
OLBUS800 e-Commerce

Semester Two 2007

Week 6

Online Security

FACTS & FIGURES
February 7 - 9, 2000

• Yahoo!, Amazon, Buy.com, CNN.com, eBay, E*Trade, ZDNet websites hit with massive DoS
• Attacks received the attention of President Clinton and Attorney General Janet Reno
• “A 15-year-old kid could launch these attacks, it doesn’t take a great deal of sophistication to do it” - Ron Dick, Director NIPC, February 9
• U.S. Federal Bureau of Investigation (FBI) officials have estimated the attacks caused $1.7 billion in damage

FACTS & FIGURES
January 2003 - USA

Slammer Worm
• Affects 90% of vulnerable computers within 10 minutes
• Effects of the Worm
– interference with elections
– cancelled airline flights
– 911 emergency systems affected in Seattle
– 13,000 Bank of America ATMs failed
– Estimated ~$1 Billion in productivity loss

• A “worm” released in Houston, Texas, USA
– Worm scanned the Internet for other computers to infect
– Forced the infected computers to use their modems to dial 911
– Because each infected computer can scan approximately 2,550 computers at a time, this worm had the potential to create an extensive DoS attack

FACTS & FIGURES
• Gary McKinnon of Great Britain faces extradition to the United States for allegedly carrying out “the biggest military computer hack of all time”
– McKinnon reportedly hacked into almost 100 networks operated by the US Army, Navy, Air Force and the Pentagon, shortly after September 11, 2001
– Caused an estimated $1 million worth of damages
– At the July 27 extradition hearing, Mr. McKinnon was granted bail with restrictions on international travel and use of computer equipment to access the Internet

• Source: July 27, 2005, BBC News

FACTS & FIGURES
Worms biting harder into IM, P2P
– Instant messaging and peer-to-peer fans are being hit with more worm and malicious code attacks than ever before, according to research reports
– The number of threats detected for IM and peer-to-peer networks rose a whopping 3,295 percent in the third quarter of 2005, compared with last year
– Worm writers are coming up with more effective ways to get people to click on links to their malicious code, and worms can increasingly hop from one IM network to another
October 4, 2005

WHAT IS CYBER SECURITY?
Cyber (a prefix), relating to information technology, the internet and virtual reality

Security is the process of making safe or safeguarding something or someone. It involves taking the necessary preventive measures to thwart all possible threats to normal operations and livelihood

Cyber Security is essentially the process of securing this virtual place or virtual reality, usually referred to as cyberspace. The catch is that this ‘cyberspace’ is very real and does affect us all in very tangible ways

Cyber security – a
process, not a product
• Cyber Security is a process and not a feature or
product that you can go out and get
• Being a process means it needs to be monitored
and revised as the technology landscape evolves
• The concept applies to three things:

– Assets
– Vulnerability
– Threats

Increasing dependence on the
internet today
Directly:
• Communication (Email, IM, VoIP)
• Commerce (business, banking, e-commerce, etc)
• Control systems (public utilities, etc)
• Information & Entertainment
• Sensitive data stored on the internet

Indirectly:
• Businesses, education and government have permanently replaced physical or manual processes with internet-based processes

Security Not A Priority Today
Other design priorities often trump
security, due to:

– Cost
– Speed
– Convenience
– Open Architecture
– Backwards Compatibility

Cyber Security
Threats
[Diagram labels: Hackers; Unavailability; Unauthorized access; Destruction; Disclosure of confidential information; Repudiation; Reputational damage; Modification; Financial Loss; Theft; Authentication; Continuity; Fraud; Privacy; Staff; Money laundering; Compliance; Confidentiality; Data Integrity; Loss of trust and public confidence]

Today’s threats
Revolution in connectivity has also increased the potential of
those who would do harm, giving them the capability to do so
from afar while armed with only a computer and the
knowledge needed to identify and exploit vulnerabilities.

Computer Security Institute / FBI Survey: Fortune 500 and small companies
• 79% reported security breaches
• 70% from internet connections
• 66% from internal systems
• 59% reported employee internet abuse
• 78% detected computer viruses

Who are the bad guys?
• Experimenters & Vandals – Impress peers
• Hacktivists – they have an Agenda (Political, Environmental).
• “End justifies the means” and the means can be anything
• Cyber criminals – Steal passwords, a/c information, a/c details etc. – Blackmail you. They use computers to steal
• Information warriors – State supported warriors. Their Agenda is to destroy government defences or contribute to collapsing their economy.

Who are the bad guys?
…cont.

School for cyber terrorists: North Korea & South Korea
• In North Korea’s mountainous Hyungsan region, a military academy specializing in electronic warfare has been churning out 100 cyber soldiers every year for nearly two decades
• Graduates of the elite hacking program at Mirim College are skilled in everything from writing computer viruses to penetrating network defences and programming weapon guidance systems
• South Korea, in reply, developed 177 ‘computer training facilities’ and trained more than 200,000 ‘information technicians’

Who are the bad guys?
…cont.
• Now the hackers don’t have to be the amateurs or
people with an agenda or the cyber terrorists

• They can even be YOU

• ‘Hack the Planet’ website
– Very easy to launch attack
– Just put in the IP address
– Download the kits to create viruses
– If in the right hands can be incredible teaching tools but if in the wrong hands, it can be incredibly destructive
– Sends large packets of data and smokes the system
– Especially effective on a Windows NT system

Potential Consequences

• Embarrassment
– you are reluctant to tell anybody about it
• Repair costs
– any damage, then you have to repair it
• Misinformation and worse
– people hack a webpage and put
misinformation in it
• Loss of e-business
– owing to lack of customer trust
Most common types of attacks
today
[Diagram: Types of Attacks, divided into Non-Technical Attacks and Technical Attacks. Boxes: Theft of data & resources; Social-Engineering; DDoS; Malicious Code (Viruses, Worms, Trojan Horses)]

Theft of data & Resources
• Stealing your computer files
• Data transfer to USB before they walk off

• Accessing your computer accounts

• Stealing your laptops and computers

• Intercepting your e-mails


Denials of service attacks
Attacking computers or websites

Purpose:
– locks up equipment
– crashes your systems
Results:
– slows/stops work flow
– prevents e-mail communication
– shuts down e-commerce
Methods of DoS Attacks
[Diagram labels: Hackers; HACKER; Renan, Alexia, Lu, Chris, Jia; YOU; YOU]
More common – breaks into other computers and gives direction to attack you!!!

Malicious Code
Code that executes for a purpose that is harmful rather than beneficial

Characteristics
– Sends itself over the internet
– Sends your files over the internet
– Deletes data
– Locks up computer system
– Hides in other programmes
– Copies itself

Malicious Code
The common types are:
– Trojan horse
– Virus
– Worm

Trojan Horse
Pretends to be something good
E.g. a screensaver of something gorgeous
But it also installs a programme that watches activities and reports passwords to someone else
Might even transfer files unknowingly
So it pretends to be something good but it also does something behind the scenes which is not good

Viruses
– Code that infects other programmes and then executes when those programmes execute
– Go into memory and watch whatever the system is doing and then they do what they are written to do
– E.g. send out copies of files, infecting other programmes / files, or attach themselves to emails and do whatever they are meant to do

Worms
– Typically haven't had any purpose in terms of destroying files
– Go on to a system and send copies of themselves to everyone on the email list and address book
– Thus each one has a copy of the worm

Purpose:
– Denial of service for the entire system and internet

The Hoax as a “perfect” virus
• E-mails with false warning of a virus
• Symptoms of a hoax virus:

– Message source.
– Warning of doom and destruction
– Technical jargon
– Directions to pass it on

Interestingly, it's not always the
hackers
• Malicious actions
– by ex-employees

• Unintentional damage
– accidentally deleted a file…embarrassing but still destruction of information

• Non-business use of computers
– doing personal work on your work systems

Reducing the risks
There's no 100% guarantee that even with the best
precautions some of these things won't happen to
you, but there are steps you can take to minimize
the chances.

The following recommendations will build your defense against future infections:
1. Use and maintain anti-virus software
2. Change your password
3. Keep software up to date
4. Install or enable a firewall
5. Use anti-spyware tools
6. Follow good security practices

Phishing

• One of the simplest methods of stealing a user’s identity
• Uses fake email messages and fraudulent websites to fool recipients into divulging personal financial data
• Many US households fell victim to such attacks at a cost of $400 million in 2004

Anonymous Surfing
Reasons to hide IP address

• Tracking: you can be found and tracked using your IP address very easily
• Attacking: your IP address gives hackers an entryway into your computer

• IP address is the signature address of your computer as it is connected to the Internet
• Using IP address, it is easy to detect your cookies, what's in your browser cache, kind of computer, hard drive and files on it, etc.

• Uses: Saudi Arabia – Government; Office – Another Job; Medicines – spam

• How does anonymous surfing work?
• Puts a buffer between you and the Web site you want to look at
• Allows you to view information without being tracked

Anonymous Surfing (…cont)
There are 2 ways:

• Anonymous Server: Anonymous servers work by retrieving web pages for you.
They hide your IP address and other important browsing information, so the remote
server does not see your information but sees the proxy server's information instead

Public Proxy Servers
Proxy 4 Free
Elite Proxy

• Free Anonymous Proxy Sites and Services: The anonymous proxy retrieves the
web pages BEFORE they are delivered to you. This way, the IP address and other
browsing information that the remote server sees does not belong to you. It belongs
to the anonymous proxy

ByPassIt
Anonymouse
HideAndGoSurf.com

Secure Servers
• A secure server is usually used when confidential information
needs to be sent across the Internet.
• This information might be password details to allow access to a
system, or credit card or other personal details which allow some
sort of transaction to be performed

• When a secure server is in use, the information is encrypted by your web browser prior to sending it across the Internet. This information can only be decoded by the host site which requested it. It is unlikely that anyone could intercept the information as it crosses the Internet.
• Thus, it is practically impossible for outsiders to break the encryption.
• Secure server URLs are usually denoted by the prefix 'https' as opposed to 'http'.
• E.g. Verisign, www.commbank.com.au


Implications for business
Organised Crime and Cyber Crime

• In the virtual world, most criminal activities are initiated by individuals or small groups
• Called ‘disorganised crime’
• Yet organised crime groups or mafias are exploiting the new opportunities offered by the internet
• Organized crime and cyber-crime will never be synonymous
• Nevertheless, the degree of overlap between the two phenomena is likely to increase considerably in the next few years
Thus, the need for business and government to wake up and recognise this as an emerging and very serious threat to cyber-security

Internet: Why is it so attractive to
criminals?
Provides opportunities for various kinds of
thefts

• Online thieves can rob online banks
• Illicitly gain access to intellectual property
• Offers new means of committing old crimes such as fraud and extortion

Internet: Why is it so attractive to
criminals?

Anonymity of the internet

• Secrecy is a part of organised crime strategy and the Internet offers excellent opportunities for its maintenance
• Actions can be hidden behind a veil of anonymity

Synergy between organised
crime and cyber-crime
In sum, the synergy between organized crime and
the Internet is not only very natural but also one that
is likely to flourish and develop even further in the
future.
The Internet provides both channels and targets for
crime, and enables them to be exploited for
considerable gain with a very low level of risk.
It is critical, therefore, to identify some of the ways in
which organized crime is already overlapping with
cyber-crime.

Implications for business
• Need for major changes in thinking about
cyber-security and in planning and
implementing security measures
• Important if e-business is to reach its full
potential

Implications for business
• The most important changes are in ‘thinking’.
This has two distinct but overlapping
dimensions:
– security has to be understood in broad rather than
narrow terms
– security can no longer be an after-thought, but needs
to be part of intelligence, planning, and business
strategy
• Many businesses are now being attacked by
cyber extortionists who demand payment in
return for not attacking the businesses’ web
presence.

Recommendations for firms in
the high-tech sector
1. Recognize the real problem is crime, not
hacking
2. Business intelligence needs to include criminal
intelligence analysis
3. Beware of infiltration
4. Be sensitive to money laundering opportunities
5. Develop partnerships and information-sharing
arrangements

Recommendations for firms in
the high-tech sector
• None of these measures is a panacea
• Yet, individual firms need to tailor their security programs to their particular vulnerabilities and needs
• Recognise that organised crime and cyber-crime are becoming more convergent in order for their security programs to be sufficient
Maintaining cyber-security:
Role of IT Managers
The naked truth:
Good IT security practice requires more
than anti-virus and firewall systems
• “Security Within™ - Configuration based Security” explains the reasons for a configuration-based monitoring system in addition to existing perimeter security systems, such as anti-virus and firewalls.
Maintaining cyber-security:
Role of IT Managers
The result:
• IT managers must now be continuously aware of the
security implications of their IT system configurations
and be able to remedy their vulnerabilities in order to be
secure from future attacks
• Belarc calls this “Configuration based Security”
• Tools are now available to IT managers to help with
these configuration based security issues
• Sadly, none of them is easy to use in IT environments with multiple locations throughout the country or throughout the world

Security Within™ - Configuration
based Security
• There are a number of published IT security configuration standards:
• the DISA (Defense Information Systems Agency)
• NSA (National Security Agency) federal government standards
• the CIS (Center for Internet Security) industry standard.

• Belarc uses the CIS standards as an example

System Architecture: Hierarchical

System Architecture: BelManage
– using your intranet

Intranet based system
Advantages
• Mobile professionals can receive e-mails even
over a slow dial-up connection
• Geographically distributed operations – if your
laptops or servers have access to your
company's intranet to internet through WAN,
dial-up or satellite link, they can be managed
using BelManage
• Identifies high-risk IT assets – eg. File servers,
unauthorised software such as IM, desktops
without antivirus software

Intranet based system
Performance thus far:
• Successfully deployed for systems with
hundreds of thousands of desktops,
servers and laptops
• Updates over 100,00 profiles daily
• 45,000 PC profiles can be uploaded to
the server in one hour
• ability to schedule when clients upload
profiles to best fit your network loading
Reactive Vs Proactive security
approaches
Reactive Process

• Conventional security vendors offer solutions that react to the threats that enter through your security holes.
• Methods like firewalls, anti-virus products, and traditional intrusion detection systems alert that an attack has occurred, after threats slip through the leaky security roof, and eventually prescribe or initiate countermeasures.
• Typically unfolds over the course of hours, or even days after the attack – often after significant damage has been done

Reactive Vs Proactive security
approaches
Proactive through research
• The alternative to reaction is research – tackling the security challenge at its source
• Creates effective defenses before attacks
even occur

Reactive Vs Proactive: Conclusion

• Companies can no longer afford to depend on reactive security techniques
• The potential for huge business losses from sophisticated new internet threats is a wake-up call for corporate management

Reactive Vs Proactive: Conclusion

Pre-emption

• The only security approach that addresses these issues
• The only solution that can truly keep internet-dependent organizations ahead of the threat
• Today ISS (Internet Security Systems) is the only company capable of delivering that solution
• It commands the extensive knowledge, innovative research methods and complex technologies required to achieve preemptive security

Global Awareness of cyber security
issues…Countries finally pay heed!

Australia

New South Wales, Australia, introduced legislation in May 2005 to outlaw employers from prying into workers' private e-mails as part of anti-spying legislation aimed at preventing bosses from covertly observing employees. National privacy laws in Australia do not cover e-mail monitoring. (5/4/05 – Reuters)

Global Awareness of cyber security
issues…Countries finally pay heed!

China

The Ministry of Public Security launched a publicity campaign on Internet security, with a focus on preventing internet fraud. In addition, computer virus prevention firms based in China are providing free online anti-virus services. The Chinese authorities have been conducting a study on Internet security incidents in the past year.

Global Awareness of cyber security
issues…Countries finally pay heed!

Japan

Effective April 1, 2005, businesses throughout Japan, including foreign companies, must comply with legislation that sets out new rules for handling personal data. The Japan Personal Information Protection Law mandates a set of obligations to protect customers’ personal data. The law applies to companies with offices in Japan holding personal data on 5,000 or more individuals.
Global Awareness of cyber security
issues…Countries finally pay heed!

South Korea

The South Korean government will introduce measures to protect personal information on the Internet within the second half of the year. During an economic policy meeting presided over by Deputy Prime Minister for Economy Han Duck-soo, the Ministry of Information and Communication said it is considering devising computer security measures to protect individual privacy. (4/15/05 – Digital Chosun Ilbo)

Global Awareness of cyber security
issues…Countries finally pay heed!

Singapore

Two centres specializing in testing and certifying Internet security products to help manufacturers meet global standards have been set up in Singapore. They are the first in the region to use Common Criteria Certification, a standard for security products accepted by 20 countries. (6/30/05 – Deutsche Presse-Agentur)

Global Awareness of cyber security
issues…Countries finally pay heed!

Qatar

The Supreme Council for Information and Communication Technology is launching the Qatar Computer Emergency Response Team (Q-CERT) in September with support from Carnegie Mellon University’s CERT Coordination Centre. Q-CERT is expected to conduct and coordinate a comprehensive set of cyber security activities needed to protect Qatar’s critical government, business, and education infrastructures. (6/28/05 – Gulf Times)
What can you, as now ‘cyber-security aware’
managers, do to help?

• System penetration threats

• Security budgets be adequately funded
– Do not consider this a no-return or discretionary expense

• Understand internet security realities
– Assume a potentially hostile environment and protect themselves through full message encryption for sensitive information, digital signature for message authentication, high quality maintained firewalls and other filters

What can you, as now ‘cyber-security aware’
managers, do to help?
• Corporate road warriors travelling with laptops secure them with at least two-phase security controls
– Web-based services such as Groove can be used to circumvent corporate document policies

• Secure new communications devices - PDAs such as BlackBerrys
New and Emerging Technologies

Tokens

Passive Tokens
• Storage devices that contain a secret code
• Most common – plastic cards with magnetic
strips containing a hidden code
• User swipes the token through a reader
attached to a personal computer or workstation
and then enters his or her password to gain
access to the network
New and Emerging Technologies

Tokens

Active Tokens
• Usually stand-alone electronic devices (key
chain tokens, smartcards, USB) that generate
one-time passwords
• User enters a PIN into the token. The token
then generates a password that is only good for
a single log-on
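
The active-token flow described above, as an added example that is not part of the original slides. The slide names no algorithm, so this sketch assumes HOTP (RFC 4226), one standard counter-based one-time-password scheme; `ActiveToken`, `LoginServer`, the PIN and the look-ahead window are hypothetical, and the secret is the RFC's published test key.

```python
"""HOTP (RFC 4226) sketch of an active token and the server that checks it."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time password for a given counter value (RFC 4226, HMAC-SHA-1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class ActiveToken:
    """Hypothetical key-chain token: the PIN unlocks it, each use advances a counter."""
    MAX_TRIES = 3

    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin = secret, pin.encode()
        self._counter = 0
        self._tries_left = self.MAX_TRIES

    def generate(self, pin: str) -> str:
        if self._tries_left == 0:
            raise PermissionError("token locked")
        if not hmac.compare_digest(pin.encode(), self._pin):
            self._tries_left -= 1                # a wrong PIN burns one attempt
            raise PermissionError("wrong PIN")
        self._tries_left = self.MAX_TRIES
        otp = hotp(self._secret, self._counter)
        self._counter += 1                       # never emit the same password twice
        return otp


class LoginServer:
    """Hypothetical verifier sharing the token's secret and tracking its counter."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self._secret = secret
        self._next = 0                           # lowest counter still acceptable
        self._look_ahead = look_ahead            # tolerates generated-but-unused codes

    def verify(self, otp: str) -> bool:
        for c in range(self._next, self._next + self._look_ahead + 1):
            if hmac.compare_digest(hotp(self._secret, c), otp):
                self._next = c + 1               # this and every earlier code is now dead
                return True
        return False


def demo() -> dict:
    secret = b"12345678901234567890"             # RFC 4226 test key (sample, not a real secret)
    token, server = ActiveToken(secret, "4821"), LoginServer(secret)
    first = token.generate("4821")
    out = {"first_login": server.verify(first),  # fresh password is accepted
           "replay": server.verify(first)}       # the same password again is refused
    skipped = token.generate("4821")             # generated but never submitted
    out["after_drift"] = server.verify(token.generate("4821"))
    out["skipped_code"] = server.verify(skipped)  # older than the last accepted code
    return out


if __name__ == "__main__":
    print(demo())
```

The server-side counter is what makes each password "only good for a single log-on": a captured code is useless once it, or any later code, has been accepted.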

Smart Cards
• A smart card, a type of chip card, is a plastic card
embedded with a computer chip that stores and
transacts data between users.
• This data is associated with either value or
information or both and is stored and processed
within the card's chip, either a memory or
microprocessor.

Smart Cards
Portable USB Digital Identity Device

It supports comprehensive managed digital identity and consolidated credentials, offering all the power of a multi-application dynamic smart card in the form of a USB

Biometric Systems
Biometrics is the science of measuring physical properties of
living beings.

• What is biometric authentication?
• Biometric authentication is the automatic recognition of a living being using suitable body characteristics.
• By measuring an individual's physical features in an authentication inquiry and comparing this data with stored biometric reference data, the identity of a specific user is determined.
Examples:
Fingerprint scanners
Iris Scanners
Facial Recognition Systems
Voice Recognition