SlideShare une entreprise Scribd logo

Mis05

Télécharger en tant que PPTX, PDF
L
Lee Gomez
1  sur  54
Introduction to MIS Chapter 5 Computer Security Jerry Post Technology Toolbox: Assigning Security Permissions Technology Toolbox: Encrypting E-Mail?? Cases: Professional Sports
Outline  How do you protect your information resources?  What are the primary threats to an information system?  What primary options are used to provide computer security?  What non-computer-based tools can be used to provide additional security?  How do you protect data when unknown people might be able to find it or intercept it? What additional benefits can be provided by encryption?  How do you prove the allegations in a computer crime?  What special security problems arise in e- commerce?
Server Attacks Computer Security + Physical Dangers The Internet Data interception + external attackers Monitoring/ Internal + Privacy Spyware
Threats to Information  Accidents & Disasters  Employees & Consultants  Business Partnerships  Outside Attackers ◦ Viruses & Spyware ◦ Direct attacks & Scripts Links to business partners Virus hiding in e-mail or Web site. Employees & Consultants Outside hackers
Security Categories  Physical attack &  Logical disasters ◦ Unauthorized disclosure  Backup--off-site ◦ Unauthorized modification  Physical facilities ◦ Unauthorized ◦ Cold/Shell site withholding, Denial of ◦ Hot site Service ◦ Disaster tests ◦ Personal computers  Confidentiality,  Continuous backup Integrity, Accessibility (CIA)  Behavioral ◦ Users give away passwords ◦ Users can make mistakes ◦ Employees can go bad
Horror Stories  Security Pacific--Oct. 1978  Robert Morris--1989 ◦ Stanley Mark Rifkin ◦ Graduate Student ◦ Electronic Funds Transfer ◦ Unix “Worm” ◦ $10.2 million ◦ Internet--tied up for 3 days ◦ Switzerland  Clifford Stoll--1989 ◦ Soviet Diamonds ◦ The Cuckoo’s Egg ◦ Came back to U.S. ◦ Berkeley Labs  Hacker/youngster: Seattle ◦ Unix--account not balance ◦ Physically stole some computers and ◦ Monitor, false information was arrested ◦ Track to East German spy: Marcus ◦ Sentenced to prison, scheduled to Hess begin in 2 months  Old Techniques ◦ Decides to hack the computer system and change sentence to probation ◦ Salami slice ◦ Hacks Boeing computers to launch ◦ Bank deposit slips attack on court house ◦ Trojan Horse ◦ Mistakenly attacks Federal court ◦ Virus instead of State court ◦ Gets caught again, causes $75,000 damages at Boeing
More Horror Stories  TJ Max (TJX) 2007  Alaska State Fund 2007 ◦ A hacker gained access to ◦ Technician accidentally the retailer’s transaction deleted Alaska oil-revenue system and stole credit card dividend data file. data on millions of ◦ And deleted all backups. customers. ◦ 70 people worked overtime ◦ The hacker gained access to for 6 weeks to re-enter the unencrypted card data. data at a cost of $220,000. ◦ The hacker most likely also  Terry Childs, San Francisco had obtained the decryption key. Network Engineer ◦ TJX was sued by dozens of ◦ In 2008 refused to tell banks for the costs incurred anyone the administrative in replacing the stolen cards. passwords for the city network ◦ (2011) Hackers were arrested and sentenced. One ◦ The networks remained (Albert Gonzalez) had been running, but could not be working as a “consultant” to monitored or altered. federal law enforcement. ◦ He eventually gave them to the Mayor, but was NY Times Rolling Stones Govt Tech convicted.
Disaster Planning (older)  Backup data Backup/Safe storage Recovery Facility  Recovery facility  A detailed plan  Test the plan MIS Employees Network Business/Operations
Data Backup (in-house/old style) Power company Use the network to back up PC data. Use duplicate mirrored servers for extreme reliability. UPS Frequent backups enable Diesel generator you to recover Offsite backups from disasters are critical. and mistakes.
Disaster Planning (continuous)  How long can company survive without computers?  Backup is critical  Offsite backup is critical  Levels ◦ RAID (multiple drives) ◦ Real time replication ◦ Scheduled backups and versions  Not just data but processing ◦ Offsite, duplicate facilities ◦ Cloud computing  Still challenges with personal computer data
Continuous Backup Secure Internet connection Storage area Off-site or cloud network with computing Server cluster redundancy processing and data with built-in and RAID Use both sites redundancy continuously or switch DNS entries to transfer users in a disaster. Users connect to the servers
Threats to Users  Attacker takes over computer ◦ Virus/Trojan ◦ Phishing ◦ Unpatched computer/known holes ◦ Intercepted wireless data  Bad outcomes ◦ Lost passwords, impersonation, lost money ◦ Stolen credit cards, lost money ◦ Zombie machine, attacks others ◦ Commits crimes blamed on you
Virus/Trojan Horse From: afriend To: victim 2 3 Message: Open 1 the attachment for some excitement. 1. User opens an attached program that contains hidden virus Attachment 2. Virus copies itself into other programs on the computer 01 23 05 06 77 03 3. Virus spreads to other files and 3A 7F 3C 5D 83 94 other computers. 19 2C 2E A2 87 62 02 8E FA EA 12 79 54 29 3F 4F 73 9F Virus code
Spyware hacker Capture keystrokes Password Viruses used to delete your files. Now they become Credit card spyware and steal your data, passwords, and credit cards. Password
Stopping a Virus/Trojan Horse  Backup your data!  Never run applications unless you are certain they are safe.  Never open executable attachments sent over the Internet--regardless of who mailed them.  Antivirus software ◦ Scans every file looking for known bad signatures ◦ Needs constant updating ◦ Rarely catches current viruses ◦ Can interfere with other programs ◦ Can be expensive ◦ Can usually remove a known virus
Phishing: Fake Web Sites E-mail Really good fake of Bank account is your bank’s Web overdrawn. site. Please click here to log in. Sent to hacker who steals your Username money. Password You are tired and click the link and enter username/password.
Avoiding Phishing Attacks  Never give your login username and password to anyone. Systems people do not need it.  Be extremely cautious about bank sites and avoid clicking any links that are sent by e-mail.  Always double-check the URL of the site and the browser security settings.
Two-step Process often used by Banks Real bank site Username URL Security indicators Password Image or phrase you created earlier After checking the URL, Password: security indicators, and the image or phrase you entered when you opened the account, it is safe to enter your password.
Patching Software Vendor Hacker attacks your Researchers announces computer when you go find bug patch to a Web site time You should update immediately Zero-day attack. Hacker finds bug/hole first. Everyone is vulnerable.
Unpatched Computer/Known Holes Researchers and Bugs enable attackers Attackers learn about vendors find bugs in to create files and holes and write scripts programs. Web sites that that automatically overwrite memory and search for unpatched Vendors fix the let them take over a computers. programs and release computer. Even with updates. images and PDF files. Thousands of people run these scripts against every computer they can find You forget to update on the Internet. your computer. Someone takes over your computer. 2008, SFGate, 95% of computers need updates (online) 2011, RSA/Computerworld, 80% of browsers need updates (online)
Update Your Software  O/S: Microsoft (and Apple) ◦ Set security system to auto-update. ◦ But laptops are often turned off. ◦ Microsoft “patch Tuesday” so manually check on Wednesday or Thursday.  Browsers ◦ Some patched with operating system. ◦ Others use Help/About. ◦ Check add-ins: Java, Flash, Acrobat, …  Applications ◦ Check with vendor Web site. ◦ Try Help/About.  Monitor your network usage. ◦ Botnet software and viruses can flood your network. ◦ Slowing down traffic. ◦ Exceeding your Internet data caps.
Internet Data Transmission Eavesdropper Destination Intermediate Routers Start
Intercepted Wireless Communications Hacker installs software to capture all data traffic on the wireless network. (e.g., Firesheep) Browser cookies from the server are rarely encrypted and can be captured to impersonate you on your Web service accounts.
Protect Wireless Transmissions  Never use public wireless for anything other than simple Web surfing?  Use virtual private network (VPN) software which encrypts all transmissions from your computer to their server?  Encourage Web sites to encrypt all transmissions?  Most options have drawbacks today (2011).  Warning: Firesheep is extremely easy to use and it is highly likely someone is running it on any public network you use.  Eventually, it is likely that all Internet connections will have to use end-to-end encryption for all communication. (Which is the point of the author of Firesheep.)
Common Web Encryption: Login only Initial page, encryption keys Username/password (encrypted) Server Cookie/identifier (Not encrypted) Session and additional pages Hijacked not encrypted. With session unencrypted cookie/identifier. Intercepted User Eavesdropper hacker
Fundamental Issue: User Identification  Passwords  Alternatives: Biometrics ◦ Dial up service found 30% of ◦ Finger/hand print people used same word ◦ Voice recognition ◦ People choose obvious ◦ Retina/blood vessels ◦ Post-It notes ◦ Iris scanner ◦ DNA ?  Hints  Password generator cards ◦ Don’t use real words  Comments ◦ Don’t use personal names ◦ Don’t have to remember ◦ Include non-alphabetic ◦ Reasonably accurate ◦ Change often ◦ Price is dropping ◦ Use at least 8 characters ◦ Nothing is perfect ◦ Don’t use the same password everywhere ◦  But then you cannot remember the passwords!
Bad Passwords  Some hackers have released stolen and cracked password files. Analysis reveals the most common passwords—which are also in a list used by hackers. Do not use these as your password! Example source: Ashlee Vance, “If Your Password Is 123456, Just Make It HackMe,” The New York Times, January 20, 2010. 1. 123456 11. nicole 21. Iloveu 2. 12345 12. daniel 22. michelle 3. 123456789 13. babygirl 23. 111111 4. password 14. monkey 24. 0 5. iloveyou 15. jessica 25. Tigger 6. princess 16. lovely 26. password1 7. rockyou 17. michael 27. sunshine 8. 1234567 18. ashley 28. chocolate 9. 12345678 19. 654321 29. anthony 10. abc123 20. qwerty 30. Angel 31. FRIENDS 32. soccer
Iris Scan Panasonic http://www.eyeticket.com/ http://www.iridiantech.com/ eyepass/index.html questions/q2/features.html Algorithm patents by JOHN DAUGMAN 1994 http://www.cl.cam.ac.uk/~jgd1000/
Biometrics: Thermal Several methods exist to identify a person based on biological characteristics. Common techniques include fingerprint, handprint readers, and retinal scanners. More exotic devices include body shape sensors and this thermal facial reader which uses infrared imaging to identify the user.
Lack of Biometric Standards  Biometrics can be used for local logins.  Which can be used within a company.  But, no standards exist for sharing biometric data or using them on Web sites.  And do you really want every minor Web site to store your biometric fingerprints?
Access Controls: Permissions in Windows Find the folder or directory in explorer. Right-click to set properties. On the Security tab,assign permissions.
Security Controls  Access Control ◦ Ownership of data ◦ Read, Write, Execute, Delete, Change Permission, Take Ownership  Security Monitoring ◦ Access logs ◦ Violations ◦ Lock-outs Resou rce/F iles Users Ba la n ce Sh eet Ma rketin g Foreca st Accou n tin g Read/write Read Ma rketin g Read Read/Write E xecu tive Read Read
Single sign-on validate validate Database Web server Security Server Kerberos RADIUS Request User access login Request access
Encryption: Single Key Plain text message  Encrypt and decrypt with the same key AES ◦ How do you get the key safely to the other party? Key: 9837362 Encrypted ◦ What if there are many text people involved?  Fast encryption and Single key: e.g., AES decryption Encrypted text ◦ DES - old and falls to brute force attacks AES ◦ Triple DES - old but slightly Key: 9837362 harder to break with brute force. Plain text ◦ AES - new standard message
Encryption: Dual Key Message Message Encrypted Alice Bob Private Key Public Keys 13 Use Private Key Use Alice 29 Bob’s 37 Bob’s Bob 17 Private key Public key Alice sends message to Bob that only he can read.
Dual Key: Authentication Message Transmission Message Message+A Message+B Alice Message+A+B Private Key 13 Bob Use Public Keys Alice’s Private Key Private key Alice 29 Use 37 Use Bob 17 Use Bob’s Bob’s Alice’s Private key Public key Public key Alice sends a message to Bob Her private key guarantees it came from her. His public key prevents anyone else from reading message.
How does Bob Certificate Authority know that it is really Alice’s key?  Public key Trust the C.A. ◦ Imposter could sign up for a public key. C.A. validate ◦ Need trusted organization. applicants ◦ Several public companies, with no Public Keys Alice regulation. ◦ Verisign mistakenly issued Alice 29 a certificate to an imposter Bob 17 claiming to work for Microsoft in 2001. ◦ Browser has list of trusted Eve could impersonate root authorities. Alice to obtain a digital Eve key and send false messages that seem to come from Alice.
Encryption Summary  Encryption prevents people from reading or changing data.  Dual-key encryption can be used to digitally sign documents and authenticate users.  Encryption does not solve all problems. ◦ Data can still be deleted. ◦ Hackers might get data while it is unencrypted. ◦ People can lose or withhold keys or passwords.  Brute force can decrypt data with enough processing power. ◦ Difficult if the keys are long enough. ◦ But computers keep getting faster. ◦ Connecting a few million together is massive time reduction. ◦ Quantum computing if developed could crack existing encryption methods.
Clipper Chip: Key Escrow Decrypted conversation Escrow keys Judicial or government office Intercept Encrypted conversation Clipper chip in phones
Additional Controls  Audits http://www.lexisnexis.com/risk  Monitoring (bought ChoicePoint)  Background checks: http://www.knowx.com/ (also lexis nexis) http://www.casebreakers.com/ http://www.publicdata.com/
Computer Forensics Software: • Verify copy. Original Exact • Tag/identify files. drive copy • Scan for key words. • Recover deleted files. • Identify photos. • Attempt to decrypt files. Write blocker: • Time sequence Physically prevent • Browser history data from being • File activity altered on the • Logs original drive.
Securing E-Commerce Servers 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for passwords. 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks. 5. Use and regularly update anti-virus software. 6. Develop and maintain secure systems and applications. 7. Restrict access to cardholder data by business need to know. 8. Assign a unique id to each person with computer access. 9. Restrict physical access to cardholder data. 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. 12. Maintain a policy that addresses information security. https://www.pcisecuritystandards.org/
Internet Firewall Internal company data servers Firewall router Keeps local data from going Company PCs to Web servers. Firewall router Examines each Internet packet and discards some types of requests.
Firewalls: Rules IP source address Allowed packets IP destination address Port source and destination Protocol (TCP, UDP, ICMP) Rules based on packet attributes Allow: all IP source, Port 80 (Web server) Disallow: Port 25 (e-mail), all destinations except e-mail server. … Internet by default allows almost all traffic. Firewalls usually configured to block all traffic, and allow only connections to specific servers assigned to individual tasks.
Intrusion Detection System (IDS) Intrusion Prevention System (IPS) Collect packet info from everywhere IDS/IPS Analyze packet data in real time. Rules to evaluate potential threats. Company PCs IPS: Reconfigure firewalls to block IP addresses evaluated as threats.
Denial Of Service Coordinated flood attack. Targeted server. Break in. Flood program. Zombie PCs at homes, schools, and businesses. Weak security.
Denial of Service Actions  Hard for an individual company to stop DoS ◦ Can add servers and bandwidth. ◦ Use distributed cloud (e.g., Amazon EC2) ◦ But servers and bandwidth cost money  Push ISPs to monitor client computers ◦ At one time, asked them to block some users. ◦ Increasingly, ISPs impose data caps—so users have a financial incentive to keep their computers clean. ◦ Microsoft Windows has anti-spyware tools to remove some of the known big threats.
Cloud Computing and Security  Cloud providers can afford to hire security experts.  Distributed servers and databases provide real-time continuous backup.  Web-based applications might need increased use of encryption.  But, if you want ultimate security, you would have to run your own cloud.
Privacy  Tradeoff between security and privacy ◦ Security requires the ability to track many activities and users. ◦ People want to be secure but they also do not want every company (or government agency) prying into their lives  Businesses have an obligation to keep data confidential  More details in Chapter 14
Technology Toolbox: Security Permissions 1. If Windows XP, Tools/Folder Options, Advanced, uncheck “Use simple file sharing” 2. Create groups and users (or pull from network definitions when available) 3. Start menu/All Programs/Administrative Tools/Computer Management or Start/Run: compmgmt.msc /s 4. Add users and groups 5. Find folder, right-click, Sharing and Security, Permissions, remove “Everyone,” Add the new group with Read permission
Quick Quiz: Assigning Security Permissions 1. Why is it important to define groups of users? 2. Why is it important to delete this test group and users when you are finished?
Technology Toolbox: Encrypting Files 1. Microsoft Office: Save with a Password: File/Info/Save with Password. Single key. 2. Install security certificates to encrypt e-mail (challenging). 3. Laptop and USB drives: Windows 7: BitLocker complete encryption. Best if the computer has a TPM: Trusted Platform Module to hold the encryption keys.
Quick Quiz: Encryption 1. Why would a business want to use encryption? 2. When would it be useful to set up dual-key encryption for e-mail? 3. In a typical company, which drives should use drive- level encryption?
Cases: Professional Sports  Football  Basketball  Baseball How do you keep data secure? Imagine the problems if one team steals playbook data from another.

Recommandé

One of 2 protect your business
One of 2 protect your businessOne of 2 protect your business
One of 2 protect your businessManagement Insights LLC
 
CH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and EthicallyCH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and EthicallySukanya Ben
 
RSA 2010 Kevin Rowney
RSA 2010 Kevin RowneyRSA 2010 Kevin Rowney
RSA 2010 Kevin RowneySymantec
 
S nandakumar
S nandakumarS nandakumar
S nandakumarIPPAI
 
Why your small business needs edr solution
Why your small business needs edr solution Why your small business needs edr solution
Why your small business needs edr solution Xperteks
 
Symantec Web Security Solutions
Symantec Web Security SolutionsSymantec Web Security Solutions
Symantec Web Security SolutionsSymantec
 
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackReassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackDragos, Inc.
 
ROBUST LOSSLESS WATERMARKING OF RELATIONAL DATABASES USING MULTIMEDIA DATA_An...
ROBUST LOSSLESS WATERMARKING OF RELATIONAL DATABASES USING MULTIMEDIA DATA_An...ROBUST LOSSLESS WATERMARKING OF RELATIONAL DATABASES USING MULTIMEDIA DATA_An...
ROBUST LOSSLESS WATERMARKING OF RELATIONAL DATABASES USING MULTIMEDIA DATA_An...anjuvipin
 

Recommandé

One of 2 protect your business
One of 2 protect your businessOne of 2 protect your business
One of 2 protect your businessManagement Insights LLC
 
CH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and EthicallyCH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and EthicallySukanya Ben
 
RSA 2010 Kevin Rowney
RSA 2010 Kevin RowneyRSA 2010 Kevin Rowney
RSA 2010 Kevin RowneySymantec
 
S nandakumar
S nandakumarS nandakumar
S nandakumarIPPAI
 
Why your small business needs edr solution
Why your small business needs edr solution Why your small business needs edr solution
Why your small business needs edr solution Xperteks
 
Symantec Web Security Solutions
Symantec Web Security SolutionsSymantec Web Security Solutions
Symantec Web Security SolutionsSymantec
 
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackReassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackDragos, Inc.
 
ROBUST LOSSLESS WATERMARKING OF RELATIONAL DATABASES USING MULTIMEDIA DATA_An...
ROBUST LOSSLESS WATERMARKING OF RELATIONAL DATABASES USING MULTIMEDIA DATA_An...ROBUST LOSSLESS WATERMARKING OF RELATIONAL DATABASES USING MULTIMEDIA DATA_An...
ROBUST LOSSLESS WATERMARKING OF RELATIONAL DATABASES USING MULTIMEDIA DATA_An...anjuvipin
 
Trend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUGTrend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUGtovmug
 
US Data Breaches Analysis
US Data Breaches AnalysisUS Data Breaches Analysis
US Data Breaches Analysisjkveragas
 
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Security B-Sides
 
Advanced Solutions for Critical Infrastructure Protection
Advanced Solutions for Critical Infrastructure ProtectionAdvanced Solutions for Critical Infrastructure Protection
Advanced Solutions for Critical Infrastructure ProtectionEntrust Datacard
 
Infromation Security as an Institutional Priority
Infromation Security as an Institutional PriorityInfromation Security as an Institutional Priority
Infromation Security as an Institutional Priorityzohaibqadir
 
Safe Computing At Home And Work
Safe Computing At Home And WorkSafe Computing At Home And Work
Safe Computing At Home And WorkJohn Steensen, MBA/TM, CISA, CRISC
 
0470170778
04701707780470170778
0470170778Alaa Khateeb
 
The New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandThe New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandTyler Shields
 
2 01 Terms Technology Issues
2 01 Terms Technology Issues2 01 Terms Technology Issues
2 01 Terms Technology Issueserikabonati
 
New Solutions for Security and Compliance in the Cloud
New Solutions for Security and Compliance in the CloudNew Solutions for Security and Compliance in the Cloud
New Solutions for Security and Compliance in the CloudOnline Tech
 
Future-proofing Supply Chain against emerging Cyber-physical Threats
Future-proofing Supply Chain against emerging Cyber-physical ThreatsFuture-proofing Supply Chain against emerging Cyber-physical Threats
Future-proofing Supply Chain against emerging Cyber-physical ThreatsSteven SIM Kok Leong
 
Ids
IdsIds
Idsfangjiafu
 
News Bytes - December 2012
News Bytes - December 2012News Bytes - December 2012
News Bytes - December 2012n|u - The Open Security Community
 
Introduction - Trend Micro Deep Security
Introduction - Trend Micro Deep SecurityIntroduction - Trend Micro Deep Security
Introduction - Trend Micro Deep SecurityAndrew Wong
 
Egress Switch Datasheet
Egress Switch Datasheet Egress Switch Datasheet
Egress Switch Datasheet yonifine
 
Electronic Data Discovery
Electronic Data DiscoveryElectronic Data Discovery
Electronic Data DiscoveryCarahsoft
 
Configure The Unidentified ..
Configure The Unidentified ..Configure The Unidentified ..
Configure The Unidentified ..Cody
 
2 01 Hw
2 01 Hw2 01 Hw
2 01 Hw06maggiequ
 
Mission impossible: Protect Your Date from Cyberspace & HIPAA Violations
Mission impossible: Protect Your Date from Cyberspace & HIPAA ViolationsMission impossible: Protect Your Date from Cyberspace & HIPAA Violations
Mission impossible: Protect Your Date from Cyberspace & HIPAA ViolationsValerie Houghton
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service AttacksBrent Muir
 
2.5 safety and security of data in ict systems 13 12-11
2.5 safety and security of data in ict systems 13 12-112.5 safety and security of data in ict systems 13 12-11
2.5 safety and security of data in ict systems 13 12-11mrmwood
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 

Contenu connexe

Tendances

Trend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUGTrend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUGtovmug
 
US Data Breaches Analysis
US Data Breaches AnalysisUS Data Breaches Analysis
US Data Breaches Analysisjkveragas
 
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Security B-Sides
 
Advanced Solutions for Critical Infrastructure Protection
Advanced Solutions for Critical Infrastructure ProtectionAdvanced Solutions for Critical Infrastructure Protection
Advanced Solutions for Critical Infrastructure ProtectionEntrust Datacard
 
Infromation Security as an Institutional Priority
Infromation Security as an Institutional PriorityInfromation Security as an Institutional Priority
Infromation Security as an Institutional Priorityzohaibqadir
 
The New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandThe New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandTyler Shields
 
2 01 Terms Technology Issues
2 01 Terms Technology Issues2 01 Terms Technology Issues
2 01 Terms Technology Issueserikabonati
 
New Solutions for Security and Compliance in the Cloud
New Solutions for Security and Compliance in the CloudNew Solutions for Security and Compliance in the Cloud
New Solutions for Security and Compliance in the CloudOnline Tech
 
Future-proofing Supply Chain against emerging Cyber-physical Threats
Future-proofing Supply Chain against emerging Cyber-physical ThreatsFuture-proofing Supply Chain against emerging Cyber-physical Threats
Future-proofing Supply Chain against emerging Cyber-physical ThreatsSteven SIM Kok Leong
 
Introduction - Trend Micro Deep Security
Introduction - Trend Micro Deep SecurityIntroduction - Trend Micro Deep Security
Introduction - Trend Micro Deep SecurityAndrew Wong
 
Egress Switch Datasheet
Egress Switch Datasheet Egress Switch Datasheet
Egress Switch Datasheet yonifine
 
Electronic Data Discovery
Electronic Data DiscoveryElectronic Data Discovery
Electronic Data DiscoveryCarahsoft
 
Configure The Unidentified ..
Configure The Unidentified ..Configure The Unidentified ..
Configure The Unidentified ..Cody
 
Mission impossible: Protect Your Date from Cyberspace & HIPAA Violations
Mission impossible: Protect Your Date from Cyberspace & HIPAA ViolationsMission impossible: Protect Your Date from Cyberspace & HIPAA Violations
Mission impossible: Protect Your Date from Cyberspace & HIPAA ViolationsValerie Houghton
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service AttacksBrent Muir
 

Tendances (20)

Trend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUGTrend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUG
 
US Data Breaches Analysis
US Data Breaches AnalysisUS Data Breaches Analysis
US Data Breaches Analysis
 
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
 
Advanced Solutions for Critical Infrastructure Protection
Advanced Solutions for Critical Infrastructure ProtectionAdvanced Solutions for Critical Infrastructure Protection
Advanced Solutions for Critical Infrastructure Protection
 
Infromation Security as an Institutional Priority
Infromation Security as an Institutional PriorityInfromation Security as an Institutional Priority
Infromation Security as an Institutional Priority
 
Safe Computing At Home And Work
Safe Computing At Home And WorkSafe Computing At Home And Work
Safe Computing At Home And Work
 
0470170778
04701707780470170778
0470170778
 
The New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandThe New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP Ireland
 
2 01 Terms Technology Issues
2 01 Terms Technology Issues2 01 Terms Technology Issues
2 01 Terms Technology Issues
 
New Solutions for Security and Compliance in the Cloud
New Solutions for Security and Compliance in the CloudNew Solutions for Security and Compliance in the Cloud
New Solutions for Security and Compliance in the Cloud
 
Future-proofing Supply Chain against emerging Cyber-physical Threats
Future-proofing Supply Chain against emerging Cyber-physical ThreatsFuture-proofing Supply Chain against emerging Cyber-physical Threats
Future-proofing Supply Chain against emerging Cyber-physical Threats
 
Ids
IdsIds
Ids
 
News Bytes - December 2012
News Bytes - December 2012News Bytes - December 2012
News Bytes - December 2012
 
Introduction - Trend Micro Deep Security
Introduction - Trend Micro Deep SecurityIntroduction - Trend Micro Deep Security
Introduction - Trend Micro Deep Security
 
Egress Switch Datasheet
Egress Switch Datasheet Egress Switch Datasheet
Egress Switch Datasheet
 
Electronic Data Discovery
Electronic Data DiscoveryElectronic Data Discovery
Electronic Data Discovery
 
Configure The Unidentified ..
Configure The Unidentified ..Configure The Unidentified ..
Configure The Unidentified ..
 
2 01 Hw
2 01 Hw2 01 Hw
2 01 Hw
 
Mission impossible: Protect Your Date from Cyberspace & HIPAA Violations
Mission impossible: Protect Your Date from Cyberspace & HIPAA ViolationsMission impossible: Protect Your Date from Cyberspace & HIPAA Violations
Mission impossible: Protect Your Date from Cyberspace & HIPAA Violations
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service Attacks
 

Similaire à Mis05

2.5 safety and security of data in ict systems 13 12-11
2.5 safety and security of data in ict systems 13 12-112.5 safety and security of data in ict systems 13 12-11
2.5 safety and security of data in ict systems 13 12-11mrmwood
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 
Better to Ask Permission? Best Practices for Privacy and Security
Better to Ask Permission? Best Practices for Privacy and SecurityBetter to Ask Permission? Best Practices for Privacy and Security
Better to Ask Permission? Best Practices for Privacy and SecurityEric Kavanagh
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDebra Baker, CISSP CSSP
 
Topic #17 IT Security ITSecurityIncidentsA.docx
Topic #17 IT Security ITSecurityIncidentsA.docxTopic #17 IT Security ITSecurityIncidentsA.docx
Topic #17 IT Security ITSecurityIncidentsA.docxjuliennehar
 
Using Big Data to Counteract Advanced Threats
Using Big Data to Counteract Advanced ThreatsUsing Big Data to Counteract Advanced Threats
Using Big Data to Counteract Advanced ThreatsZivaro Inc
 
Gary managed services_naples (2)
Gary managed services_naples (2)Gary managed services_naples (2)
Gary managed services_naples (2)Gary Fincher
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Managementipspat
 
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...TI Safe
 
IT guide to data storage and protection
IT guide to data storage and protectionIT guide to data storage and protection
IT guide to data storage and protectiondoogstone
 
Managing and securing the enterprise
Managing and securing the enterpriseManaging and securing the enterprise
Managing and securing the enterpriseAbha Damani
 
The Breach at Limetree Updated November 18, 2017 Bac.docx
The Breach at Limetree Updated November 18, 2017 Bac.docxThe Breach at Limetree Updated November 18, 2017 Bac.docx
The Breach at Limetree Updated November 18, 2017 Bac.docxmehek4
 
DNS Security, is it enough?
DNS Security, is it enough? DNS Security, is it enough?
DNS Security, is it enough? Zscaler
 
Ph d proposal_20070809
Ph d proposal_20070809Ph d proposal_20070809
Ph d proposal_20070809Todd Deshane
 
Trying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingTrying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingBrent Muir
 
BlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
BlueHat Seattle 2019 || Autopsies of Recent DFIR InvestigationsBlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
BlueHat Seattle 2019 || Autopsies of Recent DFIR InvestigationsBlueHat Security Conference
 

Similaire à Mis05 (20)

2.5 safety and security of data in ict systems 13 12-11
2.5 safety and security of data in ict systems 13 12-112.5 safety and security of data in ict systems 13 12-11
2.5 safety and security of data in ict systems 13 12-11
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
Better to Ask Permission? Best Practices for Privacy and Security
Better to Ask Permission? Best Practices for Privacy and SecurityBetter to Ask Permission? Best Practices for Privacy and Security
Better to Ask Permission? Best Practices for Privacy and Security
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptx
 
Topic #17 IT Security ITSecurityIncidentsA.docx
Topic #17 IT Security ITSecurityIncidentsA.docxTopic #17 IT Security ITSecurityIncidentsA.docx
Topic #17 IT Security ITSecurityIncidentsA.docx
 
Using Big Data to Counteract Advanced Threats
Using Big Data to Counteract Advanced ThreatsUsing Big Data to Counteract Advanced Threats
Using Big Data to Counteract Advanced Threats
 
Mcafee dyntek
Mcafee dyntekMcafee dyntek
Mcafee dyntek
 
Gary managed services_naples (2)
Gary managed services_naples (2)Gary managed services_naples (2)
Gary managed services_naples (2)
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Management
 
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
 
Why Risk Management Fails
Why Risk Management FailsWhy Risk Management Fails
Why Risk Management Fails
 
IT guide to data storage and protection
IT guide to data storage and protectionIT guide to data storage and protection
IT guide to data storage and protection
 
Managing and securing the enterprise
Managing and securing the enterpriseManaging and securing the enterprise
Managing and securing the enterprise
 
The Breach at Limetree Updated November 18, 2017 Bac.docx
The Breach at Limetree Updated November 18, 2017 Bac.docxThe Breach at Limetree Updated November 18, 2017 Bac.docx
The Breach at Limetree Updated November 18, 2017 Bac.docx
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
DNS Security, is it enough?
DNS Security, is it enough? DNS Security, is it enough?
DNS Security, is it enough?
 
Ph d proposal_20070809
Ph d proposal_20070809Ph d proposal_20070809
Ph d proposal_20070809
 
Trying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingTrying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computing
 
BlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
BlueHat Seattle 2019 || Autopsies of Recent DFIR InvestigationsBlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
BlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
 
Web security 2012
Web security 2012Web security 2012
Web security 2012
 

Plus de Lee Gomez

February 15, 2024 - One Year Experiencing God's Presence Devotional
February 15, 2024 - One Year Experiencing God's Presence DevotionalFebruary 15, 2024 - One Year Experiencing God's Presence Devotional
February 15, 2024 - One Year Experiencing God's Presence DevotionalLee Gomez
 
The Lord's Supper celebration and worship
The Lord's Supper celebration and worshipThe Lord's Supper celebration and worship
The Lord's Supper celebration and worshipLee Gomez
 
Avail beauty presentation updated v2
Avail beauty presentation updated v2Avail beauty presentation updated v2
Avail beauty presentation updated v2Lee Gomez
 
MIS Chapter 3
MIS Chapter 3MIS Chapter 3
MIS Chapter 3Lee Gomez
 
MIS - Chapter 02
MIS - Chapter 02MIS - Chapter 02
MIS - Chapter 02Lee Gomez
 
Communication Arts 101
Communication Arts 101Communication Arts 101
Communication Arts 101Lee Gomez
 
Communication arts 101
Communication arts 101Communication arts 101
Communication arts 101Lee Gomez
 
Communication arts 101
Communication arts 101Communication arts 101
Communication arts 101Lee Gomez
 

Plus de Lee Gomez (13)

February 15, 2024 - One Year Experiencing God's Presence Devotional
February 15, 2024 - One Year Experiencing God's Presence DevotionalFebruary 15, 2024 - One Year Experiencing God's Presence Devotional
February 15, 2024 - One Year Experiencing God's Presence Devotional
 
The Lord's Supper celebration and worship
The Lord's Supper celebration and worshipThe Lord's Supper celebration and worship
The Lord's Supper celebration and worship
 
Mis07
Mis07Mis07
Mis07
 
Mis08
Mis08Mis08
Mis08
 
Avail beauty presentation updated v2
Avail beauty presentation updated v2Avail beauty presentation updated v2
Avail beauty presentation updated v2
 
Mis04
Mis04Mis04
Mis04
 
Mis06
Mis06Mis06
Mis06
 
MIS Chapter 3
MIS Chapter 3MIS Chapter 3
MIS Chapter 3
 
Mis01
Mis01Mis01
Mis01
 
MIS - Chapter 02
MIS - Chapter 02MIS - Chapter 02
MIS - Chapter 02
 
Communication Arts 101
Communication Arts 101Communication Arts 101
Communication Arts 101
 
Communication arts 101
Communication arts 101Communication arts 101
Communication arts 101
 
Communication arts 101
Communication arts 101Communication arts 101
Communication arts 101
 

Mis05

  • 1. Introduction to MIS Chapter 5 Computer Security Jerry Post Technology Toolbox: Assigning Security Permissions Technology Toolbox: Encrypting E-Mail?? Cases: Professional Sports
  • 2. Outline  How do you protect your information resources?  What are the primary threats to an information system?  What primary options are used to provide computer security?  What non-computer-based tools can be used to provide additional security?  How do you protect data when unknown people might be able to find it or intercept it? What additional benefits can be provided by encryption?  How do you prove the allegations in a computer crime?  What special security problems arise in e- commerce?
  • 3. Server Attacks Computer Security + Physical Dangers The Internet Data interception + external attackers Monitoring/ Internal + Privacy Spyware
  • 4. Threats to Information  Accidents & Disasters  Employees & Consultants  Business Partnerships  Outside Attackers ◦ Viruses & Spyware ◦ Direct attacks & Scripts Links to business partners Virus hiding in e-mail or Web site. Employees & Consultants Outside hackers
  • 5. Security Categories  Physical attack &  Logical disasters ◦ Unauthorized disclosure  Backup--off-site ◦ Unauthorized modification  Physical facilities ◦ Unauthorized ◦ Cold/Shell site withholding, Denial of ◦ Hot site Service ◦ Disaster tests ◦ Personal computers  Confidentiality,  Continuous backup Integrity, Accessibility (CIA)  Behavioral ◦ Users give away passwords ◦ Users can make mistakes ◦ Employees can go bad
  • 6. Horror Stories  Security Pacific--Oct. 1978  Robert Morris--1989 ◦ Stanley Mark Rifkin ◦ Graduate Student ◦ Electronic Funds Transfer ◦ Unix “Worm” ◦ $10.2 million ◦ Internet--tied up for 3 days ◦ Switzerland  Clifford Stoll--1989 ◦ Soviet Diamonds ◦ The Cuckoo’s Egg ◦ Came back to U.S. ◦ Berkeley Labs  Hacker/youngster: Seattle ◦ Unix--account not balance ◦ Physically stole some computers and ◦ Monitor, false information was arrested ◦ Track to East German spy: Marcus ◦ Sentenced to prison, scheduled to Hess begin in 2 months  Old Techniques ◦ Decides to hack the computer system and change sentence to probation ◦ Salami slice ◦ Hacks Boeing computers to launch ◦ Bank deposit slips attack on court house ◦ Trojan Horse ◦ Mistakenly attacks Federal court ◦ Virus instead of State court ◦ Gets caught again, causes $75,000 damages at Boeing
  • 7. More Horror Stories  TJ Max (TJX) 2007  Alaska State Fund 2007 ◦ A hacker gained access to ◦ Technician accidentally the retailer’s transaction deleted Alaska oil-revenue system and stole credit card dividend data file. data on millions of ◦ And deleted all backups. customers. ◦ 70 people worked overtime ◦ The hacker gained access to for 6 weeks to re-enter the unencrypted card data. data at a cost of $220,000. ◦ The hacker most likely also  Terry Childs, San Francisco had obtained the decryption key. Network Engineer ◦ TJX was sued by dozens of ◦ In 2008 refused to tell banks for the costs incurred anyone the administrative in replacing the stolen cards. passwords for the city network ◦ (2011) Hackers were arrested and sentenced. One ◦ The networks remained (Albert Gonzalez) had been running, but could not be working as a “consultant” to monitored or altered. federal law enforcement. ◦ He eventually gave them to the Mayor, but was NY Times Rolling Stones Govt Tech convicted.
  • 8. Disaster Planning (older)  Backup data Backup/Safe storage Recovery Facility  Recovery facility  A detailed plan  Test the plan MIS Employees Network Business/Operations
  • 9. Data Backup (in-house/old style) Power company Use the network to back up PC data. Use duplicate mirrored servers for extreme reliability. UPS Frequent backups enable Diesel generator you to recover Offsite backups from disasters are critical. and mistakes.
  • 10. Disaster Planning (continuous)  How long can company survive without computers?  Backup is critical  Offsite backup is critical  Levels ◦ RAID (multiple drives) ◦ Real time replication ◦ Scheduled backups and versions  Not just data but processing ◦ Offsite, duplicate facilities ◦ Cloud computing  Still challenges with personal computer data
  • 11. Continuous Backup Secure Internet connection Storage area Off-site or cloud network with computing Server cluster redundancy processing and data with built-in and RAID Use both sites redundancy continuously or switch DNS entries to transfer users in a disaster. Users connect to the servers
  • 12. Threats to Users  Attacker takes over computer ◦ Virus/Trojan ◦ Phishing ◦ Unpatched computer/known holes ◦ Intercepted wireless data  Bad outcomes ◦ Lost passwords, impersonation, lost money ◦ Stolen credit cards, lost money ◦ Zombie machine, attacks others ◦ Commits crimes blamed on you
  • 13. Virus/Trojan Horse From: afriend To: victim 2 3 Message: Open 1 the attachment for some excitement. 1. User opens an attached program that contains hidden virus Attachment 2. Virus copies itself into other programs on the computer 01 23 05 06 77 03 3. Virus spreads to other files and 3A 7F 3C 5D 83 94 other computers. 19 2C 2E A2 87 62 02 8E FA EA 12 79 54 29 3F 4F 73 9F Virus code
  • 14. Spyware hacker Capture keystrokes Password Viruses used to delete your files. Now they become Credit card spyware and steal your data, passwords, and credit cards. Password
  • 15. Stopping a Virus/Trojan Horse  Backup your data!  Never run applications unless you are certain they are safe.  Never open executable attachments sent over the Internet--regardless of who mailed them.  Antivirus software ◦ Scans every file looking for known bad signatures ◦ Needs constant updating ◦ Rarely catches current viruses ◦ Can interfere with other programs ◦ Can be expensive ◦ Can usually remove a known virus
  • 16. Phishing: Fake Web Sites E-mail Really good fake of Bank account is your bank’s Web overdrawn. site. Please click here to log in. Sent to hacker who steals your Username money. Password You are tired and click the link and enter username/password.
  • 17. Avoiding Phishing Attacks  Never give your login username and password to anyone. Systems people do not need it.  Be extremely cautious about bank sites and avoid clicking any links that are sent by e-mail.  Always double-check the URL of the site and the browser security settings.
  • 18. Two-step Process often used by Banks Real bank site Username URL Security indicators Password Image or phrase you created earlier After checking the URL, Password: security indicators, and the image or phrase you entered when you opened the account, it is safe to enter your password.
  • 19. Patching Software Vendor Hacker attacks your Researchers announces computer when you go find bug patch to a Web site time You should update immediately Zero-day attack. Hacker finds bug/hole first. Everyone is vulnerable.
  • 20. Unpatched Computer/Known Holes Researchers and Bugs enable attackers Attackers learn about vendors find bugs in to create files and holes and write scripts programs. Web sites that that automatically overwrite memory and search for unpatched Vendors fix the let them take over a computers. programs and release computer. Even with updates. images and PDF files. Thousands of people run these scripts against every computer they can find You forget to update on the Internet. your computer. Someone takes over your computer. 2008, SFGate, 95% of computers need updates (online) 2011, RSA/Computerworld, 80% of browsers need updates (online)
  • 21. Update Your Software  O/S: Microsoft (and Apple) ◦ Set security system to auto-update. ◦ But laptops are often turned off. ◦ Microsoft “patch Tuesday” so manually check on Wednesday or Thursday.  Browsers ◦ Some patched with operating system. ◦ Others use Help/About. ◦ Check add-ins: Java, Flash, Acrobat, …  Applications ◦ Check with vendor Web site. ◦ Try Help/About.  Monitor your network usage. ◦ Botnet software and viruses can flood your network. ◦ Slowing down traffic. ◦ Exceeding your Internet data caps.
  • 22. Internet Data Transmission Eavesdropper Destination Intermediate Routers Start
  • 23. Intercepted Wireless Communications Hacker installs software to capture all data traffic on the wireless network. (e.g., Firesheep) Browser cookies from the server are rarely encrypted and can be captured to impersonate you on your Web service accounts.
  • 24. Protect Wireless Transmissions  Never use public wireless for anything other than simple Web surfing?  Use virtual private network (VPN) software which encrypts all transmissions from your computer to their server?  Encourage Web sites to encrypt all transmissions?  Most options have drawbacks today (2011).  Warning: Firesheep is extremely easy to use and it is highly likely someone is running it on any public network you use.  Eventually, it is likely that all Internet connections will have to use end-to-end encryption for all communication. (Which is the point of the author of Firesheep.)
  • 25. Common Web Encryption: Login only Initial page, encryption keys Username/password (encrypted) Server Cookie/identifier (Not encrypted) Session and additional pages Hijacked not encrypted. With session unencrypted cookie/identifier. Intercepted User Eavesdropper hacker
  • 26. Fundamental Issue: User Identification  Passwords  Alternatives: Biometrics ◦ Dial up service found 30% of ◦ Finger/hand print people used same word ◦ Voice recognition ◦ People choose obvious ◦ Retina/blood vessels ◦ Post-It notes ◦ Iris scanner ◦ DNA ?  Hints  Password generator cards ◦ Don’t use real words  Comments ◦ Don’t use personal names ◦ Don’t have to remember ◦ Include non-alphabetic ◦ Reasonably accurate ◦ Change often ◦ Price is dropping ◦ Use at least 8 characters ◦ Nothing is perfect ◦ Don’t use the same password everywhere ◦  But then you cannot remember the passwords!
  • 27. Bad Passwords  Some hackers have released stolen and cracked password files. Analysis reveals the most common passwords—which are also in a list used by hackers. Do not use these as your password! Example source: Ashlee Vance, “If Your Password Is 123456, Just Make It HackMe,” The New York Times, January 20, 2010. 1. 123456 11. nicole 21. Iloveu 2. 12345 12. daniel 22. michelle 3. 123456789 13. babygirl 23. 111111 4. password 14. monkey 24. 0 5. iloveyou 15. jessica 25. Tigger 6. princess 16. lovely 26. password1 7. rockyou 17. michael 27. sunshine 8. 1234567 18. ashley 28. chocolate 9. 12345678 19. 654321 29. anthony 10. abc123 20. qwerty 30. Angel 31. FRIENDS 32. soccer
  • 28. Iris Scan Panasonic http://www.eyeticket.com/ http://www.iridiantech.com/ eyepass/index.html questions/q2/features.html Algorithm patents by JOHN DAUGMAN 1994 http://www.cl.cam.ac.uk/~jgd1000/
  • 29. Biometrics: Thermal Several methods exist to identify a person based on biological characteristics. Common techniques include fingerprint, handprint readers, and retinal scanners. More exotic devices include body shape sensors and this thermal facial reader which uses infrared imaging to identify the user.
  • 30. Lack of Biometric Standards  Biometrics can be used for local logins.  Which can be used within a company.  But, no standards exist for sharing biometric data or using them on Web sites.  And do you really want every minor Web site to store your biometric fingerprints?
  • 31. Access Controls: Permissions in Windows Find the folder or directory in explorer. Right-click to set properties. On the Security tab,assign permissions.
  • 32. Security Controls  Access Control ◦ Ownership of data ◦ Read, Write, Execute, Delete, Change Permission, Take Ownership  Security Monitoring ◦ Access logs ◦ Violations ◦ Lock-outs Resou rce/F iles Users Ba la n ce Sh eet Ma rketin g Foreca st Accou n tin g Read/write Read Ma rketin g Read Read/Write E xecu tive Read Read
  • 33. Single sign-on validate validate Database Web server Security Server Kerberos RADIUS Request User access login Request access
  • 34. Encryption: Single Key Plain text message  Encrypt and decrypt with the same key AES ◦ How do you get the key safely to the other party? Key: 9837362 Encrypted ◦ What if there are many text people involved?  Fast encryption and Single key: e.g., AES decryption Encrypted text ◦ DES - old and falls to brute force attacks AES ◦ Triple DES - old but slightly Key: 9837362 harder to break with brute force. Plain text ◦ AES - new standard message
  • 35. Encryption: Dual Key Message Message Encrypted Alice Bob Private Key Public Keys 13 Use Private Key Use Alice 29 Bob’s 37 Bob’s Bob 17 Private key Public key Alice sends message to Bob that only he can read.
  • 36. Dual Key: Authentication Message Transmission Message Message+A Message+B Alice Message+A+B Private Key 13 Bob Use Public Keys Alice’s Private Key Private key Alice 29 Use 37 Use Bob 17 Use Bob’s Bob’s Alice’s Private key Public key Public key Alice sends a message to Bob Her private key guarantees it came from her. His public key prevents anyone else from reading message.
  • 37. How does Bob Certificate Authority know that it is really Alice’s key?  Public key Trust the C.A. ◦ Imposter could sign up for a public key. C.A. validate ◦ Need trusted organization. applicants ◦ Several public companies, with no Public Keys Alice regulation. ◦ Verisign mistakenly issued Alice 29 a certificate to an imposter Bob 17 claiming to work for Microsoft in 2001. ◦ Browser has list of trusted Eve could impersonate root authorities. Alice to obtain a digital Eve key and send false messages that seem to come from Alice.
  • 38. Encryption Summary  Encryption prevents people from reading or changing data.  Dual-key encryption can be used to digitally sign documents and authenticate users.  Encryption does not solve all problems. ◦ Data can still be deleted. ◦ Hackers might get data while it is unencrypted. ◦ People can lose or withhold keys or passwords.  Brute force can decrypt data with enough processing power. ◦ Difficult if the keys are long enough. ◦ But computers keep getting faster. ◦ Connecting a few million together is massive time reduction. ◦ Quantum computing if developed could crack existing encryption methods.
  • 39. Clipper Chip: Key Escrow Decrypted conversation Escrow keys Judicial or government office Intercept Encrypted conversation Clipper chip in phones
  • 40. Additional Controls  Audits http://www.lexisnexis.com/risk  Monitoring (bought ChoicePoint)  Background checks: http://www.knowx.com/ (also lexis nexis) http://www.casebreakers.com/ http://www.publicdata.com/
  • 41. Computer Forensics Software: • Verify copy. Original Exact • Tag/identify files. drive copy • Scan for key words. • Recover deleted files. • Identify photos. • Attempt to decrypt files. Write blocker: • Time sequence Physically prevent • Browser history data from being • File activity altered on the • Logs original drive.
  • 42. Securing E-Commerce Servers 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for passwords. 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks. 5. Use and regularly update anti-virus software. 6. Develop and maintain secure systems and applications. 7. Restrict access to cardholder data by business need to know. 8. Assign a unique id to each person with computer access. 9. Restrict physical access to cardholder data. 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. 12. Maintain a policy that addresses information security. https://www.pcisecuritystandards.org/
  • 43. Internet Firewall Internal company data servers Firewall router Keeps local data from going Company PCs to Web servers. Firewall router Examines each Internet packet and discards some types of requests.
  • 44. Firewalls: Rules IP source address Allowed packets IP destination address Port source and destination Protocol (TCP, UDP, ICMP) Rules based on packet attributes Allow: all IP source, Port 80 (Web server) Disallow: Port 25 (e-mail), all destinations except e-mail server. … Internet by default allows almost all traffic. Firewalls usually configured to block all traffic, and allow only connections to specific servers assigned to individual tasks.
  • 45. Intrusion Detection System (IDS) Intrusion Prevention System (IPS) Collect packet info from everywhere IDS/IPS Analyze packet data in real time. Rules to evaluate potential threats. Company PCs IPS: Reconfigure firewalls to block IP addresses evaluated as threats.
  • 46. Denial Of Service Coordinated flood attack. Targeted server. Break in. Flood program. Zombie PCs at homes, schools, and businesses. Weak security.
  • 47. Denial of Service Actions  Hard for an individual company to stop DoS ◦ Can add servers and bandwidth. ◦ Use distributed cloud (e.g., Amazon EC2) ◦ But servers and bandwidth cost money  Push ISPs to monitor client computers ◦ At one time, asked them to block some users. ◦ Increasingly, ISPs impose data caps—so users have a financial incentive to keep their computers clean. ◦ Microsoft Windows has anti-spyware tools to remove some of the known big threats.
  • 48. Cloud Computing and Security  Cloud providers can afford to hire security experts.  Distributed servers and databases provide real-time continuous backup.  Web-based applications might need increased use of encryption.  But, if you want ultimate security, you would have to run your own cloud.
  • 49. Privacy  Tradeoff between security and privacy ◦ Security requires the ability to track many activities and users. ◦ People want to be secure but they also do not want every company (or government agency) prying into their lives  Businesses have an obligation to keep data confidential  More details in Chapter 14
  • 50. Technology Toolbox: Security Permissions 1. If Windows XP, Tools/Folder Options, Advanced, uncheck “Use simple file sharing” 2. Create groups and users (or pull from network definitions when available) 3. Start menu/All Programs/Administrative Tools/Computer Management or Start/Run: compmgmt.msc /s 4. Add users and groups 5. Find folder, right-click, Sharing and Security, Permissions, remove “Everyone,” Add the new group with Read permission
  • 51. Quick Quiz: Assigning Security Permissions 1. Why is it important to define groups of users? 2. Why is it important to delete this test group and users when you are finished?
  • 52. Technology Toolbox: Encrypting Files 1. Microsoft Office: Save with a Password: File/Info/Save with Password. Single key. 2. Install security certificates to encrypt e-mail (challenging). 3. Laptop and USB drives: Windows 7: BitLocker complete encryption. Best if the computer has a TPM: Trusted Platform Module to hold the encryption keys.
  • 53. Quick Quiz: Encryption 1. Why would a business want to use encryption? 2. When would it be useful to set up dual-key encryption for e-mail? 3. In a typical company, which drives should use drive- level encryption?
  • 54. Cases: Professional Sports  Football  Basketball  Baseball How do you keep data secure? Imagine the problems if one team steals playbook data from another.