securing consumers online - viva university · securing consumers online lecture by dr richard...

Post on 28-May-2020

6 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Securing Consumers Online - VIVA University · Securing Consumers Online Lecture By Dr Richard Boateng, UGBS, Ghana Email: richard@pearlrichards.org ... manipulation was popularized

Research Methods – Dr Richard Boateng [[email protected]] Photo Illustrations from Getty Images – www.gettyimages.com 1

Purdue University and UGBS

Securing Consumers Online

Lecture By Dr Richard Boateng, UGBS, Ghana

Email: [email protected]

Original Slides by Dr. Elisa Bertino CERIAS and CS &ECE Departments, Purdue University

Page 2

Dr. Elisa Bertino and Dr Richard Boateng [[email protected]]

Photo Illustrations from Getty Images – www.gettyimages.com 2

• Read Chapter 8 – Securing Information Systems

Page 3

Millennials

• Of those born between 1979 and 1994, over 90% use the internet.

• They grew up with the internet.

• 80% have cell phones and 36% use text messaging.

• Most have broadband for downloading music and watching videos online.

• This group is a proving ground for the future.

Page 4

Millennials are Confident. Connected. Open To Change.

Page 5

80: Percentage of Millennials who have texted in the last 24 hours.

http://pewresearch.org/pubs/1437/millennials-profile


Page 6

83: Percentage of Millennials who sleep with their cell phone on or right next to their bed, making it the first and last thing they often reach for each day.

http://pewresearch.org/pubs/1437/millennials-profile

Page 7

Read More about Millennials

• www.tinyurl.com/millennialsprofile


Page 8

Learning Objectives

Managers need to know the special issues which influence the security of consumers online. This is relevant to knowing how to develop appropriate strategies to attract and sustain consumer interest in services and products provided through the internet.

The session will seek to explore the following:

1. Information Security: basic concepts

2. Privacy: basic concepts and comparison with security

3. Types of online security breaches

4. How to address security breaches

5. How to secure consumers and protect them from breaches.

Page 9

Information Security

• A state of being free from

– unauthorized use of the system and its resources,

– misuse of the system and its resources, and

– disturbance of the system's operations

• The field of study about techniques for achieving and maintaining such a secure state

Page 10

Information Protection - Why?

• Information is an important strategic and operational asset for any organization

• Damage to and misuse of information affect not only a single user or application; they may have disastrous consequences for the entire organization

• Additionally, the advent of the Internet and of networking capabilities has made access to information much easier

Page 11

Information Security: Main Requirements

Information Security – its three main requirements: Availability, Confidentiality, Integrity

Page 12

Information Security: Examples

• Consider a payroll database in a corporation; it must be ensured that:

– salaries of individual employees are not disclosed to arbitrary users of the database

– salaries are modified only by those individuals that are properly authorized

– paychecks are printed on time at the end of each pay period

Page 13

Information Security - main requirements

• Confidentiality - it refers to information protection from unauthorized read operations

– the term privacy is often used when data to be protected refer to individuals

• Integrity - it refers to information protection from modifications; it involves several goals:

– Assuring the integrity of information with respect to the original information (relevant especially in web environment) – often referred to as authenticity

– Protecting information from unauthorized modifications

– Protecting information from incorrect modifications – referred to as semantic integrity

• Availability - it ensures that access to information is not denied to authorized subjects

Page 14

Attributes of Information

Information Quality – it is not traditionally considered as part of information security but it is very relevant

CARTA Model (Richard Heeks)

1. Completeness – ensure that subjects receive all information they are entitled to access, according to the stated security policies

2. Accuracy – information received is accurate

3. Reliable – is the information dependable? Does it come from a credible source?

4. Timely – is the information provided on time or just in time for decision-making?

5. Appropriateness – is the information communicated in the appropriate manner?

Page 15

Possible Targets of Security Threats

• Information: Unauthorized Access to the Information Stored in the System

• Control: Executing Unauthorized Control of the System or Its Component(s)

• Functionality / Performance / Availability: Disabling or Degrading the Functionality, Performance or Availability of the System

Page 16

Classes of Threats

1. Disclosure – Snooping, Trojan Horses, Worms, Viruses

– Snooping : the unauthorized interception of information; an example is passive wiretapping, where the attacker monitors communications.

– Computer virus: attaches itself to a program or file, enabling it to spread from one computer to another, leaving infections as it travels. The virus may exist on your computer, but it cannot infect your computer unless you run or open the malicious program. A virus cannot be spread without a human action, such as running an infected program.


Beal, V. (2011) The Difference Between a Computer Virus, Worm and Trojan Horse, Webopedia, Retrieved on June 20 2012 from http://www.webopedia.com/DidYouKnow/Internet/2004/virus.asp

Page 17

Classes of Threats

1. Disclosure – Snooping, Trojan Horses, Worms, Viruses

– Worm : A worm is similar to a virus by design and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, it has the capability to travel without any human action.

– The biggest danger with a worm is its capability to replicate itself on your system, so it could send out hundreds or thousands of copies of itself. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then the worm replicates and sends itself out to everyone listed in each receiver's address book, and the manifest continues on down the line.

Page 18

Classes of Threats

1. Disclosure – Snooping, Trojan Horses, Worms, Viruses

– Trojan Horse: a Trojan horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage, such as ruining your hard disk.

– Some Trojans are designed to be more annoying than malicious (like changing your desktop, adding silly active desktop icons) or they can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.

Page 19

Classes of Threats

2. Deception and Social Engineering – Modification, spoofing

– Modification: an example is active wiretapping, where the attacker injects something into a communication or modifies parts of the communication. Modification is sometimes called alteration.

– Social Engineering: is the act of manipulating people into performing actions or divulging confidential information, rather than breaking in or using technical cracking techniques. "Social engineering" as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick. Spoofing is an example of social engineering.

– Spoofing: Use by an authorized individual of legitimate identification and authentication (I&A) data to impersonate a legitimate user.

Page 20

Classes of Threats

3. Disruption – Modification

4. Usurpation

– Wrongfully seizing and holding

– Modification, spoofing, delay, denial of service

– Denial of Service: the inability to access a service is a security problem regardless of whether the reason is intentional (an attack) or unintentional (not an attack). DoS can be due to limits of resources, which may stem from misuse by other users (downloading movies during office hours).

Page 21

Possible Source(s) of Threats

• Inside the System

– Internal organizational information systems and technologies

– Such as: Firm’s website or computers

• Outside the System

– A partner or customer’s system

– Manufacturer of computers or devices

• Interface to the System (including communication channels)

– A tapped network or mobile device

Page 22

Attack The Assembly Line

Page 23

Information Security: A Complete Solution

• It consists of:

– first defining a security policy

– then choosing some mechanism to enforce the policy

– finally providing assurance that both the mechanism and the policy are sound


SECURITY LIFE-CYCLE

Page 24

Policies and Mechanisms

• Policy says what is, and is not, allowed

– This defines “security” for the information

• Mechanisms enforce policies

– technical, in which controls in the computer enforce the policy; for example, the requirement that a user supply a password to authenticate herself before using the computer

– procedural, in which controls outside the system enforce the policy; for example, firing someone for bringing in a disk containing a game program obtained from an untrusted source

• Composition of policies

– If policies conflict, discrepancies may create security vulnerabilities

Page 25

Approaches to Information Security

1. Prevention of Threats → Policies

• Attempt to design a system so that it is perfectly secure

2. Exclusion of Unknown Entities → Identification and Authentication

• Attempt to distinguish well-known entities from suspicious entities

3. Hiding Important Information → Cryptography

• Attempt to make critical information incomprehensible. Theoretically, no encryption scheme except the one-time pad is perfectly secure.

4. Detection of Potential Threats → Monitoring, Auditing, Detection, and Confinement

• Attempt to identify violations of security policies or possible attempted intrusions into a system

Page 26

Encryption

• In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special information, usually referred to as a key.

• The result of the process is encrypted information (in cryptography, referred to as ciphertext).

Page 27

Encryption

• The gold is in Kumasi

• Tahserver wgeoldr sell in klumtatsiy

• 123 456 78 79 abcd87

Page 28

Information Security – Mechanisms

• Confidentiality is enforced by the access control mechanism

• Integrity is enforced by the access control mechanism and by the semantic integrity constraints

• Availability is enforced by the recovery mechanism and by detection techniques for DoS attacks – an example of which is query flood
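A minimal detector for the query flood named above, of the kind the availability mechanism on this slide and the intrusion-detection bullet on the next rely on. This is an added example, not code from the slides: the log line format, the client identifiers, the ten-second window and the five-query threshold are all assumptions, and the log lines are constructed.

```python
"""Query-flood detection over constructed log lines (added example, not from the slides).

A per-client sliding window raises one alert when a client issues more than
MAX_QUERIES queries within WINDOW_SECONDS. The log format, the thresholds and
the sample lines are assumptions made for this example.
"""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 10
MAX_QUERIES = 5

# Constructed sample log lines: "<ISO timestamp> <client id> <query>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 client-A SELECT balance FROM accounts WHERE id=17
2024-05-01T09:00:01 client-B SELECT name FROM products WHERE id=3
2024-05-01T09:00:02 client-A SELECT balance FROM accounts WHERE id=18
2024-05-01T09:00:03 client-B SELECT name FROM products WHERE id=4
2024-05-01T09:00:03 client-B SELECT name FROM products WHERE id=5
2024-05-01T09:00:04 client-B SELECT name FROM products WHERE id=6
2024-05-01T09:00:04 client-B SELECT name FROM products WHERE id=7
2024-05-01T09:00:05 client-B SELECT name FROM products WHERE id=8
2024-05-01T09:00:05 client-B SELECT name FROM products WHERE id=9
2024-05-01T09:00:30 client-A SELECT balance FROM accounts WHERE id=19
"""


def parse_line(line):
    """Split one log line into (timestamp, client, query text)."""
    ts, client, query = line.split(" ", 2)
    return datetime.fromisoformat(ts), client, query


def detect_query_floods(log_text, window=WINDOW_SECONDS, limit=MAX_QUERIES):
    """Return a list of (timestamp, client, count) alerts, one per client per flood.

    Each client keeps a deque of recent query timestamps; entries older than
    the window are evicted before counting, so memory per active client is
    bounded. A client is alerted once per burst and becomes eligible again
    only after its rate has dropped back under the limit.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ts, client, _ = parse_line(line)
        window_q = recent[client]
        window_q.append(ts)
        while (ts - window_q[0]).total_seconds() > window:
            window_q.popleft()
        if len(window_q) > limit and client not in alerted:
            alerts.append((ts, client, len(window_q)))
            alerted.add(client)
        elif len(window_q) <= limit:
            alerted.discard(client)   # burst over; a later burst may alert again
    return alerts


if __name__ == "__main__":
    for ts, client, count in detect_query_floods(SAMPLE_LOG):
        print(f"{ts.isoformat()} {client}: {count} queries in {WINDOW_SECONDS}s")
```

On the sample log only client-B trips the detector (its sixth query inside the window, at 09:00:05); client-A's three spread-out queries never do. In practice the response to an alert is a throttle or a block at the front door rather than a refusal inside the database, so that the recovery mechanism the slide mentions is not itself starved of resources.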

Page 29

Information Security – How?

Additional mechanisms

• User authentication - to verify the identity of subjects wishing to access the information

• Information authentication - to ensure information authenticity - it is supported by signature mechanisms

• Encryption - to protect information when being transmitted across systems and when being stored on secondary storage

• Intrusion detection – to protect against impersonation of legitimate users and also against insider threats, e.g. in banks

Page 30

Information Security – How?

• Information must be protected at various levels:

– The operating system (updates)

– The network (internet security software)

– The data management system (access control)

– Physical protection is also important (physical security)

Page 31

Data vs Information – which is important?

• Computer security is about controlling access to information and resources

• Controlling access to information can sometimes be quite elusive and it is often replaced by the more straightforward goal of controlling access to data

• The distinction between data and information is subtle but it is also the root of some of the more difficult problems in computer security

• Data represents information. Information is the (subjective) interpretation of data

Page 32

Inference - Example

Name   Sex  Programme  Units  Grade Ave  Actual Grade
Alma   F    MBA         8     63         36 + 2 = 38
Bill   M    CS         15     58         85 + 2 = 87
Carol  F    CS         16     70          7 + 2 = 9
Don    M    MIS        22     75         57 + 2 = 59
Errol  M    CS          8     66         66 + 2 = 68
Flora  F    MIS        16     81         18 + 2 = 20
Gala   F    MBA        23     68         86 + 2 = 88
Homer  M    CS          7     50          5 + 2 = 7
Igor   M    MIS        21     70          7 + 2 = 9

Interchange numbers + 2 (the Actual Grade is the stored Grade Ave with its digits interchanged, plus 2)
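The inference problem the table illustrates, together with the data-versus-information point of the previous slide, as an added example that is not part of the original slides. The rows are the slide's; the statistical query interface, the minimum query-set size of three, and the reading of "interchange numbers + 2" as a decoding function are this editor's assumptions.

```python
"""Inference from a statistical query interface, using the student table above.

Added example, not from the slides: the rows are the slide's, but the query
interface, the k-threshold and the decoding of "interchange numbers + 2" as a
function are this editor's reading of the table.
"""
from statistics import mean

# Rows from the slide: (name, sex, programme, units, stored grade average)
STUDENTS = [
    ("Alma", "F", "MBA", 8, 63),
    ("Bill", "M", "CS", 15, 58),
    ("Carol", "F", "CS", 16, 70),
    ("Don", "M", "MIS", 22, 75),
    ("Errol", "M", "CS", 8, 66),
    ("Flora", "F", "MIS", 16, 81),
    ("Gala", "F", "MBA", 23, 68),
    ("Homer", "M", "CS", 7, 50),
    ("Igor", "M", "MIS", 21, 70),
]

MIN_QUERY_SET = 3   # policy assumption: never aggregate over fewer than 3 students


def actual_grade(stored):
    """Data vs information: the stored number only becomes the real grade once
    you know the interpretation the slide gives ('interchange numbers + 2')."""
    return int(str(stored)[::-1]) + 2          # 63 -> 36 + 2 = 38, 70 -> 07 + 2 = 9


def query_set(sex=None, programme=None):
    """Rows selected by the (optional) sex and programme predicates."""
    return [r for r in STUDENTS
            if (sex is None or r[1] == sex) and (programme is None or r[2] == programme)]


def average_grade_naive(sex=None, programme=None):
    """Average stored grade with no query-set check.

    Returning only an aggregate feels safe, yet any predicate that selects a
    single student (here: female MIS students) returns that student's grade.
    """
    rows = query_set(sex, programme)
    return mean(r[4] for r in rows) if rows else None


def average_grade_guarded(sex=None, programme=None, k=MIN_QUERY_SET):
    """Query-set-size control: answer only when k <= |set| <= N - k.

    The lower bound blocks singleton groups; the upper bound blocks the
    complementary trick of asking for 'everyone except one person' and
    subtracting from a total. This control is a baseline, not a complete
    defence: combinations of overlapping queries can still narrow down an
    individual, which is why real systems add auditing and noise on top.
    """
    rows = query_set(sex, programme)
    if len(rows) < k or len(STUDENTS) - len(rows) < k:
        return None                             # refused
    return mean(r[4] for r in rows)


if __name__ == "__main__":
    print("naive   F/MIS:", average_grade_naive("F", "MIS"))     # Flora's grade, 81
    print("guarded F/MIS:", average_grade_guarded("F", "MIS"))   # None: refused
    print("guarded M/CS :", average_grade_guarded("M", "CS"))    # 58, group of three
```

The naive interface never returns a row, only averages, and still hands over Flora's grade because she is the only female MIS student; controlling access to the data was not the same as controlling access to the information. The guarded version refuses that query, and also the whole-population query, whose answer combined with an "everyone except Flora" query would give the same result by subtraction.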

Page 33

Assurance

Assurance is a measure of how well the system meets its requirements; more informally, how much you can trust the system to do what it is supposed to do. It does not say what the system is to do; rather, it only covers how well the system does it.

• Specification

– Requirements analysis - The specification can be high-level or low-level (for example, describing what the system as a whole is to do vs. what specific modules of code are to do).

– Statement of desired functionality

• Design

– How the system will meet the specification - An analyst also must show the design matches the specification.

• Implementation

– Programs/systems that carry out the design

Page 34

Case Studies


See Session Notes on the Class Website

Page 35

Management and Legal Issues

• Cost-Benefit Analysis

– Is it more cost-effective to prevent or recover?

• Risk Analysis

– Should we protect some information?

– How much should we protect this information?

• Laws and Customs

– Are desired security measures illegal?

– Will people adopt them?

Page 36

Management and Legal Issues

• Security does not end when the system is completed. Its operation affects security. A “secure” system can be breached by improper operation (for example, when accounts with no passwords are created). The question is how to assess the effect of operational issues on security.

• Cost-Benefit Analysis: this weighs the cost of protecting data and resources against the costs associated with losing the data. Among the considerations are the overlap of mechanisms’ effects (one mechanism may protect multiple services, so its cost is amortized), the non-technical aspects of the mechanism (will it be impossible to enforce?), and the ease of use (if a mechanism is too cumbersome, it may cost more to retrofit a decent user interface than the benefits would warrant).

Page 37

Management and Legal Issues

• Risk Analysis: what happens if the data and resources are compromised? This tells you what you need to protect and to what level. Cost-benefit analyses help determine the risk here, but there may be other metrics involved (such as customs).

• Laws and Customs: these constrain what you can do. Customs involve non-legislated things, like the use of urine specimens to determine identity. That is legal, at least in the US in some cases; but it would never be widely accepted as an alternative to a password.

Page 38

Human Factor Issues

• Organizational Problems

– Power and responsibility

– Financial benefits

• People problems

– Outsiders and insiders

– Social engineering

Page 39

Human Factor Issues

• Organizations: the key here is that those responsible for security have the power to enforce security. Otherwise there is confusion. This arises when system administrators, for example, are responsible for security, but only security officers can make the rules.

• Preventing this problem (power without responsibility, or vice versa) is tricky and requires capable management. What’s worse is that security is not a direct financial incentive for most companies because it doesn’t bring in revenue. It merely prevents the loss of revenue obtained from other sources.

Page 40

Human Factor Issues

• People problems are by far the main source of security problems. Outsiders are attackers from outside the organization; insiders are people who have authorized access to the system and, possibly, are authorized to access data and resources, but use the data or resources in unauthorized ways.

• It is speculated that insiders account for 80-90% of all security problems, but the studies generally do not disclose their methodology in detail, so it is hard to know how accurate they are.

Page 41

Key Points

• Policies define security, and mechanisms

enforce security

– Confidentiality

– Integrity

– Availability

• Importance of assurance

• The human factor
