EE579T-Class 11 - Electrical & Computer Engineering

EE579T
Network Security
11: Law, Ethics, Intrusions
Prof. Richard A. Stanley
Spring 2001
© 2000, 2001, Richard A. Stanley
WPI
EE579T/11 #1
Thought for the Day
“Any sufficiently advanced technology
is indistinguishable from magic.”
-- Arthur C. Clarke
Overview of Tonight’s Class
• Review last week’s lesson
• Look at network security in the news
• Legal and ethical issues
Last Week in Review
• Running a network makes it necessary to be
familiar with the law
• There is both civil and criminal law
• Knowing what is illegal is key to tracking and
deterring unauthorized users
• Protecting intellectual property is an important
responsibility of network managers
• Building a relationship with law enforcement
before a problem arises is usually wise
Network Security Last Week- 1
• Social engineering gets hackers and their
viruses inside a network more reliably than
complicated technical methods do
• More security flaws found in the 802.11
wireless LAN protocol by UMd researchers
• One in three UK companies has been
hacked
• eBay finds holes in privacy policy
Network Security Last Week- 2
• Online security key to health care venture
• Too much security holds back e-commerce
– So say 40% of blue chip companies surveyed
• ADDR.com customer database stolen
• Cloaked code sneaks by corporate security
• Security industry slams virus reward
• Microsoft updates Windows to combat
VeriSign glitch
Network Security Last Week- 3
• War driving -- the latest hacker fad
• KPMG survey
– 90 percent of CEOs and CIOs believe most
security breaches will come via the Internet or
other external means
– KPMG confirms most breaches are internal, by
disgruntled employees and others with
immediate knowledge of a company's system
Tonight:
The Odds and Ends That Tie it All
Together
More About Copyrights
• Fair use of a copyrighted work, including
such use by reproduction in copies or
phonorecords or by any other means, for
purposes such as:
– criticism
– comment
– news reporting
– teaching (including multiple copies for
classroom use)
– scholarship
– research
is not an infringement of copyright (17 USC § 107)
Remember...
• A copyright protects the tangible
expression of an idea, not the idea itself
– Copyright infringement is normally a civil
matter; willful infringement can also be a
crime (17 USC § 506)
• A patent protects an idea (sort of -- more
later), not merely its expression
– Patent infringement must be contested by
the patent holder
– Patent infringement is a civil matter, not a
crime
What Can Be Patented?
“Whoever invents or discovers any new and useful process,
machine, manufacture, or composition of matter, or any new
and useful improvement thereof, may obtain a patent therefor,
subject to the conditions and requirements of this title.”
35 USC § 101
More to Think About
• Censorship
• Privacy
• Liability
– Actions of others
• Responsibility to report crimes
• Public approbation vs. legal action
• Whose laws apply?
Negligence
• Simple
• Gross
• Contributory
• “The prudent man”
• Due diligence
More Legal Considerations
• What if…
– One of your employees is using your network
to do something illegal?
– Someone outside the organization is using your
network resources for illicit purposes?
– Your system is broken into and important
information goes missing or becomes public?
Are You Liable?
What Is Your Responsibility?
• For intellectual property?
• For personal data?
• For financial data?
• For proper operation of the network?
• How and where are these things defined?
The Other “P” Word
• Privacy
– What is it?
– How to protect it?
– What do customers and employees expect?
– What do they have a right to expect?
– Where is the Constitutional right to privacy
found?
Ethics
Not a Simple Subject
Ethics Concerns
• Information Management
– Data acquisition
– Access
– Stewardship
• Information Security
– Ownership of intellectual property
– Crime
– Liability and reliability
Ethical Issues
• Ethics and the law are not the same
• An ethic is an objectively defined standard of
right and wrong
• Ethical standards tend to be idealistic
• A set of ethical principles is an ethical system
Law Versus Ethics
LAW | ETHICS
Formal, written | Unwritten principles
Interpreted by courts | Interpreted by individuals
Established by legislature | Presented by religions, philosophers, etc.
Applies to everyone | Personal choice
Conflict, “right” resolved by courts | No external arbiter of “right” or conflict
Enforceable | Limited enforcement
Ethics Overview
• Complex
• Ethics and religion
• Ethics not universal
• Ethics does not provide unique, immutable
answers
– Ethical pluralism
– Very unlike scientific view of “truth”
– Rarely a higher authority
Ethical Reasoning
• How to approach an ethical issue?
– Understand the situation
– Know several theories of ethical reasoning
– List the ethical principles involved
– Determine which principles outweigh the others
• First and third are key
• Easy to go off half-cocked
Ethical Principles--Examples
• Teleology
– Focus on consequences
– Egoism: benefits to person taking the action
– Utilitarianism: benefits to entire world
• Deontology
– Focus on sense of duty
– Some things are just intrinsically good
– Rule-deontology
– Act-deontology: situation ethics
Some Values Issues
• Ownership of resources
• Effect on others
• Universalism principle
• Possibility of detection, punishment
• Other issues?
• Which are more important than others?
Some Principles Involved
• Job responsibility
• Use
• Possible misuse
• Confidentiality
• Tacit permission
• Propriety
• Law
General Moral Imperatives
(ACM Code of Ethics and Professional Conduct)
• Contribute to society and human well-being
• Avoid harm to others
• Be honest and trustworthy
• Be fair and take action not to discriminate
• Honor property rights including copyrights and
patents
• Give proper credit for intellectual property
• Respect the privacy of others
• Honor confidentiality
The “P” Word
• Can or should you have an ethics policy?
• Why or why not?
• Are you aware of organizations that do have
ethics policies?
Ethics Case 1
Donald works for the county health department as a
computer records clerk, where he has access to files of
patient records. For a scientific study, a researcher -- Ethel --
has been granted access to the medical portion, but not the
corresponding names, of some records.
Ethel finds some information that she would like to
use, but she needs the names and addresses in order to
contact these people for more information and for permission
to do further study.
Should Donald give Ethel the names and addresses?
Ethics Case 2
The school computer center
Intrusion Detection
What Is It? How Does It Work?
What is Intrusion Detection?
• Process
• Identify and respond to malicious activity
• Targeted at
– Computing resources
– Networking resources
Edward Amoroso
Process
• Technology
• People
• Tools
• Much interaction among these
• Not amenable to “black-box” solutions
Identify
• Before
• During
• After
Respond
• Must first identify
• Nature
• Automatic
– Liability--civil and criminal
– Casus belli if government?
Malicious Activity
• Actions by those who intend harm
– Includes so-called “innocent” intrusions
– Malicious may be in the eye of the beholder
• What about low-probability vulnerabilities?
– Don’t worry about them
– Worry, but give very low probability
– What if the intruder can establish the
conditions that enable these vulnerabilities?
IDS Methods
• Audit trail processing
• Normal behavior profiling
• Abnormal behavior signatures
• Parameter pattern matching
• Neural network and other approaches to
inferring abnormal behavior
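The first four methods on this slide, side by side on one constructed audit trail. This is an added example written for these notes, not code from the course or from any product named later; the log format (ISO time, user, event, source IP, detail), the two regex signatures, the three-failures-per-minute threshold and the one-hour slack on login times are all assumptions chosen for illustration. A baseline profile is learned from a "training" trail, then signatures, a threshold rule and the profile are applied to a "live" trail.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit-trail lines for the example (not real logs).
# Record format assumed here: "<ISO time> <user> <event> <source IP> <detail>".
TRAINING = """\
2001-03-01T09:05:00 alice login-ok 10.1.1.20 -
2001-03-01T09:07:00 alice read 10.1.1.20 /reports/q1.txt
2001-03-01T17:30:00 alice logout 10.1.1.20 -
2001-03-02T08:58:00 alice login-ok 10.1.1.20 -
2001-03-02T10:15:00 bob login-ok 10.1.1.31 -
2001-03-02T10:16:00 bob read 10.1.1.31 /reports/q1.txt""".splitlines()

LIVE = """\
2001-03-05T02:12:00 alice login-ok 192.0.2.77 -
2001-03-05T02:13:00 alice read 192.0.2.77 /reports/q1.txt
2001-03-05T02:14:00 alice read 192.0.2.77 ../../etc/passwd
2001-03-05T11:00:00 bob login-fail 10.1.1.31 -
2001-03-05T11:00:05 bob login-fail 10.1.1.31 -
2001-03-05T11:00:09 bob login-fail 10.1.1.31 -
2001-03-05T11:00:12 bob login-fail 10.1.1.31 -
2001-03-05T11:00:20 bob login-ok 10.1.1.31 -
2001-03-05T11:06:00 bob read 10.1.1.31 /search?q=' or 1=1""".splitlines()

@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    src: str
    detail: str

def parse(lines):
    """Audit trail processing: turn raw lines into typed records."""
    events = []
    for line in lines:
        ts, user, action, src, detail = line.split(" ", 4)
        events.append(Event(datetime.fromisoformat(ts), user, action, src, detail))
    return events

# Abnormal behaviour signatures (assumed patterns): bad regardless of who sends them.
SIGNATURES = {
    "path-traversal": re.compile(r"(^|/)\.\.(/|$)"),
    "sql-injection": re.compile(r"('|%27)\s*(or|and)\s+\d+\s*=\s*\d+", re.I),
}

def signature_alerts(events):
    return [("signature", name, e.user, e.src, e.ts)
            for e in events for name, rx in SIGNATURES.items() if rx.search(e.detail)]

def threshold_alerts(events, limit=3, window=timedelta(minutes=1)):
    """Parameter pattern matching: `limit` failed logins for one (user, source) inside `window`."""
    alerts, recent, fired = [], defaultdict(list), set()
    for e in sorted(events, key=lambda x: x.ts):
        if e.action != "login-fail":
            continue
        key = (e.user, e.src)
        recent[key] = [t for t in recent[key] if e.ts - t <= window] + [e.ts]  # slide the window
        if len(recent[key]) >= limit and key not in fired:   # alert once per (user, source)
            fired.add(key)
            alerts.append(("threshold", "login-failures", e.user, e.src, e.ts))
    return alerts

def build_profile(events):
    """Normal behaviour profiling: from where, and at what hours, each user normally logs in."""
    profile = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for e in events:
        if e.action == "login-ok":
            profile[e.user]["srcs"].add(e.src)
            profile[e.user]["hours"].add(e.ts.hour)
    return profile

def anomaly_alerts(events, profile, hour_slack=1):
    """Flag successful logins that fall outside the learned profile."""
    alerts = []
    for e in events:
        if e.action != "login-ok":
            continue
        p = profile.get(e.user)
        if p is None:
            alerts.append(("anomaly", "unknown-user", e.user, e.src, e.ts))
            continue
        if e.src not in p["srcs"]:
            alerts.append(("anomaly", "new-source", e.user, e.src, e.ts))
        if min(abs(e.ts.hour - h) for h in p["hours"]) > hour_slack:
            alerts.append(("anomaly", "off-hours", e.user, e.src, e.ts))
    return alerts

def run_ids(training_lines, live_lines):
    """Learn a baseline from the training trail, then run all three detectors on the live trail."""
    profile = build_profile(parse(training_lines))
    live = parse(live_lines)
    alerts = signature_alerts(live) + threshold_alerts(live) + anomaly_alerts(live, profile)
    return sorted(alerts, key=lambda a: a[4])

if __name__ == "__main__":
    for kind, name, user, src, ts in run_ids(TRAINING, LIVE):
        print(f"{ts.isoformat()} {kind:9s} {name:15s} user={user} src={src}")
```

On the constructed trail this yields five alerts: two anomaly alerts for alice's 02:12 login (new source, off hours), the traversal signature two minutes later, one threshold alert when bob's third failure lands inside the window, and the injection signature at 11:06. Bob's successful login at 11:00 is not flagged because it is within an hour of his profiled login time; tighten `hour_slack` to zero and it becomes a false positive, which is the "best customers look like intruders" problem the later slides raise.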
IDS Organization
• Sensor
• System management
• Processing engine and algorithms
• Knowledge base(s)
• Auditing
• Alarms
• User interface
What is an Intrusion?
• Becomes a philosophical question
• Intrusions = attacks ?
• Stanley’s working definition:
– An intrusion is any entry, or attempted entry,
into a protected network that is unplanned,
unauthorized, or which exceeds the
authorization granted to the perpetrator of the
entry, even if the entry is without conscious
malicious intent.
How Can Perpetrators
Hide?
• We have spent the entire semester dealing
with aspects of this question
• In-band techniques
• Out-of-band techniques
• Anonymity muddies authentication
IDS Information Correlation
• Single vs. multiple session
• Real time vs. after the fact
• In-band vs. all-band
• The basic problem of intelligence analysis
obtains:
– Is this a new tank that is being reported by the
soldier in his foxhole, or is he seeing the same
tank that I already know about?
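The "same tank" question in code: an added example for these notes, not from the course or any IDS product. It assumes a network sensor and a host sensor that both report the connection they saw as the same session string, and a ten-minute quiet period after which a source is treated as starting a fresh incident. Each incoming report is classified as a new incident, a second vantage point on a connection already known (corroboration), a re-report of the same observation (repeat), or the same attacker on a new connection or target (escalation). `correlate()` is the after-the-fact mode, sorting first; `Correlator.ingest()` alone is the real-time mode, where out-of-order arrival can split an incident.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Alert:
    """One sensor's report. `session` identifies the connection as the sensor saw it;
    assumption: sensors watching the same connection report the same session string."""
    ts: datetime
    sensor: str
    session: str
    src: str
    dst: str
    sig: str

@dataclass
class Incident:
    src: str
    sig: str
    first: datetime
    last: datetime
    seen: set = field(default_factory=set)      # (sensor, session) pairs already counted
    sessions: set = field(default_factory=set)
    sensors: set = field(default_factory=set)
    dsts: set = field(default_factory=set)
    reports: int = 0

class Correlator:
    """Stream correlator: reports with the same source and signature, arriving within
    `window` of the incident's last report, are the same incident (the same tank)."""
    def __init__(self, window=timedelta(minutes=10)):
        self.window = window
        self.open = {}      # (src, sig) -> Incident
        self.closed = []

    def ingest(self, a):
        key = (a.src, a.sig)
        inc = self.open.get(key)
        if inc is not None and a.ts - inc.last > self.window:
            self.closed.append(self.open.pop(key))   # quiet too long: start a new incident
            inc = None
        if inc is None:
            inc = self.open[key] = Incident(a.src, a.sig, a.ts, a.ts)
            status = "new"
        elif (a.sensor, a.session) in inc.seen:
            status = "repeat"         # same sensor re-reporting the same connection
        elif a.session in inc.sessions:
            status = "corroborated"   # another sensor saw a connection already known
        else:
            status = "escalation"     # same attacker, new connection or new target
        inc.seen.add((a.sensor, a.session))
        inc.sessions.add(a.session)
        inc.sensors.add(a.sensor)
        inc.dsts.add(a.dst)
        inc.reports += 1
        inc.last = max(inc.last, a.ts)
        return status

    def incidents(self):
        return self.closed + list(self.open.values())

def correlate(alerts, window=timedelta(minutes=10)):
    """After-the-fact mode: sort first, so a late-arriving report cannot split an incident."""
    c = Correlator(window)
    statuses = [c.ingest(a) for a in sorted(alerts, key=lambda a: a.ts)]
    return statuses, c.incidents()

def _t(hhmmss):
    return datetime.fromisoformat("2001-03-05T" + hhmmss)

# Constructed reports from a network sensor and a host sensor on the web server (not real data).
SAMPLE = [
    Alert(_t("10:00:00"), "net-1",    "192.0.2.5:40001->10.0.0.7:80",   "192.0.2.5",    "10.0.0.7", "path-traversal"),
    Alert(_t("10:00:01"), "host-www", "192.0.2.5:40001->10.0.0.7:80",   "192.0.2.5",    "10.0.0.7", "path-traversal"),
    Alert(_t("10:00:01"), "host-www", "192.0.2.5:40001->10.0.0.7:80",   "192.0.2.5",    "10.0.0.7", "path-traversal"),
    Alert(_t("10:01:00"), "net-1",    "198.51.100.9:5100->10.0.0.7:80", "198.51.100.9", "10.0.0.7", "path-traversal"),
    Alert(_t("10:02:00"), "net-1",    "192.0.2.5:40002->10.0.0.8:80",   "192.0.2.5",    "10.0.0.8", "path-traversal"),
    Alert(_t("10:30:00"), "net-1",    "192.0.2.5:40003->10.0.0.7:80",   "192.0.2.5",    "10.0.0.7", "path-traversal"),
]

if __name__ == "__main__":
    statuses, incidents = correlate(SAMPLE)
    for a, s in zip(sorted(SAMPLE, key=lambda a: a.ts), statuses):
        print(f"{a.ts.time()} {a.sensor:8s} {a.src:13s} {s}")
    print(f"{len(SAMPLE)} reports -> {len(incidents)} incidents")
```

Six reports collapse to three incidents: one source seen by both sensors against two targets (four reports, two connections), a second source, and the first source again after a half-hour gap. The choice of correlation key and window is a policy decision, not a fact about the traffic; a window that is too short turns one campaign into many incidents, one that is too long merges unrelated ones.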
Intruder Trapping
• Not a major topic of IDS research
• Problematic
– Can trap suspicious users in a dedicated system
– What if you are wrong?
• Liability?
• Bad press?
– Worse problem: often, the signature of your
best customers and the signature of intruders
are frighteningly similar
Incident response
• Critical assets involved?
• Has this happened before?
• Is it still happening?
• Damage, compromise, or DoS?
• Laws broken?
• Policies violated?
• Should we break the connection?
• Any traps available?
• Should we involve law enforcement?
Some IDS Thoughts
• This is still an immature area
• Technology cannot solve all problems
• People have problems, too
– e.g., humans reviewing audit logs found only
about 1.4% of the entries that represented intrusions
– People’s loyalties are mobile
• Beware automated responses
Some IDS’s Out There
• BlackICE Defender (www.networkice.com)
• CyberCop (www.cybercop.co.uk)
• Emerald
(www.sdl.sri.com/projects/emerald/index.html)
• NetRanger
(www.cisco.com/univercd/cc/td/doc/product/iaabu
/netrangr/)
• RealSecure (www.hallogram.com/realsecure/)
Summary
• Legalities involve much more than what is
illegal
• Often, your largest concern is for liability
and how to limit it.
• Intrusion detection is a process, not a
product, and it is still immature
• We have only scratched the network
security surface, as weekly reviews show
Th…th…that’s all, folks!
Any questions on the overall course?
Exam Overview
• Roughly 1 1/2 hours long
• Please be on time; it is your time you waste
• Essay-type exam, involving application of what
you have learned (homework is a good example)
• Open book and notes
• Please bring pen and/or pencil, and paper on
which to write. A paperclip is also helpful.
• Any other questions?