CHAPTER 3 Information Privacy and Security
Feb 25, 2016
CHAPTER OUTLINE
Ethical Issues in Information Systems
Threats to Information Security
Protecting Information Resources
Ethical Issues in Information Systems
Issues and standards of conduct pertaining to the use of information systems
1986 – Richard O. Mason article
Threats to Information Privacy
Data aggregators and digital dossiers (linking personal information in multiple databases)
Could this happen to you?
Electronic Surveillance
Information on Internet Bulletin Boards, Blog Sites, and Social Networking Sites
Threats to Information Security
Issues:
  Confidentiality, Integrity, Availability (CIA)
  Natural causes vs. human causes
  Outsider threats vs. insider threats, e.g., the Gucci case, the FDA case
  Protection vs. convenience
Major Categories of IS Security Threats
Accidents and natural disasters
Unauthorized Access
  Thefts, eavesdropping, masquerading, etc.
Computer Malware
  Viruses, worms, Trojan horses, spyware, adware, etc.
Spamming and phishing
Cyber warfare
  Denial of service (DoS) attacks, online vandalism, etc.
Example: Password Security
Calculated guessing
Brute force attacks
  Exhaustive search until a match is found
  How long would it take?
Shoulder surfing
Social engineering
Example: Denial of Service (DoS) Attacks
Attackers prevent legitimate users from accessing services
Targets include servers and communication circuits
The Estonian Attack
Distributed DoS attacks
  Use compromised computers (zombies or botnets) to launch massive attacks
Protecting Information Resources
IS Security Audits (Risk Analysis)
  Identify information assets
  Prioritize assets to be protected
There is always risk! And then there is real risk!
Risk Mitigation Strategies
Risk limitation – Implement countermeasures (controls)
Risk acceptance – Prepared to absorb damages
Risk transfer – Transfer risks to a third party
Sample Risk Limitation Worksheet

Countermeasures
1. Disaster recovery plan
2. Halon fire system/sprinklers
3. Not on or below ground level
4. UPS on servers
5. Contract guarantees from IXCs
6. Extra backbone fiber laid between servers
7. Virus checking software present
8. Extensive user training on viruses
9. Strong password software
10. Extensive user training on security
11. Application Layer firewall

Threats: Disruption and Disaster (Fire, Flood, Power Loss, Circuit Failure, Virus); Unauthorized Access (External Intruder, Internal Intruder, Eavesdrop)

Assets (w/ priority)        | Fire | Flood | Power Loss | Circuit Failure | Virus | External Intruder | Internal Intruder | Eavesdrop
(92) Mail Server            | 1,2  | 1,3   | 4          | 5, 6            | 7, 8  | 9, 10, 11         | 9, 10             |
(90) Web Server             | 1,2  | 1,3   | 4          | 5, 6            | 7, 8  | 9, 10, 11         | 9, 10             |
(90) DNS Server             | 1,2  | 1,3   | 4          | 5, 6            | 7, 8  | 9, 10, 11         | 9, 10             |
(50) Computers on 6th floor | 1,2  | 1,3   |            |                 | 7, 8  | 10, 11            | 10                |
(50) 6th floor LAN circuits | 1,2  | 1,3   |            |                 |       |                   |                   |
(80) Building A Backbone    | 1,2  | 1,3   |            | 6               |       |                   |                   |
(100) Database Server       |      |       |            |                 |       | 9                 | 9                 |
…                           | …    | …     | …          | …               | …     | …                 | …                 | …
Access Control Mechanisms
Physical Controls
  Chain and locks
Network Controls
  Firewalls
  Virtual Private Networks (VPNs)
  Employee monitoring systems
  Authentication and Encryption techniques
Firewall Architecture for Large Organizations
Virtual Private Network and Tunneling
Authentication Techniques
Something you know
  Strong password
  CAPTCHA
Something you have
  Smart cards / keys
  Hardware authentication
Something you are or you do
  Biometrics
Encryption Techniques
Mathematical manipulation of digital data to provide
  Confidentiality – only intended recipient can read a message
  Authentication – proving one’s identity
  Information Integrity – assurance of unaltered message
  Nonrepudiation – using digital signatures to prevent disputes between parties exchanging messages
The Encryption Concept
Every encryption method has two parts: a mathematical procedure and a key
  Example procedure — shift in alphabetical order by N letters
  Example key — N = 4
Plaintext “TAKEOVER” -> Encryption (Procedure + Key) -> Ciphertext “XEOISZIV” (Transmitted) -> Decryption (Procedure + Key) -> Plaintext “TAKEOVER”
Encryption: Key Length
The key is a value that may be “guessed” by exhaustive search (brute force attacks)
A large key makes exhaustive search very difficult or virtually impossible
  If key length is n bits, 2^n tries may be needed
  Weak key: up to 56 bits
  Strong key: 128 bits or longer

Key size (bits) | Number of Alternative Keys | Time Required at 10^6 tries/sec | Time Required at 10^12 tries/sec
56              | 2^56 = 7.2 x 10^16         | 1,142 years                     | 10 hours
128             | 2^128 = 3.4 x 10^38        | 5.4 x 10^24 years               | 5.4 x 10^18 years
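
Added example, not part of the original slides: the shift procedure and key from "The Encryption Concept" together with the exhaustive-search arithmetic behind the key-length table above. Function names are illustrative, and the time estimate assumes that on average half of the 2^n keys are tried before the right one is found, which reproduces the table's figures.

```python
# Added example (not from the slides); all names are illustrative.
import string

ALPHABET = string.ascii_uppercase
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def shift(text, key):
    """Procedure: move each letter `key` places along the alphabet, wrapping at Z."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def encrypt(plaintext, key):
    return shift(plaintext, key)


def decrypt(ciphertext, key):
    return shift(ciphertext, -key)


def exhaustive_search(ciphertext, crib):
    """Try keys 0..25 until the output contains a word expected in the plaintext.
    Returns (key, number_of_tries), or (None, 26) if no key matches."""
    for key in range(26):
        if crib in decrypt(ciphertext, key):
            return key, key + 1
    return None, 26


def expected_search_seconds(key_bits, tries_per_second):
    """Assumption: on average half of the 2**key_bits keys are tried."""
    return (2 ** key_bits / 2) / tries_per_second


def expected_search_years(key_bits, tries_per_second):
    return expected_search_seconds(key_bits, tries_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(encrypt("TAKEOVER", 4))
    print(exhaustive_search("XEOISZIV", "OVER"))
    print(round(expected_search_years(56, 1e6)))
    print(round(expected_search_seconds(56, 1e12) / 3600))
```

The shift procedure has only 26 possible keys (under 5 bits), so the search ends within 26 tries; the same arithmetic applied to 56-bit and 128-bit keys gives the times in the table.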
Common Encryption Techniques
Symmetric (private) key encryption system
  Sender and recipient use the same key
  Key distribution and management problems
Asymmetric (public) key encryption system
  Each individual has a pair of keys
    Public key – freely distributed
    Private key – kept secret
How Public Key Encryption Works
[Figure labels: Encrypt, Decrypt]
E-Commerce Security
Certificate Authority
  Third party – trusted middleman
  Verifies trustworthiness of a Web site
  Checks for identity of a computer
  Provides public keys
Secure Sockets Layer (SSL)
  Developed by Netscape
  Standard technique for secure e-commerce transactions (https)