Bài giảng Introduction to MIS - Chapter 5: Computer Security

Introduction to MISChapter 5Computer SecurityJerry PostTechnology Toolbox: Assigning Security PermissionsTechnology Toolbox: Encrypting E-Mail??Cases: Professional SportsOutlineHow do you protect your information resources? What are the primary threats to an information system?What primary options are used to provide computer security?What non-computer-based tools can be used to provide additional security? How do you protect data when unknown people might be able to find it or intercept it? What additional benefits can be provided by encryption?How do you prove the allegations in a computer crime?What special security problems arise in e-commerce?Computer SecurityServer Attacks+ Physical DangersData interception+ external attackersThe InternetMonitoring/SpywareInternal + PrivacyEmployees & ConsultantsLinks to businesspartnersOutsidehackersThreats to InformationAccidents & DisastersEmployees & ConsultantsBusiness PartnershipsOutside AttackersViruses & SpywareDirect attacks & ScriptsVirus hiding in e-mail or Web site.Security CategoriesLogicalUnauthorized disclosureUnauthorized modificationUnauthorized withholding, Denial of ServiceConfidentiality, Integrity, Accessibility (CIA)Physical attack & disastersBackup--off-sitePhysical facilitiesCold/Shell siteHot siteDisaster testsPersonal computersContinuous backupBehavioralUsers give away passwordsUsers can make mistakesEmployees can go badRobert Morris--1989Graduate StudentUnix “Worm”Internet--tied up for 3 daysClifford Stoll--1989The Cuckoo’s EggBerkeley LabsUnix--account not balanceMonitor, false informationTrack to East German spy: Marcus HessOld TechniquesSalami sliceBank deposit slipsTrojan HorseVirusSecurity Pacific--Oct. 1978Stanley Mark RifkinElectronic Funds Transfer$10.2 millionSwitzerlandSoviet DiamondsCame back to U.S.Hacker/youngster: SeattlePhysically stole some computers and was arrestedSentenced to prison, scheduled to begin in 2 monthsDecides to hack the computer system and change sentence to probationHacks Boeing computers to launch attack on court houseMistakenly attacks Federal court instead of State courtGets caught again, causes $75,000 damages at BoeingHorror StoriesMore Horror StoriesTJ Max (TJX) 2007A hacker gained access to the retailer’s transaction system and stole credit card data on millions of customers.The hacker gained access to unencrypted card data.The hacker most likely also had obtained the decryption key.TJX was sued by dozens of banks for the costs incurred in replacing the stolen cards.(2011) Hackers were arrested and sentenced. One (Albert Gonzalez) had been working as a “consultant” to federal law enforcement.Alaska State Fund 2007Technician accidentally deleted Alaska oil-revenue dividend data file.And deleted all backups.70 people worked overtime for 6 weeks to re-enter the data at a cost of $220,000.Terry Childs, San Francisco Network EngineerIn 2008 refused to tell anyone the administrative passwords for the city networkThe networks remained running, but could not be monitored or altered.He eventually gave them to the Mayor, but was convicted.NY TimesRolling StonesGovt TechDisaster Planning (older)Backup dataRecovery facilityA detailed planTest the planBusiness/OperationsNetworkBackup/Safe storageRecovery FacilityMIS EmployeesData Backup (in-house/old style)Offsite backups are critical.Frequent backups enable you to recover from disasters and mistakes.Use the network to back up PC data.Use duplicate mirrored servers for extreme reliability.UPSPower companyDiesel generatorDisaster Planning (continuous)How long can company survive without computers?Backup is criticalOffsite backup is criticalLevelsRAID (multiple drives)Real time replicationScheduled backups and versionsNot just data but processingOffsite, duplicate facilitiesCloud computingStill challenges with personal computer dataContinuous BackupServer cluster with built-in redundancyStorage area network with redundancy and RAIDOff-site or cloud computing processing and dataUsers connect to the serversUse both sites continuously or switch DNS entries to transfer users in a disaster.Secure Internet connectionThreats to UsersAttacker takes over computerVirus/TrojanPhishingUnpatched computer/known holesIntercepted wireless dataBad outcomesLost passwords, impersonation, lost moneyStolen credit cards, lost moneyZombie machine, attacks othersCommits crimes blamed on youAttachment01 23 05 06 77 033A 7F 3C 5D 83 9419 2C 2E A2 87 6202 8E FA EA 12 7954 29 3F 4F 73 9F1231. User opens an attached program that contains hidden virus2. Virus copies itself into other programs on the computer3. Virus spreads to other files and other computers.Virus codeVirus/Trojan HorseFrom: afriendTo: victimMessage: Open the attachment for some excitement. PasswordCredit cardPasswordCapture keystrokeshackerSpywareViruses used to delete your files. Now they become spyware and steal your data, passwords, and credit cards.Stopping a Virus/Trojan HorseBackup your data!Never run applications unless you are certain they are safe.Never open executable attachments sent over the Internet--regardless of who mailed them.Antivirus softwareScans every file looking for known bad signaturesNeeds constant updatingRarely catches current virusesCan interfere with other programsCan be expensiveCan usually remove a known virusPhishing: Fake Web SitesBank account is overdrawn. Please click here to log in.E-mailReally good fake of your bank’s Web site.You are tired and click the link and enter username/password.UsernamePasswordSent to hackerwho steals your money.Avoiding Phishing AttacksNever give your login username and password to anyone. Systems people do not need it.Be extremely cautious about bank sites and avoid clicking any links that are sent by e-mail.Always double-check the URL of the site and the browser security settings.Two-step Process often used by BanksUsernameReal bank siteURLSecurity indicatorsImage or phrase you created earlierPassword:After checking the URL, security indicators, and the image or phrase you entered when you opened the account, it is safe to enter your password.PasswordPatching SoftwaretimeResearchers find bugVendor announces patchHacker attacks your computer when you go to a Web siteYou should update immediatelyZero-day attack.Hacker finds bug/hole first.Everyone is vulnerable.Unpatched Computer/Known HolesResearchers and vendors find bugs in programs.Vendors fix the programs and release updates.Bugs enable attackers to create files and Web sites that overwrite memory and let them take over a computer. Even with images and PDF files.Attackers learn about holes and write scripts that automatically search for unpatched computers.Thousands of people run these scripts against every computer they can find on the Internet.Someone takes over your computer.You forget to update your computer. 2008, SFGate, 95% of computers need updates (online)2011, RSA/Computerworld, 80% of browsers need updates (online)Update Your SoftwareO/S: Microsoft (and Apple)Set security system to auto-update.But laptops are often turned off.Microsoft “patch Tuesday” so manually check on Wednesday or Thursday.BrowsersSome patched with operating system.Others use Help/About.Check add-ins: Java, Flash, Acrobat, ApplicationsCheck with vendor Web site.Try Help/About.Monitor your network usage.Botnet software and viruses can flood your network.Slowing down traffic.Exceeding your Internet data caps.Internet Data TransmissionStartDestinationEavesdropperIntermediate RoutersIntercepted Wireless CommunicationsHacker installs software to capture all data traffic on the wireless network. (e.g., Firesheep)Most passwords are encrypted and are safe.Browser cookies from the server are rarely encrypted and can be captured to impersonate you on your Web service accounts.Protect Wireless TransmissionsNever use public wireless for anything other than simple Web surfing?Use virtual private network (VPN) software which encrypts all transmissions from your computer to their server?Encourage Web sites to encrypt all transmissions?Most options have drawbacks today (2011).Warning: Firesheep is extremely easy to use and it is highly likely someone is running it on any public network you use.Eventually, it is likely that all Internet connections will have to use end-to-end encryption for all communication. (Which is the point of the author of Firesheep.)Common Web Encryption: Login onlyInitial page, encryption keysUsername/password(encrypted)Cookie/identifier(Not encrypted)Session and additional pages not encrypted. With unencrypted cookie/identifier.UserServerInterceptedEavesdropperhackerHijacked sessionFundamental Issue: User IdentificationPasswordsDial up service found 30% of people used same wordPeople choose obviousPost-It notesHintsDon’t use real wordsDon’t use personal namesInclude non-alphabeticChange oftenUse at least 8 charactersDon’t use the same password everywhere But then you cannot remember the passwords!Alternatives: BiometricsFinger/hand printVoice recognitionRetina/blood vesselsIris scannerDNA ?Password generator cardsCommentsDon’t have to rememberReasonably accuratePrice is droppingNothing is perfectBad PasswordsSome hackers have released stolen and cracked password files. Analysis reveals the most common passwords—which are also in a list used by hackers. Do not use these as your password! Example source: Ashlee Vance, “If Your Password Is 123456, Just Make It HackMe,” The New York Times, January 20, 2010.12345612345123456789passwordiloveyouprincessrockyou123456712345678abc123nicoledanielbabygirlmonkeyjessicalovelymichaelashley654321qwertyIloveumichelle1111110Tiggerpassword1sunshinechocolateanthonyAngelFRIENDSsoccerIris Scan patents by JOHN DAUGMAN 1994 methods exist to identify a person based on biological characteristics. Common techniques include fingerprint, handprint readers, and retinal scanners. More exotic devices include body shape sensors and this thermal facial reader which uses infrared imaging to identify the user.Biometrics: ThermalLack of Biometric StandardsBiometrics can be used for local logins.Which can be used within a company.But, no standards exist for sharing biometric data or using them on Web sites.And do you really want every minor Web site to store your biometric fingerprints?Access Controls: Permissions in WindowsFind the folder or directory in explorer.Right-click to set properties.On the Security tab,assign permissions.Security ControlsAccess ControlOwnership of dataRead, Write, Execute, Delete, Change Permission, Take OwnershipSecurity MonitoringAccess logsViolationsLock-outsSingle sign-onUser loginSecurity ServerKerberosRADIUSRequest accessWeb serverDatabaseRequest accessvalidatevalidateEncryption: Single KeyEncrypt and decrypt with the same keyHow do you get the key safely to the other party?What if there are many people involved?Fast encryption and decryptionDES - old and falls to brute force attacksTriple DES - old but slightly harder to break with brute force.AES - new standardPlain textmessageEncryptedtextKey: 9837362Key: 9837362AESEncryptedtextPlain textmessageAESSingle key: e.g., AESAliceBobMessagePublic KeysAlice 29Bob 17MessageEncryptedPrivate Key13Private Key37UseBob’sPublic keyUseBob’sPrivate keyAlice sends message to Bob that only he can read.Encryption: Dual KeyAliceBobPublic KeysAlice 29Bob 17Private Key13Private Key37UseBob’sPublic keyUseBob’sPrivate keyAlice sends a message to Bob Her private key guarantees it came from her. His public key prevents anyone else from reading message.MessageMessageUseAlice’sPublic keyUseAlice’sPrivate keyTransmissionDual Key: AuthenticationMessage+AMessage+A+BMessage+BCertificate AuthorityPublic keyImposter could sign up for a public key.Need trusted organization.Several public companies, with no regulation.Verisign mistakenly issued a certificate to an imposter claiming to work for Microsoft in 2001.Browser has list of trusted root authorities.AlicePublic KeysAlice 29Bob 17How does Bob know that it is really Alice’s key?Trust the C.A.C.A. validate applicantsEveEve could impersonate Alice to obtain a digital key and send false messages that seem to come from Alice.Encryption SummaryEncryption prevents people from reading or changing data.Dual-key encryption can be used to digitally sign documents and authenticate users.Encryption does not solve all problems.Data can still be deleted.Hackers might get data while it is unencrypted.People can lose or withhold keys or passwords.Brute force can decrypt data with enough processing power.Difficult if the keys are long enough.But computers keep getting faster.Connecting a few million together is massive time reduction.Quantum computing if developed could crack existing encryption methods.Encrypted conversationEscrow keysClipper chipin phonesInterceptDecrypted conversationJudicial orgovernment officeClipper Chip: Key EscrowAdditional ControlsAuditsMonitoringBackground checks: (bought ChoicePoint) lexis nexis) Computer ForensicsOriginal driveExact copyWrite blocker:Physically prevent data from being altered on the original drive.Software:Verify copy.Tag/identify files.Scan for key words.Recover deleted files.Identify photos.Attempt to decrypt files.Time sequenceBrowser historyFile activityLogsSecuring E-Commerce Servershttps://www.pcisecuritystandards.org/ Install and maintain a firewall configuration to protect cardholder data.Do not use vendor-supplied defaults for passwords.Protect stored cardholder data.Encrypt transmission of cardholder data across open, public networks.Use and regularly update anti-virus software.Develop and maintain secure systems and applications.Restrict access to cardholder data by business need to know.Assign a unique id to each person with computer access.Restrict physical access to cardholder data.Track and monitor all access to network resources and cardholder data.Regularly test security systems and processes.Maintain a policy that addresses information security.Internet FirewallCompany PCsInternal company data serversInternetFirewall routerFirewall routerExamines each packet and discards some types of requests.Keeps local data from going to Web servers.Firewalls: RulesIP source addressIP destination addressPort source and destinationProtocol (TCP, UDP, ICMP)Allowed packetsRules based on packet attributesAllow: all IP source, Port 80 (Web server)Disallow: Port 25 (e-mail), all destinations except e-mail server.Internet by default allows almost all traffic.Firewalls usually configured to block all traffic, and allow only connections to specific servers assigned to individual tasks.Intrusion Detection System (IDS)Intrusion Prevention System (IPS)IDS/IPSCompany PCsCollect packet info from everywhereAnalyze packet data in real time.Rules to evaluate potential threats.IPS: Reconfigure firewalls to block IP addresses evaluated as threats.Denial Of ServiceZombie PCs at homes, schools, and businesses. Weak security.Break in.Flood program.Coordinated flood attack.Targeted server.Denial of Service ActionsHard for an individual company to stop DoSCan add servers and bandwidth.Use distributed cloud (e.g., Amazon EC2)But servers and bandwidth cost moneyPush ISPs to monitor client computersAt one time, asked them to block some users.Increasingly, ISPs impose data caps—so users have a financial incentive to keep their computers clean.Microsoft Windows has anti-spyware tools to remove some of the known big threats.Cloud Computing and SecurityCloud providers can afford to hire security experts.Distributed servers and databases provide real-time continuous backup.Web-based applications might need increased use of encryption.But, if you want ultimate security, you would have to run your own cloud.PrivacyTradeoff between security and privacySecurity requires the ability to track many activities and users.People want to be secure but they also do not want every company (or government agency) prying into their livesBusinesses have an obligation to keep data confidentialMore details in Chapter 14Technology Toolbox: Security PermissionsIf Windows XP, Tools/Folder Options, Advanced, uncheck “Use simple file sharing”Create groups and users (or pull from network definitions when available)Start menu/All Programs/Administrative Tools/Computer Management or Start/Run: compmgmt.msc /sAdd users and groupsFind folder, right-click, Sharing and Security, Permissions, remove “Everyone,” Add the new group with Read permissionQuick Quiz: Assigning Security Permissions1. Why is it important to define groups of users?2. Why is it important to delete this test group and users when you are finished?Technology Toolbox: Encrypting FilesMicrosoft Office: Save with a Password: File/Info/Save with Password. Single key.Install security certificates to encrypt e-mail (challenging).Laptop and USB drives: Windows 7: BitLocker complete encryption. Best if the computer has a TPM: Trusted Platform Module to hold the encryption keys.Quick Quiz: Encryption1. Why would a business want to use encryption?2. When would it be useful to set up dual-key encryption for e-mail?3. In a typical company, which drives should use drive-level encryption?Cases: Professional SportsFootballBasketballBaseballHow do you keep data secure?Imagine the problems if one team steals playbook data from another.