Introduction to Information and Computer Science Security Lecture a This material (Comp4_Unit8a) was developed by Oregon Health and Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015.

Dec 27, 2015

Rosa Griffin
Transcript
Page 1: Introduction to Information and Computer Science Security Lecture a This material (Comp4_Unit8a) was developed by Oregon Health and Science University,

Introduction to Information and Computer Science Security

Lecture a

This material (Comp4_Unit8a) was developed by Oregon Health and Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015.

Page 2

Learning Objectives

• List and describe common security concerns (Lecture a)
• Describe safeguards against common security concerns (Lecture b)
• Describe security concerns for wireless networks and how to address them (Lecture b and c)
• List security concerns/regulations for health care applications (Lecture c)
• Describe security safeguards used for health care applications (Lecture c)

Health IT Workforce Curriculum Version 3.0/Spring 2012

2

Introduction to Information and Computer Science Security

Lecture a

Page 3

Concerns About Security

• Lost, stolen, or compromised data
• Identity theft and impersonation
• Downtime for businesses
– Loss of revenue
• Blackmail
– Threat to disclose medical information


Page 4

Common Threats to Security

• Wikipedia:
– “Malware . . . (malicious software) is . . . designed to infiltrate a computer system without the owner's informed consent.” (Wikipedia, 2007)
• Types of malware include:
– Trojans
– Viruses
– Hoaxes
– Worms
– Phishing
– Macro viruses
– Hackers


Page 5

Trojan Horse

• Trojan horse―malware program that usually impersonates a known good file installed on system by replacing (deleting) good file
– Name comes from Greek Trojan Horse myth
– The Trojan then does its dirty work on certain date, through user action, or on command
– Trojans can destroy or copy data, install adware, or install browser toolbar
– Trojans can record keystrokes and send this to attacker and scan computer ports


Page 6

Viruses

• A virus is a computer program that can harm a computer and make it inoperable. Some viruses are only an annoyance.
– Viruses usually do not replicate (make copies of) themselves on other computers
– Removing a virus usually cleans computer
– Sending a virus via email may replicate virus
– In 2008, Fun.exe virus spread itself via email throughout the world and was very difficult to remove as it made many copies of itself on an infected computer


Page 7

Macro Viruses

• Macro viruses usually infect Microsoft Office files and install themselves when users click files.
– A macro is a small program, usually written in VBA (Visual Basic for Applications)
– Macro viruses spread when users click files in which the macro virus resides
– Macro viruses may also delete files, etc. on infected system


Page 8

Personal Information Attacks

• Phishing
– Attempt to trick user into revealing personal information to attacker so they can impersonate user
– Pronounced like “fishing”; attacker is fishing for information about user
– User may receive email that appears to be from financial institution, eBay, or Amazon, asking for login to verify transaction.


Page 9

Personal Information Attacks (continued)

– Clicking link in email brings user to Web site that looks like real Web site
– No reputable organization will ever ask for this
– Report attack to organization so they are aware and can act
• Most email software includes ability to monitor for phishing and move suspected email to non-functional (junk email) folder
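The slides above describe the look-alike link (visible text shows the real site, the link itself goes elsewhere) and note that mail software screens for phishing. The following is an added example, not part of the original lecture, of one such screening check over a constructed sample message; the hostnames in the sample are made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the first link shows the bank's address as its
# visible text but actually points at an unrelated host; the second is honest.
SAMPLE_EMAIL = """
<p>Please log in to verify your recent transaction:</p>
<a href="http://login-example-bank.example.net/verify">https://www.example-bank.com/login</a>
<a href="https://www.example-bank.com/help">Help center</a>
"""

# Visible text that reads like a URL (with or without a scheme).
LOOKS_LIKE_URL = re.compile(r"^(https?://)?([\w-]+\.)+[a-z]{2,}(/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # Simplification for the example: treat the last two labels as the owning domain.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def suspicious_links(html):
    """Return hrefs whose visible text is a URL on a different domain than the
    real target, the classic look-alike link in a phishing email."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        if not LOOKS_LIKE_URL.match(text):
            continue
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        target = urlparse(href).hostname
        if shown and target and registered_domain(shown) != registered_domain(target):
            flagged.append(href)
    return flagged
```

A mail filter that flags such a message can route it to the junk folder as the slide describes; links whose text is plain words (“Help center”) are not judged by this check.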


Page 10

Worms

• A worm is a program that works to create lots of network traffic
– Some worms are not malware as they crawl network searching for reporting information
– Most worms replicate themselves, making network unusable
– ILOVEYOU worm successfully attacked millions of computers (users who clicked attachment) in May 2000


Page 11

False Information

• Hoaxes
– Hoaxes usually a harmless attempt to convince user of something that is not true
– Usually come in form of an email
– Some hoaxes invite user to send money to someone in another part of world or ask for contributions to find missing children
– Use search engine to determine whether email’s message is true by entering email subject line in search engine
– Result will usually indicate whether email is hoax


Page 12

False Information (continued)

• Uncloak hoax
– Use trusted Internet sites to detect hoaxes
– Snopes.com - http://www.snopes.com/
– Urban Legends Online - http://urbanlegendsonline.com/
• Never forward email chains without verifying their source


Page 13

How do Hackers Operate?

• Packet sniffers can read Internet traffic
• Wireshark―free protocol analyzer software tool that can display unencrypted network traffic on monitor screen.
– www.wireshark.org
• Install malware
– Adware―Continuous ads on screen
– Spyware―Reports on sites visited
• Guess at user names and passwords
– Don’t use easy-to-guess passwords
– Do change default usernames and passwords (wireless routers)


Page 14

What is Network Security?

• According to Wikipedia:
– “In the field of networking, the specialist area of network security consists of the provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources.”
• In plain English:
– Network security is about rules set up for use of equipment, software, and data and how to follow these rules
– Use of assets revolves around authentication, authorization, and providing permissions to network assets.
• If user can’t prove identity, he or she can’t gain access to network, equipment, or data.


Page 15

Authentication

• User provides valid username and password
– Referred to as “credential”
• Computer authenticates credentials against user account and password database
– If user logs in successfully, user is authenticated!
• If credentials entered match what is in database, user is authenticated
– Servers authenticate users using special type of database known as directory
– Directory stores information about all users, user groups, computers, printers, and so on
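The slide describes checking a credential against a user account and password database. The following is an added example, not from the lecture, of how such a check is done so that the database holds salted password hashes rather than passwords and the comparison is constant-time; the directory structure and the account “alice” are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed example directory (not a real product's store): each account keeps
# a random salt, a PBKDF2 hash of the password, and the groups it belongs to.
# The password itself is never stored.
DIRECTORY = {}

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def create_user(username: str, password: str, groups=()) -> None:
    salt = os.urandom(16)
    DIRECTORY[username] = {
        "salt": salt,
        "hash": _hash(password, salt),
        "groups": set(groups),
    }

def authenticate(username: str, password: str):
    """Return the account record when the credential matches, otherwise None.
    The comparison is constant-time, so a wrong guess does not reveal how many
    bytes of the stored hash happened to match."""
    account = DIRECTORY.get(username)
    if account is None:
        # Unknown user: do the same hashing work anyway so response time does
        # not reveal which usernames exist in the directory.
        _hash(password, b"\x00" * 16)
        return None
    if hmac.compare_digest(_hash(password, account["salt"]), account["hash"]):
        return account
    return None

# Sample account used by the checks below.
create_user("alice", "correct horse battery staple", groups=["Users"])
```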


Page 16

Authorization

• Next, authenticated users are authorized

• Authorization means that computer indicates precisely what user can do:

– Print files using specified printers

– Access specified network drives

– View and/or change documents in folders

– Use company email

• Actions are usually recorded for audit


Page 17

Permissions (Windows)

• Authorized objects are associated with permissions

– Part of authorizing object is determining permissions

• Permissions determine what object can or cannot do on computer or network

• Two types of permissions typically used:

– Sharing: Allows one object to connect to or use another object over network

– NTFS: Determines what one object can or cannot do to another object

• Permissions are a complex topic


Page 18

Permissions (Windows)

• Sharing and NTFS permissions work together– User creates folder on his computer so his sister can

copy pictures he took– Next, he shares folder and sets his permissions to

“read”– Lastly, he sets NTFS permissions to “read” so that she

can view and copy pictures– Without this configuration, his sister will not be able to

view or copy files from his computer• Non-Windows OS protect devices and files similarly
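The slide's scenario (share permission and NTFS permission both set to “read”, with the more restrictive of the two deciding what the sister can do) modelled as an added example; this is not Windows code or code from the lecture, and the folder, users and groups are constructed for the example.

```python
# Constructed model of the slide's scenario (not Windows code): permission
# levels ordered from least to most permissive.
LEVELS = {"none": 0, "read": 1, "change": 2, "full": 3}

# Group membership stands in for the directory's user groups.
GROUPS = {"admin": {"Administrators"}, "sister": {"Users"}}

# The Pictures folder: shared, with the sister granted "read" at the share
# level and again at the NTFS level, as the slide describes.
PICTURES = {
    "shared": True,
    "share_perms": {"sister": "read"},
    "ntfs_perms": {"sister": "read", "Administrators": "full"},
}

def _granted(acl, user):
    """Highest level an ACL grants the user directly or through a group."""
    principals = {user} | GROUPS.get(user, set())
    return max((LEVELS[acl[p]] for p in principals if p in acl), default=0)

def effective_access(folder, user, over_network=True):
    """Over the network both permission sets apply and the more restrictive
    one wins; on the local machine only the NTFS permissions apply."""
    ntfs = _granted(folder["ntfs_perms"], user)
    if not over_network:
        return ntfs
    if not folder["shared"]:
        return LEVELS["none"]
    return min(ntfs, _granted(folder["share_perms"], user))

def can(folder, user, action, over_network=True):
    """Map the slide's actions onto the level they need (simplified mapping)."""
    needed = {"view": "read", "copy": "read", "change": "change", "delete": "change"}
    return effective_access(folder, user, over_network) >= LEVELS[needed[action]]
```

Removing either grant (unsharing the folder, or dropping the sister from one of the two lists) drops her network access to “none”, which is the slide's point that both settings are required.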


Page 19

Permissions Example

• Right-click folder and select Properties from menu

• Pictures folder is shared

• Click Advanced Sharing to configure sharing permissions for this folder

(2011, PD-US)


Page 20

Permissions Example (continued)

• Click Security tab to configure NTFS permissions

• Group or user names are listed in ACL

• Administrators have Full Control over this folder and its contents

– This means that a user who is a member of the Windows Administrator’s group can do anything to this folder and its contents

– Anything means view, add new files, delete existing files, change existing files, create new sub-folders, etc.

(2011, PD-US)


Page 21

Summary – Lecture a

• List and describe common security concerns


Page 22

References – Lecture a

References
• Wikipedia. Malware. [Internet]. 2011 Jun [cited 2011 Nov 07]. Available from: http://en.wikipedia.org/wiki/Malware.

Images
• Slide 19: Screenshot of a shared folder's properties window. Image source: the creator of this presentation. (2011, PD-US)
• Slide 20: Screenshot of the folder named Pictures properties dialog box. Image source: the creator of this presentation. (2011, PD-US)
