Week 6
Online Security
OLBUS800 E-Commerce 1
Semester Two 2007
FACTS & FIGURES
February 7 - 9, 2000
Slammer Worm
• affects 90% of vulnerable computers within 10 minutes
FACTS & FIGURES
Worms biting harder into IM, P2P
– Instant messaging and peer-to-peer fans are being
hit with more worm and malicious code attacks than
ever before, according to research reports
Cyber security – a
process, not a product
• Cyber Security is a process and not a feature or
product that you can go out and get
• Being a process means it needs to be monitored
and revised as the technology landscape evolves
• The concept applies to three things:
– Assets
– Vulnerability
– Threats
Increasing dependence on the
internet today
Directly:
Indirectly:
Security Not A Priority Today
Other design priorities often trump
security, due to:
– Cost
– Speed
– Convenience
– Open Architecture
– Backwards Compatibility
Cyber Security Threats
– Hackers
– Unavailability
– Unauthorized access
– Destruction
– Disclosure of confidential information
– Repudiation
Who are the bad guys?
• Experimenters & Vandals – Impress peers
Who are the bad guys?
…cont.
Potential Consequences
• Embarrassment
– you are reluctant to tell anybody about it
• Repair costs
– if there is any damage, you have to repair it
• Misinformation and worse
– people hack a webpage and put
misinformation in it
• Loss of e-business
– owing to lack of customer trust
Most common types of attacks
today
Types of Attacks
Theft of data & Resources
• Stealing your computer files
• Data transfer to USB before they walk off
Purpose:
– locks up equipment
– crashes your systems
Results:
– slows/stops work flow
– prevents e-mail communication
– shuts down e-commerce
Methods of DoS Attacks
[Diagram labels: Hackers, You]
Characteristics
– Sends itself over the internet
– Sends your files over the internet
– Deletes data
– Locks up computer system
– Hides in other programmes
– Copies itself
Malicious Code
The common types are:
– Trojan horse
– Virus
– Worm
Trojan Horse
Pretends to be something good
Viruses
– Code that infects other programmes and then
executes when those programmes execute
Worms
– Typically haven't had any purpose in terms of
destroying files
– Go on to a system and send copies of
themselves to everyone on the email list and
address book
– Thus each one has a copy of the worm
Purpose:
The Hoax as a “perfect” virus
• E-mails with false warnings of a virus
• Symptoms of a hoax virus:
– Message source.
– Warning of doom and destruction
– Technical jargon
– Directions to pass it on
Interestingly, it's not always the
hackers
• Malicious actions
– by ex-employees
• Unintentional damage
– accidentally deleted a file…embarrassing but
still destruction of information
Reducing the risks
There's no 100% guarantee that even with the best
precautions some of these things won't happen to
you, but there are steps you can take to minimize
the chances.
Phishing
Anonymous Surfing
Reasons to hide IP address
• Tracking: you can be found and tracked using your IP address very easily
• Attacking: your IP address gives hackers an entryway into your computer
• Puts a buffer between you and the Web site you want to look at
• Allows you to view information without being tracked
Anonymous Surfing (…cont)
There are 2 ways:
• Anonymous Server: Anonymous servers work by retrieving web pages for you.
They hide your IP address and other important browsing information, so the remote
server does not see your information but sees the proxy server's information instead
• Free Anonymous Proxy Sites and Services: The anonymous proxy retrieves the
web pages BEFORE they are delivered to you. This way, the IP address and other
browsing information that the remote server sees does not belong to you. It belongs
to the anonymous proxy
ByPassIt
Anonymouse
HideAndGoSurf.com
Secure Servers
• A secure server is usually used when confidential information
needs to be sent across the Internet.
• This information might be password details to allow access to a
system, or credit card or other personal details which allow some
sort of transaction to be performed
Internet: Why is it so attractive to
criminals?
Provides opportunities for various kinds of
thefts
Internet: Why is it so attractive to
criminals?
Synergy between organised
crime and cyber-crime
In sum, the synergy between organized crime and
the Internet is not only very natural but also one that
is likely to flourish and develop even further in the
future.
The Internet provides both channels and targets for
crime, and enables them to be exploited for
considerable gain with a very low level of risk.
It is critical, therefore, to identify some of the ways in
which organized crime is already overlapping with
cyber-crime.
Implications for business
• Need for major changes in thinking about
cyber-security and in planning and
implementing security measures
• Important if e-business is to reach its full
potential
Implications for business
• The most important changes are in ‘thinking’.
This has two distinct but overlapping
dimensions:
– security has to be understood in broad rather than
narrow terms
– security can no longer be an after-thought, but needs
to be part of intelligence, planning, and business
strategy
• Many businesses are now being attacked by
cyber extortionists who demand payment in
return for not attacking the businesses’ web
presence.
Recommendations for firms in
the high-tech sector
1. Recognize the real problem is crime, not
hacking
2. Business intelligence needs to include criminal
intelligence analysis
3. Beware of infiltration
4. Be sensitive to money laundering opportunities
5. Develop partnerships and information-sharing
arrangements
Recommendations for firms in
the high-tech sector
• None of these measures is a panacea
Security Within™ - Configuration
based Security
• There are a number of published IT security
configuration standards:
System Architecture: Hierarchical
System Architecture: BelManage
– using your intranet
Intranet based system
Advantages
• Mobile professionals can receive e-mails even
over a slow dial-up connection
• Geographically distributed operations – if your
laptops or servers have access to your
company's intranet to internet through WAN,
dial-up or satellite link, they can be managed
using BelManage
• Identifies high-risk IT assets – e.g. file servers,
unauthorised software such as IM, desktops
without antivirus software
Intranet based system
Performance thus far:
• Successfully deployed for systems with
hundreds of thousands of desktops,
servers and laptops
• Updates over 100,00 profiles daily
• 45,000 PC profiles can be uploaded to
the server in one hour
• Ability to schedule when clients upload
profiles to best fit your network loading
Reactive Vs Proactive security
approaches
Reactive Process
Reactive Vs Proactive security
approaches
Proactive through research
• The alternative to reaction is research –
tackling the security challenge at its
source
• Creates effective defenses before attacks
even occur
Reactive Vs Proactive: Conclusion
Reactive Vs Proactive: Conclusion
Pre-emption
Global Awareness of cyber security
issues…Countries finally pay heed!
Australia
Global Awareness of cyber security
issues…Countries finally pay heed!
China
Global Awareness of cyber security
issues…Countries finally pay heed!
Japan
South Korea
Global Awareness of cyber security
issues…Countries finally pay heed!
Singapore
Global Awareness of cyber security
issues…Countries finally pay heed!
Qatar
What can you, as now ‘cyber-security aware’
managers, do to help?
• Corporate road warriors travelling with
laptops should secure them with at least
two-phase security controls
– Web-based services such as Groove can be
used to circumvent corporate document
policies
Tokens
Passive Tokens
• Storage devices that contain a secret code
• Most common – plastic cards with magnetic
strips containing a hidden code
• User swipes the token through a reader
attached to a personal computer or workstation
and then enters his or her password to gain
access to the network
New and Emerging Technologies
Tokens
Active Tokens
• Usually stand-alone electronic devices (key
chain tokens, smartcards, USB) that generate
one-time passwords
• User enters a PIN into the token. The token
then generates a password that is only good for
a single log-on
Smart Cards
• A smart card, a type of chip card, is a plastic card
embedded with a computer chip that stores and
transacts data between users.
• This data is associated with either value or
information or both and is stored and processed
within the card's chip, either a memory or
microprocessor.
Smart Cards
Portable USB Digital Identity Device
Biometric Systems
Biometrics is the science of measuring physical properties of
living beings.
Fingerprint scanners
Iris Scanners
Facial Recognition Systems
Voice Recognition