Introduction to MIS, Chapter 4: Security, Privacy, Anonymity
Copyright © 1998-2002 by Jerry Post
42 pages

Mar 26, 2015
John Anderson
Page 1: Title slide
Introduction to MIS, Chapter 4: Security, Privacy, Anonymity
Copyright © 1998-2002 by Jerry Post

Page 2: Outline
- Threats to Information
- Physical Security and Disaster Planning
- Logical Security and Data Protection
- Virus Threats
- User Identification and Biometrics
- Access Controls
- Encryption and Authentication
- Internet Security Issues
- Privacy
- Anonymity
- Cases: Healthcare
- Appendix: Server Security Certificates

Page 3: Security, Privacy, and Anonymity
Figure labels: The Internet; Server attacks; Data interception; Monitoring.

Page 4: Threats to Information
- Accidents & Disasters
- Employees & Consultants
- Business Partnerships
- Outsiders
- Viruses
Figure labels: Employees & consultants; Links to business partners; Outside hackers; Virus hiding in e-mail attachment.

Page 5: Security Categories
Physical attack & disasters:
- Backup: off-site
- Cold/shell site
- Hot site
- Disaster tests
- Personal computers!
Logical:
- Unauthorized disclosure
- Unauthorized modification
- Unauthorized withholding
  - Denial of service

Page 6: Horror Stories
Security Pacific, Oct. 1978:
- Stanley Mark Rifkin
- Electronic funds transfer of $10.2 million to Switzerland
- Soviet diamonds
- Came back to the U.S.
Equity Funding, 1973:
- "The Impossible Dream"
- Stock manipulation
- Insurance loans
- Fake computer records
Robert Morris, 1989:
- Graduate student
- Unix "worm"
- Internet tied up for 3 days
Clifford Stoll, 1989:
- The Cuckoo's Egg
- Berkeley Labs: Unix account did not balance
- Monitored the intruder and fed him false information
- Tracked to an East German spy
Old techniques:
- Salami slice
- Bank deposit slips
- Trojan horse
- Virus

Page 7: Manual vs. Automated Data
- Amount of data
- Identification of users
- Difficult to detect changes
- Speed
- Search
- Copy
- Statistical inference
- Communication lines

Page 8: Disaster Planning
SunGard is a premier provider of computer backup facilities and disaster planning services. Its fleet of Mobile Data Centers can be outfitted with a variety of distributed systems hardware and delivered to a disaster site within 48 hours.

Page 9: Data Backup
- Backup is critical
- Offsite backup is critical
- Levels: RAID (multiple drives); real-time replication; scheduled backups

Page 10: Data Backup
- Offsite backups are critical.
- Frequent backups enable you to recover from disasters and mistakes.
- Use the network to back up PC data.
- Use duplicate mirrored servers for extreme reliability.
Figure labels: UPS; Power company.

Page 11: Virus
Figure: an e-mail (From: afriend; To: victim; Message: "Open the attachment for some excitement.") whose attachment carries hidden virus code.
1. User opens an attached program that contains a hidden virus.
2. Virus copies itself into other programs on the computer.
3. Virus spreads until a certain date, then it deletes files.

Page 12: Virus Damage
1999 virus costs in the U.S.: $7.6 billion.

Attacks                                                        1991  1996  2000  2001
Viruses/Trojans/Worms                                            62    80    80    89
Attacks on Web servers                                                       24    48
Denial of Service                                                            37    39
Insider physical theft or damage of equipment                                49    42
Insider electronic theft, destruction, or disclosure of data                 24    22
Fraud                                                                        13     9

Sources: Dataquest, Inc.; Computerworld 12/2/91; National Computer Security Association; Computerworld 5/6/96; http://www.info-ec.com/viruses/99/viruses_062299a_j.shtml

Page 13: Stopping a Virus
- Back up your data!
- Never run applications unless you are certain they are safe.
- Never open executable attachments sent over the Internet, regardless of who mailed them.
- Antivirus software: needs constant updating; rarely catches current viruses; can interfere with other programs.
- Ultimately, viruses sent over the Internet can be traced back to the original source.

Page 14: User Identification
Passwords:
- A dial-up service found that 30% of people used the same word.
- People choose obvious passwords.
- Post-It notes.
- Hints: don't use real words; don't use personal names; include non-alphabetic characters; change often; use at least 6 characters.
Alternatives: biometrics
- Finger/hand print
- Voice recognition
- Retina/blood vessels
- Iris scanner
- DNA?
- Password generator cards
Comments:
- Don't have to remember
- Reasonably accurate
- Price is dropping
- Nothing is perfect
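The password hints on this slide, turned into a checker; this is an added example and not part of the original deck. The word and name lists are constructed stand-ins for a dictionary file and a user directory, and the 90-day limit that gives "change often" a number is an assumed policy value.

```python
import re
from datetime import date

# Constructed stand-ins: a real check would load a dictionary file and the
# names of users and their relatives from the directory.
COMMON_WORDS = {"password", "welcome", "secret", "letmein", "dragon", "summer"}
PERSONAL_NAMES = {"alice", "bob", "jerry", "post", "kalin"}


def password_problems(password, words=COMMON_WORDS, names=PERSONAL_NAMES):
    """Return the slide's hints that this password violates (empty = passes)."""
    problems = []
    if len(password) < 6:
        problems.append("use at least 6 characters")
    if not re.search(r"[^A-Za-z]", password):
        problems.append("include non-alphabetic characters")
    # Judge the letters only, so 'secret1!' still trips the dictionary check.
    letters = re.sub(r"[^a-z]", "", password.lower())
    if letters in words or any(w in letters for w in words if len(w) >= 5):
        problems.append("don't use real words")
    if any(n in letters for n in names if len(n) >= 3):
        problems.append("don't use personal names")
    return problems


def password_expired(last_changed_iso, today_iso, max_age_days=90):
    """'Change often': flag a password older than max_age_days (assumed value)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > max_age_days


if __name__ == "__main__":
    for candidate in ("bob", "secret1!", "Tr0ub4dor&3"):
        print(candidate, "->", password_problems(candidate) or "ok")
    print("expired:", password_expired("2001-01-01", "2001-06-01"))
```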

Page 15: Iris Scan
- http://www.iridiantech.com/questions/q2/features.html
- Algorithm patents by John Daugman, 1994: http://www.cl.cam.ac.uk/~jgd1000/
- EyePass™ system at Charlotte/Douglas International Airport: http://www.eyeticket.com/eyepass/index.html

Page 16: Biometrics: Thermal
Several methods exist to identify a person based on biological characteristics. Common techniques include fingerprint readers, handprint readers, and retinal scanners. More exotic devices include body shape sensors and this thermal facial reader, which uses infrared imaging to identify the user.

Page 17: Access Controls: Permissions in Windows
1. Find the folder or directory in Explorer.
2. Right-click to set properties.
3. On the Security tab, assign permissions.

Page 18: Security Controls
Access control:
- Ownership of data
- Permissions: Read, Write, Execute, Delete, Change Permission, Take Ownership
Security monitoring:
- Access logs
- Violations
- Lock-outs

Page 19: Additional Controls
- Audits
- Monitoring
- Background checks: http://www.casebreakers.com/, http://www.knowx.com/, http://www.publicdata.com/

Page 20: Encryption: Single Key
- Encrypt and decrypt with the same key.
- How do you get the key safely to the other party?
- What if there are many people involved?
- Fast encryption and decryption.
- DES: old and falls to brute-force attacks.
- Triple DES: old but slightly harder to break with brute force.
- AES: new standard.
Figure (single key, e.g., AES): plain text message, encrypted with AES under key 9837362, gives encrypted text; the same AES key 9837362 turns the encrypted text back into the plain text message.

Page 21: Encryption: Dual Key
Figure: Alice sends a message to Bob that only he can read.
- Public keys (figure values): Alice 29, Bob 17. Private keys: Alice 13, Bob 37.
- Alice encrypts the message using Bob's public key.
- Bob decrypts the encrypted message using Bob's private key.

Page 22: Dual Key: Authentication
Figure: Bob sends a message to Alice. His key guarantees it came from him; her key prevents anyone else from reading the message.
- Public keys (figure values): Alice 29, Bob 17. Private keys: Alice 13, Bob 37.
- Bob applies his own private key (figure stage "Encrypt+T") and Alice's public key (figure stage "Encrypt+T+M"); the message then goes over the transmission.
- Alice removes the layers with her own private key and Bob's public key to recover the message.

Page 23: Certificate Authority
- An imposter could sign up for a public key.
- Need a trusted organization. Only Verisign today, a public company with no regulation.
- Verisign mistakenly issued a certificate to an imposter claiming to work for Microsoft in 2001.
Figure: Alice's list of public keys (Alice 29, Bob 17); she uses Bob's public key. How does Alice know that it is really Bob's key? Trust the C.A.: the C.A. validates applicants.
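A worked version of the dual-key exchange on pages 21-23 (Bob signs and encrypts for Alice, then the C.A. vouches for Bob's key), added here and not part of the original slides. It uses textbook RSA with tiny constructed primes so the arithmetic is visible; the key numbers on the slides (29, 17, 13, 37) are only labels, so the example generates its own.

```python
# Toy textbook RSA to act out the dual-key slides. Constructed example: the
# primes are tiny teaching values, there is no padding and digest() is a toy,
# so this is NOT secure; real systems use a vetted library and 2048-bit+ keys.
from math import gcd


def keygen(p, q, e=17):
    """Return (public, private) as (exponent, modulus) tuples from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    return (e, n), (pow(e, -1, phi), n)       # modular inverse: Python 3.8+

def apply_key(key, value):
    """One modular exponentiation serves encrypt, decrypt, sign and verify."""
    exponent, modulus = key
    return pow(value, exponent, modulus)

def digest(data, modulus):
    """Toy stand-in for a cryptographic hash: fold bytes into an int < modulus."""
    h = 0
    for b in data:
        h = (h * 257 + b) % modulus
    return h

def sign(private, data):
    return apply_key(private, digest(data, private[1]))
def verify(public, data, signature):
    return apply_key(public, signature) == digest(data, public[1])

def encrypt(public, data):
    return [apply_key(public, b) for b in data]   # byte at a time: toy only
def decrypt(private, blocks):
    return bytes(apply_key(private, c) for c in blocks)

# Page 22: Bob -> Alice. His private key proves who sent it (the slide's "T");
# her public key keeps it secret in transit (the slide's "M").
def bob_sends(bob_private, alice_public, message):
    return encrypt(alice_public, message), sign(bob_private, message)

def alice_receives(alice_private, bob_public, blocks, signature):
    message = decrypt(alice_private, blocks)
    return message, verify(bob_public, message, signature)

# Page 23: the C.A. vouches for Bob's key by signing a record of it. Alice
# trusts a key only if the C.A.'s signature on that record checks out.
def issue_certificate(ca_private, owner, public):
    record = f"{owner}:{public[0]}:{public[1]}".encode()
    return record, sign(ca_private, record)

def trusted_key(ca_public, certificate):
    record, signature = certificate
    if not verify(ca_public, record, signature):
        return None                               # forged or tampered record
    _, e, n = record.split(b":")
    return int(e), int(n)
```

A signature that has been altered by even one unit fails verification, and a certificate record whose C.A. signature does not check out yields no key, which is the check Alice relies on instead of trusting the list.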

Page 24: Internet Data Transmission
Figure labels: Start; Intermediate machines; Eavesdropper; Destination.

Page 25: Clipper Chip: Key Escrow
Figure labels: Clipper chip in phones; Encrypted conversation; Intercept; Escrow keys; Judicial or government office; Decrypted conversation.

Page 26: Denial of Service
Figure labels: Zombie PCs at homes, schools, and businesses (weak security); Break in; Flood program; Coordinated flood attack; Targeted server.

Page 27: Securing E-Commerce Servers
Source: http://www.visabrc.com/doc.phtml?2,64,932,932a_cisp.html
1. Install and maintain a working network firewall to protect data accessible via the Internet.
2. Keep security patches up-to-date.
3. Encrypt stored data.
4. Encrypt data sent across networks.
5. Use and regularly update anti-virus software.
6. Restrict access to data by business "need to know."
7. Assign a unique ID to each person with computer access to data.
8. Don't use vendor-supplied defaults for system passwords and other security parameters.
9. Track access to data by unique ID.
10. Regularly test security systems and processes.
11. Maintain a policy that addresses information security for employees and contractors.
12. Restrict physical access to cardholder information.

Page 28: Internet Firewall
Figure labels: Internet; Firewall router; Company PCs; Internal company data servers.
- Examines each packet and discards some types of requests.
- Keeps local data from going to Web servers.

Page 29: Privacy
Figure: sources of personal data: credit cards; organizations; loans & licenses; financial; permits; census; transportation data; regulatory; employment; environmental; subscriptions; education; purchases; phone; criminal record; complaints; fingerprints; medical records; grocery store scanner data.

Page 30: Cookies
Figure: exchange between the user PC and the Web server over time.
1. User PC: request page.
2. Web server: find page; send page and cookie.
3. User PC: display page, store cookie.
4. User PC: request new page and send cookie.
5. Web server: use cookie to identify user; send customized page.

Page 31: Misuse of Cookies: Third-Party Ads
Figure: the user PC requests a page from a useful Web site and receives the requested page (text and graphics plus a link to advertisements). That link fetches ads from a national ad Web site (Doubleclick.com), which returns the ads and a cookie; the ad request also carries any hidden prior cookie from that site.
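The cross-site linkage on this slide as an added simulation, not part of the original deck; the hosts news.example, shop.example and ads.example are made up and nothing here touches a network. It also shows the mitigation the slide implies: a browser that refuses to send a cookie to any host other than the page's own breaks the link between visits.

```python
# Constructed simulation of the page-31 flow: two unrelated sites embed ads
# from one ad network, and the network's cookie lets it tie the visits together.
from collections import defaultdict
from itertools import count


class AdServer:
    """Stands in for the national ad site: hands out one id, logs every visit."""
    def __init__(self):
        self._ids = count(1)
        self.profiles = defaultdict(list)      # cookie id -> pages seen

    def serve_ads(self, referring_page, prior_cookie):
        # "Hidden prior cookie": reuse the id if the browser sent one back.
        cookie = prior_cookie or f"uid{next(self._ids)}"
        self.profiles[cookie].append(referring_page)
        return "[Advertisements]", cookie


class Browser:
    """Keeps a cookie jar per host and decides whether to send a cookie."""
    def __init__(self, block_third_party=False):
        self.jar = {}
        self.block_third_party = block_third_party

    def visit(self, page_host, page_path, ad_server, ad_host):
        referring = f"{page_host}{page_path}"      # the useful page itself
        # The ad request is third party when its host is not the page host;
        # a browser that blocks third-party cookies neither sends nor stores one.
        blocked = self.block_third_party and ad_host != page_host
        ads, cookie = ad_server.serve_ads(referring, None if blocked else self.jar.get(ad_host))
        if not blocked:
            self.jar[ad_host] = cookie
        return ads


def cross_site_profile(block_third_party):
    """Visit two unrelated sites; return what the ad network could link."""
    network, browser = AdServer(), Browser(block_third_party)
    browser.visit("news.example", "/story", network, "ads.example")
    browser.visit("shop.example", "/cart", network, "ads.example")
    return dict(network.profiles)
```

Without blocking, one id accumulates both pages; with blocking, each visit gets a fresh id and the network sees two unrelated visitors.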

Page 32: Wireless Privacy
- Cell phones require connections to towers.
- E-911 laws require location capability.
- Many now come with integrated GPS units.
- Business could market to customers "in the neighborhood".
- Tracking of employees is already common.

Page 33: Privacy Problems
TRW, 1991:
- Norwich, VT
- Listed everyone as delinquent on property taxes
Terry Dean Rogan:
- Lost wallet
- Impersonator: 2 murders and 2 robberies
- NCIC database
- Rogan arrested 5 times in 14 months
- Sued and won $55,000 from LA
Employees:
- 26 million monitored electronically
- 10 million paid based on statistics
Jeffrey McFadden, 1989:
- SSN and DoB for William Kalin from military records
- Got fake Kentucky ID
- Wrote $6000 in bad checks
- Kalin spent 2 days in jail
- Sued McFadden, won $10,000
San Francisco Chronicle, 1991:
- Person found 12 others using her SSN
- Someone got 16 credit cards from another's SSN, charged $10,000
- Someone discovered unemployment benefits had already been collected by 5 others

Page 34: Privacy Laws
Minimal in the US:
- Credit reports: right to add comments; 1994: disputes settled in 30 days; 1994: some limits on access to data
- Bork Bill: can't release video rental data
- Educational data: limited availability
- 1994: limits on selling state/local data
- 2001: rules on medical data
Europe:
- France and some others have controls
- 1995 EU privacy controls

Page 35: Primary U.S. Privacy Laws
- Freedom of Information Act
- Family Educational Rights and Privacy Act
- Fair Credit Reporting Act
- Privacy Act of 1974
- Privacy Protection Act of 1980
- Electronic Communications Privacy Act of 1986
- Video Privacy Act of 1988
- Driver's Privacy Protection Act of 1994
- 2001 Federal Medical Privacy rules (not a law)

Page 36: Anonymity
Anonymous servers: http://www.zeroknowledge.com
- Dianetics church (L. Ron Hubbard) officials in the U.S. sued a former employee for leaking confidential documents over the Internet.
- He posted them through a Danish anonymous server. The church pressured police to obtain the name of the poster.
- The Zero Knowledge server is more secure.
Should we allow anonymity on the Internet?
- Protects privacy.
- Can encourage the flow of information: Chinese dissenters, government whistleblowers.
- Can be used for criminal activity.

Page 37: Cases: Healthcare

Page 38: Cases: Eli Lilly; Owens & Minor, Inc.
- What is the company's current status?
- What is the Internet strategy?
- How does the company use information technology?
- What are the prospects for the industry?
www.lilly.com
www.owens-minor.com

Page 39: Appendix: Digital Security Certificates
- Digital security certificates are used to encrypt e-mail and to authenticate the sender.
- Obtain a certificate from a certificate authority: Verisign; Thawte (owned by Verisign); Microsoft; your own company or agency.
- Install the certificate in Outlook.
- Select option boxes to encrypt or decrypt messages.
- Install certificates sent by your friends and co-workers.

Page 40: Obtaining a Certificate

Page 41: Installing a Certificate
1. Tools + Options + Security tab.
2. Choose your certificate.
3. Check these boxes to add your digital signature and to encrypt messages.
4. These boxes set the default choices. For each message, you can use the options to check or uncheck these boxes.

Page 42: Encrypting and Signing Messages
Use the Options button and the Security Settings button to make sure the Encrypt and Signature boxes are checked. Then the encryption and decryption are automatic.