Managing IT Systems

Top Things to
Keep in Mind to
Protect Yourself
and Others
1. P
are one of the
forms of security
• Your password can be easily guessed or found.
• B
is one of the best forms
of authentication.
Biometrics – the
• Finger prints
• Iris/Retinal scan
Hand prints
Voice prints
Appearance of your face
– It may be expensive and intrusive (some feel this way) ,
but it is worth it.
2. Privacy of Your Customers
• If you gather or store information about someone, you have
• You also have the obligation to ensure that it is
especially because that information may be
used to make decisions that may affect someone (deny them
something they should get or give them something they shouldn’t get)
• If confidentiality was assumed, others (customers, partners,
suppliers) may not trust your business.
• Pizza Video
3. Use of Copyrighted Software
• When you buy software, you are purchasing a license to
use it. In a legal sense, you
. You
just have a right to
You MUST have
of the software or
for each machine that is running a
particular piece of software.
• In the US, you may always make one copy of copyrighted software to keep for
backup purposes—remember, when you buy copyrighted software, you are
paying for the right to use it: that’s all.
• Software Piracy: the unauthorized use, duplication, distribution, or sale of
copyrighted software
– Did you buy the software or did a friend simply allow you to install a copy on your machine
as well?
– Software Publisher’s Association: The Software Police
– Most common type of computer crime. In some parts of the world, more than 90% of
business software is thought to be pirated.
4. While you should be concerned
about hackers, they are not your
primary concern.
• 38% of security incidents originate
are the concern)
: legitimate users who purposely or
accidentally misuse their access (fraud, embezzlement, harassment)
: using one’s social skills
to trick people into revealing access credentials or
other information
• Many people freely give up their passwords or write them on
sticky notes next to their computers, leaving the door wide open
to intruders
• Protect company assets during employee
• Protect your personal privacy at work
5. Protect Your Identity
• A common way to steal identities online is called
– Phishing: a technique used to
– Watch Bob Video
• One way is to send out a “legitimate-looking email
message, asking you to
Because it looks legitimate, you respond.
• A newer technique is to send an email message to you
asking you to
, where you
will then supply personal information
6. Ways Organizations Can Protect
• Use
– Filter email and prevent sensitive info from being
transmitted outside the organization.
– Filter for spam.
– Filter for viruses (anti-virus software)
– Block user access to certain web sites.
• E
so that someone can’t read it if
it is intercepted/stolen (can only be read if someone has
the encryption key).
– Data transmitted wirelessly is
to be encrypted.
– Out in the Open Video
and needs
One of the most common defenses for
preventing a security breach is a
Firewall – hardware and/or software that guards a
private network by analyzing the information
leaving and entering the network
Firewall software also provides basic protection to
computers where it is installed
Basic firewall software incorporated into recent versions
of Windows and Mac.
Sample firewall architecture connecting
systems located in Chicago, New York, and
Notice the placement of the firewalls
7. You can be monitored at work
• Why does monitoring happen?
– Your employer pays you money to do a job.
– To ensure appropriate behavior on the job.
– To avoid litigation for employee misconduct
• Employers can/do monitor
– The
company resources.
– Key logger (key trapper) software to
Ways You Can Be Monitored
• C
movements on the Internet.
can be used to track your
– A small record deposited on your hard drive by a web site
containing information about you and your web activities.
• W
are also created, consisting of one line for every
visitor to a web site. Contains identifying info such as your
and your
. Stored on a web server.
• Clickstream – records
, such as what sites you
visited, how long you were there, what ads you looked at,
what you bought, and what links that you clicked on.
• Cell phone calls, satellite transmissions, and email can all be
Ways You Can Be Monitored
• Adware - software to generate ads that installs itself
on your computer when you download some other
(usually free) program from the Web.
• Spyware (also called
sneakware or stealthware)software that comes hidden in
free downloadable software and
tracks your online movements,
mines the information stored
on your computer, or uses your
computer’s CPU and storage
for some task you know
nothing about.
E-Mail: Hardly Private
• Each e-mail you send results in at
as it travels from sender to
recipient (it may even be backed up several times as well)
Federal law permits employers to monitor all email sent and
received by employees. Deleted email can be retrieved.
“The email I receive is personal”
vs “Protecting the Company”
• Companies
for the email that
using their systems. They are also
liable for the email
– Chevron Corporation and Microsoft settled sexual
harassment lawsuits for $2.2 million each because
employees sent offensive email to other employees and
management did not intervene.
– The Microsoft Antitrust Trial
– People write things in email that they would never say in
public. Offensive remarks can leave a company
– Company time and equipment are being used
Employee Monitoring (image is link to web site
• Privacy – the right to be left alone and not to be
observed without your consent
• Your actions can be monitored
– Key logger (key trapper) software & hardware –
capture keystrokes and mouse clicks. Can be installed
by a hacker or even your employer.
– Screen capture programs – capture screen from video
card: periodically take a snapshot of what is on the
– E-mail is completely insecure.
Privacy and Employees
• Companies need information about their employees
to run their business effectively
• As of March 2005, 60% of employers monitored
employee e-mails
– 70% of Web traffic occurs during work hours
– 78% of employers reported employee Internet abuse
– 60% employees admitted abusing Internet privileges at
• Since misuse of company resources has become so
widespread, employers are tightening their policies
on the use of company computers, e-mail, and
Internet access
Privacy and Employees
• Cyberslacking – misuse of company resources
• Visiting inappropriate sites or sites not related to the work
that is being performed
• Gaming, chatting, stock trading, etc.
• Example of cost of misuse
– Watching an online fashion show uses as much bandwidth as
downloading the entire Encyclopedia Britannica: tied up
telecommunications lines for many companies at 3pm one
afternoon a few years ago.
• Reasons for monitoring
– Ensure appropriate behavior on the job
– Avoid litigation for employee misconduct
So, what can
organizations do
to protect
Information Security
• Information security – a broad term
encompassing the protection of information from
accidental or intentional misuse by persons
inside or outside an organization
• Lines of Defense
– First Line of Defense:
– Second Line of Defense:
The First Line of Defense - People
• The biggest issue surrounding information security
is not a technical issue, but a people issue
of security incidents originate
The Second Line of Defense Technology
Three primary information security areas
1. Authentication and authorization
2. Prevention and resistance
3. Detection and response
Authentication – a method for confirming users’
Authorization – the process of giving someone
permission to do or have something
The most secure type of authentication involves a
combination of the following:
1. Something the user knows such as a user ID and password
2. Something the user has such as a smart card or token
3. Something that is part of the user such as a fingerprint or
voice signature: biometrics
Something the User Knows such
as a User ID and Password
User ID and passwords are the most common
way to identify individual users, and are the
most ineffective form of authentication
– Passwords are considered the WORST form of computer
– Sometimes id numbers and passwords can be guessed by just
randomly trying different combinations.
– Over 50 percent of help-desk calls are password related
– Password Sniffer
• A small program hidden in a network or a computer system that
records identification numbers and passwords.
Something the User Has such as a
Smart Card or Token
Smart cards and tokens are more effective than a
user ID and a password
Token – small electronic devices that change user
passwords automatically
You enter in your user id and then pull out the token to see
what the new password is.
Smart card – a device that is around the same size as a
credit card, containing embedded technologies that can
store information and small amounts of software to
perform some limited processing. Having the card
serves as your identification (may even be used like RFID).
Something That Is Part of the User such
as a Fingerprint or Voice Signature
This is by far the best and most effective way to
manage authentication
Biometrics – the identification of a user based on a
physical characteristic
• Finger prints
• Iris/Retinal scan
Hand prints
Voice prints
Appearance of your face
Unfortunately, this method can be costly and
Eye scans are expensive and people consider them intrusive.
Finger prints are cheaper and less intrusive, but also not 100%
If prevention and resistance strategies fail and there is
a security breach, an organization can use detection
and response technologies to mitigate the damage
Antivirus software is the most common type of
detection and response technology
Intrusion Detection software (IDS) searches for
patterns in network traffic to indicate attacks
(compares current network traffic against a “listing”
of attack characteristics.
Looks for people on the network who shouldn’t be there or
who are acting suspiciously.
Hackers: people very knowledgeable about computers
who use their knowledge to invade other people’s computers
White-hat hacker: work at the request of system owners to find
system vulnerabilities and plug the holes. Ethical hackers
Black-hat hacker: break into other people’s computer systems and
may just look around or may steal and destroy information
Hactivist: have philosophical and political reasons for breaking into
systems. Will often deface a Web site as a political protest.
Script kiddies/script bunnies: Wanabe hackers. Have downloaded a
program that does all the hacking for them. Don’t have much
technical expertise. Often used as a shield by the “real” hackers.
Cracker: criminal hacker-a hacker with criminal intent
Cyberterrorist: seek to cause harm to people, destroy critical
systems or info and use the Internet as a weapon of mass destruction
Virus - software written with malicious intent to cause
annoyance or damage
Worm: a type of virus that spreads itself via email from computer to
computer. The primary difference between a virus and a worm is
that a virus must attach to something, such as an executable file, in
order to spread. Worms do not need to attach to anything to spread
and can tunnel themselves into computers.
Denial-of-service attack (DoS) flood a Web site with so many
requests for service that it slows down or crashes. Quite often,
multiple computers are used in DoS attacks.
Trojan-horse virus: something you don’t want hidden inside
something you do want.
Backdoor program: viruses that open a way into the network for
future attacks
Polymorphic virus and worm: change their form as they
Security threats to e-business include:
• Elevation of privilege: a process by which a user misleads a system
into granting unauthorized rights, usually for the purpose of
compromising or destroying the system. For example, an attacker
might log on to a network by using a guest account, and then exploit a
weakness in the software that lets the attacker change the guest
privileges to administrative privileges.
• Hoaxes attack computer systems by transmitting a virus hoax, with a
real virus attached. By masking the attack in a seemingly legitimate
message, unsuspecting users more readily distribute the message and
send the attack on to their co-workers and friends, infecting many
users along the way.
• Malicious code includes a variety of threats such as viruses, worms,
and Trojan horses
• Spoofing is the forging of the return address on an e-mail so that the
e-mail message appears to come from someone other than the actual
sender. This is not a virus but rather a way by which virus authors
conceal their identities as they send out viruses.
Security threats to e-business include:
• Spyware is software that comes hidden in free downloadable software
and tracks online movements, mines the information stored on a
computer, or uses a computer’s CPU and storage for some task the
user knows nothing about. In a recent study, 91% of the participants
had spyware on their computers that can cause extremely slow
performance, excessive pop-up ads, or hijacked home pages.
• A sniffer is a program or device that can monitor data traveling over a
network. Sniffers can show all the data being transmitted over a
network, including passwords and sensitive information. Sniffers tend
to be a favorite weapon in the hacker’s arsenal.
• Packet tampering consists of altering the contents of packets as the
travel over the Internet or altering data on computer disks after
penetrating a network. For example, an attacker might place a tap on a
network line to intercept packets as they leave the computer. The
attacker could eavesdrop or alter the information as it leaves the
Denial-of-Service Attacks
• Denial-of-service
(DoS) attacks flood a Web site
with so many
requests for
service that it
slows down or
crashes. Quite
often, multiple
computers are
used in DoS
The Love Bug
• Starts working
– It uses your address
book to email itself to
– It destroys files
• .mp3 music files,
.jpg picture files,
.doc Word files,
.xls Excel files,
.wav sound files,
.html files
– It can also change
your IE start page
SoBig Virus
Arrived as e-mail attachment
Searched hard disk for e-mail addresses
Sent out huge numbers of useless e-mails
At its height, SoBig constituted 1 in 17 e-mails
Slammer Worm
• Flooded the victim server to fill the buffer
• Sent out 55 million bursts of information per second
• Found all vulnerable servers in 10 minutes
Issues Related to Global
Information Systems
A business can’t just worry about its homecountry laws, rules and regulations. If a business
has global operations, it must also take into
account the laws, rules and regulations of the
country (countries) where it conducts business.
• Businesses must have the appropriate levels of
authentication, access control, and encryption in
place, to ensure…
1. That only
individuals can gain access to the
2. That they have access to
for which they are
3. That information cannot be understood or altered while
in transit
• Deperimeterization - occurs when an
organization moves employees outside its
firewall, a growing movement to change the
way corporations address technology security
• Companies should focus on beefing up
security in
and an
organization's critical information assets
– Your technology can’t always sit behind a firewall.
End-users need to
Information Privacy
• Transborder data flows (TDF) occur when
business data flows across international
boundaries over the telecommunications
networks of global information systems
• Many countries view TDF as
– China, North Korea, Syria, Libya and others limit
Internet access.
– The
has some of the strictest
regulations regarding transborder data flows.
European Union Privacy Directives
• Any organization processing personal data of a person living in the EU must
comply with key principles:
Data must be fairly and lawfully processed
Processed for limited purposes
Adequate, relevant, and not excessive
than necessary
Processed in accordance with the data subject’s rights
Not transferred to countries without
In the European Union, you have the right to:
Know the
of personal data processing and the
of that processing.
Access and/or
in one’s own personal information.
Disallow the use of personal data (collected about you)
A “safe harbor” program has been created where US companies
their compliance with EU directives so that they can conduct business with EU
nations without worrying about being sued by EU citizens.