Secure E-mail  Message interception (confidentiality)  Message interception (blocked delivery)  Message interception and subsequent replay  Message.


2 Secure E-mail
- Message interception (confidentiality)
- Message interception (blocked delivery)
- Message interception and subsequent replay
- Message content modification
- Message origin modification
- Message content forgery by outsider
- Message origin forgery by outsider
- Message content forgery by recipient
- Message origin forgery by recipient
- Denial of message transmission

3 Requirements and Solutions
- Message confidentiality
- Message integrity
- Sender authenticity
- Nonrepudiation

4 Examples of Secure E-mail Systems
- PGP (Pretty Good Privacy) – uses public key ring; confidentiality, integrity
- S/MIME (Secure Multipurpose Internet Mail Extensions) – uses certificates

5 Multi-Layer Security
- Security Can be Applied at Multiple Layers Simultaneously
  - Application layer security for database, e-mail, etc.
  - Transport layer: SSL
  - Internet layer: IPsec
  - Data link layer: PPTP, L2TP
  - Physical layer: locks

6 Multi-Layer Security
- Applying security at 2 or more layers is good
  - If security is broken at one layer, the communication will still be secure
- However,
  - Security slows down processing
  - Multi-layer security slows down processing at each layer

7 Total Security
- Network Security is Only Part
- Server Security
  - Hackers can take down servers with denial-of-service attacks
  - Hackers can log in as the root user and take over the server
  - Steal data, lock out legitimate users, etc.

8 Total Security
- Server Security
  - Occasionally, weaknesses are discovered in server operating systems
  - This knowledge is quickly disseminated
  - Known security weaknesses

9 Total Security
- Server Security
  - Server operating system (SOS) vendors create patches
  - Many firms do not download patches
  - This makes them vulnerable to hackers, who quickly develop tools to probe for and then exploit known weaknesses

10 Total Security
- Client PC Security
  - Known security weaknesses exist but patches are rarely downloaded
  - Users often have no passwords or weak passwords on their computers
  - Adversaries who take over client PCs can therefore take control of SSL and other secure communication protocols

11 Total Security
- Application Software
  - May contain viruses
    - Must filter incoming messages
  - Database and other applications can add their own security with passwords and other protections

12 Total Security
- Managing Users
  - Often violate security procedures, making technical security worthless
  - Social engineering: attacker tricks user into violating security procedures

13 Defense in Depth
- Firewalls
- Antivirus
- Intrusion Detection Systems
- Intrusion Protection Systems

