OLBUS800 e-Commerce Semester Two 2007

Week 6 Online Security

FACTS & FIGURES
February 7 - 9, 2000
• Yahoo!, Amazon, Buy.com, CNN.com, eBay, E*Trade, ZDNet websites hit with massive DOS
• Attacks received the attention of President Clinton and Attorney General Janet Reno
• “A 15-year-old kid could launch these attacks, it doesn’t take a great deal of sophistication to do it” - Ron Dick, Director NIPC, February 9
• U.S. Federal Bureau of Investigation (FBI) officials have estimated the attacks caused $1.7 billion in damage

FACTS & FIGURES
January 2003 - USA
• Slammer Worm affects 90% of vulnerable computers within 10 minutes
• Effects of the Worm
– interference with elections
– cancelled airline flights
– 911 emergency systems affected in Seattle
– 13,000 Bank of America ATMs failed
– Estimated ~$1 Billion in productivity loss

A worm released in Houston, Texas, USA
– Worm scanned the Internet for other computers to infect
– Forced the infected computers to use their modems to dial 911
– Because each infected computer can scan approximately 2,550 computers at a time, this worm had the potential to create an extensive DOS attack

FACTS & FIGURES
• Gary McKinnon of Great Britain faces extradition to the United States for allegedly carrying out “the biggest military computer hack of all time”
– McKinnon reportedly hacked into almost 100 networks operated by the US Army, Navy, Air Force and the Pentagon, shortly after September 11, 2001
– Caused an estimated $1 million worth of damages
– At the July 27 extradition hearing, Mr. McKinnon was granted bail with restrictions on international travel and use of computer equipment to access the Internet

Source: July 27, 2005, BBC News

FACTS & FIGURES
Worms biting harder into IM, P2P
– Instant messaging and peer-to-peer fans are being hit with more worm and malicious code attacks than ever before, according to research reports
– The number of threats detected for IM and peer-to-peer networks rose a whopping 3,295 percent in the third quarter of 2005, compared with last year
– Worm writers are coming up with more effective ways to get people to click on links to their malicious code, and worms can increasingly hop from one IM network to another
October 4, 2005

WHAT IS CYBER SECURITY?
Cyber (a prefix): relating to information technology, the internet and virtual reality.
Security is the process of making safe or safeguarding something or someone. It involves taking the necessary preventive measures to thwart all possible threats to normal operations and livelihood.
Cyber Security is essentially the process of securing this virtual place or virtual reality, usually referred to as cyberspace. The catch is that this ‘cyberspace’ is very real and does affect us all in very tangible ways.

Cyber security – a process, not a product
• Cyber Security is a process and not a feature or product that you can go out and get
• Being a process means it needs to be monitored and revised as the technology landscape evolves
• The concept applies to three things:
– Assets
– Vulnerability
– Threats

Increasing dependence on the internet today
Directly:
• Communication (Email, IM, VoIP)
• Commerce (business, banking, e-commerce, etc)
• Control systems (public utilities, etc)
• Information & Entertainment
• Sensitive data stored on the internet
Indirectly:
• Businesses, education and government have permanently replaced physical or manual processes with internet-based processes

Security Not A Priority Today
Other design priorities often trump security, due to:
– Cost
– Speed
– Convenience
– Open Architecture
– Backwards Compatibility

Cyber Security
[Diagram: terms surrounding “Cyber Security”: Threats, Hackers, Unavailability, Unauthorized access, Destruction, Repudiation, Disclosure of confidential information, Modification, Theft, Staff, Continuity, Compliance, Data Integrity, Loss of trust and public confidence, Reputational damage, Authentication, Fraud, Financial Loss, Privacy, Money laundering, Confidentiality]

Today’s threats
Revolution in connectivity has also increased the potential of those who would do harm, giving them the capability to do so from afar while armed with only a computer and the knowledge needed to identify and exploit vulnerabilities.
Computer Security Institute / FBI Survey: Fortune 500 and small companies
• 79% reported security breaches
• 70% from internet connections
• 66% from internal systems
• 59% reported employee internet abuse
• 78% detected computer viruses

Who are the bad guys?
• Experimenters & Vandals – Impress peers
• Hacktivists – they have an Agenda (Political, Environmental). “End justifies the means” and the means can be anything
• Cyber criminals – Steal passwords, a/c information, a/c details etc. – Blackmail you. They use computers to steal
• Information warriors – State supported warriors. Their Agenda is to destroy government defences or contribute to collapsing their economy.

Who are the bad guys? …cont.

School for cyber terrorists: North Korea & South Korea
• In North Korea’s mountainous Hyungsan region, a military academy specializing in electronic warfare has been churning out 100 cyber soldiers every year for nearly two decades
• Graduates of the elite hacking program at Mirim College are skilled in everything from writing computer viruses to penetrating network defences and programming weapon guidance systems
• South Korea, in reply, developed 177 ‘computer training facilities’ and trained more than 200,000 ‘information technicians’

Who are the bad guys? …cont.
• Now the hackers don’t have to be the amateurs or people with an agenda or the cyber terrorists
• They can even be YOU
• ‘Hack the Planet’ website
– Very easy to launch attack
– Just put in the IP address
– Download the kits to create viruses
– If in the right hands can be incredible teaching tools but if in the wrong hands, it can be incredibly destructive
– Sends large packets of data and smokes the system
– Especially effective on a Windows NT system

Potential Consequences
• Embarrassment
– you are reluctant to tell anybody about it

• Repair costs
– if there is any damage, then you have to repair it

• Misinformation and worse
– people hack a webpage and put misinformation in it

• Loss of e-business
– owing to lack of customer trust

Most common types of attacks today
[Diagram: Types of Attacks, divided into Non-Technical Attacks and Technical Attacks. Labels: Social-Engineering; DDoS; Malicious Code; 1. Theft of data & resources; Viruses; Worms; Trojan Horses]

Theft of data & Resources
• Stealing your computer files
– Data transfer to USB before they walk off
• Accessing your computer accounts
• Stealing your laptops and computers
• Intercepting your e-mails

Denial of service attacks
Attacking computers or websites
Purpose:
– locks up equipment
– crashes your systems

Results:
– slows/stops work flow
– prevents e-mail communication
– shuts down e-commerce

Methods of DoS Attacks
[Diagram: a HACKER, intermediate computers labelled Renan, Alexia, Lu, Chris and Jia, and the target labelled YOU]

More common – breaks into other computers and gives direction to attack you!!!

Malicious Code
Code that executes for a purpose which is not for the good welfare
Characteristics
– Sends itself over the internet
– Sends your files over the internet
– Deletes data
– Locks up computer system
– Hides in other programmes
– Copies itself

Malicious Code
The common types are:
– Trojan horse
– Virus
– Worm

Trojan Horse
Pretends to be something good
Eg. a screensaver of something gorgeous
But it also installs a programme that watches activities and reports passwords to someone else
Might even transfer files without the user knowing
So it pretends to be something good but it also does something behind the scenes which is not good

Viruses
– Code that infects other programmes and then executes when those programmes execute
– They go into memory and watch whatever the system is doing and then they do what they are written to do
– Eg. Send out copies of a file infecting other programmes / files, or attach themselves to emails and do whatever they are meant to do

Worms
– Typically haven't had any purpose in terms of destroying files
– Go on to a system and send copies of themselves to everyone on the email list and address book
– Thus each one has a copy of the worm

Purpose:
– Denial of service for the entire system and internet

The Hoax as a “perfect” virus
• E-mails with false warning of a virus
• Symptoms of a hoax virus:
– Message source
– Warning of doom and destruction
– Technical jargon
– Directions to pass it on

Interestingly, it's not always the hackers
• Malicious actions
– by ex-employees

• Unintentional damage
– accidentally deleted a file…embarrassing but still destruction of information

• Non-business use of computers
– doing personal work on your work systems

Reducing the risks
There's no 100% guarantee that even with the best precautions some of these things won't happen to you, but there are steps you can take to minimize the chances. The following recommendations will build your defense against future infections:
1. Use and maintain anti-virus software
2. Change your password
3. Keep software up to date
4. Install or enable a firewall
5. Use anti-spyware tools
6. Follow good security practices

Phishing
• One of the simplest methods of stealing a user’s identity
• Uses fake email messages and fraudulent websites to fool recipients into divulging personal financial data
• Many US households fell victim to such attacks at a cost of $400 million in 2004

Anonymous Surfing
Reasons to hide IP address
• Tracking: you can be found and tracked using your IP address very easily
• Attacking: your IP address gives hackers an entryway into your computer
• IP address is the signature address of your computer as it is connected to the Internet
• Using IP address, it is easy to detect your cookies, what's in your browser cache, kind of computer, hard drive and files on it, etc.
• Uses: Saudi Arabia – Government; Office – Another Job; Medicines – spam
• How does anonymous surfing work?
• Puts a buffer between you and the Web site you want to look at
• Allows you to view information without being tracked

Anonymous Surfing (…cont)
There are 2 ways:
• Anonymous Server: Anonymous servers work by retrieving web pages for you. They hide your IP address and other important browsing information, so the remote server does not see your information but sees the proxy server's information instead
– Public Proxy Servers
– Proxy 4 Free
– Elite Proxy
• Free Anonymous Proxy Sites and Services: The anonymous proxy retrieves the web pages BEFORE they are delivered to you. This way, the IP address and other browsing information that the remote server sees does not belong to you. It belongs to the anonymous proxy
– ByPassIt
– Anonymouse
– HideAndGoSurf.com

Secure Servers
• A secure server is usually used when confidential information needs to be sent across the Internet. This information might be password details to allow access to a system, or credit card or other personal details which allow some sort of transaction to be performed
• When a secure server is in use, the information is encrypted by your web browser prior to sending it across the Internet. This information can only be decoded by the host site which requested it
• It is unlikely that anyone could intercept the information as it crosses the Internet. Thus, it is practically impossible for outsiders to break the encryption
• Secure server URLs are usually denoted by the prefix 'https' as opposed to 'http'
• Eg. Verisign, www.commbank.com.au

Implications for business
Organised Crime and Cyber Crime
• In the virtual world, most criminal activities are initiated by individuals or small groups
• Called ‘disorganised crime’
• Yet organised crime groups or mafias are exploiting the new opportunities offered by the internet
• Organized crime and cyber-crime will never be synonymous
• Nevertheless, the degree of overlap between the two phenomena is likely to increase considerably in the next few years
Thus, the need for business and government to wake up and recognise this as an emerging and very serious threat to cybersecurity

Internet: Why is it so attractive to criminals?
Provides opportunities for various kinds of thefts
• Online thieves can rob online banks
• Illicitly gain access to intellectual property
• Offers new means of committing old crimes such as fraud and extortion

Internet: Why is it so attractive to criminals?
Anonymity of the internet
• Secrecy is a part of organised crime strategy and the Internet offers excellent opportunities for its maintenance
• Actions can be hidden behind a veil of anonymity

Synergy between organised crime and cyber-crime
In sum, the synergy between organized crime and the Internet is not only very natural but also one that is likely to flourish and develop even further in the future. The Internet provides both channels and targets for crime, and enables them to be exploited for considerable gain with a very low level of risk. It is critical, therefore, to identify some of the ways in which organized crime is already overlapping with cyber-crime.


Implications for business
• Need for major changes in thinking about cyber-security and in planning and implementing security measures
• Important if e-business is to reach its full potential

Implications for business
• The most important changes are in ‘thinking’. This has two distinct but overlapping dimensions:
– security has to be understood in broad rather than narrow terms
– security can no longer be an after-thought, but needs to be part of intelligence, planning, and business strategy

• Many businesses are now being attacked by cyber extortionists who demand payment in return for not attacking the businesses’ web presence.

Recommendations for firms in the high-tech sector
1. Recognize the real problem is crime, not hacking
2. Business intelligence needs to include criminal intelligence analysis
3. Beware of infiltration
4. Be sensitive to money laundering opportunities
5. Develop partnerships and information-sharing arrangements

Recommendations for firms in the high-tech sector
• None of these measures is a panacea
• Yet, individual firms need to tailor their security programs to their particular vulnerabilities and needs
• Recognise that organised crime and cybercrime are becoming more convergent in order for their security programs to be sufficient

Maintaining cyber-security: Role of IT Managers
The naked truth: Good IT security practice requires more than anti-virus and firewall systems
• “Security Within™ - Configuration based Security” explains the reasons for a configuration-based monitoring system in addition to existing perimeter security systems, such as anti-virus and firewalls.

Maintaining cyber-security: Role of IT Managers
The result:
• IT managers must now be continuously aware of the security implications of their IT system configurations and be able to remedy their vulnerabilities in order to be secure from future attacks
• Belarc calls this “Configuration based Security”
• Tools are now available to IT managers to help with these configuration based security issues
• Sadly, none of them is easy to use in IT environments with multiple locations throughout the country or throughout the world

Security Within™ - Configuration based Security
• There are a number of published IT security configuration standards:
– the DISA (Defense Information Systems Agency) and NSA (National Security Agency) federal government standards
– the CIS (Center for Internet Security) industry standard

• Belarc uses the CIS standards as an example


System Architecture: Hierarchical


System Architecture: BelManage – using your intranet


Intranet based system
Advantages
• Mobile professionals can receive e-mails even over a slow dial-up connection
• Geographically distributed operations – if your laptops or servers have access to your company's intranet to internet through WAN, dial-up or satellite link, they can be managed using BelManage
• Identifies high-risk IT assets – eg. File servers, unauthorised software such as IM, desktops without antivirus software

Intranet based system
Performance thus far:
• Successfully deployed for systems with hundreds of thousands of desktops, servers and laptops
• Updates over 100,00 profiles daily
• 45,000 PC profiles can be uploaded to the server in one hour
• Ability to schedule when clients upload profiles to best fit your network loading

Reactive Vs Proactive security approaches
Reactive Process
• Conventional security vendors offer solutions that react to the threats that enter through your security holes.
• Methods like firewalls, anti-virus products, and traditional intrusion detection systems alert that an attack has occurred after threats slip through the leaky security roof, and eventually prescribe or initiate countermeasures.
• Typically unfolds over the course of hours, or even days after the attack – often after significant damage has been done

Reactive Vs Proactive security approaches
Proactive through research
• The alternative to reaction is research – tackling the security challenge at its source
• Creates effective defenses before attacks even occur

Reactive Vs Proactive: Conclusion
• Companies can no longer afford to depend on reactive security techniques
• The potential for huge business losses from sophisticated new internet threats is a wake-up call for corporate management

Reactive Vs Proactive: Conclusion
Pre-emption
• The only security approach that addresses these issues
• The only solution that can truly keep internet-dependent organizations ahead of the threat
• Today ISS (Internet Security Systems) is the only company capable of delivering that solution
• It commands the extensive knowledge, innovative research methods and complex technologies required to achieve preemptive security

Global Awareness of cyber security issues…Countries finally pay heed!
Australia
New South Wales, Australia, introduced legislation in May 2005 to outlaw employers from prying into workers' private e-mails as part of anti-spying legislation aimed at preventing bosses from covertly observing employees. National privacy laws in Australia do not cover email monitoring. (5/4/05 – Reuters)

Global Awareness of cyber security issues…Countries finally pay heed!
China
The Ministry of Public Security launched a publicity campaign on Internet security, with a focus on preventing internet fraud. In addition, computer virus prevention firms based in China are providing free online anti-virus services. The Chinese authorities have been conducting a study on Internet security incidents in the past year.

Global Awareness of cyber security issues…Countries finally pay heed!
Japan
Effective April 1, 2005, businesses throughout Japan, including foreign companies, must comply with legislation that sets out new rules for handling personal data. The Japan Personal Information Protection Law mandates a set of obligations to protect customers’ personal data. The law applies to companies with offices in Japan holding personal data on 5,000 or more individuals.

Global Awareness of cyber security issues…Countries finally pay heed!
South Korea
The South Korean government will introduce measures to protect personal information on the Internet within the second half of the year. During an economic policy meeting presided by Deputy Prime Minister for Economy Han Duck-soo, the Ministry of Information and Communication said it is considering devising computer security measures to protect individual privacy. (4/15/05 – Digital Chosun Ilbo)


Global Awareness of cyber security issues…Countries finally pay heed!
Singapore
Two centres specializing in testing and certifying Internet security products to help manufacturers meet global standards have been set up in Singapore. They are the first in the region to use Common Criteria Certification, a standard for security products accepted by 20 countries. (6/30/05 – Deutsche Presse-Agentur)


Global Awareness of cyber security issues…Countries finally pay heed!
Qatar
The Supreme Council for Information and Communication Technology is launching the Qatar Computer Emergency Response Team (Q-CERT) in September with support from Carnegie Mellon University’s CERT Coordination Centre. Q-CERT is expected to conduct and coordinate a comprehensive set of cyber security activities needed to protect Qatar’s critical government, business, and education infrastructures. (6/28/05 – Gulf Times)

What can you, as now ‘cyber-security aware’ managers, do to help?
• System penetration threats
• Security budgets should be adequately funded
– Do not consider this a no-return or discretionary expense

• Understand internet security realities
– Assume a potentially hostile environment and protect yourself through full message encryption for sensitive information, digital signature for message authentication, high quality maintained firewalls and other filters

What can you, as now ‘cyber-security aware’ managers, do to help?
• Corporate road warriors travelling with laptops should secure them with at least two-phase security controls
– Web-based services such as Groove can be used to circumvent corporate document policies

• Secure new communications devices, PDAs such as BlackBerrys

New and Emerging Technologies
Tokens
Passive Tokens
• Storage devices that contain a secret code
• Most common – plastic cards with magnetic strips containing a hidden code
• User swipes the token through a reader attached to a personal computer or workstation and then enters his or her password to gain access to the network

New and Emerging Technologies
Tokens
Active Tokens
• Usually stand-alone electronic devices (key chain tokens, smartcards, USB) that generate one-time passwords
• User enters a PIN into the token. The token then generates a password that is only good for a single log-on


Smart Cards
• A smart card, a type of chip card, is a plastic card embedded with a computer chip that stores and transacts data between users.
• This data is associated with either value or information or both and is stored and processed within the card's chip, either a memory or microprocessor.

Smart Cards
Portable USB Digital Identity Device
It supports comprehensive managed digital identity and consolidated credentials, offering all the power of a multi-application dynamic smart card in the form of a USB

Biometric Systems
Biometrics is the science of measuring physical properties of living beings.
• What is biometric authentication?
• Biometric authentication is the automatic recognition of a living being using suitable body characteristics.
• By measuring an individual's physical features in an authentication inquiry and comparing this data with stored biometric reference data, the identity of a specific user is determined.

Examples:
• Fingerprint scanners
• Iris Scanners
• Facial Recognition Systems
• Voice Recognition