ebusiness Security - PowerPoint PPT Presentation

About This Presentation
Title:

ebusiness Security

Description:

It allows organizations to create a secure organizational network that ... A secure Virtual Private Network may be established between identified users ...

Number of Views:248
Avg rating:3.0/5.0
Slides: 31
Provided by: henryccoan

Transcript and Presenter's Notes



1
e-business Security
  • Henry C. Co
  • Technology and Operations Management,
  • California Polytechnic and State University

2
Security Authentication
  • Concerns
  • Hackers
  • Industrial Espionage/Hi-Tech Criminals
  • Viruses
  • Denial Of Service

3
Hackers
  • There are many hackers (it's hard to know exactly
    how many). Many of them have unimpressive skills,
    aren't creative, and simply borrow someone else's
    hacking software for their exploits. Good news:
    there are routine and simple security measures to
    protect your Internet traffic against the
    junior-grade hackers.
  • Some hacker masterminds can find new ways to
    break into computers. But such people are rare,
    which means it's extremely unlikely they'll attack
    your business unless it's a very high-profile
    target.

4
Industrial Espionage
  • If company information is valuable to big and
    wealthy competitors, you may be at risk using the
    Internet.
  • In the past the target was fax interception
    (microwave and satellite links make interception
    easy).
  • Industrial spies have turned their attention to
    e-mail and other Internet traffic: if that's where
    the secrets are flowing, that's where they will
    look.
  • It is easy to stop this sort of spying: scramble
    (encrypt) your messages.
  • The main cost is training your people; the
    software you need isn't expensive.

5
Viruses
  • Computer viruses can enter systems in a variety
    of ways:
    - e-mail attachments
    - software installation
    - files brought by employees from home, etc.
  • A virus can quickly proliferate from system to
    system and user to user, and cause damage to data,
    applications and networks.
  • Viruses must be identified quickly, isolated, and
    the damage repaired.
  • Antivirus software provides virus detection for
    desktops, servers, and gateways.

6
Denial Of Service
  • The attacker's goal is to incapacitate a
    company's network so it can neither receive nor
    send communications.
  • Because the network is connected to other
    networks and, therefore, dependent on those
    networks to send it information, an attacker can
    bring down a network indirectly.
  • By attacking the networks which connect others to
    a network, it is possible for an attacker to
    disrupt connection to the Internet.
  • By forging ICMP-redirect messages, an attacker
    can cause the network to lose communications.
  • Fortunately, the Internet was designed to
    re-route traffic around congested or damaged
    routers, and it is difficult for an attacker to
    bring down a network through an indirect approach.

7
Cryptography
8
P.A.I.N.
  • Privacy/Confidentiality: information exchanged
    between two parties cannot be read by anyone but
    the intended recipient.
  • Authentication: the parties exchanging data can
    validate each other's identities.
  • Integrity: information exchanged between two
    parties arrives intact and unmodified.
  • Non-Repudiation: agreements can be legally
    enforced.

9
Why Use Cryptography?
  • Greek for "secret writing".
  • Used to establish a shared secret when other
    people (eavesdroppers) are listening.

Source: Gene Itkis
10
Encryption/Decryption
  • Encoding the contents of a message (the
    plaintext) in a way that hides its contents
    from outsiders is called encryption.
  • The process of retrieving the plaintext from the
    ciphertext is called decryption.
  • Encryption and decryption usually make use of a
    key, and the coding method is such that
    decryption can be performed only by knowing the
    proper key.
  • Example (each letter is shifted one place forward
    in the alphabet):
    - plaintext: attack at midnight
    - ciphertext: buubdl bu njeojhiu
11
The Encryption Process
  • Objective: hide a message (plaintext) by making it
    unreadable (ciphertext).
  • Diagram (figure not reproduced): the plaintext,
    the material we want to keep secret (it might be
    text, data, graphics, audio, video, a spreadsheet,
    ...), is fed to the encryption algorithm, a
    mathematical scrambling procedure, together with
    the data that tells it how to scramble this
    particular message; the output is an unreadable
    version of the plaintext.
Source: Stein, Web Security
12
Key
  • The key is a parameter to an encryption
    procedure.
  • The procedure stays the same, but produces
    different results depending on the key given.
  • 40-bit or 128-bit keys: the number refers to the
    count of binary digits in the encryption key.
  • The more bits in the key, the more secure the
    encryption and the less likely an attacker can
    guess your key and unlock the file.
  • Attackers have already found ways to crack 40-bit
    keys.
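As an added example (not from the original slides), the shift cipher behind slide 10's "attack at midnight" / "buubdl bu njeojhiu" pair, followed by a search over all 26 possible keys to make this slide's point concrete: a key with too few possible values can simply be guessed. Function names are my own.

```python
import string

ALPHABET = string.ascii_lowercase


def shift_encrypt(plaintext: str, key: int) -> str:
    """Move every lowercase letter `key` places forward (wrapping at z).
    Characters that are not lowercase letters, such as spaces, pass
    through unchanged. The procedure is fixed; only the key varies."""
    out = []
    for ch in plaintext:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is the same procedure run with the opposite shift."""
    return shift_encrypt(ciphertext, -key)


def brute_force(ciphertext: str, crib: str) -> list:
    """Try every possible key and keep those whose output contains a
    word the analyst expects to see (`crib`). Only 26 keys exist, so
    this finishes instantly; a 40-bit key has about 10^12 candidates
    and a 128-bit key about 10^38, which is why key length matters."""
    hits = []
    for key in range(26):
        candidate = shift_decrypt(ciphertext, key)
        if crib in candidate:
            hits.append((key, candidate))
    return hits


if __name__ == "__main__":
    # Constructed sample input: the slide's own plaintext with key 1.
    ct = shift_encrypt("attack at midnight", 1)
    print(ct)                          # buubdl bu njeojhiu
    print(shift_decrypt(ct, 1))        # attack at midnight
    print(brute_force(ct, "attack"))   # [(1, 'attack at midnight')]
```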

13
Symmetric (Private) Key
14
Symmetric Encryption
  • The same key is used for both encryption and
    decryption.
  • Sender and recipient must both know the key; this
    is a weakness.
Source: Stein, Web Security
15
A Symmetric XOR Cipher
  • A encrypts to R with key X, and key X decrypts R
    back to A.
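An added example, not from the slides: a byte-wise XOR cipher in Python. The slide's A, R and X are symbolic letters; here real bytes are used and the key is a constructed sample. What it shows is that XOR is its own inverse, so one function with one key both encrypts and decrypts.

```python
def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Combine each data byte with the matching key byte using XOR,
    cycling through the key when the data is longer. Because
    (m XOR k) XOR k == m, the very same function with the very same
    key both encrypts and decrypts: that is what "symmetric" means."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def roundtrip_ok(message: bytes, key: bytes) -> bool:
    """Encrypt, then decrypt with the same key; True if the original
    message comes back unchanged."""
    return xor_cipher(xor_cipher(message, key), key) == message


def other_key_recovers(message: bytes, key: bytes, other: bytes) -> bool:
    """Decrypt with a different key; False shows that a party without
    the shared key does not get the plaintext back."""
    return xor_cipher(xor_cipher(message, key), other) == message


if __name__ == "__main__":
    # Constructed sample: the slide's A / X / R are symbolic, so actual
    # bytes are used here and the ciphertext is shown in hex.
    msg = b"attack at midnight"
    key = b"X"
    ct = xor_cipher(msg, key)
    print(ct.hex())
    print(roundtrip_ok(msg, key))              # True
    print(other_key_recovers(msg, key, b"Y"))  # False
```

A single repeated key byte gives only 256 possible keys, so this illustrates the mechanism of a symmetric cipher, not a deployable one.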

16
Limitations
  • Parties that have not previously met cannot
    communicate securely.
  • Many people need to communicate with a server
    (many-to-one communications):
    - the server key cannot be kept secret for long;
    - once the secret key is compromised, the security
      of all subsequent messages is suspect and a new
      key has to be generated.
  • The authentication service must know the private
    key:
    - privacy implications: someone else knows your
      key;
    - two possible points of attack;
    - changing authentication service requires a new
      key.
  • Digital signatures are difficult.
  • Cross-realm authentication:
    - accessing services outside the domain or realm
      of your authentication server is problematic;
    - requires agreement and trust between
      authentication services;
    - introduces another potential point of attack.

17
Asymmetric (Public) Key
18
Public-Key (Asymmetric) Encryption
  1. Users want to send plaintext to the recipient
     website.
  2. Senders use the site's public key for
     encryption.
  3. The site uses its private key for decryption.
  4. Only the website can decrypt the ciphertext; no
     one else knows how.
Source: Stein, Web Security
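An added illustration of the four steps above using textbook RSA with tiny constructed primes (my own code, not the slides' or Stein's, and not secure at this size: real keys use primes hundreds of digits long). The site publishes (n, e), senders encrypt with it, and only the holder of d can decrypt.

```python
from math import gcd


def generate_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA key generation from two primes. Returns the public
    key (n, e), which the site publishes, and the private key (n, d),
    which it never shares. The primes used below are tiny constructed
    values for illustration only."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse; needs Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> list:
    """Step 2: anyone holding the public key turns each plaintext byte
    into the number byte^e mod n. Each byte is encrypted separately
    and deterministically here, which real systems avoid by padding."""
    n, e = public_key
    if n <= 255:
        raise ValueError("modulus too small to hold a byte")
    return [pow(b, e, n) for b in message]


def decrypt(private_key, ciphertext: list) -> bytes:
    """Step 3: only the holder of d can compute c^d mod n and get the
    original byte back."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


if __name__ == "__main__":
    # Constructed toy primes 61 and 53: n = 3233, phi = 3120, d = 2753.
    public, private = generate_keypair(61, 53)
    ct = encrypt(public, b"attack at midnight")  # step 1: the plaintext
    print(ct[:4])
    print(decrypt(private, ct))                   # b'attack at midnight'
```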
19
Security Infrastructure
20
  • Layers of devices that serve specific purposes,
    and provide multiple barriers of security that
    protect, detect, and respond to network attacks,
    often in real time.

21
Routers
  • A router is a network traffic-managing device
    that sits between sub-networks and routes
    traffic intended for, or emanating from, the
    segments to which it's attached. Naturally, this
    makes routers sensible places to implement packet
    filtering rules, based on the security policies
    you've already developed for the routing of
    network traffic.
  • Packet Filtering
    - A packet filter is a simple and effective form
      of protection.
    - A packet filter matches all packets against a
      series of rules.
    - If the packet matches a rule, then an action is
      performed (the packet is accepted, rejected,
      logged, etc.).
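An added example, not from the slides, of the packet-filter logic just described, in Python: the rule list is walked in order, the first matching accept/reject rule decides, a matching log rule records the packet and evaluation continues, and anything unmatched is rejected. The addresses and the policy are constructed samples.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

@dataclass
class Rule:
    action: str                # "accept", "reject" or "log"
    src: str = "0.0.0.0/0"     # any source
    dst: str = "0.0.0.0/0"     # any destination
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

def filter_packet(rules: list, pkt: Packet, default: str = "reject"):
    """First matching accept/reject rule decides; a matching log rule
    records the packet and evaluation continues. Unmatched packets get
    the default, and defaulting to reject is the safe choice."""
    logged = []
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == "log":
                logged.append(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
                continue
            return rule.action, logged
    return default, logged

# Constructed policy: log all ICMP, expose only the web server's HTTP and
# HTTPS ports to the outside, and let the internal 10.0.0.0/8 net through.
POLICY = [
    Rule("log", proto="icmp"),
    Rule("accept", dst="203.0.113.10/32", proto="tcp", dport=80),
    Rule("accept", dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("accept", src="10.0.0.0/8"),
]
```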

22
IDS
  • An intrusion detection system (IDS) attempts to
    detect an intruder breaking into your system or a
    legitimate user misusing system resources.
  • The IDS operates constantly in the background,
    and only notifies you when it detects suspicious
    or illegal activity.

23
Firewall
24
Firewall
  • A firewall is a gateway device, a set of hardware
    and software that handles access control to the
    network by keeping unwanted guests out.
  • It allows a company's network to use the public
    Internet while at the same time deterring unwanted
    access from the Internet into your network.
  • It allows organizations to create a secure
    organizational network that interfaces with the
    more freewheeling Internet.
  • A firewall typically consists of a bastion host,
    a computer that is fortified against network
    attacks.

25
Bastion Host
  • A bastion host is the "choke point" of all
    communications that lead in and out of your
    intranet.
  • By centralizing access through one computer, you
    can easily manage network security and configure
    the appropriate software for that one machine.

26
VPN (Virtual Private Network)
27
  • Traditionally, the establishment of private
    corporate data networks required the purchase of
    leased communication lines (or high-speed dial-up
    lines such as ISDN) from the telephone company.
  • However, technology now allows the use of the
    public Internet as a backbone to create a secure
    Virtual Private Network by the use of firewalls,
    proxy servers, TCP/IP tunneling protocols, and
    data encryption.
  • As the use of intranets and extranets increases,
    so will the use of Virtual Private Networks across
    the public Internet.

28
  • Companies with many locations may establish
    private networks to connect these locations
    (frame relay, T1 leased lines, etc.) or they may
    use the public Internet and establish a Virtual
    Private Network.
  • In a VPN architecture, the client and server
    computers are connected to the public Internet
    but use data encryption to send data from one
    node on the virtual network to another.
  • Firewalls may also be used to restrict access at
    the connected nodes.
  • VPNs are especially useful in mobile computing
    applications.

29
  • A VPN is the construction of a private network
    operating over public networks such as the
    Internet, without requiring the use of dedicated
    leased lines to interconnect all nodes of the
    network.
  • In situations where there are relatively low
    volumes of data, the savings from using the
    public Internet infrastructure can be
    significant.
  • VPNs offer connectivity to corporate networks for
    remote and mobile users as well as cost savings,
    while maintaining security and confidentiality.

30
  • VPNs can be created with software by the use of
    firewalls and/or proxy servers using TCP/IP
    tunneling protocols (such as the Point-to-Point
    Tunneling Protocol) and data encryption to
    create secure communication over the public
    Internet.
  • VPNs may also be created with hardware by using
    Layer 3 switching.
  • A secure Virtual Private Network may be
    established between identified users, essentially
    establishing a safe intranet across the Internet.
    Encrypted personal communication goes through a
    firewall at both the transmitting and receiving
    nodes. This type of VPN is a security solution
    for mobile and telecommuting employees, as well
    as for business-to-business communications and
    transactions.