MANAGING IT SYSTEMS Top Things to Keep in Mind to Protect Yourself and Others 1. Passwords are one of the WORST forms of security • Your password can be easily guessed or found. • Biometrics is one of the best forms of authentication. – Biometrics – the identification of a user based on a physical characteristic • Finger prints • Iris/Retinal scan Hand prints Voice prints Appearance of your face – It may be expensive and intrusive (some feel this way) , but it is worth it. 2. Privacy of Your Customers • If you gather or store information about someone, you have the RESPONSIBILITY and OBLIGATION to protect that information from misuse and abuse. • You also have the obligation to ensure that it is accurate, especially because that information may be used to make decisions that may affect someone (deny them something they should get or give them something they shouldn’t get) • If confidentiality was assumed, others (customers, partners, suppliers) may not trust your business. • Pizza Video 3. Use of Copyrighted Software • When you buy software, you are purchasing a license to use it. In a legal sense, you don’t own the software. You just have a right to use it. You MUST have one copy of the software or one site license for each machine that is running a particular piece of software. • In the US, you may always make one copy of copyrighted software to keep for backup purposes—remember, when you buy copyrighted software, you are paying for the right to use it: that’s all. • Software Piracy: the unauthorized use, duplication, distribution, or sale of copyrighted software – Did you buy the software or did a friend simply allow you to install a copy on your machine as well? Video – Software Publisher’s Association: The Software Police – Most common type of computer crime. In some parts of the world, more than 90% of business software is thought to be pirated. 4. While you should be concerned about hackers, they are not your primary concern. • 38% of security incidents originate within the organization (Employees are the concern) – Insiders: legitimate users who purposely or accidentally misuse their access (fraud, embezzlement, harassment) – Social engineering: using one’s social skills to trick people into revealing access credentials or other information • Many people freely give up their passwords or write them on sticky notes next to their computers, leaving the door wide open to intruders • Protect company assets during employee departures http://video.techrepublic.com.com/2422-14075_11-295937.html • Protect your personal privacy at work http://video.techrepublic.com.com/2422-14075_11-301228.html 5. Protect Your Identity • A common way to steal identities online is called phishing. – Phishing: a technique used to con people into supplying personal information – Watch Bob Video • One way is to send out a “legitimate-looking email message, asking you to verify important information. Because it looks legitimate, you respond. • A newer technique is to send an email message to you asking you to click on a link to a web site, where you will then supply personal information http://www.identitytheftsecrets.com/videos/wamu.html 6. Ways Organizations Can Protect Themselves • Use content filtering software to: – Filter email and prevent sensitive info from being transmitted outside the organization. – Filter for spam. – Filter for viruses (anti-virus software) – Block user access to certain web sites. • Encrypt data so that someone can’t read it if it is intercepted/stolen (can only be read if someone has the encryption key). – Data transmitted wirelessly is EXTREMELY vulnerable and needs to be encrypted. – Out in the Open Video FIREWALLS • One of the most common defenses for preventing a security breach is a firewall – Firewall – hardware and/or software that guards a private network by analyzing the information leaving and entering the network – Firewall software also provides basic protection to computers where it is installed • Basic firewall software incorporated into recent versions of Windows and Mac. FIREWALLS • Sample firewall architecture connecting systems located in Chicago, New York, and Boston Notice the placement of the firewalls between the servers and the Internet 7. You can be monitored at work • Why does monitoring happen? – Your employer pays you money to do a job. – To ensure appropriate behavior on the job. – To avoid litigation for employee misconduct • Employers can/do monitor – The email you send and receive using company resources. – Screen capture programs – Key logger (key trapper) software to capture your keystrokes and/or mouse clicks Ways You Can Be Monitored • Cookie files can be used to track your movements on the Internet. – A small record deposited on your hard drive by a web site containing information about you and your web activities. • Web logs are also created, consisting of one line for every visitor to a web site. Contains identifying info such as your IP address and your Clickstream. Stored on a web server. • Clickstream – records information about you during a web surfing session, such as what sites you visited, how long you were there, what ads you looked at, what you bought, and what links that you clicked on. • Cell phone calls, satellite transmissions, and email can all be monitored. Ways You Can Be Monitored • Adware - software to generate ads that installs itself on your computer when you download some other (usually free) program from the Web. Adware • Spyware (also called sneakware or stealthware)software that comes hidden in free downloadable software and tracks your online movements, mines the information stored on your computer, or uses your computer’s CPU and storage for some task you know nothing about. E-Mail: Hardly Private • Each e-mail you send results in at least 3 or 4 copies being stored on different computers as it travels from sender to recipient (it may even be backed up several times as well) Federal law permits employers to monitor all email sent and received by employees. Deleted email can be retrieved. “The email I receive is personal” vs “Protecting the Company” • Companies are liable for the email that is sent using their systems. They are also liable for the email they store. – Chevron Corporation and Microsoft settled sexual harassment lawsuits for $2.2 million each because employees sent offensive email to other employees and management did not intervene. – The Microsoft Antitrust Trial – People write things in email that they would never say in public. Offensive remarks can leave a company defenseless. – Company time and equipment are being used Employee Monitoring (image is link to web site PRIVACY • Privacy – the right to be left alone and not to be observed without your consent • Your actions can be monitored – Key logger (key trapper) software & hardware – capture keystrokes and mouse clicks. Can be installed by a hacker or even your employer. – Screen capture programs – capture screen from video card: periodically take a snapshot of what is on the screen – E-mail is completely insecure. Privacy and Employees • Companies need information about their employees to run their business effectively • As of March 2005, 60% of employers monitored employee e-mails – 70% of Web traffic occurs during work hours – 78% of employers reported employee Internet abuse – 60% employees admitted abusing Internet privileges at work. • Since misuse of company resources has become so widespread, employers are tightening their policies on the use of company computers, e-mail, and Internet access Privacy and Employees • Cyberslacking – misuse of company resources • Visiting inappropriate sites or sites not related to the work that is being performed • Gaming, chatting, stock trading, etc. • Example of cost of misuse – Watching an online fashion show uses as much bandwidth as downloading the entire Encyclopedia Britannica: tied up telecommunications lines for many companies at 3pm one afternoon a few years ago. • Reasons for monitoring – Ensure appropriate behavior on the job – Avoid litigation for employee misconduct So, what can organizations do to protect themselves? Information Security • Information security – a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside an organization • Lines of Defense – First Line of Defense: People – Second Line of Defense: Technology The First Line of Defense - People • The biggest issue surrounding information security is not a technical issue, but a people issue • 38% of security incidents originate within the organization The Second Line of Defense Technology • Three primary information security areas 1. Authentication and authorization 2. Prevention and resistance 3. Detection and response AUTHENTICATION AND AUTHORIZATION • Authentication – a method for confirming users’ identities • Authorization – the process of giving someone permission to do or have something • The most secure type of authentication involves a combination of the following: 1. Something the user knows such as a user ID and password 2. Something the user has such as a smart card or token 3. Something that is part of the user such as a fingerprint or voice signature: biometrics Something the User Knows such as a User ID and Password • User ID and passwords are the most common way to identify individual users, and are the most ineffective form of authentication – Passwords are considered the WORST form of computer security. – Sometimes id numbers and passwords can be guessed by just randomly trying different combinations. – Over 50 percent of help-desk calls are password related – Password Sniffer • A small program hidden in a network or a computer system that records identification numbers and passwords. Something the User Has such as a Smart Card or Token • Smart cards and tokens are more effective than a user ID and a password – Token – small electronic devices that change user passwords automatically • – You enter in your user id and then pull out the token to see what the new password is. Smart card – a device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing. Having the card serves as your identification (may even be used like RFID). Something That Is Part of the User such as a Fingerprint or Voice Signature • This is by far the best and most effective way to manage authentication – Biometrics – the identification of a user based on a physical characteristic • Finger prints • Iris/Retinal scan • Hand prints Voice prints Appearance of your face Unfortunately, this method can be costly and intrusive – – Eye scans are expensive and people consider them intrusive. Finger prints are cheaper and less intrusive, but also not 100% accurate. DETECTION AND RESPONSE • If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage • Antivirus software is the most common type of detection and response technology • Intrusion Detection software (IDS) searches for patterns in network traffic to indicate attacks (compares current network traffic against a “listing” of attack characteristics. – Looks for people on the network who shouldn’t be there or who are acting suspiciously. Hackers: people very knowledgeable about computers who use their knowledge to invade other people’s computers • White-hat hacker: work at the request of system owners to find system vulnerabilities and plug the holes. Ethical hackers • Black-hat hacker: break into other people’s computer systems and may just look around or may steal and destroy information • Hactivist: have philosophical and political reasons for breaking into systems. Will often deface a Web site as a political protest. • Script kiddies/script bunnies: Wanabe hackers. Have downloaded a program that does all the hacking for them. Don’t have much technical expertise. Often used as a shield by the “real” hackers. • Cracker: criminal hacker-a hacker with criminal intent • Cyberterrorist: seek to cause harm to people, destroy critical systems or info and use the Internet as a weapon of mass destruction Virus - software written with malicious intent to cause annoyance or damage • Worm: a type of virus that spreads itself via email from computer to computer. The primary difference between a virus and a worm is that a virus must attach to something, such as an executable file, in order to spread. Worms do not need to attach to anything to spread and can tunnel themselves into computers. • Denial-of-service attack (DoS) flood a Web site with so many requests for service that it slows down or crashes. Quite often, multiple computers are used in DoS attacks. • Trojan-horse virus: something you don’t want hidden inside something you do want. • Backdoor program: viruses that open a way into the network for future attacks • Polymorphic virus and worm: change their form as they propagate/spread The Love Bug • Starts working immediately: – It uses your address book to email itself to others. – It destroys files • .mp3 music files, .jpg picture files, .doc Word files, .xls Excel files, .wav sound files, .html files – It can also change your IE start page SoBig Virus • • • • Arrived as e-mail attachment Searched hard disk for e-mail addresses Sent out huge numbers of useless e-mails At its height, SoBig constituted 1 in 17 e-mails worldwide Slammer Worm • Flooded the victim server to fill the buffer • Sent out 55 million bursts of information per second • Found all vulnerable servers in 10 minutes Denial-of-Service Attacks • Denial-of-service (DoS) attacks flood a Web site with so many requests for service that it slows down or crashes. Quite often, multiple computers are used in DoS attacks. Security threats to e-business include: • Elevation of privilege: a process by which a user misleads a system into granting unauthorized rights, usually for the purpose of compromising or destroying the system. For example, an attacker might log on to a network by using a guest account, and then exploit a weakness in the software that lets the attacker change the guest privileges to administrative privileges. • Hoaxes attack computer systems by transmitting a virus hoax, with a real virus attached. By masking the attack in a seemingly legitimate message, unsuspecting users more readily distribute the message and send the attack on to their co-workers and friends, infecting many users along the way. • Malicious code includes a variety of threats such as viruses, worms, and Trojan horses • Spoofing is the forging of the return address on an e-mail so that the e-mail message appears to come from someone other than the actual sender. This is not a virus but rather a way by which virus authors conceal their identities as they send out viruses. Security threats to e-business include: • Spyware is software that comes hidden in free downloadable software and tracks online movements, mines the information stored on a computer, or uses a computer’s CPU and storage for some task the user knows nothing about. In a recent study, 91% of the participants had spyware on their computers that can cause extremely slow performance, excessive pop-up ads, or hijacked home pages. • A sniffer is a program or device that can monitor data traveling over a network. Sniffers can show all the data being transmitted over a network, including passwords and sensitive information. Sniffers tend to be a favorite weapon in the hacker’s arsenal. • Packet tampering consists of altering the contents of packets as the travel over the Internet or altering data on computer disks after penetrating a network. For example, an attacker might place a tap on a network line to intercept packets as they leave the computer. The attacker could eavesdrop or alter the information as it leaves the network.