1 / 37

Overview

Digital Certificates Securing Email Communication Nicholas Davis, IS Consultant/Admin DoIT Middleware. Overview. What are digital certificates? What can digital certificates be used for? How could digital certificates have been used avoid data theft at Ameritrade?

sashley
Download Presentation

Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Digital CertificatesSecuring Email CommunicationNicholas Davis, IS Consultant/Admin DoIT Middleware

  2. Overview What are digital certificates? What can digital certificates be used for? How could digital certificates have been used avoid data theft at Ameritrade? Other methods of authentication Social Engineering Summary & Discussion

  3. What is a Digital Certificate? A digital certificate can be thought of as an electronic passport It is used it to digitally sign email and documents It’s components can be used to encrypt email and attachments for end to end security. It can secure databases and other server data

  4. Public Key Cryptography

  5. Digital Certificates Functions • Authentication – Proof that you are who you claim to be • Encryption – encoding information in such a way as to make it unreadable • Non-repudiation – Inability to deny having sent specific information or having accessed a specific system • Data Integrity – Proof that the data has not been altered since it was originally sent

  6. Public Key Cryptography • A digital certificate is made up of two keys, a private key and a public key • Public key is used for encrypting and verifying a person’s digital signature • Private key is used for decrypting and digitally signing

  7. Digital Certificates Are For Machines Too • SSL – Secure Socket Layer • Protection of data in transit • Protection of data at rest • Where is the greater threat?

  8. Using a Digital Signature for Email Signing Provides proof that the email came from the purported sender (Authenticating the user) Provides proof that the contents of the email have not been altered from the Original form (Message Integrity)

  9. Why Is Authenticating the Sender So Important?

  10. What if This Happens at UW-Madison? Could cause harm in a critical situation Case Scenario Multiple hoax emails sent with Chancellor’s name and email. When real crisis arrives, people might not believe the warning. It is all about trust!

  11. Digital Signing Summary • Provides proof of the author • Testifies to message integrity • Valuable for both individual or mass email • Supported by Wiscmail Web client (used by 80% of students)

  12. What Encryption Does Encrypting data with a digital certificate secures It end to end. While in transit Across the network While sitting on email servers While in storage On your desktop computer On your laptop computer On a server

  13. Encryption Protects the Data Physical theft from office Physical theft from airport Virtual theft over the network

  14. Why Encryption is Important • Keeps private information private • HIPAA, FERPA, SOX, GLB • Proprietary research • Human Resource issues • Legal Issues • PR Issues

  15. Where is my Certificate Stored? • You digital certificate is stored either on your machine or on a cryptographic USB hardware device • Dual factor authentication

  16. What does it actually look like in practice? -Sending-

  17. What does it actually look like in practice (unlocking my private key)-receiving-

  18. What does it actually look like in practice?-receiving- (decrypted)

  19. Digitally signed and verified; Encrypted

  20. What does it actually look like in practice?-receiving- (intercepted)

  21. Benefits of Using Digital Certificates Provide global assurance of your identity, both internally and externally to the UW-Madison Provide assurance of message authenticity and data integrity Keeps private information private, end to end, while in transit and storage You don’t need to have a digital certificate To verify someone else’s digital signature Can be used for individual or generic mail accounts.

  22. Who Uses Digital Certificates at UW-Madison? DoIT UW Police and Security Office of the Registrar Office of Financial Aid Office of Admissions Primate Research Lab Medical School Others

  23. Who Uses Digital Certificates Besides UW-Madison? US Department of Defense US Department of Homeland Security All Western European countries Dartmouth College University of Texas at Austin Johnson & Johnson Raytheon Others

  24. The Telephone Analogy When the telephone was invented, it was hard to sell. It needed to reach critical Mass and then everyone wanted One.

  25. That All Sounds Great In Theory…..But • The world seems to get along just fine without digital certificates… • Oh, really? • Let’s talk about Ameritrade

  26. 1971, Ameritrade is founded • Provides securities brokerage services and technology-based financial services • 2006, TD Ameritrade reported more than 6.2 million accounts and average client trades of 216,970 per day. The company had $276 billion in client assets. • Summer, 2007, Ameritrade customers begin receiving stock pump and dump spam • September 14, 2007, Ameritrade states that it has found and removed “unauthorized code” from one of its databases. • What went wrong? How could it have been avoided? Are legacy systems to blame?

  27. Unauthorized code in database allowed names and mailing addresses to be harvested and used for spamming investment related email How did this code get there? Ameritrade claims that the investigation is ongoing and that they don’t have all the facts yet….You decide who is responsible.

  28. Are Usernames and Passwords to blame? • Why do we have usernames and passwords? • Authenticate and Authorize, control access rights • Why are usernames and passwords a bad idea? • Theft, sniffing, shoulder surfing, brute force attacks, concurrent usage, intentional sharing to thwart technical controls. • Would authenticating with digital certificates have helped?

  29. Digital Certificates vs. Passwords • Password = something you know • Digital Certificate = something you have • Digital Certificate on a hardware token = dual factor authentication

  30. Database Information • Storing data in the clear • Storing data in encrypted form • Both have their advantages • Could Ameritrade had benefited from using an encrypted database?

  31. Summary of Ameritrade Issue • Using a digital certificate for authentication would have provided additional assurance • Using a digital certificate to encrypt the data within the database • Dual tiered approach to data protection

  32. Other Authentication Technologies Proximity Based Authentication Biometrics One Time Password devices

  33. Proximity Based Authentication and Authorization • Usually radio-frequency responders • Base station recognizes token • Communicates with access-control system • Initiates automatic logon • Can have two-factor authentication • Immediate screen lock when user leaves

  34. One Time Password Devices • RSA SecurID • Addresses many username/password concerns • Time based • Event based • Only good for authentication

  35. Social Engineering Threats • If you insist on username/password, beware of: • Threatening behavior • Authoritarian behavior • Flattery

  36. The Importance of Maintaining a Trusted Network • Control who has access to your systems with dual factor authentication • Do daily data comparisons • Keep critical data encrypted when possible • Apply patches and updates • Look at the logs regularly

  37. Question and Answer Sessionndavis1@wisc.edu As you seek to find the truth, don’t forget to protect your information!

More Related