Data Security Assessment and Prevention
AD660 – Databases, Security, and Web Technologies
Marcus GoncalvesSpring 2013
Total Internet Security
A gateway disconnected from the
network, inside a safelock
100feet below surface,where the only person
who has the keys …died last week.
Estimated Losses in Dollars
Causes of Incidents
Causes of Incidents from the Human Perspective
Suppliers, vendors, interns,
foreign governments, etc
14%
Hackers and Intruders
24%
Employees34%
Clients7%
Unknown21%
Main Threats
79
6155
4945
4136
3330 29 28 28
23 21 20 20 20 1814 13
0
10
20
30
40
50
60
70
80
90
100
Motivation
• Low Cost of connection (media)
• Global Reach
• Exposed Products
• Implementation of Services
• Cost Reduction
• Survey
• Research and Development of New Products
Phases of a Security Project
• Study Phase
• Decision Phase
• Implementation Phase
• Maintenance Phase
Neutrality Curve (Study Phase)
Understanding the Neutrality Curve
• Evaluation of the impact of various scenarios
• Understanding of the implementation phases
• Rejection Pilot
• Immediate Identification of Security Needed
• Understanding of what really needs protection
Possibility Curve (Study Phase)
Understanding the Possibility Curve
• Identify Security Risks (possible atacks)
• Cost Evaluation
• Identify Policies and Procedures
• Define Responsibilities
Degree of Security (Decision Phase)
Understanding the Degree of Security
• Precise Identification of Cost
• Development of Policy
• Clear Idea of the Applicable Security Model
• Accessment of Stability
Sensitive Segment: Implementation Phase
AA BB
Understanding Sensitive Segment
• Identifies the reference security point
• Enables the planning of project stages
• Assess cost for every stage of project
• Assess lenght of time for implementation
• Mobilization of local issues/resources
• Increase of quality of local security
Moving the Reference Line (Maintenance)
• Natural Process
• Dynamic Nature
• Involves adaptation and refinement
• Support for new planning
Understanding Line Movement
• System• Service • Implementation
Vulnerabilities
• Failure of the OS Architecture
• Application failure
• Lack of updates of Sistema Operacional (SPs, patches)
• Bugs on OS
Systems Failure
• Bugs on application service
• Failure of application service configuration
• Weak passwords
• Access to passwords
• Visible passwords
• Permission to privileged accounts
Service Failures
• Lack of content protection
• Lack of security policy
• Lack of user group profiles
• Failure of usability policy
• Failure in implementing security
Implementation Failures
• DNS• Brute force• Altered Ping• Network Sniffers • Java and ActiveX• Bugs on SendMail• Attack on applications• Applications based on
ODBC/JDBC• Browser failure• Web servers
Few Known Security Threats
• Invasion
• Hacking of content
• Access to passwords
• Sabotage
• Unauthorized Access to e-mail
• Espionage
• Financial frauds
Analysis of Risks
• Physical security• Logical security• Service security• Application security• Policy and procedures• Redundance and contingency
Security Project
• e-Applications should ensure (at data level)
• Integrity • Unicity• Auditing• Confidentiality
• Access controls• Ensure identity• Authorization
• Criptography
Security for E-Commerce
• To ensure identity of:• User / System• Client / Server
• Quality of data• By using identifiers• By protecting against fraud
Criptography Functions
• Math functions• Security key should resist
testings• The larger the key more
exhaustive it is to break it• Types:
• Symmetric• Asymmetric
How About Algorithms?
Symmetric System
Asymmetric System
• Math functions
• Does not characterize users
• Key size is limited
• Possible vulnerability at protocol level
• Only guarantees servers’ authenticity
SSL – Secure Socket Layer
Integration Topology: Adding DMZs
• Change (mix) protocols• Implementation of auditable systems• Centralization and analysis of logins• Individual filters• Password controls• Encrypted file system• Permission controls• Monitoring controls• Automated management
Security Integration (LAN)
• Solutions can be based on hard or software• Centralized security systems• Part of security implementation• Enables content controls (HTTP/MAIL)• Controls allowed services (rule based)• Controls the origin and destination of packages
Firewall Solution Characteristics
Alternatives…