Integrity and Security Control

Post on 31-Jan-2016


Security Breaches

TORONTO, Nov. 9 /CNW/ - TELUS and the Rotman School of Management released their third annual study on Canadian IT security, revealing that Canadian companies experienced a 29 per cent increase in security breaches from 2009 to 2010. The study also found that the annual cost of these security breaches dropped considerably from $834,000 to $179,508 during the same one-year period.

Recent FBI Computer Security Institute survey
• 85% of large companies and government agencies have detected computer breaches in past 12 months
• 64% acknowledged financial losses
• 35% quantified the losses, which totaled $375 million

Cost of Security Breach
• The average large company loses $20,000 per hour during the first 72 hours of its response to a security breach
• Leaky security costs companies 6%-7% of annual revenue
• Loss of business, decreased customer confidence, increased insurance, public relations expenditures

Objectives of Integrity Controls
• Ensure that only appropriate and correct business transactions occur
• Ensure that transactions are recorded and processed correctly
• Protect and safeguard assets of the organization
  • Software
  • Hardware
  • Information

Information security
• Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.


The Importance of Security in e-Commerce
• The Internet presents enormous business opportunities
• The Internet is open to the public, vulnerable to various kinds of attacks
• One of the major hurdles that we face in achieving the full potential of Internet-based electronic commerce is security
• New threats from terrorism and cyber warfare

Points of Security and Integrity Controls

Input Integrity Controls
• Used with all input mechanisms
• Additional level of verification to help reduce input errors
• Common control techniques
  • Field combination controls
  • Value limit controls
  • Completeness controls
  • Data validation controls
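The four control techniques listed above, applied to one input record. This is an added example, not part of the original slides; the order-entry record, its field names and the limits are assumptions chosen for illustration.

```python
from datetime import date

# Hypothetical order-entry record; field names and limits are assumptions.
REQUIRED = ("customer_id", "quantity", "unit_price", "order_date", "ship_date")
LIMITS = {"quantity": (1, 500), "unit_price": (0.01, 10000.00)}

def check_order(rec):
    """Return the list of control violations for one record (empty = accept)."""
    # Completeness control: every required field is present and non-blank.
    errors = [f"completeness: {f} is missing"
              for f in REQUIRED if rec.get(f) in (None, "")]
    if errors:
        return errors  # the remaining controls need every field
    # Data validation control: each value has the expected type and format.
    cid = rec["customer_id"]
    if not (isinstance(cid, str) and cid.isdigit() and len(cid) == 6):
        errors.append("validation: customer_id must be 6 digits")
    for f in LIMITS:
        if isinstance(rec[f], bool) or not isinstance(rec[f], (int, float)):
            errors.append(f"validation: {f} must be numeric")
    dates = {}
    for f in ("order_date", "ship_date"):
        try:
            dates[f] = date.fromisoformat(rec[f])
        except (TypeError, ValueError):
            errors.append(f"validation: {f} must be YYYY-MM-DD")
    if errors:
        return errors
    # Value limit control: numeric fields fall inside a reasonable range.
    for f, (low, high) in LIMITS.items():
        if not low <= rec[f] <= high:
            errors.append(f"value limit: {f} outside {low}..{high}")
    # Field combination control: related fields make sense together.
    if dates["ship_date"] < dates["order_date"]:
        errors.append("field combination: ship_date precedes order_date")
    return errors

# Constructed sample record.
GOOD = {"customer_id": "004217", "quantity": 3, "unit_price": 19.99,
        "order_date": "2016-01-29", "ship_date": "2016-01-31"}
```

Each control catches a different class of input error: a record can pass type and range checks on every field and still be rejected because two fields contradict each other.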

Output Integrity Controls
• Ensure output arrives at proper destination and is correct, accurate, complete, and current
• Destination controls - output is channeled to correct people
• Completeness, accuracy, and correctness controls
• Appropriate information present in output

Data Integrity Controls
• Access controls
• Data encryption
• Transaction controls
• Update controls
• Backup and recovery protection

Integrity Controls to Detect and Prevent Fraud

Control of fraud requires both manual procedures and computer integrity controls

Designing Security Controls

• Security controls protect assets of organization from all threats
  • External threats such as hackers, viruses, worms, and message overload attacks
• Security control objectives
  • Maintain stable, functioning operating environment for users and application systems (24 x 7)
  • Protect information and transactions during transmission outside organization (public carriers)

Access control

Security for Access to Systems

Used to control access to any resource managed by operating system or network

User categories
• Unauthorized user – no authorization to access
• Registered user – authorized to access system
• Privileged user – authorized to administrate system

Organized so that all resources can be accessed with same unique ID/password combination

Users and Access Roles to Computer Systems

Managing User Access

Most common technique is user ID / password

Authorization – Is user permitted to access?

Access control list – users with rights to access

Authentication – Is user who they claim to be?

Computerized User Authentication Techniques
• Password-based systems: something that you know
• Physical tokens: something that you have
• Biometrics: something that you are
• Location: someplace you are
• Reference: third party authentication

Password problem
• Has to be stored in file
• May be intercepted
• May be forgotten
• May be easy to guess
• May be told to other people

Physical Tokens
• Access card, storage token, synchronous one-time password generator, challenge-response, digital signature token
• Human-interface token, smart card, PCMCIA card
• The token does not prove who you are
• Token may be copied or forged
• Token may be used with password

Biometrics

• An image of person’s face
• Fingerprints
• Footprints and walking style
• Hand shape and size
• Pattern of blood vessels in the retina
• DNA patterns
• Voice prints
• Handwriting techniques
• Typing characteristics

Fingerprints

SOURCE: C3i

MAIN SHAPES: LOOP, WHORL, ARCH

MINUTIAE: END, BIFURCATION, ISLAND, LAKE, DOT

EACH PERSON HAS A UNIQUE ARRANGEMENT OF MINUTIAE

Fingerprint Capture
• Thomson-CSF FingerChip (Thermal-sensed swipe)
• ST-Micro TOUCHCHIP (Capacitative)
• American Biometric Company BioMouse (Optical)
• Biometric Partners Touchless Sensor


Iris Scan

SOURCE: IRISCAN

• Human iris patterns encode ~3.4 bits per sq. mm

• Can be stored in 512 bytes

• Patterns do not change after 1 year of life

• Patterns of identical twins are uncorrelated

• Chance of duplication < 1 in 10^78

• Identification speed: 2 sec. per 100,000 people

PERSONAL IRIS IMAGER

Companies: British Telecom, Iriscan, Sensar

Signature Dynamics
• Examines formation of signature, not final appearance
• DSV (Dynamic signature verification)
• Parameters
• Total time
• Sign changes in x-y velocities and accelerations
• Pen-up time
• Total path length
• Sampling 100 times/second

Companies: CyberSIgn, Quintet, PenOp, SoftPro SignPlus

Error in Biometric Systems

[Figure; labels: VERY BAD, BAD. SOURCE: IDEX]

Problems with biometrics
• A person’s biometric “print” must be on file before that person can be identified
• Require expensive, special purpose equipment
• Unprotected biometrics equipment is vulnerable to sabotage and fraud
• Possibility of false match

Transaction Security
• Authentication: A user must be able to prove his identity to the other party. (“I am Joan Thomas and I live at...”)
• Integrity: Each party must be comfortable that exchanged information wasn’t altered during transmission by a third party or corrupted by misfortune. (“I ordered three items not four...”)
• Nonrepudiation: Each party must be assured that the counterparty won’t be able to deny being the originator or receiver of information. (“I didn’t order that item...”)
• Confidentiality: Parties must be able to exchange information securely without it falling into the hands of a third party. (“My credit card number is...”)

Protective measures
• Sending and receiving encrypted messages or data,
• Using digital certificates to authenticate the parties involved in the transaction, and
• Virtual Private Networks

Cryptography

Cryptography is the practice and study of hiding information.

Encryption: converting ordinary information (plain text) into unintelligible gibberish (cipher text) so unauthorized users cannot read it

Decryption: converting encrypted data back to its original state

Cryptography techniques
• Symmetric cryptosystems
• Public-key cryptosystems
• Integrity check-values (message digest)
• Digital Certificate
• Digital Signature

Data Security
• Symmetric key – same key encrypts and decrypts
• Asymmetric key – a pair of different keys for encryption and decryption.
  • Public key
  • Private key

Symmetric Cryptography
• The same key is used for encryption and decryption
• Operates as block cipher (fixed size) or stream cipher (arbitrary size, byte by byte)
• Fast encryption and decryption
• Require secure key distribution

Role of the Key in Cryptography

• The key is a parameter to an encryption procedure
• Procedure stays the same, but produces different results based on a given key

NOTE: THIS METHOD IS NOT USED IN ANY REAL CRYPTOGRAPHY SYSTEM. IT IS AN EXAMPLE INTENDED ONLY TO ILLUSTRATE THE USE OF KEYS.

S P E C I A L T Y B D F G H J K M N O Q R U V W X Z
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

EXAMPLE:
Plain text:  C O N S U L T I N G
Cipher text: D S R A V G H E R M
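The slide's table as working code, showing the procedure staying fixed while the key changes the result. This is an added example, not part of the original slides; the keyword SPECIALTY is inferred from the first letters of the table's top row, and SECURITY is a second keyword chosen here for comparison.

```python
import string

ALPHABET = string.ascii_uppercase

def keyed_alphabet(keyword):
    """Keyword letters (first occurrence only) followed by the unused letters."""
    seen = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return "".join(seen)

def encrypt(plaintext, keyword):
    # The slide's table: find each plain letter in the keyed (top) row and
    # emit the letter beneath it in the normal alphabet (bottom row).
    table = str.maketrans(keyed_alphabet(keyword), ALPHABET)
    return plaintext.upper().translate(table)

def decrypt(ciphertext, keyword):
    # Same procedure run backwards with the same key.
    table = str.maketrans(ALPHABET, keyed_alphabet(keyword))
    return ciphertext.upper().translate(table)

def letter_pattern(text):
    """Index of first occurrence of each letter, e.g. 'NOON' -> [0, 1, 1, 0]."""
    first = {}
    return [first.setdefault(ch, len(first)) for ch in text]
```

`letter_pattern` illustrates the slide's NOTE: whatever key is used, repeated letters in the plain text stay repeated in the same positions in the cipher text, which is one reason this method is not used in any real system.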

Public Key Cryptosystems
• A pair of related keys:
  • Private key (kept secret)
  • Public key (publicly known)
  • They are related but it is not feasible to determine the private key by knowing the public key
• Two ways of use:
  • Encryption mode: make sure the right person receives the message
  • Authentication mode: make sure the message is from the right person
• Solving key distribution problem

Public-Key (Asymmetric) Encryption

1. USERS WANT TO SEND PLAINTEXT TO RECIPIENT WEBSITE

2. SENDERS USE SITE’S PUBLIC KEY FOR ENCRYPTION

3. SITE USES ITS PRIVATE KEY FOR DECRYPTION

4. ONLY WEBSITE CAN DECRYPT THE CIPHERTEXT. NO ONE ELSE KNOWS HOW

SOURCE: STEIN, WEB SECURITY

Digital Signatures and Certificates

Encryption of messages enables secure exchange of information between two entities with appropriate keys

Digital signature encrypts document with private key to verify document author

Digital certificate is institution’s name and public key that is encrypted and certified by third party

Certifying authority: VeriSign or Equifax

Digital Certificate
• Certificate: A document containing a certified statement, especially as to the truth of something
• Digital certificate: Information digitally signed by trusted certificate authority such as VeriSign

Certification Authorizer

GlobalSign NV-SA. GlobalSign is the leading European trusted network of Certification Authorities (CA) that signs and manages digital certificates

Thawte Certification offers free personal certificates for signing and encrypting e-mail. Thawte is a global CA that has already certified 30% of the world’s Internet e-commerce servers.

Public-key Certificate
• Identify the holder of the private key
• A Certificate consists of
  • Subject identification information
  • Subject public key value
  • Certification authority name
  • Certification authority’s digital signature

Digital Signatures
• A digital signature indicates the signer and the integrity of the document
• A digital signature must support non-repudiation

Hash Functions
• One-way hash function f hashes x to y = f(x)
• Infeasible to calculate x = f⁻¹(y)
• Infeasible to construct x’ so that f(x’) = y = f(x)
• U.S. Government’s Secure Hash Algorithm (SHA-1) the best so far
• RSA MD5 has some known weakness
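A message digest used as an integrity check-value on the "three items not four" order from the Transaction Security slide, with and without a key. This is an added example, not part of the original slides; it uses SHA-256 and HMAC from Python's standard library in place of the SHA-1 and MD5 the slide names (practical collisions have since been demonstrated for both), and the order text and shared key are constructed sample values.

```python
import hashlib
import hmac

def digest(message: bytes) -> str:
    """Unkeyed integrity check-value: y = f(x)."""
    return hashlib.sha256(message).hexdigest()

def tag(key: bytes, message: bytes) -> str:
    """Keyed check-value (HMAC): only holders of the key can produce it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_digest(message: bytes, received: str) -> bool:
    return hmac.compare_digest(digest(message), received)

def verify_tag(key: bytes, message: bytes, received: str) -> bool:
    # compare_digest runs in constant time, so the comparison itself
    # does not leak how many leading characters matched.
    return hmac.compare_digest(tag(key, message), received)

# Constructed sample values.
KEY = b"constructed-shared-key"
ORDER = b"customer=Joan Thomas;items=3"
ALTERED = b"customer=Joan Thomas;items=4"

def demo():
    results = {}
    # Corruption in transit: the digest sent with the original no longer matches.
    results["corruption_detected"] = not verify_digest(ALTERED, digest(ORDER))
    # A third party who rewrites the message can also recompute an unkeyed
    # digest, so the receiver's check passes on the altered order.
    results["unkeyed_accepts_rewrite"] = verify_digest(ALTERED, digest(ALTERED))
    # Without the key the third party cannot produce a valid HMAC tag; reusing
    # the original tag, or substituting a plain digest, both fail.
    results["hmac_rejects_old_tag"] = not verify_tag(KEY, ALTERED, tag(KEY, ORDER))
    results["hmac_rejects_digest"] = not verify_tag(KEY, ALTERED, digest(ALTERED))
    results["hmac_accepts_genuine"] = verify_tag(KEY, ORDER, tag(KEY, ORDER))
    return results
```

A shared-key tag gives the two parties integrity and authentication but not non-repudiation, since either key holder could have produced it; that property needs a digital signature made with a private key.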

Using a Digital Certificate

Security Protocols - SSL
• Secure Sockets Layer (SSL) uses public key encryption and digital certificates for information exchange between Web browsers and certified Web servers
• The URL for the SSL-secured Web pages begins with “https://” instead of “http://”
• A randomly generated symmetric session key (40 bit or 128 bit) for message encryption

Secure Sockets Layer (SSL)

SOURCE: WEB SECURITY

Summary
• Integrity controls and security designed into system
• Ensure only appropriate and correct business transactions occur
• Ensure transactions are recorded and processed correctly
• Protect and safeguard assets of the organization
• Control access to resources


Privacy Protection

Privacy concerns
• 90% of people surveyed said privacy was the most important issue for e-commerce to address
• 79% don’t use web sites which require personal information; 42% fabricate information
• Consumers generally wary of releasing phone number, address, and credit card number over the Internet.

Information Privacy
• Information privacy is the “claim of individuals, groups, or institutions to determine for themselves when, and to what extent, information about them is communicated to others”

The right of privacy
• Privacy protection should prevent non-permitted, illegal, and/or unethical use of private information.
• It is important to note that the right of privacy is not absolute. Privacy must be balanced against the needs of society.

Privacy and Security
• Security and privacy are often related to each other but they are not the same.
• Information is secure if the owner of information can control that information.
• Information is private if the subject of information can control that information.
• Anonymous information has no subject, and thus ensures that information is private.

The difficulty of privacy protection in Web environment
• The complexity of manually collecting, sorting, filing, and accessing information from several different agencies was a built-in privacy protection
• In the Internet and Web environment, information about users can be easily collected, integrated and analyzed from different sources through the use of network, database, data warehouse and data mining technologies. The potential for privacy violation therefore becomes much higher.

Privacy Protection Policy
• Companies now publicize their privacy policy when collecting personal information
• Customer consent request
• Customer choice

Principles for Collection and Use of Private Information
• Don’t collect information unless its need and relevance have been clearly established
• Don’t collect information fraudulently or unfairly
• Use information only if it is accurate and current
• Individuals have the right to know of information stored about them

Principles for Collection and Use of Private Information (continued)

Provide a clear procedure on how the individuals can correct, delete, or amend inaccurate, obsolete, or irrelevant information

Ensure the reliability, integrity, and availability of collected, maintained, used, or disseminated personal information and take precautions to prevent its misuse

Principles for Collection and Use of Private Information (continued)

Prevent personal information collected for one purpose from being used for another purpose or disclosed to a third party without an individual’s consent.

Federal, state, and local government should collect only legally authorized personal information