Self-learning materials for Information Technology Competence (ITC) Test

1

• Fundamental Concepts

• IS Issues in Daily Computer and Internet Usage

• Public Key Infrastructure, SSL, and Digital Certificates

• Information Security Software Demo

• Information Security Policies and Practices

• Useful Links on Information Security

Outline

2

Security (Information Security) Services:

What does information security (IS) provide?

• Authentication

• Confidentiality

• Integrity

• Non-repudiation

• Availability

Security Services

3

• Authentication – refers to the validation of the identity of

an entity, before it is being authorized to access further information and services

• Confidentiality – refers to the protection of information

from being disclosed to unauthorized parties

• Integrity – refers to the protection of information from

being altered by unauthorized parties

• Non-repudiation – refers to the prevention of message

senders or digital signature signers to deny having sent or signed the corresponding digital message

• Availability – refers to the assurance that information is

available to authorized parties when requested

Security Services

4

Hackers

• Hackers are those who attack computer systems and networks for unauthorized accesses

• Some of them do so for malicious purposes such as stealing or corrupting data

• Some of them are just for fun

• Some of them hack with the goal of testing the security of systems and networks

Threats to Information Security

5

Backdoors

• Backdoors are mechanisms that originally established by system administrators and software manufacturers for system maintenance and software status checking

• Allow one to bypass normal authentication and gain access to computer systems

• Backdoor accesses remain hidden from casual inspection. One may not even know their existence on the computer

• However, hackers always have their ways to find them out and uses backdoor as a springboard to hack

Threats to Information Security

6

Security Loopholes

• Security loopholes are bugs in software that can be exploited for security attacks and intrusions

• Even popular software such as Microsoft Windows cannot totally eliminate loopholes

• Sometimes, backdoors which are originally benign in nature are exploited by hackers to launch intrusions, and they eventually become security loopholes

Threats to Information Security

7

To defense against various security threats, we should:

• Install protection software such as anti-virus programs and personal firewalls

• Perform regular software updates to block the security loopholes

• Software manufacturers announce security bugs and release security patches from time to time • Pay attention to newly available patches and perform

software updates often e.g. Microsoft Safety & Security Center (http://www.microsoft.com/security/)

Information Security Measures

8

Let’s have a brief introduction of

IS Issues in Daily Computer and Internet Usage

9

Computer Viruses Worms

Trojans

Spyware

Network Security for Computer Users

Spam

Adware

Phishing

• Computer viruses are executable codes that hide inside a program and then infect other programs

• Computer viruses damage our computers in many different ways, such as • Deleting files

• Erasing programs, and

• Prompting annoying messages

• They can also replicate themselves without user intervention

Computer Viruses

10

Symptoms of computer virus infection include (but not limited to)

• Display of unusual messages or images

• Reduction of available memory

• Appearance of unknown programs or files

• Corrupted files

• Malfunction of programs and files

Computer Viruses

11

• First, the virus hides inside a program or file and remains inactive until the infected program is run

• Once the infected program or file is executed, the virus is run as well

• It then infects other programs on the computer hard disk by duplicating itself

• The computer is then inflected

How Computer Viruses Work?

12

• How we get the infected files?

• We can receive files and programs that are infected by computer viruses in many ways, including • Email attachments

• Newsgroup message attachments

• Internet downloads, and

• File transfer through instant messaging

How Computer Viruses Work?

13

• Is a special kind of computer virus

• The name Trojans come from the story of Trojan horse, in which the Greek solders hid inside a hollow wooden structure and thus sneaked through the city walls of Troy

• In computer security, a Trojan is a program that performs other than what it is expected • e.g. A program claims to be a game but instead it creates

backdoors for the hackers to gain unauthorized accesses to a computer

• Unlike general computer viruses, Trojans do not replicate themselves normally

Trojans

14

• Worms are another kind of computer viruses

• Spread directly from computer to computer without any action taken part by the computer users • e.g. The Sasser worms that widespread in 2004

automatically scans computers on a network that have a particular Windows security loophole

Worms

15

In case we suspect a computer being infected by viruses …

• We should disconnect the computer from the network immediately!

• Next, run antivirus program to scan the computer for viruses

• If the computer is infected, the antivirus program will report the found viruses and the corresponding infected files after the virus scanning • Usually, antivirus programs try cleaning the found viruses

• In case the viruses cannot be cleaned, the infected files will be quarantined

• It is too late to install antivirus programs at time you suspect your computer having been infected by viruses • Therefore, antivirus programs should always be installed at the very

first beginning

What If My Computer Get Infected?!

16

• Not being regarded as computer viruses • Yet can be very annoying and dangerous

• Sometimes being referred to as malware

Malware = software that has malicious purposes

• Computer users often install them unknowingly

Spyware and Adware

17

• Spyware monitors computer users and collect their information • e.g. a keyboard monitor

spyware program can log every keystroke you type

• Adware’s mission is to show advertisements • Usually via pop-up

windows or embedded in a Web page

Spyware and Adware

18

• How do we get them? • They install themselves onto a computer by exploiting

Web browser security loopholes

• Sometimes come with the freeware that can be freely downloaded from the Web

• We may get them also when we click unknown hyperlinks out of curiosity

• We should take precautions similar to those dealing with computer viruses

Spyware and Adware

19

• Internet connection is essential to almost every computer

• Security risk also increases

Network Security for Users

20

• Data being transmitted over the network can be read by computer software called “Packet Analyzers”

• Wireless networks are vulnerable because users are sharing the same network in open air

Packet Sniffing

21

0010101… Network Segment …00110101… Client computer Server (e.g. Gmail.com)

010101…

010101…

Network Analyzed installed

Email Viruses

• Are computer viruses that spread by means of emails

• Can spread by duplicating and sending themselves to email addresses in the address book of the email application

• Usually exist in form of email file attachments

• Sometimes can spoof sender addresses

• In March 1999, the Melissa email virus forced a number of global companies, including Microsoft, to turn off their e-mail systems completely!

Electronic Communication Security

22

• Email Spam • Unsolicited junk emails from

unknown sender

• Can arrive in a huge volume and can be annoying

• Why it is bad? • Spam occupies Internet and email

server resources

• Uses up email disk quota

• Takes extra time from us to wade through a large number of spam emails to locate the legitimate ones

Electronic Communication Security

23

Dealing with Spam (at Server Side)

• Most Internet Service Providers have installed Anti-spam programs in their email servers • e.g. the IronPort Anti-Spam Service of ITS

http://its.web.ied.edu.hk/antispam/

• Emails that are suspected to be spam are put to the quarantine server and are not directly delivered to users’ email boxes

Electronic Communication Security

24

Dealing with Spam (at Client Side)

• Server side anti-spam measures cannot totally remove spam • We should take client-side precautions, for example:

• Do not response to the spam

• Do not post your and your friends’ email addresses on the Web

• Avoid including HTML email links in your personal homepage

• Create filter rules in our own email applications to filter out unwanted spam emails

Electronic Communication Security

25

Phishing • Is a technique to steal ones’ important personal

information • Is usually conducted by emails • Phishers pretend as organizations such as a bank,

send emails and ask the recipients to enter personal information, account numbers and passwords to a counterfeit Web site that looks like that of the “real” organization

• Beware! Legitimate organization do not seek clients’ information in such way. When in doubt, you should call the genuine organization’s customer service hotline to verify.

Electronic Communication Security

26

• Public Key Infrastructure, or PKI in short, is an umbrella term for a set of security technologies based on public key cryptography • Digital Certificates • Digital Signature • Public Key encryption • …

• PKI provides security to the World Wide Web as well as computer systems and networks

WWW Security and PKI

27

• Cryptography enables us to communicate secretly by encrypting messages with keys • Symmetric Cryptography: a same key is used for

encryption and decryption • Asymmetric Cryptography: encryption key and decryption

key are different A pair of keys: private key and public key Therefore also called “Public Key Cryptography”

WWW Security and PKI

28

Public Key Private Key

Suppose Alice wants to send a message to Bob:

“Symmetric Key Cryptography (no PKI)”

Encryption: Symmetric Key Cryptography Case

29

Alice’s Key = Bob’s Key

Encrypt the message with Alice’s key

Decrypt the message with Bob’s key

Suppose Alice wants to send a message to Bob:

“Asymmetric Key Cryptography (PKI)”

Encryption: Symmetric Key Cryptography Case

30

Public Key ≠ Private Key Public key is known to the public, Private key is kept secret

Encrypt the message with Bob’s public key

Decrypt the message with Bob’s private key Bob has a pair of key: private and public

Public Key Private Key

With PKI, suppose Alice wants to sign on the message to Bob so that Bob can be assured it is really from Alice:

Digital Signature with PKI

31

Verify the signature with Alice’s public key For security reason, encryption and signature should use different key pairs

Sign the message with Alice’s private key Public Key

Private Key

• Public keys are published in WWW by means of digital certificates

• A digital certificate is an electronic file containing information about the certificate holder and is authorized by the Certificate Authority (CA)

• Main components on a Digital Certificate • Certificate holder’s Information • Certificate holder’s public key • Certificate Authority’s digital signature • Expiry date

Digital Signature with PKI

32

• SSL is the abbreviation of Secure Socket Layer • Is a communication protocol for providing authentication

and confidentiality to Internet traffic

• Digital certificate is required for communication over SSL

• When we connect to a Web site over SSL • We can see a small lock at the lower right hand corner

• The URL begins with HTTPS instead of HTTP

33

Digital Signature with PKI

• Software that safeguards security and privacy of information and computer systems

• In particular: • Anti-virus programs defend against computer viruses • Anti-spyware and anti-adware programs defend against

spyware and adware • Personal firewalls defend against security threats in

network connections

• Nowadays, popular antivirus software provide the above protections all-in-one

• Outdated security software may not be able to protect your computer

Security Software

34

• Information security depends much on the safe practices of the computer users

• Computer users are often regarded as the weakest link in information security

• Organizations with a large number of computer users often define the Acceptable Use Policy (AUP) • AUP is a set of rules that governs the use of organization

computers, networks, and the Internet by members within an organization

• The HKIEd also has its own AUP for staff and students • http://its.web.ied.edu.hk/policies/regulations.htm • http://its.web.ied.edu.hk/policies/naup.htm

Security Policies and Practices

35

Good Practices for Safe Computing • Install and always enable anti-virus and anti-spyware

programs • Do not open executable files from an email attachment • Read all messages in plain text • Scan all newly downloaded files and email attachments before

you open or install them • Check out and install Windows Updates regularly • Always enable personal firewalls • Set strong and non-trivial passwords (e.g. E12$n5s2), and

change the password from time to time • Backup files and data regularly • Do not share local files or directories by file sharing

36

Security Policies and Practices

Good Practices for Safe Computing • Disconnect from the Internet and wireless connections when

not in use • Keep your desktop and laptop computers physically safe • Update antivirus program regularly to ensure the latest

version of the program has been installed • Always enable real-time antivirus protection • Scan the computer for viruses regularly • Check out and install Windows Updates regularly • Remember your passwords in your own memory. Don’t write

them down or share them with other people • One should promptly log out of other user’s account before

using the computer

37

Security Policies and Practices

The HKIEd

• Information Security Policy • The policy aims to protect the HKIEd’s members

and its reputation through the protection and preservation of Confidentiality, Integrity and Availability (CIA); and to set out the information security management framework for protecting: • Personal, vital and sensitive information; • Infrastructure and information systems; and • Authorized information users and administrators of the

above.

Useful Links

38

The HKIEd • Network Acceptance Usage Policy • This Acceptable Usage Policy applies to all users of

the HKIEd Campus Network and its purpose is to ensure that every network user can enjoy a secure, reliable and productive working environment. This policy covers areas on proper usage, legal aspects, respect for the rights of others and regulation enforcement.

Useful Links (con’t)

39

Hong Kong Computer Emergency Response Team (HKCERT) • HKCERT Coordination Center • HKCERT coordinates computer and network security

incidents for Hong Kong enterprises and Internet users. Its Web site contains articles, news, and useful links of information security.

Useful Links (con’t)

40

Office of the Government Chief Information Officer, HKSAR Government • InfoSec • The Web site aims at promotion and public

education on information security; contains rich resources on information security as well as measures and the best practices for prevention of computer related crimes.

Useful Links (con’t)

41