23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 1 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick NDS CRM.

Präsentation zum Thema: "23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 1 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick NDS CRM."—  Präsentation transkript:

1 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 1 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick NDS CRM Modul 3 Prof. Dr. Andreas Steffen © 2003 Zürcher Hochschule Winterthur E-Security und Datenschutz I Introduction

2 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 2 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick Today's Agenda Security Goals Common Threats CRM and Privacy Security Policies

3 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 3 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick E-Security und Datenschutz I Security Goals

4 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 4 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick Security Goals in e-Commerce: CIA + Privacy + Identity Confidentiality Sensitive company information and customer data must be protected from unauthorized access. Integrity Data must be protected from getting accidentally or mischievously changed either in its storage location or during transmission. Availability In a global business environment the server and communications infrastructure must be available on a 24/7 basis. Privacy The privacy rights of the customers must be protected. Collected personal data shall be used only for those purposes the customer agreed upon. Authentication In any electronic transaction the true identity of customers and company staff should be established. Non-Repudiation There should be a provable association between an electronic transaction and the person who initiated it.

5 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 5 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick E-Security und Datenschutz I Need for Confidentiality Threat by Foreign Governments

6 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 6 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick Echelon – Global Eavesdropping Network Run by the National Security Agency (NSA) Monitoring of global satellite communications (phone, fax, e-mail) Bad Aibling, Bavaria

7 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 7 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick

8 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 8 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick Many Hops to www.novartis.com traceroute to www.novartis.com (164.109.68.201) 1 is1-svn.zhwin.ch(160.85.128.1) Winterthur 2 intfw.zhwin.ch(160.85.111.1) 3 160.85.105.1(160.85.105.1) 4 130.59.38.93(130.59.38.93) 5 rtrZUSW1-A4-0-1135.switch.ch(130.59.38.250) Zurich 6 swiEZ2-G6-1.switch.ch (130.59.33.249) 7 swiIX1-G2-3.switch.ch (130.59.36.250) 8 zch-b1-geth4-1.telia.net (213.248.79.189) 9 ffm-bb2-pos0-3-1.telia.net (213.248.79.185) Frankfurt 10 prs-bb2-pos0-2-0.telia.net (213.248.64.197) Paris 11 ldn-bb2-pos0-2-0.telia.net (213.248.64.165) London 12 nyk-bb2-pos6-0-0.telia.net (213.248.65.94) New York 13 nyk-i1-pos2-0.telia.net (213.248.82.22) 14 so-0-1-0.edge1.NewYork1.Level3.net(209.244.160.161) 15 ge-2-1-0.bbr2.NewYork1.level3.net(64.159.4.149) 16 unknown.Level3.net (64.159.3.254) 17 gige7-0.ipcolo1.Washington1.Level3.net(64.159.18.3) Washington 18 unknown.Level3.net (209.246.46.90) 19 gigabitethernet7-0.dca2c-fcor-rt2.netsrv.digex.net (164.109.3.94) 20 164.109.3.166 (164.109.3.166) 21 164.109.92.14 (164.109.92.14) 22 164.109.68.201 (164.109.68.201)

9 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 9 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick Global Submarine Cable Map 2003 Cable tapping pod laid by US submarine off Khamchatka

10 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 10 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick Known Cases of Industrial Espionage Airbus, 1994, fax and phone calls intercepted by NSA McDonnell-Douglas won 6 billion $US contract with Saudi Arabian national airline. Reason: Uncovering of bribes. ICE/TGV, 1993, phone and fax tapped in Siemens Seoul office Siemens lost contract for Korean high-speed train to GEC-Alsthom. Reason: Competitor knew cost calculations done by Siemens. Thomson-CSF, 1994, communications intercepted by NSA/CIA Thomson-CSF lost huge Brazilian rainforest radar contract to Raytheon. Reason: Uncovering of bribes. Estimated yearly damage due to industrial espionage 10 billion Euro p.a. for Germany alone Source: European Commission Final Report on ECHELON, July 2001

11 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 11 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick E-Security und Datenschutz I Need for Confidentiality Threat by Hackers

12 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 12 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick World Economic Forum 2001 in Davos Entire WEF database was stolen by hackers 161 Mbytes of data 27'000 names 1'400 credit card numbers phone numbers and home addresses

13 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 13 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick Web Defacing

14 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 14 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick Web Defacing Source: Ruben Kuswanto, "Web Defacing", February 25 2003

15 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 15 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick WLAN War Driving

16 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 16 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick WLAN War Driving Map of Southern California http://pasadena.net/apmap/ 1500 mapped Access Points

17 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 17 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick WLAN War Driving Map of Zurich Source: Tages-Anzeiger, Oct. 14 2002 >700 access points, a majority of them with disabled WEP encryption

18 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 18 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick WLAN War Driving using NetStumbler NetStumbler available from http://www.netstumbler.com Laptop or PDA platform, optionally equipped with GPS device

19 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 19 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick Cain Password Recovery Tool Cain available from http://www.oxid.it ARP poisoning, SSH and HTTPS man-in-the-middle attacks

20 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 20 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick Sniffing is easy!

21 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 21 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick Network Setup default gateway 160.85.160.1 00:D0:03:22:7C:0A Target mobt6103e 160.85.169.50 00:C0:97:14:B8:71 Attacker usrw3200 160.85.162.219 00:02:B3:21:2C:8C Victim ZHW Netz Internet kermit 160.85.134.140 08:00:20:C3:CE:48 Destination EDU Netz Hostname IP network address MAC interface card address Switch

22 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 22 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick E-Security und Datenschutz I Need for Availability Threat by DoS Attacks

23 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 23 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick Denial of Service (DoS) Attacks ping –c 1 160.85.143.255 13:36:52.196291 pluto.zhwin.ch > 160.85.143.255: icmp: echo request 13:36:52.196513 janus.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.196560 labserver03.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.196586 labserver01.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.196603 is1-svn.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.196871 notekgc.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.196910 statler.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.196940 andromeda.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.197296 iplds2.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.197325 milkyway.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.197410 kermit.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.197584 e520ks01.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.197653 console.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.197670 charly.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.197960 www.frau-und-technik.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.198017 splash.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.198363 iplds1.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.198652 twins.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.198937 mac608.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.199915 draco.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.201847 inpc9.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.205905 e321lj.zhwin.ch > pluto.zhwin.ch: icmp: echo reply 13:36:52.216502 pmsrv.zhwin.ch > pluto.zhwin.ch: icmp: echo reply

24 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 24 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick DoS – Ping Attack with IP Spoofing Corporate Network Victim Internet Attacker pings to broadcast address of corporate network with spoofed source address of victim Firewall

25 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 25 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick State-of-the-Art Distributed DoS Attack Victim Internet Attacker Attacker feeds a virus e.g. via email into the Internet Virus infects thousands of hosts and installs a Trojan horse On a given date all Trojans start flooding the Victim e.g. with HTTP requests

26 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 26 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick E-Security und Datenschutz I CRM and Privacy

27 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 27 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick CRM and Privacy Source: PriceWaterhouseCoopers, "Risks of Customer Relationship Management", ISACF, 2003 Trust A customer who trusts the organization to respect personal information is more likely to transact with the organization and to provide more information to allow the organization to service his/her need. Contrary Viewpoints: Marketers see enormous possibilities for targeted advertising and cross-selling. Privacy Advocates want organizations to collect minimal information, do as little as possible with that information, and ask for permission first. Regulators are looking at more effective enforcement. Lawyers juggle new compliance requirements and legal risks. Consumers are left wondering if they really have any privacy left at all.

28 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 28 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick E-Risks jeopardizing Customer Privacy An organization risks violating the privacy of its customers in several of the following ways: Security Breaches Unintentional security breaches that allow unauthorized people to view personal information about customers. Faulty Authentication Failing to correctly authenticate customers before allowing them to access personal data. Missing or Unheeded Confidentiality Agreements Failing to secure confidentiality agreements with vendors that host parts of the system or have access to the data. Unsufficient Access Restrictions Failing to restrict employee access at the application or database level to prevent customer data being used in profiling or other marketing activities that breach the organization's privacy policy, e.g. failing to honor customer opt-outs. Source: PriceWaterhouseCoopers, "Risks of Customer Relationship Management", ISACF, 2003

29 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 29 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick Conclusions Due to the large amount of personal data maintained by organizations implementing CRM strategies, the ease with which the data can be electronically transferred, and the threat to personal privacy if they are misused, … Source: PriceWaterhouseCoopers, "Risks of Customer Relationship Management", ISACF, 2003 … organizations must establish formal programs to address privacy in the context of CRM deployments. In order to be effective, these programs need executive support, appropriate resources and representation from a significant portion of the organization.

30 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 30 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick E-Security und Datenschutz I Security Policies

31 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 31 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick Security Policies "There should be a commonly understood set of practices and procedures to define management's intentions for the security of e-Commerce." Deloitte&Touche, "E-Commerce Security – Enterprise Best Practices", ISACF, 2000

32 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 32 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick Effectiveness of Security Policies Research has shown that there is only limited correlation between a written statement of policy and management's statisfaction with the attainment of its security objectives. The reason seems to be that so-called Internet time is too fast to merit taking the time to write down all the policies that have evolved. Overall information protection policies are required. Simply to address confidentiality, integrity and availablity (CIA) as they apply to e-Commerce is to miss the unique policy issues prescribed for doing business on the Internet. It appears that the highest level of satisfaction with security – policy, direction and enforcement – is achieved when many parties (e.g. sales, marketing, supply chain management, and information technology) are involved and responsible. Source: Deloitte&Touche, "E-Commerce Security – Enterprise Best Practices", ISACF, 2000, pp. 41-44

33 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 33 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick The five Elements of Effective Security Policies Language Loosely constructed statements potentially lead to misinterpretations of the policies. The policies must be written such that expectations are clear. Feasability Policies must be reasonable and practical. If policies are not logical, or within reasonability, they may not be implemented. Responsibility Policies must clearly define who is responsible and to whom the policy applies. Consistency Inconsistent use of word and definitions can mislead the reader and potentially confuse the message of the policy. Examples include "data" vs. "information" and "approval" vs. "authorization". Comprehensive Gaps in the coverage of policies will discredit them. The policies must consider all aspects of information security and where possible, the policies should be linked to other corporate policies. Source: PriceWaterhouseCoopers, "Risks of Customer Relationship Management", ISACF, 2003

34 23.09.2003/Andreas Steffen NDS_CRM_Security_1 Seite 34 E-Security und Datenschutz Zürcher Hochschule Winterthur Modul 3 Technologie – Überblick Security Policies "Policies enable; they do not just deny." PriceWaterhouseCoopers, "Risks of Customer Relationship Management", ISACF, 2003