Introduction to MIS. Chapter 4 Security, Privacy, Anonymity. Outline. Threats to Information Physical Security and Disaster Planning Logical Security and Data Protection Virus Threats User Identification and Biometrics Access controls Encryption and Authentication
Introduction to MIS Chapter 4 Security, Privacy, Anonymity
Outline • Threats to Information • Physical Security and Disaster Planning • Logical Security and Data Protection • Virus Threats • User Identification and Biometrics • Access controls • Encryption and Authentication • Internet Security Issues • Privacy • Anonymity • Cases: Healthcare • Appendix: Server Security Certificates
Security, Privacy, and Anonymity • Server Attacks • The Internet • Data interception • Monitoring
Threats to Information • Accidents & Disasters • Employees & Consultants • Business Partnerships • Outsiders • Viruses [Diagram labels: Links to business partners; Outside hackers; Virus hiding in e-mail attachment; Employees & Consultants]
Security Categories • Physical attack & disasters: Backup--off-site; Cold/Shell site; Hot site; Disaster tests; Personal computers! • Logical: Unauthorized disclosure; Unauthorized modification; Unauthorized withholding; Denial of Service
Horror Stories • Security Pacific--Oct. 1978: Stanley Mark Rifkin; Electronic Funds Transfer; $10.2 million; Switzerland; Soviet Diamonds; Came back to U.S. • Equity Funding--1973: The Impossible Dream; Stock Manipulation; Insurance Loans; Fake computer records • Robert Morris--1989: Graduate Student; Unix “Worm”; Internet--tied up for 3 days • Clifford Stoll--1989: The Cuckoo’s Egg; Berkeley Labs; Unix--account not balance; Monitor, false information; Track to East German spy • Old Techniques: Salami slice; Bank deposit slips; Trojan Horse; Virus
Manual v Automated Data • Amount of data • Identification of users • Difficult to detect changes • Speed • Search • Copy • Statistical Inference • Communication Lines
Disaster Planning SunGard is a premier provider of computer backup facilities and disaster planning services. Its fleet of Mobile Data Centers can be outfitted with a variety of distributed systems hardware and delivered at a disaster site within 48 hours.
Data Backup • Backup is critical • Offsite backup is critical • Levels: RAID (multiple drives); Real time replication; Scheduled backups
Data Backup • Use the network to back up PC data. • Use duplicate mirrored servers for extreme reliability. • Frequent backups enable you to recover from disasters and mistakes. • Offsite backups are critical. [Diagram labels: Power company; UPS]
Virus • From: afriend To: victim Message: Open the attachment for some excitement. • 1. User opens an attached program that contains hidden virus 2. Virus copies itself into other programs on the computer 3. Virus spreads until a certain date, then it deletes files. [Diagram: attachment bytes with embedded virus code]
Virus Damage • Dataquest, Inc; Computerworld 12/2/91 • National Computer Security Association; Computerworld 5/6/96 • (http://www.info-ec.com/viruses/99/viruses_062299a_j.shtml) 1999 virus costs in the U.S.: $7.6 billion.
Stopping a Virus • Backup your data! • Never run applications unless you are certain they are safe. • Never open executable attachments sent over the Internet--regardless of who mailed them. • Antivirus software • Needs constant updating • Rarely catches current viruses • Can interfere with other programs • Ultimately, viruses sent over the Internet can be traced back to the original source.
User Identification • Passwords: Dial up service found 30% of people used same word; People choose obvious; Post-It notes • Hints: Don’t use real words; Don’t use personal names; Include non-alphabetic; Change often; Use at least 6 characters • Alternatives: Biometrics (Finger/hand print; Voice recognition; Retina/blood vessels; Iris scanner; DNA ?); Password generator cards • Comments: Don’t have to remember; Reasonably accurate; Price is dropping; Nothing is perfect
Iris Scan • EyePass™ System at Charlotte/Douglas International Airport. • http://www.iridiantech.com/questions/q2/features.html • http://www.eyeticket.com/eyepass/index.html • Algorithm patents by JOHN DAUGMAN 1994 http://www.cl.cam.ac.uk/~jgd1000/
Biometrics: Thermal Several methods exist to identify a person based on biological characteristics. Common techniques include fingerprint, handprint readers, and retinal scanners. More exotic devices include body shape sensors and this thermal facial reader which uses infrared imaging to identify the user.
Access Controls: Permissions in Windows • Find the folder or directory in explorer. • Right-click to set properties. • On the Security tab, assign permissions.
Security Controls • Access Control • Ownership of data • Read, Write, Execute, Delete, Change Permission, Take Ownership • Security Monitoring • Access logs • Violations • Lock-outs
Additional Controls • Audits • Monitoring • Background checks: http://www.casebreakers.com/ http://www.knowx.com/ http://www.publicdata.com/
Encryption: Single Key • Encrypt and decrypt with the same key • How do you get the key safely to the other party? • What if there are many people involved? • Fast encryption and decryption • DES - old and falls to brute force attacks • Triple DES - old but slightly harder to break with brute force. • AES - new standard [Diagram labels: Plain text message; AES, Key: 9837362; Encrypted text; Single key: e.g., AES; Encrypted text; AES, Key: 9837362; Plain text message]
Encryption: Dual Key • Alice sends message to Bob that only he can read. [Diagram labels: Message; Encrypted; Message; Alice; Bob; Public Keys: Alice 29, Bob 17; Private Key 13; Private Key 37; Use Bob’s Public key; Use Bob’s Private key]
Dual Key: Authentication • Bob sends message to Alice: His key guarantees it came from him. Her key prevents anyone else from reading message. [Diagram labels: Message; Transmission; Message; Encrypt+T+M; Encrypt+M; Encrypt+T; Alice; Bob; Public Keys: Alice 29, Bob 17; Private Key 13; Private Key 37; Use Alice’s Private key; Use Bob’s Private key; Use Bob’s Public key; Use Alice’s Public key]
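The exchange on the two dual-key slides above, worked through as an added example that is not part of the original slides: Bob signs with his private key and encrypts with Alice's public key, and a message signed by anyone else fails Alice's check. It uses toy textbook RSA with small constructed primes and hash-then-sign rather than the slide's nested wrapping; the key values are constructed (not the slide's 29/17/13/37) and Mallory is a hypothetical impostor.

```python
# Toy textbook RSA with tiny constructed primes: shows which key is used
# where on the dual-key slides. Not secure; real systems use vetted libraries.
import hashlib

E = 65537  # common public exponent

def make_keypair(p, q):
    """Return (public, private) as ((e, n), (d, n)) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

def digest(message, n):
    """SHA-256 of the message, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def send(message, sender_private, recipient_public):
    """Sender signs with own private key, encrypts with recipient's public key."""
    d, n_s = sender_private
    e, n_r = recipient_public
    signature = pow(digest(message, n_s), d, n_s)        # proves origin
    ciphertext = [pow(byte, e, n_r) for byte in message]  # hides content
    return ciphertext, signature

def receive(packet, recipient_private, sender_public):
    """Recipient decrypts with own private key, verifies with sender's public key."""
    ciphertext, signature = packet
    d, n_r = recipient_private
    e, n_s = sender_public
    message = bytes(pow(c, d, n_r) for c in ciphertext)
    authentic = pow(signature, e, n_s) == digest(message, n_s)
    return message, authentic

# Constructed key pairs for the three parties.
alice_pub, alice_priv = make_keypair(1009, 1013)
bob_pub, bob_priv = make_keypair(1019, 1021)
mallory_pub, mallory_priv = make_keypair(1031, 1033)

def demo():
    msg = b"Transfer approved"
    # Bob -> Alice: signed by Bob, readable only by Alice.
    genuine = receive(send(msg, bob_priv, alice_pub), alice_priv, bob_pub)
    # Mallory claims to be Bob: Alice checks against Bob's public key.
    forged = receive(send(msg, mallory_priv, alice_pub), alice_priv, bob_pub)
    return genuine, forged

if __name__ == "__main__":
    print(demo())
```

Anyone can encrypt to Alice because her public key is public, so confidentiality alone says nothing about the sender; only the signature check against Bob's public key does.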
Certificate Authority • How does Alice know that it is really Bob’s key? • Trust the C.A. • C.A. validates applicants • Public key: Imposter could sign up for a public key. Need trusted organization. Only Verisign today, a public company with no regulation. Verisign mistakenly issued a certificate to an imposter claiming to work for Microsoft in 2001. [Diagram labels: Public Keys: Alice 29, Bob 17; Alice; Use Bob’s Public key]
Internet Data Transmission [Diagram labels: Start; Intermediate Machines; Destination; Eavesdropper]
Clipper Chip: Key Escrow [Diagram labels: Clipper chip in phones; Encrypted conversation; Intercept; Escrow keys; Judicial or government office; Decrypted conversation]
Denial Of Service • Coordinated flood attack. • Targeted server. • Break in. • Flood program. • Zombie PCs at homes, schools, and businesses. • Weak security.
Securing E-Commerce Servers 1. Install and maintain a working network firewall to protect data accessible via the Internet. 2. Keep security patches up-to-date. 3. Encrypt stored data. 4. Encrypt data sent across networks. 5. Use and regularly update anti-virus software. 6. Restrict access to data by business "need to know." 7. Assign a unique ID to each person with computer access to data. 8. Don't use vendor-supplied defaults for system passwords and other security parameters. 9. Track access to data by unique ID. 10. Regularly test security systems and processes. 11. Maintain a policy that addresses information security for employees and contractors. 12. Restrict physical access to cardholder information. http://www.visabrc.com/doc.phtml?2,64,932,932a_cisp.html
Internet Firewall • Firewall router: Keeps local data from going to Web servers. • Firewall router: Examines each packet and discards some types of requests. [Diagram labels: Internal company data servers; Company PCs; Internet]
Privacy criminal record complaints finger prints transportation data medical records financial regulatory employment environmental financial permits census credit cards organizations grocery store scanner data purchases phone subscriptions education loans & licenses
Cookies • User PC: Request page. Display page, store cookie. Request new page and send cookie. • Web server: Find page. Send page and cookie. Use cookie to identify user. Send customized page. [Diagram axis: time]
Misuse of Cookies: Third Party Ads [Diagram labels: Useful Web site; National ad Web site Doubleclick.com; Link to ads; Requested page; Request page; Ads, and cookie; Hidden prior cookie; Useful Web Page: Text and graphics, [Advertisements]; User PC]
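The third-party ad cookie flow from the two cookie slides above, as an added simulation that is not part of the original slides. The host name ads.example, the page names and the classes AdServer and Browser are constructed for illustration; it shows how one ad host links visits across unrelated sites, and how the linkage disappears when the browser refuses third-party cookies.

```python
# Constructed simulation of the third-party ad cookie flow.
# All host and page names are made up for the example.
import itertools

class AdServer:
    """Third-party ad host whose ads are embedded by many unrelated sites."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.profiles = {}  # cookie id -> pages on which an ad was requested

    def serve_ad(self, cookie, referring_page):
        if cookie is None:                      # first contact: issue an identifier
            cookie = f"uid-{next(self._ids)}"
        # The ad request reveals which page embedded the ad (the referrer).
        self.profiles.setdefault(cookie, []).append(referring_page)
        return cookie                           # returned to the browser as a cookie

class Browser:
    def __init__(self, allow_third_party_cookies):
        self.allow = allow_third_party_cookies
        self.jar = {}                           # cookie jar keyed by host

    def visit(self, page, ad_server, ad_host="ads.example"):
        # Loading the page triggers a request to the ad host.
        stored = self.jar.get(ad_host) if self.allow else None
        issued = ad_server.serve_ad(stored, page)
        if self.allow:
            self.jar[ad_host] = issued          # "hidden prior cookie" on the next visit

PAGES = ["news.example/politics", "shop.example/shoes", "health.example/clinic"]

def track(allow_third_party_cookies):
    """Return what the ad server has learned after one user visits PAGES."""
    ads = AdServer()
    browser = Browser(allow_third_party_cookies)
    for page in PAGES:
        browser.visit(page, ads)
    return ads.profiles

if __name__ == "__main__":
    print("cookies allowed:", track(True))
    print("cookies blocked:", track(False))
```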
Wireless Privacy • Cell phones require connections to towers • E-911 laws require location capability • Many now come with integrated GPS units • Business could market to customers “in the neighborhood” • Tracking of employees is already common
Privacy Problems • TRW--1991: Norwich, VT; Listed everyone delinquent on property taxes • Terry Dean Rogan: Lost wallet; Impersonator, 2 murders and 2 robberies; NCIC database; Rogan arrested 5 times in 14 months; Sued and won $55,000 from LA • Employees: 26 million monitored electronically; 10 million pay based on statistics • Jeffrey McFadden--1989: SSN and DoB for William Kalin from military records; Got fake Kentucky ID; Wrote $6000 in bad checks; Kalin spent 2 days in jail; Sued McFadden, won $10,000 • San Francisco Chronicle--1991: Person found 12 others using her SSN; Someone got 16 credit cards from another’s SSN, charged $10,000; Someone discovered unemployment benefits had already been collected by 5 others
Privacy Laws • Minimal in US • Credit reports • Right to add comments • 1994 disputes settled in 30 days • 1994 some limits on access to data • Bork Bill--can’t release video rental data • Educational data--limited availability • 1994 limits on selling state/local data • 2001 rules on medical data • Europe • France and some other controls • 1995 EU Privacy Controls
Primary U.S. Privacy Laws • Freedom of Information Act • Family Educational Rights and Privacy Act • Fair Credit Reporting Act • Privacy Act of 1974 • Privacy Protection Act of 1980 • Electronic Communications Privacy Act of 1986 • Video Privacy Act of 1988 • Driver’s Privacy Protection Act of 1994 • 2001 Federal Medical Privacy rules (not a law)
Anonymity • Anonymous servers: http://www.zeroknowledge.com • Dianetics church (L. Ron Hubbard) officials in the U.S. • Sued a former employee for leaking confidential documents over the Internet. • He posted them through a Danish anonymous server. • The church pressured police to obtain the name of the poster. • Zero knowledge server is more secure • Should we allow anonymity on the Internet? • Protects privacy • Can encourage flow of information • Chinese dissenters • Government whistleblowers • Can be used for criminal activity
Cases: Eli Lilly • Owens & Minor, Inc. • www.lilly.com • www.owens-minor.com • What is the company’s current status? • What is the Internet strategy? • How does the company use information technology? • What are the prospects for the industry?
Appendix: Digital Security Certificates • Digital security certificates are used to encrypt e-mail and to authenticate the sender. • Obtain a certificate from a certificate authority • Verisign • Thawte (owned by Verisign) • Microsoft • Your own company or agency • Install the certificate in Outlook • Select option boxes to encrypt or decrypt messages • Install certificates sent by your friends and co-workers.
Installing a Certificate • Tools + Options + Security tab • Choose your certificate • Check these boxes to add your digital signature and to encrypt messages. • These boxes set the default choices. For each message, you can use the options to check or uncheck these boxes.
Encrypting and Signing Messages Use the Options button and the Security Settings button to make sure the Encrypt and Signature boxes are checked. Then the encryption and decryption are automatic.