Top Banner

Click here to load reader

of 54


Nov 29, 2014




  • 1. Introduction to MIS Chapter 5 Computer Security Jerry PostTechnology Toolbox: Assigning Security PermissionsTechnology Toolbox: Encrypting E-Mail??Cases: Professional Sports

2. Outline How do you protect your informationresources? What are the primary threats to an informationsystem? What primary options are used to providecomputer security? What non-computer-based tools can be used toprovide additional security? How do you protect data when unknown peoplemight be able to find it or intercept it? Whatadditional benefits can be provided byencryption? How do you prove the allegations in acomputer crime? What special security problems arise in e-commerce? 3. Server AttacksComputer Security+ Physical Dangers The InternetData interception+ external attackers Monitoring/Internal + Privacy Spyware 4. Threats to Information Accidents & Disasters Employees & Consultants Business Partnerships Outside Attackers Viruses & Spyware Direct attacks & ScriptsLinks to business partnersVirus hidingin e-mail orWeb site.Employees & Consultants Outsidehackers 5. Security Categories Physical attack & Logicaldisasters Unauthorized disclosure Backup--off-site Unauthorized modification Physical facilities Unauthorized Cold/Shell sitewithholding, Denial of Hot site Service Disaster tests Personal computers Confidentiality, Continuous backupIntegrity, Accessibility (CIA) Behavioral Users give awaypasswords Users can makemistakes Employees can go bad 6. Horror Stories Security Pacific--Oct. 1978 Robert Morris--1989 Stanley Mark Rifkin Graduate Student Electronic Funds Transfer Unix Worm $10.2 million Internet--tied up for 3 days Switzerland Clifford Stoll--1989 Soviet Diamonds The Cuckoos Egg Came back to U.S. Berkeley Labs Hacker/youngster: Seattle Unix--account not balance Physically stole some computers and Monitor, false informationwas arrested Track to East German spy: Marcus Sentenced to prison, scheduled to Hessbegin in 2 months Old Techniques Decides to hack the computer systemand change sentence to probation Salami slice Hacks Boeing computers to launch Bank deposit slipsattack on court house Trojan Horse Mistakenly attacks Federal court Virusinstead of State court Gets caught again, causes $75,000damages at Boeing 7. More Horror Stories TJ Max (TJX) 2007 Alaska State Fund 2007 A hacker gained access to Technician accidentally the retailers transaction deleted Alaska oil-revenue system and stole credit card dividend data file. data on millions of And deleted all backups. customers. 70 people worked overtime The hacker gained access tofor 6 weeks to re-enter the unencrypted card data. data at a cost of $220,000. The hacker most likely also Terry Childs, San Francisco had obtained the decryption key. Network Engineer TJX was sued by dozens of In 2008 refused to tell banks for the costs incurred anyone the administrative in replacing the stolen cards. passwords for the citynetwork (2011) Hackers were arrested and sentenced. One The networks remained (Albert Gonzalez) had been running, but could not be working as a consultant to monitored or altered. federal law enforcement. He eventually gave them tothe Mayor, but wasNY TimesRolling StonesGovt Techconvicted. 8. Disaster Planning (older) Backup dataBackup/Safe storage Recovery Facility Recovery facility A detailed plan Test the planMIS Employees NetworkBusiness/Operations 9. Data Backup (in-house/old style)PowercompanyUse the network toback up PC data. Use duplicate mirrored servers for extreme reliability.UPS Frequent backups enableDiesel generator you to recoverOffsite backups from disasters are critical. and mistakes. 10. Disaster Planning (continuous) How long can company survive without computers? Backup is critical Offsite backup is critical Levels RAID (multiple drives) Real time replication Scheduled backups and versions Not just data but processing Offsite, duplicate facilities Cloud computing Still challenges with personal computer data 11. Continuous BackupSecure Internetconnection Storage area Off-site or cloud network with computingServer cluster redundancy processing and datawith built-inand RAIDUse both sitesredundancycontinuously or switchDNS entries to transferusers in a disaster. Users connect to the servers 12. Threats to Users Attacker takes over computer Virus/Trojan Phishing Unpatched computer/known holes Intercepted wireless data Bad outcomes Lost passwords, impersonation, lostmoney Stolen credit cards, lost money Zombie machine, attacks others Commits crimes blamed on you 13. Virus/Trojan HorseFrom: afriendTo: victim 2 3Message: Open 1the attachmentfor someexcitement. 1. User opens an attached program that contains hidden virus Attachment 2. Virus copies itself into other programs on the computer 01 23 05 06 77 033. Virus spreads to other files and 3A 7F 3C 5D 83 94 other computers. 19 2C 2E A2 87 62 02 8E FA EA 12 79 54 29 3F 4F 73 9F Virus code 14. SpywarehackerCapturekeystrokes PasswordViruses used to delete your files. Now they become Credit card spyware and steal your data, passwords, and credit cards. Password 15. Stopping a Virus/Trojan Horse Backup your data! Never run applications unless you are certainthey are safe. Never open executable attachments sentover the Internet--regardless of who mailedthem. Antivirus software Scans every file looking for known badsignatures Needs constant updating Rarely catches current viruses Can interfere with other programs Can be expensive Can usually remove a known virus 16. Phishing: Fake Web SitesE-mailReally good fake ofBankaccount is your banks clickhere to login.Sent to hacker who steals yourUsername money.PasswordYou are tired and click the link and enter username/password. 17. Avoiding Phishing Attacks Never give your login username andpassword to anyone. Systems peopledo not need it. Be extremely cautious about banksites and avoid clicking any links thatare sent by e-mail. Always double-check the URL of thesite and the browser security settings. 18. Two-step Process often used byBanksReal bank siteUsername URL Security indicatorsPassword Image or phrase you created earlier After checking the URL, Password: security indicators, and the image or phrase you entered when you opened the account, it is safe to enter your password. 19. Patching SoftwareVendorHacker attacks your Researchersannounces computer when you go find bug patch to a Web site timeYou shouldupdateimmediatelyZero-day attack.Hacker finds bug/hole first.Everyone is vulnerable. 20. Unpatched Computer/Known HolesResearchers andBugs enable attackers Attackers learn aboutvendors find bugs in to create files and holes and write scriptsprograms.Web sites thatthat automatically overwrite memory andsearch for unpatchedVendors fix thelet them take over acomputers.programs and release computer. Even withupdates. images and PDF files. Thousands of people run these scripts against every computer they can findYou forget to update on the Internet.your computer. Someone takes over your computer.2008, SFGate, 95% of computers need updates (online)2011, RSA/Computerworld, 80% of browsers need updates (online) 21. Update Your Software O/S: Microsoft (and Apple) Set security system to auto-update. But laptops are often turned off. Microsoft patch Tuesday so manually check on Wednesday orThursday. Browsers Some patched with operating system. Others use Help/About. Check add-ins: Java, Flash, Acrobat, Applications Check with vendor Web site. Try Help/About. Monitor your network usage. Botnet software and viruses can flood your network. Slowing down traffic. Exceeding your Internet data caps. 22. Internet Data Transmission EavesdropperDestinationIntermediateRoutersStart 23. Intercepted WirelessCommunicationsHacker installssoftware tocapture all datatraffic on thewireless network.(e.g., Firesheep)Browser cookies from the server are rarelyencrypted and can be captured to impersonateyou on your Web service accounts. 24. Protect Wireless Transmissions Never use public wireless for anything other thansimple Web surfing? Use virtual private network (VPN) software whichencrypts all transmissions from your computer totheir server? Encourage Web sites to encrypt alltransmissions? Most options have drawbacks today (2011). Warning: Firesheep is extremely easy to use andit is highly likely someone is running it on anypublic network you use. Eventually, it is likely that all Internet connectionswill have to use end-to-end encryption for allcommunication. (Which is the point of the authorof Firesheep.) 25. Common Web Encryption: Login onlyInitial page, encryption keysUsername/password(encrypted)ServerCookie/identifier(Not encrypted)Session and additional pages Hijackednot encrypted. Withsessionunencrypted cookie/identifier.InterceptedUserEavesdropperhacker 26. Fundamental Issue: UserIdentification Passwords Alternatives: Biometrics Dial up service found 30% of Finger/hand printpeople used same word Voice recognition People choose obvious Retina/blood vessels Post-It notes Iris scanner DNA ? Hints Password generator cards Dont use real words Comments Dont use personal names Dont have to remember Include non-alphabetic Reasonably accurate Change often Price is dropping Use at least 8 characters Nothing is perfect Dont use the samepassword everywhere But then you cannotremember the passwords! 27. Bad PasswordsSome hackers have released stolen and cracked password files. Analysis reveals the most common passwordswhich are also in a list used by hackers. Do not use these as your password! Example source: Ashlee Vance, If Your Password Is 123456, Just Make It HackMe, The New York Times, January 20, 2010.1.12345611. nicole21. Iloveu2.12345 12. daniel22. michelle3.123456789 13. babygirl23. 1111114.password14. monkey24. 05.iloveyou15. jessica 25. Tigger6.princess16. lovely26. password17.rockyou 17. michael 27. sunshine8.1234567 18. a