Privacy and Security.


Presentation on theme: "Privacy and Security."— Presentation transcript:

1 Privacy and Security

2 Security and Privacy
- Security: the protection of data, networks and computing power
- Privacy: complying with a person's desires when it comes to handling his or her personal information

3 PRIVACY When you walk into the store, the big-screen displays "Hello Tom," your shopping habits, and other information from Minority Report

4 Some Views on Privacy
- “All this secrecy is making life harder, more expensive, dangerous …” Peter Cochran, former head of BT (British Telecom) Research
- “You have zero privacy anyway.” Scott McNealy, CEO Sun Microsystems
- “By 2010, privacy will become a meaningless concept in western society” Gartner report, 2000

5 Legal Realities of Privacy
- Self-regulation approach in US, Japan
- Comprehensive laws in Europe, Canada, Australia
- European Union
  - Limits data collection
  - Requires comprehensive disclosures
  - Prohibits data export to unsafe countries
    - Or any country for some types of data

6 Aspects of Privacy
- Anonymity
- Security
- Transparency and Control: knowing what is being collected

7 Privacy and Trust
- Right of individuals to determine if, when, how, and to what extent data about themselves will be collected, stored, transmitted, used, and shared with others
- Includes
  - right to browse the Internet or use applications without being tracked unless permission is granted in advance
  - right to be left alone
- True privacy implies invisibility
- Without invisibility, we require trust

8 Privacy Aware Technologies
- Non-privacy-related solutions that enable users to protect their privacy
- Examples
  - password and file-access security programs
  - unsubscribe
  - encryption
  - access control

9 Privacy Enhancing Technologies
- Solutions that help consumers and companies protect their privacy, identity, data and actions
- Examples
  - popup blockers
  - anonymizers
  - Internet history clearing tools
  - anti-spyware software

10 Impediments to Privacy
- Surveillance
- Data collection and sharing
- Cookies – how long are they retained?
- Sniffing, Snarfing, Snorting
  - All are forms of capturing packets as they pass through the network
  - Differ by how much information is captured and what is done with it

11 P3P (2002)
- Platform for Privacy Preference (P3P)
- World Wide Web Consortium (W3C) project
- Voluntary standard
- Structures a web site’s policies in a machine readable format
- Allows browsers to understand the policy and behave according to a user’s defined preferences
- Short-lived (18 months): why?

12 Do Not Track
- Opt out technology
- HTTP header
- 2012 pledge not honored

13 Privacy and Wireless
- “Wardriver” program: scans for broadcast SSIDs
  - broadcasting improves network access, but at a cost
- Once the program finds the SSID
  - obtains the IP address
  - obtains the MAC address
- Lowe’s was penetrated this way
  - Stole credit card numbers

14 Deep Web
- Anything that can’t be indexed (estimate 97%!)
- Accessible through secure browsers: Tor
  - Anonymity
  - Difficulty in tracing
- Onion addresses of interest

15 Security: broad issues, not technology

16 Security “Gospel”
- The Morris Internet worm of 1988 cost $98 million to clean up
- The Melissa virus crashed networks at 300 of the Fortune 500 companies
- The Chernobyl virus destroyed up to a million PCs throughout Asia
- The ExploreZip virus alone cost $7.6 billion to clean up

17 Security Reality
- The Morris Internet worm of 1988 cost under $1 million to clean up (not $98 million)
- The Melissa virus scared executives into disconnecting networks at 300 of the Fortune 500 companies (it did not crash them)
- The Chernobyl virus caused replacement of up to a million PCs throughout Asia (it did not destroy them)
- The ExploreZip virus alone could have cost $7.6 billion to clean up

18 Information Systems Security
- Deals with
  - Security of (end) systems
    - Operating system, files, databases, accounting information, logs, ...
  - Security of information in transit over a network
    - e-commerce transactions, online banking, confidential e-mails, file transfers, ...

19 Basic Components of Security
- Confidentiality
  - Keeping data and resources secret or hidden
- Integrity
  - Ensuring authorized modifications
  - Refers to both data and origin integrity
- Availability
  - Ensuring authorized access to data and resources when desired
- Accountability
  - Ensuring that an entity’s action is traceable uniquely to that entity
- Security assurance
  - Assurance that all four objectives are met

20 Info Security 30 Years Ago
- Physical security
  - Information was primarily on paper
  - Lock and key
  - Safe transmission
- Administrative security
  - Control access to materials
  - Personnel screening
  - Auditing

21 Information Security Today
- Increasing system complexity
- Digital information security importance
  - Competitive advantage
  - Protection of assets
  - Liability and responsibility
- Financial losses
  - FBI estimates that an insider attack results in an average loss of $2.8 million
  - Estimates of annual losses: $5 billion - $45 billion (Why such a big range?)
- Protection of critical infrastructures
  - Power grid
  - Air transportation
  - Government agencies
    - GAO report (2015)

22 Attack Vs Threat
- A threat is a “potential” violation of security
  - Violation need not actually occur
  - Fact that the violation might occur makes it a threat
- The actual violation (or attempted violation) of security is called an attack

23 Common security attacks
- Interruption, delay, denial of receipt or denial of service
  - System assets or information become unavailable or are rendered unavailable
- Interception or snooping
  - Unauthorized party gains access to information by browsing through files or reading communications
- Modification or alteration
  - Unauthorized party changes information in transit or information stored for subsequent access
- Fabrication, masquerade, or spoofing
  - Spurious information is inserted into the system or network by making it appear as if it is from a legitimate source
- Repudiation of origin
  - False denial that the source created something

24 Denial of Service Attacks
- Explicit attempt to prevent legitimate users from using service
- Two types of attacks
  - denial of service (DOS)
  - distributed denial of service (DDOS)
- Asymmetric attack
  - attacker with limited resource (old PC and slow modem) may be able to disable much faster and more sophisticated machines or networks
- Methods
  - Bots or Zombie machines
  - Trojans or Smurf attack: distributed attack that sends specified number of data packets to a victim

25 Phishing (Spoofing)
- Use 'spoofed' e-mails and fraudulent websites
- Designed to fool recipients into divulging personal financial data
  - credit card numbers
  - account usernames and passwords
  - social security numbers
- Hijacking of trusted brands
  - banks
  - online retailers
  - credit card companies
- Able to convince up to 5% of recipients to respond

26 Goals of Security
- Prevention
  - Prevent someone from violating a security policy
- Detection
  - Detect activities in violation of a security policy
  - Verify the efficacy of the prevention mechanism
- Recovery
  - Stop attacks
  - Assess and repair damage
  - Ensure availability in presence of ongoing attack
  - Fix vulnerabilities to prevent future attacks
  - Deal with the attacker

Prevention is ideal, because then there are no successful attacks. Detection occurs after someone violates the policy. The mechanism determines that a violation of the policy has occurred (or is underway), and reports it. The system (or system security officer) must then respond appropriately. Recovery means that the system continues to function correctly, possibly after a period during which it fails to function correctly. If the system functions correctly always, but possibly with degraded services, it is said to be intrusion tolerant. This is very difficult to do correctly; usually, recovery means that the attack is stopped, the system fixed (which may involve shutting down the system for some time, or making it unavailable to all users except the system security officers), and then the system resumes correct operations.

27 Human Issues
- Outsiders and insiders
  - Which is the real threat?
  - 1996: Tim Lloyd, disgruntled employee, inserts time bomb that destroys all copies of Omega Engineering machining code. Estimated loss: $10 million.
- Social engineering
  - How much should a company disclose about security?
  - Claim more or less security than exists

People problems are by far the main source of security problems. Outsiders are attackers from outside the organization; insiders are people who have authorized access to the system and, possibly, are authorized to access data and resources, but use the data or resources in unauthorized ways. It is speculated that insiders account for 80-90% of all security problems, but the studies generally do not disclose their methodology in detail, so it is hard to know how accurate they are. (Worse, there are many slightly different definitions of the term “insider,” causing the studies to measure slightly different things!) Social engineering, or lying, is quite effective, especially if the people gulled are inexperienced in security (possibly because they are new, or because they are tired).

28 Honeypots
- Setting up a server to attract hackers
- Used by corporations as early warning system
- Used to attract spam to improve filters
- Used to attract viruses to improve detection

29 ENCRYPTION

30 Security Level of Encrypted Data
- Unconditionally Secure
  - Unlimited resources + unlimited time
  - Still the plaintext CANNOT be recovered from the ciphertext
- Computationally Secure
  - Cost of breaking a ciphertext exceeds the value of the hidden information
  - The time taken to break the ciphertext exceeds the useful lifetime of the information

31 Types of Attacks
- Ciphertext only
  - adversary has only ciphertext
  - goal is to find plaintext, possibly key
- Known plaintext
  - adversary has plaintext and ciphertext
  - goal is to find key
- Chosen plaintext
  - adversary can get a specific plaintext enciphered

32 Attack Mechanisms
- Brute force
- Statistical analysis
  - Knowledge of natural language
  - Examples:
    - All English words have vowels
    - There are only 2 1-letter words in English
    - High probability that u follows q

33 PRIVATE KEY

34 Caesar Cipher
- Substitute the letter 3 ahead for each one
- Example:
  - Et tu, Brute
  - Hw wx, Euxwh
- Quite sufficient for its time
  - High illiteracy
  - New idea
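
The Caesar cipher from this slide, attacked ciphertext-only with the brute force and natural-language rules from the "Attack Mechanisms" slide. This is an added example, not part of the original presentation; the function names and the sample message are constructed, and the "u follows q" tendency is treated as a hard rule.

```python
import re

VOWELS = set("aeiouy")  # assumption: 'y' counts, so words like "by" pass

def caesar(text, shift):
    """Shift each letter `shift` places ahead, keeping case and punctuation."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def looks_english(text):
    """Apply the three natural-language rules listed on the slide."""
    words = re.findall(r"[a-z]+", text.lower())
    if not words:
        return False
    for w in words:
        if not VOWELS & set(w):                   # every word has a vowel
            return False
        if len(w) == 1 and w not in ("a", "i"):   # only two 1-letter words
            return False
        if re.search(r"q(?!u)", w):               # 'u' follows 'q'
            return False
    return True

def break_caesar(ciphertext):
    """Ciphertext-only brute force: try all 26 keys, keep plausible plaintexts."""
    candidates = []
    for key in range(26):
        plain = caesar(ciphertext, -key)
        if looks_english(plain):
            candidates.append((key, plain))
    return candidates

# Constructed sample message, enciphered with the slide's key of 3.
SAMPLE = caesar("Meet me at the bridge, a quarter past nine", 3)

if __name__ == "__main__":
    print(caesar("Et tu, Brute", 3))
    for key, plain in break_caesar(SAMPLE):
        print(key, plain)
```

With only 26 possible keys, the three rules are enough to leave a single candidate for this message; longer key spaces are what make brute force expensive.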

35 Enigma Machine (Germany, World War II)
- Simple Caesar cipher through each rotor
- But rotors shifted at different rates
  - Roller 1 rotated one position after every encryption
  - Roller 2 rotated every 26 times…

36 Private Key Cryptography
- Sender, receiver share common key
  - Keys may be the same, or trivial to derive from one another
  - Sometimes called symmetric cryptography or classical cryptography
- Two basic types
  - Transposition ciphers (rearrange bits)
  - Substitution ciphers
- Product ciphers
  - Combinations of the two basic types

37 DES (Data Encryption Standard)
- A block cipher:
  - encrypts blocks of 64 bits using a 64 bit key
  - outputs 64 bits of ciphertext
- A product cipher
  - performs both transposition (permutation) and substitution on the bits
- Considered weak
  - Susceptible to brute force attack

38 Cracking DES
- 1998: Electronic Frontier Foundation cracked DES in 56 hrs using a supercomputer
- 1999: Distributed.net cracked DES in 22 hrs
- With specialized hardware, DES can be cracked in less than an hour.

39 History of DES
- IBM develops Lucifer for banking systems (1970’s)
- NIST and NSA evaluate and modify Lucifer (1974)
- Modified Lucifer adopted as federal standard (1976)
  - Name changed to Data Encryption Standard (DES)
  - Defined in FIPS (46-3) and ANSI standard X9.32
- NIST defines Triple DES (3DES) (1999)
  - Single DES use deprecated - only legacy systems.
- NIST approves Advanced Encryption Std. (AES) (2001)
  - AES (128-bit block)
  - Attack published in 2009
  - Current state of the art is AES-256

40 PUBLIC KEY

41 Public Key Cryptography
- Two keys
  - Private key known only to individual
  - Public key available to anyone
  - Public key, private key inverses
- Confidentiality
  - encipher using public key
  - decipher using private key
- Integrity/authentication
  - encipher using private key
  - decipher using public one

42 Public Key Requirements
- Computationally easy to encipher or decipher a message given the appropriate key
- Computationally infeasible to derive the private key from the public key
- Computationally infeasible to determine the private key using a chosen plaintext attack

43 RSA
- Public key algorithm described in 1977 by Rivest, Shamir, and Adleman
- Exponentiation cipher
- Relies on the difficulty of factoring a large integer
- RSA Labs now owned by EMC
- A Guide to RSA
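
The public-key slides above, worked through with textbook RSA: the two keys are inverses, the direction of use gives confidentiality or authentication, and the private key falls out as soon as the modulus can be factored. This is an added example, not part of the original presentation; the toy primes, the message value and the function names are constructed, and no padding is applied.

```python
from math import gcd

def make_keys(p, q, e):
    """Build a textbook RSA key pair from two primes and a public exponent."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # private exponent: e*d = 1 (mod phi)
    return (n, e), (n, d)        # (public key, private key)

def apply_key(key, value):
    """The exponentiation cipher: value^exponent mod n, for either key."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be in [0, n)")
    return pow(value, exponent, n)

def recover_private(public):
    """Derive the private key by factoring n; feasible only because n is tiny."""
    n, e = public
    p = next(f for f in range(2, int(n ** 0.5) + 1) if n % f == 0)
    return make_keys(p, n // p, e)[1]

# Constructed toy parameters; real moduli are 2048 bits or more.
PUBLIC, PRIVATE = make_keys(61, 53, 17)

def demo(message=65):
    # Confidentiality: anyone enciphers with the public key,
    # only the private-key holder can decipher.
    ciphertext = apply_key(PUBLIC, message)
    # Integrity/authentication: the holder enciphers with the private key,
    # anyone can check the result with the public key.
    signature = apply_key(PRIVATE, message)
    return {
        "ciphertext": ciphertext,
        "decrypted": apply_key(PRIVATE, ciphertext),
        "signature": signature,
        "verified": apply_key(PUBLIC, signature) == message,
        "key_recovered": recover_private(PUBLIC) == PRIVATE,
    }

if __name__ == "__main__":
    print(demo())
```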

44 Summary
- Private key (classical) cryptosystems
  - encipher and decipher using the same key
- Public key cryptosystems
  - encipher and decipher using different keys
  - computationally infeasible to derive one from the other
- Both depend on keeping keys secret
  - Depend on computational difficulty
  - As computers get faster, …

45 Photon Cryptography
- Use photons for key distribution
- Prevents eavesdropping: reading a photon changes its state

46 AUTHENTICATION

47 Authentication
- Assurance of the identity of the party that you’re talking to
- Primary technologies
  - Digital Signature
  - Kerberos

48 NETWORK SECURITY
“Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench” – Gene Spafford (Purdue)

49 Firewall Techniques
- Filtering
  - Doesn’t allow unauthorized messages through
  - Can be used for both sending and receiving
  - Most common method
- Proxy
  - The firewall actually sends and receives the information
  - Sets up separate sessions and controls what passes in the secure part of the network

50 DMZ: Demilitarized Zone
- Arrangement of firewalls to form a buffer or transition environment between networks with different trust levels
[Diagram labels: Firewall, Firewall, Internal resources, Internet]

51 Three Tier DMZ
[Diagram labels: Internet, Firewall, Internal resources, Web Server, App]

