Post on 31-Jan-2016
description
transcript
Integrity and Security Control
Security BreachesTORONTO, Nov. 9 /CNW/ -TELUS and the Rotman School of Management released their third annual study on Canadian IT security, revealing that Canadian companies experienced a 29 per cent increase in security breaches from 2009 to 2010. The study also found that the annual cost of these security breaches dropped considerably from $834,000 to $179,508 during the same one-year period.
3
Recent FBI Computer Security Institute survey 85% of large companies and
government agencies have detected computer breaches in past 12 months
64% acknowledged financial losses 35% quantified the losses totaled
to $375 million
4
Cost of Security Breach The average large company loses
$20,000 per hour during the first 72 hours of its response to a security breach
Leaky security costs companies 6%-7% of annual revenue Loss of business, decreased customer
confidence, increased insurance, expenditures of public relations
Objectives of Integrity Controls Ensure that only appropriate and
correct business transactions occur Ensure that transactions are
recorded and processed correctly Protect and safeguard assets of the
organization Software Hardware Information
Information security Protecting information and
information systems from unauthorized access, use, disclosure, disruption, modification or destruction.
6
7
The Importance of Security in e-Commerce The Internet presents enormous
business opportunities The Internet is open to public,
vulnerable to various of attacks One of the major hurdles that we face
in achieving the full potential of Internet-based electronic commerce is security
New threats from terrorism and cyber warfare
Points of Security and Integrity Controls
Input Integrity Controls Used with all input mechanisms Additional level of verification to
help reduce input errors Common control techniques
Field combination controls Value limit controls Completeness controls Data validation controls
Output Integrity Controls Ensure output arrives at proper
destination and is correct, accurate, complete, and current
Destination controls - output is channeled to correct people
Completeness, accuracy, and correctness controls
Appropriate information present in output
Data Integrity Controls Access controls Data encryption Transaction controls Update controls Backup and recovery protection
Integrity Controls to Detect and Prevent Fraud
Control of fraud requires both manual procedures and computer integrity controls
Designing Security Controls
Security controls protect assets of organization from all threats External threats such as hackers, viruses, worms,
and message overload attacks Security control objectives
Maintain stable, functioning operating environment for users and application systems (24 x 7)
Protect information and transactions during transmission outside organization (public carriers)
Access control
Security for Access to Systems
Used to control access to any resource managed by operating system or network
User categories Unauthorized user – no authorization to access Registered user – authorized to access system Privileged user – authorized to administrate system
Organized so that all resources can be accessed with same unique ID/password combination
Users and Access Roles to Computer Systems
Managing User Access
Most common technique is user ID / password
Authorization – Is user permitted to access?
Access control list – users with rights to access
Authentication – Is user who they claim to be?
Computerized User Authentication Techniques Password-based systems:
something that you know Physical tokens: something that you
have Biometrics: something that you are Location: someplace you are Reference: third party
authentication
Password problem Has to be stored in file May be intercepted May forget May easy to guess May tell other people
Physical Tokens Access card, storage token,
synchronous one-time password generator, challenge-response, digital signature token
Human-interface token, smart card, PCMCIA card
The token does not prove who you are Token may be copied or forged Token may be used with password
Biometrics
An image of person’s face Fingerprints Footprints and walking style Hand shape and size Pattern of blood vessels in the retina DNA patterns Voice prints Handwriting techniques Typing characteristics
24
Fingerprints
SOURCE: C3i
MAIN SHAPES:
LOOPWHORLARCH
MINUTIAE:
END BIFURCATION ISLAND LAKE DOT
EACH PERSON HAS A UNIQUEARRANGEMENT OF MINUTIAE:
25
Fingerprint CaptureThompson-CSF FingerChip
(Thermal-sensed swipe)DEMO1, DEMO2
ST-Micro TOUCHCHIP(Capacitative)
American Biometric CompanyBioMouse (Optical) Biometric Partners
Touchless Sensor
26
Iris Scan
SOURCE: IRISCAN
• Human iris patterns encode ~3.4 bits per sq. mm
• Can be stored in 512 bytes
• Patterns do not change after 1 year of life
• Patterns of identical twins are uncorrelated
• Chance of duplication < 1 in 1078
• Identification speed: 2 sec. per 100,000 people
PERSONAL IRIS IMAGER
Companies: British Telecom, Iriscan, Sensar
27
Signature Dynamics• Examines formation of signature, not final
appearance
• DSV (Dynamic signature verification)
• Parameters
• Total time
• Sign changes in x-y velocities
and accelerations
• Pen-up time
• Total path length
• Sampling 100 times/second
Companies: CyberSIgn, Quintet,PenOp, SoftPro SignPlus,
28
Error in Biometric Systems
SOURCE: IDEX
VERY BAD BAD
Problems with biometrics A person’s biometric “print” must be
on file before that person can be identified
Require expensive, special purpose equipment
Unprotected biometrics equipment is vulnerable to sabotage and fraud
Possibility of false match
31
Transaction Security
32
Transaction Security Authentication: A user must be able to prove his
identity to the other party. (“I am Joan Thomas and I live at...”)
Integrity: Each party must be comfortable that exchanged information wasn’t altered during transmission by a third party or corrupted by misfortune. (“I ordered three items not four...”)
Nonrepudiation: Each party must be assured that the counterparty won’t be able to deny being the originator or receiver of information. (“I didn’t order that item...”)
Confidentiality: Parties must be able to exchange information securely without it falling into the hands of a third party. (“My credit card number is...”)
33
Protective measures Sending and receiving encrypted
messages or data, Using digital certificates to
authenticate the parties involved in the transaction, and
Virtual Private Networks
Cryptography
Cryptography is the practice and study of hiding information.
Encryptionconverting ordinary information (plain text) into unintelligible gibberish (cipher text) so unauthorized users cannot read it
Decryption Converting encrypted data back to its original
state
35
Cryptography techniques Symmetric cryptosystems Public-key cryptosystems Integrity check-values (message
digest) Digital Certificate Digital Signature
Data Security Symmetric key – same key
encrypts and decrypts Asymmetric key – a pair of
different keys for encryption and decryption. Public key Private key
37
Symmetric Cryptography
Symmetric Cryptography The same key is used for
encryption and decryption Operates as block cipher (fixed
size) or stream cipher (arbitrary size, byte by byte)
Fast encryption and decryption Require secure key distribution
Role of the Key in Cryptography
The key is a parameter to an encryption procedure Procedure stays the same, but produces different
results based on a given key
NOTE: THIS METHOD IS NOT USED IN ANY REAL CRYPTOGRAPHY SYSTEM.IT IS AN EXAMPLE INTENDED ONLY TO ILLUSTRATE THE USE OF KEYS.
S P E C I A L T Y B D F G H J K M N O Q R U V W X ZA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
C O N S U L T I N G
D S R A V G H E R M
EXAMPLE:Plain text
Cipher text
Public Key Cryptosystems A pair of related keys:
Private key (kept secret) Public key (publicly known)They are related but it is not feasible to determine the private key by knowing the public key
Two ways of use:Encryption mode: make sure a right person receives messageAuthentication mode: make sure message is from a right person
Solving key distribution problem
Public-Key (Asymmetric) Encryption
1. USERS WANT TO SEND PLAINTEXT TO RECIPIENT WEBSITE
2. SENDERS USE SITE’S PUBLIC KEY FOR ENCRYPTION
3. SITE USES ITS PRIVATE KEY FOR DECRYPTION
4. ONLY WEBSITE CAN DECRYPT THE CIPHERTEXT. NO ONE ELSE KNOWS HOW
SOURCE: STEIN, WEB SECURITY
Digital Signatures and Certificates
Encryption of messages enables secure exchange of information between two entities with appropriate keys
Digital signature encrypts document with private key to verify document author
Digital certificate is institution’s name and public key that is encrypted and certified by third party
Certifying authority: VeriSign or Equifax
Digital Certificate Certificate
A document containing a certified statement, especially as to the truth of something
Digital certificateInformation digitally signed by trusted certificate authority such as VeriSign
Certification Authorizer GlobalSign NV-SA. GlobalSign is the
Leading European Trusted Network of Certification Authorities (CA) that, signs and manages digital certificates
Thawte Certification offers free personal certificates for signing and encrypting e-mail. Thawte is a global CA that has already certified 30% of the world’s Internet e-commerce servers.
Public-key Certificate Identify the holder of the private-
key A Certificate consists of
Subject Identification information Subject public key value Certification authority name Certification authority’s digital
signature
Digital Signatures A digital signature indicates the
signer and the integrity of the document
A digital signature must support non-repudiation
Hash Functions One way hash function f hash x to y = f(x) Infeasible to calculate x = f-1(y) Infeasible to construct x’ so that
f(x’) = y = f(x) U.S. Government’s Secure Hash
Algorithm (SHA-1) the best so far RSA MD5 has some known weakness
Using a Digital Certificate
Security Protocols - SSL Secure Sockets Layer (SSL) uses public
key encryption and digital certificates for information exchange between Web browsers and certified Web servers
The URL for the SSL-secured Web pages begins with “https://” instead of http://
A randomly generated symmetric Session key (40 bit or 128 bit) for message encryption
56
Secure Sockets Layer (SSL)
if it has one
SOURCE: WEB SECURITY
Summary Integrity controls and security
designed into system Ensure only appropriate and correct
business transactions occur Ensure transactions are recorded and
processed correctly Protect and safeguard assets of the
organization Control access to resources
58
Privacy Protection
59
Privacy concerns 90% of people surveyed said privacy
was the most important issue for e-commerce to address
79% don’t use web sites which require personal information; 42% fabricate information
Consumers generally wary of releasing phone number, address, and credit card number over the Internet.
60
Information Privacy Information privacy is the “claim of
individuals, groups, or institutions to determine for themselves when, and to what extent, information about them is communicated to others”
61
The right of privacy Privacy protection should
prevent non-permitted, illegal, and/or unethical use of private information.
It is important to note that the right of privacy is not absolute. Privacy must be balanced against the needs of society.
62
Privacy and Security Security and privacy are often related to
each other but they are not the same. Information is secure if the owner of
information can control that information. Information is private if the subject of
information can control that information. Anonymous information has no subject,
and thus ensures that information is private.
63
The difficulty of privacy protection in Web environment The complexity of manually collecting,
sorting, filing, and accessing information from several different agencies was a built-in privacy protection
In Internet and Web environment, information about users can be easily collected, integrated and analyzed from different sources through the use of network, database, data warehouse and data mining technologies. The potential of privacy violation therefore becomes much higher.
64
Privacy Protection Policy Companies now publicize their
privacy policy when collecting personal information
Customer consent request Customer choice
65
66
67
Principles for collection and Use Private Information Don’t collect information unless its need
and relevance have been clearly established
Don’t collect information fraudulently or unfairly
Use information only if it is accurate and current
Individuals have the right to know of information stored about them
68
Principles for collection and Use Private Information (continue)
Provide a clear procedure on how the individuals can correct, delete, or amend inaccurate, obsolete, or irrelevant information
Ensure the reliability, integrity, and availability of collected, maintained, used, or disseminated personal information and take precautions to prevent its misuse
69
Principles for collection and Use Private Information (continue)
Prevent personal information collected for one purpose from being used for another purpose or disclosed to a third party without an individual’s consent.
Federal, state, and local government should collect only legally authorized personal information