Issues, Trends and Strategies for Computer Systems Management - PowerPoint PPT Presentation

Provided by: jerry88
Slides: 36

Transcript and Presenter's Notes

1
Issues, Trends and Strategies for Computer
Systems Management
Chapter 4. Security, Privacy, and Anonymity
  • UMUC Graduate School of
  • Management and Technology

2
Agenda
  • Threats to Information
  • Physical Security and Disaster Planning
  • Logical Security and Data Protection
  • Virus Threats
  • User Identification and Biometrics
  • Access controls
  • Encryption and Authentication
  • Internet Security Issues
  • Privacy
  • Anonymity

3
Security, Privacy, and Anonymity
(Diagram labels: The Internet; Server attacks; Data interception; Monitoring)
4
Threats to Information
  • Accidents and disasters
  • Employees and consultants
  • Business partnerships
  • Outsiders
  • Viruses

(Diagram labels: Links to business partners; Outside hackers; Virus hiding in e-mail attachment; Employees and consultants)
5
Security Categories
  • Physical attack / disasters
    • Backup--off-site
    • Cold/Shell site
    • Hot site
    • Disaster tests
    • Personal computers!
  • Logical
    • Unauthorized disclosure
    • Unauthorized modification
    • Unauthorized withholding
    • Denial of Service


6
Horror Stories
  • Security Pacific--Oct. 1978
    • Stanley Mark Rifkin
    • Electronic Funds Transfer
    • $10.2 million
    • Switzerland
    • Soviet diamonds
    • Came back to U.S.
  • Equity Funding--1973
    • The Impossible Dream
    • Stock manipulation
    • Insurance
    • Loans
    • Fake computer records
  • Robert Morris--1989
    • Graduate student
    • Unix worm
    • Internet--tied up for 3 days
  • Clifford Stoll--1989
    • The Cuckoo's Egg
    • Berkeley Labs
    • Unix--accounts did not balance
    • Monitor, false information
    • Track to East German spy
  • Old Techniques
    • Salami slice
    • Bank deposit slips
    • Trojan Horse
    • Virus

7
Disaster Planning
SunGard is a premier provider of computer backup
facilities and disaster planning services. Its
fleet of Mobile Data Centers can be outfitted
with a variety of distributed systems hardware
and delivered at a disaster site within 48 hours.
8
Data Backup
  • Backup is critical
  • Offsite backup is critical
  • Levels
    • RAID (multiple drives)
    • Real-time replication
    • Scheduled backups

9
Data Backup
(Diagram labels: Power company; UPS)
Use the network to back up PC data. Use duplicate mirrored servers for extreme reliability. Frequent backups enable you to recover from disasters and mistakes. Offsite backups are critical.
10
Virus
(Diagram: e-mail From: afriend, To: victim, Message: "Open the attachment for some excitement." The attachment carries the hidden virus code, shown as bytes 01 23 05 06 77 03 3A 7F 3C 5D 83 94 19 2C 2E A2 87 62 02 8E FA EA 12 79 54 29 3F 4F 73 9F.)
1. User opens an attached program that contains a hidden virus.
2. Virus copies itself into other programs on the computer.
3. Virus spreads until a certain date, then it deletes files.
11
Virus Damage
Attacks 1991 1996 2000 2001
Viruses/Trojans/Worms 62 80 80 89
Attacks on Web servers 24 48
Denial of Service 37 39

Insider physical theft or damage of equipment 49 42
Insider electronic theft, destruction, or disclosure of data 24 22
Fraud 13 9
Sources: Dataquest, Inc., Computerworld 12/2/91; National Computer Security Association, Computerworld 5/6/96; http://www.info-ec.com/viruses/99/viruses_062299a_j.shtml
1999 virus costs in the U.S.: $7.6 billion.
12
Stopping a Virus
  • Back up your data!
  • Never run applications unless you are certain they are safe.
  • Never open executable attachments sent over the Internet--regardless of who mailed them.
  • Antivirus software
    • Needs constant updating
    • Rarely catches current viruses
    • Can interfere with other programs
  • Ultimately, viruses sent over the Internet can be traced back to the original source.

13
User Identification
  • Passwords
    • Dial-up service found 30% of people used the same word
    • People choose obvious ones
    • Post-It notes
  • Hints
    • Don't use real words
    • Don't use personal names
    • Include non-alphabetic characters
    • Change often
    • Use at least 6 characters
  • Alternatives: Biometrics
    • Finger/hand print
    • Voice recognition
    • Retina/blood vessels
    • Iris scanner
    • DNA ?
    • Password generator cards
  • Comments
    • Don't have to remember
    • Reasonably accurate
    • Price is dropping
    • Nothing is perfect

14
Iris Scan
EyePass System at Charlotte/Douglas International Airport.
http://www.iridiantech.com/questions/q2/features.html
http://www.eyeticket.com/eyepass/index.html
Algorithm patents by John Daugman, 1994
http://www.cl.cam.ac.uk/jgd1000/
15
Biometrics Thermal
Several methods exist to identify a person based
on biological characteristics. Common techniques
include fingerprint, handprint readers, and
retinal scanners. More exotic devices include
body shape sensors and this thermal facial reader
which uses infrared imaging to identify the user.
16
Access Controls Permissions in Windows
Find the folder or directory in Explorer. Right-click to set properties. On the Security tab, assign permissions.
17
Security Controls
  • Access Control
    • Ownership of data
    • Read, Write, Execute, Delete, Change Permission, Take Ownership
  • Security Monitoring
    • Access logs
    • Violations
    • Lock-outs

18
Additional Controls
  • Audits
  • Monitoring
  • Background checks

http://www.casebreakers.com/
http://www.knowx.com/
http://www.publicdata.com/
19
Encryption Single Key
  • Encrypt and decrypt with the same key
  • How do you get the key safely to the other party?
  • What if there are many people involved?
  • Fast encryption and decryption
  • DES - old and falls to brute force attacks
  • Triple DES - old but slightly harder to break
    with brute force.
  • AES - new standard

(Diagram: Plain text message -> AES with Key 9837362 -> Encrypted text -> AES with the same Key 9837362 -> Plain text message. Single key, e.g., AES.)
20
Encryption Dual Key
(Diagram labels: Message; Encrypted; Alice; Bob; Public Keys: Alice 29, Bob 17; Private Key 13; Private Key 37; Use Bob's Public key; Use Bob's Private key)
Alice sends a message to Bob that only he can read.
21
Dual Key Authentication
(Diagram labels: Message; EncryptT; EncryptM; EncryptTM; Transmission; Alice, Private Key 13; Bob, Private Key 37; Public Keys: Alice 29, Bob 17; Use Bob's Private key; Use Alice's Public key; Use Bob's Public key; Use Alice's Private key)
Bob sends a message to Alice. His key guarantees it came from him. Her key prevents anyone else from reading the message.
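The two slides above describe the same dual-key flow: the sender's private key proves origin, the recipient's public key keeps the message private. This added example (not from the slides) carries that flow through with textbook RSA on constructed toy primes; the key sizes, message value and function names are assumptions for illustration only.

```python
from math import gcd

def make_keypair(p, q, e):
    """Textbook RSA key pair from two primes and a public exponent (toy sizes only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), (n, pow(e, -1, phi))          # (public key, private key)

def apply_key(x, key):
    """Raise x to the key's exponent mod n; encrypt, decrypt, sign and verify all do this."""
    n, exp = key
    return pow(x, exp, n)

def send(message, sender_priv, recipient_pub):
    """Sign with the sender's private key, then encrypt with the recipient's public key."""
    # Textbook RSA has no padding: the message and the signature must both be smaller
    # than the recipient's modulus or the outer encryption is not reversible.
    if message >= sender_priv[0] or sender_priv[0] > recipient_pub[0]:
        raise ValueError("message/signature too large for these toy moduli")
    signature = apply_key(message, sender_priv)     # only the private-key holder can do this
    return apply_key(message, recipient_pub), apply_key(signature, recipient_pub)

def receive(packet, recipient_priv, sender_pub):
    """Decrypt with the recipient's private key, then verify with the sender's public key."""
    enc_message, enc_signature = packet
    message = apply_key(enc_message, recipient_priv)    # only the recipient can do this
    signature = apply_key(enc_signature, recipient_priv)
    if apply_key(signature, sender_pub) != message:      # anyone with the public key can check
        raise ValueError("signature mismatch: not from the claimed sender, or tampered")
    return message

if __name__ == "__main__":
    # Constructed toy keys: primes far too small for real use. Real systems sign a hash of
    # the message and use padding schemes (OAEP for encryption, PSS for signatures).
    alice_pub, alice_priv = make_keypair(61, 53, 17)   # n = 3233
    bob_pub, bob_priv = make_keypair(89, 97, 5)        # n = 8633
    packet = send(2024, alice_priv, bob_pub)           # Alice -> Bob
    print("Bob reads:", receive(packet, bob_priv, alice_pub))
```

Swapping in a different ciphertext without Alice's private key makes `receive` reject the packet, which is the origin guarantee the slide describes.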
22
Certificate Authority
  • Public key
    • Imposter could sign up for a public key.
    • Need trusted organization.
    • Only Verisign today, a public company with no regulation.
    • Verisign mistakenly issued a certificate to an imposter claiming to work for Microsoft in 2001.

(Diagram: How does Alice know that it is really Bob's key? Trust the C.A.; the C.A. validates applicants. Labels: Public Keys Alice 29, Bob 17; Alice; Use Bob's Public key)
23
Internet Data Transmission
(Diagram labels: Start; Intermediate Machines; Eavesdropper; Destination)
24
Clipper Chip Key Escrow
(Diagram labels: Clipper chip in phones; Encrypted conversation; Intercept; Escrow keys; Judicial or government office; Decrypted conversation)
25
Denial Of Service
(Diagram: Coordinated flood attack on a targeted server. Zombie PCs at homes, schools, and businesses with weak security are broken into and loaded with the flood program.)
26
Securing E-Commerce Servers
1. Install and maintain a working network firewall to protect data accessible via the Internet.
2. Keep security patches up-to-date.
3. Encrypt stored data.
4. Encrypt data sent across networks.
5. Use and regularly update anti-virus software.
6. Restrict access to data by business "need to know."
7. Assign a unique ID to each person with computer access to data.
8. Don't use vendor-supplied defaults for system passwords and other security parameters.
9. Track access to data by unique ID.
10. Regularly test security systems and processes.
11. Maintain a policy that addresses information security for employees and contractors.
12. Restrict physical access to cardholder information.
http://www.visabrc.com/doc.phtml?2,64,932,932a_cisp.html
27
Internet Firewall
(Diagram labels: Internet; Firewall router: examines each packet and discards some types of requests; Company PCs; Firewall router: keeps local data from going to Web servers; Internal company data servers)
28
Privacy
(Diagram: sources of personal data -- criminal records, complaints, fingerprints, transportation data, medical records, financial regulatory data, employment, environmental data, financial data, permits, census, credit cards, organizations, grocery store scanner data, purchases, phone, subscriptions, education, loans, licenses)
29
Cookies
(Diagram: exchange between User PC and Web server over time)
1. User PC: Request page.
2. Web server: Find page.
3. Web server: Send page and cookie.
4. User PC: Display page, store cookie.
5. User PC: Request new page and send cookie.
6. Web server: Use cookie to identify user.
7. Web server: Send customized page.
30
Misuse of Cookies Third Party Ads
(Diagram labels: User PC; Useful Web site; National ad Web site Doubleclick.com; Request page; Requested page; Link to ads; Hidden prior cookie; Ads, and cookie; Useful Web Page: text and graphics, advertisements)
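The cookie exchange on the previous slide and the third-party ad cookie on this one are simulated in the added example below (not from the slides): the ad host's cookie is sent back from every page that embeds its ads, so one ad network can correlate visits across unrelated sites, and refusing third-party cookies breaks that correlation. Host and site names are constructed.

```python
import itertools

AD_HOST = "ads.example"   # assumed host of the third-party ad server in this simulation

def parse_cookie_header(header):
    """Turn 'adid=u1; theme=dark' into {'adid': 'u1', 'theme': 'dark'}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies

class AdServer:
    """Third-party ad server: one cookie per browser and a log of every site it was seen on."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.profiles = {}            # cookie value -> list of referring sites

    def serve_ad(self, referring_site, cookie_header):
        uid = parse_cookie_header(cookie_header).get("adid")
        if uid is None:               # first contact: hand out a fresh tracking id
            uid = f"u{next(self._ids)}"
        self.profiles.setdefault(uid, []).append(referring_site)
        return {"body": f"<ad for visitor {uid}>", "set_cookie": f"adid={uid}"}

class Browser:
    """Keeps cookies per host; with block_third_party it refuses the embedded ad host's cookie."""
    def __init__(self, block_third_party=False):
        self.jar = {}
        self.block_third_party = block_third_party

    def visit(self, site, ad_server):
        # The useful page embeds the ad link; fetching it sends the ad host's own cookie,
        # the "hidden prior cookie" of the slide, regardless of which site embedded the ad.
        sent = {} if self.block_third_party else self.jar.get(AD_HOST, {})
        header = "; ".join(f"{k}={v}" for k, v in sent.items())
        resp = ad_server.serve_ad(site, header)
        if not self.block_third_party:
            name, _, value = resp["set_cookie"].partition("=")
            self.jar.setdefault(AD_HOST, {})[name] = value
        return resp["body"]

def browsing_profile(sites, block_third_party=False):
    """Visit the sites in order with one browser and return what the ad server learned."""
    ads, browser = AdServer(), Browser(block_third_party)
    for site in sites:
        browser.visit(site, ads)
    return ads.profiles
```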
31
Wireless Privacy
  • Cell phones require connections to towers
  • E-911 laws require location capability
  • Many now come with integrated GPS units
  • Business could market to customers in the
    neighborhood
  • Tracking of employees is already common

32
Privacy Problems
  • TRW--1991
    • Norwich, VT
    • Listed everyone delinquent on property taxes
  • Terry Dean Rogan
    • Lost wallet
    • Impersonator, 2 murders and 2 robberies
    • NCIC database
    • Rogan arrested 5 times in 14 months
    • Sued and won $55,000 from LA
  • Employees
    • 26 million monitored electronically
    • 10 million pay based on statistics
  • Jeffrey McFadden--1989
    • SSN and DoB for William Kalin from military records
    • Got fake Kentucky ID
    • Wrote $6,000 in bad checks
    • Kalin spent 2 days in jail
    • Sued McFadden, won $10,000
  • San Francisco Chronicle--1991
    • Person found 12 others using her SSN
    • Someone got 16 credit cards from another's SSN, charged $10,000
    • Someone discovered unemployment benefits had already been collected by 5 others

33
Privacy Laws
  • Minimal in US
  • Credit reports
    • Right to add comments
    • 1994: disputes settled in 30 days
    • 1994: some limits on access to data
  • Bork Bill--can't release video rental data
  • Educational data--limited availability
  • 1994 limits on selling state/local data
  • 2001 rules on medical data
  • Europe
    • France and some other controls
    • 1995 EU Privacy Controls

34
Primary U.S. Privacy Laws
  • Freedom of Information Act
  • Family Educational Rights and Privacy Act
  • Fair Credit Reporting Act
  • Privacy Act of 1974
  • Privacy Protection Act of 1980
  • Electronic Communications Privacy Act of 1986
  • Video Privacy Act of 1988
  • Driver's Privacy Protection Act of 1994
  • 2001 Federal Medical Privacy rules (not a law)

35
Anonymity
  • Anonymous servers: http://www.zeroknowledge.com
  • Dianetics church (L. Ron Hubbard) officials in the U.S.
    • Sued a former employee for leaking confidential documents over the Internet.
    • He posted them through a Danish anonymous server.
    • The church pressured police to obtain the name of the poster.
    • Zero Knowledge server is more secure
  • Should we allow anonymity on the Internet?
    • Protects privacy
    • Can encourage flow of information
      • Chinese dissenters
      • Government whistleblowers
    • Can be used for criminal activity