cards • Information Access • Read only • Add only • Modify or delete • Execution only
Biometric Identification • Physical characteristics or behavioral traits • Issues • Acceptance • Accuracy • Cost • Privacy
Agenda • Security • Cryptography • Privacy on Internet • Virus & Worm • Client-based Security • Server-based Security
Server-based Security • Isolation of web server • Application Proxies • Multi-layered firewall • A trusted operating systems (TOS) • Backup • Least privilege • Balance of power • A good audit system
Trusted Operating Systems • Types • Virtual Vault by Hewlett Packard • Trusted Solaris by Sun • Features • Firewall • Intranet • Internet • Distributed system: data and program • Least privilege • Peak usage management • Multi level security • Audit system
Audit System • Adaptable • Automated • Configurable • Dynamic • Flexible • Manageable • System-wide
Points to Remeber • Security • Cryptography • Privacy on Internet • Virus & Worm • Client-based Security • Server-based Security