E-Business Network and Web Site Security

1
Chapter 7

• E-Business Network and Web SiteSecurity

2
Objectives

• In this chapter, you will learn to
• Describe general e-business and Web site security
  issues
• Identify ways to protect the physical security of
  a network
• List internal network security risks and explain
  how to protect against them
• Discuss external network and Web site security
  risks and explain how to protect against them

3
Objectives

• In this chapter, you will learn to
• Identify the risks associated with an
  e-businesss online transactions
• Illustrate a virtual private network
• Describe wireless security issues
• Discuss the importance of security audits

4
General Network and Web Site Security Issues

• E-business security protecting data and physical
  networks
• E-business security risks include
• Physical risks Damage to network and data
• Internal risks Threats originating within
  organization
• External risks Threats from outside the
  organization
• Transactional risks Data loss and interception

5
Physical Risks
Valued Gateway Client

• Include accidental or deliberate damage to
  equipment or data resulting from natural disaster
  or sabotage
• Specific issues include
• Network equipment and physical location
• Electrical power backup
• Internet connectivity redundancy
• Outsourcing physical risks

6
Network Equipment andPhysical Location

• Equipment and locations security include
• Network facilities location network equipment
  and server rooms always locked, locations
  anonymous
• Fire protection install fire-suppression systems
  that do not damage servers, routers, electrical
  equipment - but these systems might be fatal to
  humans
• Network facilities construction construction and
  design of facilities more substantial than
  conventional office space and with particular
  attention to electrical and communication
  considerations

7
Electrical Power Backup

• E-businesses should consider two levels of backup
  power
• Batteries that assume power within milliseconds
  of a failure
• Power generators that automatically start when
  the batteries die
• Critical servers should never be out more than
  five minutes per year to achieve five nines
  reliability (99.999 uptime)

8
Internet Connectivity Redundancy

• E-businesses should have more than one connection
  to the Internet
• ISPs and Web hosting companies often have
  connections to more than one network service
  provider (NSP)
• Complete data-center redundancy
  allowse-businesses to continue operations from a
  different location in the event of a major
  disaster
• What is the price of redundancy and when is the
  price too high?

9
Outsourcing Physical Risks

• Using Web hosting services provides physically
  secure environment for e-business servers
• Fee for service arrangement provides power,
  connectivity, and secure environment
• Eliminates internal risks to physical security
• What are the benefits for small firms to
  outsource?

10
Physical Risks to Network andWeb Site Assets

• Include accidental or deliberate damage to
  equipment or data is accidental or deliberate
  more likely?
• Caused by natural disaster or sabotage
• Threat to network infrastructure includes
• Damage to network equipment
• Damage to power supplies
• Damage from fire

11
Network Equipment andPhysical Location

• Physical security begins with equipment safety
• Threat reduction includes proper management of
  network facilities location and fire protection
• Security countermeasures for network facilities
  locations include
• Locked network equipment room doors with
  restricted personnel access
• Locations of servers and switching equipment kept
  anonymous

12
Network Equipment andPhysical Location

• Fire protection and countermeasures to prevent
  fire damage include
• Use fire suppression system approved for
  electrical fires in server, switch, and power
  rooms
• Use only fire extinguishers approved for
  electrical fires in server, switch, and power
  rooms
• Pre-select and train employees responsible for
  fire control

13
Internal Security Risks

• Come from inside the company unhappy employees,
  poor security awareness, poor planning
• Establishing and enforcing security policy is
  first countermeasure
• Additional countermeasures include
• Password protecting the network
• Using biometric identification
• Using smart card authorization

14
Passwords

• Passwords are used to identify a specific
  computer user and grant user access
• Effective when created properly and changed
  regularly

DO DONT
Use a combination of at least six characters and numbers Use familiar names, dates, or numbers significant to user
Use easy to remember combinations Use common words from the dictionary, street names, etc.
Change password periodically Pick new password similar to the old password
15
Biometric Identification

• Measurement of biological data
• Biometric security devices and software measure
  and record a computer users unique human
  characteristics (such as eye retina or iris) for
  user identification
• Still under development

16
Smart Card

• Smart cards contain an embedded memory chip with
  user identification information
• Can be used to authenticate a remote user logging
  into a network
• Disadvantage Risk of loss or theft

17
Backup and RestorePolicies and Procedures

• Describes the plan for securing vital data files
  and software in case of disaster
• Specifies when and how critical files and
  software are backed up
• Backups should be built in to daily, weekly,
  monthly network maintenance schedule
• Test restore procedure, and archive, by
  performing periodic restores

18
Backup and RestorePolicies and Procedures

• Backup media should also be stored offsite or at
  least a second copy of the backup media)
• Some e-businesses assign backup responsibilities
  to employees outside of IT department
• Offsite storage also available via Internet
  connection from data management companies

19
Disaster Recovery Planning

• Disaster Recovery Plan part of e-business
  Business Continuity Plan
• DRP for network operations should include
  procedures for handling electrical outages, data
  loss, and security breaches
• Plan can include the use or redundant servers and
  equipment to handle system failover
• DRP should be tested periodically

20
External Security Risks

• Originate outside the companys network
• Must bypass network defenses
• Connecting to the Internet exposes private LANs
  to risk of attack
• Stringent security necessary to protect against
  external risk

21
Hackers

• Outside intruders that deliberately gain
  unauthorized access to individual computers or
  computer networks
• White hat hackers find and make known weaknesses
  in computer systems without regard for personal
  gain
• Black hat hackers (crackers) gain access to steal
  valuable information, disrupt service, or cause
  damage

22
Hacker Attack Tactics

• Objective interrupt operations or use hacked
  computer as base of attack on other computers
• The most common method is to send confusing data
  to a server or other computer
• Crashing a program can allow a hacker to take
  control of computers
• Buffer overflows tie up operating memory,
  degrading performance, causing crashes

23
Distributed Denial of Service Attacks

• Denial of Service (DoS) attacks designed to
  disable network using flood of useless traffic
• Distributed DoS uses multiple computers to attack
  networks
• DDoS attacks include
• Unending string of Pings
• Sending hundred of huge e-mail messages

24
(No Transcript)
25
Web Site Defacement

• Hacker deliberately changes the content of Web
  pages
• Caused by breaking into network, accessing Web
  site files and modifying files
• Better known victims include FBI, Goodyear, NY
  Times, and NASA

26
Hacker Countermeasures

• Firewalls designed to resist buffer overflows and
  other common types of hacker attacks
• Firewall types include
• Packet-filtering firewalls
• Circuit-level firewalls - verified by TCP, the
  weakness is that once it is verified subsequent
  packets are not verified
• Application-level firewalls (e-mail, FTP, or some
  other application)

27
(No Transcript)
28
Hacker Countermeasures
hacking back is illegal

• Network Address Translation uses external IP
  addresses to hide internal IP addresses
• Proxy server uses external IP address to send
  HTTP request over Internet and forwards responses
  from HTTP servers to requesting client using
  internal IP address

29
How Filters Work

• A filter is a process or device that screens
  incoming information
• Allows only information that meets specified
  criteria through
• Disabling service ports denies access to HTTP,
  e-mail from Internet
• Restricting access to internal IP addresses hides
  computers

30
Viruses

• Standard computer viruses
• Are small, usually destructive, programs that are
  inserted into other files that then become
  infected
• Infect executable programs or operating system
  files, spreading when infected program executes
• Can also spread via e-mail headers or attachments
• Can prevent a computer system from booting, erase
  files or entire hard drives, prevent the saving
  or printing of files, and send repetitive e-mail
  messages

31
Worms

• Viruses that reside in a computers memory
  replicating itself
• Uncontrolled replications consume a computers
  resources, slowing or crashing the system

NAME DATE IDENTIFIED WHAT IT DOES
W32.Nimda.A_at_mm 9/18/2001 Sent as e-mail or MS Outlook/Outlook Express folders. Attacks IIS Web servers.
32
Macro Viruses

• A macro virus is a virus that infects macros
• Distributed in files such as Word documents or
  Excel workbooks e-mailed or transferred via
  floppy disk

NAME DATE IDENTIFIED WHAT IT DOES
W97M.DebilByte.A 02/05/2002 Infects MS Word Normal.dot template, and subsequent documents
33
Trojan Horses

• Pretends to be something useful or fun, does
  something malicious instead
• Used to steal passwords, record a users
  keystrokes, locate IP addresses, and plant other
  destructive programs

NAME DATE IDENTIFIED WHAT IT DOES
Backdoor.Surgeon 02/20/2002 Allows hacker to take control by opening a port (35000) and get control of computer
34
Wireless Viruses

• Liberty Crack Palm Trojan, identified in August
  2000
• Could delete all applications on a Palm device
• Phage discovered in September 2000
• Infected Palm operating system applications and
  documents
• Proliferated when users beamed or shared an
  infected document

35
Virus Hoaxes

• Some so-called viruses trumpeted in the media or
  announced via warning e-mails are just hoaxes
• False warnings about viruses proliferate as
  quickly as real viruses
• Creates an atmosphere in which a real virus
  warning might not be taken seriously
• Several antivirus software vendors maintain
  up-to-date information on viruses, worms, Trojan
  horses, and hoaxes. This information is available
  online.

36
Virus Countermeasures

• Countermeasures to block infections include
• Antivirus software
• Employee education
• Installing software updates and patches
• User awareness
• Use of application software tools
• It's not just the job of IT, but of all users

37
Transactional Security

• Transactional security includes
• Authentication
• Integrity
• Nonrepudiation
• Confidentiality
• Protective measures include sending and
  receiving encrypted messages or data, using
  digital certificates to authenticate the parties
  involved in the transaction, and storing retained
  customer information properly

38
Encryption

• Cryptography is the art of protecting information
  by encrypting it
• Encryption is the translation of data into a
  secret code called ciphertext
• Ciphertext that is transmitted to its destination
  and then decrypted (or returned to its
  unencrypted format) is called plaintext
• Both parties in a transaction need access to
  encryption key
• Network encryption uses two keys a public key to
  encrypt information and a private key to decrypt
  it

39
Public Key Infrastructure

• An e-business obtains public and private keys
  from a certificate authority (CA)
• Public keys are posted to a public directory
• Private keys are given only to the e-business
  requesting the keys
• A digital certificate is the electronic security
  credential that certifies an entitys identity

40
(No Transcript)
41
How Public Key Encryption Works

• Public-key encryption is asymmetric
• Uses very large prime numbers to create public
  keys
• Public and private keys are used for the initial
  session greeting session keys encrypt and
  decrypt data
• Session keys are shorter keys created and used
  only during the current session and discarded
  afterward
• In the U.S., session keys usually consist of 16
  digits equaling 128 bits, also called 128-bit keys

42
Security Protocols

• Secure Sockets Layer (SSL) uses public key
  encryption and digital certificates and is
  included in Web browsers/Web servers
• Transport Layer Security (TLS) used to assure no
  third-party access to Internet communications
  Uses two protocols
• TLS Record Protocol
• TLS Handshake Protocol
• Secure Electronic Transactions (SET) protocol
  used for presenting credit card transaction on
  the Internet

43
Virtual Private Networks

• Virtual Private Networks (VPNs) are private
  networks that use the Internet to transmit data
• VPNs use
• Firewalls
• Public key encryption
• Digital certificates

44
(No Transcript)
45
Tunneling

• Tunneling encapsulates one protocol within
  another protocol requires telecomm equipment that
  supports VPN
• VPNs using the Internet encapsulate encrypted
  data, sending and receiving IP addresses, and a
  special tunneling protocol within a regular IP
  packet
• Tunneling protocols include Point-to-Point, GRE,
  L2TP, and IPSec
• Method of data encryption and encapsulation
  depends on the protocol used

46
Wireless Security

• Eavesdropping on early wireless transmissions was
  fairly simple
• FDMA technologies stayed on one frequency for
  call duration, required listening device that
  operated on same frequency
• TDMA technologies switch can be intercepted using
  device that listens for one-third of a second and
  then decompresses signal into full second of
  speech
• CDMA (other current standards) poses more of a
  challenge, but not invincible

47
WAP and WTLS

• Wireless Transport Layer Security (WTLS) uses
  encryption and digital certificates
• Upon accessing WAP server, WAP client requests
  secure connection
• WAP server responds by sending digital
  certificate, with public key
• WAP client generates encrypted session key to WAP
  server, which decrypts the key
• WAP client/server can send/receive encrypted data
  for balance of session

48
WLANs and Security

• WLANs are most vulnerable at wireless access
  points
• Hackers need only an 802.11b-enabled laptop, an
  inexpensive antennae, and WLAN access point
  detection software, such as NetStumbler
• Using meaningful access point names and
  default settings on wireless access points
  simplifies hackers job
• Using Wireless Equivalent Privacy (WEP) security
  protocol (IEEE 802.11b Wi-Fi) provides encryption
  and authentication of wireless transmissions

49
IrDA and Bluetooth Security

• Short distances and line-of-sight requirements
  for IrDA devices make sniffers impractical
• Using laptops with default IrDA port settings in
  public places (such as airports) automatically
  allows networking with other IrDA devices without
  authentication or passwords
• Bluetooth uses 128-bit link key, private
  encryption keys, user PIN and device addresses
  for transmission security
• Bluetooth vulnerability device address sent with
  each transmission and user PINs can be
  compromised easily by theft or loss of device

50
Security Audits

• Security audit is a comprehensive review and
  assessment of an e-businesss security
  vulnerabilities
• A complete security audit should include
  reviewing security policies, employee security
  training, and the physical security of
  thee-businesss offices and network facilities
• Audits can include examining the technical
  security of a network via penetration testing or
  actual attempted hacking attacks by security
  audit personnel

51
Penetration Test Protection

• When evaluating security firms request
• Proof of insurance cover cost of fixing
  damage/losses caused by penetration testing
• Nondisclosure agreements prevent disclosure of
  test results, network and proprietary information
• Scanning tools determine what scanning tools
  will be used for testing
• Scope of engagement scope of audit and test
  plans
• Documentation final detailed accounting of
  audit, including individual test results, findings