
Internet Security UTD EMBA March 30, 2001


Presentation Transcript


  1. iSecuritas, Inc. secure authenticated data exchange Internet Security UTD EMBA March 30, 2001

  2. Who were the first “hackers”? • MIT's Tech Model Railroad Club • PDP - 1 • 1961

  3. You know your co-worker is a hacker when... • Everyone who ticks him or her off gets a $26,000 phone bill • Has won the Publisher's Clearing House Sweepstakes three years running • Massive 401k contribution made in half-cent increments • You hear them murmur, "Let's see you use that VISA card now, Professor "I-Don't-Give-A's-To Any MBA Candidate!"

  4. How Secure is e-Business? • Security attacks cost U.S. corporations $266 million last year. That's more than double the average annual losses over the past three years. • Cyber-crimes being investigated by the FBI have more than doubled in the past year. • In 1999, the number soared to over 8,300 according to reports filed with the Computer Emergency Response Team, or CERT, at Carnegie Mellon University in Pittsburgh. • 90 percent of survey respondents (primarily large corporations and government agencies) detected some form of security breach last year. • 70 percent of respondents reported a serious security breach in the past year (i.e. financial fraud, denial of service attacks and data theft), according to a report recently released by the Computer Security Institute and the FBI Computer Intrusion Squad.

  5. Categories of Internet Security • Website Security • Email Security • Authentication

  6. All Systems are Breakable!

  7. Website Security • Prevent Unauthorized Access to Website • Manipulation of Website Information • Protection of Proprietary Data • Credit Card Numbers • Confidential Customer Data • Financial Information

  8. Website Security Website Security can be achieved by: • Firewalls • Software & System Architecture • Security Procedures

  9. In God We Trust…. All Others We Monitor

  10. Email Security Case Studies: • International Satellite Company • International Restaurant Company • Your Company?

  11. Email Security Email Security can be achieved with: • Encryption Software • PGP, RSA, etc. • ASP Based Secure Messaging • iSecuritas

  12. Authentication

  13. Authentication

  14. E-Sign Law New Law for E-Signatures • Electronic Signatures in Global and National Commerce Act • Effective October 1, 2000 • Nationwide Legality of Digital Signatures • Agnostic about Implementation of e-Signatures • Electronic Notarizations • Opportunity to marry e-commerce with official, regulated way for confirming identity • Reduces Fraud possible with Paper Based Notaries

  15. Authentication Problem – Identity Theft • Fastest Growing Financial Crime • Industry Standard – August 21, 2000 • Theft of: • Social Security Numbers • Drivers License Numbers • Mothers’ Maiden Names • $1 Billion Problem?

  16. Authentication Problem – Identity Theft Abraham Abdallah “a pudgy, convicted swindler and high school dropout”, NY Post March 20, 2001 Nyquist vs. E*Trade [Buckman, "Heavy Losses: The Rise and Collapse of a Day Trader," Wall Street Journal, Feb. 28, 2000]

  17. Authentication Solutions (?) • Credit Card Transactions • Digital Certificates • Authentication Services

  18. iSecuritas & MBE

  19. Example 1: A CA Needs to Issue a Legally Binding Certificate • 1) User requests certificate from CA’s web site. • 2) CA web site submits request to IS. • 3) IS sends e-mail to signer. • 4) Signer visits notary. • 5) Notary ID’s signer, fetches documents from IS, witnesses signing act. • 6) Notary D-signs documents and statements, then forwards to IS. • 7) IS applies 3rd party timestamp. • 8) IS notifies CA. • 9) CA fetches signed document(s) from IS. • 10) CA releases certificate and notifies user.

  20. Example 2: A Corporate Banker Needs a Notarized Signature • 1) Banker submits a signature request to his company’s mainframe. • 2) Mainframe submits request to IS. • 3) IS sends e-mail to signer. • 4) Signer visits notary. • 5) Notary ID’s signer, and fetches documents from IS. • 6) Notary D-signs documents and statements, then forwards to IS. • 7) IS applies 3rd party timestamp. • 8) IS notifies banker. • 9) Banker fetches signed document(s) from IS.

  21. Example 3: A Distributor Needs a Digital Signature on a PO • 1) User requests PO on distributor’s web site. • 2) Web site submits request to IS. • 3) IS sends e-mail to signer. • 4) User fetches PO. • 5) User fills out and D-Signs PO with notarized certificate, sends signed PO to IS. • 6) IS applies 3rd party timestamp. • 7) IS notifies Distributor. • 8) Distributor fetches signed PO from IS. • 9) Signed PO sent to account rep, billing, shipping, etc.

  22. Encrypting with X.509 • Bank wants to send Lawyer a secret message, but must do so on the public internet. • Lawyer gives Bank their certificate. Bank verifies the certificate with the CA. • Bank uses the public key (PUB) from Lawyer’s certificate, and a secret message to Lawyer, as input to an encryption engine, to produce what looks like gibberish: “eZ % gooRA! lURp PIP bub”. • But Lawyer uses the gibberish and their private key (PRIV) as input to a decryption engine to find out what Bank had to say.

  23. Signing with X.509 • Lawyer wants proof that Bank wrote the message. • Bank uses their gibberish (“eZ % gooRA! lURp PIP bub”) as input to a hash engine to produce a hash (“x3e$t^6hp”), and uses this hash and their private key (PRIV) as input to an encryption engine to produce an encrypted hash, the signature (“1ey&6^%p”), and adds the encrypted hash to their gibberish. • Lawyer uses the gibberish (not the hash) as input to a hash engine to produce a hash (“x3e$t^6hp”). • Then Lawyer takes Bank’s encrypted hash (“1ey&6^%p”) and Bank’s public key (PUB) as input to a decryption engine to produce a hash. • If both hashes match, then Lawyer knows that Bank signed the message.

  24. X.509 Receipt • Bank wants proof that Lawyer saw the message on the Internet; Lawyer must prove it. • Lawyer uses Bank’s message as input to a hash engine to produce a hash (“x3e$t^6hp”), and uses this hash and their private key (PRIV) as input to an encryption engine to produce an encrypted hash, the signature (“1ey&6^%p”). • Bank uses his original message as input to a hash engine to produce a hash (“x3e$t^6hp”). • Bank uses the signature (“1ey&6^%p”) and Lawyer’s public key (PUB) as input to a decryption engine to produce a hash. • If the hashes match, we have a valid signature.

  25. Obtaining an X.509 Certificate • Use a random number to generate HUGE prime numbers and then create a key pair (PUB, PRIV). • Encrypt the private key with a GOOD password that you have memorized (*********), and then store it away some place safe. • Use the public key and various bits of identifying data (Name, E-Mail Address, Etc.) to construct a certificate request, and send it to the Certificate Authority. • They will investigate your identity to varying degrees, create a certificate that includes a hash encrypted with their private key, and then send you a copy as well as making it a public record.
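The encrypt, sign, verify and receipt steps of slides 22 to 24 and the key pair and certificate request of slide 25, as an added example in Go that is not part of the original presentation or of any iSecuritas product. Bank and Lawyer are the slides’ roles; the message text, the name and the e-mail address are constructed, and the CA’s identity check and the 3rd party timestamp are left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// NewKey is slide 25's key pair: random primes, then PRIV (PUB is its PublicKey field).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// Encrypt is slide 22: recipient's PUB (from their certificate) + message -> "gibberish".
func Encrypt(recipientPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
}
// Decrypt is the recipient's side of slide 22: gibberish + their own PRIV.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Sign is slide 23 (and slide 24's receipt, when the receiver makes it):
// hash the message, then "encrypt" the hash with PRIV to get the signature.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// Verify recomputes the hash and checks it against the signature under the signer's PUB.
func Verify(signerPub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(signerPub, crypto.SHA256, h[:], sig) == nil
}

// CertificateRequest is slide 25's request to the CA: PUB + identifying data, signed with PRIV.
func CertificateRequest(priv *rsa.PrivateKey, name, email string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}, EmailAddresses: []string{email}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
}

func main() { // errors ignored for brevity; the functions above return them
	bank, _ := NewKey()
	lawyer, _ := NewKey()
	ct, _ := Encrypt(&lawyer.PublicKey, []byte("constructed secret message"))
	sig, _ := Sign(bank, ct) // slide 23 signs the gibberish, not the plaintext
	pt, _ := Decrypt(lawyer, ct)
	fmt.Printf("decrypted=%q bankSigned=%v\n", pt, Verify(&bank.PublicKey, ct, sig))
}
```

Verify fails both when the message is altered and when a different key made the signature, which is the slides’ “if both hashes match” check; a CSR made by CertificateRequest carries its own signature, so the CA can confirm the requester holds the private key before issuing.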
