Richard Henson University of Worcester October 2017

Presentation on theme: "Richard Henson University of Worcester October 2017"— Presentation transcript:

1 Richard Henson University of Worcester October 2017
COMP3371 Cyber Security Richard Henson University of Worcester October 2017

2 Week 5: Networks, Securing the Internet, Business Continuity
Objectives: Explain the dilemmas in keeping networks secure. Explain that the Internet was never intended for security, that securing networks connected to the Internet is a double headache for network managers, and the components of the secure Internet, or PKI. Explain why businesses need continuity planning.

3 Possible Security Features of a (local) Network
Information labelling and handling; Equipment siting and protection; Supporting utilities; Cabling security; Maintenance; Secure disposal or re-use; Separation of development, test and operational facilities; Controls against malicious code; Controls against mobile code; Information back-up; Network controls; Security of network services; Electronic messaging; On-line transactions; Publicly available information; Audit logging; Auditing system use; Protection of log information; Clock synchronisation; Privilege management; Equipment identification in networks; Remote diagnostic and configuration port protection; Segregation in networks; Network connection control; Network routing control; Secure log-on procedures; User identification and authentication; Password management system; Use of system utilities; Session time-out; Limitation of connection time; Information access restriction; Sensitive system isolation; Input data Verification; Control of internal processing, including Least Privilege; Message integrity; Output data Verification; Cryptographic controls; Key management; Technical vulnerability management (patches and updates); Collection of evidence.
A Checklist of areas to consider, abstracted from ISO/IEC / Control Sets [TSI/2012/183] © Copyright

4 (local) Network Management
The network manager has two (conflicting?) responsibilities: provide facilities and services that users need to do their jobs; protect the network against abuse by naïve or malign users. General perception (by users!)… network managers more concerned with “protecting the network” than servicing the needs of its users

5 The “good insider”.. a threat to security (?)
Employees (generally) want to do their job, and do it well… Possible conflict with the “security-orientated” or “nanny-state” approach to network management. Needs balance: the network IS there for the benefit of its users… fulfil business objectives. BUT must be as secure as reasonably possible… protect valuable company data

6 NOT Getting the balance right…
Worrying web page (BBC): BBC’s own network users so frustrated about IT restrictions stopping them doing their jobs that many (typically 41% according to a CISCO survey) ignore the rules!

7 Secure Network + World Wide Web (!!!)
For the first 20+ years… Internet for research and military… Changed… thanks to Tim Berners-Lee! became the world wide web (1992) TCP/IP developed to run on Windows & Apple computers people could access the Internet via telephone line… (14.4K bandwidth)

8 The Secure Internet Entrepreneurs realised that the Internet could now be used for anything some interested in pictures and movies others looking at banking and business online Big problem… no security; everything on www was free! needed to develop secure protocols

9 Public Key Infrastructure
… series of protocols turned the “raw” Internet into a secure platform for business could reliably accept payments for goods & services no longer free! Result had to be integrated with local networks… great Microsoft success worked with Internet geeks and entrepreneurs

10 Backup and Recovery Any system can fail
Essential to have at least one backup system. Typical hardware failures: hard disk; hard disk controller; CPU, memory, peripherals…

11 Rapid Recovery from Failure
Hardware: replacement! Ideally the system should identify the failure and the backup should be switched in automatically. Software: replacement, including current configuration; mechanism to achieve this automatically from backup

12 Environmental Failure
Overheating… electrical components need to be kept cool Flooding… destroys delicate electrical components Other natural disasters… destroy a whole computer infrastructure setup!

13 Business Continuity
Online business totally dependent on its digital infrastructure: no Internet presence, no sales! Many local businesses caught out by 2007 flash flooding; could be taken out by malware. Estimated that only 10 days without trading can put a business out of business: reputation tarnished; customers go elsewhere…

14 Preparing for the Unthinkable
Need a backup plan to cover all eventualities anything that CAN go wrong COULD go wrong! even a flooded infrastructure can be mitigated by having that infrastructure replicated in the cloud (!)

15 Components of Safe Internet Trading and the PKI
Requirements for effective digital trading: integration of Internet data management structures (e.g. DNS) with local networks; access to internal network components via the Internet, using international standards (e.g. OSI model, RFCs, IEEE); security of personal, organisational, transactional data: effective encryption, one key not enough! System of authentication

16 Public Key Encryption (PKE)
Problems with Symmetric Key… one encryption/decryption key only; no authentication. Asymmetric (public key…): encryption: shared public key; decryption: unshared private key; each algorithm a one way function; digital authentication

17 Authentication of an Email Message
Two potential issues with a new email: Is it intact & unmodified? (integrity) Can original authorship (authenticity) be established? Requirements for Authentication: inputs (sender): secret key, message; output: message authentication code
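Added example, not part of the original slides: a message authentication code computed from the two inputs named above (secret key, message) and checked by the recipient, using HMAC-SHA256 from the Python standard library. The header name `X-Example-MAC`, the function names and the sample addresses are assumptions made for this example.

```python
import hashlib
import hmac

TAG_HEADER = "X-Example-MAC"  # hypothetical header name chosen for this example


def _mac(secret_key: bytes, sender: str, body: str) -> str:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") give different MACs.
    data = b"".join(
        len(field.encode()).to_bytes(4, "big") + field.encode()
        for field in (sender, body)
    )
    return hmac.new(secret_key, data, hashlib.sha256).hexdigest()


def seal(secret_key: bytes, sender: str, body: str) -> str:
    """Sender: inputs are the secret key and the message, output carries the MAC."""
    tag = _mac(secret_key, sender, body)
    return f"From: {sender}\n{TAG_HEADER}: {tag}\n\n{body}"


def open_sealed(secret_key: bytes, wire: str):
    """Recipient: return (sender, body) if the MAC verifies, otherwise None."""
    head, sep, body = wire.partition("\n\n")
    if not sep:
        return None  # no header/body separator: malformed
    fields = dict(line.split(": ", 1) for line in head.split("\n") if ": " in line)
    sender, tag = fields.get("From"), fields.get(TAG_HEADER)
    if sender is None or tag is None:
        return None  # a stripped MAC is a failure, never "unsigned but fine"
    expected = _mac(secret_key, sender, body)
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return sender, body
```

Because the MAC covers the sender field as well as the body, a change to either one makes verification fail, which addresses both the integrity and the authorship question for anyone holding the shared key.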

18 When is Encryption alone not enough!
Authentication: technique needed for verifying that the sender really is who he or she claims to be On local network covered through username/password When data is on the move to a computer or device from OUTSIDE… could come from ANYONE!

19 Authentication Methods
Paper correspondence? by physical signature Many available digital methods of providing a sender signature e.g. Windows SIGVER (file signing) method of checking incoming files to ensure that they are from a Microsoft approved source Java uses a similar technique

20 Security & Wireless Data
Problem with WAP standard… open access decryption too easy… Requires authentication as well for safe transmission (best standard WPA-2) use a known SSID to provide authentication of remote device other devices won’t get access…

21 Asymmetric (two key) encryption
Diffie and Hellman (US, 1976) British scientists were secretly working on it much earlier Ellis, at GCHQ made the first breakthrough in 1970 Two keys: public key - known to everyone private or secret key - known only to the recipient of the message

22 Example of PKE in email John wants to send a secure message to Jane…
He uses Jane's public key to encrypt the message Jane then uses her private key to decrypt it Original public key method did not support either encryption or digital signatures… therefore vulnerable to third party in the middle eavesdroppers

23 PKE in practice Can work in two ways:
private key encryption, public key decryption; public key encryption, private key decryption.
[Diagram: unencrypted data, encrypted with private key on sender’s computer; encrypted data sent through the Internet; decrypted with public key on recipient computer; decrypted data received by recipient’s computer]

24 Security of Public Key Encryption (PKE)
Public and private keys logically related so that only the public key can be used to encrypt messages only the corresponding private key can be used to decrypt them Designed so virtually impossible to deduce the private key from public key alone…
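Added example, not part of the original slides: textbook RSA with deliberately tiny constructed primes, showing the two directions listed on slide 23 and why the key relationship described on this slide only holds at large key sizes. The function names are this example's own, and the scheme has no padding, so it is for study only.

```python
import math


def make_keypair(p: int, q: int, e: int = 17):
    """Build a textbook RSA key pair from two primes (toy sizes, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)       # private exponent: e*d = 1 (mod phi)
    return (e, n), (d, n)     # (public key, private key)


def apply_key(key, value: int) -> int:
    """The one RSA operation, value^exponent mod n, used in both directions."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def recover_private(public):
    """Deduce the private key by factoring n; feasible only because n is tiny."""
    e, n = public
    p = next(c for c in range(2, math.isqrt(n) + 1) if n % c == 0)
    q = n // p
    return (pow(e, -1, (p - 1) * (q - 1)), n)


def demo():
    public, private = make_keypair(61, 53)      # constructed toy primes
    message = 1234                              # constructed sample value
    # Way 1: public key encryption, private key decryption (confidentiality).
    ciphertext = apply_key(public, message)
    decrypted = apply_key(private, ciphertext)
    # Way 2: private key transformation, public key check (authentication).
    signature = apply_key(private, message)
    checked = apply_key(public, signature)
    # With a 12-bit modulus the "virtually impossible" step takes microseconds.
    broken = recover_private(public) == private
    return ciphertext, decrypted, checked, broken
```

Real keys use moduli of 2048 bits or more, where the trial division in `recover_private` is computationally out of reach.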

25 Evolution of PKE systems
Must be designed to include authentication of sender in architecture Variety of techniques developed: Pretty Good Privacy (PGP - free) Digital Certificates & Public Key Infrastructure (PKI – server-end pays)

26 PGP (Pretty Good Privacy)
Developed by Philip Zimmermann (early 1990s); official repository held at the Massachusetts Institute of Technology; spec for v2.0 at RFC #1991. Based on public-key method… plus authentication using a “web of trust”. Quote from RFC… “As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys.” Convenient way to protect messages on the Internet: effective; easy to use; free

27 Using PGP (or not..)
To encrypt a message using PGP, the receiver needs the PGP encryption package. Zimmermann made it available for free download from a number of Internet sources. Such an effective encryption tool that the U.S. government actually brought a lawsuit against Zimmermann! Problem: PGP made public… therefore available to enemies of the U.S.

28 US gov v Zimmermann (PGP)
Actual Lawsuit: selling munitions overseas without a license (used >40 bit encryption) unpopular… after a public outcry, quietly dropped, law changed in 2000 Still illegal to download PGP from US to many other countries

29 Trust through the Internet
Ever seen “Meet the Parents?” Circle of trust (personal) never practicable for trust “in the business sense” Web-based “business trust”: you may not trust me, but you do trust my business enough to accept that you’ll get paid! PGP web of trust wouldn’t be practicable! different model needed…

30 The trouble with HTTP General Internet principle of “anyone can go anywhere” On a Windows system with www access: TCP can link directly to HTTP session layer authentication not invoked HTML data transferred directly to the presentation and application layers for display Problem: the data is visible to anyone else on the Internet who may have access to that machine and the data path to it!

31 Secure HTTP and the user authentication problem
Makes use of the potential for requiring authentication at the session layer. SSL protocol can require a username/password combination before data passes through the socket from transport layer to application layer.
[Diagram: application; authentication required; transport]

32 Computer Authentication
SSL is able to use the PKI When a user first attempts to communicate with a web server over a secure connection: that server will present the web browser with authentication data presented as a server certificate (remember those?) verifies that the server is who and what it claims to be Works both ways… server may in return request client authentication

33 SSL and Encryption
Authenticating the user & server only helps when the data is at its source or destination; data also needs to be protected in transit… SSL working at level 5/6 also ensures that it is: encrypted before being sent; decrypted upon receipt and prior to processing for display

34 Confidentiality & Integrity
Encryption of SSL responses can be from Standard 40 bit RSA (difficult to break confidentiality) to Secure 128/256 bit RSA (virtually impossible to “crack”). Guarantee that the data will not be modified in transit by a third party: integrity therefore also maintained

35 Is an SSL Digital Certificate Really Necessary?
Yes: for sites involved in e-commerce and therefore involving digital payment any other business transaction in which authentication of identity is important No: if an administrator simply wants to ensure that data being transmitted and received by the server is private and cannot be snooped by anyone eavesdropping on the connection In such cases, a self-signed certificate is sufficient

36 Https & “Web of Trust”
Based on individual trust networks built up between individuals. Possible to “self sign” a digital certificate: if someone trusts you, a self-signature may be all they need. OpenPGP identity certificates are designed to be self-signed

37 Verisign Trust System
Web of Trust: OK for academics (“good” people?) but “bad” people can do business. Verisign system presented as an alternative: developed so that people could trust strangers in business transactions; financial institutions provide the “trust”

38 General Tips on Running SSL
Designed to be as efficient as securely possible but encryption/decryption is computationally expensive from a performance standpoint not strictly necessary to run an entire Web application over SSL customary for a developer to decide which pages require a secure connection and which do not

39 Merchant Providers and Online Trading
PKI too complex for many start-up businesses use a merchant provider to handle online trading potential issues with outsourcing where is customer data? what happens if merchant provider goes down? Or even loses business data?

40 When to use SSL Whenever web pages require a secure connection e.g.:
login pages personal information pages shopping cart checkouts any pages where credit card information could possibly be transmitted

41 Running HTTPS
Like http and ftp, a client-server service that runs on the Web server; uniquely designed so it will not run on a server without a server certificate. Once the service has been set up, https will require users to establish an encrypted channel with the server, i.e. https:// rather than http://. Until the user does use https they will get an error, rather than the pop up that precedes the secure web page

42 Running HTTPS However, there still could be problems with access…
The use of an encrypted channel running https requires that the user's Web browser and the Web server BOTH support the encryption scheme used to secure the channel For example: IF an IIS Web Server is set to use default secure communication settings THEN the client Web browser must support a session key strength of 40 bits, or greater

43 Accessing a Web Page using HTTPS
If the client is to request a page that needs SSL: in the HTML code that will call that page, prefix the address with https:// instead of http:// and the system will do the rest. Any pages which absolutely require a secure connection should: check the protocol type associated with the page request; take the appropriate action if https: is not specified
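Added example, not part of the original slides: one way to "check the protocol type associated with the page request" and "take the appropriate action", written as Python WSGI middleware. The host name, the protected path prefixes (modelled on the page types listed on slide 40) and all function names are assumptions made for this example.

```python
from urllib.parse import quote

CANONICAL_HOST = "shop.example.test"                    # hypothetical site name
SECURE_PREFIXES = ("/login", "/account", "/checkout")   # hypothetical paths

def require_https(app, host=CANONICAL_HOST, prefixes=SECURE_PREFIXES):
    """WSGI middleware: check the protocol of each request for a protected page."""
    def middleware(environ, start_response):
        path = environ.get("PATH_INFO") or "/"
        protected = any(path == p or path.startswith(p + "/") for p in prefixes)
        if not protected or environ.get("wsgi.url_scheme") == "https":
            return app(environ, start_response)
        if environ.get("REQUEST_METHOD") in ("GET", "HEAD"):
            # Redirect to the configured host, never the client-supplied Host
            # header, so the redirect cannot be steered to another site.
            location = f"https://{host}{quote(path)}"
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        # A POST over plain HTTP has already exposed its body in transit;
        # refuse it rather than redirect, so the form gets fixed at its source.
        body = b"HTTPS required\n"
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]
    return middleware

def demo_app(environ, start_response):
    """Stand-in application used only to exercise the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def probe(app, method, path, scheme, query=""):
    """Call a WSGI app with a constructed request; return (status, headers)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen.update(status=status, headers=dict(headers))
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "QUERY_STRING": query, "wsgi.url_scheme": scheme}
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]
```

When TLS is terminated by a proxy in front of the application, `wsgi.url_scheme` reflects the proxy-to-application hop, so the check has to be made at the proxy or the scheme passed through by configuration.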

44 Proof that Web Page has been delivered securely using SSL
The first thing is that (depending on browser settings) a pop up appears… this informs the client that they are entering a secure client-server connection. The pop up must be acknowledged to continue. The page will then be displayed: https:// will appear before the URL; “lock” symbol appears on the bottom left of the screen

45 Practical Limitations on the Use of SSL
The SSL “handshake”, where the client browser accepts the server certificate, must occur before the HTTP request is accessed As a result: the request information containing the virtual host name cannot be determined prior to authentication it is therefore not possible to assign multiple certificates to a single IP address Using name-based virtual hosts on a secured connection can therefore be problematic

