COMP3371 Cyber Security Richard Henson University of Worcester October 2015.


Week 3: Encryption and Technical Controls
- Objectives:
  - Explain why, how, and to what standard an organisation can set up controls/ISMS
  - Compare security of most common types of data transmission
  - Explain encryption and decryption
  - Contrast between symmetric keys and asymmetric keys

Developing an Information Security Management System
- Each organisation is different! No template ISMS possible
- ISO27001 standard lists over 100 possible controls
  - how many are actually needed?
    - depends on an organisation’s processes
  - for each control not used
    - non-use needs to be justified…

An ISMS that is “fit for purpose”
- Analysis needs to acknowledge all aspects of how data is managed
  - requires an understanding of processes and associated data
- Risk assessment required to determine where controls are needed
  - ISO27001 assumes all controls needed
  - no point spending money on controls where they are not needed but exemptions need justifying…

A Security Controls approach light on ISMS: PCI DSS
- System devised by Credit Card Companies (i.e. banks…)
- Guidelines for a number of years…
- Now with v3 a sting in the tail for the SME
  - heavy fines possible
  - can be refused business merchant facilities…
- Will affect small businesses WORLDWIDE selling online directly to consumers

Requirements for PCI DSS compliance? (1)
- 12 controls (11 Technical)
  - Install and maintain a firewall configuration to protect cardholder data
  - Do not use vendor-supplied defaults for system passwords and other security parameters
  - Protect stored cardholder data
  - Encrypt transmission of cardholder data across open, public networks
  - Use and regularly update anti-virus software or programs

What is needed for PCI DSS compliance? (2)
  - Develop and maintain secure systems and applications
  - Restrict access to cardholder data by business need-to-know
  - Assign a unique ID to each person with computer access
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes
  - Maintain a policy that addresses information security for employees and contractors

PCI DSS issues
- Is it realistic?
- Is it essential?
- How can it be policed?
- Discussion in groups…

IASME & Cyber Essentials
- IASME uses principles of ISMS and like ISO27001 uses 100+ controls… but designed to be more SME friendly
- Cyber Essentials requires only 5 controls… all essentially technical
  - Cyber Essentials now a minimum for government contracts
  - useful starting point? No IS policy!

Useful Technical Knowledge (covered in level 1 & 2 modules)
- Client-server networking
- The Seven OSI software layers & the TCP/IP protocol stack
- Web servers and browsers
- The importance of updates
- How firewalls fit in with the above…

Security of Data on the move: Internal networks
- Most organisational computers regularly interchange data
- Data could in theory be copied (although not destroyed) by being intercepted:
  - as it passes between computers through use of e/m waves (easy)
  - in copper cables (difficult)
  - in optical fibre cables (very difficult)
- The organisation therefore needs to be vigilant…

Security and copper cables
- UTP (Unshielded Twisted Pair) cable is cheap, but not totally secure:
  - electricity passing through a cable creates a magnetic field…
  - can then be intercepted and used to recreate the original signal…
- Shielding stops the magnetic field spreading out
  - STP (Shielded Twisted Pair) cabling available but more expensive…

Security, cost and Fibre Optic Cables
- Much more secure than even shielded copper
  - digital data transmitted as a high intensity light beam
  - no associated magnetic field; data can’t be “tapped”
- Can carry much more data than twisted pair
  - but:
    - cost… of cables… of installation…
- Which to choose, UTP, STP, optical fibre?
  - cost v risk balancing act

Security and Radio Waves
- System easy to install
  - no cabling needed, just signal boosters
- BUT… without encryption & authentication, not secure at all!
  - can be received by anyone within range and with the right equipment
  - especially easy to pick up if transmitted as “fixed spectrum”
    - “Spread spectrum” radio waves can only be picked up by equipment that can follow the changes in frequency
- such equipment MUCH more expensive…

Security and Network Hardware
- Very small organisations may use peer-peer networking and cabling/wireless
  - same dangers…
- Use intelligent hubs, switches, and a router to connect everything together and link to Internet
  - data will be stored on these devices before forwarding
  - plenty of hacks started by compromising a router!

Standard Internet Protocols and Security
- Early Internet:
  - users military personnel, research centre admin, etc.
  - all security vetted
  - protocols not designed with security in mind
    - about getting data safely & reliably from one place to another
- OSI model ordered protocols into a 7-layer stack:
  - based on TCP and IP
    - user system security already built in at the session layer
    - no inherent security for data on the move

Network-Network
- Most networks now use TCP/IP for Internet connectivity
- Any intelligent device with an IP address and connected to the Internet theoretically visible across the network/Internet
  - otherwise, packets couldn’t be navigated to it!
- Data on such a device could be:
  - located using its IP address
  - copied to another destination using a remote computer and an appropriate network protocol (e.g. NFS – network file system, part of the TCP/IP suite)
- It really is as simple as that!!!

Copying, Changing, or Deleting Data on a networked computer
- Data could be tapped in exactly the same way on any Internet computer
  - must have an IP address to participate on the Internet
  - packets going to that computer have a destination IP address in the header, and headers can easily be read
  - NFS can be used to manage data remotely on that computer – which could include copying or (perhaps worse) deleting that data, or even BOTH

Technologies for Implementing Security Controls
- The rest of this session focuses on ensuring the security of data “on the move”…
  - through cabling systems
  - in radio waves
  - via human transportation systems stored on digital media
    - hard disks & CDs
    - digital backup tapes
    - USB sticks…

Client-Server Network: do’s and don'ts for administrators
- Only allow authorised (and TRUSTED) users to gain access to the network
  - ensure users are always properly authenticated
- Only allow network administrators to have full access
- Monitor the network continually to provide alerts that unauthorised access is being sought
- Encrypt data that will be sent through UTP cables and/or held on computers that are connected to the Internet
- When using the www, use secure versions of network protocols and/or tunnelling protocols to encapsulate and hide data

The Virtual Private Network
- Secure sending of data through the Internet
  - Only use a restricted and very secure set of Internet routers
  - No IP address broadcasting, because all packets use the same route
  - IP tunnelling protocol encapsulates data
    - normal Internet users will therefore not be able to see the sending, receiving, or intermediate IP addresses
  - Data sent is encrypted
- Potential hackers don’t get a look in!

Encryption/Decryption
- Technique of changing digital data in a mathematical reversible way
- Makes it impossible to get at the information… data representing it scrambled
- Coding data not new…
  - been happening for millennia
  - many clever techniques involved
  - Encryption studies - cryptography

What is Cryptography?
- “The safe securing, storing, and transmitting of sensitive information”
- Purpose:
  - conceal sensitive information from unauthorised persons
- Outlines protocols, practices, procedures to build components of a cryptosystem including…
  - authenticity (proof of ownership)
  - integrity (data not tampered with in any way)

What is a Cryptosystem?
- Well?....

OSI layers and cryptosystem
- Encryption level depends on:
  - circumstances
  - risk
  - value of information
- could be layer 1
  - e.g. electronically, in communications equipment
- could be layer 7…
  - encrypted directly from/to the screen
[Diagram labels: Layer 7, Layer 1, screen, hardware, software]

Key Escrow & Recovery
- Law enforcement agencies can intervene to decode encrypted data
  - under a court order in pursuit of criminal evidence or activity
- Escrow:
  - system of checks and balances to ensure that privacy rights are not infringed where agencies need to get hold of encrypted information
  - separate agencies keep complementary components of the key system so no entity possesses a usable key

Data and Encryption
- As discussed earlier, sensitive data needs protecting…
  - Internet designed to be an “open” system
  - IDs of devices based on IP address
- Data at rest or moving round the Internet could be intercepted by:
  - someone with a good knowledge of TCP/IP
  - any IT literate person with the appropriate software
- This person could be anywhere in the world!

How does Encryption work?
- Unencrypted data sent e.g. in forms or messages over the Internet usually a sequence of ASCII codes
  - ASCII code generated at keyboard by converting a selected keyboard character into a particular binary number
  - intercepted ASCII codes not secret; very easily converted back to text

Encryption of ASCII data
- Encryption puts further coding onto each ASCII character in some reversible way before it is sent. Requires…
  - a coding method (often a mathematical operation)
  - a numerical value used with the coding method
- The ASCII codes can always be recovered by someone who knows the encryption method

Simple Encryption Example
- Algorithm based on a mathematical operation such as ADD
  - key based on a numerical digit (e.g. 5)
- Data represented by an ASCII code
- Algorithm + key produce encrypted data

Using Encryption
- The key must be kept secret
  - anyone with access to the key and the algorithm can decrypt the encrypted data
- BOTH of:
  - coding method
  - key used to produce cipher text
- needed to decrypt

Diagram – single key encryption
[Diagram labels: User sends message via server; server key; Data is transmitted to another server; server key; Message is coded; Message is decoded; Message is received]

Simple example of an Encryption Method
- Method of encryption – add 5 to each ASCII code (this would be the key)
  - plain text = HELLO (ASCII codes 48 45 4C 4C 4F)
  - cipher text would be MJQQT (ASCII codes 4D 4A 51 51 54)
- Getting the original data back would mean subtracting 5 from each ASCII character – very easy to anyone with access to the key

Effectiveness of Encryption
- Only effective if:
  - either the key remains secret
  - or the algorithm remains secret
- WWII: Germans thought they had an encryption method that was impossible to decipher
- With the efforts of the Mathematicians at Bletchley Park, the key and algorithm were deciphered

Access to Encrypted Data
[Diagram labels: Stored, encrypted file; NTFS EFS enabled; File system that supports encryption; Authorised User; Unauthorised User; Data encrypted; Access Denied; File accessed; “MJQQT”; “HELLO”]

Encryption in Practice
- Many techniques have been developed
- Examples:
  - DES (Data Encryption Standard)
  - IDEA (ID Encryption Algorithm)
  - RSA (Rivest, Shamir, Adleman)
  - Diffie-Hellman
- Classified into two types:
  - Symmetric Key
  - Asymmetric Key

Symmetric Encryption
- Sender and receiver share a single, common key – known as a symmetric key
- Used both to encrypt and decrypt the message
- Advantages: simpler and faster than other systems
- Disadvantages:
  - the two parties need to exchange the key in a secure way
  - the sender cannot easily be authenticated

DES – an example of symmetric encryption
- IBM/US gov, ; still popular
  - 56-bit encryption working on 64-bit blocks of data
- However, in view of recent research, clearly inadequate for really secure encryption
  - “Using P2P architecture and over 100,000 participants (using only idle CPU time), distributed.net was able to test 245 billion keys per second to break the 56 bit DES encryption algorithm in less than 24 hours (22 hours and 15 minutes).”

What levels of encryption are available?
- The more complex the key, the more difficult the encryption method is to decipher
  - a single 40-digit key can be mathematically deduced very quickly using a computer
    - known as WEAK encryption
  - an equivalent 128-digit key would take much longer to “crack”
    - known as STRONG encryption
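
The add-5 cipher from the "Simple example of an Encryption Method" slide and the key-length point above, worked through in Python as an added example that is not part of the original slides. The function names and the A-Z readability filter are assumptions made here; the search rate is the 245 billion keys per second quoted on the DES slide.

```python
# Added example, not from the original slides. Function names are illustrative.
RATE = 245e9  # keys tested per second: the distributed.net figure quoted on the DES slide


def encrypt(plain: str, key: int) -> bytes:
    """Add the key to every ASCII code (mod 256 so each result stays one byte)."""
    return bytes((b + key) % 256 for b in plain.encode("ascii"))


def decrypt(cipher: bytes, key: int) -> str:
    """Subtract the key from every byte to get the ASCII codes back."""
    return bytes((b - key) % 256 for b in cipher).decode("latin-1")


def candidates(cipher: bytes) -> dict[int, str]:
    """Try all 256 possible keys and keep outputs made only of letters A-Z.

    The A-Z filter is an assumption about the plaintext; it stands in for
    a reader checking which output is readable.
    """
    found = {}
    for key in range(256):
        text = decrypt(cipher, key)
        if all("A" <= ch <= "Z" for ch in text):
            found[key] = text
    return found


def worst_case_seconds(key_bits: int, rate: float = RATE) -> float:
    """Time to try every key of the given length at `rate` keys per second."""
    return 2 ** key_bits / rate


if __name__ == "__main__":
    cipher = encrypt("HELLO", 5)
    print(cipher.decode("ascii"), cipher.hex(" ").upper())
    # A one-byte key leaves only 256 possibilities to try.
    for key, text in candidates(cipher).items():
        print(f"key {key:3d} -> {text}")
    # Each extra key bit doubles the worst-case search time.
    for bits in (8, 40, 56, 128, 256):
        secs = worst_case_seconds(bits)
        print(f"{bits:3d}-bit key: {secs:.3g} s = {secs / 31_557_600:.3g} years")
```

A search stops as soon as the right key is found, so real times fall below the worst case printed here.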

Making Encryption as Effective as Possible
- It makes sense to use 128-digit key encryption if possible….
- However, with commercial products there may be trade offs…
  - e.g. Verisign 40-bit SSL
    - actually 128-bit within US
    - 40-bit for any communications that go outside US borders…
  - e.g. Verisign Global Server SSL
    - “the world’s strongest encryption”
    - standard for large-scale online merchants, banks, brokerages, health care organisations and insurance companies worldwide
- Strong encryption may cost a little more
  - Is the extra expense going to be justified?

Breaking an Encryption Technique
- Usually achieved with the aid of very powerful computers
- The more powerful the computer, the more likely that the key can be mathematically deduced
- Until fairly recently, a 128-bit encryption key would have been considered to be secure
- However, a research team have now succeeded in breaking 128 bit encryption in seconds, using a supercomputer…

Secure Keys for Today and Tomorrow…
- 256-bit encryption is probably now a minimum for single key encryption
  - but only a matter of time…
- 512-bit encryption is currently used by financial institutions to transfer funds electronically via the Internet
  - again, only a matter of time before even this can be cracked…
  - Solution bit keys?