1 / 69

Integrity and Security Control

Integrity and Security Control. Security Breaches. TORONTO, Nov. 9 /CNW/ -TELUS and the Rotman School of Management released their third annual study on Canadian IT security, revealing that Canadian companies experienced a 29 per cent increase in security breaches from 2009 to 2010.

beau
Download Presentation

Integrity and Security Control

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Integrity and Security Control

  2. Security Breaches TORONTO, Nov. 9 /CNW/ -TELUS and the Rotman School of Management released their third annual study on Canadian IT security, revealing that Canadian companies experienced a 29 per cent increase in security breaches from 2009 to 2010. The study also found that the annual cost of these security breaches dropped considerably from $834,000 to $179,508 during the same one-year period.

  3. Recent FBI Computer Security Institute survey • 85% of large companies and government agencies have detected computer breaches in past 12 months • 64% acknowledged financial losses • 35% quantified the losses totaled to $375 million

  4. Cost of Security Breach • The average large company loses $20,000 per hour during the first 72 hours of its response to a security breach • Leaky security costs companies 6%-7% of annual revenue • Loss of business, decreased customer confidence, increased insurance, expenditures of public relations

  5. Objectives of Integrity Controls • Ensure that only appropriate and correct business transactions occur • Ensure that transactions are recorded and processed correctly • Protect and safeguard assets of the organization • Software • Hardware • Information

  6. Information security • Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.

  7. The Importance of Security in e-Commerce • The Internet presents enormous business opportunities • The Internet is open to public, vulnerable to various of attacks • One of the major hurdles that we face in achieving the full potential of Internet-based electronic commerce is security • New threats from terrorism and cyber warfare

  8. Points of Security and Integrity Controls

  9. Input Integrity Controls • Used with all input mechanisms • Additional level of verification to help reduce input errors • Common control techniques • Field combination controls • Value limit controls • Completeness controls • Data validation controls

  10. Output Integrity Controls • Ensure output arrives at proper destination and is correct, accurate, complete, and current • Destination controls - output is channeled to correct people • Completeness, accuracy, and correctness controls • Appropriate information present in output

  11. Data Integrity Controls • Access controls • Data encryption • Transaction controls • Update controls • Backup and recovery protection

  12. Integrity Controls to Detect and Prevent Fraud • Control of fraud requires both manual procedures and computer integrity controls

  13. Designing Security Controls • Security controls protect assets of organization from all threats • External threats such as hackers, viruses, worms, and message overload attacks • Security control objectives • Maintain stable, functioning operating environment for users and application systems (24 x 7) • Protect information and transactions during transmission outside organization (public carriers)

  14. Access control

  15. Security for Access to Systems • Used to control access to any resource managed by operating system or network • User categories • Unauthorized user – no authorization to access • Registered user – authorized to access system • Privileged user – authorized to administrate system • Organized so that all resources can be accessed with same unique ID/password combination

  16. Users and Access Roles to Computer Systems

  17. Managing User Access • Most common technique is user ID / password • Authorization – Is user permitted to access? • Access control list – users with rights to access • Authentication – Is user who they claim to be?

  18. Computerized User Authentication Techniques • Password-based systems: something that you know • Physical tokens: something that you have • Biometrics: something that you are • Location: someplace you are • Reference: third party authentication

  19. Password problem • Has to be stored in file • May be intercepted • May forget • May easy to guess • May tell other people

  20. Physical Tokens • Access card, storage token, synchronous one-time password generator, challenge-response, digital signature token • Human-interface token, smart card, PCMCIA card • The token does not prove who you are • Token may be copied or forged • Token may be used with password

  21. Biometrics • An image of person’s face • Fingerprints • Footprints and walking style • Hand shape and size • Pattern of blood vessels in the retina • DNA patterns • Voice prints • Handwriting techniques • Typing characteristics

  22. LOOP WHORL ARCH DOT LAKE ISLAND BIFURCATION END Fingerprints MAIN SHAPES: MINUTIAE: EACH PERSON HAS A UNIQUE ARRANGEMENT OF MINUTIAE: SOURCE: C3i

  23. Fingerprint Capture ST-Micro TOUCHCHIP (Capacitative) Thompson-CSF FingerChip (Thermal-sensed swipe) DEMO1, DEMO2 American Biometric Company BioMouse (Optical) Biometric Partners Touchless Sensor

  24. Iris Scan • Human iris patterns encode ~3.4 bits per sq. mm • Can be stored in 512 bytes • Patterns do not change after 1 year of life • Patterns of identical twins are uncorrelated • Chance of duplication < 1 in 1078 • Identification speed: 2 sec. per 100,000 people PERSONAL IRIS IMAGER Companies: British Telecom, Iriscan, Sensar SOURCE: IRISCAN

  25. Signature Dynamics • Examines formation of signature, not final appearance • DSV (Dynamic signature verification) • Parameters • Total time • Sign changes in x-y velocities and accelerations • Pen-up time • Total path length • Sampling 100 times/second Companies: CyberSIgn, Quintet, PenOp, SoftPro SignPlus,

  26. Error in Biometric Systems VERY BAD BAD SOURCE: IDEX

  27. Problems with biometrics • A person’s biometric “print” must be on file before that person can be identified • Require expensive, special purpose equipment • Unprotected biometrics equipment is vulnerable to sabotage and fraud • Possibility of false match

  28. Transaction Security

  29. Transaction Security • Authentication: A user must be able to prove his identity to the other party. (“I am Joan Thomas and I live at...”) • Integrity: Each party must be comfortable that exchanged information wasn’t altered during transmission by a third party or corrupted by misfortune. (“I ordered three items not four...”) • Nonrepudiation: Each party must be assured that the counterparty won’t be able to deny being the originator or receiver of information. (“I didn’t order that item...”) • Confidentiality: Parties must be able to exchange information securely without it falling into the hands of a third party. (“My credit card number is...”)

  30. Protective measures • Sending and receiving encrypted messages or data, • Using digital certificates to authenticate the parties involved in the transaction, and • Virtual Private Networks

  31. Cryptography Cryptography is the practice and study of hiding information. • Encryption converting ordinary information (plain text) into unintelligible gibberish (cipher text) so unauthorized users cannot read it • Decryption Converting encrypted data back to its original state

  32. Cryptography techniques • Symmetric cryptosystems • Public-key cryptosystems • Integrity check-values (message digest) • Digital Certificate • Digital Signature

  33. Data Security • Symmetric key – same key encrypts and decrypts • Asymmetric key – a pair of different keys for encryption and decryption. • Public key • Private key

  34. Symmetric Cryptography

  35. Symmetric Cryptography • The same key is used for encryption and decryption • Operates as block cipher (fixed size) or stream cipher (arbitrary size, byte by byte) • Fast encryption and decryption • Require secure key distribution

  36. S P E C I A L T Y B D F G H J K M N O Q R U V W X Z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z C O N S U L T I N G D S R A V G H E R M EXAMPLE: Role of the Key in Cryptography • The key is a parameter to an encryption procedure • Procedure stays the same, but produces different results based on a given key Plain text Cipher text NOTE: THIS METHOD IS NOT USED IN ANY REAL CRYPTOGRAPHY SYSTEM. IT IS AN EXAMPLE INTENDED ONLY TO ILLUSTRATE THE USE OF KEYS.

  37. Public Key Cryptosystems • A pair of related keys:Private key (kept secret) Public key (publicly known)They are related but it is not feasible to determine the private key by knowing the public key • Two ways of use:Encryption mode: make sure a right person receives messageAuthentication mode: make sure message is from a right person • Solving key distribution problem

  38. Public-Key (Asymmetric) Encryption 3. SITE USES ITS PRIVATE KEY FOR DECRYPTION 2. SENDERS USE SITE’S PUBLIC KEY FOR ENCRYPTION 4. ONLY WEBSITE CAN DECRYPT THE CIPHERTEXT. NO ONE ELSE KNOWS HOW 1. USERS WANT TO SEND PLAINTEXT TO RECIPIENT WEBSITE SOURCE: STEIN, WEB SECURITY

  39. Digital Signatures and Certificates • Encryption of messages enables secure exchange of information between two entities with appropriate keys • Digital signature encrypts document with private key to verify document author • Digital certificate is institution’s name and public key that is encrypted and certified by third party • Certifying authority: VeriSign or Equifax

  40. Digital Certificate • CertificateA document containing a certified statement, especially as to the truth of something • Digital certificateInformation digitally signed by trusted certificate authority such as VeriSign

  41. Certification Authorizer • GlobalSign NV-SA. GlobalSign is the Leading European Trusted Network of Certification Authorities (CA) that, signs and manages digital certificates • Thawte Certification offers free personal certificates for signing and encrypting e-mail. Thawte is a global CA that has already certified 30% of the world’s Internet e-commerce servers.

  42. Public-key Certificate • Identify the holder of the private-key • A Certificate consists of • Subject Identification information • Subject public key value • Certification authority name • Certification authority’s digital signature

More Related