Session 2 - PowerPoint PPT Presentation

About This Presentation
Title:

Session 2

Description:

Original file title: ACTG 4620 Session 9 - ACCESS CONTROL. Last modified by: chand. Created: 6/8/1999 10:25:10 PM. Document presentation format: On-screen Show (PowerPoint PPT presentation).

Slides: 27
Provided by: eecsYorku

Transcript and Presenter's Notes


1
Session 2 Common Security Techniques

2
Two-factor Authentication
  • Used to compensate for the inherent weaknesses of
    passwords, i.e., guessing and hacking.
  • Uses what the user has and what the user
    knows.
  • Examples are a token that displays a dynamic (one-time)
    password, and an ATM card used with a PIN.

3
Biometrics
  • Can include fingerprint, hand geometry, voice
    etc.
  • Held back by privacy concerns.
  • Not legally recognised in place of a signature.

4
Operating System Security
  • Use a standard checklist for configuration
  • Implement vendor updates
  • Use scanning software to detect vulnerabilities
    before implementation and periodically

5
Firewall
  • Can be purely hardware based, e.g., a router.
  • Can be a server running sophisticated software; this is more
    granular and reliable than a router and provides better logs.
  • Can use artificial intelligence to check for patterns.

6
Firewall
  • Every organization that hosts a web site should
    have a firewall to protect its internal network
    from hackers
  • The firewall would block traffic that is
    definitely unacceptable.

7
Firewall
  • A typical firewall uses rules to determine whether traffic is
    acceptable, e.g., some organizations do not allow port scanning.
  • A data packet's header typically carries a source Internet
    Protocol (IP) address, a port number and a destination IP address.

8
Firewall
  • A port is a logical connection point in a network
    device including a computer.
  • It is used to standardize Internet traffic, e.g., web browsing
    uses port 80 (HTTP) and e-commerce uses port 443 (HTTPS).
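As an added example (not part of the slides), a small Python packet filter that applies the rule idea of slide 7 to the header fields slides 7-8 name, with a default of blocking anything not explicitly acceptable, and that flags the port-scan pattern slide 7 says some organizations forbid. The rule set, the addresses (RFC 5737 documentation ranges) and the sample traffic are all constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed rule set in the spirit of slides 7-8: (action, source network,
# destination network, destination port or None for any). First match wins;
# traffic matching no rule is blocked. Addresses are RFC 5737 documentation ranges.
WEB_SERVER = ip_network("203.0.113.10/32")
RULES = [
    ("allow", ip_network("0.0.0.0/0"), WEB_SERVER, 80),    # web browsing (HTTP)
    ("allow", ip_network("0.0.0.0/0"), WEB_SERVER, 443),   # e-commerce (HTTPS)
    ("allow", ip_network("10.0.0.0/8"), ip_network("10.0.0.0/8"), None),  # internal
]

def decide(packet, rules=RULES):
    """packet = (source IP, destination IP, destination port), the header fields
    slide 7 names. Returns 'allow' or 'block'."""
    src, dst, port = packet
    for action, src_net, dst_net, rule_port in rules:
        if ip_address(src) in src_net and ip_address(dst) in dst_net \
                and rule_port in (None, port):
            return action
    return "block"  # default deny: not explicitly acceptable, so unacceptable

def port_scan_sources(packets, threshold=10):
    """Slide 7's 'port scanning is not allowed': flag any source that probed at
    least `threshold` distinct (destination, port) pairs."""
    touched = defaultdict(set)
    for src, dst, port in packets:
        touched[src].add((dst, port))
    return sorted(src for src, pairs in touched.items() if len(pairs) >= threshold)

# Constructed sample traffic: a normal visitor, one internal session, one scan.
SAMPLE = (
    [("198.51.100.7", "203.0.113.10", 443), ("198.51.100.7", "203.0.113.10", 80),
     ("198.51.100.7", "203.0.113.10", 23), ("10.1.2.3", "10.9.9.9", 3389)]
    + [("192.0.2.99", "203.0.113.10", p) for p in range(20, 35)]
)

def summarize(packets=SAMPLE):
    """Apply the rules to each packet and report counts plus suspected scanners."""
    counts = {"allow": 0, "block": 0}
    for packet in packets:
        counts[decide(packet)] += 1
    return counts, port_scan_sources(packets)
```

Running `summarize()` on the sample traffic allows the three packets the rules cover, blocks the other sixteen, and names 192.0.2.99 as the scanning source.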

9
Virus Protection
  • Companies around the world spend about US$20 billion a year
    to clean up viruses
  • All critical servers are protected
  • All internet email is scanned
  • Automated identification of workstations that do
    not have up-to-date signature files
  • Organizations should block common virus file
    types to be proactive

10
Virtual Private Network
  • To secure remote access to company systems by
    staff or contractors.
  • Should require two-factor authentication.
  • Because the traffic is encrypted it passes through the firewall
    uninspected, so the secure tunnel should end at another firewall
    where the traffic is decrypted.

11
Intrusion Detection System
  • Installed at critical points of a network to
    inspect incoming and outgoing traffic for
    anomalies and malicious messages.
  • Alerts systems administrators to take pre-emptive
    or corrective actions.

12
Intrusion Prevention System
  • Combines firewall and intrusion detection
    technologies.
  • Rejects highly questionable or unacceptable
    traffic.
  • More effective than firewalls but may produce false
    positives.

13
Encryption
  • Uses mathematics to scramble data.
  • Uses a key and an algorithm. Commercial algorithms are
    public knowledge.
  • Symmetric key.
  • Asymmetric keys (private/public key pair).

14
Symmetric Key Encryption
  • The same key is used to decrypt and encrypt
  • Simple to encrypt and decrypt
  • Large number of keys required for one-on-one
    secret communication
  • Number of keys for N people is N(N-1)/2
  • Need to secure the key

15
Asymmetric Encryption
  • A pair of keys is generated by a user: a private key
    and a corresponding public key.
  • The public key can be disclosed. The private key
    is secured.
  • People can use the public key to encrypt material.

16
Asymmetric Encryption
  • The corresponding private key is needed to
    decrypt.
  • The two keys cannot be reverse-engineered from each other,
    i.e., you cannot use the public key to derive the private key.
  • Keys are longer than symmetric keys, so encrypting and
    decrypting takes longer.

17
Asymmetric Encryption
  • Needed for email encryption.
  • Used for e-commerce, digital certificates and
    digital signatures.
  • Number of keys for N users is 2N.

18
Digital Signature
  • A digital signature is an electronic signature
    that can be used to authenticate the identity of
    the sender of a message or the signer of a
    document, and to ensure that the original content
    of the message or document that has been sent is
    unchanged.

19
Digital Signature
  • The sender uses an algorithm to compute a hash (a
    fixed-length message digest) of the document
  • Sender uses its private key to encrypt the hash.
  • Recipient uses same algorithm to hash the plain
    text document when received.
  • Recipient uses the public key to decrypt the
    digital signature and compare to the hash the
    recipient created, to confirm integrity.

20
Digital Certificate
  • An electronic business card that establishes your
    credentials when doing business or other
    transactions on the Web.
  • It is issued and digitally signed by a certification
    authority. It contains your name, a serial number, expiration
    dates, the certificate authority's name and public key, and
    your public key.
  • People can use the certificate authority's public key to
    verify the signature.

21
Certificate Authority
  • An organization that issues digital certificates
    to companies and individuals
  • An organization can issue digital certificates to
    its own customers or employees to authenticate
    local transactions
  • The certificate authority will do due diligence
    to confirm the existence and authenticity of the
    party before issuing a certificate.

22
E-commerce Encryption
  • Uses both symmetric keys and asymmetric
    keys
  • Enforced by the merchant
  • Merchant sends its certificate and public key to
    the browser

23
E-commerce Encryption
  • Browser generates a symmetric key
  • Browser encrypts the symmetric key with the
    merchant's public key
  • Browser authenticates the digital certificate
  • Encrypted symmetric key is sent to merchant

24
E-commerce Encryption
  • Merchant decrypts the symmetric key with its
    private key
  • The symmetric key is used for all subsequent transfer of
    information between the two parties until the user logs off.

25
Email Encryption
  • Sender uses the recipient's public key to encrypt the
    message
  • Sender signs the message with own private key
  • Recipient uses own private key to decrypt message
  • Recipient uses the sender's public key to
    authenticate the digital signature
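An added example, not from the slides: textbook RSA using only Python's standard library, walking through the signature steps of slide 19 and the encrypt-then-sign email flow of slide 25 with the public/private key roles of slides 15-16. The key pairs are built from fixed, well-known Mersenne primes and the messages are constructed; this shows the arithmetic the slides describe, whereas real systems use large random primes, padding and a symmetric session key as in slides 22-24.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Textbook RSA pair from two primes: public (e, n), private (d, n)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent, Python 3.8+
    return (e, n), (d, n)

# Constructed keys: fixed, well-known Mersenne primes so the example runs offline
# with the standard library. Real keys use large random primes and padding.
SENDER_PUB, SENDER_PRIV = make_keypair((1 << 521) - 1, (1 << 127) - 1)
RECIPIENT_PUB, RECIPIENT_PRIV = make_keypair((1 << 607) - 1, (1 << 89) - 1)

def digest(document: bytes) -> int:
    """Slide 19, step 1: hash the document to a fixed-length message digest."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes, private_key) -> int:
    """Slide 19, step 2: the sender 'encrypts' the digest with its private key."""
    d, n = private_key
    return pow(digest(document), d, n)

def verify(document: bytes, signature: int, public_key) -> bool:
    """Slide 19, steps 3-4: re-hash, 'decrypt' the signature with the public key, compare."""
    e, n = public_key
    return pow(signature, e, n) == digest(document)

def encrypt(message: bytes, public_key) -> int:
    """Slides 15-16: anyone may encrypt with the public key."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:  # real systems encrypt a symmetric session key instead (slides 22-24)
        raise ValueError("message too long for this key")
    return pow(m, e, n)

def decrypt(ciphertext: int, private_key) -> bytes:
    """Slide 16: only the matching private key recovers the message."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def send_email(message: bytes):
    """Slide 25, sender side: encrypt for the recipient, sign with own private key."""
    return encrypt(message, RECIPIENT_PUB), sign(message, SENDER_PRIV)

def receive_email(ciphertext: int, signature: int):
    """Slide 25, recipient side: decrypt with own private key, then check the
    signature with the sender's public key. Returns (plaintext, signature_ok)."""
    plaintext = decrypt(ciphertext, RECIPIENT_PRIV)
    return plaintext, verify(plaintext, signature, SENDER_PUB)
```

A document altered after signing, or a signature produced with any other private key, makes `verify` return False, which is the integrity and sender-authentication check slide 18 describes.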

26
Conclusion
  • Security is increasingly important because of
    e-commerce.
  • Security is the responsibility of every
    employee.
  • Organizations should designate a chief
    information security officer to coordinate.