Document

advertisement
MANAGING IT
SYSTEMS
Top Things to
Keep in Mind to
Protect Yourself
and Others
1. Passwords are one of the WORST
forms of security
• Your password can be easily guessed or found.
• Biometrics is one of the best forms of
authentication.
–
Biometrics – the identification of a user based on a
physical characteristic
• Finger prints
• Iris/Retinal scan
Hand prints
Voice prints
Appearance of your face
– It may be expensive and intrusive (some feel this way) ,
but it is worth it.
2. Privacy of Your Customers
• If you gather or store information about someone, you
have the RESPONSIBILITY and OBLIGATION to
protect that information from misuse and abuse.
• You also have the obligation to ensure that it is
accurate, especially because that information may be
used to make decisions that may affect someone (deny
them something they should get or give them something they shouldn’t get)
• If confidentiality was assumed, others (customers,
partners, suppliers) may not trust your business.
• Pizza Video
3. Use of Copyrighted Software
• When you buy software, you are purchasing a license
to use it. In a legal sense, you don’t own the software.
You just have a right to use it.
You MUST have one copy of the software or one site license
for each machine that is running a particular piece of
software.
• In the US, you may always make one copy of copyrighted software to keep for
backup purposes—remember, when you buy copyrighted software, you are
paying for the right to use it: that’s all.
• Software Piracy: the unauthorized use, duplication, distribution, or sale of
copyrighted software
– Did you buy the software or did a friend simply allow you to install a copy on your
machine as well?
Video
– Software Publisher’s Association: The Software Police
– Most common type of computer crime. In some parts of the world, more than 90% of
business software is thought to be pirated.
4. While you should be concerned
about hackers, they are not your
primary concern.
• 38% of security incidents originate within the
organization (Employees are the concern)
– Insiders: legitimate users who purposely or
accidentally misuse their access (fraud, embezzlement, harassment)
– Social engineering: using one’s social skills to trick
people into revealing access credentials or other
information
• Many people freely give up their passwords or write them on
sticky notes next to their computers, leaving the door wide open
to intruders
• Protect company assets during employee
departures
http://video.techrepublic.com.com/2422-14075_11-295937.html
• Protect your personal privacy at work
http://video.techrepublic.com.com/2422-14075_11-301228.html
5. Protect Your Identity
• A common way to steal identities online is called
phishing.
– Phishing: a technique used to con people into supplying
personal information
– Watch Bob Video
• One way is to send out a “legitimate-looking email
message, asking you to verify important information.
Because it looks legitimate, you respond.
• A newer technique is to send an email message to you
asking you to click on a link to a web site, where you will
then supply personal information
http://www.identitytheftsecrets.com/videos/wamu.html
6. Ways Organizations Can Protect
Themselves
• Use content filtering software to:
– Filter email and prevent sensitive info from being
transmitted outside the organization.
– Filter for spam.
– Filter for viruses (anti-virus software)
– Block user access to certain web sites.
• Encrypt data so that someone can’t read it if it is
intercepted/stolen (can only be read if someone has the
encryption key).
– Data transmitted wirelessly is EXTREMELY vulnerable and needs to
be encrypted.
– Out in the Open Video
FIREWALLS
•
One of the most common defenses for
preventing a security breach is a firewall
–
Firewall – hardware and/or software that guards a
private network by analyzing the information
leaving and entering the network
–
Firewall software also provides basic protection to
computers where it is installed
•
Basic firewall software incorporated into recent versions
of Windows and Mac.
FIREWALLS
•
Sample firewall architecture connecting
systems located in Chicago, New York, and
Boston
Notice the placement of the firewalls
between the servers and the Internet
7. You can be monitored at work
• Why does monitoring happen?
– Your employer pays you money to do a job.
– To ensure appropriate behavior on the job.
– To avoid litigation for employee misconduct
• Employers can/do monitor
– The email you send and receive using company
resources.
– Screen capture programs
– Key logger (key trapper) software to capture your
keystrokes and/or mouse clicks
Ways You Can Be Monitored
• Cookie files can be used to track your movements on the
Internet.
– A small record deposited on your hard drive by a web site
containing information about you and your web activities.
• Web logs are also created, consisting of one line for every
visitor to a web site. Contains identifying info such as your
IP address and your Clickstream. Stored on a web server.
• Clickstream – records information about you during a web
surfing session, such as what sites you visited, how long
you were there, what ads you looked at, what you bought,
and what links that you clicked on.
• Cell phone calls, satellite transmissions, and email can all be
monitored.
Ways You Can Be Monitored
• Adware - software to generate ads that installs itself
on your computer when you download some other
(usually free) program from the Web.
Adware
• Spyware (also called
sneakware or stealthware)software that comes hidden in
free downloadable software and
tracks your online movements,
mines the information stored
on your computer, or uses your
computer’s CPU and storage
for some task you know
nothing about.
E-Mail: Hardly Private
• Each e-mail you send results in at least 3 or 4 copies being
stored on different computers as it travels from sender to
recipient (it may even be backed up several times as well)
Federal law permits employers to monitor all email sent and
received by employees. Deleted email can be retrieved.
“The email I receive is personal”
vs “Protecting the Company”
• Companies are liable for the email that is sent using
their systems. They are also liable for the email they
store.
– Chevron Corporation and Microsoft settled sexual
harassment lawsuits for $2.2 million each because
employees sent offensive email to other employees and
management did not intervene.
– The Microsoft Antitrust Trial
– People write things in email that they would never say in
public. Offensive remarks can leave a company
defenseless.
– Company time and equipment are being used
Employee Monitoring (image is link to web site
PRIVACY
• Privacy – the right to be left alone and not to be
observed without your consent
• Your actions can be monitored
– Key logger (key trapper) software & hardware –
capture keystrokes and mouse clicks. Can be installed
by a hacker or even your employer.
– Screen capture programs – capture screen from video
card: periodically take a snapshot of what is on the
screen
– E-mail is completely insecure.
Privacy and Employees
• Companies need information about their employees
to run their business effectively
• As of March 2005, 60% of employers monitored
employee e-mails
– 70% of Web traffic occurs during work hours
– 78% of employers reported employee Internet abuse
– 60% employees admitted abusing Internet privileges at
work.
• Since misuse of company resources has become so
widespread, employers are tightening their policies
on the use of company computers, e-mail, and
Internet access
Privacy and Employees
• Cyberslacking – misuse of company resources
• Visiting inappropriate sites or sites not related to the work
that is being performed
• Gaming, chatting, stock trading, etc.
• Example of cost of misuse
– Watching an online fashion show uses as much bandwidth as
downloading the entire Encyclopedia Britannica: tied up
telecommunications lines for many companies at 3pm one
afternoon a few years ago.
• Reasons for monitoring
– Ensure appropriate behavior on the job
– Avoid litigation for employee misconduct
So, what can
organizations do
to protect
themselves?
Information Security
• Information security – a broad term
encompassing the protection of information from
accidental or intentional misuse by persons
inside or outside an organization
• Lines of Defense
– First Line of Defense: People
– Second Line of Defense: Technology
The First Line of Defense - People
• The biggest issue surrounding information security
is not a technical issue, but a people issue
• 38% of security incidents originate within the
organization
The Second Line of Defense Technology
•
Three primary information security areas
1. Authentication and authorization
2. Prevention and resistance
3. Detection and response
AUTHENTICATION AND
AUTHORIZATION
•
Authentication – a method for confirming users’
identities
•
Authorization – the process of giving someone
permission to do or have something
•
The most secure type of authentication involves a
combination of the following:
1. Something the user knows such as a user ID and password
2. Something the user has such as a smart card or token
3. Something that is part of the user such as a fingerprint or
voice signature: biometrics
Something the User Knows such
as a User ID and Password
•
User ID and passwords are the most common
way to identify individual users, and are the
most ineffective form of authentication
– Passwords are considered the WORST form of computer
security.
– Sometimes id numbers and passwords can be guessed by just
randomly trying different combinations.
– Over 50 percent of help-desk calls are password related
– Password Sniffer
• A small program hidden in a network or a computer system that
records identification numbers and passwords.
Something the User Has such as a
Smart Card or Token
•
Smart cards and tokens are more effective than a
user ID and a password
–
Token – small electronic devices that change user
passwords automatically
•
–
You enter in your user id and then pull out the token to see
what the new password is.
Smart card – a device that is around the same size as a
credit card, containing embedded technologies that can
store information and small amounts of software to
perform some limited processing. Having the card
serves as your identification (may even be used like RFID).
Something That Is Part of the User such
as a Fingerprint or Voice Signature
•
This is by far the best and most effective way to
manage authentication
–
Biometrics – the identification of a user based on a
physical characteristic
• Finger prints
• Iris/Retinal scan
•
Hand prints
Voice prints
Appearance of your face
Unfortunately, this method can be costly and
intrusive
–
–
Eye scans are expensive and people consider them intrusive.
Finger prints are cheaper and less intrusive, but also not 100%
accurate.
DETECTION AND RESPONSE
•
If prevention and resistance strategies fail and there is
a security breach, an organization can use detection
and response technologies to mitigate the damage
•
Antivirus software is the most common type of
detection and response technology
•
Intrusion Detection software (IDS) searches for
patterns in network traffic to indicate attacks
(compares current network traffic against a “listing”
of attack characteristics.
–
Looks for people on the network who shouldn’t be there or
who are acting suspiciously.
Hackers: people very knowledgeable about computers
who use their knowledge to invade other people’s computers
•
White-hat hacker: work at the request of system owners to find
system vulnerabilities and plug the holes. Ethical hackers
•
Black-hat hacker: break into other people’s computer systems and
may just look around or may steal and destroy information
•
Hactivist: have philosophical and political reasons for breaking into
systems. Will often deface a Web site as a political protest.
•
Script kiddies/script bunnies: Wanabe hackers. Have downloaded a
program that does all the hacking for them. Don’t have much
technical expertise. Often used as a shield by the “real” hackers.
•
Cracker: criminal hacker-a hacker with criminal intent
•
Cyberterrorist: seek to cause harm to people, destroy critical
systems or info and use the Internet as a weapon of mass destruction
Virus - software written with malicious intent to cause
annoyance or damage
•
Worm: a type of virus that spreads itself via email from computer to
computer. The primary difference between a virus and a worm is
that a virus must attach to something, such as an executable file, in
order to spread. Worms do not need to attach to anything to spread
and can tunnel themselves into computers.
•
Denial-of-service attack (DoS) flood a Web site with so many
requests for service that it slows down or crashes. Quite often,
multiple computers are used in DoS attacks.
•
Trojan-horse virus: something you don’t want hidden inside
something you do want.
•
Backdoor program: viruses that open a way into the network for
future attacks
•
Polymorphic virus and worm: change their form as they
propagate/spread
The Love Bug
• Starts working
immediately:
– It uses your address
book to email itself to
others.
– It destroys files
• .mp3 music files,
.jpg picture files,
.doc Word files,
.xls Excel files,
.wav sound files,
.html files
– It can also change
your IE start page
SoBig Virus
•
•
•
•
Arrived as e-mail attachment
Searched hard disk for e-mail addresses
Sent out huge numbers of useless e-mails
At its height, SoBig constituted 1 in 17 e-mails
worldwide
Slammer Worm
• Flooded the victim server to fill the buffer
• Sent out 55 million bursts of information per second
• Found all vulnerable servers in 10 minutes
Denial-of-Service Attacks
• Denial-of-service
(DoS) attacks flood a Web site
with so many
requests for
service that it
slows down or
crashes. Quite
often, multiple
computers are
used in DoS
attacks.
Security threats to e-business include:
• Elevation of privilege: a process by which a user misleads a system
into granting unauthorized rights, usually for the purpose of
compromising or destroying the system. For example, an attacker
might log on to a network by using a guest account, and then exploit a
weakness in the software that lets the attacker change the guest
privileges to administrative privileges.
• Hoaxes attack computer systems by transmitting a virus hoax, with a
real virus attached. By masking the attack in a seemingly legitimate
message, unsuspecting users more readily distribute the message and
send the attack on to their co-workers and friends, infecting many
users along the way.
• Malicious code includes a variety of threats such as viruses, worms,
and Trojan horses
• Spoofing is the forging of the return address on an e-mail so that the
e-mail message appears to come from someone other than the actual
sender. This is not a virus but rather a way by which virus authors
conceal their identities as they send out viruses.
Security threats to e-business include:
• Spyware is software that comes hidden in free downloadable software
and tracks online movements, mines the information stored on a
computer, or uses a computer’s CPU and storage for some task the
user knows nothing about. In a recent study, 91% of the participants
had spyware on their computers that can cause extremely slow
performance, excessive pop-up ads, or hijacked home pages.
• A sniffer is a program or device that can monitor data traveling over a
network. Sniffers can show all the data being transmitted over a
network, including passwords and sensitive information. Sniffers tend
to be a favorite weapon in the hacker’s arsenal.
• Packet tampering consists of altering the contents of packets as the
travel over the Internet or altering data on computer disks after
penetrating a network. For example, an attacker might place a tap on a
network line to intercept packets as they leave the computer. The
attacker could eavesdrop or alter the information as it leaves the
network.
Download