CHAPTER 3 Information Privacy and Security
CHAPTER OUTLINE • Ethical Issues in Information Systems • Threats to Information Security • Protecting Information Resources
Ethical Issues in Information Systems • Issues and standards of conduct pertaining to the use of information systems • 1986 – Richard O. Mason article
Threats to Information Privacy • Data aggregators and digital dossiers (linking personal information in multiple databases) • Could this happen to you? • Electronic Surveillance • Information on Internet Bulletin Boards, Blog Sites, and Social Networking Sites
Threats to Information Security • Issues: • Confidentiality, Integrity, Availability (CIA) • Natural causes vs. human causes • Outsider threats vs. insider threats • e.g., the Gucci case, the FDA case • Protection vs. convenience
Major Categories of IS Security Threats • Accidents and natural disasters • Unauthorized Access • Thefts, eavesdropping, masquerading, etc. • Computer Malware • Viruses, worms, Trojan horses, spyware, adware, etc. • Spamming and phishing • Cyber warfare • Denial of service (DoS) attacks, online vandalism, etc.
Example: Password Security • Calculated guessing • Brute force attacks • Exhaustive search until a match is found • How long would it take? • Shoulder surfing • Social engineering
Example: Denial of Service (DoS) Attacks • Attackers prevent legitimate users from accessing services • Targets include servers and communication circuits • The Estonian Attack • Distributed DoS attacks • Use compromised computers (zombies or botnets) to launch massive attacks
Protecting Information Resources • IS Security Audits (Risk Analysis) • Identify information assets • Prioritize assets to be protected • And then there is real risk! There is always risk!
Risk Mitigation Strategies • Risk limitation – Implement countermeasures (controls) • Risk acceptance – Prepared to absorb damages • Risk transfer – Transfer risks to a third party
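Sample Risk Limitation Worksheet
Threats: Disruption and Disaster (Fire, Flood, Power Loss, Circuit Failure, Virus); Unauthorized Access (External Intruder, Internal Intruder, Eavesdrop). Each entry lists the numbers of the countermeasures that apply.
Assets (w/ priority):
• (92) Mail Server – Fire: 1,2; Flood: 1,3; Power Loss: 4; Circuit Failure: 5,6; Virus: 7,8; External Intruder: 9,10,11; Internal Intruder: 9,10
• (90) Web Server – Fire: 1,2; Flood: 1,3; Power Loss: 4; Circuit Failure: 5,6; Virus: 7,8; External Intruder: 9,10,11; Internal Intruder: 9,10
• (90) DNS Server – Fire: 1,2; Flood: 1,3; Power Loss: 4; Circuit Failure: 5,6; Virus: 7,8; External Intruder: 9,10,11; Internal Intruder: 9,10
• (50) Computers on 6th floor – Fire: 1,2; Flood: 1,3; Virus: 7,8; External Intruder: 10,11; Internal Intruder: 10
• (50) 6th floor LAN circuits – Fire: 1,2; Flood: 1,3
• (80) Building A Backbone – Fire: 1,2; Flood: 1,3; Circuit Failure: 6
• (100) Database Server – Fire: 1,2; Flood: 1,3; Power Loss: 4; Circuit Failure: 5,6; Virus: 7,8; External Intruder: 9; Internal Intruder: 9
• …
Countermeasures:
1. Disaster recovery plan
2. Halon fire system/sprinklers
3. Not on or below ground level
4. UPS on servers
5. Contract guarantees from IXCs
6. Extra backbone fiber laid between servers
7. Virus checking software present
8. Extensive user training on viruses
9. Strong password software
10. Extensive user training on security
11. Application Layer firewall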
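A gap analysis over the worksheet above, added here as an illustration and not part of the original slides: it lists every asset/threat cell with no countermeasure and totals the asset priority left exposed per threat. The cell placement is this example's reading of the flattened worksheet and should be treated as an assumption.

```python
THREATS = ["Fire", "Flood", "Power Loss", "Circuit Failure", "Virus",
           "External Intruder", "Internal Intruder", "Eavesdrop"]

# asset -> (priority, countermeasure numbers per threat, in THREATS order).
# Placement of the cells is an assumption (read from the flattened worksheet).
WORKSHEET = {
    "Mail Server": (92, [[1, 2], [1, 3], [4], [5, 6], [7, 8], [9, 10, 11], [9, 10], []]),
    "Web Server": (90, [[1, 2], [1, 3], [4], [5, 6], [7, 8], [9, 10, 11], [9, 10], []]),
    "DNS Server": (90, [[1, 2], [1, 3], [4], [5, 6], [7, 8], [9, 10, 11], [9, 10], []]),
    "Computers on 6th floor": (50, [[1, 2], [1, 3], [], [], [7, 8], [10, 11], [10], []]),
    "6th floor LAN circuits": (50, [[1, 2], [1, 3], [], [], [], [], [], []]),
    "Building A Backbone": (80, [[1, 2], [1, 3], [], [6], [], [], [], []]),
    "Database Server": (100, [[1, 2], [1, 3], [4], [5, 6], [7, 8], [9], [9], []]),
}


def gaps(worksheet):
    """Return (priority, asset, threat) for every cell with no countermeasure,
    highest-priority asset first. An empty cell may also mean 'not applicable';
    the output is a review list, not a verdict."""
    found = []
    for asset, (priority, cells) in worksheet.items():
        for threat, controls in zip(THREATS, cells):
            if not controls:
                found.append((priority, asset, threat))
    return sorted(found, key=lambda g: (-g[0], g[1], g[2]))


def exposure_by_threat(worksheet):
    """Sum the priorities of assets that have no countermeasure for each threat."""
    totals = {threat: 0 for threat in THREATS}
    for priority, _asset, threat in gaps(worksheet):
        totals[threat] += priority
    return totals


if __name__ == "__main__":
    for threat, total in sorted(exposure_by_threat(WORKSHEET).items(),
                                key=lambda item: -item[1]):
        print(f"{threat:18} uncovered priority total: {total}")
    print("Highest-priority gap:", gaps(WORKSHEET)[0])
```

Under this reading no listed countermeasure addresses eavesdropping on any asset, which is the gap the encryption slides that follow are aimed at.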
Access Control Mechanisms • Physical Controls • Chain and locks • Network Controls • Firewalls • Virtual Private Networks (VPNs) • Employee monitoring systems • Authentication and Encryption techniques
Authentication Techniques • Something you know • Strong password • CAPTCHA • Something you have • Smart cards / keys • Hardware authentication • Something you are or you do • Biometrics
Encryption Techniques • Mathematical manipulation of digital data to provide • Confidentiality – only intended recipient can read a message • Authentication – proving one’s identity • Information Integrity – assurance of unaltered message • Nonrepudiation – using digital signatures to prevent disputes between parties exchanging messages
The Encryption Concept • Every encryption method has two parts: a mathematical procedure and a key • Example procedure — shift in alphabetical order by N letters • Example key — N = 4 • Plaintext “TAKEOVER” → Encryption (Procedure + Key) → Ciphertext “XEOISZIV” (transmitted) → Decryption (Procedure + Key) → Plaintext “TAKEOVER”
Encryption: Key Length • The key is a value that may be “guessed” by exhaustive search (brute force attacks) • A large key makes exhaustive search very difficult or virtually impossible • If key length is n bits, 2^n tries may be needed • Weak key: up to 56 bits • Strong key: 128 bits or longer
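The shift procedure from "The Encryption Concept" and the "How long would it take?" question from the password and key-length slides, worked through as an added example (not part of the original slides). The guess rate of one billion tries per second and the known-word check are assumptions chosen for illustration.

```python
import string

ALPHABET = string.ascii_uppercase
SECONDS_PER_YEAR = 365 * 24 * 3600


def shift_encrypt(plaintext: str, key: int) -> str:
    """The slide's procedure: move each letter forward by `key` positions."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # leave spaces and punctuation unchanged
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is the same procedure with the key negated."""
    return shift_encrypt(ciphertext, -key)


def exhaustive_search(ciphertext: str, known_word: str):
    """Try all 26 keys and keep candidates containing a word expected in the
    plaintext. The whole key space is searched instantly, which is why this
    procedure offers no confidentiality."""
    hits = []
    for key in range(26):
        candidate = shift_decrypt(ciphertext, key)
        if known_word.upper() in candidate:
            hits.append((key, candidate))
    return hits


def worst_case_years(keyspace: int, guesses_per_second: float) -> float:
    """Time to try every value in the key space at a fixed guess rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1e9  # assumed guess rate, tries per second
    print(shift_encrypt("TAKEOVER", 4))
    print(exhaustive_search("XEOISZIV", "OVER"))
    cases = {"shift cipher (26 keys)": 26,
             "8 lowercase letters": 26 ** 8,
             "56-bit key": 2 ** 56,
             "128-bit key": 2 ** 128}
    for label, keyspace in cases.items():
        print(f"{label:24} {worst_case_years(keyspace, rate):.3g} years")
```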
Common Encryption Techniques • Symmetric (private) key encryption system • Sender and recipient use the same key • Key distribution and management problems • Asymmetric (public) key encryption system • Each individual has a pair of keys • Public key – freely distributed • Private key – kept secret
How Public Key Encryption Works • (Figure: Encrypt → Decrypt)
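A worked key pair in place of the missing figure, added here and not part of the original slides: anyone can encrypt with the public key, only the private key decrypts, and the private key also produces a signature that the public key verifies (the nonrepudiation property listed earlier). The slides do not name an algorithm; this uses textbook RSA with toy-sized primes and no padding, so it is for illustration only.

```python
import hashlib


def make_keypair(p: int, q: int, e: int = 65537):
    """Build (public, private) from two primes. Public = (n, e), private = (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: e * d = 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public, message: str):
    """Encrypt byte by byte with the recipient's public key (toy scheme)."""
    n, e = public
    return [pow(b, e, n) for b in message.encode()]


def decrypt(private, blocks) -> str:
    """Only the holder of the private exponent can reverse encrypt()."""
    n, d = private
    return bytes(pow(c, d, n) for c in blocks).decode()


def digest(message: str, n: int) -> int:
    """SHA-256 of the message reduced mod n (a shortcut for the toy modulus)."""
    return int.from_bytes(hashlib.sha256(message.encode()).digest(), "big") % n


def sign(private, message: str) -> int:
    """Signature = digest raised to the private exponent."""
    n, d = private
    return pow(digest(message, n), d, n)


def verify(public, message: str, signature: int) -> bool:
    """Anyone with the public key can check the signature matches the message."""
    n, e = public
    return pow(signature, e, n) == digest(message, n)


if __name__ == "__main__":
    # Two Mersenne primes: far too small for real use, chosen for clarity.
    public, private = make_keypair(2 ** 31 - 1, 2 ** 61 - 1)
    blocks = encrypt(public, "TAKEOVER")
    print("ciphertext blocks:", blocks[:2], "...")
    print("decrypted:", decrypt(private, blocks))
    sig = sign(private, "TAKEOVER")
    print("signature valid:", verify(public, "TAKEOVER", sig))
    print("altered message valid:", verify(public, "TAKEOVER!", sig))
```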
E-Commerce Security • Certificate Authority • Third party – trusted middleman • Verifies trustworthiness of a Web site • Checks for identity of a computer • Provides public keys • Secure Sockets Layer (SSL) • Developed by Netscape • Standard technique for secure e-commerce transactions (https)