Presentation on theme: "1 CS5038 The Electronic Society Lecture 12: Security and Crime Online Lecture Outline Types of Attacks Security Problems Major security issues in online."— Presentation transcript:
1 CS5038 The Electronic Society Lecture 12: Security and Crime Online Lecture Outline Types of Attacks Security Problems Major security issues in online systems Security Risk Management Security Technologies
3 Types of Attacks Non-technical – phone or employee posing as administrator Buffer overflow – hide code at the end of a long entry DNS spoofing – change DNS tables or router maps Sniffing – listen to all packets on network Malicious code: Viruses – propagate locally Worms - propagate between systems Macro viruses and macro worms Trojan horses – e.g. posing as a game
4 Security Problems Example: Denial of service (DOS) – purchases are not made, ads are not seen Security and ease of use are antithetical to one another E.g. passwords, electronic wallets/credit card Security takes a back seat to market pressures E.g. trying to hurry the time to market Security systems are only as strong as their weakest points Security of a site depends on the security of the whole Internet – DOS, Knowledge of vulnerabilities is increasing faster than it can be combated - Hackers share secrets and write tools Flaws in ubiquitous applications – Outlook, Word Underreporting: in %; in % of organisations had serious attacks reported to law enforcement Why might a company not report a crime?
5 Security Concerns Users perspective Is Web server owned and operated by legitimate company? Web page and form contain some malicious code content? Will Web server distribute users information to another party? (or allow to be stolen) Companys perspective Will the user attempt to break into the Web server or alter the site? Will the user try to disrupt the server so it isnt available to others? Filling a form at a simple marketing site: Both perspectives Is network connection free from eavesdropping? Has information sent back and forth between server and browser been altered?
6 Major security issues in online systems Privacy or Confidentiality trade secrets, business plans, health records, credit card numbers, records of web activity Authentication – for Web page, Something known – password Something possessed – smartcard Something unique – signature, biometrics Integrity – protect data from being altered or destroyed Financial transaction Non-repudiation – not denying that you bought something PAIN – for payment systems
7 Security Risk Management Definitions involved in risk management Assetsanything of value worth securing Threateventuality representing danger to an asset Vulnerabilityweakness in a safeguard Risk Assessment Determine organizational objectives Cannot safeguard against everything – limit to satisfying objectives Example: if Web site is to service customer complaints then top priority is to ensure no disruption – rather than protect data Inventory assets – value and criticality of all assets on network Delineate threats – hackers, viruses, employees, system failure Identify vulnerabilities - Quantify the value of each risk e.g. Risk = Asset x Threat x Vulnerability (Symantec.com)
8 Security Technologies Firewall: Like a bouncer, has rules to determine if data is allowed entry More in CS5401 (For eTech class) Virtual Private Network (VPN) Encryptionscramble communications Intrusion Detection Systems (IDS) Automatically review logs of file accesses and violations Analyse suspicious activity for known patterns of attack
9 Summary Attack Sophistication Vs. Intruder Knowledge Types of Attacks – non-technical, buffer overflow, malicious code Security Problems - ease of use, market pressure, weak links Security Concerns – e.g. filling a form Major security issues in online systems - PAIN Security Risk Management – assessment, planning, implementation, monitoring Security Technologies – firewall, VPN, IDS
10 QUIZ 13 hint for q.5: look at q.7 question 7 - guess you can guess question 9 skip question 12 q.13 answer is stateful packet inspection skip question 15