Introduction to MIS Chapter 4

Introduction to MIS
Chapter 4
Security, Privacy, Anonymity
Copyright © 1998-2002 by Jerry Post
Outline
Threats to Information
Physical Security and Disaster Planning
Logical Security and Data Protection
Virus Threats
User Identification and Biometrics
Access controls
Encryption and Authentication
Internet Security Issues
Privacy
Anonymity
Cases: Healthcare
Appendix: Server Security Certificates

Security, Privacy, and Anonymity
Server Attacks
The Internet
Data interception
Monitoring

Threats to Information
Accidents & Disasters
Employees & Consultants
Business Partnerships
Outsiders
Viruses
[Figure labels: Links to business partners; Outside hackers; Virus hiding in e-mail attachment; Employees & Consultants]

Security Categories
Physical attack & disasters: Backup--off-site; Cold/Shell site; Hot site; Disaster tests; Personal computers!
Logical: Unauthorized disclosure; Unauthorized modification; Unauthorized withholding (Denial of Service)

Horror Stories
Security Pacific--Oct. 1978: Stanley Mark Rifkin; Electronic Funds Transfer; $10.2 million; Switzerland; Soviet Diamonds; Came back to U.S.
Equity Funding--1973: The Impossible Dream; Stock Manipulation; Insurance; Loans; Fake computer records
Clifford Stoll--1989: The Cuckoo’s Egg; Berkeley Labs; Unix--account not balance; Monitor, false information; Track to East German spy
Robert Morris--1989: Graduate Student; Unix “Worm”; Internet--tied up for 3 days
Old Techniques: Salami slice; Bank deposit slips; Trojan Horse; Virus

Manual v Automated Data
Amount of data
Identification of users
Difficult to detect changes
Speed
Search
Copy
Statistical Inference
Communication Lines

Disaster Planning
SunGard is a premier provider of computer backup facilities and disaster planning services. Its fleet of Mobile Data Centers can be outfitted with a variety of distributed systems hardware and delivered at a disaster site within 48 hours.

Data Backup
Backup is critical
Offsite backup is critical
Levels: RAID (multiple drives); Real time replication; Scheduled backups

Data Backup
Use the network to back up PC data.
Use duplicate mirrored servers for extreme reliability.
Frequent backups enable you to recover from disasters and mistakes.
Offsite backups are critical.
[Figure labels: Power company; UPS]

Virus
From: afriend
To: victim
Message: Open the attachment for some excitement.
1. User opens an attached program that contains hidden virus
2. Virus copies itself into other programs on the computer
3. Virus spreads until a certain date, then it deletes files.
[Figure labels: Attachment; Virus code]

Virus Damage
Attacks (columns: 1991, 1996, 2000, 2001)
Viruses/Trojans/Worms: 62, 80, 80, 89
Attacks on Web servers: 24, 48
Denial of Service: 37, 39
Insider physical theft or damage of equipment: 49, 42
Insider electronic theft, destruction, or disclosure of data: 24, 22
Fraud: 13, 9
Dataquest, Inc; Computerworld 12/2/91
National Computer Security Association; Computerworld 5/6/96
http://www.info-ec.com/viruses/99/viruses_062299a_j.shtml
1999 virus costs in the U.S.: $7.6 billion.

Stopping a Virus
Back up your data!
Never run applications unless you are certain they are safe.
Never open executable attachments sent over the Internet--regardless of who mailed them.
Antivirus software: Needs constant updating; Rarely catches current viruses; Can interfere with other programs
Ultimately, viruses sent over the Internet can be traced back to the original source.

User Identification
Passwords: Dial up service found 30% of people used same word; People choose obvious; Post-It notes
Hints: Don’t use real words; Don’t use personal names; Include non-alphabetic; Change often; Use at least 6 characters
Alternatives: Biometrics (Finger/hand print; Voice recognition; Retina/blood vessels; Iris scanner; DNA ?)
Password generator cards
Comments: Don’t have to remember; Reasonably accurate; Price is dropping; Nothing is perfect

Iris Scan
http://www.iridiantech.com/questions/q2/features.html
EyePass™ System at Charlotte/Douglas International Airport.
http://www.eyeticket.com/eyepass/index.html
Algorithm patents by JOHN DAUGMAN 1994
http://www.cl.cam.ac.uk/~jgd1000/

Biometrics: Thermal
Several methods exist to identify a person based on biological characteristics. Common techniques include fingerprint, handprint readers, and retinal scanners. More exotic devices include body shape sensors and this thermal facial reader which uses infrared imaging to identify the user.

Access Controls: Permissions in Windows
Find the folder or directory in Explorer.
Right-click to set properties.
On the Security tab, assign permissions.

Security Controls
Access Control: Ownership of data; Read, Write, Execute, Delete, Change Permission, Take Ownership
Security Monitoring: Access logs; Violations; Lock-outs
Users and Resource/Files:
Accounting: Balance Sheet (Read/write); Marketing Forecast (Read)
Marketing: Balance Sheet (Read); Marketing Forecast (Read/Write)
Executive: Balance Sheet (Read); Marketing Forecast (Read)

Additional Controls
Audits
Monitoring
Background checks:
http://www.casebreakers.com/
http://www.knowx.com/
http://www.publicdata.com/

Encryption: Single Key
Encrypt and decrypt with the same key
How do you get the key safely to the other party?
What if there are many people involved?
Fast encryption and decryption
DES - old and falls to brute force attacks
Triple DES - old but slightly harder to break with brute force.
AES - new standard
[Figure: Plain text message -> AES (Key: 9837362) -> Encrypted text -> AES (Key: 9837362) -> Plain text message. Single key: e.g., AES]

Encryption: Dual Key
Alice sends message to Bob that only he can read.
[Figure: Message -> Alice (Private Key 13): Use Bob’s Public key -> Encrypted -> Bob (Private Key 37): Use Bob’s Private key -> Message. Public Keys: Alice 29, Bob 17]

Dual Key: Authentication
[Figure: Message -> Alice (Private Key 13): Use Alice’s Private key, Use Bob’s Public key -> Transmission (Encrypt+T+M; Encrypt+M; Encrypt+T) -> Bob (Private Key 37): Use Alice’s Public key, Use Bob’s Private key -> Message. Public Keys: Alice 29, Bob 17]
Bob sends message to Alice:
His key guarantees it came from him.
Her key prevents anyone else from reading message.
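
The two dual-key slides worked through with textbook RSA, as an added example that is not part of the original slides. The primes, moduli and the impostor Eve are constructed for illustration; only the public-key labels 17 (Bob) and 29 (Alice) echo the slides, and the private exponents are computed because the slide labels 13 and 37 are not valid inverses for these moduli.

```python
# Textbook RSA with tiny constructed primes: illustration only, never for real use.
from math import gcd

def make_keypair(p, q, e):
    """Return ((e, n), (d, n)): public and private key for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi")
    return (e, n), (pow(e, -1, phi), n)

def apply_key(key, values):
    """Apply one key (exponent, modulus) to every integer in values."""
    exponent, n = key
    return [pow(v, exponent, n) for v in values]

# Constructed keys; public exponents 17 (Bob) and 29 (Alice) echo the slide labels.
BOB_PUB, BOB_PRIV = make_keypair(61, 53, 17)       # n = 3233
ALICE_PUB, ALICE_PRIV = make_keypair(89, 97, 29)   # n = 8633, larger than Bob's n
EVE_PUB, EVE_PRIV = make_keypair(59, 47, 17)       # hypothetical impostor, n = 2773

def send_private(message, recipient_pub):
    """Dual key: anyone may encrypt with the recipient's public key."""
    return apply_key(recipient_pub, list(message))

def read_private(cipher, recipient_priv):
    """Only the holder of the matching private key recovers the bytes."""
    return bytes(apply_key(recipient_priv, cipher))

def send_signed(message, sender_priv, recipient_pub):
    """Authentication: sender's private key first, then recipient's public key.
    Requires the sender's modulus to be smaller than the recipient's."""
    return apply_key(recipient_pub, apply_key(sender_priv, list(message)))

def read_signed(cipher, recipient_priv, claimed_sender_pub):
    """Strip the recipient layer, then check the sender layer with the
    claimed sender's public key. Returns integers; garbage means a forgery."""
    return apply_key(claimed_sender_pub, apply_key(recipient_priv, cipher))

if __name__ == "__main__":
    msg = b"PAY 100"
    print(read_private(send_private(msg, BOB_PUB), BOB_PRIV))   # Alice -> Bob
    genuine = read_signed(send_signed(msg, BOB_PRIV, ALICE_PUB), ALICE_PRIV, BOB_PUB)
    forged = read_signed(send_signed(msg, EVE_PRIV, ALICE_PUB), ALICE_PRIV, BOB_PUB)
    print(genuine == list(msg), forged == list(msg))
```

Real systems sign a hash of the message with padding and use far larger keys; the byte-by-byte form here only mirrors the slide's two-layer picture.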
Certificate Authority
Public key
How does Alice know that it is really Bob’s key?
Imposter could sign up for a public key.
Need trusted organization.
Only Verisign today, a public company with no regulation.
Verisign mistakenly issued a certificate to an imposter claiming to work for Microsoft in 2001.
Trust the C.A.
C.A. validate applicants
[Figure labels: Public Keys: Alice 29, Bob 17; Alice: Use Bob’s Public key]

Internet Data Transmission
[Figure labels: Start; Intermediate Machines; Eavesdropper; Destination]

Clipper Chip: Key Escrow
[Figure labels: Clipper chip in phones; Encrypted conversation; Intercept; Escrow keys; Judicial or government office; Decrypted conversation]

Denial Of Service
Coordinated flood attack.
Targeted server.
Break in.
Flood program.
Zombie PCs at homes, schools, and businesses.
Weak security.

Securing E-Commerce Servers
1. Install and maintain a working network firewall to protect data accessible via the Internet.
2. Keep security patches up-to-date.
3. Encrypt stored data.
4. Encrypt data sent across networks.
5. Use and regularly update anti-virus software.
6. Restrict access to data by business "need to know."
7. Assign a unique ID to each person with computer access to data.
8. Don't use vendor-supplied defaults for system passwords and other security parameters.
9. Track access to data by unique ID.
10. Regularly test security systems and processes.
11. Maintain a policy that addresses information security for employees and contractors.
12. Restrict physical access to cardholder information.
http://www.visabrc.com/doc.phtml?2,64,932,932a_cisp.html

Internet Firewall
Keeps local data from going to Web servers.
Examines each packet and discards some types of requests.
[Figure labels: Internal company data servers; Firewall router; Company PCs; Firewall router; Internet]

Privacy
[Figure labels: criminal record; complaints; finger prints; transportation data; medical records; financial; regulatory; employment; environmental; grocery store scanner data; credit cards; organizations; purchases; phone; subscriptions; education; financial; permits; census; loans & licenses]

Cookies
[Figure: exchange between User PC and Web server over time]
User PC: Request page.
Web server: Find page. Send page and cookie.
User PC: Display page, store cookie.
User PC: Request new page and send cookie.
Web server: Use cookie to identify user. Send customized page.

Misuse of Cookies: Third Party Ads
[Figure labels: User PC; Useful Web site; National ad Web site (Doubleclick.com); Request page; Requested page; Link to ads; Hidden prior cookie; Ads, and cookie; Useful Web Page: Text and graphics, [Advertisements]]
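
The cookie exchange and the third-party ad case from the two cookie slides, simulated as an added example that is not from the original slides. The AdServer and Browser classes, the ads.example domain and the site URLs are hypothetical; the run shows one ad-server cookie linking visits to unrelated sites, and the link breaking when the browser refuses third-party cookies.

```python
from http.cookies import SimpleCookie
from itertools import count

# Constructed sample sites that all embed an ad from the same third party.
SITES = ["https://news.example/politics", "https://shop.example/shoes",
         "https://health.example/symptoms"]

class AdServer:
    """Hypothetical third-party ad server embedded by many unrelated sites."""
    def __init__(self):
        self._ids = count(1)
        self.profiles = {}            # visitor id -> pages that embedded the ad

    def serve_ad(self, cookie_header, referer):
        """Record the visit; return a Set-Cookie value for new visitors."""
        jar = SimpleCookie(cookie_header or "")
        set_cookie = None
        if "uid" in jar:
            uid = jar["uid"].value    # the "hidden prior cookie" on the slide
        else:
            uid = f"u{next(self._ids)}"
            out = SimpleCookie()
            out["uid"] = uid
            out["uid"]["domain"] = "ads.example"
            set_cookie = out["uid"].OutputString()
        self.profiles.setdefault(uid, []).append(referer)
        return set_cookie

class Browser:
    """Stores cookies per domain and sends them back only to that domain."""
    def __init__(self):
        self.jar = {}                 # domain -> "name=value"

    def visit(self, page_url, ad_server, block_third_party=False):
        # Loading the page triggers a second request for the embedded ad.
        sent = None if block_third_party else self.jar.get("ads.example")
        set_cookie = ad_server.serve_ad(sent, referer=page_url)
        if set_cookie and not block_third_party:
            self.jar["ads.example"] = set_cookie.split(";")[0]

def simulate(block_third_party):
    """Visit every sample site once and return the ad server's profiles."""
    ads, browser = AdServer(), Browser()
    for url in SITES:
        browser.visit(url, ads, block_third_party)
    return ads.profiles
```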
Wireless Privacy
Cell phones require connections to towers
E-911 laws require location capability
Many now come with integrated GPS units
Business could market to customers “in the neighborhood”
Tracking of employees is already common

Privacy Problems
TRW--1991: Norwich, VT; Listed everyone delinquent on property taxes
Terry Dean Rogan: Lost wallet; Impersonator, 2 murders and 2 robberies; NCIC database; Rogan arrested 5 times in 14 months; Sued and won $55,000 from LA
Employees: 26 million monitored electronically; 10 million pay based on statistics
Jeffrey McFadden--1989: SSN and DoB for William Kalin from military records; Got fake Kentucky ID; Wrote $6000 in bad checks; Kalin spent 2 days in jail; Sued McFadden, won $10,000
San Francisco Chronicle--1991: Person found 12 others using her SSN; Someone got 16 credit cards from another’s SSN, charged $10,000; Someone discovered unemployment benefits had already been collected by 5 others

Privacy Laws
Minimal in US
Credit reports
Right to add comments
1994 disputes settled in 30 days
1994 some limits on access to data
Bork Bill--can’t release video rental data
Educational data--limited availability
1994 limits on selling state/local data
2001 rules on medical data
Europe
France and some other controls
1995 EU Privacy Controls

Primary U.S. Privacy Laws
Freedom of Information Act
Family Educational Rights and Privacy Act
Fair Credit Reporting Act
Privacy Act of 1974
Privacy Protection Act of 1980
Electronic Communications Privacy Act of 1986
Video Privacy Act of 1988
Driver’s Privacy Protection Act of 1994
2001 Federal Medical Privacy rules (not a law)

Anonymity
Anonymous servers: http://www.zeroknowledge.com
Dianetics church (L. Ron Hubbard) officials in the U.S.
Sued a former employee for leaking confidential documents over the Internet.
He posted them through a Danish anonymous server.
The church pressured police to obtain the name of the poster.
Zero knowledge server is more secure
Should we allow anonymity on the Internet?
Protects privacy
Can encourage flow of information
Chinese dissenters
Government whistleblowers
Can be used for criminal activity

Cases: Healthcare
Cases: Eli Lilly
Owens & Minor, Inc.
www.lilly.com
www.owens-minor.com
What is the company’s current status?
What is the Internet strategy?
How does the company use information technology?
What are the prospects for the industry?
Appendix: Digital Security Certificates
Digital security certificates are used to encrypt e-mail and to authenticate the sender.
Obtain a certificate from a certificate authority: Verisign; Thawte (owned by Verisign); Microsoft; Your own company or agency
Install the certificate in Outlook
Select option boxes to encrypt or decrypt messages
Install certificates sent by your friends and co-workers.

Obtaining a Certificate
Installing a Certificate
1. Tools + Options + Security tab
2. Choose your certificate
3. Check these boxes to add your digital signature and to encrypt messages.
4. These boxes set the default choices. For each message, you can use the options to check or uncheck these boxes.

Encrypting and Signing Messages
Use the Options button and the Security Settings button to make sure the Encrypt and Signature boxes are checked. Then the encryption and decryption are automatic.