Slide 1:Issues, Trends and Strategies for Computer Systems Management
UMUC Graduate School of Management and Technology
Chapter 4. Security, Privacy, and Anonymity
Administrative issues. Before we look at technological advances and trends, we need to look back at what has happened in computer systems. This foundation may provide some insight about why things are the way they are now.
Threats to Information
Physical Security and Disaster Planning
Logical Security and Data Protection
Virus Threats
User Identification and Biometrics
Access controls
Encryption and Authentication
Internet Security Issues
Privacy
Anonymity
Slide 3:Security, Privacy, and Anonymity
[Figure labels: Server Attacks; Data interception; The Internet; Monitoring; Employees & Consultants; Links to business partners; Outside hackers]
Slide 4:Threats to Information
Accidents & Disasters
Employees & Consultants
Business Partnerships
Outsiders
Viruses
Virus hiding in e-mail attachment.
Slide 5:Security Categories
Physical attack & disasters
  Backup--off-site
  Cold/Shell site
  Hot site
  Disaster tests
  Personal computers!
Logical
  Unauthorized disclosure
  Unauthorized modification
  Unauthorized withholding
  Denial of Service
Slide 6:Horror Stories
Security Pacific--Oct. 1978
  Stanley Mark Rifkin
  Electronic Funds Transfer
  $10.2 million
  Switzerland
  Soviet Diamonds
  Came back to U.S.
Equity Funding--1973
  The Impossible Dream
  Stock Manipulation
  Insurance
  Loans
  Fake computer records
Robert Morris--1989
  Graduate Student
  Unix “Worm”
  Internet--tied up for 3 days
Clifford Stoll--1989
  The Cuckoo’s Egg
  Berkeley Labs
  Unix--account not balance
  Monitor, false information
  Track to East German spy
Old Techniques
  Salami slice
  Bank deposit slips
  Trojan Horse
  Virus
Slide 7:Disaster Planning
SunGard is a premier provider of computer backup facilities and disaster planning services. Its fleet of Mobile Data Centers can be outfitted with a variety of distributed systems hardware and delivered at a disaster site within 48 hours.
Slide 8:Data Backup
Backup is critical
Offsite backup is critical
Levels
  RAID (multiple drives)
  Real time replication
  Scheduled backups
Slide 9:Data Backup
Offsite backups are critical.
Frequent backups enable you to recover from disasters and mistakes.
Use the network to back up PC data.
Use duplicate mirrored servers for extreme reliability.
[Figure labels: UPS; Power company]
[Figure: e-mail attachment containing virus code]
  From: afriend
  To: victim
  Message: Open the attachment for some excitement.
1. User opens an attached program that contains hidden virus
2. Virus copies itself into other programs on the computer
3. Virus spreads until a certain date, then it deletes files.
Dataquest, Inc; Computerworld 12/2/91
National Computer Security Association; Computerworld 5/6/96
http://www.info-ec.com/viruses/99/viruses_062299a_j.shtml
Slide 11:Virus Damage
1999 virus costs in the U.S.: $7.6 billion.
Slide 12:Stopping a Virus
Back up your data!
Never run applications unless you are certain they are safe.
Never open executable attachments sent over the Internet--regardless of who mailed them.
Antivirus software
  Needs constant updating
  Rarely catches current viruses
  Can interfere with other programs
Ultimately, viruses sent over the Internet can be traced back to the original source.
Slide 13:User Identification
Passwords
  Dial up service found 30% of people used same word
  People choose obvious
  Post-It notes
Hints
  Don’t use real words
  Don’t use personal names
  Include non-alphabetic
  Change often
  Use at least 6 characters
Alternatives: Biometrics
  Finger/hand print
  Voice recognition
  Retina/blood vessels
  Iris scanner
  DNA ?
Password generator cards
Comments
  Don’t have to remember
  Reasonably accurate
  Price is dropping
  Nothing is perfect
Slide 14:Iris Scan
http://www.iridiantech.com/questions/q2/features.html
Algorithm patents by JOHN DAUGMAN 1994
http://www.cl.cam.ac.uk/~jgd1000/
http://www.eyeticket.com/eyepass/index.html
EyePass™ System at Charlotte/Douglas International Airport.
Slide 15:Biometrics: Thermal
Several methods exist to identify a person based on biological characteristics. Common techniques include fingerprint readers, handprint readers, and retinal scanners. More exotic devices include body shape sensors and this thermal facial reader, which uses infrared imaging to identify the user.
Slide 16:Access Controls: Permissions in Windows
Find the folder or directory in Explorer.
Right-click to set properties.
On the Security tab, assign permissions.
Slide 17:Security Controls
Access Control
  Ownership of data
  Read, Write, Execute, Delete, Change Permission, Take Ownership
Security Monitoring
  Access logs
  Violations
  Lock-outs
Slide 18:Additional Controls
Audits
Monitoring
Background checks:
  http://www.casebreakers.com/
  http://www.knowx.com/
  http://www.publicdata.com/
Slide 19:Encryption: Single Key
Encrypt and decrypt with the same key
  How do you get the key safely to the other party?
  What if there are many people involved?
Fast encryption and decryption
  DES - old and falls to brute force attacks
  Triple DES - old but slightly harder to break with brute force.
  AES - new standard
[Figure labels: Plain text message; Encrypted text; Key: 9837362 (both sides); AES (both sides); Single key: e.g., AES]
Slide 20:Encryption: Dual Key
Alice sends message to Bob that only he can read.
[Figure labels: Alice; Bob; Message; Encrypted; Public Keys: Alice 29, Bob 17; Private Key 13; Private Key 37; Use Bob’s Public key; Use Bob’s Private key]
Slide 21:Dual Key: Authentication
Bob sends message to Alice:
  His key guarantees it came from him.
  Her key prevents anyone else from reading message.
[Figure labels: Alice; Bob; Public Keys: Alice 29, Bob 17; Private Key 13; Private Key 37; Use Bob’s Public key; Use Bob’s Private key; Use Alice’s Public key; Use Alice’s Private key; Message; Encrypt+T; Encrypt+T+M; Encrypt+M; Transmission]
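The dual-key authentication flow on this slide (Bob signs with his private key, then encrypts with Alice's public key; Alice reverses both steps), as an added example that is not part of the original deck. It uses toy textbook RSA with small constructed primes rather than the key numbers shown on the slide, and all function names are hypothetical.

```python
# Added illustration: toy textbook RSA with small constructed primes.
# No padding, tiny keys: for following the slide's flow only, not for real data.
import hashlib

def make_key(p, q, e):
    """Build ((e, n), (d, n)) from two primes and a public exponent."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)   # d = e^-1 mod phi (Python 3.8+)

# Constructed sample keys (assumption; not the key numbers shown on the slide).
BOB_PUB, BOB_PRIV = make_key(1009, 1013, 17)
ALICE_PUB, ALICE_PRIV = make_key(2003, 2011, 17)   # modulus larger than Bob's

def digest(msg, n):
    """Hash the message and reduce it into the signer's modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def bob_send(msg):
    """Sign with Bob's private key, then encrypt everything with Alice's public key."""
    sig = pow(digest(msg, BOB_PRIV[1]), *BOB_PRIV)
    e, n = ALICE_PUB
    return [pow(b, e, n) for b in msg] + [pow(sig, e, n)]

def alice_receive(packet):
    """Decrypt with Alice's private key, then check the signature with Bob's public key."""
    d, n = ALICE_PRIV
    *body, sig = [pow(c, d, n) for c in packet]
    if any(b > 255 for b in body):          # mangled ciphertext: not valid bytes
        return None, False
    msg = bytes(body)
    return msg, pow(sig, *BOB_PUB) == digest(msg, BOB_PUB[1])

def tamper(packet, new_first_byte):
    """Swap the first block in transit; Alice's key is public, so anyone can encrypt to her."""
    e, n = ALICE_PUB
    return [pow(new_first_byte, e, n)] + packet[1:]

if __name__ == "__main__":
    packet = bob_send(b"Pay Carol $10")                 # constructed sample message
    print(alice_receive(packet))                        # message plus signature check result
    print(alice_receive(tamper(packet, ord("X"))))      # altered message fails the check
```

Encryption with Alice's public key alone gives confidentiality but not origin, since anyone can encrypt to her; only the signature check against Bob's public key ties the message to Bob.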
Slide 22:Certificate Authority
Public key
  Imposter could sign up for a public key.
  Need trusted organization.
  Only Verisign today, a public company with no regulation.
  Verisign mistakenly issued a certificate to an imposter claiming to work for Microsoft in 2001.
[Figure labels: Alice; Public Keys: Alice 29, Bob 17; Use Bob’s Public key]
How does Alice know that it is really Bob’s key?
Trust the C.A.
C.A. validate applicants
Slide 23:Internet Data Transmission
[Figure labels: Start; Destination; Eavesdropper; Intermediate Machines]
Slide 24:Clipper Chip: Key Escrow
[Figure labels: Encrypted conversation; Escrow keys; Clipper chip in phones; Intercept; Decrypted conversation; Judicial or government office]
Slide 25:Denial Of Service
Zombie PCs at homes, schools, and businesses. Weak security. Break in. Flood program. Coordinated flood attack. Targeted server.
Slide 26:Securing E-Commerce Servers
http://www.visabrc.com/doc.phtml?2,64,932,932a_cisp.html
1. Install and maintain a working network firewall to protect data accessible via the Internet.
2. Keep security patches up-to-date.
3. Encrypt stored data.
4. Encrypt data sent across networks.
5. Use and regularly update anti-virus software.
6. Restrict access to data by business "need to know."
7. Assign a unique ID to each person with computer access to data.
8. Don't use vendor-supplied defaults for system passwords and other security parameters.
9. Track access to data by unique ID.
10. Regularly test security systems and processes.
11. Maintain a policy that addresses information security for employees and contractors.
12. Restrict physical access to cardholder information.
Slide 27:Internet Firewall
[Figure labels: Company PCs; Internal company data servers; Internet; Firewall router; Firewall router]
Examines each packet and discards some types of requests.
Keeps local data from going to Web servers.
[Figure labels: credit cards organizations loans & licenses financial permits census transportation data financial regulatory employment environmental subscriptions education purchases phone criminal record complaints finger prints medical records grocery store scanner data]
[Figure labels: Web server; User PC; time]
Request page. Send page and cookie. Display page, store cookie. Find page. Request new page and send cookie. Use cookie to identify user. Send customized page.
[Figure labels: Useful Web site; User PC; Useful Web Page; Text and graphics; [Advertisements]; National ad Web site Doubleclick.com; Link to ads; Requested page; Ads, and cookie; Request page; Hidden prior cookie]
Slide 31:Wireless Privacy
Cell phones require connections to towers
E-911 laws require location capability
Many now come with integrated GPS units
Business could market to customers “in the neighborhood”
Tracking of employees is already common
Slide 32:Privacy Problems
TRW--1991
  Norwich, VT
  Listed everyone delinquent on property taxes
Terry Dean Rogan
  Lost wallet
  Impersonator, 2 murders and 2 robberies
  NCIC database
  Rogan arrested 5 times in 14 months
  Sued and won $55,000 from LA
Employees
  26 million monitored electronically
  10 million pay based on statistics
Jeffrey McFadden--1989
  SSN and DoB for William Kalin from military records
  Got fake Kentucky ID
  Wrote $6000 in bad checks
  Kalin spent 2 days in jail
  Sued McFadden, won $10,000
San Francisco Chronicle--1991
  Person found 12 others using her SSN
  Someone got 16 credit cards from another’s SSN, charged $10,000
  Someone discovered unemployment benefits had already been collected by 5 others
Slide 33:Privacy Laws
Minimal in US
  Credit reports
    Right to add comments
    1994 disputes settled in 30 days
    1994 some limits on access to data
  Bork Bill--can’t release video rental data
  Educational data--limited availability
  1994 limits on selling state/local data
  2001 rules on medical data
Europe
  France and some other controls
  1995 EU Privacy Controls
Slide 34:Primary U.S. Privacy Laws
Freedom of Information Act
Family Educational Rights and Privacy Act
Fair Credit Reporting Act
Privacy Act of 1974
Privacy Protection Act of 1980
Electronic Communications Privacy Act of 1986
Video Privacy Act of 1988
Driver’s Privacy Protection Act of 1994
2001 Federal Medical Privacy rules (not a law)
Anonymous servers: http://www.zeroknowledge.com
Dianetics church (L. Ron Hubbard) officials in the U.S.
  Sued a former employee for leaking confidential documents over the Internet.
  He posted them through a Danish anonymous server.
  The church pressured police to obtain the name of the poster.
Zero knowledge server is more secure
Should we allow anonymity on the Internet?
  Protects privacy
  Can encourage flow of information
    Chinese dissenters
    Government whistleblowers
  Can be used for criminal activity