Computer Security aka: Information Assurance IA - PowerPoint PPT Presentation

Slides: 16
Provided by: busi415

Transcript and Presenter's Notes


1
Computer Security (aka Information Assurance IA)
2
Computer Security
  • Those safeguards taken to protect computer
    systems and data from unauthorized access or
    damage either by intentional or accidental means.

3
3 Myths about Computer Security
  • Possible to make a system 100% fool-proof
  • Computer security problems can only be prevented
    by someone who is technically sophisticated
  • Most computer crimes are committed by outside
    hackers (most are by insiders)!

4
Most Frequently Stolen Data
  • Strategic Plans
  • Research & Development (R&D)
  • Customer
  • Financial

5
A Couple of Useful Sources
  • Computer Security Institute (CSI)
  • (www.gocsi.com)
  • CERT alerts (www.cert.org)
  • Yahoo search on Computer Security

6
3 Major Vulnerability Points in E-Commerce
  • Client-side Computers
  • Communication channels (networks)
  • Commerce Server-side

7
Client Protection Measures I Take: Software
  • 1. McAfee Virus Scan
  • 2. Zonealarm.com Personal Firewall
  • OPTIONAL
  • 3. Run Ad-aware weekly (link on classes123)
  • 4. Cookie Washer (anonymizer.com's Window
    Washer program)
  • 5. Smart Card Visa Reader Software

8
Client Protection Procedural Measures I Take
  • 5. Change passwords and store logins and
    passwords on smart card, not on websites (I don't
    want any site to remember me)
  • 6. One credit card exclusively for web
    purchasing and review online statement often
  • 7. Personally, I don't allow automatic
    deductions from my checking account for any website

9
Final Word on Client Side Measures
  • There is NO WAY to bullet-proof your
    computer... all you can do is create enough
    barriers to frustrate would-be hackers, who then
    go elsewhere, where the pickings are easier
    (lots of unsecured personal computers)!

10
E-Commerce Channels (network measures)
  • Encryption (PKI)
  • Digital Signatures
  • Legal Cornerstones: attribution, integrity,
    non-repudiation

11
Protecting the Commerce (Web) Server
  • The Web server responds to requests from Web
    browsers through the HTTP protocol
  • Security solutions for commerce servers:
  • Access control and authentication
  • Operating system controls
  • Firewall

12
Access Control and Authentication
  • The server can authenticate a user in several
    ways:
  • First, the digital certificate represents the
    user's admittance voucher.
  • Second, the server checks the timestamp on the
    certificate to ensure that the certificate has
    not expired.
  • Third, a server can use a callback system to check
    the user's client computer address and name.
  • An access control list (ACL) is a list or
    database of people who can access the files and
    resources.
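
Added example (not part of the original slides): a Python sketch of the checks listed on this slide, applied in order: certificate presented, validity timestamps, callback on the client's address and name, then the ACL. The names ClientCert, callback_ok and authorize, the ACL entries and the address tables are constructed for illustration; signature-chain verification is assumed to have been done already, and the dict lookups stand in for real DNS queries.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class ClientCert:
    """Fields from a certificate whose signature chain was already verified (assumption)."""
    subject: str
    claimed_host: str
    not_before: datetime
    not_after: datetime

# Constructed ACL: certificate subject -> resources that subject may access.
ACL = {"alice@example.com": {"/orders", "/invoices"}}

# Constructed stand-ins for reverse and forward DNS so the example runs offline.
REVERSE = {"192.0.2.10": "pc1.example.com"}
FORWARD = {"pc1.example.com": {"192.0.2.10"}}

def callback_ok(peer_ip, claimed_host, reverse=REVERSE, forward=FORWARD):
    """Callback check: the address must map to the claimed name, and the name back to the address."""
    name = reverse.get(peer_ip)
    return name == claimed_host and peer_ip in forward.get(name, set())

def authorize(cert, peer_ip, resource, now=None, acl=ACL):
    """Return (allowed, reason); the first failing check decides, and the default is deny."""
    now = now or datetime.now(timezone.utc)
    if cert is None:
        return False, "no certificate presented"
    if now < cert.not_before:
        return False, "certificate not yet valid"
    if now > cert.not_after:
        return False, "certificate expired"
    if not callback_ok(peer_ip, cert.claimed_host):
        return False, "callback mismatch"
    if resource not in acl.get(cert.subject, set()):
        return False, "not permitted by ACL"
    return True, "ok"

if __name__ == "__main__":
    utc = timezone.utc
    cert = ClientCert("alice@example.com", "pc1.example.com",
                      datetime(2024, 1, 1, tzinfo=utc), datetime(2024, 12, 31, tzinfo=utc))
    now = datetime(2024, 6, 1, tzinfo=utc)
    for ip, res in [("192.0.2.10", "/orders"), ("198.51.100.7", "/orders"),
                    ("192.0.2.10", "/admin")]:
        print(ip, res, authorize(cert, ip, res, now))
```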

13
Operating System Controls
  • Most operating systems have a username and
    password user authentication system in place.
  • Access control lists and username/password
    protections are probably the best known of the
    UNIX security features.

14
Firewalls
  • A firewall is a computer and software combination
    that is installed at the entry point of a
    networked system.
  • The firewall provides the first line of defense
    against a network that could pose a threat.
  • Acting as a filter, firewalls permit selected
    messages to flow into and out of the protected
    network.

15
Disaster Recovery Plan
  • Aka Business Resumption Plan
  • A plan detailing what has to be done, by
    whom, and in what order to restore systems or
    data that have been compromised
  • E.g., WA State Plan (link on Classes123)
  • Diane's Handout Plan template
  • Begins with Risk Assessment (80/20 principle)
  • Plan must be tested by unannounced fire drills