
UNIT 9

Emerging Issues in IT Security

Trustworthy Computing
It is important for businesses to provide their customers with a trustworthy
environment
Trustworthy environment- customers feel safe to transact business
Creating a trustworthy computing environment is not a one-time activity;
it is a continuous activity
Businesses can take maximum advantage of computing devices and related
information systems only when they are dependable and trustworthy
Trustworthy Computing Framework
Trustworthy computing- term coined by Microsoft in its attempt to
enhance computer security and reliability to the same levels as modern
telephones
Environment in which computer systems, software, and information
resources are insulated from unintentional and intentional
unauthorized access, manipulation and destruction.
The trustworthy environment created for an e-commerce transaction requires
integration of systems, engineering, policy, procedures and processes and
attitudes of the users of the systems
Requirements for integration
Reliable computer systems
Software considerations
No loopholes which could be exploited
Conformity to the policies laid down by the business
Objective of Trustworthy Computing
Security- viruses and other malicious codes will not enter the customer's
system via the business system; no unauthorized access
Privacy- personal information that the business collects on behalf of the
customer will not be disclosed to an unauthorized third party
Reliability- customer does not have to worry about whether it will work
properly with the existing applications
Business integrity- service provider responds rapidly and effectively to
queries from the customers
Resources for Trustworthy Computing
Secure by design- secure design architecture could use encryption for
sensitive data
Secure by default- securing the software with appropriate security measures
and disabling the vulnerable models or parts of the software before shipping
Secure by deployment- security updates could be installed automatically
after every new release or after a specified period of time
Privacy- giving customers and users appropriate notices about how their
personal information would be collected, used, disseminated, and destroyed
Availability- maximizing mean time between failures, by communicating
performance objectives, policies, and standards for system availability
throughout the organization
Manageability- computer systems are designed to manage themselves
Accuracy- design of systems should include measures such as RAID
to minimize data loss or corruption
Usability- software applications must be user-friendly and appropriate help
should be available
Responsiveness- this deals with the commitment by senior management to
the principle that credibility, availability, reliability, and security take
precedence over any other process
Transparency- transparency and integrity of the business transactions are
maintained at all costs
Execution of Trustworthy Computing
Execution reflects the way an organization carries out its business operations
in order to deliver the building blocks of trustworthy computing
Three constituents of execution

Intents- organizational policies and procedures that provide the
specifications for design, implementation, and support of the computer
and information resources
Implementation- process that realizes the intents
Evidence- means for verification of whether the implementation has
delivered the desired results
Radio Frequency Identification (RFID)
Comprises transponders (aka tags), readers and application systems for
further processing of the acquired data
Operate on low, high, or ultra-high frequencies
Two varieties of tags
Passive- do not have an onboard power supply and have limited
memory
Active- support onboard memory and are capable of storing several
MB of information
How RFID Systems Work
A typical RFID system consists of a tag, a reader and an application host
that not only governs the systems but also acquires information from the tags
and processes it
RFID tag- consists of a microchip or memory, capacitors, and an antenna
coil
Holds a unique identifier in its memory (electronic product code)
Reader- can be fixed as well as mobile
Two principles
Inductive coupling- the reader's antenna coil generates a magnetic
field and induces voltage in the coil of the tag
Using amplitude shift keying (ASK) method, data is
transferred from the reader to the tag
Works below 30MHz frequency

Backscatter coupling- the tag receives energy from the
electromagnetic field that is emitted by the reader
Data is transferred to a reader through reflection of modulated
power by the transponder
Used with frequencies in excess of 100MHz
In a typical supply chain environment, each item might be fitted with an RFID
tag
Unique EPC for each item could be electronically programmed
Tags attached to each item are read by an antenna which passes the EPC
information to the middleware or a savant
Savant- acts as a buffer between the reader and other organizational
information systems
Remains connected to the readers and behaves as a router of the RFID
network
Primary functions- data smoothing, data forwarding, data storage
EPC is the only information stored on the tag
Data exclusive to the item could be stored on a server located on a
connected local area network or on the Internet
Access to this information is made possible by an application of the concept
of domain name system (DNS). The EPC stored in the savant is interpreted
into a unique address of an object naming service (ONS), which points to a
physical mark up language (PML) server
Security of RFID Systems
Confidentiality- most of the tags do not have an access control mechanism;
communication between the reader and tag could be intercepted in the
immediate vicinity
Integrity- there is no way of preserving the integrity of the data being
transmitted; in the absence of control, it is also easy to manipulate the tag
memory
Availability- frequency jamming devices could be used to disturb the
frequency of the RFID system
Authenticity- unique identifier of the tag could be spoofed or manipulated

Anonymity- not difficult to read a tag carried by a consumer on an item that
they purchased
Security Safeguards for RFID Systems
Access control and authentication
Destroying the tag after use
Data-at-Rest Encryption Appliance Technology
Several ways of gaining access to Windows OS
No provision in NTFS permissions that could restrict an administrator from
accessing the file
A hacker who gains access to the OS can easily use the system
administrator account to manipulate information
Permission checking could be bypassed by booting the server to a
different OS to get around any access control that might be in place.
Windows provides an encrypted file system (EFS), which is capable of
encrypting the file based on the user's password
It is important to keep two facts in consideration
Encryption cannot and does not restrict anyone from deleting the file
Encryption cannot provide protection against changes to the file
contents; however, it can tell whether changes have been made
Encryption is done at two levels
Data in motion encryption
Carried out on the data in motion
Data at rest encryption
Carried out on the data that resides in the corporate databases
Data in motion encryption
Way of safeguarding data when it is in motion; that is, when it is being
transmitted from the client to the server on a network, or when it is being
transmitted from the server to a client

Does not necessarily have to be a LAN; it could be a wireless network or even


the Internet, SSL, TLS and IPSEC
Implemented at the session level
Network layer higher than the encryption of the protocol
Data at rest encryption
Safeguards data that is at rest, whereby it helps in encrypting information
that resides in corporate databases
Extremely important as most attacks are aimed at the databases, where data
resides for long periods
Data at rest can be encrypted at several levels
Encrypting the entire database also introduces certain limitations, such as:
Performance problems- hampers speed and efficiency
Different encryption keys- same data used by different
departments
Unauthorized access- file level encryption protects information at
the OS level
A more efficient way of encrypting data is to encrypt sections of a database
Enhancing performance by encrypting the sensitive information only
(e.g. credit card numbers)
Restricts the system administrator from accessing the database (e.g.
user's password)
Quantum encryption
Stephen Wiesner proposed and coined the term conjugate coding
Quantum encryption applies the laws of quantum physics to improve
modern cryptographic techniques
Bell Labs developed techniques for quickly cracking seemingly secure
encryption codes using quantum encryption
Confidentiality of data transmission- main reason for an investment in
quantum security

Quantum encryption relies on techniques that keep data secret through the
application of the laws of physics. This solves the key distribution problem
How it works:
Quantum cryptography uses the physical phenomenon of light called
polarization
Polarization occurs when light waves are passed through a
polarized filter, which allows only light waves with the same orientation
as the filter to pass
Photon detector identifies information about the polarization of the
photons
Polarization states can therefore be used to encode data as zeros and
ones
Qubit- single quantum information
Bases- pairs of perpendicular polarization states
Quantum key distribution can be achieved by sending a string of
photons that have random polarizations, which are converted to a
series of binary numbers
If this string of numbers representing the encryption key is intercepted
by an eavesdropper, this is detected by the sender and the receiver.
The key is discarded and a new one is requested until a key that has
not been intercepted is received
Principle of quantum encryption does not operate on securing the
message as it is transmitted but on the retrospective realization of
whether it has been tampered with along the way
Quantum encryption is not suitable for keeping the message secret but
for transmitting the encryption keys that could then be used with
traditional encryption schemes to protect the message itself
Quantum encryption protocols:
BB84 protocol- most popular version of quantum encryption
protocols, developed by Bennett and Brassard
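Added example (not part of the original notes): a small Python simulation of the key exchange described above, showing why an interception is detected by the sender and the receiver. It assumes an ideal noise-free channel, an eavesdropper who measures and re-sends every photon, and a 10% error threshold; all function and parameter names are illustrative.

```python
import random

BASES = "+x"  # two bases, each a pair of perpendicular polarization states

def measure(bit, prep_basis, meas_basis, rng):
    """A photon read in its preparation basis yields its bit; in the other
    basis the outcome is random (the original state is disturbed)."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def bb84(n_photons, eavesdrop, seed, max_error_rate=0.10):
    """Simulate one key exchange; returns acceptance, error rate and both keys."""
    rng = random.Random(seed)  # seeded only so the demo is repeatable
    a_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    a_bases = [rng.choice(BASES) for _ in range(n_photons)]
    b_bases = [rng.choice(BASES) for _ in range(n_photons)]
    b_bits = []
    for bit, sent_basis, b_basis in zip(a_bits, a_bases, b_bases):
        if eavesdrop:
            # Intercept-resend: the eavesdropper must guess a basis, measure,
            # and forward a new photon prepared in the guessed basis.
            e_basis = rng.choice(BASES)
            bit = measure(bit, sent_basis, e_basis, rng)
            sent_basis = e_basis
        b_bits.append(measure(bit, sent_basis, b_basis, rng))
    # Sifting: bases (never bits) are compared in public; mismatches are dropped.
    sifted = [i for i in range(n_photons) if a_bases[i] == b_bases[i]]
    if len(sifted) < 2:
        raise ValueError("too few photons to sift a key")
    # Half of the sifted bits are revealed to estimate the error rate.
    sample = set(rng.sample(sifted, len(sifted) // 2))
    errors = sum(a_bits[i] != b_bits[i] for i in sample)
    error_rate = errors / len(sample)
    accepted = error_rate <= max_error_rate
    keep = [i for i in sifted if i not in sample] if accepted else []
    return {
        "accepted": accepted,
        "error_rate": error_rate,
        "sender_key": [a_bits[i] for i in keep],
        "receiver_key": [b_bits[i] for i in keep],
    }

if __name__ == "__main__":
    for eve in (False, True):
        result = bb84(2000, eavesdrop=eve, seed=7)
        print(f"eavesdropper={eve} accepted={result['accepted']} "
              f"error_rate={result['error_rate']:.3f} "
              f"key_bits={len(result['sender_key'])}")
```

On the clean channel the compared bits agree and the remaining bits form the key; with the eavesdropper about a quarter of the compared bits disagree, so the key is discarded and a new exchange is needed.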
Privacy on the Internet
Businesses around the globe now have the capacity to reach the remotest parts
of the world without needing a physical presence there

Information and communication technology, especially the internet, is at the
core of these political, economic, and social transformations

The internet is unregulated, and the laws and legislation of any one country
do not apply to internet activities that originate in a different country

The cyber public needs to be extra careful about giving away personal
information, as there is always a chance of its being misused

Ways in which privacy could be infringed on the internet:


Cookies
Surfing history
Information gathered by agencies
Freeware software
Electronic commerce
Email
Spam
Chatrooms
Cookies
Contain information that a website sends to a browser of a user when
the user accesses information from that website
These cookies reside on the user's computer, and each time the user
accesses the same website, the cookies pertaining to that website are
updated
Businesses use these cookies to profile customers who visit their
website as well as for other marketing purposes
Cookies themselves do not pose any harm to the individual, but they can
be used by a hacker to profile the buying trends and habits of the
customer
What can the user do?
Turn the status of the cookie file to Read only, which means that
cookies last only for the time that the browser is active
Delete the cookies when the browser is shut down

Surfing history
HyperText Transfer Protocol (HTTP) has certain provisions that
allow for tracking the surfing history
Other information that could be sent through the HTTP are email
address and the last website visited
Information gathered by agencies
Many agencies such as universities, businesses such as telephone
services and government departments sometimes publish collected
information on their websites. This is done in order to provide their
users with an option for online searching
This information is gathered by different website companies, which sell
it to businesses and other agencies. This information could be used to
create a rough profile of a person
What can the user do?
Be cautious about providing information that could be published
on the internet
Freeware software
Some of the free software available on the internet might contain spy
programs (spyware) that relay usage data to the originator of the
software
This is extremely dangerous, as free software might also contain
viruses or malicious codes
Electronic Commerce
It provides a lucrative option to hackers in the shape of credit card
numbers
Although most businesses use Secure Sockets and other security measures
when data is transferred, there is no particular foolproof
security mechanism when data is stored in databases
In some instances, data from websites has been hacked
What can the user do?
Ensure that the business is genuine and has appropriate security
mechanisms in place
Email
It bears a lot of information about a person
Can help determine the person's name, and where he works (e.g.
.gov, .org, .edu, .net, .au, .uk)
Moreover, in most organizations, the email ID is also the user ID for
logging on to the organization's computers, which provides potential
hackers with a starting point for hacking the system
Spamming
Sending junk emails
It starts when people give out their email addresses at websites where
they buy something or register online
Different companies and Internet Service Providers keep track of these
addresses, and sell them to businesses that operate on the internet
Chatrooms
In a chat room it is easy to get carried away and start thinking that the
other person is really who they say they are
In such circumstances people might give out personal details such as
their address, real name or phone number
Information Security and Civil Liberties in Cyberspace
Controlling the flow of information on the internet is extremely difficult, if not
impossible
There is much more information available in electronic form on which we rely
and believe to be what it appears to be, for example Internet-based news
sources, business and academic documents and images, most of which has
its own intention and purpose
The internet on one hand fosters critical thinking and on the other hand could
also prove to be a tool for cultural and cognitive invasion
The availability of information in the cyberspace can be likened to an almost
limitless library where anyone can upload information for the public to read

A distinguishing feature of the information society is the abundance of
information that is changing human activities and human relations
The internet provides information on almost every aspect of life, however,
having an abundance of information does not necessarily mean that people
become informed; the real value produced by the information provider
comes in locating and communicating what is going to be beneficial to the
society.
The authenticity, reliability, and validity of Internet-based information are
more important than just access to information
Information generally has bias; therefore authenticity is not limited to
verifying authorship and attributes of a document. It includes such attributes
as completeness, accuracy, trustworthiness, correctness, validity, integrity,
faithfulness, originality, meaningfulness, and suitability for an intended
purpose
Two cultures in evaluating information (Hall, 1989):
Low-context cultures- people from these backgrounds look for depth
and detail of information and like to receive important information in a
simple and uncomplicated way
High-context cultures- people from these cultures are concerned
about the source of the information, the status or position of the
information source and the method chosen to deliver the message
Authenticity
Search engines on the internet assist users in finding information but
also contribute towards pluralism or multiplicity
Although the internet facilitates critical thinking skills, it also points in
another direction: that there is no ultimate truth available on the
internet; therefore, the authenticity of information is subject to doubt
if it is taken in isolation from the environment in which the information
originated
The characteristics of openness and decentralization are essential to the
Internet, as they provide it with its fuel; that is, information.
Consequently, the system is bound to accept different kinds and levels
of information for its operation and growth, and inevitably there will be
information that could be termed as unauthentic, manipulated and
unqualified.
Role of institutions in establishing authenticity on the internet

The internet and its apparatus function as a global unit, and any
national government attempting to control information on the internet
cannot succeed
The solution to the issue of authenticity of information in cyberspace
lies in cooperation between communities, nations, commercial and
non-commercial organizations and supranational organizations
There needs to be a global convention for internet content, to which
every country needs to conform
