280 likes | 438 Views
Global Security and Security Design for e-commerce. 제조통합자동화 연구실 석사 1 년 강윤철. Contents. Introduction Global Security Solutions Integrating Security Design. Introduction. Insecurity rising Basics. Internet attacks double.
E N D
Global Security and Security Design for e-commerce 제조통합자동화 연구실석사 1년 강윤철 MAI Lab 2002
Contents • Introduction • Global Security Solutions • Integrating Security Design MAI Lab 2002
Introduction Insecurity rising Basics MAI Lab 2002
Internet attacks double The growth in the Web and availability of inexpensive computers has lead to more insecure computers and more curious hackers probing the Internet Source:http://news.cnet.com/news/0-1003-200-7532673.html?tag= mn_hd MAI Lab 2002
Spoofing / Sniffing / DoS / DDoS / Scanning • Spoofing - Authentication - IP Spoofing (‘1995 Kevin Mitnick) • Sniffing - 네트워크 상에서 패킷을 가로채는 방법 • DoS / DDoS - Sync flooding - Buffer Overflow - Logic Bomb - Nuke / Ping attack • Port Scanning - ftp:21, telnet:23, smtp:25, http:80, shell:514 … SYN SYN ACK ACK A B <3-way handshaking> MAI Lab 2002
Global Security Solutions Date: 2002-9-11 COEX Convention Grand Ballroom 104-105 MAI Lab 2002
사이버테러와 정보전 • 정보전이란? - 정보우위를 달성하기 위하여, 아군의 정보를 보호하고 적군의 정보를 공격하는 일체의 행위 • 정보전의 특징 - 저렴한 비용/익명성 가능/테러리스트들의 희생이 적음 - 즉각적이고 예기치 못한 행위 가능 • 정보전 방어의 형태 - Prevention, Deterrence, Indications and warnings, Detection, Emergency preparedness, Response MAI Lab 2002
15분의 전쟁 • “In the future, everybody will have 15 minutes of fame” - Andy Warhol • Code Red/Morris internet worm • Hyper-virulent active worms(“Warhol Worms”) • Morris Worm, 1988 • MIW, ADM Worm, 1999 • Ramen/Li0n/Carko/Sadmin/Red, 2001 • Code Red, Code Red II/III, Code Blue, 2001 • Nimda, Nimda.e, 2001 MAI Lab 2002
Nimda Worm (1/2) • Target system : MS Windows95, 98, ME, NT, 2000 • Super exploit은 아니지만… • 공격경로 - e-mail 첨부: Trojan Worm - 공유 파일을 통한 감염 - 감염된 webserver 접속을 통한 감염 - MS IIS 4.0/5.0 취약점을 통한 공격 - Code Red II와 sadmin/IIS 의해서 만들어진 백도어를 통한 공격 • 공격대상 - e-mail 첨부 - IP 선정 - 50%는 동일한 B class IP (처음두개의 octet이 같은 IP주소) - 25%는 동일한 A class IP (첫번째 octet이 같은 IP주소) - 25%는 랜덤한 IP MAI Lab 2002
Nimda Worm (2/2) 8:25 First infection report 8:29 Arrive at enterprise 8:30 Start the infection 8:32 File server infected 8:35 Mail server infected 8:37 Administrative fn. destroyed 8:45 Network down MAI Lab 2002
Change of IT manager’s attitude Before NIMDA After NIMDA Solutions has to work Better than competitor Live update of Virus pattern Quick expert response Trusted brand The best technology MAI Lab 2002
Other threats • Client/Kernel Backdoor • Social Engineering • Worm Virus • DDos Attacks, Malicious Agents • Cyber War Arms • Attacks to Security Products • What the hell is with Korea? MAI Lab 2002
프로세스 기반의 체계 Process 기반의 체계 Security is the process, not products “기술이 보안문제를 해결할 수 있다고 믿는 사람은 문제도 기술도 이해하지 못하고 있는 것이다” – Bruce Schneier 창>방패 ? Threats Vulnerability Safeguard MAI Lab 2002
정보보호기술 • History: CommSec, CompuSec, NetSec, InfoSec, IW, IA • Change: Security Assurance 암호기술 및 서비스중심에서 Availability를 중시하는 방향 • Definition: The protection of information against unauthorized disclosure, transfer, modification, or destruction whether accident or intentional Confidentiality , Integrity , Availability • Vulnerability Monitoring, Building It Secure, Security Awareness and Training, Avoiding Single Points of Failure, Risk Management, Incident handling, Obstacles MAI Lab 2002
End to End Solutions 1)Firewall, IDS와 같은 보안제품 외부침입차단, 탐지 시스템 ex> Cisco PIX Firewall, Secure IDS, Info Center 2)보안관제 시스템 24시간 원격 모니터링 & 기술 지원 - Network Availability Management - intrusion Detection and Response ex> Coconut 3)기업방역 전담 회사 Virus Life cycle에 따른 전사적, 자동적 방역체계 시스템 ex> TrendMicro - TMEPS 4)기업내부 요소보완 Intranet 에서의 보안 ex> Intel - IPSec 1),2),3) 인터넷, WAN 보완 • LAN 보완 MAI Lab 2002
접속제어 LAN 보완 WAN 보완 사용자 인터넷 라우터/방화벽 서버 모바일 사용자 MAI Lab 2002
Integrating Security Design “Integrating security design into the software development process for e-commerce systems” M.T chan,L.F. Kwok, City University of Hong Kong, Hong Kong Information Management &Computer Security,2001 MAI Lab 2002
Introduction • e-commerce systems are built on top of the WWW and Internet • WWW and Internet are well known for their exposure to security threats of various kinds • SDPSS (Software Development Process for Secured Systems) • UML (Unified Modeling Language) MAI Lab 2002
Security design and software development process • Different technologies and disciplines such as programming languages, Web servers, network topologies and design • WWW security FAQ ,2001 – how? • SSE-CMM (Systems Security Engineering – Capability Maturity Model) ,1999 - what? • TCSEC (Trusted Computer System Evaluation Criteria), 1985 • Quality attributes for security, 1995 MAI Lab 2002
SSE-CMM • Three major areas in Security Engineering EngineeringProcess RiskProcess AssuranceProcess MAI Lab 2002
Risk Process • Require assessment of four important entities: 1. Impact 2. Security risk 3. Threats 4. Vulnerabilities A security design pattern MAI Lab 2002
Engineering Process • In SDPSS, these five types of UML diagrams should be included as a standardized approach. use case, class, collaboration, component, deployment diagrams. • Step 1. Object and collaboration modeling 2. Tier identification 3. Component identification 4. Deployment specification • After step, - Make unstructured hyper-linked Web pages maintainable and tractable. - Provide a generic model so that security design will be meaningful and applicable - Architecture clear, precise definition of security perimeter - give flexibility to designers to perform trade-off in security design MAI Lab 2002
A use case diagram for a typical supply-chain system MAI Lab 2002
Collaboration diagram for the place order use case MAI Lab 2002
Assurance Process • All vulnerabilities, impacts, threats and risks could be continuously monitored and updated. Security is NotproductBut process • By separating the risk and the engineering process, any updated countermeasures can be easily implemented without intensive modification of the application system MAI Lab 2002
Conclusion • Proposed a software development process for e-commerce systems with security design integrated into it. • Three major process in the SSE-CMM • Using UML • Future work, large scale e-commerce systems MAI Lab 2002
Reference • Global Security Solutions Seminar, 2002.9.11,Coex grand ballroom 정보보호 기술 및 산업동향 – KAIST 임채호 교수 토탈 보안관리 –시스코 시스템즈 코리아 김창섭 차장 시스코 시큐리티 파트너:코코넛 이정훈 과장 차세대 기업 안티바이러스 전략 –한국 트렌드 마이크로 End-to-end 보안 솔루션 –인텔코리아 이호상 부장 • Integrating security design into the software development process for e-commerce systems,M.T.Chan,L.F. Kwok,City University Hong Kong, Hong Kong, Information Management & Computer Security 2001,112-122 • Hacking@Linux , A.H.C Team, 마이트Press,2000.8,130-156 MAI Lab 2002