Data Security Assessment and Prevention

AD660 – Databases, Security, and Web Technologies

Marcus GoncalvesSpring 2013

Total Internet Security

A gateway disconnected from the

network, inside a safelock

100feet below surface,where the only person

who has the keys …died last week.

Estimated Losses in Dollars

Causes of Incidents

Causes of Incidents from the Human Perspective

Suppliers, vendors, interns,

foreign governments, etc

14%

Hackers and Intruders

24%

Employees34%

Clients7%

Unknown21%

Main Threats

79

6155

4945

4136

3330 29 28 28

23 21 20 20 20 1814 13

0

10

20

30

40

50

60

70

80

90

100

Motivation

• Low Cost of connection (media)

• Global Reach

• Exposed Products

• Implementation of Services

• Cost Reduction

• Survey

• Research and Development of New Products

Phases of a Security Project

• Study Phase

• Decision Phase

• Implementation Phase

• Maintenance Phase

Neutrality Curve (Study Phase)

Understanding the Neutrality Curve

• Evaluation of the impact of various scenarios

• Understanding of the implementation phases

• Rejection Pilot

• Immediate Identification of Security Needed

• Understanding of what really needs protection

Possibility Curve (Study Phase)

Understanding the Possibility Curve

• Identify Security Risks (possible atacks)

• Cost Evaluation

• Identify Policies and Procedures

• Define Responsibilities

Degree of Security (Decision Phase)

Understanding the Degree of Security

• Precise Identification of Cost

• Development of Policy

• Clear Idea of the Applicable Security Model

• Accessment of Stability

Sensitive Segment: Implementation Phase

AA BB

Understanding Sensitive Segment

• Identifies the reference security point

• Enables the planning of project stages

• Assess cost for every stage of project

• Assess lenght of time for implementation

• Mobilization of local issues/resources

• Increase of quality of local security

Moving the Reference Line (Maintenance)

• Natural Process

• Dynamic Nature

• Involves adaptation and refinement

• Support for new planning

Understanding Line Movement

• System• Service • Implementation

Vulnerabilities

• Failure of the OS Architecture

• Application failure

• Lack of updates of Sistema Operacional (SPs, patches)

• Bugs on OS

Systems Failure

• Bugs on application service

• Failure of application service configuration

• Weak passwords

• Access to passwords

• Visible passwords

• Permission to privileged accounts

Service Failures

• Lack of content protection

• Lack of security policy

• Lack of user group profiles

• Failure of usability policy

• Failure in implementing security

Implementation Failures

• DNS• Brute force• Altered Ping• Network Sniffers • Java and ActiveX• Bugs on SendMail• Attack on applications• Applications based on

ODBC/JDBC• Browser failure• Web servers

Few Known Security Threats

• Invasion

• Hacking of content

• Access to passwords

• Sabotage

• Unauthorized Access to e-mail

• Espionage

• Financial frauds

Analysis of Risks

• Physical security• Logical security• Service security• Application security• Policy and procedures• Redundance and contingency

Security Project

• e-Applications should ensure (at data level)

• Integrity • Unicity• Auditing• Confidentiality

• Access controls• Ensure identity• Authorization

• Criptography

Security for E-Commerce

• To ensure identity of:• User / System• Client / Server

• Quality of data• By using identifiers• By protecting against fraud

Criptography Functions

• Math functions• Security key should resist

testings• The larger the key more

exhaustive it is to break it• Types:

• Symmetric• Asymmetric

How About Algorithms?

Symmetric System

Asymmetric System

• Math functions

• Does not characterize users

• Key size is limited

• Possible vulnerability at protocol level

• Only guarantees servers’ authenticity

SSL – Secure Socket Layer

Integration Topology: Adding DMZs

• Change (mix) protocols• Implementation of auditable systems• Centralization and analysis of logins• Individual filters• Password controls• Encrypted file system• Permission controls• Monitoring controls• Automated management

Security Integration (LAN)

• Solutions can be based on hard or software• Centralized security systems• Part of security implementation• Enables content controls (HTTP/MAIL)• Controls allowed services (rule based)• Controls the origin and destination of packages

Firewall Solution Characteristics

Alternatives…