Security attack
Security mechanism
Security service
Security Attacks
Normal flow, and the four categories of attack on it: Interruption, Interception, Modification, Fabrication
Active threats: Masquerade, Replay, Modification of message contents, Denial of service
Security Services
Confidentiality, Authentication, Integrity, Nonrepudiation, Access control, Availability
Authentication: confirms that the sender and the receiver are who they claim to be, and that the connection has not been interfered with in a way that lets a third party masquerade as one of them.
Integrity: ensures that messages are received as sent, with no modification, insertion, deletion or replay. Denial of service is a threat to availability rather than to integrity.
Nonrepudiation: prevents either the sender or the receiver from denying a transmitted message.
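The taxonomy above is easier to reason about when each active threat is paired with the service that detects it. The following is an added example, not part of the original slides: a sender appends a sequence number and an HMAC-SHA256 tag to each message, and a receiver uses the tag to catch modification and fabrication and the sequence number to catch replay. The shared key, the payloads and the 8-byte sequence header format are constructed for the illustration; interception (a passive attack) is deliberately left undetected to show that integrity and authentication do not give confidentiality.

```python
"""Added example: detecting the active threats on the page (modification,
fabrication, replay) with an integrity/authentication check on each message.
Key, payloads and framing are constructed for illustration."""
import hashlib
import hmac
import struct

KEY = b"constructed-shared-secret"  # assumed to be shared by the two principals

TAG_LEN = 32  # HMAC-SHA256 output length
SEQ_LEN = 8   # sequence number as unsigned 64-bit big-endian


def make_message(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: seq || payload || HMAC(key, seq || payload)."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: verifies the tag, then enforces strictly increasing seq."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, msg: bytes):
        """Return (accepted, reason, payload)."""
        if len(msg) < SEQ_LEN + TAG_LEN:
            return False, "truncated", None
        header, body, tag = msg[:SEQ_LEN], msg[SEQ_LEN:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # Constant-time compare: a wrong key (fabrication) or altered bytes
        # (modification) both fail here.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag (modification or fabrication)", None
        seq = struct.unpack(">Q", header)[0]
        # A genuine message re-sent by the opponent has a valid tag but an
        # old sequence number.
        if seq <= self.last_seq:
            return False, "replay", None
        self.last_seq = seq
        return True, "ok", body


def demo() -> dict:
    """Run each threat from the taxonomy against the receiver."""
    rx = Receiver(KEY)
    results = {}
    m1 = make_message(KEY, 1, b"pay 100 to alice")
    results["normal"] = rx.accept(m1)[1]
    # Modification: opponent changes the amount in transit, keeps the old tag.
    tampered = m1[:SEQ_LEN] + b"pay 900 to alice" + m1[-TAG_LEN:]
    results["modification"] = rx.accept(tampered)[1]
    # Fabrication: opponent builds a message without knowing the key.
    forged = make_message(b"guessed-key", 2, b"pay 100 to mallory")
    results["fabrication"] = rx.accept(forged)[1]
    # Replay: opponent re-sends the genuine first message.
    results["replay"] = rx.accept(m1)[1]
    # A later genuine message is still accepted.
    m2 = make_message(KEY, 2, b"pay 50 to bob")
    results["next"] = rx.accept(m2)[1]
    # Interception: nothing here hides the payload from a passive observer.
    results["interception_visible"] = m1[SEQ_LEN:-TAG_LEN]
    return results


if __name__ == "__main__":
    for threat, outcome in demo().items():
        print(f"{threat:22} -> {outcome!r}")
```

The sequence number makes replay detectable only because the receiver remembers the last one it accepted; a stateless receiver would need a challenge-response nonce instead. Masquerade is covered by the same tag check, since an opponent without the key cannot produce a valid tag for any sequence number.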
[Figure: model for network security. Two principals exchange a message over an information channel; each holds secret information; an opponent has access to the channel.]
Assets: data assets, paper documents, software assets, physical assets, services
Letting web content, e-mail and files into your network unquestioned invites trouble.
Use of unauthorized CDs and other storage devices can make your systems vulnerable.
Lack of a defined security policy or password policy, or weak passwords, can lead to a compromise.
Access retained by ex-employees can prove the most dangerous.
Natural disasters.
PREVENTION
DETECTION
REACTION
Let us now look at the most dangerous of them all: the insider.
Always remember that the principal threats to a company's information assets come from the inside.
Most system managers believed that the threat always came from outside, and therefore all security systems were preventive.
They are now starting to realize that people inside the organization are more dangerous.
SOME FACTS
The U.S. Chamber of Commerce reported that 75% of all employees steal from their employers, causing one third of all corporate bankruptcies. The FBI found that insider information theft accounts for 40% of all computer-related losses. It has also reported that insider information theft losses have increased on average by 49% annually for the past 5 years.
DANGEROUS INSIDERS?
Insiders have the means to access the information we protect so vigilantly from outside attackers. Insiders have the means to invisibly copy your information and communicate it to others. One in every three business closures is the direct result of employee theft. Hackers have never put a company out of business (though they cause damage), but insiders have shut businesses down.
THE IMPACT
Personal information warfare, public information warfare, corporate information warfare, government information warfare
Current Solutions
The best of technology
Firewalls, IDSs, anti-virus, encryption, content filters, automatic lockout, two-way authentication
Are we safe?
Look at the instances of fraud in spite of the controls.
Fraud in the finance/banking sector: many cases are not publicized, but they exist. Common thread:
An internal employee sells information for money. An internal employee sends source code to an unauthorized personal account.
3 biggest threats.
Character Weakness
Emotions/ Behavior
Reluctance to Change
Curiosity
Threats.
An attacker calls random employees in an organization. The following conversation takes place:
"I am calling from the CFO's office. I am your ERP consultant. We are implementing a new system to process your salaries starting from next month. We need your user name and password to integrate your salary processing with your user account."
Threats.
An external security consultant places six CD-ROMs in specific locations (rest room, conference room). Each CD-ROM is titled "2006 Financials and Lay Offs". Within a few hours each of these CD-ROMs has been picked up by employees, who run the CDs. Each CD carries a hidden script that records the IP address of the host machine.
All behavior is learned through the consequences that follow it. If the person likes the consequence, the behavior will be repeated; if the person does not like the consequence, the behavior is less likely to be repeated.
Objectives
Grant legal recognition to transactions carried out by electronic means; legal recognition of digital signatures; facilitate electronic filing of documents; electronic storage of data; legal sanction for fund transfers; legal recognition of bankers' books of accounts in electronic form; amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the RBI Act, 1934.
Scope
Use of asymmetric digital signatures; authentication of records using digital signatures; electronic governance; attribution, receipt and despatch of electronic records; certifying authorities and regulations; digital signature certification; cyber regulations; offences and their implications; network service providers' liabilities and exceptions.