Security Issues in distributed systems - PowerPoint PPT Presentation

1 / 34
About This Presentation
Title:

Security Issues in distributed systems

Description:

... software or hardware tool to gain unauthorised ... Malware is a major problem. Encryption and authorisation technologies are major security techniques in use. ... – PowerPoint PPT presentation

Number of Views:1003
Avg rating:3.0/5.0
Slides: 35
Provided by: Shap6
Category:

less

Transcript and Presenter's Notes

Title: Security Issues in distributed systems


1
Security Issues in distributed systems
  • Security requirements
  • Encryption
  • Privacy
  • Authorisation
  • Denial of service
  • Malware

2
Critical Infrastructure Areas
  • Include
  • Telecommunications
  • Transportation
  • Electrical power systems
  • Water supply systems
  • Gas and oil pipelines
  • Government services
  • Emergency services
  • Banking and finance
  • .

3
What is a secure computer system?
  • To decide whether a computer system is secure,
    you must first decide what secure means to you,
    then identify the threats you care about.
  • You will never own a perfectly secure system!

4
Security threats examples
  • viruses, Trojan horses, etc., denial of service,
    stolen customer data, modified databases,
    identity theft and other threats to personal
    privacy, equipment theft, spying in cyberspace,
    hack-tivism, cyberterrorism..

5
Basic components of security
  • CIA (confidentiality, integrity, availability)
  • Confidentiality who is authorized to use data?
  • Integrity is data good?
  • Availability can access data whenever need it?

6
Need to balance CIA
  • Example 1 C vs. IA
  • Disconnect computer from Internet to increase
    confidentiality
  • Availability suffers, integrity suffers due to
    lost updates
  • Example 2 I vs. CA
  • Have extensive data checks by different
    people/systems to increase integrity
  • Confidentiality suffers as more people see data,
    availability suffers due to locks on data under
    verification.

7
Privacy-related to confidentiality
  • Privacy is the ability of an individual to
    control information about him/herself.
  • Various laws protect privacy, such as the Data
    Protection Act which places restrictions on the
    storage and use of personal data. The Internet
    can threaten privacy in various ways.

8
Threats to Privacy in distributed systems
  • The Internet allows information about individuals
    to be collected automatically and to be stored
    systematically in easily accessible form.
  • Different sources of information can be merged
    relatively easily for example, the Electoral
    Register can be merged with information gathered
    over the Web.

9
Opportunities for Collecting Personal Data
  • Web site registration when a user buys goods
    over the Internet he/she is normally required to
    enter personal details (at minimum, name, address
    and telephone number).
  • Tracking of behaviour as user navigates a Web
    site pages visited in a virtual store may
    indicate personal preferences, spending profile.
  • If individual joins newsgroups, e-mail listings,
    information can be collected.

10
Cookies and Privacy
  • A cookie is a small data file (limited in size)
    that a server can send to a user's browser.
  • The cookie is stored in the user's computer and
    can be retrieved by the server when the browser
    next contacts the server.
  • The cookie enables the server to identify the
    user uniquely and thereby track the user's
    behaviour.
  • Users are allowed to delete cookies but this
    often disables interaction with useful software
    (such as ASP).

11
Protection of Privacy
  • Europe and North America have formulated various
    principles concerning privacy.
  • Notice/awareness consumers must be made aware
    that personal information is being collected.
  • Choice/consent consumers must be able to choose
    whether or not to opt out of various uses of
    their personal data e.g. whether or not the data
    can be passed on to third parties.
  • Access to data stored about themselves.
    Consumers have a right to view the data that an
    organisation stores about them and to have
    inaccuracies corrected.

12
Major Security Needs
  • Authentication how can a party to a transaction
    verify that another party is who they claim to
    be?
  • Authorisation does a party have a right to
    access resources in the way they want?
  • Auditing can activities in the system be
    recorded and used in an audit trail?
  • Confidentiality will such information be
    protected? (i.e. not disclosed to third parties,
    destroyed after use if necessary)

13
Major security needs continued
  • Integrity data should not be modified in an
    unauthorised or accidental manner.
  • Availability are services of system available
    when they should be
  • Non-repudiation if a transaction (e.g. a money
    transfer) is agreed between two parties then both
    parties must adhere to the transaction

14
Major Security Threats
  • Interception - An unauthorised party gets access
    to a service or data
  • Interruption Services or data become
    unavailable (corrupted, unusable, etc.)
  • Modification Unauthorised alteration of data
  • Fabrication Creation of false data, e.g. extra,
    fake, password entries.

15
Types of Cyber Attacks
  • Non-technical attacks perpetrators gain access
    to a system by some form of cheating or deception
  • Technical attacks a hacker uses a software or
    hardware tool to gain unauthorised access.

16
Protection and Security Technologies
  • Data and services can be protected against
    different types of attack.
  • Protection mechanisms include authentication
    techniques which enable entities to prove who or
    what they are, encryption which ensures that data
    is kept confidential, firewalls which prevent
    unauthorised communications from gaining access
    to a system and of course various physical
    barriers such as locks.

17
Secret communication with a shared secret key
  • Both A and B share a secret key K.
  • A uses K and an agreed encryption function E(K,M)
    to encrypt and send a message to B.
  • B reads the encrypted messages using the
    corresponding decryption function D(K,M).

18
Problems
  • How can A send a shared key K to B securely?
  • If many users use the same key for communication,
    then the key is at a higher risk of being
    revealed.
  • If every two users are assigned a different key,
    then too many keys are needed for a large group
    of users.

19
Communication with public keys
  • There is a pair of keys Ksecret and Kpublic.
  • Only one user A keeps Ksecret, while Kpublic is
    accessible to everyone.
  • If B wants to send a message M to A, then B uses
    Kpublic to encrypt it with a public-key
    algorithm.
  • A uses his private key Ksecret to decrypt the
    message.

20
Use of cryptography
  • Secrecy and integrity
  • Authentication
  • Digital signatures

21
Interception
  • This includes unauthorised access to data and
    services
  • Transmitted data
  • In electronic commerce applications, credit card
    numbers and other financial information are
    extremely valuable and must be highly protected.
  • Transmitted data is usually protected by
    encryption.

22
Unauthorised Access
  • Stored data and services must be protected from
    interception. Users must be able to prove who
    they are and that they are authorised to have
    access.
  • Security protection normally includes user ids
    and password protection. Passwords are
    vulnerable. Users have difficulty remembering
    many passwords and tend to choose ones that are
    easy to hack. Passwords should be encrypted.
    Users using public Internet access points put
    their passwords at risk.

23
User Authorisation
  • The basic method of user id and password
    (knowledge) access to a service is often
    augmented by extra mechanisms such as
  • smart cards (possession)
  • biometric technology (trait)
  • encryption
  • firewalls (extra point of security control)
  • physical controls (secure rooms, locks, call-back
    modems)

24
Smart Cards
  • The possession of a smart card is another way of
    a user proving that they have authorised action.
    The smart card reader is tamper-proof so that the
    user's PIN cannot be read.

25
Biometric Identification
  • Each human has certain unique characteristics
    that can be stored digitally, such as
    fingerprints, iris images, signatures,
    voiceprints and even earprints.
  • A machine that measures a given biometric feature
    and compares it with a database of features of
    authorised users can be used to control access to
    a system.

26
Firewalls
  • A firewall is software (and possibly hardware)
    which controls network access to an
    organisation's systems.
  • An IP-based firewall usually intercepts IP
    packets as they arrive and decides which ones can
    pass through.
  • Can control by IP address and by port number (for
    example).
  • Can re-map internal addresses to virtual IP
    addresses so that external entities do not know
    network addresses in use inside the organisation.

27
Denial-of-Service Attacks
  • In a denial-of-service attack, the attacker
    attempts to prevent the system from working
    properly.
  • Two common forms of DOS attack are spamming and
    malicious code.

28
Spamming/DDOS
  • With spamming, a service is flooded with fake
    requests, preventing it from servicing authentic
    requests.
  • Examples e-mail bombing, repeated SYN packets to
    create useless TCP connections
  • Distributed Denial of Service (DDOS) hacker
    hijacks many innocent machines and mounts attack
    from them.
  • (Note that such attacks often work at a low level
    in the system so that authorisation controls do
    not prevent them.)

29
Auditing
  • This means recording a history of activities in a
    system. Allows detection of attacks after they
    have occurred.
  • Acts as a deterrent, as a policing mechanism and
    as a technique gathering information on types of
    attacks. Aids in formulation of theory of attacks.

30
Malicious software
  • Malicious software (malware) propagates
    throughout the Internet, causing damage in
    various ways
  • A virus is a piece of code that inserts itself
    into files and other locations in a host when it
    is run on arrival at the host machine. Viruses
    are propagated via e-mail attachments, removable
    disks and other forms of file transfer.

31
  • A worm is a program that can run independently on
    a machine and spread itself by creating direct
    network and internetwork connections.
  • A Trojan horse is a virus or worm which spreads
    itself by being disguised as a program with a
    benign function. The payload of the Trojan horse
    may be activated by a date change or some other
    activity and attacks the computer, e.g. by
    destroying the file system.

32
Malware Protection
  • Virus detection software monitors data arriving
    in a system and scans it for the characteristics
    of known malware.
  • Viruses and Trojans are created continuously so
    detection software should be updated daily.
  • Operating systems often have vulnerabilities so
    system manager should download security patches
    regularly.

33
Non-Repudiation
  • This can be ensured with the judicious use of
    Public Key Encryption.
  • Party 1 sends encrypted authorisation message to
    Party 2. Party 2 is able to read the
    authorisation message and thus prove (to a third
    party) that Party 1 agreed to the transaction.

34
Summary
  • Privacy is a major concern.
  • Attacks on systems attempt to read data,
    interfere with data.
  • Malware is a major problem.
  • Encryption and authorisation technologies are
    major security techniques in use.
  • Security points include service pages (i.e. to
    enter sensitive services such as payment),
    firewalls, biometric readers, card readers and
    locks.
  • A combination of security technologies should be
    used.
Write a Comment
User Comments (0)
About PowerShow.com