Ethical & Social Implications Information Security
Overview
• The security environment in which the information systems will operate includes assets, threats, and security measures.
• There are four basic categories of corporate assets: physical, intellectual (software), personnel, transactions and services.
What is Security?
• Authentication
  • Is someone who he or she says he or she is?
  • Is some object (such as a program) what it says it is?
  • Does a message come from where it says it comes from?
  • Can someone deny something he or she did (nonrepudiation)?
What is Security?
• Authorization
  • What is a specific person or group of people allowed to do?
  • What is a specific program allowed to do?
What is Security?
• Encryption
  • Who is allowed to see what information?
What is Security?
• System Protection
  • Virus protection
  • Firewalls and proxies
  • DoS (denial of service)
  • Minimize accidental failures
Industry with most threats • Database software developers in the banking and finance industries reported more security breaches than database developers in any other industry polled in a recent survey.
Most vulnerable industries:
• 27 percent of the developers surveyed in the banking and financial services industries said they had experienced a security breach in the past year.
• 18 percent of database developers in the medical and health care and telecommunications industries said they had experienced a security breach.
• 12 percent in electronic commerce and other Internet companies experienced breaches.
• 9 percent in the government and military sector.
Top Vulnerabilities That Affect All Systems
• Default installs of operating systems and applications
• Accounts with no passwords or weak passwords
• Non-existent or incomplete backups
• Large number of open ports
• Not filtering packets for correct incoming and outgoing addresses
• Non-existent or incomplete logging
Types of security breaches • Security breaches are classified under three general definitions: a computer virus, a human error, or an unauthorized break-in.
Types of Security Breaches
• Theft of assets
• Improper use of assets
• Use of assets for other than business purposes
• Unauthorized disclosure of information
• Intentional corruption of intellectual assets
Computer viruses • Computer viruses caused companies an average of $61,729 last year, according to the Computer Security Institute. Denial of service attacks cost companies an average of $108,717. The total annual loss last year for all forms of computer crime? More than $265 million.
Types of Threats
• Internal
  • Intentional
  • Unintentional
• External
• Most people believe that the origin of security events and loss comes from evil hackers, but by far the largest number and impact of security-related events originate within the organization.
Human threats are caused by:
• careless people who leave their passwords with peers or use easy-to-crack passwords, or insert incorrect data into a database or programs.
• dishonest people who insert false, incorrect information into the information system and computer programs, take advantage of flaws in manual or computerized procedures, take advantage of access to privileged information, or infect the information infrastructure with viruses.
• disgruntled employees who destroy computer programs, pass user passwords to strangers, or corrupt system information.
• hackers who read sensitive information through remote access, replicate and disseminate sensitive information, intercept sensitive information, and infect information with viruses.
Example: Theft and distribution to unauthorized persons
According to court documents, Turner and Williams each admitted that while employed by Chase Financial Corporation they knowingly and with the intent to further a scheme to defraud Chase Manhattan Bank and Chase Financial Corporation, accessed one or more computer systems without authorization or in excess of their authorized access on said computer systems, thereby obtaining credit card account numbers and other customer account information pertaining to approximately 68 accounts, which they were not authorized to access in connection with their duties at Chase Financial Corporation. They admitted that the aggregate credit limits for the targeted accounts totaled approximately $580,700.00. They further admitted that after fraudulently obtaining said information, they distributed and transmitted it to one or more individuals via facsimile transmission, who, in turn, used the credit card accounts and other financial information to fraudulently obtain goods and services valued at approximately $99,636.08, without the knowledge or consent of the account holders, Chase Manhattan Bank or Chase Financial Corporation.
Example: Intentional corruption
On February 1, 2002, EITELBERG stopped working at MP. On April 11, 2002, an MP employee accessed the MP database containing customer orders, and found that the records of all of MP's orders had disappeared. The computer records at MP allegedly indicated that an individual accessed the MP computer system using a password from at or about 9:21 P.M. until at or about 9:46 P.M. on April 10, 2002, and that orders in the database were deleted during this computer session. Phone records indicated that between February 27, 2002, more than three weeks after EITELBERG stopped work at MP, and April 10, 2002, the phone line registered to the wife of EITELBERG, and located at the EITELBERG residence, was used to call MP's modem connection approximately 13 times, including the call made at or about 9:24 P.M. on April 10, 2002.
Example: Disgruntled Employee
As CTO, BLUM had access to all computer system passwords and information necessary to operate Askit's computer networks. Shortly after BLUM's departure from the company, Askit began to experience computer and telephone voicemail problems. In addition, the President received an e-greeting card containing an image of a box which displayed a voodoo doll with skeleton-like features. The doll had pins stuck through the doll's body and was wearing a name tag which identified the doll as being the President. In April 2002, messages were posted on the portion of Askit's web site devoted to answering customer questions containing statements such as "You are doomed!" and "die." The message "die" was posted from an e-mail address associated with the defendant. On April 29, 2002, Askit's President received an e-mail message from a person not known to him telling the President to "say goodbye to anyone who pretends to care about you" and this message was traced to a computer at BLUM's present place of employment.
Example: "Melissa" creator
David L. Smith, 34, was ordered to serve three years of supervised release after completion of his prison sentence and was fined $5,000. U.S. District Judge Greenaway further ordered that, upon release, Smith not be involved with computer networks, the Internet or Internet bulletin boards unless authorized by the Court and he must serve 100 hours of community service that would somehow put Smith's technology experience to beneficial use.
Example: Program corruption
NEWARK - A former computer network administrator was sentenced to 41 months in prison for unleashing a $10 million "time bomb" that deleted all the production programs of a New Jersey-based high-tech measurement and control instruments manufacturer. At the time of conviction, the case was believed to be one of the most expensive computer sabotage cases in U.S. Secret Service history.
Software issues: Buffer overflow
• The security holes exploited by Code Red and Nimda, worms that experts said had the potential to knock the entire Internet offline, were long-standing vulnerabilities in Microsoft IIS Web Server caused by a common coding error: the buffer overflow.
• A buffer overflow occurs when a program writes more data into a fixed-size region of memory than that region can hold, so the excess spills over into adjacent memory, often with unpredictable results.
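The coding error described above, shown beside its fix as an added illustration (this is example code written for this page, not code from IIS or from the worms it mentions; the `struct request` layout and the 16-byte `path` buffer are constructed for the demonstration):

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed-size buffer with another field right after it. */
struct request {
    char path[16];      /* fixed-size buffer: room for 15 characters plus NUL */
    int  authenticated; /* adjacent in memory; an overflow of 'path' lands here */
};

/* Vulnerable pattern: strcpy copies until it finds the source's NUL, so a
 * path longer than 15 bytes overruns 'path' and overwrites whatever follows,
 * which is the "spills into adjacent memory" the slide describes.
 * Kept only to show the defect; do not call it with untrusted input. */
void set_path_unsafe(struct request *r, const char *src) {
    strcpy(r->path, src);
}

/* Hardened form: measure the input without reading past the buffer's
 * capacity, refuse anything that would not fit (including the NUL), and
 * leave the struct untouched on rejection. Returns 0 on success, -1 if rejected. */
int set_path_safe(struct request *r, const char *src) {
    size_t cap = sizeof r->path;
    const char *end = memchr(src, '\0', cap); /* NUL within the first 'cap' bytes? */
    if (end == NULL) {
        return -1; /* 16 or more bytes before NUL: would overflow, reject */
    }
    memcpy(r->path, src, (size_t)(end - src) + 1); /* copy including the NUL */
    return 0;
}

int main(void) {
    struct request r = { "", 0 };
    /* Constructed inputs: one that fits, one 32 bytes long that does not. */
    const char *ok  = "/index.html";
    const char *bad = "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
    printf("%s -> %d\n", ok, set_path_safe(&r, ok));
    printf("%s -> %d (rejected; authenticated still %d)\n",
           bad, set_path_safe(&r, bad), r.authenticated);
    return 0;
}
```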
Application Security
• Database security is critical, but strong application security is equally important.
• Application security flaws are usually introduced early in the design cycle.
Top 10 application security defects:
• Session replay/hijacking
• Password controls
• Buffer overflows
• File/application enumeration
• Weak encryption
• Password sniffing
• Cookie manipulation
• Administrative channels
• Log storage/retrieval issues
• Error codes
Solutions for application security
• Stop depending solely on firewalls
• Education of application developers
• Engage management
• Get outside help (outsourcing)
Solutions for security:
• Vulnerability testing
• Track changes
• Security policy
• Security infrastructure investment
• Protect against internal threats
• Government resources
• Control physical access to your server room
Vulnerability testing
• Seeks to identify potential threats by discovering weak areas in the existing controls.
• Once identified, the controls can be tightened and the potential threat averted.
Track changes
• Tracking innocent mistakes can give you an early warning that more user training is required or that the new software applications themselves need to be reviewed and possibly revised.
• Audit trail
• Event log
Security Policy
• Acceptable Use Policy
• Anti-Virus Process
• Audit Policy
• Database Credentials Coding Policy
• Dial-in Access Policy
• Extranet Policy
• Password Protection Policy
• Risk Assessment Policy
Security Infrastructure investment
• Risk assessment
• Passive network sniffer
• Attack your network from the outside
• Regular briefings
• Hire an outside consulting firm to perform a vulnerability assessment on key areas
Protect against internal threats
• Valuation of protected information
• Background checks
• Security education
• Separate servers
• PGP encryption
• Temporary accounts
• Eliminate opportunities for inside hackers
Control physical access to your server room
• Physical access to the server room should be monitored and controlled.
• Keyless lock or electronic code entrances
• Access control cards
Government resources
• Cybercrime.gov
Closing Remarks
• Data and people are two of an organization's most important assets
• YOU ARE TRUSTED with these assets