INFORMATION SECURITY

IN THE

DIGITAL WORLD

NAME

Abstract

Information security is the process of detecting and preventing unauthorized users access to your network, computer, and ultimately your personal information. Information security is huge and many casual users do not even think about it, or if they do, only as an afterthought. This is one of the worst things that you can do in this day and age especially with the abundance of technology in our everyday lives. Everyone should care and be concerned about all levels of information security as a breach in security could mean financial ruin, personal embarrassment, stolen trade secrets, and much more.

Intruders come from a wide variety of places and could be someone as simple as your next door neighbor stealing wireless internet from you to Chinese agents stealing classified weapon system designs from the US government. With the complexities of software these days there will always be vulnerabilities to expose and utilize which is why every user needs to stay on top of their own security. This typically means applying the latest operating system and software patches, maintaining a firewall and up to date virus scanning software, being intelligent about where you web surf and what you click on, and just being as smart in the digital world as you are in the physical world.

This paper will cover some of the types of network attacks that are out there as well as various computer security threats that may be encountered as well as various preventative measures that can be utilized to minimize your exposure to attack. Primarily the paper will be based on small office and home networks but much of the information discussed will apply to any size network.

The number one rule when it comes to information security is that the human is the first point of weakness You can have the most secure network, computer, or system and all it takes it for one person to fall victim to a social engineering attack to compromise everything. Granger (2006, Top five hacking moments on film section, para. 3) notes that, “by merely trying to prevent infiltration on a technical level and ignoring the physical-social level, we are leaving ourselves wide open to attack.” Hollows (2005, Monitoring and Vulnerability Management section, para. 2) goes on to say, “Many security systems and technologies have been deployed to prevent intruders from accessing high value systems, [however]… an organization simply cannot patch against social engineering.” Social engineering as defined by Pestana (2010, Social Engineering and Computer Security, pg. 4) describes that, “all tactics have the same aim and use the same techniques” and, “the goal is to manipulate victims through a “bug” in the human hardware. They all create scenarios that are designed to persuade victims to release information or perform an action.”

One of the major hurdles with e-commerce growth is security and the consumers concern of putting their personal information out there to the “great beyond” that is the internet. This is especially true with the rapid increase in identity thefts as of late. Identity theft, as defined by WordNet Search (Princeton, 2010), is, “The co-option of another person's personal information (e.g., name, Social Security number, credit card number, passport) without that person's knowledge and the fraudulent use of such knowledge).”

Thankfully security and protection of consumers’ personal information is now a primary focus of any successful e-commerce business. Without either any business would quickly lose any form of credibility and consumers would look elsewhere to make their purchases as the word spread of a sites poor security and flakey personal protection. The basic principles of customer protection as defined by the E-Commerce Digest (2010) are:

• Privacy: Information must be kept from unauthorized parties.

• Integrity: Message must not be altered or tampered with.

• Authentication: Sender and recipient must prove their identities to each other.

• Non-repudiation: Proof is needed that the message was indeed received.

Privacy is handled by encryption. There are various methods of encryption in use today. Public key infrastructure (PKI) is quite common and consists of a public key which encrypts the message and a private key which decrypts the message. Everyone has access to the public key but only the recipient has the private key. To prove the identity of the sender the encrypted message is encrypted again with the private key which is the basis of RSA and Pretty Good Privacy (PGP). As described by Wikipedia (2010):

In cryptography, RSA (which stands for Rivest, Shamir and Adleman who first publicly described it) is an algorithm for public-key cryptography.[1] It is the first algorithm known to be suitable for signing as well as encryption, and was one of the first great advances in public key cryptography. RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.

[pic]

Figure 6

PKI is not a great way to encrypt and send large amounts of data and therefore is typically used as a first step. This first step encryption allows two parties to select a key for symmetric secret key encryption. The two groups use keys that have been generated for the message to be sent by a key distribution center. The keys are not the same but are shared between the distribution center which enables the message to be read. The symmetric keys are encrypted in the RSA method.

To meet the need for authentication and integrity are digital signatures and certificates. As detailed in the E-Commerce Digest (2010) the process is described as;

A plain text message is run through a hash function and so given a value: the message digest. This digest, the hash function and the plain text encrypted with the recipient's public key is sent to the recipient. The recipient decodes the message with their private key, and runs the message through the supplied hash function to that the message digest value remains unchanged (message has not been tampered with). Very often, the message is also time stamped by a third party agency, which provides non-repudiation.

[pic]

Figure 7

Authentication is provided with a third party by checking the digital certificate. This document is issued by a certificate authority such as VeriSign that identifies each merchant from one another and lets you know that the site that you are on is the real deal.

Secure Socket Layers (SSL) also plays a very important role in providing you with security and ensuring authentication. To verify that a secure session is taking place is typically indicated by a key icon located at the bottom of the web browser being used as well as the address bar displaying HTTPS before the web link. SSL sits between the transport protocol and the application and provides what is known as Transport Layer Security (TLS).

SSL is comprised of multiple steps. The first step is fragmentation in which each upper-layer message is fragmented into blocks of 16384 bytes or less followed by optional compression. Next a message authentication code is computed in which a shared secret key is used. A hash code is calculated with a message, a secret key, and some padding and the receiver does the same calculation and compares the incoming MAC value with the value that it just computed. If the values match then no alteration of the message happened in transit and if they do not match then an attached altered the message or an error had occurred and data was lost. After this step the compressed message plus the MAC are encrypted using symmetric encryption and a header is added.

[pic]

Figure 8

The handshaking protocol portion of SSL is considered the most complex. This protocol allows the server and client to authenticate one another and negotiate an encryption and MAC algorithm and crypto keys to be used to protect data sent in an SSL record. Stallings (1998) provides a nice easy to read chart on how the SSL handshake protocol works:

Figure 9

With SSL the consumer can feel confident that their credit card and other personal information will be transmitted safely from their internet device to the e-commerce business that their purchase was performed at. The next logical step in security actually takes place at the web server where the consumers data is now being stored which itself is vulnerable to attack from outside forces, such as hackers, intent on gaining access to this valuable information for their own personal gain and fortune. A way to minimize the merchants’ actual involvement in holding this personal information was developed called Secure Electronic Transaction (SET). This method was developed by Visa and MasterCard and uses PKI for privacy and digital certificates to authenticate the merchant, consumer and bank. SET does not make it possible for sensitive information to be seen by the merchant nor is anything stored by them on their own servers.

References

Granger, Sarah. (2006). Social Engineering Reloaded. Security Focus. Retrieved April
3, 2006 from http://www.securityfocus.com/print/infocus/1860

Hollows, Phil. (2005). Hackers are Real-Time. Are You? Sarbanes-Oxley Compliance
Journal. Retrieved April 3, 2006 from http://www.sox.com/Feature/detail.cfm?ArticleID=623