3. Protection of Information Assets (25%)
Protecting Personal & Institutional Information Assets & Data
Extra Credit Project
Jack Mason & July James

3. Protection of Information Assets (Content Area, Approximately 25% of exam)
• 3.1 Evaluate the design, implementation, and monitoring of logical access controls to ensure the integrity, confidentiality, and availability of information assets.
• 3.2 Evaluate network infrastructure security to ensure integrity, confidentiality, availability and authorized use of the network and the information transmitted.

3. Protection of Information Assets (continued)
• 3.3 Evaluate the design, implementation, and monitoring of environmental controls to prevent and/or minimize potential loss.
• 3.4 Evaluate the design, implementation, and monitoring of physical access controls to ensure that the level of protection for assets and facilities is sufficient to meet the organization's business objectives.

Knowledge Statements 1
• 3.01 Knowledge of the processes of design, implementation, and monitoring of security (e.g. gap analysis, baseline, tool selection)
• 3.02 Knowledge of encryption techniques (e.g. DES, RSA)
• 3.03 Knowledge of public key infrastructure (PKI) components (e.g. certification authorities (CA), registration authorities)
• 3.04 Knowledge of digital signature techniques

Knowledge Statements 2
• 3.05 Knowledge of physical security practices (e.g. biometrics, card swipes)
• 3.06 Knowledge of techniques for identification, authentication, and restriction of users to authorized functions and data (e.g. dynamic passwords, challenge/response, menus, profiles)

Knowledge Statements 3
• 3.07 Knowledge of security software (e.g. single sign-on, intrusion detection systems (IDS), automated permissioning, network address translation)
• 3.08 Knowledge of security testing and assessment tools (e.g. penetration testing, vulnerability scanning)
• 3.09 Knowledge of network and Internet security (e.g. SSL, SET, VPN, tunneling)

Some Possible Threats
• Email Interception
• Email Spoofing
• Web Data Interception
• Network & Volume Invasion
• Marketing Data / Spam & Junk Mail
• Viruses, Worms, Trojan Horses
• Password Cracking

More Possible Threats
• Mail bomb
• Denial of Service (DoS)
• Piracy of Intellectual Property

Email Interception
Methods
• Script Monitor: running a script on a server that receives email traffic, monitoring emails for certain keywords or number patterns (e.g. "bomb + president" or credit card number patterns).
• Account Emulation: stealing someone's user id and password to gain access to their email account.
Defenses
• Digital Certificates: digital certificates authenticate you as the sender and are extremely difficult to forge. They allow very strong encryption of email communications.
• PGP: "Pretty Good Privacy" allows strong encryption of your text. It can be incorporated easily into any text-oriented program.

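The "script monitor" above is the same mechanism a mail gateway uses defensively to spot sensitive data leaving the organisation. The following is an added example, not code from the slide deck: it flags messages that contain every word of a watch phrase, and digit runs that look like a payment card number and pass the Luhn checksum, while masking the number so the monitor's own log does not leak it. The watch phrase, the sample message text and the card number (a well-known test number) are constructed for the example.

```python
"""Keyword / card-number monitor for mail passing through a server.

Added example (not from the slide deck): a simplified version of the
"script monitor" described above. It flags messages that contain all
words of a watch phrase and any digit runs that look like a payment
card number and pass the Luhn check. Sample inputs are constructed.
"""
import re

# Watch phrases: a message is flagged when every word of a phrase appears.
WATCH_PHRASES = [("bomb", "president")]

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Digit-only candidates that look like card numbers and pass Luhn.

    Phone numbers and order ids are too short to match the pattern, and
    random 16-digit runs fail Luhn nine times out of ten.
    """
    found = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def matched_phrases(text: str) -> list[tuple[str, ...]]:
    """Watch phrases whose words all occur somewhere in the message."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return [p for p in WATCH_PHRASES if all(w in words for w in p)]


def mask(number: str) -> str:
    """Keep only the last four digits so the log itself does not leak the number."""
    return "*" * (len(number) - 4) + number[-4:]


def scan_message(text: str) -> dict:
    """Scan one message body; returns what a monitor would log for review."""
    return {
        "phrases": matched_phrases(text),
        "card_numbers": [mask(n) for n in find_card_numbers(text)],
    }


if __name__ == "__main__":
    # Constructed sample messages.
    print(scan_message("Order shipped. Card 4111 1111 1111 1111, call 1-800-685-1111"))
    print(scan_message("The President received a bomb threat this morning"))
```

A real deployment would run this against the decoded message body (not the raw MIME), pull the watch list from configuration, and route hits to a review queue rather than blocking outright, since keyword matches alone produce many false positives.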
Standard Encryption
• Text is encrypted and sent by the originator.
• Ciphertext is decrypted by the recipient.
• The same key is used for encryption and decryption.
• If the key is intercepted or deciphered, the encryption becomes useless.
• This is how WWII was won...

Strong Cryptography
• "There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter." -- Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C.
• 40 bit cryptography is considered weak. It can be intercepted and deciphered in seconds using today's tools.
• By contrast, 128 bit cryptography is considered technically infeasible to crack. Most banks require a 128 bit browser for online banking.

Dual Key Cryptography
• A key pair is generated: a public key and a private key.
• The public key is sent to a server and exchanged with others.
• The private key is guarded by the user.

Dual Keys Continued
• The encrypted message is generated using the recipient's public key and your private key.
• Only the intended recipient, holding the corresponding private key, will be able to decrypt it.
• NSA hates this to be in the hands of the general public... but you have the right to privacy.

What is a Digital Certificate? (X.509)
• Acts as a virtual signature
• Very hard to forge
• Can be used for encryption or authentication
• Resides in the Browser/Email Client/OS
• Free digital certificates are available
• PGP Freeware is available

What is PGP?
• Created by Phil Zimmermann
• PGP is now a subsidiary of Network Associates
• Secures e-mail and files
• Based on "Public Key" Cryptography
• Users who have never met can exchange encrypted documents.
• Freeware

How To Encrypt a Message (1)
This will describe how to encrypt a message using Digital Certificates with Netscape Communicator.
• Obtain and install a certificate using the step by step instructions at the issuing website.
[Figure: clicking on the Security button in Netscape Communicator opens the Security window.]

How To Encrypt a Message (2)
• Users must exchange "public keys".
• This can be done via an LDAP directory or by email exchange. You can search for certificates on public directories (LDAP) directly from within Communicator.
[Figure: an email that has a digital certificate attached displays a certificate icon in Communicator. You can click on the icon to examine the cert. Certs emailed to you are automatically added to Communicator's database.]

How To Encrypt a Message (3)
• Once keys have been exchanged, address an email to the other party.
• Click on the Security button and select the option for encrypting the message.
• That's it!

Email Spoofing
• Happens when someone impersonates an email user, sending messages that appear to be from the victim's email address.
• Spoofing can be prevented by using your Digital Certificate or PGP to "Digitally Sign" your email message.
• Even Certificates can be spoofed, although it is difficult. Check the "Certificate Fingerprint" of the message to be sure it's authentic.
[Figure: Certificate Fingerprint: E4:58:C8:8F:B5:90:4C:AC:AB:79:9C:6A:32:0C:3E:4E]

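The Dual Key slides and the spoofing slide above describe three operations on one key pair: encrypt with the recipient's public key, sign with your own private key, and compare a fingerprint before trusting a key. The block below is an added example, not the deck's or any vendor's code: textbook RSA with small fixed primes and no padding, which is enough to show why only the private-key holder can decrypt and why an altered or forged message fails signature verification, but is not a secure implementation. The primes, key names (Alice, Bob), messages and the SHA-256 fingerprint format are constructed for the example; the slide's fingerprint shown in the figure is an MD5-style value and is not reproduced.

```python
"""Dual-key (public-key) encryption, digital signing and key fingerprints.

Added example, not from the slide deck. Textbook RSA with small fixed
primes and no padding: it shows the key-pair mechanics from the slides
(encrypt with the recipient's public key, sign with your own private key,
compare a fingerprint before trusting a key), not a secure implementation.
All keys and messages here are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def generate_key_pair(p: int, q: int, e: int = 65537) -> tuple[PublicKey, PrivateKey]:
    """Derive an RSA key pair from two primes (small fixed primes, for illustration only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return PublicKey(n, e), PrivateKey(n, d)


def _chunks(data: bytes, size: int):
    for i in range(0, len(data), size):
        yield data[i:i + size]


def encrypt(message: bytes, recipient: PublicKey) -> list[int]:
    """Anyone holding the recipient's public key can produce these blocks."""
    blocks = []
    for c in _chunks(message, 4):
        # A leading 0x01 marker keeps leading zero bytes of the chunk intact;
        # 0x01 + 4 bytes is below 2**33, well under n (about 10**12 here).
        m = int.from_bytes(b"\x01" + c, "big")
        blocks.append(pow(m, recipient.e, recipient.n))
    return blocks


def decrypt(blocks: list[int], private: PrivateKey) -> bytes:
    """Only the holder of the matching private key can reverse the blocks."""
    out = b""
    for b in blocks:
        m = pow(b, private.d, private.n)
        raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
        out += raw[1:]           # drop the 0x01 marker
    return out


def _message_hash(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, signer: PrivateKey) -> int:
    """Digitally sign: hash the message, then apply the signer's private key."""
    return pow(_message_hash(message, signer.n), signer.d, signer.n)


def verify(message: bytes, signature: int, signer_public: PublicKey) -> bool:
    """Anyone with the signer's public key can check the signature; a forged
    or altered message fails because the recovered hash no longer matches."""
    return pow(signature, signer_public.e, signer_public.n) == _message_hash(message, signer_public.n)


def fingerprint(key: PublicKey) -> str:
    """Colon-separated hex digest of the public key: the value a user compares
    out-of-band (phone, in person) before trusting a key received by email."""
    digest = hashlib.sha256(f"{key.n}:{key.e}".encode()).digest()
    return ":".join(f"{b:02X}" for b in digest)


if __name__ == "__main__":
    alice_pub, alice_priv = generate_key_pair(1000003, 1000033)   # constructed primes
    bob_pub, bob_priv = generate_key_pair(1000037, 1000039)
    msg = b"Wire the funds by Friday."
    ciphertext = encrypt(msg, bob_pub)        # only Bob can read it
    signature = sign(msg, alice_priv)         # only Alice could have produced it
    print(decrypt(ciphertext, bob_priv))
    print(verify(msg, signature, alice_pub), verify(b"Wire the funds by Monday.", signature, alice_pub))
    print("Alice's key fingerprint:", fingerprint(alice_pub))
```

The fingerprint check matters because a spoofer can send you a key and claim it belongs to someone else; hashing the key and comparing the digest through a second channel is what defeats that, and it is exactly what the "Certificate Fingerprint" on the slide is for.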
Shopping Securely
• You should never input sensitive info such as Credit Card numbers into a non-secure website.
• Make sure the website is certified by a trusted Certificate Authority (CA).
[Figure: list of default trusted CAs in Communicator]

How to Shop Securely
• When you enter a secure site, Communicator's Security icon changes (see figure).
• Click on the Security button to examine which CA asserts that this site is safe.
Note: Attempting to enter a secure site that is not signed by a valid or default CA will result in a cautionary error message.
[Figure: Communicator's Security icon as shown on a secure site]

Hacking Into Your Computer
• DSL and Cable internet access means round-the-clock connections of home and small business computers to the Internet.
• This greatly increases the chance of attack.
• Physical access is always a danger, too.
• Hackers can gain access to your personal files, Quicken data, etc.

Stopping Hackers
• Set up a personal/home firewall.
• Encrypt your sensitive files!!!
• PGP, all platforms.
• Mac OS 9 Built-In Encryption Feature.
• Don't give out your passwords to anyone!
• Use difficult passwords, not simple dictionary-style words.

Password Strength
• Simple words out of a dictionary make bad passwords.
• Use mixed upper and lower case characters.
• Use non-alphanumeric characters such as: ~!@#$%^&*()_+=-{}[]|\:;"'/?.>,<`
• Avoid sharing passwords, even with friends and family.

Password Strength Examples
• A simple passphrase such as "coffee" is simple to crack: it takes about 40 minutes to break.
• Random alphanumerics are significantly more difficult: a passphrase such as "bR1a9Az" takes about 22 years to crack.
• Using the full range of the keyboard with truly random characters is totally infeasible to crack. A passphrase like ",ThX1pD<V+" would take 3.8 x 10^8 years to crack.

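The crack-time figures on the two Password Strength slides come from one calculation: which character classes a password draws on, how many candidates that search space holds, and how many guesses per second an attacker's tooling manages. The block below is an added example, not from the deck, that carries that calculation through for the slide's three passwords. The guess rate (one million per second), the small sample dictionary and the half-keyspace averaging are constructed assumptions, so the times it prints differ from the slide's figures; what stays the same is the ordering and the orders-of-magnitude gap between them.

```python
"""Estimating how long a brute-force guess of a password would take.

Added example, not from the slide deck. It classifies which character
classes a password uses, computes the size of the search space, and
converts that into an expected cracking time at an assumed guess rate.
The guess rate and the sample dictionary are constructed assumptions.
"""
import math
import string

# Character classes and their sizes; a password's alphabet is the sum of the
# classes it uses, and its keyspace is that alphabet raised to its length.
CLASSES = {
    "lower": set(string.ascii_lowercase),    # 26
    "upper": set(string.ascii_uppercase),    # 26
    "digit": set(string.digits),             # 10
    "symbol": set(string.punctuation),       # 32
}

# Constructed sample dictionary; a real check uses a full word list.
DICTIONARY = {"coffee", "password", "letmein", "welcome", "dragon"}

GUESSES_PER_SECOND = 1_000_000   # constructed assumption for the estimate
SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, given the classes present."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def keyspace(password: str) -> int:
    """Number of candidates a brute-force search must consider in the worst case."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: the usual way to compare search spaces."""
    return math.log2(keyspace(password))


def seconds_to_crack(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Expected time: on average half the keyspace is searched. A dictionary
    word falls after a handful of guesses regardless of its length, which is
    why 'coffee' is weak even though it has six characters."""
    if password.lower() in DICTIONARY:
        return len(DICTIONARY) / rate
    return keyspace(password) / 2 / rate


def strength_report(password: str) -> dict:
    """Summary a password-policy checker would show the user."""
    return {
        "alphabet": alphabet_size(password),
        "bits": round(entropy_bits(password), 1),
        "years": seconds_to_crack(password) / SECONDS_PER_YEAR,
        "dictionary_word": password.lower() in DICTIONARY,
    }


if __name__ == "__main__":
    for pw in ("coffee", "bR1a9Az", ",ThX1pD<V+"):   # the slide's three examples
        print(pw, strength_report(pw))
```

Two things the numbers make visible: length multiplies entropy (each extra character adds log2(alphabet) bits), and a dictionary word has effectively zero entropy however long it is, which is why the first slide's advice to avoid dictionary words comes before the advice about character classes.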
Key Strength Comparison
• Most browsers ship with a default of 40 bit encryption capabilities.
• You must upgrade to a 128 bit encryption capable browser for most online banking.

Strong Encryption Browsers
• Netscape Communicator is freely available for all platforms with 128 bit encryption capability and full features.
• A 128 bit capable version of Microsoft Internet Explorer is available for Windows and Macintosh. (The Mac version has limited features.)
• You may have to install additional plug-ins to get 128 bit capabilities out of MSIE.

Viruses
• Computer viruses are 100% man made.
• They can be transmitted via email, disk, network, etc.
• Most are harmless experiments.
• Some are intended to wreak havoc on individuals and networks.

Virus Protection
• Get a virus protection package and install it on your computer.
• Check the vendor's website for downloadable updates and alerts on new viruses.
• Don't open email or attachments from unknown sources.

Safeguarding Customer Information
Gramm-Leach-Bliley Act (GLBA) Compliance

Why was GLBA enacted?
Section 501 of the Gramm-Leach-Bliley Act requires Financial Institutions to establish standards relating to administrative, technical and physical information safeguards to protect customer records and information.

Safeguard Objectives
• Ensure the security and confidentiality of customer records and information.
• Protect against any anticipated threats or hazards to the security of the records.
• Protect against unauthorized access to or use of records or information which could result in harm or inconvenience to the customer.

Information Security Plan
• Written to ensure the security and confidentiality of non-public customer financial information (NPI).
• Protect against any anticipated threats and hazards.
• Protect against unauthorized access or use.

Non-public customer information (NPI)
• Credit card numbers
• Social Security numbers
• Driver's license numbers
• Student loan data
• Income information
• Credit histories
• Customer files with NPI
• NPI Consumer information
• Bank Account data

Financial Institutions
Financial institutions, including colleges and universities, must ensure that their security programs provide adequate protection to customer information in whatever format – electronic or hardcopy.

FTC Ruling
• Safeguarding consumer information is not a privacy issue but one of security.
• Compliance with FERPA does not exempt colleges and universities from GLBA safeguarding regulations.

FERPA vs. GLBA
• The Family Educational Rights and Privacy Act addresses the privacy of student information.
• The Gramm-Leach-Bliley Act addresses the security of customer records and information.

University Actions
• Has established a committee to ensure compliance.
• The committee meets regularly to review and ensure compliance with the act.
• Performs risk assessment and regular testing.
• Oversees service providers and contracts.
• Trains staff to maintain security and confidentiality.

Identity Theft
Why Protect your Identity?

Statistics on Identity Theft in New Jersey
4802 Complaints / year
• 1. Credit Card Fraud: 2,350 (49%)
• 2. Phone or Utilities Fraud: 867 (18%)
• 3. Bank Fraud: 669 (14%)
• 4. Government Documents/Benefits Fraud: 396 (8%)
• 5. Loan Fraud: 356 (7%)
• 6. Employment-Related Fraud: 260 (5%)
• 7. Attempted Identity Theft: 477 (10%)
• 8. Other: 710 (15%)

What is Identity Theft?
• Under the ID Theft Act, identity theft is defined very broadly as: knowingly using, without authority, a means of identification of another person to commit any unlawful activity (unlawful activity: a violation of Federal law, or a felony under State or local law).

Identity Theft
When someone steals your identity, they are usually using your credit to obtain goods and services for themselves that "you" will have to pay for.

How Does an Identity Thief Get Your Information?
• Stealing files from places where you work, go to school, shop, get medical services, bank, etc.
• Stealing your wallet or purse.
• Stealing information from your home or car.
• Stealing from your mailbox or from mail in transit.
• Sending a bogus email or calling with a false promise or fraudulent purpose.
- For example: pretending to be from a bank, creating a false website, pretending to be a real company, fake auditing letters.

From: PNC Bank
Sent: May 17, 2004 6:31 PM
To: abuse@Miami.edu
Subject: To All PNC bank users

Dear PNC user, During our regular update and verification of the user data, you must confirm your credit card details. Please confirm you information by clicking link below. http://Cards.bank.com pncfeatures/cardmember access.shtml

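The message quoted above carries the indicators a mail filter, or a careful reader, checks for: a link whose host is not in the claimed sender's domain, a plain http link, and wording that presses the reader to "confirm" card details. The following is an added example, not from the slide deck, that parses a message and reports those indicators. The sample message is constructed to resemble the slide's (the sender address, the "example" domains and the tidied-up URL are invented for the example, not the slide's actual values), and a second constructed message shows a legitimate notice passing clean.

```python
"""Flagging a phishing-style message like the one quoted above.

Added example, not from the slide deck. It parses a constructed message
modelled on the slide's PNC example and reports the indicators a mail
filter or a careful reader would check. All addresses, domains and URLs
below are constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the slide's message (not its real headers).
SAMPLE_MESSAGE = """\
From: "PNC Bank" <service@pnc-example.com>
To: customer@example.edu
Subject: To All PNC bank users

Dear PNC user,
During our regular update and verification of the user data, you must
confirm your credit card details. Please confirm your information by
clicking the link below.
http://cards.bank-example.com/pncfeatures/cardmember/access.shtml
"""

# Constructed legitimate notice for comparison.
LEGIT_MESSAGE = """\
From: "Registrar" <registrar@example.edu>
To: customer@example.edu
Subject: Spring schedule

Your schedule is posted at https://portal.example.edu/schedule
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Wording that asks the reader to hand over credentials or card data.
LURE_PHRASES = ("confirm your credit card", "verify your account", "confirm your information")


def same_org(link_host: str, sender_domain: str) -> bool:
    """True when the link host is the sender's domain or a subdomain of it."""
    return link_host == sender_domain or link_host.endswith("." + sender_domain)


def phishing_indicators(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    _, sender_addr = parseaddr(msg.get("From", ""))
    sender_domain = sender_addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()          # single-part text body in these samples
    findings = []
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if not same_org(host, sender_domain):
            findings.append(f"link host {host!r} is outside sender domain {sender_domain!r}")
        if parts.scheme == "http":
            findings.append(f"link {url} is not served over HTTPS")
    lowered = body.lower()
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            findings.append(f"lure wording: {phrase!r}")
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

The domain comparison is the check worth teaching: a bank's real notices link into the bank's own domain, so a link that leaves that domain is the single strongest signal in the quoted message, independent of how polished the wording is.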
How Does an Identity Thief Use Your Information?
• Obtains Credit Cards in your name or makes charges on your existing accounts (42%).
• Obtains wireless or telephone equipment or services in your name (20%).
• Forges checks, makes unauthorized EFTs, or opens bank accounts in your name (13%).
• Works in your name (9%).
• Obtains personal, student, car and mortgage loans, or cashes convenience checks in your name (7%).
• Other uses: obtains a driver's license in your name.

Victims of Identity Theft
If your identity is stolen, do the following immediately:
• Contact the fraud department of the three major credit bureaus (Equifax, Experian, Trans Union).
• Contact your creditors and check your accounts.
• File a police report.
• File a complaint with the FTC.

Recovery
Take back control of your identity:
• Close any fraudulent accounts.
• Put passwords on your accounts.
• Change old passwords and create new PIN codes.

Prevention
• Protect yourself
• Protect others
• Guard against fraud:
• Sign cards as soon as they arrive.
• Keep records of account numbers and phone numbers.
• Keep an eye on your card during transactions. Also be aware of who is around you: is anyone else listening?
• Check your credit report and credit card monthly statements.

Annual credit bureau report
• New Jersey residents are entitled to one free annual credit report.
• If you are denied credit, you are allowed to request one free copy of your credit report.
• Check your report for accurate information, open accounts, balance information, loan information, etc.

Credit Bureau Links
• Equifax – www.equifax.com
• To order a report, 1-800-685-1111
• To report fraud, 1-800-525-6285
• Experian – www.experian.com
• To order a report, 1-888-397-3742
• To report fraud, 1-888-397-3742
• Trans Union – www.tuc.com
• To order a report, 1-800-916-8800
• To report fraud, 1-800-680-7289