Introduction to MIS2 Outline Threats to Information Physical Security and Disaster Planning Logical Security and Data Protection Virus Threats User Identification and Biometrics Access controls Encryption and Authentication Internet Security Issues Privacy Anonymity Cases: Healthcare Appendix: Server Security Certificates
Introduction to MIS3 Security, Privacy, and Anonymity Server Attacks Data interception The Internet Monitoring
Introduction to MIS4 Employees & Consultants Links to business partners Outside hackers Threats to Information Accidents & Disasters Employees & Consultants Business Partnerships Outsiders Viruses Virus hiding in e-mail attachment.
Introduction to MIS5 $$ Security Categories Physical attack & disasters Backup--off-site Cold/Shell site Hot site Disaster tests Personal computers! Logical Unauthorized disclosure Unauthorized modification Unauthorized withholding Denial of Service
Introduction to MIS6 Horror Stories Security Pacific--Oct. 1978 Stanley Mark Rifkin Electronic Funds Transfer $10.2 million Switzerland Soviet Diamonds Came back to U.S. Equity Funding--1973 The Impossible Dream Stock Manipulation Insurance Loans Fake computer records Robert Morris--1989 Graduate Student Unix Worm Internet--tied up for 3 days Clifford Stoll--1989 The Cuckoos Egg Berkeley Labs Unix--account not balance Monitor, false information Track to East German spy Old Techniques Salami slice Bank deposit slips Trojan Horse Virus
Introduction to MIS7 Manual v Automated Data Amount of data Identification of users Difficult to detect changes Speed Search Copy Statistical Inference Communication Lines
Introduction to MIS8 SunGard is a premier provider of computer backup facilities and disaster planning services. Its fleet of Mobile Data Centers can be outfitted with a variety of distributed systems hardware and delivered at a disaster site within 48 hours. Disaster Planning
Introduction to MIS9 Data Backup Backup is critical Offsite backup is critical Levels RAID (multiple drives) Real time replication Scheduled backups
Introduction to MIS10 Data Backup Offsite backups are critical. Frequent backups enable you to recover from disasters and mistakes. Use the network to backup PC data. Use duplicate mirrored servers for extreme reliability. UPS Power company
Introduction to MIS11 Attachment 01 23 05 06 77 03 3A 7F 3C 5D 83 94 19 2C 2E A2 87 62 02 8E FA EA 12 79 54 29 3F 4F 73 9F 1 23 1.User opens an attached program that contains hidden virus 2.Virus copies itself into other programs on the computer 3.Virus spreads until a certain date, then it deletes files. Virus code Virus From: afriend To: victim Message: Open the attachment for some excitement.
Introduction to MIS12 Dataquest, Inc; Computerworld 12/2/91 National Computer Security Association; Computerworld 5/6/96 http://www.info-ec.com/viruses/99/viruses_062299a_j.shtml) Virus Damage 1999 virus costs in the U.S.: $7.6 billion. Attacks1991199620002001 Viruses/Trojans/Worms6280 89 Attacks on Web servers2448 Denial of Service3739 Insider physical theft or damage of equipment 4942 Insider electronic theft, destruction, or disclosure of data 2422 Fraud139
Introduction to MIS13 Stopping a Virus Backup your data! Never run applications unless you are certain they are safe. Never open executable attachments sent over the Internet--regardless of who mailed them. Antivirus software Needs constant updating Rarely catches current viruses Can interfere with other programs Ultimately, viruses sent over the Internet can be traced back to the original source.
Introduction to MIS14 User Identification Passwords Dial up service found 30% of people used same word People choose obvious Post-It notes Hints Dont use real words Dont use personal names Include non-alphabetic Change often Use at least 6 characters Alternatives: Biometrics Finger/hand print Voice recognition Retina/blood vessels Iris scanner DNA ? Password generator cards Comments Dont have to remember Reasonably accurate Price is dropping Nothing is perfect
Introduction to MIS15 Iris Scan http://www.iridiantech.com/ questions/q2/features.html Algorithm patents by JOHN DAUGMAN 1994 http://www.cl.cam.ac.uk/~jgd1000/ http://www.eyeticket.com/ eyepass/index.html EyePass System at Charlotte/Douglas International Airport.
Introduction to MIS16 Several methods exist to identify a person based on biological characteristics. Common techniques include fingerprint, handprint readers, and retinal scanners. More exotic devices include body shape sensors and this thermal facial reader which uses infrared imaging to identify the user. Biometrics: Thermal
Introduction to MIS17 Access Controls: Permissions in Windows Find the folder or directory in explorer. Right-click to set properties. On the Security tab,assign permissions.
Introduction to MIS18 Security Controls Access Control Ownership of data Read, Write, Execute, Delete, Change Permission, Take Ownership Security Monitoring Access logs Violations Lock-outs
Introduction to MIS20 Encryption: Single Key Encrypt and decrypt with the same key How do you get the key safely to the other party? What if there are many people involved? Fast encryption and decryption DES - old and falls to brute force attacks Triple DES - old but slightly harder to break with brute force. AES - new standard Plain text message Encrypted text Key: 9837362 AES Encrypted text Plain text message AES Single key: e.g., AES
Introduction to MIS21 Alice Bob Message Public Keys Alice 29 Bob 17 Message Encrypted Private Key 13 Private Key 37 Use Bobs Public key Use Bobs Private key Alice sends message to Bob that only he can read. Encryption: Dual Key
Introduction to MIS22 Alice Bob Public Keys Alice 29 Bob 17 Private Key 13 Private Key 37 Use Bobs Public key Use Bobs Private key Bob sends message to Alice: His key guarantees it came from him. Her key prevents anyone else from reading message. Message Encrypt+T Encrypt+T+M Encrypt+M Use Alices Public key Use Alices Private key Transmission Dual Key: Authentication
Introduction to MIS23 Certificate Authority Public key Imposter could sign up for a public key. Need trusted organization. Only Verisign today, a public company with no regulation. Verisign mistakenly issued a certificate to an imposter claiming to work for Microsoft in 2001. Alice Public Keys Alice 29 Bob 17 Use Bobs Public key How does Alice know that it is really Bobs key? Trust the C.A. C.A. validate applicants
Introduction to MIS24 Internet Data Transmission Start Destination Eavesdropper Intermediate Machines
Introduction to MIS25 Encrypted conversation Escrow keys Clipper chip in phones Intercept Decrypted conversation Judicial or government office Clipper Chip: Key Escrow
Introduction to MIS26 Denial Of Service Zombie PCs at homes, schools, and businesses. Weak security. Break in. Flood program. Coordinated flood attack. Targeted server.
Introduction to MIS27 Securing E-Commerce Servers http://www.visabrc.com/doc.phtml?2,64,932,932a_cisp.html 1. Install and maintain a working network firewall to protect data accessible via the Internet. 2. Keep security patches up-to-date. 3. Encrypt stored data. 4. Encrypt data sent across networks. 5. Use and regularly update anti-virus software. 6. Restrict access to data by business "need to know." 7. Assign a unique ID to each person with computer access to data. 8. Don't use vendor-supplied defaults for system passwords and other security parameters. 9. Track access to data by unique ID. 10. Regularly test security systems and processes. 11. Maintain a policy that addresses information security for employees and contractors. 12. Restrict physical access to cardholder information.
Introduction to MIS28 Internet Firewall Company PCs Internal company data servers Internet Firewall router Examines each packet and discards some types of requests. Keeps local data from going to Web servers.
Introduction to MIS29 credit cards organizations loans & licenses financial permits census transportation data financial regulatory employment environmental subscriptions education purchases phone criminal record complaints finger prints medical records Privacy grocery store scanner data
Introduction to MIS30 Cookies Web server User PC time Request page. Send page and cookie. Display page, store cookie. Find page. Request new page and send cookie. Use cookie to identify user. Send customized page.
Introduction to MIS32 Wireless Privacy Cell phones require connections to towers E-911 laws require location capability Many now come with integrated GPS units Business could market to customers in the neighborhood Tracking of employees is already common
Introduction to MIS33 Privacy Problems TRW--1991 Norwich, VT Listed everyone delinquent on property taxes Terry Dean Rogan Lost wallet Impersonator, 2 murders and 2 robberies NCIC database Rogan arrested 5 times in 14 months Sued and won $55,000 from LA Employees 26 million monitored electronically 10 million pay based on statistics Jeffrey McFadden--1989 SSN and DoB for William Kalin from military records Got fake Kentucky ID Wrote $6000 in bad checks Kalin spent 2 days in jail Sued McFadden, won $10,000 San Francisco Chronicle--1991 Person found 12 others using her SSN Someone got 16 credit cards from anothers SSN, charged $10,000 Someone discovered unemployment benefits had already been collected by 5 others
Introduction to MIS34 Privacy Laws Minimal in US Credit reports Right to add comments 1994 disputes settled in 30 days 1994 some limits on access to data Bork Bill--cant release video rental data Educational data--limited availability 1994 limits on selling state/local data 2001 rules on medical data Europe France and some other controls 1995 EU Privacy Controls
Introduction to MIS35 Primary U.S. Privacy Laws Freedom of Information Act Family Educational Rights and Privacy Act Fair Credit Reporting Act Privacy Act of 1974 Privacy Protection Act of 1980 Electronic Communications Privacy Act of 1986 Video Privacy Act of 1988 Drivers Privacy Protection Act of 1994 2001 Federal Medical Privacy rules (not a law)
Introduction to MIS36 Anonymity Anonymous servers: http://www.zeroknowledge.com Dianetics church (L. Ron Hubbard) officials in the U.S. Sued a former employee for leaking confidential documents over the Internet. He posted them through a Danish anonymous server. The church pressured police to obtain the name of the poster. Zero knowledge server is more secure Should we allow anonymity on the Internet? Protects privacy Can encourage flow of information Chinese dissenters Government whistleblowers Can be used for criminal activity
Introduction to MIS38 What is the companys current status? What is the Internet strategy? How does the company use information technology? What are the prospects for the industry? www.lilly.com www.owens-minor.com Cases: Eli Lilly Owens & Minor, Inc.
Introduction to MIS39 Appendix: Digital Security Certificates Digital security certificates are used to encrypt e-mail and to authenticate the sender. Obtain a certificate from a certificate authority Verisign Thawte (owned by Verisign) Microsoft Your own company or agency Install the certificate in Outlook Select option boxes to encrypt or decrypt messages Install certificates sent by your friends and co-workers.
Introduction to MIS41 Installing a Certificate 1.Tools + Options + Security tab 2.Choose your certificate 3.Check these boxes to add your digital signature and to encrypt messages. 4.These boxes set the default choices. For each message, you can use the options to check or uncheck these boxes.
Introduction to MIS42 Encrypting and Signing Messages Use the Options button and the Security Settings button to make sure the Encrypt and Signature boxes are checked. Then the encryption and decryption are automatic.