Date post: | 26-Mar-2015 |
Upload: | john-anderson |
Introduction to MIS 1
Copyright © 1998-2002 by Jerry Post
Introduction to MIS
Chapter 4
Security, Privacy, Anonymity
Outline
  Threats to Information
  Physical Security and Disaster Planning
  Logical Security and Data Protection
  Virus Threats
  User Identification and Biometrics
  Access controls
  Encryption and Authentication
  Internet Security Issues
  Privacy
  Anonymity
  Cases: Healthcare
  Appendix: Server Security Certificates
Security, Privacy, and Anonymity
Server Attacks
Data interception
The Internet
Monitoring
Threats to Information
  Accidents & Disasters
  Employees & Consultants
  Business Partnerships
  Outsiders
  Viruses
Diagram labels:
  Employees & Consultants
  Links to business partners
  Outside hackers
  Virus hiding in e-mail attachment.
Security Categories
Physical attack & disasters
  Backup--off-site
  Cold/Shell site
  Hot site
  Disaster tests
  Personal computers!
Logical
  Unauthorized disclosure
  Unauthorized modification
  Unauthorized withholding
    Denial of Service
Horror Stories
Security Pacific--Oct. 1978
  Stanley Mark Rifkin
  Electronic Funds Transfer
  $10.2 million
  Switzerland
  Soviet Diamonds
  Came back to U.S.
Equity Funding--1973
  The Impossible Dream
  Stock Manipulation
    Insurance
    Loans
    Fake computer records
Robert Morris--1989
  Graduate Student
  Unix “Worm”
  Internet--tied up for 3 days
Clifford Stoll--1989
  The Cuckoo’s Egg
  Berkeley Labs
  Unix--account did not balance
  Monitor, false information
  Track to East German spy
Old Techniques
  Salami slice
  Bank deposit slips
  Trojan Horse
  Virus
Manual v Automated Data
  Amount of data
  Identification of users
  Difficult to detect changes
  Speed
    Search
    Copy
  Statistical Inference
  Communication Lines
SunGard is a premier provider of computer backup facilities and disaster planning services. Its fleet of Mobile Data Centers can be outfitted with a variety of distributed systems hardware and delivered at a disaster site within 48 hours.
Disaster Planning
Data Backup
  Backup is critical
  Offsite backup is critical
  Levels
    RAID (multiple drives)
    Real time replication
    Scheduled backups
Data Backup
Offsite backups are critical.
Frequent backups enable you to recover from disasters and mistakes.
Use the network to back up PC data.
Use duplicate mirrored servers for extreme reliability.
UPS
Power company
Virus
E-mail carrying the virus:
  From: afriend
  To: victim
  Message: Open the attachment for some excitement.
  Attachment: program containing hidden virus code
1. User opens an attached program that contains hidden virus
2. Virus copies itself into other programs on the computer
3. Virus spreads until a certain date, then it deletes files.
Virus Damage
1999 virus costs in the U.S.: $7.6 billion.
Dataquest, Inc; Computerworld 12/2/91
National Computer Security Association; Computerworld 5/6/96
http://www.info-ec.com/viruses/99/viruses_062299a_j.shtml
Attacks 1991 1996 2000 2001
Viruses/Trojans/Worms 62 80 80 89
Attacks on Web servers 24 48
Denial of Service 37 39
Insider physical theft or damage of equipment 49 42
Insider electronic theft, destruction, or disclosure of data 24 22
Fraud 13 9
Stopping a Virus
  Back up your data!
  Never run applications unless you are certain they are safe.
  Never open executable attachments sent over the Internet--regardless of who mailed them.
  Antivirus software
    Needs constant updating
    Rarely catches current viruses
    Can interfere with other programs
  Ultimately, viruses sent over the Internet can be traced back to the original source.
User Identification
Passwords
  Dial up service found 30% of people used same word
  People choose obvious
  Post-It notes
Hints
  Don’t use real words
  Don’t use personal names
  Include non-alphabetic
  Change often
  Use at least 6 characters
Alternatives: Biometrics
  Finger/hand print
  Voice recognition
  Retina/blood vessels
  Iris scanner
  DNA ?
Password generator cards
Comments
  Don’t have to remember
  Reasonably accurate
  Price is dropping
  Nothing is perfect
Iris Scan
http://www.iridiantech.com/questions/q2/features.html
Algorithm patents by JOHN DAUGMAN 1994 http://www.cl.cam.ac.uk/~jgd1000/
http://www.eyeticket.com/eyepass/index.html
EyePass™ System at Charlotte/Douglas International Airport.
Several methods exist to identify a person based on biological characteristics. Common techniques include fingerprint, handprint readers, and retinal scanners. More exotic devices include body shape sensors and this thermal facial reader which uses infrared imaging to identify the user.
Biometrics: Thermal
Access Controls: Permissions in Windows
Find the folder or directory in explorer.
Right-click to set properties.
On the Security tab, assign permissions.
Security Controls
Access Control
  Ownership of data
  Read, Write, Execute, Delete, Change Permission, Take Ownership
Security Monitoring
  Access logs
  Violations
  Lock-outs
Additional Controls
  Audits
  Monitoring
  Background checks:
http://www.casebreakers.com/
http://www.knowx.com/
http://www.publicdata.com/
Encryption: Single Key
  Encrypt and decrypt with the same key
    How do you get the key safely to the other party?
    What if there are many people involved?
  Fast encryption and decryption
    DES - old and falls to brute force attacks
    Triple DES - old but slightly harder to break with brute force.
    AES - new standard
Diagram: Plain text message -> AES (Key: 9837362) -> Encrypted text -> AES (Key: 9837362) -> Plain text message
Single key: e.g., AES
Encryption: Dual Key
Alice sends message to Bob that only he can read.
Public Keys: Alice 29, Bob 17
Private Keys: Alice 13, Bob 37
Diagram: Message (Alice) -> Use Bob’s Public key -> Encrypted -> Use Bob’s Private key -> Message (Bob)
Dual Key: Authentication
Bob sends message to Alice: His key guarantees it came from him. Her key prevents anyone else from reading message.
Public Keys: Alice 29, Bob 17
Private Keys: Alice 13, Bob 37
Diagram labels:
  Message
  Encrypt+T
  Encrypt+T+M
  Encrypt+M
  Message
  Transmission
  Use Bob’s Private key
  Use Alice’s Public key
  Use Alice’s Private key
  Use Bob’s Public key
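The double use of keys on this slide can be run end to end. The Python sketch below is an added example, not part of the original slides: it uses textbook RSA without padding and keys built from publicly known Mersenne primes, so it shows the mechanics only and is not a usable cipher. The key values, the `send`/`receive` names, the 8-byte hash check and the third party Mallory are assumptions of the example and are not the slide's numbers 29, 17, 13 and 37.

```python
# Added example: toy textbook RSA (no padding, publicly known primes).
import hashlib

def make_keypair(p, q, e=65537):
    """Return (public, private) as ((e, n), (d, n)) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)      # pow(e, -1, phi): modular inverse

def apply_key(value, key):
    """The single RSA operation behind every 'Use ... key' step on the slide."""
    exponent, n = key
    return pow(value, exponent, n)

def check(message):
    """8-byte SHA-256 tag: redundancy that lets the receiver recognise garbage."""
    return hashlib.sha256(message).digest()[:8]

def send(message, sender_private, receiver_public):
    """Sender's private key first (origin), receiver's public key second (secrecy)."""
    payload = int.from_bytes(message + check(message), "big")
    if payload >= sender_private[1]:
        raise ValueError("message too long for this toy key")
    signed = apply_key(payload, sender_private)
    return apply_key(signed, receiver_public)

def receive(sealed, receiver_private, sender_public):
    """Undo both layers; raise if the result does not carry a valid check tag."""
    signed = apply_key(sealed, receiver_private)    # only the receiver can do this
    payload = apply_key(signed, sender_public)      # only the sender's key fits
    raw = payload.to_bytes((payload.bit_length() + 7) // 8, "big")
    message, tag = raw[:-8], raw[-8:]
    if tag != check(message):
        raise ValueError("not from the claimed sender, or altered in transit")
    return message

# Constructed keys. The sender's modulus must be smaller than the receiver's
# so that the signed value still fits when it is encrypted.
BOB_PUBLIC, BOB_PRIVATE = make_keypair(2**61 - 1, 2**127 - 1)
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(2**521 - 1, 2**607 - 1)
MALLORY_PUBLIC, MALLORY_PRIVATE = make_keypair(2**89 - 1, 2**107 - 1)

if __name__ == "__main__":
    sealed = send(b"Meet at noon", BOB_PRIVATE, ALICE_PUBLIC)
    print(receive(sealed, ALICE_PRIVATE, BOB_PUBLIC))
```

A message sealed with Mallory's private key, or opened with anyone's private key other than Alice's, fails the check in `receive` instead of yielding a readable message.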
Certificate Authority
  Public key
    Imposter could sign up for a public key.
    Need trusted organization.
    Only Verisign today, a public company with no regulation.
    Verisign mistakenly issued a certificate to an imposter claiming to work for Microsoft in 2001.
How does Alice know that it is really Bob’s key?
  Trust the C.A.
  C.A. validates applicants
Diagram labels:
  Alice
  Public Keys: Alice 29, Bob 17
  Use Bob’s Public key
Internet Data Transmission
Start
Destination
Eavesdropper
Intermediate Machines
Clipper Chip: Key Escrow
Diagram labels:
  Encrypted conversation
  Escrow keys
  Clipper chip in phones
  Intercept
  Decrypted conversation
  Judicial or government office
Denial Of Service
Zombie PCs at homes, schools, and businesses. Weak security.
Break in. Flood program.
Coordinated flood attack.
Targeted server.
Securing E-Commerce Servers
http://www.visabrc.com/doc.phtml?2,64,932,932a_cisp.html
1. Install and maintain a working network firewall to protect data accessible via the Internet.
2. Keep security patches up-to-date.
3. Encrypt stored data.
4. Encrypt data sent across networks.
5. Use and regularly update anti-virus software.
6. Restrict access to data by business "need to know."
7. Assign a unique ID to each person with computer access to data.
8. Don't use vendor-supplied defaults for system passwords and other security parameters.
9. Track access to data by unique ID.
10. Regularly test security systems and processes.
11. Maintain a policy that addresses information security for employees and contractors.
12. Restrict physical access to cardholder information.
Internet Firewall
Company PCs
Internal company data servers
Internet
Firewall router
Firewall router
Examines each packet and discards some types of requests.
Keeps local data from going to Web servers.
Privacy
  credit cards
  organizations
  loans & licenses
  financial
  permits
  census
  transportation data
  financial
  regulatory
  employment
  environmental
  subscriptions
  education
  purchases
  phone
  criminal record
  complaints
  finger prints
  medical records
  grocery store scanner data
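Cookies
Exchange between User PC and Web server, in time order:
  User PC: Request page.
  Web server: Find page.
  Web server: Send page and cookie.
  User PC: Display page, store cookie.
  User PC: Request new page and send cookie.
  Web server: Use cookie to identify user.
  Web server: Send customized page.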
Misuse of Cookies: Third Party Ads
Diagram labels:
  Useful Web site
  User PC
  Useful Web Page: Text and graphics, [Advertisements]
  National ad Web site: Doubleclick.com
  Link to ads
  Requested page
  Ads, and cookie
  Request page
  Hidden prior cookie
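The two cookie slides above can be simulated in a few lines. This Python sketch is an added example, not part of the original slides; the site names, the `uid` cookie name and the `block_third_party` switch (a browser that neither sends nor stores cookies on embedded third-party requests) are assumptions of the example.

```python
# Added example: constructed simulation of the two cookie slides.
from http.cookies import SimpleCookie
from itertools import count

class Server:
    """Web server that tags each new browser with an ID cookie and logs visits."""
    def __init__(self, domain):
        self.domain, self.ids, self.log = domain, count(1), {}

    def handle(self, cookie_header, page):
        """Log the request; return a Set-Cookie value for first-time visitors."""
        jar = SimpleCookie(cookie_header or "")
        known = "uid" in jar
        uid = jar["uid"].value if known else f"{self.domain}-{next(self.ids)}"
        self.log.setdefault(uid, []).append(page)
        if known:
            return None
        out = SimpleCookie()
        out["uid"] = uid
        return out["uid"].OutputString()          # e.g. "uid=ads.example-1"

class Browser:
    """Keeps one cookie per domain and sends it back only to that domain."""
    def __init__(self, block_third_party=False):
        self.jar, self.block = {}, block_third_party

    def fetch(self, server, page, third_party=False):
        use_jar = not (third_party and self.block)
        sent = self.jar.get(server.domain) if use_jar else None
        set_cookie = server.handle(sent, page)
        if set_cookie and use_jar:
            self.jar[server.domain] = set_cookie

    def visit(self, site, page, ad_server):
        self.fetch(site, page)                    # the page the user asked for
        # The page links to an ad; the ad request reveals which page embedded it.
        self.fetch(ad_server, site.domain + page, third_party=True)

def browse(block_third_party):
    """Visit two unrelated sites that both carry ads from one ad network."""
    news, shop, ads = (Server(d) for d in
                       ("news.example", "shop.example", "ads.example"))
    pc = Browser(block_third_party)
    pc.visit(news, "/health/diabetes", ads)
    pc.visit(shop, "/cart/glucose-meter", ads)
    return ads.log                                # what the ad network learned
```

With third-party cookies allowed, the ad server's log links both visits to one ID; with them blocked, each ad request looks like a new visitor.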
Wireless Privacy
  Cell phones require connections to towers
  E-911 laws require location capability
  Many now come with integrated GPS units
  Business could market to customers “in the neighborhood”
  Tracking of employees is already common
Privacy Problems
TRW--1991
  Norwich, VT
  Listed everyone delinquent on property taxes
Terry Dean Rogan
  Lost wallet
  Impersonator, 2 murders and 2 robberies
  NCIC database
  Rogan arrested 5 times in 14 months
  Sued and won $55,000 from LA
Employees
  26 million monitored electronically
  10 million pay based on statistics
Jeffrey McFadden--1989
  SSN and DoB for William Kalin from military records
  Got fake Kentucky ID
  Wrote $6000 in bad checks
  Kalin spent 2 days in jail
  Sued McFadden, won $10,000
San Francisco Chronicle--1991
  Person found 12 others using her SSN
  Someone got 16 credit cards from another’s SSN, charged $10,000
  Someone discovered unemployment benefits had already been collected by 5 others
Privacy Laws
Minimal in US
  Credit reports
    Right to add comments
    1994 disputes settled in 30 days
    1994 some limits on access to data
  Bork Bill--can’t release video rental data
  Educational data--limited availability
  1994 limits on selling state/local data
  2001 rules on medical data
Europe
  France and some other controls
  1995 EU Privacy Controls
Primary U.S. Privacy Laws
  Freedom of Information Act
  Family Educational Rights and Privacy Act
  Fair Credit Reporting Act
  Privacy Act of 1974
  Privacy Protection Act of 1980
  Electronic Communications Privacy Act of 1986
  Video Privacy Act of 1988
  Driver’s Privacy Protection Act of 1994
  2001 Federal Medical Privacy rules (not a law)
Anonymity
Anonymous servers: http://www.zeroknowledge.com
Dianetics church (L. Ron Hubbard) officials in the U.S.
  Sued a former employee for leaking confidential documents over the Internet.
  He posted them through a Danish anonymous server.
  The church pressured police to obtain the name of the poster.
  Zero knowledge server is more secure
Should we allow anonymity on the Internet?
  Protects privacy
  Can encourage flow of information
    Chinese dissenters
    Government whistleblowers
  Can be used for criminal activity
Cases: Healthcare
What is the company’s current status?
What is the Internet strategy?
How does the company use information technology?
What are the prospects for the industry?
www.lilly.com
www.owens-minor.com
Cases: Eli Lilly; Owens & Minor, Inc.
Appendix: Digital Security Certificates
  Digital security certificates are used to encrypt e-mail and to authenticate the sender.
  Obtain a certificate from a certificate authority
    Verisign
    Thawte (owned by Verisign)
    Microsoft
    Your own company or agency
  Install the certificate in Outlook
    Select option boxes to encrypt or decrypt messages
  Install certificates sent by your friends and co-workers.
Obtaining a Certificate
Installing a Certificate
1. Tools + Options + Security tab
2. Choose your certificate
3. Check these boxes to add your digital signature and to encrypt messages.
4. These boxes set the default choices. For each message, you can use the options to check or uncheck these boxes.
Encrypting and Signing Messages
Use the Options button and the Security Settings button to make sure the Encrypt and Signature boxes are checked. Then the encryption and decryption are automatic.