Lesson 3 Security Needs for Successful E-Commerce



  1. Lesson 3 Security Needs for Successful E-Commerce

  2. Overview • Privacy • Multilevel Security • Anonymity • Privacy and the Government • Medical Anonymity • Authentication • Authentication vs Integrity • Auditing

  3. Privacy • Personal • US Govt Privacy Act—democracy is built upon the notion of privacy • EU Data Protection Act of 1995--stiffer than US Privacy Act • Most Businesses believe personal privacy is bad for business • Business • Trade secrets: long term (Coke patent) • Product development data: few years • Financial health: weeks-months • Negotiations: weeks-months • Marketing, product plans, business strategies: months-years

  4. Privacy • Government • Military secrets : short term • Names of spies: until spies’ children are dead

  5. Multilevel Security • US Military schema: U/FOUO, C, S, TS, TS/SCI -- Classification modifiers: NOFORN, LIMDIS (limited distribution), WNINTEL (warning notice: intelligence sources and methods) • MLS is easy to do on paper, but not easy in computers • Security in the real world doesn't fit into hierarchical boxes
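The slide's point that real-world labels do not fit into hierarchical boxes is easiest to see in code. The following is an added example, not part of the lecture: a toy label check using the level names and caveats the slide lists, with the standard Bell-LaPadula "no read up" and "no write down" rules. The compartment names (ALPHA, BRAVO), the caveat-to-authorization mapping and the sample people and documents are constructed for illustration.

```python
# Added example (not from the lecture): a toy multilevel-security label check.
# Level names and caveats (NOFORN, LIMDIS, WNINTEL) follow the slide; the
# read/write rules are the textbook Bell-LaPadula properties. Compartment
# names and the caveat-to-authorization mapping are constructed assumptions.
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical levels, lowest to highest, as listed on the slide.
LEVELS = ["U", "U/FOUO", "C", "S", "TS", "TS/SCI"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# A caveat on a document maps to the authorization a reader must hold
# (constructed mapping for the example).
CAVEAT_REQUIRES = {
    "NOFORN": "US_PERSON",
    "LIMDIS": "LIMDIS_LIST",
    "WNINTEL": "WNINTEL_BRIEFED",
}

@dataclass(frozen=True)
class Label:
    """Classification of a document, or the clearance of a person."""
    level: str
    compartments: FrozenSet[str] = frozenset()
    caveats: FrozenSet[str] = frozenset()

    def __post_init__(self):
        if self.level not in RANK:
            raise ValueError(f"unknown level {self.level!r}")
        unknown = self.caveats - frozenset(CAVEAT_REQUIRES)
        if unknown:
            raise ValueError(f"unknown caveats {sorted(unknown)}")

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label                              # level + compartments read into
    authorizations: FrozenSet[str] = frozenset()  # what satisfies caveats

def dominates(higher: Label, lower: Label) -> bool:
    """Lattice order: level at least as high AND every compartment present.
    Two labels can be incomparable, which is why MLS is not a simple ladder."""
    return (RANK[higher.level] >= RANK[lower.level]
            and lower.compartments <= higher.compartments)

def can_read(subject: Subject, doc: Label) -> bool:
    """Simple-security property ('no read up') plus caveat checks."""
    if not dominates(subject.clearance, doc):
        return False
    return all(CAVEAT_REQUIRES[c] in subject.authorizations for c in doc.caveats)

def can_write(subject: Subject, doc: Label) -> bool:
    """*-property ('no write down'): the target must dominate the writer's label,
    so classified content cannot flow into a lower-classified object."""
    return dominates(doc, subject.clearance)

def demo() -> dict:
    """Constructed subjects and documents showing the non-hierarchical cases."""
    analyst = Subject("us_analyst", Label("TS", frozenset({"ALPHA"})),
                      frozenset({"US_PERSON", "WNINTEL_BRIEFED"}))
    liaison = Subject("foreign_liaison", Label("TS/SCI", frozenset({"ALPHA", "BRAVO"})),
                      frozenset({"WNINTEL_BRIEFED"}))
    secret_noforn = Label("S", caveats=frozenset({"NOFORN"}))
    sci_report = Label("TS/SCI", frozenset({"ALPHA", "BRAVO"}))
    return {
        # Level alone would say yes for both; the caveat blocks the liaison.
        "analyst reads S//NOFORN": can_read(analyst, secret_noforn),   # True
        "liaison reads S//NOFORN": can_read(liaison, secret_noforn),   # False
        # TS is not enough for a TS/SCI compartmented report.
        "analyst reads TS/SCI report": can_read(analyst, sci_report),  # False
        "liaison reads TS/SCI report": can_read(liaison, sci_report),  # True
        # Writing: the analyst may write up into the SCI report, not down to S.
        "analyst writes TS/SCI report": can_write(analyst, sci_report),  # True
        "analyst writes S//NOFORN": can_write(analyst, secret_noforn),   # False
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:30s} -> {'allowed' if allowed else 'denied'}")
```

The liaison case is the one the slide is warning about: a strictly higher clearance level is denied a lower-level document because a non-hierarchical marking applies, and a pure "rank comparison" implementation would get it wrong.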

  6. Anonymity • Complete anonymity: no SSN, no birth records • Pseudonymity: Swiss bank account • True anonymity on the Internet is probably impossible • Commercial, in banking: cost passed on to consumer • Medical: Health Insurance Portability and Accountability Act (HIPAA)

  7. Privacy and the Government • USA PATRIOT Act • Export laws on cryptography (40 bit, 128 bit) • We are losing more of our privacy every day • Philosophical issues -- Do the social ills of privacy outweigh the social good? -- Can government limit a technology because it may hinder law enforcement? • Bottom line: a balance between privacy and safety

  8. Medical Anonymity • Computerized patient data is bad for privacy • Makes it possible for hackers to steal it • But good for patient care and portability -- moving from one treatment facility to another

  9. Authentication Authentication is about: • Continuity of relationships • Knowing whom to trust and not to trust • Making sense of a complex world • Logging onto a network computer is an authentication process • Two types of authentication • Session authentication -- face to face, phone, email • Transaction authentication -- is the transaction valid (i.e. charge card, cashing a check)

  10. Authentication on the WEB • URL problems: Is www.nwa.com = www.northwestairlines.com? (One is Northwest Airlines, the other a travel agency) • Competitor names embedded in WEB pages • The most important security problem to solve is authentication across a digital network.

  11. Authentication vs Integrity • We mix the two up or use them interchangeably -- they are not the same! • Authentication has to do with the origin of the data • Integrity has to do with the "state" of the data, i.e. has it been changed • Integrity is important in: • Stocks • Phone directories • Medical records • Financial records • Employment records • Have you ever received those "incredible" email stories? Heard about www.urbanlegends.com?
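The difference between origin and state is concrete when the same record is checked two ways. The following is an added example, not from the lecture: a plain SHA-256 digest answers the integrity question ("was it changed?"), while a keyed HMAC answers the authentication question ("did it come from the key holder?"). The payment record, keys and the three delivery scenarios are constructed for illustration.

```python
# Added example (not from the lecture): integrity check vs origin check on
# one record. Record contents and keys are constructed sample values.
import hashlib
import hmac

def integrity_tag(data: bytes) -> str:
    """Unkeyed digest: anyone, including an attacker, can compute this."""
    return hashlib.sha256(data).hexdigest()

def verify_integrity(data: bytes, tag: str) -> bool:
    return hmac.compare_digest(integrity_tag(data), tag)

def origin_tag(key: bytes, data: bytes) -> str:
    """Keyed digest: only holders of `key` can produce a matching value."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_origin(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(origin_tag(key, data), tag)

def scenario() -> dict:
    """Three deliveries of a payment record: genuine, corrupted, and forged."""
    shared_key = b"constructed-shared-key-for-the-example"
    record = b"ACCT=1234;AMOUNT=100.00;TO=payee-A"
    published_hash = integrity_tag(record)
    published_mac = origin_tag(shared_key, record)

    # 1. Accidental corruption in transit: neither stored tag matches any more.
    corrupted = record.replace(b"100.00", b"100.0O")

    # 2. Deliberate substitution: the record is rewritten and, because a hash
    #    needs no secret, the hash is recomputed to match. The MAC cannot be
    #    recomputed without the shared key, so a guessed key is the best
    #    a forger can do.
    forged = b"ACCT=1234;AMOUNT=9000.00;TO=payee-X"
    forged_hash = integrity_tag(forged)
    forged_mac = origin_tag(b"guessed-key", forged)

    return {
        "genuine/integrity":   verify_integrity(record, published_hash),           # True
        "genuine/origin":      verify_origin(shared_key, record, published_mac),   # True
        "corrupted/integrity": verify_integrity(corrupted, published_hash),        # False
        "corrupted/origin":    verify_origin(shared_key, corrupted, published_mac),# False
        "forged/integrity":    verify_integrity(forged, forged_hash),              # True
        "forged/origin":       verify_origin(shared_key, forged, forged_mac),      # False
    }

if __name__ == "__main__":
    for check, ok in scenario().items():
        print(f"{check:22s} {'pass' if ok else 'FAIL'}")
```

The forged case is the one that matters: the hash reports "unchanged" because it only describes the state of whatever bytes arrived, and says nothing about where they came from. Only the keyed check ties the record to an origin.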

  12. Auditing • Designed to aid forensics • So you can detect a successful attack or system compromise • Figure out what happened, to bring the attacker to justice • Electronic currency: "Will we repave cowpaths by just moving cash, checks, debit cards, credit cards, gift certificates, and letters of credit to the Internet?" • Consider these items: • ATMs • Credit card authentication and validation • Digital cash via "points" systems (pseudo-currencies) • Solutions are reactive, not proactive
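An audit trail only aids forensics if the intruder cannot quietly rewrite it after the compromise. The following is an added example, not from the lecture: a hash-chained, append-only audit log in which every entry commits to the previous one, so editing or deleting an earlier record shows up when the chain is verified, plus a small forensic query over the events. The login and transfer events are constructed sample data.

```python
# Added example (not from the lecture): a tamper-evident, hash-chained audit
# log. Entries and the "intruder" edits below are constructed sample data.
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # prev-hash of the first entry

def _entry_hash(seq: int, event: dict, prev: str) -> str:
    body = json.dumps({"seq": seq, "event": event, "prev": prev}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

class AuditLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "event": event, "prev": prev,
                 "hash": _entry_hash(seq, event, prev)}
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Sequence number of the first broken entry, or None if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if (e["seq"] != i or e["prev"] != prev
                    or e["hash"] != _entry_hash(i, e["event"], prev)):
                return i
            prev = e["hash"]
        return None

    def failed_logins_by_user(self) -> dict:
        """Forensic query: who had failed logins, and how many."""
        counts: dict = {}
        for e in self.entries:
            ev = e["event"]
            if ev.get("type") == "login" and ev.get("result") == "fail":
                counts[ev["user"]] = counts.get(ev["user"], 0) + 1
        return counts

def build_sample_log() -> AuditLog:
    """Constructed events: two failed logins for bob, then a success and a transfer."""
    log = AuditLog()
    for ev in [
        {"type": "login", "user": "alice", "result": "ok",   "src": "10.0.0.5"},
        {"type": "login", "user": "bob",   "result": "fail", "src": "10.0.0.9"},
        {"type": "login", "user": "bob",   "result": "fail", "src": "10.0.0.9"},
        {"type": "login", "user": "bob",   "result": "ok",   "src": "10.0.0.9"},
        {"type": "transfer", "user": "bob", "amount": 5000, "to": "acct-77"},
    ]:
        log.append(ev)
    return log

def tamper_demo() -> dict:
    log = build_sample_log()
    before = log.verify()                       # None: chain intact

    # An intruder with write access edits one record in place to hide a failure...
    log.entries[1]["event"]["result"] = "ok"
    edited = log.verify()                       # 1: stored hash of entry 1 no longer matches

    # ...or deletes a record outright.
    log = build_sample_log()
    del log.entries[2]
    deleted = log.verify()                      # 2: the old entry 3 now sits at seq 2

    return {"before": before, "edited": edited, "deleted": deleted,
            "failed_logins": build_sample_log().failed_logins_by_user()}

if __name__ == "__main__":
    print(tamper_demo())
```

The chain detects changes to the body of the log, but an intruder who can rewrite every entry after the tampered one can still recompute the whole chain. In practice the newest hash is periodically copied to a place the monitored system cannot write (a remote log collector or write-once storage), which turns the chain into real evidence rather than a self-certifying file.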

  13. A Distributed DoS in Action: Registration Phase (diagram). Labels recoverable from the figure: Client, Hacker, Master Control Programs with "Verify Registration" and *Hello* / PONG / png exchanges, Master Hosts, Broadcast Agents on Broadcast Hosts, The Internet.

  14. A Distributed DoS in Action: The Attack Phase (diagram). Labels recoverable from the figure: Client, Hacker, Broadcast Agents on Broadcast Hosts, Attack Targets and Target across The Internet; arrows labelled "UDP Flood Attack"; "COLLATERAL DAMAGE" marked at the targets.

  15-18. How CODE RED Works (diagram sequence): a first infected system scans to find new victims (100 system probes); each new victim starts the scanning process over again; from the 20th of the month to end of month, the primary target is www.whitehouse.gov.

  19-22. How NIMDA Works (diagram sequence): a first infected system is hit by an attacking system, which delivers Admin.dll (containing the NIMDA payload) via tftp; the infected system then sends infected email attachments, propagates via open file shares, scans the network for vulnerable IIS web servers, and NIMDA attaches itself to web pages on the infected server. NIMDA prefers to target its neighbors, giving very rapid propagation.

  23. Summary • Privacy -- consumers want it • Multilevel Security -- government demands it • Anonymity -- not guaranteed • Privacy and the Government -- balancing act • Medical Anonymity - Good…Bad • Authentication - most important security problem to solve • Authentication vs Integrity -- not the same • Auditing -- aids forensics
