CHAPTER 3 Information Privacy and Security
Feb 25, 2016

elie

CHAPTER 3. Information Privacy and Security. CHAPTER OUTLINE. Ethical Issues in Information Systems Threats to Information Security Protecting Information Resources. Ethical Issues in Information Systems. Issues and standards of conduct pertaining to the use of information systems - PowerPoint PPT Presentation
Page 1: CHAPTER 3

CHAPTER 3

Information Privacy and Security

Page 2: CHAPTER 3

CHAPTER OUTLINE

Ethical Issues in Information Systems

Threats to Information Security

Protecting Information Resources


Page 3: CHAPTER 3

Ethical Issues in Information Systems

Issues and standards of conduct pertaining to the use of information systems

1986 – Richard O. Mason article


Page 4: CHAPTER 3

Threats to Information Privacy

Data aggregators and digital dossiers (linking personal information in multiple databases)

Could this happen to you?

Electronic Surveillance

Information on Internet Bulletin Boards, Blog Sites, and Social Networking Sites

Page 5: CHAPTER 3

Threats to Information Security

Issues:

Confidentiality, Integrity, Availability (CIA)

Natural causes vs. human causes

Outsider threats vs. insider threats, e.g., the Gucci case, the FDA case

Protection vs. convenience

Page 6: CHAPTER 3

Major Categories of IS Security Threats

Accidents and natural disasters

Unauthorized Access: thefts, eavesdropping, masquerading, etc.

Computer Malware: viruses, worms, Trojan horses, spyware, adware, etc.

Spamming and phishing

Cyber warfare: denial of service (DoS) attacks, online vandalism, etc.

Page 7: CHAPTER 3

Example: Password Security

Calculated guessing

Brute force attacks: exhaustive search until a match is found. How long would it take?

Shoulder surfing

Social engineering

Page 8: CHAPTER 3

Example: Denial of Service (DoS) Attacks

Attackers prevent legitimate users from accessing services

Targets include servers and communication circuits

The Estonian Attack

Distributed DoS attacks: use compromised computers (zombies or botnets) to launch massive attacks

Page 9: CHAPTER 3

Protecting Information Resources

IS Security Audits (Risk Analysis)

Identify information assets

Prioritize assets to be protected

There is always risk! And then there is real risk!

Page 10: CHAPTER 3

Risk Mitigation Strategies

Risk limitation – Implement countermeasures (controls)

Risk acceptance – Prepared to absorb damages

Risk transfer – Transfer risks to a third party

Page 11: CHAPTER 3

Sample Risk Limitation Worksheet

Countermeasures:

1. Disaster recovery plan
2. Halon fire system/sprinklers
3. Not on or below ground level
4. UPS on servers
5. Contract guarantees from IXCs
6. Extra backbone fiber laid between servers
7. Virus checking software present
8. Extensive user training on viruses
9. Strong password software
10. Extensive user training on security
11. Application Layer firewall

Worksheet (cell entries are the countermeasure numbers above; a blank cell means none is listed for that asset and threat):

Assets (w/ priority)        | Disruption and Disaster                            | Unauthorized Access
                            | Fire | Flood | Power Loss | Circuit Failure | Virus | External Intruder | Internal Intruder | Eavesdrop
(92) Mail Server            | 1,2  | 1,3   | 4          | 5,6             | 7,8   | 9,10,11           | 9,10              |
(90) Web Server             | 1,2  | 1,3   | 4          | 5,6             | 7,8   | 9,10,11           | 9,10              |
(90) DNS Server             | 1,2  | 1,3   | 4          | 5,6             | 7,8   | 9,10,11           | 9,10              |
(50) Computers on 6th floor | 1,2  | 1,3   |            |                 | 7,8   | 10,11             | 10                |
(50) 6th floor LAN circuits | 1,2  | 1,3   |            |                 |       |                   |                   |
(80) Building A Backbone    | 1,2  | 1,3   |            | 6               |       |                   |                   |
(100) Database Server       |      |       |            |                 |       | 9                 | 9                 |
...                         | ...  | ...   | ...        | ...             | ...   | ...               | ...               | ...
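The worksheet above as data, with a check for the cells it leaves empty; this is an added example, not code from the slides. Priorities, threats and countermeasure numbers are transcribed from the slide, the function names are mine, and the rows the slide elides with "..." are left out.

```python
# Added example, not from the slides: the sample worksheet as data plus a
# gap check. Priorities, threats and countermeasure numbers are transcribed
# from the slide; the function names are my own; elided rows are omitted.
COUNTERMEASURES = {
    1: "Disaster recovery plan", 2: "Halon fire system/sprinklers",
    3: "Not on or below ground level", 4: "UPS on servers",
    5: "Contract guarantees from IXCs", 6: "Extra backbone fiber between servers",
    7: "Virus checking software", 8: "User training on viruses",
    9: "Strong password software", 10: "User training on security",
    11: "Application layer firewall",
}
THREATS = ["Fire", "Flood", "Power loss", "Circuit failure", "Virus",
           "External intruder", "Internal intruder", "Eavesdrop"]

# Mail, Web and DNS servers carry the same controls on the slide.
SERVER_ROW = {"Fire": {1, 2}, "Flood": {1, 3}, "Power loss": {4},
              "Circuit failure": {5, 6}, "Virus": {7, 8},
              "External intruder": {9, 10, 11}, "Internal intruder": {9, 10}}

# asset -> (priority, {threat: countermeasure numbers applied})
WORKSHEET = {
    "Mail Server": (92, SERVER_ROW),
    "Web Server": (90, SERVER_ROW),
    "DNS Server": (90, SERVER_ROW),
    "Computers on 6th floor": (50, {"Fire": {1, 2}, "Flood": {1, 3}, "Virus": {7, 8},
                                    "External intruder": {10, 11},
                                    "Internal intruder": {10}}),
    "6th floor LAN circuits": (50, {"Fire": {1, 2}, "Flood": {1, 3}}),
    "Building A Backbone": (80, {"Fire": {1, 2}, "Flood": {1, 3}, "Circuit failure": {6}}),
    "Database Server": (100, {"External intruder": {9}, "Internal intruder": {9}}),
}


def uncovered_threats(worksheet=WORKSHEET, threats=THREATS):
    """(priority, asset, threat) for every empty cell, highest-priority asset
    first and in the slide's column order. Each gap is a decision the risk
    analysis still owes: limit (add a control), accept, or transfer."""
    gaps = [(prio, asset, t) for asset, (prio, controls) in worksheet.items()
            for t in threats if not controls.get(t)]
    return sorted(gaps, key=lambda g: (-g[0], g[1], threats.index(g[2])))


def controls_for(asset, threat, worksheet=WORKSHEET):
    """Names of the countermeasures recorded for one cell, sorted."""
    return sorted(COUNTERMEASURES[n] for n in worksheet[asset][1].get(threat, ()))


if __name__ == "__main__":
    for prio, asset, threat in uncovered_threats():
        print(f"[{prio:>3}] {asset}: no countermeasure for {threat}")
```

Run as a script it lists the highest-priority asset, the Database Server, first, with no listed control against fire, flood, power loss, circuit failure or virus.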

Page 12: CHAPTER 3

Access Control Mechanisms

Physical Controls: chain and locks

Network Controls: firewalls, Virtual Private Networks (VPNs), employee monitoring systems, authentication and encryption techniques

Page 13: CHAPTER 3

Firewall Architecture for Large Organizations


Page 14: CHAPTER 3

Virtual Private Network and Tunneling


Page 15: CHAPTER 3

Employee Monitoring System


Page 16: CHAPTER 3

Authentication Techniques

Something you know: strong password, CAPTCHA

Something you have: smart cards / keys, hardware authentication

Something you are or you do: biometrics

Page 17: CHAPTER 3

Encryption Techniques

Mathematical manipulation of digital data to provide:

Confidentiality – only the intended recipient can read a message

Authentication – proving one's identity

Information Integrity – assurance of an unaltered message

Nonrepudiation – using digital signatures to prevent disputes between parties exchanging messages

Page 18: CHAPTER 3

The Encryption Concept

Every encryption method has two parts: a mathematical procedure and a key.

Example procedure — shift in alphabetical order by N letters

Example key — N = 4

Plaintext "TAKEOVER" --[Encryption: Procedure + Key]--> Ciphertext "XEOISZIV" (transmitted) --[Decryption: Procedure + Key]--> Plaintext "TAKEOVER"
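The slide's shift-by-N procedure with the key N = 4, written out as an added example (not code from the slides; the function names are mine). try_all_keys shows the property that the next slide on key length is about: a procedure with only 26 possible keys gives no protection once the procedure is known.

```python
# Added example, not from the slides: the shift-by-N procedure as code.
# Function names (shift_encrypt, shift_decrypt, try_all_keys) are my own.
import string

ALPHABET = string.ascii_uppercase


def shift_encrypt(plaintext: str, n: int) -> str:
    """Shift each letter forward by n positions, wrapping Z back to A.
    Characters outside A-Z are passed through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + n) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, n: int) -> str:
    """Decryption is the same procedure applied with the key negated."""
    return shift_encrypt(ciphertext, -n)


def try_all_keys(ciphertext: str) -> dict:
    """Exhaustive search over the whole key space: only 26 candidates, so the
    ciphertext alone is enough to recover the plaintext. The slide's point is
    that the key, not the procedure, must be the secret, and a key space this
    small cannot carry a secret."""
    return {n: shift_decrypt(ciphertext, n) for n in range(26)}


if __name__ == "__main__":
    ct = shift_encrypt("TAKEOVER", 4)   # slide's example: XEOISZIV
    print(ct, "->", shift_decrypt(ct, 4))
    for n, candidate in try_all_keys(ct).items():
        print(f"key {n:2d}: {candidate}")
```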

Page 19: CHAPTER 3

Encryption: Key Length

The key is a value that may be "guessed" by exhaustive search (brute force attacks)

A large key makes exhaustive search very difficult or virtually impossible

If key length is n bits, 2^n tries may be needed

Weak key: up to 56 bits

Strong key: 128 bits or longer

Key size (bits) | Number of alternative keys | Time required at 10^6 tries/sec | Time required at 10^12 tries/sec
56              | 2^56 = 7.2 x 10^16         | 1,142 years                     | 10 hours
128             | 2^128 = 3.4 x 10^38        | 5.4 x 10^24 years               | 5.4 x 10^18 years
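An added example (not from the slides) that recomputes this table and answers the password slide's "How long would it take?"; the function names are mine, and it assumes, as the slide's figures do, that on average an exhaustive search tests half of the 2^n keys before finding the right one.

```python
# Added example, not from the slides: reproduces the key-length table.
# Assumption (matches the slide's numbers): the time quoted is the average
# case, i.e. half the key space is searched before the key is found.
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(bits: int) -> int:
    """Number of alternative keys for an n-bit key: 2^n."""
    return 2 ** bits


def average_search_seconds(bits: int, tries_per_second: float) -> float:
    """Expected time for exhaustive search: half of all 2^n keys are tried."""
    return (keyspace(bits) / 2) / tries_per_second


def human_time(seconds: float) -> str:
    """Format a duration the way the slide does: hours when under a year,
    whole years up to a million, scientific notation beyond that."""
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:.1f} hours"
    years = seconds / SECONDS_PER_YEAR
    if years < 1e6:
        return f"{years:,.0f} years"
    return f"{years:.1e} years"


def key_length_table(bit_sizes=(56, 128), rates=(1e6, 1e12)) -> list:
    """One row per key size: (bits, number of keys, [time at each rate]).
    Defaults are the slide's two key sizes and two attacker speeds; any other
    sizes or rates can be passed to extend the table."""
    rows = []
    for bits in bit_sizes:
        times = [human_time(average_search_seconds(bits, r)) for r in rates]
        rows.append((bits, keyspace(bits), times))
    return rows


if __name__ == "__main__":
    for bits, n, times in key_length_table():
        print(f"{bits:>4} bits  2^{bits} = {n:.1e}  " + "  |  ".join(times))
```

Adding 2^10 to a key size multiplies every time in the table by about a thousand, which is why the slide's "weak" and "strong" thresholds sit 72 bits apart.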

Page 20: CHAPTER 3

Common Encryption Techniques

Symmetric (private) key encryption system: sender and recipient use the same key; key distribution and management problems

Asymmetric (public) key encryption system: each individual has a pair of keys

Public key – freely distributed

Private key – kept secret

Page 21: CHAPTER 3

How Public Key Encryption Works

[Diagram; labels: Encrypt, Decrypt]

Page 22: CHAPTER 3

E-Commerce Security

Certificate Authority: third party – trusted middleman

Verifies trustworthiness of a Web site

Checks for identity of a computer

Provides public keys

Secure Sockets Layer (SSL): developed by Netscape; standard technique for secure e-commerce transactions (https)