Security On The Internet

Slides: 43
Provided by: CBA3
Learn more at: https://www.csus.edu

1
Chapter 10
  • Security On The Internet

2
Agenda
  • Security
  • Cryptography
  • Privacy on Internet
  • Virus and Worm
  • Client-based Security
  • Server-based Security

3
Security
  • Security and trust requirements
  • Threats on the Internet
  • Sources of the threats
  • Security policy

4
Security and Trust Requirements
  • Confidentiality
  • Integrity
  • Availability
  • Legitimate use
  • Non-repudiation

5
Threats on the Internet
  • Loss of data integrity
  • Loss of data privacy
  • Loss of service
  • Loss of control

6
Sources of the Threats
  • Hackers
  • Cyber terrorists
  • Employee error
  • Missing procedures
  • Wrongly configured software

7
Hackers
  • Monitoring the communication
  • Private information and passwords
  • Steal hardware and software
  • Smart card or database
  • Intercept the output of a monitor screen
  • Overloading the service
  • Trojan horses and viruses
  • Masquerading (IP address spoofing)
  • Dustbin (discarded documents)

8
Hackers
  • Bribing an employee
  • Information about the internal network or internal DNS
    structure
  • Social engineering
  • Exploiting employees' habits
  • Pretending to be an employee
  • Organization chart
  • Phone book
  • Information gathering and social pressure

9
Hackers
  • Countermeasures
    • Firewall
    • Two-factor authentication (know and have)
    • Audit log file
    • Digital certificate (user or server)
    • Message encryption

10
Cyber Terrorists
  • Definition
    • Use of computer resources to intimidate others
  • Methods
    • Virus attack
    • Alteration of information
    • Cutting off communication
    • Killing from a distance
    • Spreading misinformation

11
Cyber Terrorists
  • Countermeasures
    • Commission on Critical Infrastructure Protection
    • Disconnect mission-critical systems from the public
      network
    • Firewall to monitor communication
    • The Eternity Service concept (duplication and
      encryption)

12
Security Policy
  • List of resources that need to be protected
  • Catalogue the threats to every resource
  • A risk analysis (cost and benefit)
  • Centralized authorization
  • Physical access control (policy and procedure)
  • Logical access control (policy and procedure)
  • Test, review and update

13
Agenda
  • Security
  • Cryptography
  • Privacy on Internet
  • Virus and Worm
  • Client-based Security
  • Server-based Security

14
Cryptography
  • Secret key
  • Public key
  • Steganography
  • Applications

15
Secret Key
  • Symmetric cryptography
  • A single key for encryption and decryption
  • Use a different medium for the key and the message
  • Fast encryption and decryption
  • Types
    • Stream ciphers (operate at the bit level)
    • Block ciphers (group a pre-defined length of data into
      a block)

16
Public Key
  • Asymmetric key cryptography
  • RSA algorithm: two distinct keys (private and
    public) for every user
  • The public key decrypts messages encrypted with the
    private key
  • Takes a long time to encrypt and decrypt a message
  • RSA is used to encrypt the symmetric key that encrypted
    the message

17
Public Key
  • Usages
    • Communication between web server and web browsers
      to create a session key
    • E-mail uses a different public key for each
      recipient

18
Steganography
  • Hide information in the ordinary noise of digital
    sound and image systems
  • Low quality of free software
  • Higher quality for commercial software
  • Legal requirements for encryption and decryption

19
Applications
  • Enforce privacy
  • Storing the hash value of a password
  • Encrypting e-mail
    • Pretty Good Privacy (PGP): unbreakable
    • Secure Multipurpose Internet Mail Extensions
      (S/MIME): easy to set up, with less security
    • Separate the use of strong symmetric encryption
      algorithms from the e-mail software
    • WinZip for e-mail read by multiple persons, with the
      password given over the phone
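An added example (not from the slides) of the "storing the hash value of a password" point, using only the Python standard library; the record format, the iteration count and the sample passwords are choices made here:

```python
"""Store a salted, iterated hash of a password instead of the password.

Added example, not from the original slides.  The record layout and the
iteration count are choices made here, not a standard of any product.
"""
import hashlib
import hmac
import os

ITERATIONS = 210_000       # slows down offline guessing against stolen records
ALGORITHM = "sha256"


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: pbkdf2_<alg>$iterations$salt$hash (hex)."""
    if salt is None:
        salt = os.urandom(16)   # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        algorithm = scheme[len("pbkdf2_"):]
        candidate = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        stored = bytes.fromhex(digest_hex)
    except (ValueError, TypeError):
        return False            # a malformed record never authenticates
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample: the database keeps only the record, never the password.
    record = hash_password("correct horse battery")
    print(record)
    print(verify_password("correct horse battery", record))   # True
    print(verify_password("wrong guess", record))             # False
```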

20
Applications
  • Digital Signatures
    • A digital hash or digital code for each message
    • Encrypt the digital code with the private key
    • Decrypt the digital code with the public key
    • Digital time stamp (time and date) encrypted with the
      private key of a third party
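An added example (not from the slides) of the hash-then-sign scheme described above, including the third-party time stamp, using textbook RSA with small constructed primes; the key sizes and the lack of padding are for illustration only and would not be used in a real system:

```python
"""Hash-then-sign digital signature with textbook RSA (educational toy).

Added example, not from the original slides.  The primes below are constructed
for illustration; real RSA uses keys of 2048 bits or more plus PKCS#1 padding.
"""
import hashlib
from math import gcd

# Constructed toy parameters: two small primes and the common public exponent.
P, Q, E = 1_000_003, 1_000_033, 65_537


def generate_toy_rsa_keypair(p=P, q=Q, e=E):
    """Return ((e, n), (d, n)); d is the private exponent."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)


def message_digest(message: bytes, n: int) -> int:
    """The 'digital code' of the message, reduced so it fits the tiny modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """'Encrypt' the digest with the private key: s = h^d mod n."""
    d, n = private_key
    return pow(message_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """'Decrypt' with the public key and compare against a fresh digest."""
    e, n = public_key
    return pow(signature, e, n) == message_digest(message, n)


def timestamp(message: bytes, when: str, tsa_private_key) -> int:
    """Third-party time stamp: the TSA signs the message digest bound to a date."""
    return sign(hashlib.sha256(message).digest() + when.encode(), tsa_private_key)


def verify_timestamp(message: bytes, when: str, stamp: int, tsa_public_key) -> bool:
    return verify(hashlib.sha256(message).digest() + when.encode(), stamp, tsa_public_key)


if __name__ == "__main__":
    pub, priv = generate_toy_rsa_keypair()
    msg = b"Transfer 100 EUR to Alice"          # constructed sample message
    sig = sign(msg, priv)
    print(verify(msg, sig, pub))                 # True
    print(verify(b"Transfer 1000 EUR to Alice", sig, pub))   # False: altered
```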

21
Agenda
  • Security
  • Cryptography
  • Privacy on Internet
  • Virus and Worm
  • Client-based Security
  • Server-based Security

22
Privacy on Internet
  • Footprints on the Net
  • TRUSTe
  • The platform for privacy preferences
  • Anonymity

23
Footprints on the Net
  • Requesting a web site reveals:
    • The name of the browser
    • The operating system
    • Preferred language
    • The last visited web site
    • IP address and domain name
    • The client location
    • The screen resolution and number of colors

24
Footprints on the Net
  • Cookies may hold:
    • The password to open a site
    • A user name
    • An e-mail address
    • Purchasing information

25
TRUSTe
  • An independent, non-profit privacy organization that
    issues an online seal called a trustmark
  • Certifies that an online business is trustworthy and
    safe, and allows its privacy practices to be checked by
    a third party
  • Privacy information is hard for end users to
    understand

26
The Platform for Privacy Preferences
  • Platform for Privacy Preferences Project (P3P) by
    the W3C
  • Defines a way for a web site to inform users of its
    privacy practices before the first page

27
Anonymity
  • Anonymous remailers replace the header of the
    original e-mail with the remailer's
  • Anonymizer

28
Agenda
  • Security
  • Cryptography
  • Privacy on Internet
  • Virus and Worm
  • Client-based Security
  • Server-based Security

29
Virus
  • Types of viruses
  • Virus damage
  • Virus strategy

30
Types of viruses
  • Boot sector virus
  • Executable virus
  • Macro virus
  • Hoax viruses and chain letters

31
Virus Damage
  • Annoying
  • Harmless
  • Harmful
  • Destructive

32
Virus Strategy
  • Firewall
  • Anti-virus program
    • Scanner
    • Shield
    • Cleaner
  • Backup strategy
  • Education of employees with a frequently asked
    questions (FAQ) page

33
Agenda
  • Security
  • Cryptography
  • Privacy on Internet
  • Virus and Worm
  • Client-based Security
  • Server-based Security

34
Client-based Security
  • Digital certificates
  • Smart card
  • Biometric identification

35
Digital Certificates
  • A file of personal information (name and address),
    encrypted and password-protected, with the public key
    and the certification authority (name and validity
    period)
  • Types
    • Browser and server: SSL encryption
    • Customer and merchant: SET encryption
    • Two e-mail partners: S/MIME

36
Smart Cards
  • Use electrically erasable programmable read-only
    memory (EEPROM)
  • Types
    • Contact cards
    • Contactless cards
    • Combi cards
  • Information access
    • Read only
    • Add only
    • Modify or delete
    • Execution only

37
Biometric Identification
  • Physical characteristics or behavioral traits
  • Issues
    • Acceptance
    • Accuracy
    • Cost
    • Privacy

38
Agenda
  • Security
  • Cryptography
  • Privacy on Internet
  • Virus and Worm
  • Client-based Security
  • Server-based Security

39
Server-based Security
  • Isolation of web server
  • Application Proxies
  • Multi-layered firewall
  • A trusted operating system (TOS)
  • Backup
  • Least privilege
  • Balance of power
  • A good audit system

40
Trusted Operating Systems
  • Types
    • Virtual Vault by Hewlett Packard
    • Trusted Solaris by Sun
  • Features
    • Firewall
    • Intranet
    • Internet
    • Distributed system data and programs
    • Least privilege
    • Peak usage management
    • Multi-level security
    • Audit system

41
Audit System
  • Adaptable
  • Automated
  • Configurable
  • Dynamic
  • Flexible
  • Manageable
  • System-wide

42
Points to Remember
  • Security
  • Cryptography
  • Privacy on Internet
  • Virus and Worm
  • Client-based Security
  • Server-based Security