Business/Home Information Security Seminar
Presented by: Jose R. Paloschavez
Candidate for Master of Science in Network Security
E-mail: [email protected]
Porter Library, April 2, 2003, 7:00 P.M.-9:00 P.M.
Disclaimer: All information provided by Jose R. Paloschavez in this seminar or made available to the public is to provide information for interested persons. While Jose R. Paloschavez believes the information is reliable, human or mechanical error remains a possibility. Therefore, Jose R. Paloschavez does not guarantee the accuracy, completeness, timeliness, or correct sequencing of information. Neither Jose R. Paloschavez, nor any of the sources of the information, shall be responsible for any error or omission or the use of, or the results obtained from the use of, this information.
Information Security
Agenda
• History (Internet)
• Why Should We Care About Security?
• The Problem – In Large
• Methods of Attack
• Attacker’s Process
• Malicious Mobile Code
• Laws and Legal System
Agenda (cont)
• Privacy Issues and Civil Liberties
• Continuing Threats to Home Users
• Steps to Protect Personal Information – Security Knowledge in Practice
• Important Resources
History
• 1845 – Morse, first working telegraph model, New York
• 1881 – Telephone scrambler
• 1920’s – Government wiretaps
• 1940’s – AEA Restricted Data category
• 1980’s – Defense Authorization Act
– Onset of the personal computer
– More corporate/proprietary data stored on diskette in volatile space
– VIRUSES
History (cont)
• 1990’s – Increased quality of shared applications
– Increasing dependence on resources
– International threats and risks
– Shrinking budgets force cuts in security spending
– OPEN systems
– Challenge of the decade before Y2K
Internet, a.k.a. “the Net”, the “Web”, dub…dub…dub
Definition
• A global network of networks enabling computers of all kinds to directly and transparently communicate and share services through much of the world
– Internet Society
Internet – How does it work?
(Eight diagram slides, 1 of 8 through 8 of 8; the diagrams themselves are not present in the extracted text.)
Why Should We Care about Computer Security? (Home)
The Internet has become indispensable to home users…
• Banking transactions – check financial records, pay bills, etc.
• On-line shopping – electronics, home improvement, etc.
• Electronic mail (e-mail)
• Chat
• Access information rapidly (24x7) – news, weather, etc.
Why Should We Care about Computer Security? (Business)
The Internet has become indispensable to business…
• Conduct electronic commerce
• Provide better customer service
• Collaborate with partners
• Reduce communication costs
• Improve internal communications
• Access critical information rapidly (24x7)
Why Should We Care about Computer Security? (Business) (cont)
Security Principles:
• Confidentiality
• Integrity
• Availability
• Authentication
• Non-Repudiation
The Problem – In Large
Statistics:
• 90% of respondents to the Computer Security Institute/FBI 2002 survey reported security breaches (85% in 2001, 70% in 2000, 62% in 1999)*
– 223 organizations (44%) able to quantify financial loss reported $445.8M (2002 survey)
– 186 organizations (35%) able to quantify financial loss reported $377.8M (273 organizations [51%], $265.6M in the 2000 survey)
• Theft of proprietary information and financial fraud were the most serious
– 70% cited their Internet connection as a frequent point of attack (59% in the 2000 survey)
– 90% acknowledged financial losses due to computer breaches
• *Computer Crime and Security Survey, Computer Security Institute and the FBI, 2002, http://www.gocsi.com/pdfs/fbi/FBI2002.pdf
• *Computer Crime and Security Survey, Computer Security Institute and the FBI, 2001, http://www.gocsi.com/prelea_000321.htm
Methods of Attack
Methods used to bypass access controls and gain unauthorized access to information
• Brute Force – a persistent series of attacks, trying multiple approaches, in an attempt to break into a computer system
• Denial of Service – overloading a system through an online connection to force it to shut down
• Social Engineering – deception of system personnel in order to gain access
• Spoofing – masquerading an ID or data to gain access to data or a system
• Dictionary Attack – a file that contains most dictionary words, used to guess a user’s password
Malicious Mobile Code
• Virus – code that attaches itself to a program or file and spreads when that program or file is run or copied
• Worm – self-contained code that spreads to other systems on its own over a network, without needing a host program
• Trojan Horse – a program that appears useful or harmless but carries hidden malicious functionality
• Logic Bomb – code that lies dormant until a particular condition (a date, an event, a user action) triggers it
The Attacker’s Process
Some ways an attacker can gain access to or exploit a system
• Passive Reconnaissance – attacker must have some general information (e.g. sniffing)
• Active Reconnaissance – attacker has enough information to try active probing or scanning against a site (e.g. services running, ports, etc.)
• Exploiting the System – compromise a system/user’s account to gain access
• Uploading Programs – once the attacker has gained access, uploading may take place
• Downloading Data – attacker is usually after information (e.g. personal, credit card)
Black Hats vs. White Hats
Terms:
• Black Hat – hacker (noun); hackers are capable of finding flaws on their own and ultimately exploit system security breaches for their nefarious ends…
– Dictionary.com
• White Hat – hacker (noun); a person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
– www.whitehat.org
Laws and Legal System – What You Need to Know…
• National Infrastructure Protection Center – Mission is to “serve as the government’s focal point for threat assessment, warning, investigation, and response to threats or attacks against our nation’s critical infrastructures.”
• United States Code, Title 18 – Defines the federal crimes, court systems, and punishments of the United States.
• Electronic Communications Privacy Act – Makes it illegal to intercept or disclose private communications and provides victims of such conduct a right to sue anyone violating its mandate.
• The Computer Fraud and Abuse Act (as amended 1994 and 1996) – “…having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data…”
Laws and Legal System (cont)
Computer Crime
• Breaches of physical security
– dumpster diving
– wiretapping
– eavesdropping
– denial or degradation of service
• Breaches of personnel security
– masquerading
– social engineering
– harassment
Laws and Legal System (cont)
Computer Crime
• Breaches of communications and data security
– data attacks
– software attacks
• Breaches of operating security
– data diddling
– IP spoofing
– password sniffing
– excess privileges
Laws and Legal System (cont)
Computer Crime Laws and Regulations
• Common law systems – US, Canada, UK, Australia, New Zealand
• Civil law systems – France, Germany, Quebec
Laws and Legal System (cont)
Computer Crime
• Criminal law – individual conduct which violates state or federal laws enacted for the protection of the public
• Civil law (tort) – a wrong against an individual or business which results in damage or loss
– no prison time
– requires financial restitution
Laws and Legal System (cont)
Computer Crime
• Civil law (continued)
– Compensatory damages – actual damages to victim, attorneys’ fees, lost profits, investigation costs
– Punitive damages – set by jury to punish the offender
– Statutory damages – damages determined by law; the violation itself entitles the victim
Laws and Legal System (cont)
Computer Crime
• Administrative/regulatory law – standards of performance and conduct imposed by government agencies on organizations
• Intellectual property/information technology related laws (SRV Theory 903.3)
– Patent – grants the owner a legally enforceable right to exclude others from practicing the invention covered; protects novel, useful and non-obvious inventions
Laws and Legal System (cont)
Computer Crime
• Intellectual property (continued)
– Trademark – any word, name, symbol, color, sound, product shape or device, or combination of these, used to identify goods and distinguish them from those made or sold by others
– Copyright – covers the expression of ideas rather than the ideas themselves (“original works of authorship”)
– Trade secret – proprietary business or technical information which is confidential and protected as long as the owner takes certain security actions
Laws and Legal System (cont)
Computer Crime
• Computer crime laws
– computer-related crimes and abuses
– viruses
– software piracy (“software police”)
– Internet crossing-jurisdiction problems
– illegal content issues (child pornography)
– wire fraud and mail fraud, often used in computer crime cases
– various economic or financial crime laws
Privacy and Civil Liberties
• The term privacy stems from the Latin word privatus, which literally means “apart from the public life.”
– André Bacard, Computer Privacy (1995)
• Over one hundred years ago, Justice Louis D. Brandeis called the right to privacy “the right to be alone.”
– Ellen Alderman, The Right to Privacy (1995)
• The American right to privacy is rooted in the Fourth Amendment to the United States Constitution. This Amendment, which was ratified in 1791, states:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Continuing Threats to Home Users
Topics:
• CERT/CC has observed a significant increase in activity resulting in compromises of home user machines
• Many home users DO NOT keep their machines up to date with security patches and workarounds, DO NOT run current anti-virus software, and DO NOT exercise caution when handling email attachments
• Intruders are aware of these facts. Consequently, there has been an increase in intruders specifically targeting home users who have cable modem or DSL (Digital Subscriber Line) connections
Steps Users Can Take to Improve Their Computer Systems (Home)
• Use a personal router (if connected to a cable modem or DSL) (e.g. Linksys, D-Link, etc.)
• Use a personal firewall (e.g. Zone Alarm, FREE)
– Software firewall – specialized software running on an individual computer or network
– Network firewall – a dedicated device designed to protect one or more computers
• Use anti-virus software (e.g. McAfee, Norton or Trend Micro)
• Don’t open unknown email
• Don’t run programs of unknown origin
• Turn off your computer or disconnect from the network when not in use
• Make regular backups of critical data
Security Knowledge in Practice (Business)
Steps to Improve Your Systems’ Security
• Vendor-Provided Defaults – when you receive software from a vendor, it has default settings. This default configuration may leave you vulnerable to compromise.
• Hardening and Securing – identify hardware/software
• Prepare – files & directories, processes, performance, network, procedures, contacts, test environments and disaster recovery
• Detect – analyze and monitor information sources and logs
• Respond – analysis, forensics, containment and PR
• Improve – patch, re-architect
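As an added example (not part of the seminar), the “Detect” step above applied to the brute-force and dictionary attacks listed under Methods of Attack: a small Python script scans login-log lines for a burst of failed logins against one account from one source and reports whether a successful login followed, which is the signature of a guessed password. The log format, user names and addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified syslog-like format (an
# assumption, not a real product's format). Hypothetical users and addresses.
SAMPLE_LOG = """\
2003-04-02 19:00:01 auth: FAILED login user=alice from=192.168.1.50
2003-04-02 19:00:03 auth: FAILED login user=alice from=192.168.1.50
2003-04-02 19:00:04 auth: FAILED login user=alice from=192.168.1.50
2003-04-02 19:00:05 auth: FAILED login user=alice from=192.168.1.50
2003-04-02 19:00:06 auth: FAILED login user=alice from=192.168.1.50
2003-04-02 19:00:07 auth: FAILED login user=alice from=192.168.1.50
2003-04-02 19:00:09 auth: OK login user=alice from=192.168.1.50
2003-04-02 19:30:00 auth: FAILED login user=bob from=192.168.1.77
2003-04-02 20:15:00 auth: OK login user=bob from=192.168.1.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth: "
    r"(?P<result>FAILED|OK) login user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, user, source) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"], m["user"], m["src"])


def find_guessing_attacks(text, threshold=5, window=timedelta(minutes=1)):
    """Flag (user, source) pairs with at least `threshold` failed logins inside
    a sliding time window; record whether a later success followed."""
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failures
    alerts = {}
    for ts, result, user, src in parse_log(text):
        key = (user, src)
        if result == "FAILED":
            # Keep only failures still inside the window, then add this one.
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) >= threshold:
                alerts.setdefault(key, {"failures": 0, "success_after": False})
                alerts[key]["failures"] = len(recent)
        elif key in alerts:
            # A success after a flagged burst: treat the account as compromised.
            alerts[key]["success_after"] = True
    return alerts
```

A burst with a trailing success is the case to respond to first (reset the password, review what the account did next); a burst with no success still merits a lockout or a block of the source.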
Important Resources
• CERT®/CC Contact Information – http://www.cert.org – +1 412-268-7090 (24-hour hotline)
• SANS (System Administration, Audit, Network, Security) Institute – http://www.sans.org – +1 866-570-9927 (8-5 EST hotline)
• Federal Bureau of Investigation, National Infrastructure Protection Center (NIPC) – http://www.nipc.gov – +1 888-585-9078 (24-hour hotline)
• Virus Bulletin (independent anti-virus advice) – http://www.virusbtn.com/
Important Resources (cont)
• Federal Trade Commission – http://www.ftc.gov – +1 877-FTC-HELP (24-hour hotline)
• Commonwealth of Virginia Cyber Cops, Office of the Attorney General, Technological Division, Computer Crime Unit – http://jcots.state.va.us – +1 804-786-6053 (24-hour hotline)
• Federal Bureau of Investigation (Online Child Pornography), Innocent Images National Initiative – http://www.fbi.gov/hq/cid/cac/innocent.htm – +1 800-843-5678 (24-hour hotline)
• Request that your name be removed from marketing lists to reduce the number of pre-approved credit card applications received by U.S. mail – +1 800-567-8688
Business/Home Information Security Seminar
Presented by: Jose R. Paloschavez
E-mail: [email protected]
Candidate for Master of Science in Network Security
Capitol College, 2003