Introduction to MIS Chapter 5 Computer Security Jerry Post Technology Toolbox: Assigning Security Permissions Technology Toolbox: Encrypting E-Mail?? Cases: Professional Sports
1. Introduction to MIS, Chapter 5: Computer Security
  • Jerry Post
  • Technology Toolbox: Assigning Security Permissions
  • Technology Toolbox: Encrypting E-Mail??
  • Cases: Professional Sports

2. Outline
  • How do you protect your information resources?
  • What are the primary threats to an information system?
  • What primary options are used to provide computer security?
  • What non-computer-based tools can be used to provide additional security?
  • How do you protect data when unknown people might be able to find it or intercept it? What additional benefits can be provided by encryption?
  • How do you prove the allegations in a computer crime?
  • What special security problems arise in e-commerce?

3. Computer Security
  Diagram labels: Server attacks + physical dangers; The Internet; Data interception + external attackers; Monitoring/Spyware; Internal + Privacy.

4. Threats to Information
  • Accidents & Disasters
  • Employees & Consultants
  • Business Partnerships
  • Outside Attackers
  • Viruses & Spyware
  • Direct attacks & Scripts
  Diagram labels: Links to business partners; Virus hiding in e-mail or Web site; Employees & Consultants; Outside hackers.

5. Security Categories
  • Physical attack & disasters: Backup--off-site; Physical facilities; Cold/Shell site; Hot site; Disaster tests; Personal computers; Continuous backup
  • Logical: Unauthorized disclosure; Unauthorized modification; Unauthorized withholding, Denial of Service; Confidentiality, Integrity, Accessibility (CIA)
  • Behavioral: Users give away passwords; Users can make mistakes; Employees can go bad

6. Horror Stories
  • Security Pacific--Oct. 1978: Stanley Mark Rifkin; Electronic Funds Transfer; $10.2 million; Switzerland; Soviet Diamonds; Came back to U.S.
  • Robert Morris--1989: Graduate Student; Unix Worm; Internet--tied up for 3 days
  • Clifford Stoll--1989: The Cuckoo's Egg; Berkeley Labs; Unix--account not balance; Monitor, false information; Track to East German spy: Marcus Hess
  • Hacker/youngster: Seattle: Physically stole some computers and was arrested. Sentenced to prison, scheduled to begin in 2 months. Decides to hack the computer system and change sentence to probation. Hacks Boeing computers to launch attack on court house. Mistakenly attacks Federal court instead of State court. Gets caught again, causes $75,000 damages at Boeing.
  • Old Techniques: Salami slice; Bank deposit slips; Trojan Horse; Virus

7. More Horror Stories
  • TJ Max (TJX) 2007: A hacker gained access to the retailer's transaction system and stole credit card data on millions of customers. The hacker gained access to unencrypted card data. The hacker most likely also had obtained the decryption key. TJX was sued by dozens of banks for the costs incurred in replacing the stolen cards. (2011) Hackers were arrested and sentenced. One (Albert Gonzalez) had been working as a consultant to federal law enforcement.
  • Alaska State Fund 2007: Technician accidentally deleted Alaska oil-revenue dividend data file. And deleted all backups. 70 people worked overtime for 6 weeks to re-enter the data at a cost of $220,000.
  • Terry Childs, San Francisco Network Engineer: In 2008 refused to tell anyone the administrative passwords for the city network. The networks remained running, but could not be monitored or altered. He eventually gave them to the Mayor, but was convicted.
  Sources: NY Times; Rolling Stones; Govt Tech.

8. Disaster Planning (older)
  • Backup data
  • Recovery facility
  • A detailed plan
  • Test the plan
  Diagram labels: Backup/Safe storage; Recovery Facility; MIS Employees; Network; Business/Operations.

9. Data Backup (in-house/old style)
  • Use the network to back up PC data.
  • Use duplicate mirrored servers for extreme reliability.
  • Frequent backups enable you to recover from disasters and mistakes.
  • Offsite backups are critical.
  Diagram labels: Power company; UPS; Diesel generator.

10. Disaster Planning (continuous)
  • How long can company survive without computers?
  • Backup is critical
  • Offsite backup is critical
  • Levels: RAID (multiple drives); Real time replication; Scheduled backups and versions
  • Not just data but processing: Offsite, duplicate facilities; Cloud computing
  • Still challenges with personal computer data

11. Continuous Backup
  Diagram labels: Secure Internet connection; Server cluster with built-in redundancy; Storage area network with redundancy and RAID; Off-site or cloud computing processing and data; Users connect to the servers.
  • Use both sites continuously or switch DNS entries to transfer users in a disaster.

12. Threats to Users
  • Attacker takes over computer: Virus/Trojan; Phishing; Unpatched computer/known holes; Intercepted wireless data
  • Bad outcomes: Lost passwords, impersonation, lost money; Stolen credit cards, lost money; Zombie machine, attacks others; Commits crimes blamed on you

13. Virus/Trojan Horse
  Diagram: e-mail (From: afriend, To: victim, Message: "Open the attachment for some excitement.") carrying an attachment that contains virus code.
  1. User opens an attached program that contains hidden virus
  2. Virus copies itself into other programs on the computer
  3. Virus spreads to other files and other computers.

14. Spyware
  Diagram labels: hacker; Capture keystrokes; Password; Credit card; Password.
  • Viruses used to delete your files. Now they become spyware and steal your data, passwords, and credit cards.

15. Stopping a Virus/Trojan Horse
  • Backup your data!
  • Never run applications unless you are certain they are safe.
  • Never open executable attachments sent over the Internet--regardless of who mailed them.
  • Antivirus software: Scans every file looking for known bad signatures; Needs constant updating; Rarely catches current viruses; Can interfere with other programs; Can be expensive; Can usually remove a known virus

16. Phishing: Fake Web Sites
  Diagram: E-mail ("Bank account is overdrawn. Please click here to login.") leads to a really good fake of your bank's Web site. You are tired and click the link and enter username/password. Username and password are sent to hacker who steals your money.

17. Avoiding Phishing Attacks
  • Never give your login username and password to anyone. Systems people do not need it.
  • Be extremely cautious about bank sites and avoid clicking any links that are sent by e-mail.
  • Always double-check the URL of the site and the browser security settings.

18. Two-step Process often used by Banks
  Diagram labels: Real bank site; Username; URL; Security indicators; Image or phrase you created earlier; Password.
  • After checking the URL, security indicators, and the image or phrase you entered when you opened the account, it is safe to enter your password.

19. Patching Software
  Timeline labels: Researchers find bug; Vendor announces patch; Hacker attacks your computer when you go to a Web site; You should update immediately.
  • Zero-day attack. Hacker finds bug/hole first. Everyone is vulnerable.

20. Unpatched Computer/Known Holes
  • Researchers and vendors find bugs in programs.
  • Vendors fix the programs and release updates.
  • Bugs enable attackers to create files and Web sites that overwrite memory and let them take over a computer. Even with images and PDF files.
  • Attackers learn about holes and write scripts that automatically search for unpatched computers.
  • Thousands of people run these scripts against every computer they can find on the Internet.
  • You forget to update your computer.
  • Someone takes over your computer.
  Sources: 2008, SFGate, 95% of computers need updates (online). 2011, RSA/Computerworld, 80% of browsers need updates (online).

21. Update Your Software
  • O/S: Microsoft (and Apple): Set security system to auto-update. But laptops are often turned off. Microsoft "patch Tuesday" so manually check on Wednesday or Thursday.
  • Browsers: Some patched with operating system. Others use Help/About. Check add-ins: Java, Flash, Acrobat.
  • Applications: Check with vendor Web site. Try Help/About.
  • Monitor your network usage. Botnet software and viruses can flood your network. Slowing down traffic. Exceeding your Internet data caps.

22. Internet Data Transmission
  Diagram labels: Start; Intermediate Routers; Eavesdropper; Destination.

23. Intercepted Wireless Communications
  • Hacker installs software to capture all data traffic on the wireless network. (e.g., Firesheep)
  • Browser cookies from the server are rarely encrypted and can be captured to impersonate you on your Web service accounts.

24. Protect Wireless Transmissions
  • Never use public wireless for anything other than simple Web surfing?
  • Use virtual private network (VPN) software which encrypts all transmissions from your computer to their server?
  • Encourage Web sites to encrypt all transmissions?
  • Most options have drawbacks today (2011).
  • Warning: Firesheep is extremely easy to use and it is highly likely someone is running it on any public network you use.
  • Eventually, it is likely that all Internet connections will have to use end-to-end encryption for all communication. (Which is the point of the author of Firesheep.)

25. Common Web Encryption: Login only
  Diagram labels: User; Server; Initial page, encryption keys; Username/password (encrypted); Cookie/identifier (Not encrypted); Intercepted; Eavesdropper; hacker; Hijacked session.
  • Session and additional pages not encrypted. With unencrypted cookie/identifier.

26. Fundamental Issue: User Identification
  • Passwords: Dial up service found 30% of people used same word; People choose obvious; Post-It notes
  • Hints: Don't use real words; Don't use personal names; Include non-alphabetic; Change often; Use at least 8 characters; Don't use the same password everywhere; But then you cannot remember the passwords!
  • Alternatives: Biometrics: Finger/hand print; Voice recognition; Retina/blood vessels; Iris scanner; DNA ?
  • Password generator cards
  • Comments: Don't have to remember; Reasonably accurate; Price is dropping; Nothing is perfect

27. Bad Passwords
  Some hackers have released stolen and cracked password files. Analysis reveals the most common passwords, which are also in a list used by hackers. Do not use these as your password!
  Example source: Ashlee Vance, "If Your Password Is 123456, Just Make It HackMe," The New York Times, January 20, 2010.

   1. 123456       11. nicole      21. Iloveu
   2. 12345        12. daniel      22. michelle
   3. 123456789    13. babygirl    23. 111111
   4. password     14. monkey      24. 0
   5. iloveyou     15. jessica     25. Tigger
   6. princess     16. lovely      26. password1
   7. rockyou      17. michael     27. sunshine
   8. 1234567      18. ashley      28. chocolate
   9. 12345678     19. 654321      29. anthony
  10. abc123       20. qwerty      30. Angel
                                   31. FRIENDS
                                   32. soccer

28. Iris Scan
  • Panasonic
  • http://www.eyeticket.com/eyepass/index.html
  • http://www.iridiantech.com/questions/q2/features.html
  • Algorithm patents by JOHN DAUGMAN 1994, http://www.cl.cam.ac.uk/~jgd1000/

29. Biometrics: Thermal
  Several methods exist to identify a person based on biological characteristics. Common techniques include fingerprint, handprint readers, and retinal scanners. More exotic devices include body shape sensors and this thermal facial reader which uses infrared imaging to identify the user.

30. Lack of Biometric Standards
  • Biometrics can be used for local logins. Which can be used within a company.
  • But, no standards exist for sharing biometric data or using them on Web sites.
  • And do you really want every minor Web site to store your biometric fingerprints?

31. Access Controls: Permissions in Windows
  • Find the folder or directory in explorer.
  • Right-click to set properties.
  • On the Security tab, assign permissions.

32. Security Controls
  • Access Control: Ownership of data; Read, Write, Execute, Delete, Change Permission, Take Ownership
  • Security Monitoring: Access logs; Violations; Lock-outs

  Resource/Files:
  Users        Balance Sheet   Marketing Forecast
  Accounting   Read/write      Read
  Marketing    Read            Read/Write
  Executive    Read            Read

33. Single sign-on
  Diagram labels: User login; Security Server (Kerberos, RADIUS); Request access; validate; Database; Web server.

34. Encryption: Single Key
  Diagram: Plain text message, AES with Key: 9837362, Encrypted text, AES with Key: 9837362, Plain text message. Single key: e.g., AES.
  • Encrypt and decrypt with the same key: How do you get the key safely to the other party? What if there are many people involved?
  • Fast encryption and decryption
  • DES - old and falls to brute force attacks
  • Triple DES - old but slightly harder to break with brute force.
  • AES - new standard

35. Encryption: Dual Key
  Diagram labels: Alice (Private Key 13); Bob (Private Key 37); Public Keys: Alice 29, Bob 17; Message; Encrypted; Use Bob's Public key; Use Bob's Private key.
  • Alice sends message to Bob that only he can read.

36. Dual Key: Authentication
  Diagram labels: Alice (Private Key 13); Bob (Private Key 37); Public Keys: Alice 29, Bob 17; Message; Message+A; Message+A+B; Transmission; Message+B; Use Alice's Private key; Use Bob's Public key; Use Bob's Private key; Use Alice's Public key.
  • Alice sends a message to Bob
  • Her private key guarantees it came from her.
  • His public key prevents anyone else from reading message.

37. Certificate Authority
  • How does Bob know that it is really Alice's key?
  • Trust the C.A.
  • C.A. validate applicants
  • Imposter could sign up for a public key.
  • Need trusted organization.
  • Several public companies, with no regulation.
  • Verisign mistakenly issued a certificate to an imposter claiming to work for Microsoft in 2001.
  • Browser has list of trusted root authorities.
  • Eve could impersonate Alice to obtain a digital key and send false messages that seem to come from Alice.
  Diagram labels: Public key; Public Keys: Alice 29, Bob 17; Alice; Eve.

38. Encryption Summary
  • Encryption prevents people from reading or changing data.
  • Dual-key encryption can be used to digitally sign documents and authenticate users.
  • Encryption does not solve all problems. Data can still be deleted. Hackers might get data while it is unencrypted. People can lose or withhold keys or passwords.
  • Brute force can decrypt data with enough processing power. Difficult if the keys are long enough. But computers keep getting faster. Connecting a few million together is massive time reduction. Quantum computing if developed could crack existing encryption methods.

39. Clipper Chip: Key Escrow
  Diagram labels: Clipper chip in phones; Encrypted conversation; Intercept; Escrow keys; Judicial or government office; Decrypted conversation.

40. Additional Controls
  • Audits
  • Monitoring
  • Background checks: http://www.lexisnexis.com/risk (bought ChoicePoint); http://www.knowx.com/ (also lexis nexis); http://www.casebreakers.com/; http://www.publicdata.com/

41. Computer Forensics
  Diagram labels: Original drive; Exact copy.
  • Write blocker: Physically prevent data from being altered on the original drive.
  • Software: Verify copy. Tag/identify files. Scan for key words. Recover deleted files. Identify photos. Attempt to decrypt files.
  • Time sequence: Browser history; File activity; Logs

42. Securing E-Commerce Servers
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for passwords.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need to know.
  8. Assign a unique id to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.
  https://www.pcisecuritystandards.org/

43. Internet Firewall
  Diagram labels: Internal company data servers; Company PCs; Internet.
  • Firewall router: Keeps local data from going to Web servers.
  • Firewall router: Examines each packet and discards some types of requests.

44. Firewalls: Rules
  • Packet attributes: IP source address; IP destination address; Port source and destination; Protocol (TCP, UDP, ICMP)
  • Rules based on packet attributes
  • Allow: all IP source, Port 80 (Web server)
  • Disallow: Port 25 (e-mail), all destinations except e-mail server.
  • Internet by default allows almost all traffic.
  • Firewalls usually configured to block all traffic, and allow only connections to specific servers assigned to individual tasks.
  Diagram label: Allowed packets.

45. Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)
  • Collect packet info from everywhere
  • IDS/IPS: Analyze packet data in real time. Rules to evaluate potential threats.
  • IPS: Reconfigure firewalls to block IP addresses evaluated as threats.
  Diagram label: Company PCs.

46. Denial Of Service
  • Coordinated flood attack.
  • Targeted server.
  • Break in. Flood program.
  • Zombie PCs at homes, schools, and businesses. Weak security.

47. Denial of Service Actions
  • Hard for an individual company to stop DoS: Can add servers and bandwidth. Use distributed cloud (e.g., Amazon EC2). But servers and bandwidth cost money.
  • Push ISPs to monitor client computers: At one time, asked them to block some users. Increasingly, ISPs impose data caps so users have a financial incentive to keep their computers clean.
  • Microsoft Windows has anti-spyware tools to remove some of the known big threats.

48. Cloud Computing and Security
  • Cloud providers can afford to hire security experts.
  • Distributed servers and databases provide real-time continuous backup.
  • Web-based applications might need increased use of encryption.
  • But, if you want ultimate security, you would have to run your own cloud.

49. Privacy
  • Tradeoff between security and privacy
  • Security requires the ability to track many activities and users.
  • People want to be secure but they also do not want every company (or government agency) prying into their lives
  • Businesses have an obligation to keep data confidential
  • More details in Chapter 14

50. Technology Toolbox: Security Permissions
  1. If Windows XP, Tools/Folder Options, Advanced, uncheck Use simple file sharing
  2. Create groups and users (or pull from network definitions when available)
  3. Start menu/All Programs/Administrative Tools/Computer Management or Start/Run: compmgmt.msc /s
  4. Add users and groups
  5. Find folder, right-click, Sharing and Security, Permissions, remove Everyone, Add the new group with Read permission

51. Quick Quiz: Assigning Security Permissions
  1. Why is it important to define groups of users?
  2. Why is it important to delete this test group and users when you are finished?

52. Technology Toolbox: Encrypting Files
  1. Microsoft Office: Save with a Password: File/Info/Save with Password. Single key.
  2. Install security certificates to encrypt e-mail (challenging).
  3. Laptop and USB drives: Windows 7: BitLocker complete encryption. Best if the computer has a TPM: Trusted Platform Module to hold the encryption keys.

53. Quick Quiz: Encryption
  1. Why would a business want to use encryption?
  2. When would it be useful to set up dual-key encryption for e-mail?
  3. In a typical company, which drives should use drive-level encryption?

54. Cases: Professional Sports
  • Football, Basketball, Baseball
  • How do you keep data secure?
  • Imagine the problems if one team steals playbook data from another.
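
Added example for slide 25 (Common Web Encryption: Login only), not part of the original slides: it shows which page requests carry the session cookie over plain HTTP when the cookie lacks the Secure attribute, and why the hardened cookie only works if every page is served over HTTPS. The host shop.example, the cookie values and the simplification that all URLs belong to one host are assumptions.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header_value):
    """Split a Set-Cookie value into name, value and lower-cased attribute names."""
    first, *rest = [part.strip() for part in header_value.split(";")]
    name, _, value = first.partition("=")
    attrs = {part.partition("=")[0].strip().lower() for part in rest if part}
    return {"name": name, "value": value, "attrs": attrs}

def cleartext_exposures(header_value, visited_urls):
    """URLs on which a browser would send this cookie over unencrypted HTTP.

    Without the Secure attribute the cookie is attached to http:// requests
    to the same host, so anyone capturing the traffic can read and replay it.
    """
    cookie = parse_set_cookie(header_value)
    if "secure" in cookie["attrs"]:
        return []  # the browser withholds a Secure cookie from plain HTTP
    return [u for u in visited_urls if urlsplit(u).scheme == "http"]

def session_survives(header_value, visited_urls):
    """True if every visited page would still receive the session cookie."""
    cookie = parse_set_cookie(header_value)
    if "secure" not in cookie["attrs"]:
        return True
    return all(urlsplit(u).scheme == "https" for u in visited_urls)

# Constructed sample data (hypothetical site and cookie values).
LOGIN_ONLY_SITE = [
    "https://shop.example/login",    # only the login page is encrypted
    "http://shop.example/cart",
    "http://shop.example/account",
]
ALL_HTTPS_SITE = [u.replace("http://", "https://") for u in LOGIN_ONLY_SITE]
WEAK_COOKIE = "sid=3f9a1c; Path=/"
HARDENED_COOKIE = "sid=3f9a1c; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for label, cookie, urls in [
        ("weak cookie, login-only HTTPS", WEAK_COOKIE, LOGIN_ONLY_SITE),
        ("hardened cookie, login-only HTTPS", HARDENED_COOKIE, LOGIN_ONLY_SITE),
        ("hardened cookie, HTTPS everywhere", HARDENED_COOKIE, ALL_HTTPS_SITE),
    ]:
        print(label, "| exposed:", cleartext_exposures(cookie, urls),
              "| session works:", session_survives(cookie, urls))
```

Setting Secure alone breaks the session on the unencrypted pages, which is why the fix is to encrypt all pages, as slide 24 suggests.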
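
Added example for slide 44 (Firewalls: Rules), not part of the original slides: a first-match rule evaluator over the packet attributes the slide lists, using the slide's two rules and comparing the default-deny policy with a default-allow one. The server addresses, the sample packets and all names in the code are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

WEB_SERVER = "192.0.2.80"    # assumed addresses (documentation range)
MAIL_SERVER = "192.0.2.25"
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str
    src: str                  # CIDR block
    dst: str                  # CIDR block
    dst_port: Optional[int]   # None matches any port

    def matches(self, pkt):
        return (self.proto == pkt.proto
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.dst_port in (None, pkt.dst_port))

# First match wins, so the mail-server exception sits above the port 25 deny.
RULES = [
    Rule("allow", "tcp", ANY, WEB_SERVER + "/32", 80),
    Rule("allow", "tcp", ANY, MAIL_SERVER + "/32", 25),
    Rule("deny", "tcp", ANY, ANY, 25),
]

def decide(pkt, rules=RULES, default="deny"):
    """Return the action of the first matching rule, else the default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

def admitted_only_by_default_allow(packets, rules=RULES):
    """Packets that no rule mentions: passed by default-allow, blocked by default-deny."""
    return [p for p in packets
            if decide(p, rules, "allow") == "allow"
            and decide(p, rules, "deny") == "deny"]

# Constructed sample traffic.
SAMPLE = [
    Packet("203.0.113.5", WEB_SERVER, "tcp", 80),       # web request
    Packet("203.0.113.5", MAIL_SERVER, "tcp", 25),      # mail to the mail server
    Packet("203.0.113.5", "192.0.2.10", "tcp", 25),     # mail to a company PC
    Packet("203.0.113.5", "192.0.2.10", "tcp", 3389),   # service no rule mentions
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, "->", decide(pkt))
    print("needs default-deny:", admitted_only_by_default_allow(SAMPLE))
```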