1 / 35

Data interception. The Internet. Monitoring. 4. Employees & Consultants ... Sued a former employee for leaking confidential documents over the Internet. ...

Roberta
Download Presentation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    Slide 1: Issues, Trends and Strategies for Computer Systems Management

    UMUC Graduate School of Management and Technology Chapter 4. Security, Privacy, and Anonymity Administrative issues. Before we look at technological advances and trends, we need to look back at what has happen in computer systems. This foundation may provide some insight about why things are the way they are now.Administrative issues. Before we look at technological advances and trends, we need to look back at what has happen in computer systems. This foundation may provide some insight about why things are the way they are now.

    Slide 2:Agenda

    Threats to Information Physical Security and Disaster Planning Logical Security and Data Protection Virus Threats User Identification and Biometrics Access controls Encryption and Authentication Internet Security Issues Privacy Anonymity

    Slide 3:Security, Privacy, and Anonymity

    Server Attacks Data interception The Internet Monitoring

    Employees & Consultants Links to business partners Outside hackers

    Slide 4:Threats to Information

    Accidents & Disasters Employees & Consultants Business Partnerships Outsiders Viruses Virus hiding in e-mail attachment.

    $$

    Slide 5:Security Categories

    Physical attack & disasters Backup--off-site Cold/Shell site Hot site Disaster tests Personal computers! Logical Unauthorized disclosure Unauthorized modification Unauthorized withholding Denial of Service

    Slide 6:Horror Stories

    Security Pacific--Oct. 1978 Stanley Mark Rifkin Electronic Funds Transfer $10.2 million Switzerland Soviet Diamonds Came back to U.S. Equity Funding--1973 The Impossible Dream Stock Manipulation Insurance Loans Fake computer records Robert Morris--1989 Graduate Student Unix “Worm” Internet--tied up for 3 days Clifford Stoll--1989 The Cuckoo’s Egg Berkeley Labs Unix--account not balance Monitor, false information Track to East German spy Old Techniques Salami slice Bank deposit slips Trojan Horse Virus

    SunGard is a premier provider of computer backup facilities and disaster planning services. Its fleet of Mobile Data Centers can be outfitted with a variety of distributed systems hardware and delivered at a disaster site within 48 hours.

    Slide 7:Disaster Planning

    Slide 8:Data Backup

    Backup is critical Offsite backup is critical Levels RAID (multiple drives) Real time replication Scheduled backups

    Slide 9:Data Backup

    Offsite backups are critical. Frequent backups enable you to recover from disasters and mistakes. Use the network to backup PC data. Use duplicate mirrored servers for extreme reliability. UPS Power company

    Attachment 01 23 05 06 77 03 3A 7F 3C 5D 83 94 19 2C 2E A2 87 62 02 8E FA EA 12 79 54 29 3F 4F 73 9F 1 2 3 1. User opens an attached program that contains hidden virus 2. Virus copies itself into other programs on the computer 3. Virus spreads until a certain date, then it deletes files. Virus code

    Slide 10:Virus

    From: afriend To: victim Message: Open the attachment for some excitement.

    Dataquest, Inc; Computerworld 12/2/91 National Computer Security Association; Computerworld 5/6/96 http://www.info-ec.com/viruses/99/viruses_062299a_j.shtml)

    Slide 11:Virus Damage

    1999 virus costs in the U.S.: $7.6 billion.

    Slide 12:Stopping a Virus

    Backup your data! Never run applications unless you are certain they are safe. Never open executable attachments sent over the Internet--regardless of who mailed them. Antivirus software Needs constant updating Rarely catches current viruses Can interfere with other programs Ultimately, viruses sent over the Internet can be traced back to the original source.

    Slide 13:User Identification

    Passwords Dial up service found 30% of people used same word People choose obvious Post-It notes Hints Don’t use real words Don’t use personal names Include non-alphabetic Change often Use at least 6 characters Alternatives: Biometrics Finger/hand print Voice recognition Retina/blood vessels Iris scanner DNA ? Password generator cards Comments Don’t have to remember Reasonably accurate Price is dropping Nothing is perfect

    Slide 14:Iris Scan

    http://www.iridiantech.com/ questions/q2/features.html Algorithm patents by JOHN DAUGMAN 1994 http://www.cl.cam.ac.uk/~jgd1000/ http://www.eyeticket.com/ eyepass/index.html EyePass™ System at Charlotte/Douglas International Airport.

    Several methods exist to identify a person based on biological characteristics. Common techniques include fingerprint, handprint readers, and retinal scanners. More exotic devices include body shape sensors and this thermal facial reader which uses infrared imaging to identify the user.

    Slide 15:Biometrics: Thermal

    Slide 16:Access Controls: Permissions in Windows

    Find the folder or directory in explorer. Right-click to set properties. On the Security tab,assign permissions.

    Slide 17:Security Controls

    Access Control Ownership of data Read, Write, Execute, Delete, Change Permission, Take Ownership Security Monitoring Access logs Violations Lock-outs

    Slide 18:Additional Controls

    Audits Monitoring Background checks: http://www.casebreakers.com/ http://www.knowx.com/ http://www.publicdata.com/

    Slide 19:Encryption: Single Key

    Encrypt and decrypt with the same key How do you get the key safely to the other party? What if there are many people involved? Fast encryption and decryption DES - old and falls to brute force attacks Triple DES - old but slightly harder to break with brute force. AES - new standard Plain text message Encrypted text Key: 9837362 Key: 9837362 AES Encrypted text Plain text message AES Single key: e.g., AES

    Alice Bob Message Public Keys Alice 29 Bob 17 Message Encrypted Private Key 13 Private Key 37 Use Bob’s Public key Use Bob’s Private key Alice sends message to Bob that only he can read.

    Slide 20:Encryption: Dual Key

    Alice Bob Public Keys Alice 29 Bob 17 Private Key 13 Private Key 37 Use Bob’s Public key Use Bob’s Private key Bob sends message to Alice: His key guarantees it came from him. Her key prevents anyone else from reading message. Message Message Encrypt+T Encrypt+T+M Encrypt+M Use Alice’s Public key Use Alice’s Private key Transmission

    Slide 21:Dual Key: Authentication

    Slide 22:Certificate Authority

    Public key Imposter could sign up for a public key. Need trusted organization. Only Verisign today, a public company with no regulation. Verisign mistakenly issued a certificate to an imposter claiming to work for Microsoft in 2001. Alice Public Keys Alice 29 Bob 17 Use Bob’s Public key How does Alice know that it is really Bob’s key? Trust the C.A. C.A. validate applicants

    Slide 23:Internet Data Transmission

    Start Destination Eavesdropper Intermediate Machines

    Encrypted conversation Escrow keys Clipper chip in phones Intercept Decrypted conversation Judicial or government office

    Slide 24:Clipper Chip: Key Escrow

    Slide 25:Denial Of Service

    Zombie PCs at homes, schools, and businesses. Weak security. Break in. Flood program. Coordinated flood attack. Targeted server.

    Slide 26:Securing E-Commerce Servers

    http://www.visabrc.com/doc.phtml?2,64,932,932a_cisp.html 1. Install and maintain a working network firewall to protect data accessible via the Internet. 2. Keep security patches up-to-date. 3. Encrypt stored data. 4. Encrypt data sent across networks. 5. Use and regularly update anti-virus software. 6. Restrict access to data by business "need to know." 7. Assign a unique ID to each person with computer access to data. 8. Don't use vendor-supplied defaults for system passwords and other security parameters. 9. Track access to data by unique ID. 10. Regularly test security systems and processes. 11. Maintain a policy that addresses information security for employees and contractors. 12. Restrict physical access to cardholder information.

    Slide 27:Internet Firewall

    Company PCs Internal company data servers Internet Firewall router Firewall router Examines each packet and discards some types of requests. Keeps local data from going to Web servers.

    credit cards organizations loans & licenses financial permits census transportation data financial regulatory employment environmental subscriptions education purchases phone criminal record complaints finger prints medical records

    Slide 28:Privacy

    grocery store scanner data

    Slide 29:Cookies

    Web server User PC time Request page. Send page and cookie. Display page, store cookie. Find page. Request new page and send cookie. Use cookie to identify user. Send customized page.

    Slide 30:Misuse of Cookies: Third Party Ads

    Useful Web site User PC Useful Web Page Text and graphics [Advertisements] National ad Web site Doubleclick.com Link to ads Requested page Ads, and cookie Request page Hidden prior cookie

    Slide 31:Wireless Privacy

    Cell phones require connections to towers E-911 laws require location capability Many now come with integrated GPS units Business could market to customers “in the neighborhood” Tracking of employees is already common

    Slide 32:Privacy Problems

    TRW--1991 Norwich, VT Listed everyone delinquent on property taxes Terry Dean Rogan Lost wallet Impersonator, 2 murders and 2 robberies NCIC database Rogan arrested 5 times in 14 months Sued and won $55,000 from LA Employees 26 million monitored electronically 10 million pay based on statistics Jeffrey McFadden--1989 SSN and DoB for William Kalin from military records Got fake Kentucky ID Wrote $6000 in bad checks Kalin spent 2 days in jail Sued McFadden, won $10,000 San Francisco Chronicle--1991 Person found 12 others using her SSN Someone got 16 credit cards from another’s SSN, charged $10,000 Someone discovered unemployment benefits had already been collected by 5 others

    Slide 33:Privacy Laws

    Minimal in US Credit reports Right to add comments 1994 disputes settled in 30 days 1994 some limits on access to data Bork Bill--can’t release video rental data Educational data--limited availability 1994 limits on selling state/local data 2001 rules on medical data Europe France and some other controls 1995 EU Privacy Controls

    Slide 34:Primary U.S. Privacy Laws

    Freedom of Information Act Family Educational Rights and Privacy Act Fair Credit Reporting Act Privacy Act of 1974 Privacy Protection Act of 1980 Electronic Communications Privacy Act of 1986 Video Privacy Act of 1988 Driver’s Privacy Protection Act of 1994 2001 Federal Medical Privacy rules (not a law)

    Slide 35:Anonymity

    Anonymous servers: http://www.zeroknowledge.com Dianetics church (L. Ron Hubbard) officials in the U.S. Sued a former employee for leaking confidential documents over the Internet. He posted them through a Danish anonymous server. The church pressured police to obtain the name of the poster. Zero knowledge server is more secure Should we allow anonymity on the Internet? Protects privacy Can encourage flow of information Chinese dissenters Government whistleblowers Can be used for criminal activity

More Related