LIS3353 SP12 Week 9



Published in: Education, Technology
  • Please remain consistent with slide titling – title is larger than other slides’ titles. Change “Secure” to “Security.”

    1. Technologies – LIS 3353
       • Security
       • Week 10
       • Week 9 – 2/24/12
    2. Agenda
       • IT News
       • Exam Follow-up
       • Security
       • Tuesday & Thursday Lab
    3. Security (week 10) News
    4. Security News
       • Computer spyware is newest weapon in Syrian conflict: A U.S.-based antivirus software maker, which analyzed one of the viruses at CNN's request, said that it was recently written for a specific cyberespionage campaign and that it passes information it robs from computers to a server at a government-owned telecommunications company in Syria.
       • Virus infects computer at CCSU (Central CT State Univ.): The virus, which perpetrated the infection, was a variant of the malevolent software, ZBot, said James Estrada, spokesman of the university. According to him, except for the Social Security Numbers, no other private detail was compromised. reported this on February 16, 2012.
       • Computer Infections to Rise During #Oscars?
       • NORIS system shut down over virus: A critical computer network is down after falling victim to a sophisticated worm. Friday, that system is down for the third day, impacting about 200 different agencies, including police departments, jails and courts all over northwest Ohio.
       • High School student blamed for uploading virus to school PC
       • 4-8% of computers in China have viruses
    5. The List ….
       • Latest 5 virus alerts (Source: Sophos Anti-Virus)
         – 2/27/12 W32/Autorun-BUY
         – 2/27/12 Troj/ZBot-BNF
         – 2/27/12 Troj/ZBot-BNE
         – 2/27/12 Troj/JavaSMS-L
         – 2/27/12 Mal/ZboCheman-A
       • Top 5 viruses in October 2010 (Source: Sophos Anti-Virus)
         1. Troj/Invo-Zip
         2. W32/Netsky
         3. Mal/EncPk-EI
         4. Troj/Pushdo-Gen
         5. Troj/Agent-HFU
    6. Security Myths
       • Why should I care? I have nothing to hide.
       • There is nothing on my computer that anyone would want.
       • I have the best security set-up. I have a firewall/virus program.
       • Hackers usually go after big companies.
       • I use a Mac!
    7. Quick Check! On your own (5 minutes) – on the cards
       1. Your name
       2. What is computer security?
       3. List 2 ways in which users put themselves at risk
       4. On a scale of 1-10 (1=never safe, 10=totally secure), how safe do you feel from computer threats (viruses, worms, hackers, etc.)?
       5. On a scale of 1-10 (1=never, 10=always), how often do you protect your computer from viruses?
       6. On a scale of 1-10 (1=never, 10=always), how often do you provide personal information on the web?
    8. What is the goal of Computer Security?
       • To prevent and detect unauthorized actions by users of the system
       • How do you achieve Computer Security?
         – Security principles/concepts: explore general principles/concepts that can be used as a guide to design secure information processing systems
         – Security mechanisms: explore some of the security mechanisms that can be used to secure information processing systems
         – Physical/Organizational security: consider physical & organizational security measures (policies)
       • Take a class in SECURITY
       • Get certified – CISSP
    9. Security Defined
       • What is Computer Security (in reality)?
         – Confidentiality: prevent unauthorized disclosure of information
         – Integrity: prevent unauthorized modification of information
         – Availability: prevent unauthorized withholding of information
       • CIA model is the basis of Information Assurance
       • Additional criteria: authenticity, accountability, reliability, safety, dependability, survivability, currency, etc.
    10. Security Defined (CIA)
       • Confidentiality: prevent unauthorized disclosure of information
         – Privacy: protection of private data
         – Secrecy: protection of organizational data
         – https://, PGP, SSH, IPsec
       • Integrity: prevent unauthorized modification of information
         – Preventing unauthorized writing or modifications
         – Access control
       • Availability: prevent unauthorized withholding of information
         – Services are accessible and usable (without undue delay) whenever needed by an authorized entity
         – 24/7 – no DoS
    11. Security Defined (CIA)
       • Diagram labels: Confidentiality, Secure, Integrity, Availability
    12. Beyond CIA
       • Accountability
         – Actions affecting security must be traceable to the responsible party (audits)
         – Audit information must be kept and protected (compliance with SOX)
         – Access control is needed
       • Reliability – deals with accidental damage (do you get consistent performance)
       • Dependability – reliance can be justifiably placed on the system (similar to integrity)
       • Survivability/Disaster Recovery/Business Continuity – deals with the recovery of the system after massive failure (especially after 9/11)
    13. Finding a Balance
       • Security policies interfere with working patterns, and can be very inconvenient
       • Require a focus on new workflows
       • Security mechanisms need additional computational resources
       • Security should be a forethought
       • Managing security requires additional effort and costs
       • ROI is hard to determine
       • Ideally, there should be a trade-off
    14. Finding a Balance
       • Diagram: The Dimensions of Computer Security
         – Horizontal axis: User (subject) to Resource (object)
         – Vertical axis: Application Software to Hardware
    15. Asking the Right Questions
       • Should protection focus on data, operations, or users? (See the onion.)
       • In which layer should we place security? Could we place it in all layers?
       • Should security focus on simplicity (i.e., complexity, assurance, one password entry, lots of passwords)?
       • Should security control tasks be given to a central entity, or left to individual components (i.e., people, departments, divisions, etc.)?
       • Who controls the security policy?
       • Layers: Hardware, OS, Services, Applications
    16. Asking the Right Questions
    17. Hardware
       • Hardware is more visible to criminals
       • It is easier to add/remove/change hardware devices, intercept traffic, flood devices with traffic, and in general control hardware devices’ functionality
       • Hardware is ignored in security training
       • Hardware can also be removed – VA laptop, DOD laptop, hard drives lost, etc.
       • Ex.: UNC. Since Jan. 1, the Chapel Hill Police Department has received reports of the theft of 45 laptops. Some were reportedly stolen in residential or business break-ins, others were taken during armed robberies or when their owners left them unattended.
    18. Software
       • Interruption (deletion): surprisingly easy!
       • Modification:
         – Logic bomb – failure occurs when certain conditions are met
         – Buffer overflow – similar to logic or programming error
         – Virus – a specific Trojan horse that can be used to spread its “infection”
         – Worm – self-reproducing program (usually spreads through e-mails)
         – Trapdoor – a program that has a specific entry point
       • Interception (theft): unauthorized copying
    19. Software
       • Phishing
       • Ex.: During the 12 months that ended in May 2005, 73 million American adults who use the Internet said that they "definitely" received or "thought they received" an average of more than 50 phishing e-mails. That number was 28 percent higher than the previous year.
       • Where do they originate?
    20. Data
       • Data are readily accessible
       • Attacks on data are more widespread
       • Data are everywhere …. We give it away to everyone!
       • Fill out a credit card application, get a free water bottle/coffee cup/t-shirt
       • What’s your zip code, your phone number, etc.?
    21. Who is ptwhitelabel.com
       • Jonathan Harris, a UC Davis graduate who runs the Web site from his Placerville home
    22. Defense-In-Depth
       • Schou & Trimmer
    23. Attacks
       • United States Department of Commerce has compiled a list of the general categories of computer attacks (Security Glossary):
         – Remote or Local Penetration
         – Remote or Local DOS
         – Scanning (Ethereal)
         – Password Crackers
         – Sniffers
    24. Protections
       • Basics
         – Firewall (Zone Alarm, Norton, hardware solutions)
         – Anti-virus (McAfee, Norton, Symantec)
         – Patches (automatic updates)
         – Strong passwords (> 20 characters)
         – Where is your data? How is it protected? Do you have it backed up?
    25. Looking for Security News
       • Sans
       • Pulse
       • Shadow
       • Cert
    26. Risk Assessment
       • A process of ………
         – Including a Business Impact Analysis
         – Identifying assets and ranking them
         – Identifying risks and ranking them
         – Associating specific risks with critical assets
         – Recommending actions to be taken
       • See
    27. Risk Assessment
       • Don’t assume physical security!!!!
       • VA laptop, DOD laptop, Los Alamos HD issue
       • Why steal just the data when you can steal the hardware?
       • Faculty offices, student laptops in libraries
    28. Risk Assessment
       • Use strong passwords on all accounts
         – More than 20 characters
         – Limited by keyboard
         – Under 14 characters is “crackable”
       • Your password is a very important secret
       • Select one you can remember (new rules)
       • You can remember a long password (Peter Henry Thesis)
    29. Risk Assessment
       • Passwords
         – Change yours often!
         – Don't leave yours lying around!
         – The longer the better!
         – Don't share yours with friends!
         – FYI – in healthcare, people write down passwords all the time
         – CHECK! (# passwords 1, 2, 3, 4, 5, 6, recycle)
    30. Technology Approaches
       • Operating system software
         – Keep it updated with necessary patches
       • Patching
         – Make sure your computer has the latest operating system release
         – Auto setting is the best!
         – New security bugs are discovered all the time
         – Remember the CERT website
    31. Technology Approaches
       • Firewall (hardware or software) – permits passage of data based on security policies
       • Virtual Private Network (VPN) – private communications over public networks (secured through authentication, cryptography, tunneling protocols) using IPsec (IP Security), SSL (tunneling), and others …
    32. Technology Approaches
       • Hardware can be replaced
         – Keep serial numbers in a secure location
       • Application software can be reloaded
         – Know what you have installed
       • Data could be gone forever
       • Data could be gone forever
       • Data could be gone forever
       • Data could be gone forever
       • Ensure that adequate backups for your systems are done on a regular basis
    34. Web Sites
       • Understand that e-mail is not secure.
       • KaZaA, etc. turned your computer into a distributor so that people can download from your machine!
         – NOTE: 45% of free files collected by KaZaA contained viruses, Trojan horse programs and backdoors.
       • Sometimes you don't even know you are responsible for security violations – your computer gets hacked and is used to hack others (you have no idea it's being done).
    35. E-mail & Social Engineering
       • E-mail:
         – A day-to-day necessity in our educational environment
         – We take it for granted
       • Social Engineering
         – “Smooth-talking your way into a system”
         – Common types of social engineering:
           • Impersonation / Important user / Pre-texting
           • You can find out information on Facebook / MySpace
           • Surplus equipment, Tallahassee (Cash for Trash)
           • War-driving & dumpster diving
    36. E-mail & Social Engineering
    37. Solutions
       • None! (Well, none that are completely secure.)
       • Assume you will be compromised.
       • The task is to get back up and running.
       • Reporting
       • Setting up VPN at FSU
       • Subscribe to CERT
       • Subscribe to US-CERT
    38. CERT ml
    39. Getting a JOB
       • Computer Security (Network Security)
       • Information Assurance
         – The technical and managerial measures designed to ensure the confidentiality, possession/control, integrity, authenticity, availability, and utility of information and information systems. This term originated with government usage and is sometimes synonymous with information security.
         – Become a CISSP
    40. Questions?