Systeemanalyse in Ontwerpprojecten
Download
Report
Transcript Systeemanalyse in Ontwerpprojecten
Security and Technology (WM0823TU)
Lecture 5-6: Information and ICT Security,
threats, cybercrime risks and
how to deal with them
Jan van den Berg
July 17, 2015
1
Faculty
Vermelding
of Technology,
onderdeel organisatie
Policy and Management
Course overview (still provisional…)
Week #
Date
Subjects
Lecturer
35 (1)
Tuesday August 31
introduction: the risk society and the goals of the security &
technology course
JvdB
36 (2)
Monday September 6
refresh first lecture;
financial risks: dealing with market risk: Assignment 1
JvdB
36 (3)
Wednesday September 8
financial risks cont.: dealing with credit risk, operational risk, …
JvdB
37 (4)
Monday September 13
risk analysis of the infrastructure Internet, an analysis
framework: Assignment 2
JvdB
37 (5)
Wednesday September 15
information security: an introduction
JvdB
38 (6)
Monday September 20
information security: threats, cybercrime, and how to deal
deal with them: Assignment 3
JvdB
38 (7)
Wednesday September 22
a topic from safety science
Ben Ale
39 (8)
Monday September 27
information quality in public safety networks
NB
39 (9)
Wednesday September 29
securing the supply chain: some case studies
JvdB/YT??
40 (10)
Monday October 4
calculation techniques for risk analysis in river- and coastal
engineering
PvG
40 (11)
Wednesday October 6
reliability of software, human factors, and their lessons for the
management of the Maeslant storm surge barrier
JvdB
41 (12)
Monday October 11
wrap-up, preparation for the final examination
JvdB
July 17, 2015
2
Motivation: role of ICT in our society
• ICT is an enabling technology for data /information provision:
delivery of the right data and information at the right place, at
the right time, to the right person (e.g., in finance, supply chain
security, dealing with crises, public safety, …) information
security (the term ‘information safety’ is not in use)
• Certain ICT-facilities, including the Internet, can be considered
as a critical infrastructure, the security and safety of which
should be conserved Internet security
• ICT is of importance for individuals and for society as a whole:
in economics, information is sometimes even termed the 4th
production factor (ex.: news steers stock price dynamics!)
• Summarizing, there is a need for information and ICT security
management (including the Internet)
July 17, 2015
3
Agenda
• Background and Conceptualization
• Information Security
• ICT Security
• Intentional threats = Hacking attacks: how does it work?
• Other cybercrime threats
• Dealing with the threats
• Information Security Measures & Management
• Internet Security Measures & Management
• Assignment of the week
• References
July 17, 2015
4
Information Security defined
• Most common definition: Information Security = Computer
Security = ICT Security (this is different from SRMBok book!!)
• Information Security (IS) is about the safety & security
features/requirements/values (CIAA)
• Confidentiality (access to information for authorized entities/identities
only)
• Integrity (safeguarding accuracy and completeness of information
and processing methods)
• Availability (ensuring access to data and information when required)
• Accountability (ensuring that each action is linked unambiguously to
its initiator) (accountable = verantwoordelijk)
• Note: this a very technical perspective: content/meaning of
information are not considered! issues like correctness of
source data, their effectiveness, human privacy, etc. are outside
the scope of IS.
July 17, 2015
5
Information Security defined,
SRMBoK
Section 7.5: ICT security
•
•
7.5.5 focuses on ICT security defined in terms of the preservation of
CIA (like the BS7799 and its followers)
7.5.6 discusses some basic threats
Section 7.6: Information security
•
•
•
•
7.6.1 focuses on Information security defined in terms of the
preservation of CIA and, in addition, utility or usefulness, authenticity
or non-repudation (= accountability), and control or possession
7.6.2 discusses the information lifecycle:
7.6.3 discusses some vulnerabilities
7.6.4 discusses classification of
information, also important in non-ICT world
July 17, 2015
6
7.6.4 Information Classification
• Information should be classified in a certain way such
that people are only authorized to access (read, write
and execute) certain data, information and programs
• Big organizations often apply role-based access control
where rights are linked to the different roles people do
have: a hard problem to keep it simple (why?)
• In governments and military organzations, a
hierarchical model like Bell-La Padula model is often
applied with strict read and write rules in a hierarchical
setting of document flows: ‘no read-up’ and ‘no write
down’ are two basic principles (can you explain them?).
July 17, 2015
7
7.6.5 Intellectual Property Rights
• Intellectual property is a term referring to a
number of distinct types of creations of the mind for
which property rights are recognised—and the
corresponding fields of law.
• Under intellectual property law, owners are granted
certain exclusive rights to a variety of intangible
assets, such as musical, literary, and artistic works;
discoveries and inventions; and words, phrases,
symbols, and designs.
• Common types of intellectual property include
copyrights, trademarks, patents, industrial design
rights and trade secrets in some jurisdictions.
July 17, 2015
8
Information Security: why and how?
• Why information security? (as part of Business Continuity)
• To prevent/reduce/minimize damage to the
‘business’~minimize expected losses: often hard to quantify!
• To be compliant: SOX, Basel II, Tabaksblat,…
• Solution: What can we do?
• Physical/Logical (20%), and Organizational measures (80%)
of preventative, corrective and repressive character
at a strategic, tactic and operational level
• Implementation of ISM: how to do it in practice?
• Using Best Practices like ISO-17799, ITIL, COBIT, SPRINT, …
(not available for free: BS7799 is on BB!) which include all
above-given types of measures…
July 17, 2015
9
Framework of Thinking: repetition
• Information Security (IS) is about the four generic
safety & security features/requirements/values (CIAA)
• Confidentiality (access to information for authorized
entities/identities only)
• Integrity (safeguarding accuracy and completeness
of information and processing methods)
• Availability (ensuring access to data and
information when required)
• Accountability (ensuring that each action is linked
unambiguously to its initiator)
July 17, 2015
10
Framework of Thinking, cont.
• Security Services (SSs) are functions that enhance the security
requirements of an information system (i.e., the probability that
an IS is in a secure state)
• Example SSs are identification, authentication, authorization,
(role-based) access control, certification, digitally signing, time
stamping, non-repudiation, data hiding, availability enhancement
• A threat is a potential violation of information security which, by
exploitation of vulnerabilities, may result into security incidents
• Intentional actions that could violate IS are often termed attacks
• Initiators of attacks are termed attackers, crackers, script-kiddies,
white hats, black hats, … see further below
July 17, 2015
11
Security requirements and some
security services for enabling secure
communication
July 17, 2015
12
Framework of Thinking, cont.
• A security mechanism or control (preventive, detective or
corrective) is a measure/method/tool or procedure for
implementing a security service
• Examples are login software, encryption/decryption tools,
segregation of duties, defining a security policy, incident
management procedures, identification of risks from a third party,
user training, physical entry controls, backing-up of data, clear
desk/screen policy, controls against malicious software, user
registration, forcing correct use of passwords, intrusion detection,
system recovery procedures
• Security is only as strong as the weakest link in the chain, so
security is a matter of degree: there is no 100% secure system!
July 17, 2015
13
Example: implementing access control
•
Security service Access Control at a computer system, banking
system, public transport system, etc. is built up from several
other security services
1.
Identification using user id (implemented by security mechanisms
like a login name, email address, banking or other pass), usually
not secrete
2.
3.
•
Authentication: implemented by security mechanisms like ‘what
you know’ (e.g., password), AND/OR ‘what you have’ (e.g.,
chipcard, banking pass, digipass), AND/OR ‘what you are’
(fingerprint, iris scan, DNA-string), AND/OR ‘where you are’…
Authorisation: giving the authenticated user (possibly, in a specific
role) access to system services based on a security mechanism like
a (possibly role-based) ‘authorization matrix’
Other example will follow below (in section “dealing with the
threats”)
ICT as infrastructure: from Internet
to WWW and Semantic Web
• ARPA network: network with basic communication functionality
(like TCP/IP) in the ’60ies of previous century
• 1991: Tim-Berners Lee at CERN (Geneve) has the idea of
connecting information sources using links (defined by URLs); this
results into the World Wide Web
• Business/government/individuals take up the challenge ebusiness, e-government, social networks, etc.
• Development of the browser made Internet accessible to anyone;
this includes accessible for hackers
• Future: Semantic Web making the WWW a smart Web for data,
information and knowledge exchange
(http://en.wikipedia.org/wiki/Semantic_Web )
July 17, 2015
15
Agenda
• Background and Conceptualization
• Information Security
• Internet Security
• Intentional threats = Hacking Attacks: how does it work?
• Other cybercrime
• Dealing with the threats
• Information Security Measures & Management
• Internet Security Measures & Management
• Assignment of the week
• References
July 17, 2015
16
Hackers terminology [2]
• White hackers, gurus or wizards: hackers having
specialist IT-knowledge to be used legally with best
intentions (e.g., information security experts)
• Black hats or crackers: hackers with illegal intentions
(e.g., distribution of copyrighted software, trying to shut down
systems with distributed-denial-of-service (ddos) attacks)
• Script kiddies
• (often young) people without technical knowledge having bad
intentions;
• use available cracking software, often just for fun
• Grey hats or ethical hackers: illegal activities with best
intentions (e.g., penetration in systems and making this public)
July 17, 2015
17
Hacking: how does it work?
From a technical perspective
• Internet software (TCP/IP) uses so-called ports for connection
purposes
• Actually, more than 65000 port numbers are in use: e.g., email
uses port 25, web pages use port 80 (behind ports you often find
servers that answer requests from clients like a browser)
• Port scanners check (by sending IP-packets) whether certain
ports have open access: see e.g. www.insecure.org/nmap/
• Vulnerability scanners look for vulnerabilities like in the software
used (old software that has not being patched): see e.g.
www.nessus.org
• Packet sniffers (or protocol analyzers) look at the content of
incoming/outgoing IP-packets: see e.g. www.ethereal.com, e.g.
look for passwords
July 17, 2015
18
Hacking : how does it work?, cont.
• Best known vulnerability is buffer overflow: a short
program is placed in an unprotected memory location
such that the computer starts to execute this code…
• Identification of ‘all known exploits’ (techniques to exploit
vulnerabilities) is not difficult: available on the Ethical
Hacker Network
• Virus and other malicious programs (malware) may
exploit these vulnerabilities: there exist many types!
• Password guessing software discovers passwords of users
July 17, 2015
19
Malicious programs [3]
July 17, 2015
20
Malicious programs, cont.
• There exist malicious software of many types, often
• as part of other software and
• distributed via the WWW
• A taxonomy of malicious software:
• independent replicating bacteria: they just reproduce
exponentially taking up all resources
• independent worms: once active, they replicate themselves
using email, remote login or remote execution software; in
addition, they perform a ‘certain action’
• zombies: a zombie is a program that secretly takes over
another Internet-attached computer to launch difficult to trace
attacks
July 17, 2015
21
Dependent malicious software
• Dependent software need a host program:
• trap doors: gain unauthorized access using a
certain input sequence (built-in by programmers:
ctrl-alt-del is a good, secure example);
• logic bombs: embedded code that ‘explodes’
under special circumstances (a time or date e.g.)
• Trojan horses: embedded code in an apparently
useful routine
• viruses: infect other executables, the corresponding code is
embedded (resulting into an identifiable piece of code)
• For more details, see [3]
July 17, 2015
22
Other technical hacking practices
• war driving: looking for non-encrypted WIFI networks
using a laptop and a car: see e.g.
http://wifiscanner.sourceforge.net/
• social engineering is about misleading people (here by
letting them activate certain pieces of software or providing
sensitive data including passwords) based on
• pretending authority (being responsible computer system manager)
or being a friend or colleague
• flirting and flattering
using personal conversation, spam (see slide 27), phishing and/or
pharming (see next slide), …
July 17, 2015
23
Phishing and Pharming
• Phishing
• Ask for confidential data like passwords
• Ask for clicking on a hyperlink that imitates a well-known bank
or other system’s website where user has to fill in confidential
data
• Very many phishing attacks do currently occur
• Pharming (sophisticated type of phishing)
• Even if user types correct name like www.abnamro.nl, user is
re-routed without knowing this…
July 17, 2015
24
Hacking : having entered, what’s next?
• White hackers are done… (they have got their kick from
being capable of entering the system)
• Black and ethical hackers start collecting valuable
information
• Script kiddies are often just interested in ‘defacing web
sites’…
• Professional hackers remove traces and/or create a
back door for future use…
July 17, 2015
25
Agenda
• Background and Conceptualization
• Information Security
• Internet Security
• Intentional threats = Hacking attacks: how does it work?
• Other cybercrime threats
• Dealing with the threats
• Information Security Measures & Management
• Assignment of the week
• References
July 17, 2015
26
Spam
• Sending spam is cheap and success rate is not low: +/- 20% of
people have at least once bought stuff based on spam email [2]
• First spam was already sent in the 70ies…
• Collecting email addresses is facilitated by spiders (see, e.g.,
www.massmailsoftware.com/extractweb )
• Measures against spam (not always very effective…!)
• Filtering against blacklist (refuse) and white list (accept)
• Bayesian filtering: look for similarities
• …
• Penalties can be high: up to 20.000 euro in the Netherlands!
July 17, 2015
27
DoS attacks, mail bombs and more
• 90-ies: Internet would make the world a better place…
• March 2000: dotcom bubble bursts (by non-technical threats):
NASDAQ collapses from 5048,62 till 1114,11 on October 2002
(did we forget something in the recent history??)
• Anyway, the Internet is simply not a safe place: dos
(denial-of-service) attacks by
• sending many packets: IP-spoofing (other computers are
requested to send messages to one single computer, example of
distributed dos (ddos) attacks)
• destabilization: packets that make computers crashing
• true warfare: physical bombs or bullits
July 17, 2015
28
Attacking crucial parts of the Internet
• Domain Name System: originally 13 root servers (see
http://www.root-servers.org/ for those and other important servers;
see also http://www.isoc.org/briefings/ )
• October 21 2002: 9 of 13 root servers suffered from a ddos
attack!!
• Are we approaching ‘zero day’? Some experts do thing so,
see e.g.
http://www.pewinternet.org/Infographics/The-Future-of-the-Internet-I.aspx
• Another ‘single-point-of-failure’: Amsterdam Internet
Exchange (AMS_IX), 2nd biggest Internet junction in the
world http://nl.wikipedia.org/wiki/Amsterdam_Internet_Exchange
July 17, 2015
29
Cybercrime in the Netherlands [2]
• August 1985, phone number database of PTT (KPN) is
entered by two Dutch hackers: 008-database is
protected with the easy-to-guess password ‘008’…
• 1989: 1st publication of techno-anarchistic journal
‘Hack-Tic’
• 1992: ‘Hack-Tic’ decides to become an ISP based on
telephone lines hired from the ‘enemy’, the PTT (KPN)
• 1994: ISP activities of Hack-Tic are bundled in XS4ALL
• 1998: KPN Telecom buys XS4ALL, the anarchists have
changed their role from hackers to business men…
Agenda
• Background and Conceptualization
• Information Security
• Internet Security
• Intentional threats = Hacking Attacks: how does it work?
• Other Cybercrime
• Dealing with the threats
• Information Security Measures & Management
• Assignment of the week
• References
July 17, 2015
31
IS Management = set of best practices
• No ready-to-use solution is available!
• Concerns a set of best practices, e.g., the BS7799 [1] (now an
ISO standard with # 17799): “BS 7799-1 was first issued in 1995
to provide a comprehensive set of controls comprising best
practices in information security”
• BS7799 distinguishes 10 categories: security policy, security
organization, asset classification and control, personnel security,
physical and environmental security, communications and
operations management, access control, systems development
and maintenance, business continuity management, compliance
July 17, 2015
32
Information security: risk analysis
and response
• preventive measures relate to
• taking away threats (e.g., hackers)
• minimization of vulnerabilities (e.g.,
repairing software errors, use of
strong keys when using encryption)
• detective measures relate to
• discovery of IS incidents (e.g. virus
scan, intrusion detection) in order to
minimize the impact based on relieving
measures (e.g., data saving & system
shut down)
• corrective measures relate to
• return to business-as-usual state
(based on repair or use of backup
facilities)
July 17, 2015
Threat
Preventive
measures
Incident
Detective
measures
Damage
Corrective
measures
Recovery
33
Risk analysis in the business: look at
information dependence of the critical
processes
Basic steps
of an
information
security
maturity
assessment:
Hacking: taking measures
• Preventively taking away threats caused by hackers knowing that
•
•
•
•
hackers act anonymously on the Internet
collect their hacking software from the same Internet
no worldwide central authorities exist,
Internet crime is often part of the ‘organized crime’, …
is a hard task and sometimes impossible
• Next to preventive, we need many detection and recovery measures
• Some things we can do:
• secure the systems (e.g., separate internal network from Internet): see below
• make their users aware of risks (see also below)
• start investigations to understand the problems: bureaus digitale expertise
(experts within Dutch police organization)
• start forensic research (concerns ‘truth-finding in criminal proceedings’) e.g.,
by the ‘mining’ of all kinds of data sources (NFI)
• involve society: meldpunt computercriminaliteit
• deter hackers by imposing high penalties and long imprisonments: wet
computercriminaliteit
Technical Security Measures
(from the BS7799 categories)
• Physical security (not elaborated here)
• System and Network (S&N) Security
• Access control (identification, authentication,
authorization)
• Development (~ software engineering) and
Maintenance (not elaborated here)
July 17, 2015
36
System & Network Security
• IT Systems' security is part of information security management;
it consists of a balanced set of controls based on best practices,
e.g.,
• IT-infrastructure (software and hardware): how to keep the
systems up and running, e.g., against earthquakes and DDOSattacks?
• Firewalls and Intrusion Detection systems (problem of false
positives)
• Access control and Authorization
• Email and Web Security
• Critical updates
• Anti-virus software and vulnerability testing
• Back-ups and overtaking places
July 17, 2015
37
Infrastructure: segmentation
• Demilitarized Zones (DMZs), at least one
• Situated between 'hostile' outside network (Internet) and
internal network: protected by firewalls and monitored
• Access to each DMZ should be explicitly authorized
• DMZs can be structured in a multi-level hierarchy
• first level: publicly accessible services like web server,
DNS, mail servers
• second level: database services only accessible to
application servers from the first level DMZ
• Internal network may be protected by a separate firewall
July 17, 2015
38
Example architecture
July 17, 2015
39
Connections' control
• Here done by a firewall having 5 network interfaces
• Depending on the security policy implemented using
• source and destination of requests
• protocol used
• firewall should (not) admit specific data traffic
• Correct and save firewall configuration is essential
• Preferably, firewalls apply Network Address Translation where
internal addresses are used in the internal network
(see: http://www.vicomsoft.com/knowledge/reference/nat.html )
July 17, 2015
40
Access Control and Authorization
• Usually three steps
• Identification, e.g., an id or name (sometimes on a card)
• Authentication, usually based on
(i) what you know (a key word or access code) and/or
(ii) what you have ( passport or other (e-)card) and/or
(iii) who you are (finger, iris, dna) and/or
(iv) where you are (each moment in time), (e.g., you cannot
be at one place at the same time nor travel faster then the
velocity of light …)
• Authorization, e.g., based on role-based access control matrix
where you current role defines your current access rights
July 17, 2015
41
Dealing with spam
• Sending spam is cheap and success rate is not low: +/- 20% of
people have at least once bought stuff based on spam email [2]
• First spam was already sent in the 70ies…
• Collecting email addresses is facilitated by spiders (see, e.g.,
www.massmailsoftware.com/extractweb )
• Measures against spam (not always very effective…!)
• Filtering against blacklist (refuse) and white list (accept)
• Bayesian filtering: look for similarities
• …
• Penalties can be high: up to 20.000 euro in the Netherlands!
July 17, 2015
42
Role of Cryptography, some examples
• Authorization: cryptography can help to verify
correctness of pincode or passwords by applying
‘message digest’: passwords (together with idinformation) are stored in a ‘hashed way’ (so original
pincode is nót stored!!); more details are here
• Cryptography can also be used to implement
confidentiality, integrity, non-repudiation by using
• private key cryptography usually in combination with
• public key cryptography
July 17, 2015
43
Public and Private Key Cryptography
• Private key cryptography: two communications parties encrypt
and decrypt data using the same, secrete key
there is a key distribution problem
• applications: ensuring C and I (from CIAA)
• Public key cryptography: two communications parties encrypt and
decrypt data using two complementary keys, one public key for
encryption and one secret key for decryption or digital signing
• applications: secret key exchange for applying private key
cryptography, digitally signatures
need for digital certificates binding public keys uniquely to
individuals (signed by trusted third parties)
• For more details, see e.g. [3]
July 17, 2015
44
Symmetric-key algorithms
• In conventional cryptography, one key k is used both
for encryption (E) of plaintext P and decryption (D) of
ciphertext C:
C Ek (P)
P Dk (C )
• Examples: old DES algorithm and new AES algorithm
45
Public-key Cryptography: theory
• In 1976, (code rebels) Diffie and Hellman proposed the idea of
using different keys for encryption and decryption
• More formally:
C Ek (P) ,
P Dk ' (C)
where
• the private key k' cannot be derived from the public key k
• the private key k' cannot be found by a ‘chosen plaintext
attack’
• However, they did not offer an implementation!
• In 1977, Rivest, Shamir and Adleman (RSA) offered a successful
one (see below)
46
Advantages of PK Cryptography
• Communication partners not knowing each other (like
you and ‘Amazon’) can send secure messages to each
other provided
• the secrete key is really kept secret by its owner
• the public key is unambiguously linked to its owner
(can be established based on a chain of trust: remember the way you
are unambiguously linked to the person mentioned in your passport!!)
Exercise: prove this statement!
• Messages can be electronically signed enabling the
implementation of non-repudiation (see below)
47
RSA (1)
• Rivest, Shamir, and Adleman proposed the first public
key algorithm, termed the RSA algorithm:
1. Choose two large primes, p and q
(typically > 10^120, sic!)
Simple example: p = 3, q = 11
2. Compute n = p x q and z = (p - 1) * (q - 1)
Here, n = 33, z = 20
3. Choose a number called d, ‘relatively prime’ to z,
i.e., d and z may not have common factors
Here, we choose d = 7
48
RSA (2)
4. Find an f such that f x d = 1 mod z, i.e., dividing
f x d by z should yield a remainder of 1
Here, solve 7f = 1 mod 20 f =3.
5. Encryption is done by calculating C P f (modn)
To do so, plaintext is 'coded', e.g., a =1, b=2, c=3,
d=4, e=5, etc. To encrypt an ‘e’, we calculate 5^3
(mod 33) = 125 (mod 33) = 26 = cipher text C
6. Decryption is done by calculating C d (modn) P (!)
Here: 26^7 (mod 33) =8031810176 (mod 33)
= 5 = P, so we recovered the ‘e’!!
49
Install critical updates
• Weaknesses in Operating Systems (Windows) and
Applications are common download critical updates
automatically
• Activate "Automatic Updates":
July 17, 2015
50
Install critical updates, cont.
July 17, 2015
51
Anti-virus/anti-malicious software
• Install McAfee/AVG/… software
• Let system automatically look for new anti-virus
updates: the standard of today
July 17, 2015
52
Apply vulnerability testing
• Playing the role of white hacker, attacker or scriptkiddy:
July 17, 2015
53
Apply vulnerability testing, cont.
July 17, 2015
54
Back-ups
• The need of making back-ups needs no further
explanation
• Outsourced Automatic Back-up services are available
• Idem: need for 'overtaking places' = back-up systems
July 17, 2015
55
Intrusion detection
• Network-based and Host-based Intrusion Detection
• Two general approaches
• statistically anomaly detection: threshold based (using
frequency of occurrences) or profile based (compare credit
card fraud)
• rule-based detection: anomaly = deviation from previous used
patterns
• Intelligent intrusion detection is still a very hard problem:
• need for learning systems
• need for decision making based on multi-sensor data to avoid
too many false positives
July 17, 2015
56
Last but not least: execute awareness
programs
• All technical measures (may) fail in case users are not
aware of the risks and behave accordingly…
(do you also lock your computer when leaving the room?)
(do you have a clean desk policy?)
• Awareness programs concern 40% of the informtion
security investment costs
Research topics related to
Information and Internet Security
• Ideally: Integrated Security in a Networked World
• Technical topics
• managing your private information
• biometric authentication
• security of mobile applications
• security on the Semantic Web
• implementing role-based access control
• Organizational topics
• costs-benefits analysis of security programs
• where to save biometric data?
• from accountancy to e-accountancy
• efficiently estimating the security level needed
• governance of Internet: a hot topic of research! (see ECP.nl)
July 17, 2015
58
Agenda
• Background and Conceptualization
• Information Security
• Internet Security
• Intentional threats = Hacking Attacks: how does it work?
• Other Cybercrime
• Dealing with the treats
• Information Security Measures & Management
• Internet Security Measures & Management
• Assignment of the week
• References
July 17, 2015
59
Assignment 3: choose one of the
following small group assignments
1. Explain the working of the RSA algorithm by constructing an
example: show all calculations by using excel. Also describe
a) the strength of this algorithm (which relates to the length used
for the keys) and
b) the underlying mathematics
2. To implement digital confidentiality, integrity and nonrepudiation, etc. a Public Key Infrastructure (PKI) should be set
up based on certificates and Certifying Authorities.
Describe the structure and working of a PKI, and analyse
critically the chain of trust of examples of PKIs that are in use.
Assignment 3, cont.
3. Do a literature review to collect information on how
the NLs and/or European community deals with the
hacking problem: describe threats, vulnerabilities
and all kinds of measures that are taken at national
and international level: find your own scope
4. Like above #3.: focus on the work by the police and
international security organizations (like the AIVD in
the NLs) to track and trace hackers (individuals and
members of the organized crime like the maffia)
Agenda
• Background and Conceptualization
• Information Security
• Internet Security
• Intentional threats = Hacking Attacks: how does it work?
• Other Cybercrime
• Dealing with the treats
• Information Security Measures & Management
• Internet Security Measures & Management
• Assignment of the week
• References
July 17, 2015
62
References
[1] BS7799: available in BlackBoard under “Course Documents”
[2] Arjan Dasselaar, “Handboek Digitale Criminaliteit, over daders,
daden en opsporing”, Van Duuren Media, 2005
[3] William Stallings, “Network Security Essentials”, 2nd ed., Prentice
Hall, 2003
July 17, 2015
63