Security Introduction - PowerPoint PPT Presentation

Slides: 25
Provided by: jonathan76

Transcript and Presenter's Notes

1
Security - Introduction
  • Systems security has always been an IT management
    issue - it is a massive subject
  • Security issues have been amplified by the
    E-Commerce revolution and bad publicity
  • A security policy is required - this can invoke
    trust amongst customers visiting your site
  • There are a variety of techniques to form a
    security policy
  • There is also a trade-off between the cost of
    implementing security and the amount of security
    obtained

2
Issues with Security
  • Networking Technology Security
  • Firewalls, Virtual Private Networks (VPNs) and
    security policies
  • Aim to protect internet servers from hackers
  • Internet access in a secure manner
  • Intrusion detection - catching the hacker -
    honeytraps policy adopted by Microsoft to lure
    hackers
  • Tracking threats - throughput and traffic analysis

3
Security issues
  • Cyber crime - recent reports of cyber crime
  • Fraud - see notes section of slide and notice
    board
  • Security User groups - alt.2600
  • Chaos clubs /Hackers - Depends on what is worth
    stealing/graffiti/Vandalism factor
  • Careless email / email bombs / (random) spam email
    can be excessive enough to stop servers handling
    normal traffic - solution: use automated tracing
    and blocking software, but a flood can be hard to
    block if each message has a slightly different
    sender and subject line
  • Denial of service attack affected Yahoo! a year
    ago
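As an added illustration of the "automated tracing and blocking" idea above (example code written for these notes, not software referenced by the slides), the following Python groups incoming mail by sender domain and by a normalised subject line, so that a flood whose sender and subject vary slightly from message to message is still counted as one campaign. The log format and the sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed mail-log format for this example; real mail servers use their own formats.
LOG_LINE = re.compile(
    r'^(?P<time>\S+ \S+) from=(?P<sender>\S+) subject="(?P<subject>[^"]*)"$'
)

# Constructed sample: four near-duplicate messages from one domain, one genuine message.
SAMPLE_LOG = """\
2001-03-12 09:00:01 from=offer1@spam.example subject="Cheap Deals!!!"
2001-03-12 09:00:02 from=offer2@spam.example subject="CHEAP deals 2"
2001-03-12 09:00:02 from=news@spam.example subject="cheap - deals"
2001-03-12 09:00:03 from=offer3@spam.example subject="Cheap Deals #4"
2001-03-12 09:01:10 from=jane@partner.example subject="Q2 quote"
"""


def parse_log(text: str) -> list:
    """Return (time, sender, subject) tuples, skipping lines that do not match the format."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            records.append((m["time"], m["sender"], m["subject"]))
    return records


def normalise_subject(subject: str) -> str:
    """Lower-case, drop digits and punctuation, collapse spaces: 'Cheap Deals #4' -> 'cheap deals'."""
    return " ".join(re.sub(r"[^a-z ]", " ", subject.lower()).split())


def sender_domain(sender: str) -> str:
    """The part after the last '@', lower-cased."""
    return sender.rsplit("@", 1)[-1].lower()


def exact_counts(text: str) -> Counter:
    """Naive blocking key: exact sender plus exact subject. Every spam variant looks unique."""
    return Counter((sender, subj) for _, sender, subj in parse_log(text))


def detect_floods(text: str, threshold: int = 3) -> dict:
    """Fuzzy key: sender domain plus normalised subject.
    Returns the keys seen at least `threshold` times, i.e. candidate campaigns to block."""
    fuzzy = Counter(
        (sender_domain(sender), normalise_subject(subj))
        for _, sender, subj in parse_log(text)
    )
    return {key: n for key, n in fuzzy.items() if n >= threshold}


if __name__ == "__main__":
    print("exact keys, max count:", max(exact_counts(SAMPLE_LOG).values()))
    print("flagged campaigns:", detect_floods(SAMPLE_LOG))
```

With the exact key every spam message counts once, so no threshold is ever reached; with the fuzzy key the four variants collapse to a single entry that crosses the threshold, while the genuine message from the other domain is untouched.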

4
Is E-Commerce held back?
  • Recent media articles and research indicate that
    security is the biggest fear amongst consumers -
    fear of giving personal/credit card details over
    the internet
  • Two problems have always existed in trade of any
    sort
  • 1. Authentication of the shopper and vendor
  • 2. Security issues from the release of credit
    card etc details
  • But these issues have been amplified by the
    openness of the internet

5
How genuine is the site?
  • When buying via E-Commerce:
  • If you can - check the business address of the
    company - is it a genuine address?
  • Is the company known or reputable?
  • Look at the terms and conditions for the site
  • Where do you go when what you have purchased goes
    wrong?

6
Solutions - Evidence of security
  • How can you tell if a site is secure or to be
    trusted?
  • Look for the padlock in the bottom right hand
    corner, or a URL beginning https:// - this means the
    pages you are using are located on a secured
    server (Secure Sockets Layer (SSL))
  • Some other notice of trust, e.g. BT Trustwise on
    MFI's site - these are good and popular
  • Which? trader kitemark
  • Comet - site visibly shows the IMRG trust mark
  • Thorntons - site uses SSL

7
Threats - types
  • Packet sniffers - nature of the Internet:
    information is divided into packets, carried over
    different routes and assembled again - solution:
    encryption
  • Cross-site scripting (CSS) - attackers introducing
    web scripting code (JavaScript etc.) into web
    pages held on public servers. When downloaded to
    a user, the script is executed in their web
    browser and can breach security - more slides
    follow after the next
  • Poison cookies - see next slide

8
Poison cookies
  • Protocols used to transmit web information across
    the internet are connectionless - they have no
    memory of what they did before
  • E-Business demands that it is useful to remember
    what was done before, e.g. delivery details
  • Solution - employ cookies - entries in a text
    file held on the user's computer - the server writes
    details about the site visit to the file - raises the
    issue of privacy but also malicious code!
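Because the cookie file sits on the user's own computer, the server cannot assume that what it wrote is what it gets back. As an added example (not code from the slides; the HMAC-signing technique is one common mitigation and is not discussed on this page), the following Python writes a visit record into a cookie together with a keyed hash, and refuses the cookie when the record has been edited. The secret key and the session values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret for the example; real deployments load it from
# configuration and never hard-code it.
SECRET_KEY = b"constructed-example-key-not-for-production"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def make_cookie(session: dict, key: bytes = SECRET_KEY) -> str:
    """Serialise the visit details (e.g. delivery details) and append an HMAC tag,
    so the server can later tell whether the user's copy has been altered."""
    payload = _b64(json.dumps(session, sort_keys=True).encode("utf-8"))
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def read_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the session dict if the tag verifies, otherwise None.
    compare_digest avoids leaking the tag through timing differences."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def tamper_demo() -> tuple:
    """Constructed walk-through: a genuine cookie verifies; an edited one does not."""
    original = make_cookie({"customer": 1042, "delivery": "Leeds", "discount": 0})
    genuine = read_cookie(original)
    # Simulate the user editing the text file to award themselves a discount,
    # keeping the original tag: the tag no longer matches the payload.
    edited = {"customer": 1042, "delivery": "Leeds", "discount": 50}
    forged_payload = _b64(json.dumps(edited, sort_keys=True).encode("utf-8"))
    forged = forged_payload + "." + original.rsplit(".", 1)[1]
    return genuine, read_cookie(forged)


if __name__ == "__main__":
    print(tamper_demo())
```

Signing stops silent modification of the record; it does not hide its contents, so anything private still needs to be kept server-side (or encrypted) rather than written into the cookie.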

9
CSS
  • Cross-Site Scripting
  • Security flaw reported on 10/2/2000 by the Computer
    Emergency Response Team (CERT)
  • The flaw: any web site that dynamically generates
    web pages, such as search results, may have rogue
    HTML scripts embedded in those pages
  • Those scripts will be executed by the browser of a
    visiting customer as if they are part of the site

10
CSS
  • Cross-Site scripting
  • If the malicious scripts are executed before a
    user begins a transaction encrypted using SSL, the
    hacker will be able to read information such
    as credit card numbers

11
Spyware
  • Snooping see www.grc.com/optout.htm
  • Snoopware - programs installed secretly on your
    computer by a friend, family member or work colleague
  • Records every keystroke you make, whether you are
    sending an email or writing a Word document
  • Read more about it and solutions at
    www.spydetect.com/news.html

12
CSS - solutions
  • Solve by manually checking scripts - some
    software checking tools will not find this flaw
  • Site admin - install a code filter on pages where
    user input is processed, so as to stop web hackers
    adding rogue scripts
  • Surfer - disable scripting languages in their
    browsers, which usually run scripts by default
  • See the CERT web site links (in the practical) for
    advice on secure coding practices
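As an added example covering the flaw on the CSS slides and the "code filter" remedy above (example code written for these notes, not from the slides or from CERT; the abbreviation for cross-site scripting is now usually XSS), the following Python shows a search-results page generated the vulnerable way beside the hardened way, where the user's term is HTML-encoded before it is placed in the page. The injected search term is constructed for the example.

```python
import html
import re
from urllib.parse import quote

# Constructed search term containing a script tag, the kind of input the CERT advisory describes.
INJECTED_QUERY = "shoes<script>alert('injected')</script>"


def render_results_vulnerable(query: str) -> str:
    """'Before' version: the user's search term is copied into the page unchanged,
    so any markup in it is interpreted by the visiting customer's browser."""
    return f"<h1>Results for: {query}</h1>"


def render_results_hardened(query: str) -> str:
    """'After' version: HTML-encode the term so the browser shows it as text.
    html.escape(quote=True) handles & < > \" and ', enough for element-body context."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def render_link_hardened(query: str) -> str:
    """Same term reused inside a URL attribute: percent-encode for the URL,
    then HTML-encode for the attribute, and keep the attribute quoted."""
    return f'<a href="/search?q={html.escape(quote(query, safe=""), quote=True)}">search again</a>'


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_raw_script(page: str) -> bool:
    """A simple output check an admin could run over generated pages during review.
    It is a detection aid only; encoding on output is the actual fix."""
    return bool(SCRIPT_TAG.search(page))


if __name__ == "__main__":
    for renderer in (render_results_vulnerable, render_results_hardened, render_link_hardened):
        page = renderer(INJECTED_QUERY)
        verdict = "RAW SCRIPT" if contains_raw_script(page) else "encoded"
        print(f"{renderer.__name__}: {verdict}: {page}")
```

The important design point is that encoding happens at output, in the context the value lands in (element body versus attribute), rather than by trying to strip "bad" input on the way in; an input filter can be added as a second layer but is easy to bypass on its own.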

13
Other Solutions
  • Encryption
  • Encryption has become a selling factor - e.g.
    Net.Commerce from IBM was used for encrypting
    credit card details for the following site
  • Passwords - change regularly
  • Employ firewalls at both the server and the client
    end - the client end is sometimes overlooked
  • ZoneAlarm available for free at www.zonelabs.com
  • Norton firewall
  • Magic folders shareware available from
    www.pc-magic.com

14
Types of Solutions
  • RSA since 1976 - many companies use this crypto
    system, based on a different key for encryption
    and decryption
  • Public Key Infrastructure (PKI) - digital
    signature technology - public key made available,
    private key to decrypt - who holds the private
    keys? See the legislation session in a few weeks' time
  • PGP (Pretty Good Privacy) has been around for a long
    time; a free download is available for Windows
    machines at www.pgp.com/products/freeware/default.asp
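As an added example of the two points above, "a different key for encryption and decryption" and a digital signature (example code written for these notes, not from the slides or from any RSA or PGP product), the following Python builds an RSA key pair from deliberately tiny constructed primes so the arithmetic can be followed by hand, encrypts with the public key, decrypts with the private key, and then uses the same arithmetic with the keys swapped to sign and verify.

```python
import math

# Constructed toy primes so the numbers stay readable; real keys use primes of
# 1024 bits or more, and real systems add padding (OAEP/PSS), none of which is shown here.
P, Q, E = 61, 53, 17


def make_keypair(p: int, q: int, e: int) -> tuple:
    """Return ((n, e), (n, d)): a public key and a distinct private key.
    d is the inverse of e modulo (p-1)(q-1), so (m**e)**d == m (mod n)."""
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    n = p * q
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def encrypt(m: int, public_key: tuple) -> int:
    """Anyone holding the public key can encrypt; only the private key decrypts."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)


def decrypt(c: int, private_key: tuple) -> int:
    n, d = private_key
    return pow(c, d, n)


def sign(m: int, private_key: tuple) -> int:
    """Digital signature: the private key is applied to the message.
    Real systems sign a hash of the message rather than the message itself."""
    n, d = private_key
    return pow(m, d, n)


def verify(m: int, signature: int, public_key: tuple) -> bool:
    """Anyone with the public key can check the signature; nobody can forge one without d."""
    n, e = public_key
    return pow(signature, e, n) == m % n


if __name__ == "__main__":
    public, private = make_keypair(P, Q, E)
    c = encrypt(65, public)
    print("public", public, "private", private)
    print("ciphertext", c, "decrypts to", decrypt(c, private))
    s = sign(65, private)
    print("signature", s, "verifies:", verify(65, s, public),
          "altered message:", verify(66, s, public))
```

The "who holds the private keys?" question on the slide is exactly the point this makes concrete: whoever holds `d` can both read traffic encrypted to the public key and produce signatures that the public key will accept.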

15
PKI
  • For latest solutions in the market see Secure
    Computing Feb 2000 PKI
  • Link in practical
  • BALTIMORE BOSS CALLS FOR 'HANDS OFF' SECURITY
    POLICY Public Key Infrastructure (PKI) has become
    an accepted Internet standard, but the UK
    government must provide a strong legislative
    framework for information security, without being
    seen to interfere with commerce...
    http://www.silicon.com/a36908

16
Security standards?
  • DES (56-bit key)
  • AES (128-bit key) was restricted by US
    Government
  • Secure Electronic Transaction (SET) - may be
    adopted by credit card companies soon
    (Visa/Mastercard)
  • Secure Sockets Layer (SSL) - uses public key
    encryption (PKI) - originally created by Netscape
    but has now been published in the public domain
  • SSH - secure internet login - encrypts the login
    name and password

17
Standards - SSL
  • Encrypts the conversation between the browser and
    the server, rendering packets captured en route
    difficult to decrypt
  • Once the transaction is completed, merchants have
    possession of the buyer's credit card number and
    should store it in a secure place!
  • SSL is now being combined with digital
    certificates - this authenticates the server

18
Standards - SET
  • SET combines SSL, STT (see notes pages) and
    S-HTTP (see notes pages) - thought to be safer?
  • The identities of buyer and seller are tied together
    using encryption, thus making repudiation easier
    to track
  • Merchants never see the credit card number as SET
    encodes the credit card numbers on the merchants
    servers - can only be read by banks or credit
    card companies

19
Standards - SET
  • It seems SET may be adopted as an industry
    standard, as some of the credit card companies
    (Visa and Mastercard) have made sure their
    structure is fully compliant with the standard -
    see links on the last slide
  • The Secure Electronic Transaction Council (SETco)
    authorises the use of the SET trademark. In the
    past they have authorised GlobeSet, Spyrus/Terisa
    Systems, Trintech and Verifone - have a look at
    the SETco site for the latest news
  • SETco authorises both client and server software

20
SET and the credit card companies
  • Visa and SET
  • 1 article
  • 2 article

21
Solutions
  • Secure web servers
  • By its very nature a web server has to be open,
    and of course it has to be protected
  • Certification authorities who can verify that a web
    server is secure:
  • Verisign (USA)
  • Entrust (USA)
  • Thawte (South Africa)
  • Microsoft

22
Solutions
  • Browser security
  • Netscape or MS Explorer have a range of options
    which cover security
  • Cookies - can tell service providers some info
    about what is being used - if the cache is enabled
    then this may not be possible
  • CGI scripting - making sure scripts cannot remove
    directories etc. - also being investigated
  • Email security

23
Security
  • www.fortify.net - can upgrade the browser to use
    128-bit encryption - this can now also be done with
    Netscape

24
Other related info
  • Internet2 is forecast to improve security
  • Data Protection Act and privacy issues see
    legislation part of the module