Information Security
Dr Ritu Yadav
In Today’s Session
• Client Side Security
• Server Side Security
• Message Level Security
• Corporate Systems Security
Definitions
• Security
• Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
• Controls
• Methods, policies, and organizational procedures that ensure the safety of the organization’s assets; the accuracy and reliability of its accounting records; and operational adherence to management standards
Revisiting Client Server Computing
Wireless Security Challenges
• Why Wi-Fi is vulnerable
• Radio frequency bands easy to scan
• SSIDs (service set identifiers)
• Identify access points, broadcast multiple times, can be identified by sniffer programs
• The Wi-Fi Protocols
• What type of threats are there
• War driving
• Eavesdroppers drive by buildings and try to detect SSID and gain access to network and resources
• Once access point is breached, intruder can gain access to networked drives and files
• Rogue access points/Evil Twin
• Solutions
• Use the best protocol available to you
• MAC address control
• Turn off automatic connections to known WiFi networks
Web-based Application Architecture
• The Client
• The various servers
• The message
• Or the transaction
Client-End Security
• What are the risks that clients on the Internet face?
• Active Content
• Program embedded in an HTML page or an email attachment or as a plugin for your browser
• The benign – Java Applets – famous “client side” computing revolution
• The malicious
• Trojan Horse – malicious programs that gain access to your computer under the guise of a totally different purpose
• Solution
• Java categorises applets into two categories – Trusted Applets and Non-trusted Applets
• Use of Digital certificates (we’ll see!) to identify the trusted sources
• What if we wish to use an applet that is not in the list of trusted Applets?
• Sand Box!
Client-End Security
• Running applets in Sand Box
• Java may ask such untrusted applets to run in a sand box
• i.e. Applets have no access to the PC resources
• They can simply operate on the data that comes in from the web server from which they were downloaded
Client-End Security
• What are the risks that clients on the Internet face? Contd…
• Active Content
• Malware
• Viruses
• Rogue software program that attaches itself to other software programs or data files in order to be executed
• Worms
• Independent programs that copy themselves from one computer to other computers over a network.
• Worms and viruses spread by
• Downloads (drive-by downloads)
• E-mail, attachments
• Downloads on Web sites and social networks
• Smartphones as vulnerable as computers
• Study finds 13,000 types of smartphone malware
• Trojan horses
• Software that appears benign but does something other than expected, e.g. MMarketPay.A
Client-End Security
• What are the risks that clients on the Internet face? Contd…
• Active Content
• Malware
• Ransomware
• Tries to extort money from users by taking control of their computers or mobiles or displaying annoying pop-up messages
• Spyware
• Installs itself surreptitiously on computers to monitor user web-surfing activity and serve up advertising or worse!
• Keyloggers
• Identity theft
• Theft of personal information (social security ID, driver’s license, or credit card numbers) to impersonate someone else
• Evil twins
• Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
Client-End Security
• What are the risks that clients on the Internet face? Contd…
• Active Content
• Malware
• Solution
• Anti-virus software
• Scans your PC for known viruses and “disinfects” it
• Continuously and regularly updated
• Safe Habits
• Not installing pirated software, or downloading files from untrusted sources
• Not inserting diskettes into your PCs without scanning them
• Not reading e-mails from unknown sources – especially those with attachments
Client-End Security
• Client End Security
• Active Content
• Trusted Applets, Sand Box
• Malware
• Anti-virus Software
• Safe Habits
• Server End Security
Server End Security
Malware
• Malware contd…
• SQL injection attacks
• Hackers submit data through Web forms that exploits the site’s unprotected software and sends a rogue SQL query to the database
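Added example (not from the slides): the form-data lookup described above written two ways against a constructed in-memory SQLite table, showing why parameterized queries stop the submitted data from becoming a rogue query.

```python
import sqlite3

# Constructed illustration of the SQL injection risk on the slide (not the page's own code):
# the same login lookup written unprotected and parameterized, run against a sample table.

def make_db():
    """Constructed sample user table held in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db

def login_vulnerable(db, name, password):
    """Unprotected: form data is pasted into the SQL text, so data can rewrite the query."""
    query = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return db.execute(query).fetchone() is not None

def login_parameterized(db, name, password):
    """Protected: placeholders send the values separately; the engine never parses them as SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (name, password)).fetchone() is not None

# Constructed rogue form input: the quote closes the string and a tautology follows it.
ROGUE_PASSWORD = "' OR '1'='1"

def demo():
    """Compare both versions on rogue input and on the real password."""
    db = make_db()
    return {
        "vulnerable_with_rogue_input": login_vulnerable(db, "alice", ROGUE_PASSWORD),
        "parameterized_with_rogue_input": login_parameterized(db, "alice", ROGUE_PASSWORD),
        "parameterized_with_real_password": login_parameterized(db, "alice", "correct horse"),
    }
```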
• Spoofing
• Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
• Redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination
• Sniffer
• Eavesdropping program that monitors information traveling over network
• Enables hackers to steal proprietary information such as e-mail, company files, and so on
Server End Security
DDoS Attacks
• Denial-of-service attacks (DoS)
• Flooding server with thousands of false requests to crash the network
• Distributed denial-of-service attacks (DDoS)
• Use of numerous computers to launch a DoS
• Botnets
• Networks of “zombie” PCs infiltrated by bot malware
• Deliver 90% of world spam, 80% of world malware
• Grum botnet: controlled 560K to 840K computers
Server End Security
Computer Crime
• Computer crime
• Defined as “any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution”
• Computer may be target of crime, for example:
• Breaching confidentiality of protected computerized data
• Accessing a computer system without authority
• Computer may be instrument of crime, for example:
• Theft of trade secrets
• Using e-mail for threats or harassment
Server End Security
Computer Crime
• Hackers and computer crime
– Hackers vs. crackers
– Activities include:
• System intrusion
• System damage
• Cybervandalism
– destruction of Web site or corporate information system
Server End Security
Computer Crime
• Phishing
• Setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data.
Server End Security
Computer Crime
• Pharming
– Redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser
• Click fraud
– Occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase
• Cyberterrorism and Cyberwarfare
Server End Security
Computer Crime
• Failed computer systems can lead to significant or total loss of business function.
• Firms now are more vulnerable than ever.
• Confidential personal and financial data
• Trade secrets, new products, strategies
• A security breach may cut into a firm’s market value almost immediately.
• Inadequate security and controls also bring forth issues of liability.
Server End Security
• The Solution
• Firewall
• Combination of hardware and software that prevents unauthorized users from accessing private networks
• Identifies names, IP addresses, applications and other traffic characteristics
• Technologies include:
• Static packet filtering
• Examines selected fields in the headers of data packets flowing between trusted network and the Internet
• Stateful inspection
• Determining whether packets are part of an ongoing dialogue between a sender and a receiver
• Network address translation (NAT)
• Conceals the IP addresses of the organization’s internal host computers so that sniffer programs outside cannot identify them
• Application proxy filtering
• Examines the application content of packets
• Firewalls can deter but not completely prevent network penetration by outsiders
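Added example, not the lecture’s own code: a constructed packet trace run through a static packet filter and a stateful inspector to show what “part of an ongoing dialogue” buys. The trusted range 10.0.0.0/8 and the HTTPS-only policy are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed illustration of the firewall slide (not the page's own code). Assumed policy:
# inside hosts (10.0.0.0/8) may open HTTPS to the Internet; nothing outside may open a
# connection inwards. Packets are plain dicts holding only the header fields a filter sees.
TRUSTED = ip_network("10.0.0.0/8")

def static_filter(pkt):
    """Static packet filtering: examines selected header fields of this packet alone."""
    inside_src = ip_address(pkt["src"]) in TRUSTED
    if inside_src and pkt["dport"] == 443:
        return True      # outbound HTTPS request
    if not inside_src and pkt["sport"] == 443:
        return True      # resembles an HTTPS reply; the filter cannot know whether anyone asked
    return False

class StatefulFirewall:
    """Stateful inspection: inbound packets pass only if they answer a dialogue seen leaving."""

    def __init__(self):
        self.flows = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt):
        if ip_address(pkt["src"]) in TRUSTED and pkt["dport"] == 443:
            self.flows.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return True
        # inbound: accept only the exact reverse of a recorded outbound flow
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.flows

# Constructed trace: a request and its genuine reply, then an unsolicited inbound packet whose
# source port is 443 so that it looks like a reply to a filter with no memory.
TRACE = [
    {"src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.7", "dport": 443},
    {"src": "203.0.113.7", "sport": 443, "dst": "10.0.0.5", "dport": 51000},
    {"src": "198.51.100.9", "sport": 443, "dst": "10.0.0.5", "dport": 22},
]

def compare(trace):
    """Return [(static_decision, stateful_decision), ...] for each packet in order."""
    fw = StatefulFirewall()
    return [(static_filter(p), fw.allow(p)) for p in trace]
```

Only the stateful inspector rejects the third packet, because it never saw a matching request leave.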
Server End Security
• The Solution
• Firewall
The firewall is placed between the firm’s private network and the public Internet or another distrusted network to protect against unauthorized traffic.
The Message Security
• EXAMPLE: We want to buy TATAMOTORS stocks from our broker – and hence, send a letter for the same to the broker’s address.
• What are the message level risks we’ll face?
Confidentiality
• Only the broker should be able to read the message, and no one else!
Authentication
• Broker should know that it is you who have sent the letter, and no one else.
Integrity
• Broker should be confident that the message he/she received is the message you had sent!
Non-repudiation
• Broker should make sure that in future you may not deny having sent such a request.
The Message Security
• EXAMPLE: We want to buy TATAMOTORS stocks from our broker – and hence, send a letter for the same to the broker’s address.
• What are the message level risks we’ll face?
• Confidentiality
• To ensure that only you, as the person to whom the message has been sent, are able to read the message
• Authentication
• Whether the person/site that you are dealing with is actually the person/site it claims to be
• Integrity
• The message received is actually the message sent
• Non-Repudiation
• The problem where a person, site, or organization denies having sent a message that it did send
The Message Security
• What are the message level risks we’ll face?
• Confidentiality
• To ensure that only you, as the person to whom the message has been sent, are able to read the message
• The Solution
• Encryption
The Message Security
• Encryption
• Transforming the message such that it makes sense only when it is decrypted back – Decryption
• Science of encryption – Cryptography
• Encryption algorithm is also referred to as the cipher
• Publicly available
• Used by a huge number of people. Some of the commonly used ones are DES, Triple DES etc.
• Since the algorithm is public, anybody could decrypt the message! – hence the use of a key
• How will you share the key with the receiver?
• Use of public key cryptography
The Message Security
A public key encryption system can be viewed as a series of public and private keys that lock data when
they are transmitted and unlock the data when they are received. The sender locates the recipient’s public
key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet
or a private network. When the encrypted message arrives, the recipient uses his or her private key to
decrypt the data and read the message.
The Message Security
• Encryption
• Encryption-Decryption (Cipher)
• Concept of Key
• Public Key Cryptography
• Works both ways
• Symmetric key cryptography
The Message Security
• What are the message level risks we’ll face?
• Confidentiality
• Integrity
• The message received is actually the message sent
• The Solution
• ……….. Signatures
• The Digital Signatures
The Message Security
[Figure: the digital signature process]
Sender: Message → HASH FUNCTION (publicly available) → Message Digest → Encryption Algorithm using Sender’s Private Key → encrypted Message Digest; the Message and the encrypted digest travel over The Internet
Receiver: Received Message → HASH FUNCTION → Re-computed Message Digest; Received Message Digest → Decryption Algorithm using Sender’s Public Key → Message Digest; the two digests are compared
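Added, constructed example (not from the slides or any library) that carries both the public-key encryption paragraph and the signature diagram through in toy textbook RSA: the recipient’s public key encrypts, the sender’s private key transforms the hash, and the sender’s public key recovers it for comparison. Key sizes, primality test and the message are assumptions made for illustration; a real system would use a vetted library with proper padding.

```python
import hashlib
import random

# Constructed textbook-RSA illustration of the two flows on the slides (not the page's code).
# Confidentiality: encrypt with the RECIPIENT's public key, decrypt with the recipient's private
# key. Signature: hash the message, transform the digest with the SENDER's private key, recover
# it with the public key and compare. Toy only: real systems use 2048-bit+ keys and OAEP/PSS.

def is_probable_prime(n):
    """Fermat test on fixed bases; adequate for a toy (real code uses Miller-Rabin)."""
    return all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7, 11, 13, 17, 19))

def random_prime(bits):
    while True:  # set the top bit (exact size) and the low bit (odd)
        n = random.getrandbits(bits) | 1 << (bits - 1) | 1
        if is_probable_prime(n):
            return n

def generate_keypair(bits=512):
    """Return (public, private), each as an (exponent, modulus) pair."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def digest(message):
    """The publicly available hash function from the diagram: SHA-256, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def encrypt(message, public):  # sender looks up the RECIPIENT's public key
    e, n = public
    m = int.from_bytes(message, "big")
    assert m < n, "toy scheme: message must be numerically smaller than the modulus"
    return pow(m, e, n)

def decrypt(ciphertext, private):  # only the recipient's private key reverses it
    d, n = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def sign(message, private):  # digest "encrypted" with the SENDER's private key
    d, n = private
    return pow(digest(message), d, n)

def verify(message, signature, public):  # recover the digest, recompute it, compare
    e, n = public
    return pow(signature, e, n) == digest(message)
```

Keeping the message and the signature lets the broker re-run verify() with the sender’s public key at any later time, which is the storage requirement the non-repudiation slide spells out.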
The Message Security
• What are the message level risks we’ll face?
• Confidentiality
• Integrity
• Authentication
• Whether the person/site that you are dealing with is actually the person/site it claims to be
• The Solution
• Digital Certificates
The Message Security
• Digital Certificates
• Issued by Trusted Third Parties, also referred to as Certificate Authorities (CA)
• Charge a fee for this service
• Issues a pair of keys – public key and the private key
• The public key is shared with the CA; the key pair is used to create your digital signature
• 40 bit and 128 bit keys
Digital certificates help establish the identity of people or electronic assets. They protect online transactions by providing secure, encrypted, online communication.
The Message Security
• What are the message level risks we’ll face?
• Confidentiality
• Encryption
• Integrity
• Digital Signature
• Authentication
• Digital Certificate
• What about Non-Repudiation?
• What does non-repudiation require?
• The message
• Proof that the message came from you – or your certificate
• Proof that the message has not been tampered with – or your digital signature
• All your broker needs to do is store the message, your certificate, and your digital signature
The Message Security
• What are the message level risks we’ll face?
• Confidentiality
• Encryption
• Integrity
• Digital Signature
• Authentication
• Digital Certificate
• Non-Repudiation
• The Protocol
• Secure Sockets Layer (SSL)
• A protocol that permits encryption, digital signatures, digital certificates to be exchanged between the hosts
• The most popular protocol of this kind for the Internet, developed by Netscape
• It ensures that the server has a digital certificate, but does not insist on client authentication
• Non-repudiation is not built into the SSL protocol
• Secure Electronic Transaction (SET)
• Developed by VISA and MasterCard (along with many other companies) to handle credit card transactions
Server End Security
• The Solution
• Firewall
• Intrusion detection systems:
• Monitors hot spots on corporate networks to detect and deter intruders
• Examines events as they are happening to discover attacks in progress
• Unified threat management (UTM) systems
Corporate Security
• Legal and regulatory requirements for electronic records management and privacy protection
– HIPAA: Medical security and privacy rules and procedures
– Gramm-Leach-Bliley Act: Requires financial institutions to ensure the security and confidentiality of customer data
– Sarbanes-Oxley Act: Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally
• Security policy
• Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals
Corporate Security
• Identity management
– Business processes and tools to identify valid users of a system and control access
• Identifies and authorizes different categories of users
• Specifies which portion of the system users can access
• Authenticates users and protects identities
– Identity management systems
• Captures access rules for different levels of users
Corporate Security
These two examples represent two security profiles or data security patterns that might be found in a personnel system. Depending on the security profile, a user would have certain restrictions on access to various systems, locations, or data in an organization.
Corporate Security
• MIS audit
• Examines the firm’s overall security environment as well as the controls governing individual information systems
• Reviews technologies, procedures, documentation, training, and personnel.
• May even simulate a disaster to test the response of technology, IS staff, and other employees
• Lists and ranks all control weaknesses and estimates the probability of their occurrence
• Assesses financial and organizational impact of each threat
Corporate Security
• Identity management
– Automates keeping track of all users and privileges
– Authenticates users, protects identities, controls access
• Authentication
– Password systems
– Tokens
– Smart cards
– Biometric authentication