Slide 3: Types of Attacks
- Non-technical: phone call or employee posing as administrator
- Buffer overflow: hide code at the end of a long entry
- DNS spoofing: change DNS tables or router maps
- Sniffing: listen to all packets on the network
- Malicious code:
  - Viruses: propagate locally
  - Worms: propagate between systems
  - Macro viruses and macro worms
  - Trojan horses: e.g. posing as a game
Slide 4: Security Problems
- Example: Denial of service (DoS): purchases are not made, ads are not seen
- Security and ease of use are antithetical to one another, e.g. passwords, electronic wallets/credit cards
- Security takes a back seat to market pressures, e.g. trying to hurry the time to market
- Security systems are only as strong as their weakest points
- Security of a site depends on the security of the whole Internet: DoS,
- Knowledge of vulnerabilities is increasing faster than it can be combated: hackers share secrets and write tools
- Flaws in ubiquitous applications: Outlook, Word
- Underreporting: in %; in % of organisations had serious attacks reported to law enforcement
- Why might a company not report a crime?
Slide 5: Security Concerns: filling in a form at a simple marketing site
- User's perspective
  - Is the Web server owned and operated by a legitimate company?
  - Do the Web page and form contain malicious code or content?
  - Will the Web server distribute the user's information to another party (or allow it to be stolen)?
- Company's perspective
  - Will the user attempt to break into the Web server or alter the site?
  - Will the user try to disrupt the server so it isn't available to others?
- Both perspectives
  - Is the network connection free from eavesdropping?
  - Has information sent back and forth between server and browser been altered?
Slide 6: Major security issues in online systems
- Privacy or confidentiality: trade secrets, business plans, health records, credit card numbers, records of web activity
- Authentication (for a Web page):
  - Something known: password
  - Something possessed: smartcard
  - Something unique: signature, biometrics
- Integrity: protect data from being altered or destroyed, e.g. a financial transaction
- Non-repudiation: not denying that you bought something
- PAIN (Privacy, Authentication, Integrity, Non-repudiation): the requirements for payment systems
Slide 7: Security Risk Management
- Definitions involved in risk management
  - Assets: anything of value worth securing
  - Threat: an eventuality representing danger to an asset
  - Vulnerability: a weakness in a safeguard
- Risk assessment
  - Determine organizational objectives
    - Cannot safeguard against everything: limit to satisfying the objectives
    - Example: if the Web site is to service customer complaints, then the top priority is to ensure no disruption, rather than to protect data
  - Inventory assets: value and criticality of all assets on the network
  - Delineate threats: hackers, viruses, employees, system failure
  - Identify vulnerabilities
  - Quantify the value of each risk, e.g. Risk = Asset x Threat x Vulnerability (Symantec.com)
Slide 8: Security Technologies
- Firewall: like a bouncer, has rules to determine if data is allowed entry (more in CS5401, for the eTech class)
- Virtual Private Network (VPN)
- Encryption: scramble communications
- Intrusion Detection Systems (IDS)
  - Automatically review logs of file accesses and violations
  - Analyse suspicious activity for known patterns of attack
Quiz 13
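To make the IDS bullets concrete, here is an added example (not from the slides or any named product) of a minimal log-review IDS: it parses constructed "timestamp key=value" log lines and matches them against two of the "known patterns" the slide alludes to, a burst of failed logins from one source and denied or sensitive file accesses. The log format, field names, threshold and sensitive-path list are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log (not from a real system): "timestamp key=value ..." per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=10.0.0.5 event=login_failed user=admin
2024-05-01T10:00:02 src=10.0.0.5 event=login_failed user=admin
2024-05-01T10:00:03 src=10.0.0.5 event=login_failed user=admin
2024-05-01T10:00:04 src=10.0.0.5 event=login_failed user=admin
2024-05-01T10:00:06 src=10.0.0.5 event=login_ok user=admin
2024-05-01T10:01:30 src=10.0.0.9 event=file_access user=guest path=/etc/shadow status=denied
2024-05-01T10:02:00 src=10.0.0.7 event=file_access user=alice path=/var/www/index.html status=ok
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.+)$")

# Signatures: the "known patterns of attack" that the slide's IDS matches against (assumed values).
FAIL_THRESHOLD = 4                          # failed logins from one source counted as brute force
SENSITIVE_PATHS = {"/etc/shadow", "/etc/passwd"}

def parse_line(line):
    """Parse one log line into a dict; returns None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for tok in m.group("kv").split():
        key, sep, val = tok.partition("=")
        if sep:                             # ignore tokens that are not key=value
            rec[key] = val
    return rec

def review_log(text):
    """Review log lines and return a list of alert strings (empty if nothing matched)."""
    alerts, failures = [], Counter()        # failures: per-source failed-login count
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ev, src = rec.get("event"), rec.get("src", "?")
        if ev == "login_failed":
            failures[src] += 1
            if failures[src] == FAIL_THRESHOLD:     # alert once, when the threshold is reached
                alerts.append(f"brute-force: {failures[src]} failed logins from {src}")
        elif ev == "login_ok" and failures[src] >= FAIL_THRESHOLD:
            alerts.append(f"login succeeded from {src} after {failures[src]} failures")
        elif ev == "file_access":
            if rec.get("status") == "denied":       # an access violation in the file-access log
                alerts.append(f"access violation: {rec.get('user')} denied {rec.get('path')} from {src}")
            if rec.get("path") in SENSITIVE_PATHS:  # sensitive file touched, allowed or not
                alerts.append(f"sensitive file touched: {rec.get('path')} by {rec.get('user')} from {src}")
    return alerts
```

Running `review_log(SAMPLE_LOG)` yields four alerts: the brute-force burst, the success that follows it, and two for the denied read of /etc/shadow; alice's ordinary page read produces none.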
Slide 9: Summary
- Attack sophistication vs. intruder knowledge
- Types of attacks: non-technical, buffer overflow, malicious code
- Security problems: ease of use, market pressure, weak links
- Security concerns: e.g. filling in a form
- Major security issues in online systems: PAIN
- Security risk management: assessment, planning, implementation, monitoring
- Security technologies: firewall, VPN, IDS
Quiz 14
Slide 10: QUIZ 13 hints
- q.5: look at q.7
- q.7: guess
- q.9: you can guess
- q.12: skip
- q.13: answer is stateful packet inspection
- q.15: skip