Design process begins with a chief security officer
Five major steps
Assessing the security needs of the firm
Establishing a good policy
Fulfilling Web security needs
Structuring the security environment
Monitoring the system
The Security System Design Process
Designing the Security Environment
The design begins with the sequence and parameters in the security network based on the security policy and requirements of the e-commerce system
How much security depends on how much risk the company is willing to take, the security policy it is willing to adopt, and the present state of security practices
A security perimeter generally includes firewalls, authentication, virtual private networks (VPNs), and intrusion detection devices
The first line of defense is the firewall
Another technology protecting the perimeter is authentication
Security in the Middle Ages
Monitoring the Security System
Separation of responsibilities
Security system must be monitored via feedback mechanisms to ensure that the entire system is working properly
Monitoring
Capture processing details for evidence
Verify that e-commerce is operating within the security policy
Verify that attacks have been unsuccessful
How Much Risk Can You Afford?
How secure are we? How much will it cost to secure our system?
Estimate the pain threshold your company and the attacker are willing to tolerate
Goal of security strategies, methods, and procedures is to raise the threshold of pain an attacker must endure to access and cause damage to a system
What is the level of protection required against the risks the merchant is willing to assume?
Kinds of Threats or Crimes
Those that are physically related
Steal & damage information on a computer
Those that are order related
Misused credit cards
Insider tampering
Those that are electronically related
Manipulate or steal data “in-flight”
A sniffer is a person or a program that uses the Internet to record information as it transmits through a router from its source to its destination
Denial of service (DoS) is an attack by a third party that prevents authorized users from accessing the infrastructure
Distributed denial of service attacks
DDoS
http://www.cs3-inc.com/pk_whatisddos.html
Hacker Strategies
Social engineering
Shoulder surfing
Dumpster diving
Whacking (wireless hacking)
Hacker Prevention
Perform an online security checkup or install a firewall on your computer workstation
Intrusion detection is sensing when a system is being used without authorization
Hire a hacker who works at foiling the efforts of the troublemakers rather than at hacking
Conduct cyber-forensic investigations and hire cyber-investigators to set up alarms and traps to watch and catch intruders and criminals within the networks
The Players: Hackers, Crackers, and Other Attackers
Hackers
Original hackers created the Unix operating system and helped build the Internet, Usenet, and the World Wide Web, and used their skills to test the strength and integrity of computer systems
Over time, the term hacker came to be applied to rogue programmers who illegally break into computers and networks
Hacker underground
http://www.defcon.org/
http://www.blackhat.com/
http://www.2600.com/
The Players: Hackers, Crackers, and Other Attackers (cont.)
Uber Haxor
Wizard Internet Hackers
Highly capable attackers
Responsible for writing most of the attacker tools
Crackers
People who engage in unlawful or damaging hacking; short for “criminal hackers”
Other attackers
“Script kiddies” are ego-driven, unskilled crackers who use information and software (scripts) that they download from the Internet to inflict damage on targeted sites
1. [very common] The lowest form of cracker; script kiddies do mischief with scripts and rootkits written by others, often without understanding the exploit they are using. Used of people with limited technical expertise using easy-to-operate, pre-configured, and/or automated tools to conduct disruptive activities against networked systems. Since most of these tools are fairly well-known by the security community, the adverse impact of such actions is usually minimal.
2. People who cannot program, but who create tacky HTML pages by copying JavaScript routines from other tacky HTML pages. More generally, a script kiddie writes (or more likely cuts and pastes) code without either having or desiring to have a mental model of what the code does; someone who thinks of code as magical incantations and asks only “what do I need to type to make this happen?”
More info: http://www.tamingthebeast.net/articles/scriptkiddies.htm
How Hackers Hack
Many Techniques
Social Engineering
Get someone to give you their password
Cracking
Guessing passwords
A six-letter password (no caps): > 300 million possibilities
Merriam-Webster's citation files, which were begun in the 1880s, now contain 15.7 million examples of words used in context and cover all aspects of the English vocabulary.
http://www.m-w.com/help/faq/words_in.htm
Buffer Overflows
Getting code to run on other PCs
Load a Trojan or BackDoor
Snoop and Sniff
Steal data
Denial of Service (DoS)
Crash or cripple a computer from another computer
Distributed Denial of Service (DDoS)
Crash or cripple a computer from multiple distributed computers
Maine’s Anti-Hacker laws
§432. Criminal invasion of computer privacy
1. A person is guilty of criminal invasion of computer privacy if the person intentionally accesses any computer resource knowing that the person is not authorized to do so. [1989, c. 620 (new).]
2. Criminal invasion of computer privacy is a Class D crime. [1989, c. 620 (new).]
§433. Aggravated criminal invasion of computer privacy
1. A person is guilty of aggravated criminal invasion of computer privacy if the person:
A. Intentionally makes an unauthorized copy of any computer program, computer software or computer information, knowing that the person is not authorized to do so; [1989, c. 620 (new).]
B. Intentionally or knowingly damages any computer resource of another person, having no reasonable ground to believe that the person has the right to do so; or [1989, c. 620 (new).]
C. Intentionally or knowingly introduces or allows the introduction of a computer virus into any computer resource, having no reasonable ground to believe that the person has the right to do so. [1989, c. 620 (new).]
2. Aggravated criminal invasion of computer privacy is a Class C crime. [1989, c. 620 (new).]
The National Strategy to Secure Cyberspace
Create a cyberspace security response system
Establish a threat and vulnerability reduction program
Improve security training and awareness
Secure the government’s own systems
Work internationally to solve security issues (U.S. Department of Homeland Security)
Most serious attack on a client computer or a server in an Internet environment is the virus
A virus is a malicious code that replicates itself and can be used to disrupt the information infrastructure
Viruses commonly compromise system integrity, circumvent security capabilities, and cause adverse operation by exploiting the network's information systems
Types of Viruses
A file virus attacks executable files
A boot virus attacks the boot sectors of hard drives and diskettes
A macro virus exploits the macro commands in software applications such as Microsoft Word
Levels of Virus Damage
Steps for Antivirus Strategy
Establish a set of simple enforceable rules for others to follow
Educate and train users on how to check for viruses on a disk
Inform users of the existing and potential threats to the company’s systems and the sensitivity of information they contain
Spyware monitors everything that you do and sends out reports to marketing agencies
Usually tied to a pop-up server
Top Spyware
I-Look Up
CoolWebSearch
N-CASE
GATOR
DoubleClick
If you have ever had ICQ loaded on your PC, you have spyware
If you have ever had KAZAA loaded on your PC, you have spyware
If you have loaded Quicken or TurboTax, you have spyware
C-Dilla
Spyware infestation. Taken by Brandon Waddell.
Spyware and Adware
Spyware is software the user unknowingly installs, through an e-mail attachment or by downloading an infected file, that could be used for illicit purposes
Adware is software that sneaks onto a user’s hard disk, installed by Internet advertising companies to promote pop-up ads and release information to outside advertisers
Spyware Solutions
Enforce strict user Web policies on surfing and downloading activities
Install a desktop firewall on every laptop and desktop - http://www.zonelabs.com
Do not give users administrator privileges
Configure an e-mail gateway to block all executable e-mail attachments
Ensure desktop antivirus software signatures are up to date - http://www.grisoft.com
Spyware Solutions (Cont’d)
Use commercial antispyware software to detect and remove existing spyware programs - http://www.spybot.com
Keeping Your PC Spyware Free.pdf
Enforce the use of higher security settings in Internet browsers to block sites that cause spyware infection
Use pop-up blockers, since pop-ups often lead to Web sites of low trustworthiness
Educate your employees and staff about spyware threats by creating an active outreach with groups and organizations, including the Consortium of Anti-Spyware Technology (COAST)
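The e-mail gateway rule above (block all executable attachments), written out as an added example that is not from the slides: it inspects both the full extension chain of each attachment's name and its leading bytes, so a double-extension file or a renamed executable is caught. The policy list, addresses and message are all constructed.

```python
from email.message import EmailMessage

# Constructed gateway policy: file extensions treated as executable content
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi"}
# Windows PE files start with the bytes "MZ"; checking content as well as the
# name stops a renamed executable (e.g. "notes.txt") from passing on its name alone
PE_MAGIC = b"MZ"

def is_executable_attachment(filename, payload):
    """True if the name or the leading bytes mark the attachment as executable."""
    name = (filename or "").lower().rstrip(". ")  # "setup.exe." and "setup.exe " still count
    # Inspect every extension in the chain, so "report.pdf.exe" is caught too
    if any("." + ext in EXECUTABLE_EXTS for ext in name.split(".")[1:]):
        return True
    return payload[:len(PE_MAGIC)] == PE_MAGIC

def filter_message(msg):
    """Split a parsed message's attachments into (blocked_names, kept_names)."""
    blocked, kept = [], []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        (blocked if is_executable_attachment(fname, data) else kept).append(fname)
    return blocked, kept

def build_sample():
    """Constructed message: a benign PDF, a double-extension .exe and a renamed .exe."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "staff@example.com"  # constructed
    msg["Subject"] = "Quarterly report"
    msg.set_content("See the attached files.")
    msg.add_attachment(b"%PDF-1.4 (constructed, not a real PDF)",
                       maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 (constructed, not a real program)",
                       maintype="application", subtype="octet-stream", filename="report.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00 (constructed, renamed to look like text)",
                       maintype="text", subtype="plain", filename="notes.txt")
    return msg
```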
Compliance Legislation
The Gramm-Leach-Bliley Act
Protects personal data
The VISA USA Cardholder Information Security Program
Level of monitoring and control the organization wants
Financial and administrative
Whether the company wants internal firewalls installed
Firewall Design features
Security policy
Deny policy
Filtering ability
Scalability
Authentication
Recognizing dangerous services
Effective audit logs
Corporate Networks and Firewalls
How Firewalls Work
Firewalls check packets going in and out of networks
Decide which packets go through and which don’t
Work in both directions
Only one part of security
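The packet-filtering behaviour described above, as an added example that is not from the slides: a first-match rule list applying the deny policy and audit log named under Firewall Design features, run over constructed packets in both directions. Addresses, ports and rules are all constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = Internet -> corporate network, "out" = the reverse
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dst_net: str    # CIDR, e.g. "10.0.0.10/32"; "0.0.0.0/0" matches any destination
    dport: int
    action: str     # "allow" or "deny"

class Firewall:
    """First-match rule list with a default-deny policy and an audit log."""
    def __init__(self, rules):
        self.rules, self.audit_log = list(rules), []

    def decide(self, pkt):
        for r in self.rules:
            if ((r.direction, r.proto, r.dport) == (pkt.direction, pkt.proto, pkt.dport)
                    and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(r.dst_net)):
                return self._log(pkt, r.action, "matched rule")
        return self._log(pkt, "deny", "default deny")  # nothing matched: drop it

    def _log(self, pkt, action, why):
        self.audit_log.append(f"{action} {pkt.direction} {pkt.proto} "
                              f"{pkt.src}->{pkt.dst}:{pkt.dport} ({why})")
        return action

# Constructed policy: outsiders reach only the web server on 80/443, insiders may browse; all else denied
RULES = [Rule("in", "tcp", "10.0.0.10/32", 80, "allow"),
         Rule("in", "tcp", "10.0.0.10/32", 443, "allow"),
         Rule("out", "tcp", "0.0.0.0/0", 80, "allow"),
         Rule("out", "tcp", "0.0.0.0/0", 443, "allow")]

def run_sample():
    fw = Firewall(RULES)
    pkts = [Packet("in", "tcp", "203.0.113.7", "10.0.0.10", 443),    # customer -> web server
            Packet("in", "tcp", "203.0.113.7", "10.0.0.10", 3389),   # probe of a closed port
            Packet("in", "tcp", "203.0.113.7", "10.0.0.25", 80),     # web port on a client PC
            Packet("out", "tcp", "10.0.0.25", "198.51.100.3", 443),  # staff browsing out
            Packet("out", "udp", "10.0.0.25", "198.51.100.3", 53)]   # DNS: not in the policy
    return [fw.decide(p) for p in pkts], fw.audit_log
```

run_sample() returns the five decisions and the audit log entries the monitoring step can later review.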
Firewalls
[Figure: Firewalls as an attack prevention system. An attacker on the Internet sends attack messages toward the corporate network; the firewall stops most attack messages before they reach the hardened client PC and the hardened server with permissions behind it.]
How Personal Firewalls work
Software version of a standard hardware firewall
Controls packets in and out of one PC in much the same way as a hardware firewall does
Cycle of Recovery from Attack
Attack detection and vulnerability assessment
Damage assessment and evidence collection
Correction and recovery
Vigilance and corrective feedback
Biometric Security
Biometrics is the science and technology of quantifying and statistically scrutinizing biological data
Biometrics enhance authentication
Biometric devices ensure that the person who encrypts data is the only one who can decrypt and has access to the data
Applying biometric technology on a smart card also would increase the level of confidence in the security
When considering biometric technologies for future use, management needs to implement a cost-effective system appropriate to its particular circumstances
Types of Biometrics and Select Application Areas
Types of Biometrics and Select Application Areas (Cont’d)
Terrorism
http://www.state.gov/s/ct/rls/fs/37191.htm
Abu Nidal Organization (ANO)
Abu Sayyaf Group
Al-Aqsa Martyrs Brigade
Ansar al-Islam
Armed Islamic Group (GIA)
Asbat al-Ansar
Aum Shinrikyo
Basque Fatherland and Liberty (ETA)
Communist Party of the Philippines/New People's Army (CPP/NPA)
Continuity Irish Republican Army
Gama’a al-Islamiyya (Islamic Group)
HAMAS (Islamic Resistance Movement)
Harakat ul-Mujahidin (HUM)
Hizballah (Party of God)
Islamic Jihad Group
Islamic Movement of Uzbekistan (IMU)
Jaish-e-Mohammed (JEM) (Army of Mohammed)
Jemaah Islamiya organization (JI)
al-Jihad (Egyptian Islamic Jihad)
Kahane Chai (Kach)
Kongra-Gel (KGK, formerly Kurdistan Workers' Party, PKK, KADEK)
Lashkar-e Tayyiba (LT) (Army of the Righteous)
Lashkar i Jhangvi
Liberation Tigers of Tamil Eelam (LTTE)
Libyan Islamic Fighting Group (LIFG)
Moroccan Islamic Combatant Group (GICM)
Mujahedin-e Khalq Organization (MEK)
National Liberation Army (ELN)
Palestine Liberation Front (PLF)
Palestinian Islamic Jihad (PIJ)
Popular Front for the Liberation of Palestine (PFLP)
Tanzim Qa'idat al-Jihad fi Bilad al-Rafidayn (QJBR) (al-Qaida in Iraq) (formerly Jama'at al-Tawhid wa'al-Jihad, JTJ, al-Zarqawi Network)
United Self-Defense Forces of Colombia (AUC)
How Modern Terrorism Uses the Internet
National Strategy to Secure Cyberspace
The National Strategy to Secure Cyberspace articulates five national priorities including:
I. A National Cyberspace Security Response System;
II. A National Cyberspace Security Threat and Vulnerability Reduction Program;
III. A National Cyberspace Security Awareness and Training Program;
IV. Securing Governments’ Cyberspace;
V. National Security and International Cyberspace Security Cooperation.
cyberspace_strategy.pdf
USA Patriot Act
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
Enacted in October 2001 and was to last for 4 years
USA Patriot Act Improvement And Reauthorization Act Of 2005
Signed March 2006
ACLU response
Expands terrorism laws to include “domestic terrorism” which could subject political organizations to surveillance, wiretapping, harassment, and criminal action for political advocacy.
Expands the ability of law enforcement to conduct secret searches, gives them wide powers of phone and Internet surveillance, and access to highly personal medical, financial, mental health, and student records with minimal judicial oversight.
Allows FBI Agents to investigate American citizens for criminal matters without probable cause of crime if they say it is for “intelligence purposes.”
Permits non-citizens to be jailed based on mere suspicion and to be denied re-admission to the US for engaging in free speech. Suspects convicted of no crime may be detained indefinitely in six month increments without meaningful judicial review.
Implications for Management
The Internet is becoming an increasingly filtered channel of communication
Information security continues to be deemphasized or ignored by management at all levels of the organization
Changes in the identification of threats, the growing advancement of technologies, and the identification of new threats continue to shift the organizational security focus
Any serious profile should begin with a valid security policy, which is then translated into an effective security plan with a focus on prevention, detection, and correction of threats