CS5038 The Electronic Society


1 CS5038 The Electronic Society
Lecture 12: Security and Crime Online

Lecture Outline
  Types of Attacks
  Security Problems
  Major security issues in online systems
  Security Risk Management
  Security Technologies

2 Attack Sophistication Vs. Intruder Knowledge
Go to presentations, overview, see trend
Source: Special permission to reproduce the CERT®/CC graphic © 2000 by Carnegie Mellon University, in Electronic Commerce 2002, in Allen et al. (2000).

3 Types of Attacks
Non-technical – phone or employee posing as administrator
Buffer overflow – hide code at the end of a long entry
DNS spoofing – change DNS tables or router maps
Sniffing – listen to all packets on network
Malicious code:
  Viruses – propagate locally
  Worms – propagate between systems
  Macro viruses and macro worms
  Trojan horses – e.g. posing as a game

4 Security Problems
Example: Denial of service (DoS) – purchases are not made, ads are not seen
Security and ease of use are antithetical to one another
  E.g. passwords, electronic wallets/credit card
Security takes a back seat to market pressures
  E.g. trying to hurry the time to market
Security systems are only as strong as their weakest points
  Security of a site depends on the security of the whole Internet – DoS
Knowledge of vulnerabilities is increasing faster than it can be combated
  Hackers share secrets and write tools
Flaws in ubiquitous applications – Outlook, Word
Underreporting: in %; in % of organisations had serious attacks reported to law enforcement
Why might a company not report a crime?

5 Security Concerns
Filling a form at a simple marketing site:
User's perspective
  Is the Web server owned and operated by a legitimate company?
  Do the Web page and form contain some malicious code content?
  Will the Web server distribute the user's information to another party (or allow it to be stolen)?
Company's perspective
  Will the user attempt to break into the Web server or alter the site?
  Will the user try to disrupt the server so it isn't available to others?
Both perspectives
  Is the network connection free from eavesdropping?
  Has information sent back and forth between server and browser been altered?

6 Major security issues in online systems
Privacy or Confidentiality – trade secrets, business plans, health records, credit card numbers, records of web activity
Authentication – for Web page
  Something known – password
  Something possessed – smartcard
  Something unique – signature, biometrics
Integrity – protect data from being altered or destroyed
  Financial transaction
Non-repudiation – not denying that you bought something
PAIN – for payment systems

7 Security Risk Management
Definitions involved in risk management
  Assets – anything of value worth securing
  Threat – eventuality representing danger to an asset
  Vulnerability – weakness in a safeguard
Risk Assessment
  Determine organizational objectives
    Cannot safeguard against everything – limit to satisfying objectives
    Example: if Web site is to service customer complaints then top priority is to ensure no disruption – rather than protect data
  Inventory assets – value and criticality of all assets on network
  Delineate threats – hackers, viruses, employees, system failure
  Identify vulnerabilities
  Quantify the value of each risk, e.g. Risk = Asset x Threat x Vulnerability
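As an added illustration of the risk assessment steps above (example code, not from the lecture), a small risk register applies Risk = Asset x Threat x Vulnerability to a constructed inventory with hypothetical 1-5 ratings, then weights each score by the organisational objective, reproducing the customer-complaints example where avoiding disruption outranks protecting data.

```python
from dataclasses import dataclass, field

# Constructed example data: hypothetical assets with 1-5 ratings, not from the lecture.
@dataclass
class Asset:
    name: str
    value: int                        # value/criticality of the asset, 1 (low) to 5 (high)
    # threat name -> (likelihood 1-5, vulnerability 1-5, property the threat attacks)
    threats: dict = field(default_factory=dict)

def risk_score(asset_value, threat, vulnerability):
    """The slide's formula: Risk = Asset x Threat x Vulnerability."""
    return asset_value * threat * vulnerability

def risk_register(assets, objective_weights=None):
    """Quantify every (asset, threat) pair and rank them, highest risk first.
    objective_weights maps a security property ('availability', 'confidentiality',
    'integrity') to a multiplier, implementing 'limit to satisfying objectives':
    threats to the properties the organisation cares most about rank higher.
    """
    weights = objective_weights or {}
    rows = []
    for asset in assets:
        for threat, (likelihood, vuln, prop) in asset.threats.items():
            base = risk_score(asset.value, likelihood, vuln)
            weighted = base * weights.get(prop, 1.0)
            rows.append((asset.name, threat, base, weighted))
    return sorted(rows, key=lambda row: row[3], reverse=True)

# Inventory for a site whose objective is servicing customer complaints (constructed).
COMPLAINTS_SITE = [
    Asset("complaints web server", 5, {
        "denial of service": (4, 3, "availability"),
        "defacement": (2, 3, "integrity"),
    }),
    Asset("customer database", 4, {
        "data theft": (3, 4, "confidentiality"),
    }),
]
# Objective: keep the site up; data protection is secondary, so it is weighted down.
AVAILABILITY_FIRST = {"availability": 2.0, "confidentiality": 0.5}

def ranked_threats(weights=None):
    """Return threat names in priority order for the complaints site."""
    return [threat for _, threat, _, _ in risk_register(COMPLAINTS_SITE, weights)]

if __name__ == "__main__":
    for name, threat, base, weighted in risk_register(COMPLAINTS_SITE, AVAILABILITY_FIRST):
        print(f"{name:22} {threat:18} risk={base:3} weighted={weighted:5.1f}")
```

Without the objective weights the data-theft risk (48) ranks above defacement (30); with the availability-first weights defacement moves ahead and denial of service stays on top, which is the prioritisation the slide's example describes.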

8 Security Technologies
Firewall: like a bouncer, has rules to determine if data is allowed entry
  More in CS5401 (for eTech class)
Virtual Private Network (VPN)
  Encryption – scramble communications
Intrusion Detection Systems (IDS)
  Automatically review logs of file accesses and violations
  Analyse suspicious activity for known patterns of attack
Quiz 13

9 Summary
Attack Sophistication Vs. Intruder Knowledge
Types of Attacks – non-technical, buffer overflow, malicious code
Security Problems – ease of use, market pressure, weak links
Security Concerns – e.g. filling a form
Major security issues in online systems – PAIN
Security Risk Management – assessment, planning, implementation, monitoring
Security Technologies – firewall, VPN, IDS
Quiz 14

10 QUIZ 13
hint for q.5: look at q.7
question 7 – guess
you can guess question 9
skip question 12
q.13 answer is stateful packet inspection
skip question 15
