Data Security Assessment and Prevention
AD660 – Databases, Security, and Web Technologies
Marcus Goncalves
Spring 2013
Total Internet Security
A gateway disconnected from the network, inside a safe lock 100 feet below the surface, where the only person who has the keys … died last week.
Estimated Losses in Dollars
Causes of Incidents
Causes of Incidents from the Human Perspective
• Employees: 34%
• Hackers and Intruders: 24%
• Unknown: 21%
• Suppliers, vendors, interns, foreign governments, etc.: 14%
• Clients: 7%
Main Threats
[Bar chart of main threats on a 0–100 scale; the category labels did not survive extraction]
Motivation
• Low Cost of connection (media)
• Global Reach
• Exposed Products
• Implementation of Services
• Cost Reduction
• Survey
• Research and Development of New Products
Phases of a Security Project
• Study Phase
• Decision Phase
• Implementation Phase
• Maintenance Phase
Neutrality Curve (Study Phase)
Understanding the Neutrality Curve
• Evaluation of the impact of various scenarios
• Understanding of the implementation phases
• Rejection Pilot
• Immediate Identification of Security Needed
• Understanding of what really needs protection
Possibility Curve (Study Phase)
Understanding the Possibility Curve
• Identify Security Risks (possible attacks)
• Cost Evaluation
• Identify Policies and Procedures
• Define Responsibilities
Degree of Security (Decision Phase)
Understanding the Degree of Security
• Precise Identification of Cost
• Development of Policy
• Clear Idea of the Applicable Security Model
• Assessment of Stability
Sensitive Segment: Implementation Phase
Understanding Sensitive Segment
• Identifies the reference security point
• Enables the planning of project stages
• Assess cost for every stage of project
• Assess length of time for implementation
• Mobilization of local issues/resources
• Increase of quality of local security
Moving the Reference Line (Maintenance)
Understanding Line Movement
• Natural Process
• Dynamic Nature
• Involves adaptation and refinement
• Support for new planning
Vulnerabilities
• System
• Service
• Implementation
Systems Failure
• Failure of the OS Architecture
• Application failure
• Lack of operating system updates (SPs, patches)
• Bugs in the OS
Service Failures
• Bugs in the application service
• Failure of application service configuration
• Weak passwords
• Access to passwords
• Visible passwords
• Permission to privileged accounts
Implementation Failures
• Lack of content protection
• Lack of security policy
• Lack of user group profiles
• Failure of usability policy
• Failure in implementing security
A Few Known Security Threats
• DNS
• Brute force
• Altered Ping
• Network Sniffers
• Java and ActiveX
• Bugs in SendMail
• Attack on applications
• Applications based on ODBC/JDBC
• Browser failure
• Web servers
Analysis of Risks
• Invasion
• Hacking of content
• Access to passwords
• Sabotage
• Unauthorized Access to e-mail
• Espionage
• Financial frauds
Security Project
• Physical security
• Logical security
• Service security
• Application security
• Policy and procedures
• Redundancy and contingency
Security for E-Commerce
• e-Applications should ensure (at data level):
  • Integrity
  • Uniqueness
  • Auditing
  • Confidentiality
  • Access controls
  • Ensure identity
  • Authorization
  • Cryptography
Cryptography Functions
• To ensure identity of:
  • User / System
  • Client / Server
• Quality of data
  • By using identifiers
  • By protecting against fraud
How About Algorithms?
• Math functions
• Security key should resist testing
• The larger the key, the more exhaustive it is to break it
• Types:
  • Symmetric
  • Asymmetric
Symmetric System
Asymmetric System
SSL – Secure Sockets Layer
• Math functions
• Does not characterize users
• Key size is limited
• Possible vulnerability at protocol level
• Only guarantees servers’ authenticity
Integration Topology: Adding DMZs
Security Integration (LAN)
• Change (mix) protocols
• Implementation of auditable systems
• Centralization and analysis of logins
• Individual filters
• Password controls
• Encrypted file system
• Permission controls
• Monitoring controls
• Automated management
Firewall Solution Characteristics
• Solutions can be based on hardware or software
• Centralized security systems
• Part of security implementation
• Enables content controls (HTTP/MAIL)
• Controls allowed services (rule based)
• Controls the origin and destination of packets
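As an added example (not from the slides), the rule-based control of allowed services, origin and destination that the bullets above describe, applied to the DMZ topology of the "Adding DMZs" slide; every address, network and rule is a constructed sample value. It also checks for shadowed rules, a rule-ordering mistake that first-match filters are prone to and that the slide does not cover.

```python
# Added example, not from the slides: a minimal first-match packet filter with
# the characteristics the firewall slide lists (rule based, allowed services,
# origin/destination control), around the DMZ topology of the "Adding DMZs"
# slide. Every address, network and rule here is a constructed sample value.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")        # "the Internet": matches any address
DMZ = ip_network("192.0.2.0/24")     # constructed: public-facing web tier
LAN = ip_network("10.10.0.0/16")     # constructed: internal LAN holding the DB
WEB = ip_network("192.0.2.10/32")    # constructed: the one DMZ web server

@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str            # "tcp" or "udp"
    port: Optional[int]   # destination port; None matches any port
    action: str           # "allow" or "deny"

# First match wins: specific allows first, then the DMZ -> LAN block;
# anything matching no rule falls through to the default deny in decide().
RULES: List[Rule] = [
    Rule(ANY, DMZ, "tcp", 443, "allow"),   # Internet -> DMZ web (HTTPS)
    Rule(ANY, DMZ, "tcp", 80, "allow"),    # Internet -> DMZ web (HTTP)
    Rule(WEB, LAN, "tcp", 5432, "allow"),  # only the web server reaches the DB
    Rule(DMZ, LAN, "tcp", None, "deny"),   # all other DMZ -> LAN traffic blocked
    Rule(LAN, ANY, "tcp", 443, "allow"),   # LAN may browse outbound over HTTPS
]

def decide(src: str, dst: str, proto: str, port: int,
           rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, reason) for one packet: the first matching rule,
    or ("deny", "default") when nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for i, r in enumerate(rules):
        if s in r.src and d in r.dst and proto == r.proto and r.port in (None, port):
            return r.action, f"rule {i}"
    return "deny", "default"

def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule already
    matches a superset of their traffic (a classic rule-ordering mistake)."""
    return [i for i, r in enumerate(rules) if any(
        r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst)
        and r.proto == e.proto and e.port in (None, r.port) for e in rules[:i])]
```

Swapping the two DMZ -> LAN rules puts the broad deny first, so `shadowed()` reports the web-to-DB allow as dead and `decide()` starts denying the one flow the topology needs.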
Alternatives…