Quotable
This presentation is the property of its rightful owner.
Sponsored Links
1 / 31

Quotable PowerPoint PPT Presentation


  • 86 Views
  • Uploaded on
  • Presentation posted in: General

Quotable. “Maybe we should have given him a bicycle.” --Ed Darden, of Atlanta, who gave his son Frank, 16 a computer for Christmas. Frank [Legion of Doom] later was arrested for hacking into a phone system, threatening service through out the Southeast.

Download Presentation

Quotable

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Quotable

Quotable

“Maybe we should have given him a bicycle.”

--Ed Darden, of Atlanta, who gave his son Frank, 16 a computer for Christmas. Frank [Legion of Doom] later was arrested for hacking into a phone system, threatening service through out the Southeast.

http://neil.franklin.ch/Jokes_and_Fun/Computer_Quotes


Information systems security

Information Systems Security

MIS 320

Kraig Pencil

Summer 2013


Is security in the headlines business week

IS Security in the HeadlinesBusiness Week


Overview

Overview

  • Introduction

  • Crimes

  • Players

  • Ways to cause trouble

  • Ways to enhance security


A is security introduction

A. IS Security - Introduction

  • Networked age  Good news/bad news

    • Good news  Easy, fast information sharing (supports linkages!!!)

    • Bad news  Easier for bad guys to get to your data

  • IS break-ins are common … and expensive

    • 2006 survey for Computer Security Institute/FBI (www.gocsi.com)

      • 616 respondents

      • Virtually all reported some form of attack(s)

      • 52% of organizations reported “unauthorized use” of IS in past year

      • Perpetrators of incidents:

        • Crackers, disgruntled employees, competitors, foreign governments


Cert reported is vulnerabilities

CERT: Reported IS Vulnerabilities


Internet crime complaint center ic3

Internet Crime Complaint Center (IC3)

2009 Report http://www.ic3.gov/media/annualreport/2009_IC3Report.pdf

  • Department of Justice up 22%

  • Median dollar loss on complaints: $575

  • Total dollar loss: $559,700,000.

  • Many crime categories, including: auction fraud, non-delivery of merchangdise, credit card fraud, computer intrusions, spam, child pornography


A is security introduction1

A. IS Security - Introduction

  • Published reports

    • Tip of the iceberg

    • Most break-ins are unreported to law enforcement … or undetected

      • Companies are afraid that customers – and potential intruders – know about problems

      • CSI/FBI survey – 30% did not report their intrusions. Of these:

        • 48% are concerned with negative publicity

        • 36% are concerned that competitors will take advantage


B is security cyber crimes

B. IS Security – Cyber Crimes

1. What types of activities do the bad guys do?

  • Viruses/worms (65% of survey group reported this problem)

    • e.g. “Macro” viruses (e.g., Love Bug), Worms (e.g., Slammer)

  • Laptop/mobile theft (47%)

    • Steal information, Gain access to other systems

  • Unauthorized access: Hacking and physical access (32%)

    • Change documents and files

      • Steal $, modify credit ratings

      • e.g., Citibank robbery -- $11 million

    • Steal information (e.g., classified info, info for identity theft)

  • Denial of service attacks (25%)

  • Phishing

    • e.g., An “official” company e-mail used to gather personal information, passwords, SSN, etc.


Macro virus example the love bug

Macro Virus Example: The Love Bug


Warnings at the workplace worms and viruses

Warnings at the Workplace - Worms and Viruses

http://computer.howstuffworks.com/worst-computer-viruses.htm


Theft of unauthorized information identity theft

Theft of unauthorized information: Identity Theft?

Average identity theft victim

 Spends 600 hrs and $16,000 to recover

(www.idtheftcenter.org)


Denial of service attack

Denial of Service Attack

A hacker’s virus installs a program on many computers.

On command, they become zombies

They all ping* the “target” again and again –

The overload crowds out legitimate page requests, creating a Denial of Service to customers.

Target: EPen.com

Buenos días

Grrrrr!

Yo!

Bon jour

Gut’n Tag

Konnichiwa


Denial of service attack1

Denial of Service Attack

A hacker’s virus installs a program on many computers.

On command, they become zombies

They all ping* the “target” again and again –

The overload crowds out legitimate page requests, creating a Denial of Service to customers.

Target: EPen.com

Buenos días

Grrrrr!

Yo!

Bon jour

Gut’n Tag

Konnichiwa


Denial of service attack2

Denial of Service Attack

Cloud Computing to the rescue???

Cloud services are usually “scalable”  providers can instantly add more servers to handle the increased greetings from the zombie computers.

http://www.smartertechnology.com/c/a/Smarter-Strategies/3-Reasons-Clouds-Prevent-CyberAttacks/?kc=EWKNLSTE12232010BESTOF4

Target: EPen.com

Buenos días

Grrrrr!

Yo!

Bon jour

Gut’n Tag

Konnichiwa


Quotable

Phishing Example


Quotable

Phishing Example 2


Insiders

Insiders

  • You have to trust someone, but …

    • Insiders account for much of “lost” data

      • “stolen credentials have become the most common way attackers gain access to enterprises. But the credentials were rarely stolen using sophisticated methods. Instead, malicious insiders were involved in 48% of cases -- a 26% increase vs. last year -- and in some cases, freely revealed their administrative passwords, enabling attackers easy access to sensitive data” (SearchSecurity.com: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1517422,00.html)


C is security the players

C. IS Security – The Players

Hackers: people who break into computers and computer networks

  • White-hat hackers

    … hobbyists who follow “hacker code”; curious, not malicious

    … or professional consultants who find security holesin the client’s own systems: perform penetration tests and vulnerability assessments

  • Black-hat hackers // Crackers

    • Cyber vandals; cause trouble for fun

    • Commit premeditated cyber crime, steal information, $$, etc.


C is security the players1

C. IS Security – The Players

Hackers: people who break into computers and computer networks

  • Hacktivist – Politically or socially motivated hacker

    • Site defacing

    • Denial-of-Service (DoS) attack

  • Cyberterrorist – deliberate, large-scale disruption of computer networks

    Hacker Conventions

  • DEF CON

    • World’s Largest

  • Black Hat

    Hacker Films

  • Wargames

  • Takedown


Well known cyber crooks

Well-known Cyber Crooks*

  • Kevin Mitnick – superstar of hacking

  • Active 1980 – 1995

  • Never profited or caused damage

  • 5 years in prison (8 months in solitary confinement)

  • “Social engineering” specialist: “no patch for stupidy”

  • Now a well-paid security consultant, speaker, writer

Kevin Mitnick

* http://www.itsecurity.com/features/top-10-famous-hackers-042407/


Well known cyber crooks1

Well-known Cyber Crooks*

  • Vladimir Levin – Russian

  • Transferred $10.7 million from Citibank accounts

  • Captured in London, transferred to US, convicted/sentenced to 3 years

  • Citibank managed to recover 95% of the funds

  • Adrian Lamo 2002-2004

  • Victims: Yahoo!, Citigroup, Cingular, NY Times

  • “Homeless hacker” was also helpful. Unauthorized penetration testing. Voluntarily informed some victims of their security weaknesses.

  • Arrested/Convicted/Ordered to pay $65,000 to NY Times

  •  Robert Alan Soloway – the “Spam King”

  • 2008 47 months in federal prison, and $700,000 restitution

  • $7.8 million civil judgment awarded to Microsoft.

  • Others: Stephen Wozniak (blue boxes), Tim Berners-Lee (Oxford)

Adrian Lamo

* http://www.itsecurity.com/features/top-10-famous-hackers-042407/


D examples of hacker tools techniques

D. Examples of hacker tools/techniques

  • Password cracker programs

    • Example approaches: Use “reverse encryption”, Look for “dictionary” words & common names

  • Sniffers

    • “Eavesdropping” program/device

    • Use to capture usernames and passwords for people doing remote computer logins

    • Place program on node of Internet and “sniff” for usernames and passwords

  • Social engineering

    • Hacker poses as a “good guy” and asks unsuspecting people for information

    • Often done via phone

      • E.g., “What kind of computer system are you using?”


A hacker tool password cracker available on the internet

A Hacker Tool: “Password cracker” available on the Internet


E is security ways to address combat security risks

E. IS Security – Ways to address/combat security risks

  • Password management

    • Do not use dictionary words

    • Create new combinations of letters and digits

      • Combine letters, numbers, special characters, and both upper and lower casee.g., gaRDen+493

      • Use mnemonic tricks to remember odd combinations letters of words in an expression

        • e.g., tbontbtitq (or even better: 2b*o02b*t1tq)

          “To be or not to be, that is the question”

    • Change passwords frequently


E is security ways to address combat security risks1

E. IS Security – Ways to address/combat security risks

2. Use firewalls

  • HW/SW that acts a buffer between a network and the rest of the World

  • Can keep out … unauthorized traffic

  • Can keep in … corporate secrets

    3. Encryption

  • Scramble a message/data so that others can not understand it

    4. Advisory organizations

  • Post warnings and “patches” for reported security problems

  • e.g., Computer Emergency Response Team (CERT)

Image source: http://computer.howstuffworks.com/firewall.htm


Vulnerability alert from cert

Vulnerability Alert from CERT


E is security ways to address combat security risks2

E. IS Security – Ways to address/combat security risks

5. Security software

  • Antivirus software

  • Intrusion detection software


E is security ways to address combat security risks3

E. IS Security – Ways to address/combat security risks

6. Hire a good hacker

  • Break into your system and/or provide advice

  • Help you identify security holes

U.S. HIRED HACKER TO DETECT DIGITAL SPYING BY EMPLOYEES

  • WASHINGTON, D.C. – In the cyber age, there are few things so damaging as a determined insider with the right passwords.

  • The Defense Department hired a former hacker to lead a research program to detect digital spying by employees. PeiterZatko is in charge of Cyber Insider Threat program at the Defense Advanced Research Projects Agency, or DARPA. “I’ve played both offense and defense.”

  • His program is years away from any deployable solutions. In the meantime, the WikiLeaks releases show that the Pentagon failed to take basic steps to protect sensitive information, such as detecting and preventing unauthorized downloads.

  • MCCLATCHY

  • November 30, 2010

  • Redacted by Kraig Pencil


E is security ways to address combat security risks4

E. IS Security – Ways to address/combat security risks

6. Hire a good hacker

Kevin Mitnick – a busted hacker …

Emerges from prison and begins career as an IS Security consultant, writes a book


A parting thought

A Parting Thought …

The most likely way for the world to be destroyed, most experts agree, is by accident. That’s where we come in; we’re computer professionals. We cause accidents.

- Nathaniel Borenstein, co-creator of MIME


  • Login