Topic #17
IT Security
IT Security Incidents: A Worsening Problem
Security of informa:on technology is cri:cal
§ protect confiden+al business data, including customer and
employee data
§ protect against malicious acts of the5 or disrup6on
Security concerns must be balanced against other business needs
(ethical decision regarding IT security):
§ Pursue prosecu6on at all costs or maintain low profile : to avoid
nega6ve publicity!!
§ how much effort and money should be devoted to security?
§ if firm produces SW with security flaws, what ac6ons should it
take?
§ what if security safeguards make life more difficult for
customers and employees: will it result in lost sales and
increased costs?
2
Number of IT Security Incidents Are Increasing
Computer Emergency Response Team Coordina6on Center
(CERT/CC)
§ Established in 1988 at the So5ware Engineering Ins6tute (SEI)
§ SEI: federally funded R&D center at CMU
§ Charged with
§ coordina6ng communica6on among experts during
computer security emergencies
§ helping to prevent future incidents
§ study Internet security vulnerabili6es
§ publish security alerts
§ develop informa6on and training for organiza6ons
3
Increasing Complexity Increases Vulnerability
Compu6ng environment is enormously complex
Con6nues to increase in complexity:
§ networks, computers, OSes
§ apps, Web sites
§ switches, routers, gateways
§ all interconnected and driven by 100s of millions of LoC
(Lines of Code).
Number of possible entry points to a network expands
con6nuously as more devices added,
§ This increases possibility of security breaches
4
Increased Reliance on Commercial SoDware with
Known Vulnerabili:es
Exploit: An a\ack on an informa6on system that takes advantage of a
par6cular system vulnerability. Typically due to poor system design or
implementa6on SW developers quickly create and issue patch:
§ a “fix” to eliminate the problem
§ users are responsible for obtaining and installing patches
-which they can download from the Web
§ delays in installing patches expose users to security breaches
Zero-day aIack: Takes place before a vulnerability is discovered or fixed
U.S. companies rely on commercial so5ware with known vulnerabili6es.
IT orgs con6nue to use installed So5ware “as is” (e.g. IE, RealPlayer, JRE)
§ Since security fixes could make SW harder to use or eliminate
“nice to have features.”
5
Number of Vulnerabili:es Reported to CERT/CC
6
Rate of
discovering
So5ware
vulnerabili6es
Exceeds 10/day
AIack of the Giant Worm
• On November 2, 1988, a worm began to thread its way
through the Internet. Once installed, it mul6plied, clogging
available space, un6l computers ground to a halt. The worm
exploited UNIX holes in sendmail and fingerd. Around 2500
computers were infected.
Within 12 hours, the Computer Systems Research Group at
Berkeley developed ...
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Topic #17 IT Security ITSecurityIncidentsA.docx
1. Topic #17
IT Security
IT Security Incidents: A Worsening Problem
Security of informa:on technology is cri:cal
§ protect confiden+al business data, including customer
and
employee data
§ protect against malicious acts of the5 or disrup6on
Security concerns must be balanced against other
business needs
(ethical decision regarding IT security):
§ Pursue prosecu6on at all costsor maintain low
profile : to avoid
nega6ve publicity!!
§ how much effort and money should be
devoted to security?
§ if firm produces SW with security flaws, what ac6ons
should it
take?
§ what if security safeguards make life more
2. difficult for
customers and employees: will it result in lost
sales and
increased costs?
2
Number of IT Security Incidents Are Increasing
Computer Emergency Response Team Coordina6on
Center
(CERT/CC)
§ Established in 1988 at the So5ware Engineering
Ins6tute (SEI)
§ SEI: federally funded R&Dcenter at CMU
§ Charged with
§ coordina6ng communica6on among experts during
computer security emergencies
§ helping to prevent future incidents
§ study Internet security vulnerabili6es
§ publish security alerts
§ developinforma6on and training for organiza6ons
3
Increasing Complexity Increases Vulnerability
3. Compu6ng environment is enormously complex
Con6nues to increase in complexity:
§ networks, computers, OSes
§ apps, Web sites
§ switches, routers, gateways
§ allinterconnected and driven by 100s of millions of
LoC
(Lines of Code).
Number of possible entrypoints to a network
expands
con6nuously as more devices added,
§ This increases possibility of security breaches
4
Increased Reliance on Commercial SoDware with
Known Vulnerabili:es
Exploit: An aack on an informa6on system
that takesadvantage of a
par6cular system vulnerability. Typically due to poor
system design or
implementa6on SW developers quickly create and
issuepatch:
§ a “fix”to eliminate the problem
§ users are responsible for obtaining and installing
patches
4. -which they can download from the Web
§ delays in installing patches expose usersto
security breaches
Zero-day aIack: Takes place before a
vulnerability is discovered or fixed
U.S. companies rely on commercial so5ware with
known vulnerabili6es.
IT orgs con6nue to use installed So5ware “as is”
(e.g. IE, RealPlayer, JRE)
§ Since security fixes could make SW harder to
use or eliminate
“nice to have features.”
5
Number of Vulnerabili:es Reported to CERT/CC
6
Rate of
discovering
So5ware
vulnerabili6es
Exceeds 10/day
AIack of the Giant Worm
• On November2, 1988, a worm began to
thread its way
through the Internet. Onceinstalled, it mul6plied,
5. clogging
available space, un6l computersground to a halt.
The worm
exploited UNIX holes in sendmail and fingerd.
Around 2500
computerswere infected.
Within 12 hours, the Computer Systems Research
Group at
Berkeley developed a way of stopping the spread of
this
worm.
Total Cost? Although no data were destroyed,
the 6me
involved in fixing and tes6ng was es6mated to be
between
$1,000,000 and $100,000,000.
7
The Culprit?
• Robert J. Morris, a
Cornell graduate
student in computer
science, was convicted
on May 4, 1990 to 3-
year proba6on and a
$10,000 fine.
• “I'm at the MIT
Computer Science and
Ar6ficial Intelligence
Laboratory (CSAIL) in
the PDOS group.
6. 8
First Na6onal Aack
• For the first 6me, a na6onal aack on the
Internet was exposed.
• As a result, the Computer Emergency
Response Team (CERT), at the So5ware
Engineering Ins6tute of Carnegie Mellon
University was developed.
9
Other Examples
• HBO: In April of 1986, an HBO channel
was taken over by an
intruder known as Captain Midnight, who overpowered
the
HBO uplink transmier signal with a stronger signal,
and sent
out his own messages to eightmillion viewers.
• Friday the 13th:A student at Hebrew University
in Jerusalem
discovered that thousands of university computerswere
infected with a virus. The virusslowed down
processing on
certain Fridays the 13th and was scheduled to erase
the hard
7. disksof many computerson May 13, 1988.
10
Computer Crime
• According to the FBI, computer crime is the
most expensive
form of crime, at $450,000 per the5. The es6mated
total
volume of computer crime is $5,000,000,000per
year.
• Some reports es6mate that 90% of computer crime
goes
unreported.
• (See
h9p://www.usdoj.gov/criminal/cybercrime/cccases.html,
the
Computer Crime & Intellectual Property SecEon of
the US Department of
JusEce, Computer Crime Cases.)
11
Types of A9acks
Mostfrequent aIack: on a networked
computer from an outside source
Types of aIacks are many:
8. Virus:
§ malicious piece of code; requires usersto
spread infected files
§ Does not spread itselffrom computer to computer
§ must be passed on to otherusersthrough
infected e-mail document
aachments, programs on diskees or shared
files
Macro viruses:
§ most common and easily created viruses
§ created in an applica6on macro language (e.g.
Visual Basic or VBScript)
§ infect documents: insert unwanted words,
numbers or phrases
§ infect applica6on templates (embedding itselfin all
future docs)
12
Types of A9acks (Cont.)
Worm: harmful programs that reside in ac6ve
memory
§ Duplicate themselves: can propagate without human
interven6on
§ Send Copies of themselves to othercomputers
via:
§ Email (e.g. Zip file aachment)
§ InternetRelay Chat (IRC)
§ Nega6ve Impact of virusor worm aack
§ Lost data and programs
9. § Lost produc6vity (workers aemp6ng to recover
data and
programs)
§ Effort for IT workers (cleaning up mess)
Trojan horse: a program a hacker secretly
installs on a computer
§ Used to steal passwords, SSNs or spy on
usersby recording keystrokes
§ Users are tricked into installing (e.g. disguised as
iTunes file or malicious
web site) 13
Types of A9acks (Cont.)
Logic bomb – another type of Trojan Horse,
executes under specific
condi6ons, triggered e.g. by
§ change in a par6cular file
§ typing a specific series of keystrokes
§ specificdate/6me
Denial of service: malicious hacker takesover
computerson Internet and
causes them to flood a target site with
demands for data
§ the computersthat are taken over are called
zombies
Does not involve a break-in at the target
computer
10. § target machine is busy responding to a stream
of automatedrequests
§ thus legi6mate userscannot get in
Spoofing generates false return address on packets
§ therefore, sources of aack cannot be
iden6fied and turned off
14
Denial-of-Service (DoS) A9acks Defense
Ingress filtering
§ when Internet service providers (ISPs) prevent
incoming
packets with false IP addresses from being passed on
Egress filtering
§ ensuring spoofed packets don’t leave a
network
Overhead:
§ may prevent legi6mate usersfrom geung in
§ companies need to deploy faster and more
powerful routers
and switches to check IP address on each packet
15
11. What is Computer (IT) Security?
• Computer security is designed to protect your
computer and everything
associatedwith it --- the building, the worksta6ons
and printers, cabling, and
disksand otherstorage media. Mostimportantly,
computer security protects
the informa6on stored in your system.
• Computer security is not only designed to protect
against outside intruders
who break into systems, but also dangers arising
from sharing a password
with a friend, failing to back up a disk, spilling
a soda on a keyboard.
There are threedis6nct aspects of security:
secrecy, accuracy, and availability.
• Having said this, we should emphasize that
“Informa6on Security” or
“Cybersecurity” is more up-to-dateterminology, since
rarely are we
concerned with the protec6on of a single computer
system.
• A secure computer system must not allow
informa6on to be disclosed to
anyone who is not authorized to access it. In
highly secure government
systems, secrecy ensures that usersaccess only
informa6on they’re allowed
to access.
12. • In business environments, confiden6ality ensures the
protec6on of private
informa6on such as payroll data.
16
17
What is IT Security?
Security is the protec6on of assets.
The threemain aspects are:
• preven6on
• detec6on
• re-ac6on/response
Preven:on
Implement a layered security soluEon
§ Make computer break-ins harder: if hacker breaks
through one
layer, thereis another layerto overcome
Firewall: any Internet traffic not explicitly permied
into intranet
denied entry; can also block access to certain
Web sites, IM, etc.
An:virus SoDware:
13. § scans for a specific sequence of bytes known
as virus
signature, may clean, delete or quaran6neaffected
files
§ Con6nually update with the latest virusdetec6on
info called
definiEons
§ Do not leave accounts ac:ve aDer employees
leave company:
promptly delete computer accounts, loginIDs, and
passwords
18
Preven:on (Cont.)
§ Carefully define employee roles: e.g. do not
allow a single
employee to ini6ate a PO and approve invoice
for its payment
§ Create roles and user accounts: so employees have
authority to
perform their responsibili6es and no more
§ Keep Track of Well-Known Vulnerabili6es and
patch them:
§ SANS (System Administra6on,Networking and
Security)
Ins6tute
§ CERT/CC
14. § Backup cri6cal applica6ons and data regularly
§ Perform a Security auditto ensure organiza6on
has well-
considered security policy in place and that is
being followed:
§ e.g. usersmust change their password every 30
days
19
Detec:on
Detec:on systems:
§ catch intruders in the act but preven6vemeasures
are not fail-proof
Intrusion detecEon system:
§ monitors system and network resources and
ac6vi6es
§ no6fies the proper authority when it iden6fies
-possible intrusions from outside the organiza6on
-misuse from within the organiza6on
2 fundamental approaches: Knowledge-based and
Behavior-based
Knowledge-based approaches
§ U6lize informa6on about specific a:acks and
system vulnerabili+es
and watch for aempts to exploit these
15. § examples include repeated failed loginaempts,
aempts to
download a program to a server, or other
symptoms of possible
mischief
20
Detec:on (Cont.)
Behavior-based approaches:
§ model normal behavior of a system and its
usersfrom reference source
§ compare current ac6vity to this model and
generate alarm if devia6on
§ examples include unusual traffic at odd hours
or a user in HR department who
accesses accoun6ng program he never used before
Intrusion PrevenEon Systems (IPSs):
§ Prevent aacks by blocking: viruses, malformed
packets & otherthreats
§ Sits directly behind the firewall and examines all
traffic passed by it
§ Firewall and network IPS are complementary:
§ firewallblocks everything except what you
explicitly allow through;
§ IPS lets everything through except what it is
told to block
16. Honeypot: provides would-be hackers with fake
informa+on about the network
§ Decoy server: goal is to confuse hackers,
trace/keepa record for prosecu6on
§ keeps hackers well-isolated from the rest of the
network
§ can extensively log ac6vi6es of intruders
§ honeypot can iden6fy aacker reconnaissance probes
-used by aackers to obtain info about
network resources he wants to aack
21
Response
Response plan:
§ prepare for the worst
§ developwell in advance of any incident
§ should be approved by legal department and senior
management
Primary goals:
§ regain control: technical and emo6onal
§ limit damage, restore data and informa6on systems
to normal
Incident no6fica6on defines:
§ who to no6fy: within company, customers,
suppliers?
§ who not to no6fy
17. Security experts recommend against releasing specific
info about a security
compromise in public forums (news reports,
conferences, online groups)
22
Response (Cont.)
Document all details of a security incident
§ do for future prosecu6on and to help with
incident eradica6on and
follow-up
§ allsystem events
§ specificac6ons taken
§ allexternal conversa6ons
Act quickly to contain an aack: may need to
shut down or disconnect
cri6cal system from network
EradicaEon effort
§ collect and log all possible criminal evidence from
the system
§ verify necessary backups are current and complete
-create disk image of all compromised systems
for later study and
evidence
§ create new backups, a5er virushas been eradicated
23
18. Response (Cont.)
Follow-up(the ‘a5ermath’)
§ determine how security was compromised
-prevent it from happeningagain
-was a so5ware fix not installed?
Review
§ determine exactly what happened
§ evaluate how the organiza6on responded
§ write formal incident report
Capture the perpetrator
But consider the poten6al for nega6ve publicity
§ brokerage firm might lose customers who thinktheir
money or records
not secure
Legal precedent
§ hold organiza6ons accountable for their own IT
security weaknesses
§ par6cularly true for ISPs
24
Fundamental Goals for Computer Security
• Data Confiden6ality
• Data Integrity
• System Availability
19. • Related issue– Privacy
• A legal and ethic ques6on
• Implemented by Confiden6ality goal
25
In Business Terms
Asset
Threat Cost
Risk
26
27
Some differences between tradi6onal
security and informa6on security
• Informa6on can be stolen - but you s6ll
have it
• Confiden6al informa6on may be copied
and sold - but the the5 might not be
detected
• The criminals may be on the otherside of
the world
20. 28
Confiden6ality
• The preven6on of unauthorised disclosure of
informa6on.
• Confiden6ality is keeping informa6on secret
or private.
• Confiden6ality might be important for
military, business or personal reasons.
29
Integrity
• Integrity is the unauthorised wri6ng or
modifica6on of informa6on.
• Integrity means that thereis an external
consistency in the system - everything is as
it
is expected to be.
• Data integrity means that the data stored on a
computer is the same as the source
documents.
21. 30
Availability
• A secure computer system must keep informa6on
available to its
users. Availability means that the computer
system’s hardware and
so5ware keeps working efficiently and that the
system is able to
recover quickly and completely if a disaster
occurs.
• Informa6on should be accessible and useable upon
appropriate
demand by an authorized user.
• Availability is the preven6on of unauthorized
withholding of
informa6on.
• The opposite of availability is denial of
service. Denial of service
aacks are a common form of aack. Denial of
service can be every
bit as disrup6ve as actual informa6on the5.
31
Non-repudia6on
22. • Non-repudia6on is the preven6on of either
the sender or the receiver denying a
transmied message.
• A system must be able to prove that certain
messages were sent and received.
• Non-repudia6on is o5en implemented by
using digital signatures.
32
Authen6ca6on
• Proving that you are who you say you are,
where you say you are, at the 6me you say it
is.
• Authen6ca6on may be obtained by the
provision of a password or a scan of your
re6na.
33
Access Controls
• The limita6on and control of access through
iden6fica6on and authen6ca6on.
• A system needs to be able to inden6fy and
authen6cate usersfor access to data,
applica6ons and hardware.
23. • In a largesystem theremay be a complex
structure determining which usersand
applica6ons have access to which objects.
34
Accountability
• The system managers are accountable to
scru6ny from outside.
• Audit trailsmust be selec6vely kept and
protected so that ac6ons affec6ng security
can be traced back to the responsible party
35
Security systems
• A security system is not just a computer
package. It also requires security conscious
personnel who respect the procedures and
their role in the system.
• Conversely, a good security system should not
rely on personnel having security exper6se.
36
24. Risk Analysis
• The disadvantages of a security system
are
that they are 6me-consuming, costly, o5en
clumsy, and impede management and smooth
running of the organisa6on.
• Risk analysis is the study of the cost of a
par6cular system against the benefits of the
system.
37
Designing a Security System
There are a number of design considera6ons:
• Does the system focus on the data, opera6ons or
the
usersof the system?
• What level should the security system operate
from?
Should it be at the level of hardware, opera6ng
system or
applica6ons package?
• Should it be simple or sophis6cated?
• In a distributed system, should the security be
centralised
25. or spread?
• How do you secure the levels below the
level of the
security system?
38
Security Models
A security model is a means for
formally expressing
the rules of the security policy in an abstract
detached way.
The model should be:
• easy to comprehend
• without ambigui6es
• possible to implement
• a reflec6on of the policies of the organisa6on.
Accuracy, Integrity, and AuthenEcity
• A secure computer system must maintain the
con6nuing
integrity of the informa6on stored in it.
Accuracy or integrity
means that the system must not corrupt the
informa6on or
allow any unauthorized malicious or accidental
26. changes to it.
• In network communica6ons, a related variant of
accuracy
known as authen6city provides a way to verify
the origin of
data by determining who entered or sent it, and by
recording
when it was sent and received.
39
Threats to Security
• There are threekey words that come up in
discussions of computer
security:
– vulnerabili6es,
– threats, and
– countermeasures.
• A vulnerability is a pointwhere a system is
suscep6ble to aack.
• A threat is a possible danger to the system:
e.g. a person, a thing(a faulty
piece of equipment), or an event (a fire or
a flood).
• Techniques for protec6ng your system are called
countermeasures.
27. 40
VulnerabiliEes
• Examples:
physical vulnerabili6es
natural vulnerabili6es
hardware and so5ware vulnerabili6es
media vulnerabili6es
emana6on vulnerabili6es
communica6ons vulnerabili6es
human vulnerabili6es
• There is a lot of varia6on in how easy it is
to exploit different types of
vulnerabili6es. For example, tapping a cordless
telephone or a cellular
mobile phone requires only a $199 scanner from
Radio Shack.
41
Threats
• Threats fall into threemain categories:
natural threats
uninten6onal threats
inten6onal threats
The inten6onal threats can come from insiders or
outsiders.
Outsiders can include:
28. foreign intelligence agents
terrorists
criminals
corporate raiders
crackers
42
Inside or Outside?
• Although most security mechanisms protect
best against outside intruders, survey a5er
survey indicates that most aacks are by
insiders. Es6mates are that as many as 80% of
system penetra6ons are by fully authorized
users.
43
The Insider
• There are a number of different types of
insiders:
disgruntled employee,the coerced employee,and
the greedy employee.One of the most dangerous
types of insiders may simply be lazy or
untrained. He
or she doesn’t bother changing passwords, doesn’t
learnhow to encrypt files,doesn’t get around to
erasing old disks, and leaves sensi6ve printout in
29. piles on the floor.
44
Countermeasures
• There are many different types of
countermeasures ,methods of protec6ng
informa6on. In the next several lectures, we
will survey thesemethods:
computer security
communica6ons security
physical security
45
InformaEon and Its Controls
• Informa6on security is almost as old as
informa6on itself.
• innova6ons are inevitably followed by methods of
harnessing the new
technologies and protec6ng the informa6on they
process.
– within five years of the introduc6on of the
telephone in 1881, a patent
applica6ons was filed for a voice scrambler;
30. – in the 1920s, the use of telephone wiretaps by
government and criminals
resulted in a public outcry, leading to
legisla6onbanning most wiretapping;
– in the 1940s, concerns about controlling the
prolifera6on of informa6on
about atomic energy led to the Atomic Energy
Act of 1946. This act created a
Restricted Data category of informa6on requiring special
protec6on.
46
Debates
– One ongoing debate in the computer security
world is over the
government’s restric6on of technological informa6on.
– The government needs to protect certain
kinds of informa6on, such as
na6onal defense data.
– Par6cular security technologies, for example,
cryptology, are very
effec6ve at safeguarding such informa6on. Should
the government be
able to control who can and cannot buy such
technologies?
31. – Another debate concerns the involvement of
the government in
manda6ng the protec6ng of nongovernmentinforma6on.
47
Computer Security: Then and Now
• In the earlydays of compu6ng, computer systems
were large,
rare, and very expensive. Those organiza6ons lucky
enough to
have a computer tried their best to protect it.
Computer
security was just one aspect of general plant
security.
• Security concerns focused on physical break-ins,
the5 of
computer equipment, and the5 or destruc6on of
disk packs,
tape reels, and othermedia.
• Insiders were also kept at bay. Few people knew
how to use
computers, and thus the userscould be carefully
screened.
48
Later On
• By the 1970s, technology was transformed, and
32. with it the ways in which
usersrelated to computersand data. Mul6-programaming,
6me-sharing,
and networking changed the rules.
• Telecommunica6ons --- the ability to access
computersfrom remote
loca6ons --- radically changed computer usage.
Businesses began to store
informa6on online. Networks linked minicomputers
together and with
mainframes containing largeonline databases.
Banking and the transfer of
assets became an electronic business.
49
New Abuses
• The increased availability of online systems
and informa6on led to abuses.
Instead of worrying only about intrusions by
outsiders into computer
facili6es and equipment, organiza6ons now had to
worry about
– computers that were vulnerable to sneak aacks
over telephone lines, and
– informa6on that could be stolen or changed by
intruders who didn’t leave a
trace.
33. • Individuals and government agencies expressed
concerns about the
invasion of privacy posed by the availability
individual financial, legal, and
medical records on shared online databases.
50
The PC World
• The 1980s saw a new dawn in compu6ng.
With the
introduc6on of the PC, individuals of all ages
and occupa6ons
became computer users. This technology introduced
new
risks. Precious and irreplaceable corporate data were
now
stored on diskees, which could now be lost or
stolen.
• As PCs proliferated, so too did PC networks,
electronic mail,
chat rooms, and bulle6n boards, vastly raising
the security
stakes. The 1980s also saw systems under aack.
51
34. The Future
• The challenge of the next decade will be to
consolidate what we’ve learned --- to build
computer security into our products and our daily
rou6nes ,to protect data without unnecessarily
impeding our access to it, and to make sure
that
both products and standards growto meet the ever-
increasingscope of challenge of technology.
52
What is Cyberspace?
Cyberspace is a worldwide network of computers and
the equipment that connects them, which by its very
design is free and open to the public (the Internet)
As Stanley Konter, CEO of Savannah's Sabre
Technologies, notes, "The problem has gotten more
prevalent with always-on, high-speed internet access.
Attackers are always out there looking for that type of
computer."
35. 54
Viruses
Viruses infect computers through email
attachments and file sharing. They delete
files, attack other computers, and make
your computer run slowly. One infected
computer can cause problems for all
computers on a network.
Hackers
Hackers are people who “trespass” into
your computer from a remote location.
They may use your computer to send
spam or viruses, host a Web site, or do
other activities that cause computer
malfunctions.
Identity Thieves
People who obtain unauthorized access
to your personal information, such as
Social Security and financial account
numbers. They then use this information
to commit crimes such as fraud or theft.
Spyware
Spyware is software that “piggybacks” on
36. programs you download, gathers
information about your online habits, and
transmits personal information without
your knowledge. It may also cause a
wide range of other computer
malfunctions.
Cyber-safety is a common term used to describe a set of
practices, measures
and/or actions you can take to protect personal information and
your computer
from attacks. First, let’s talk about some common cyber-safety
threats and the
problems they can cause . . .
Cyber-safety & Threats
TOP SEVEN CYBER-SAFETY ACTIONS
55
1. Install OS/Software Updates
2. Run Anti-virus Software
3. Prevent Identity Theft
4. Turn on Personal Firewalls
5. Avoid Spyware/Adware
37. 7. Back up Important Files
Additional information about each of the actions below is
provided on slides 8-14. Faculty
and staff should work with their technical support coordinator
before implementing these
measures.
6. Protect Passwords
§ Updates-sometimes called patches-fix problems with your
operating system (OS) (e.g., Windows XP,
Windows Vista, Mac OS X) and software programs (e.g.,
Microsoft Office applications).
§ Most new operating systems are set to download updates by
default. After updates are downloaded,
you will be asked to install them. Click yes!
§ To download patches for your system and software, visit:
§ Windows Update: hp://windowsupdate.microso5.com to
get or ensure you have all the latest
opera6ng system updates only.Newer Windows systems
are set to download theseupdates by
default.
§ Microso5 Update:
hp://www.update.microso5.com/microso5update/ to
get or ensure you
have all the latest OS and Microso5 Office
so5ware updates. You must sign up for this service.
38. § Apple: hp://www.apple.com/support
§ Unix: Consult documentation or online help for system
update information and
instructions.
§ Be sure to restart your computer after updates are installed so
that the patches can be applied
immediately.
I N S TA L L O S / S O F T WA R E
U P D AT E S
56
R U N A N T I - V I R U S S O F T WA R E
57
§ To avoid computer problems caused by viruses, install and
run
an anti-virus program like Sophos.
§ Periodically, check to see if your anti-virus is up to date by
opening your anti-virus program and checking the Last updated:
date.
§ Anti-virus software removes viruses, quarantines and repairs
39. infected files, and can help prevent future viruses.
P R E V E N T I D E N T I T Y T H E F T
58
§ Don't give out financial account numbers, Social Security
numbers, driver’s license
numbers or other personal identity information unless you know
exactly who's receiving
it. Protect others people’s information as you would your own.
§ Never send personal or confidential information via email or
instant messages as these
can be easily intercepted.
§ Beware of phishing scams - a form of fraud that uses email
messages that appear to be
from a reputable business (often a financial institution) in an
attempt to gain personal or
account information. These often do not include a personal
salutation. Never enter
personal information into an online form you accessed via a link
in an email you were
not expecting. Legitimate businesses will not ask for personal
information online.
§ Order a copy of your credit report from each of the three
major credit bureaus-Equifax,
40. Experian, and Trans Union. Reports can be ordered online at
each of the bureaus’ Web
sites. Make sure reports are accurate and include only those
activities you have
authorized.
T U R N O N P E R S O N A L
F I R E WA L L S
§ Check your computer's security settings for a built-in
personal firewall. If you have
one, turn it on. Microsoft Vista and Mac OSX have built-in
firewalls. For more
information, see:
• Mac Firewall
(docs.info.apple.com/ar6cle.html?path=Mac/10.4/en/mh1042.ht
ml)
• Microsoft Firewall (
www.microso5.com/windowsxp/using/networking/security/winfi
rewall.mspx)
• Unix users should consult system documentation or online
help for personal
firewall instructions and/or recommendations.
§ Once your firewall is turned on, test your firewall for open
ports that could allow in
41. viruses and hackers. Firewall scanners like the one on
hp://www.auditmypc.com/firewall-test.asp simplify this
process.
§ Firewalls act as protective barriers between computers and
the internet.
§ Hackers search the Internet by sending out pings (calls) to
random computers and
wait for responses. Firewalls prevent your computer from
responding to these calls.
59
A V O I D S P Y WA R E / A D WA R E
60
§ Spyware and adware take up memory and can slow down your
computer or cause other problems.
§ Use Spybot and Ad-Aware to remove spyware/adware from
your computer.
§ Watch for allusions to spyware and adware in user
agreements
before installing free software programs.
42. § Be wary of invitations to download software from unknown
internet sources.
P R O T E C T P A S S W O R D S
61
§ Do not share your passwords, and always make new
passwords difficult to guess by
avoiding dictionary words, and mixing letters, numbers and
punctuation.
§ Do not use one of these common passwords or any variation
of them: qwerty1, abc123,
letmein, password1, iloveyou1, (yourname1), baseball1.
§ Change your passwords periodically.
§ When choosing a password:
o Mix upper and lower case letters
o Use a minimum of 8 characters
o Use mnemonics to help you remember a difficult password
§ Store passwords in a safe place. Consider using KeePass
Password Safe (
hp://keepass.info/), Keychain (Mac) or an encrypted USB drive
to store passwords.
Avoid keeping passwords on a Post-it under your keyboard, on
your monitor or in a
drawer near your computer!
43. B A C K U P I M P O R TA N T F I L E S
§ Reduce your risk of losing important files to a virus,
computer
crash, theft or disaster by creating back-up copies.
§ Keep your critical files in one place on your computer’s hard
drive so you can easily create a back up copy.
§ Save copies of your important documents and files to a CD,
online back up service, flash or USB drive, or a server.
§ Store your back-up media in a secure place away from your
computer, in case of fire or theft.
§ Test your back up media periodically to make sure the files
are
accessible and readable.
62
CYBER-SAFETY AT HOME
§ Physically secure your computer by using security cables and
locking doors
and windows in the dorms and off-campus housing.
44. § Avoid leaving your laptop unsupervised and in plain view in
the library or
coffee house, or in your car, dorm room or home.
§ Set up a user account and password to prevent unauthorized
access to your
computer files.
§ Do not install unnecessary programs on your computer.
§ Microsoft users can download the free Secunia Personal
Software Inspector
(hps://psi.secunia.com/), which lets you scan your computer for
any missing
operating system or software patches and provides instructions
for getting all
the latest updates.
63
CYBER-SAFETY AT WORK
§ Be sure to work with your technical support coordinator
before implementing
new cyber-safety measures.
§ Talk with your technical support coordinator about what
45. cyber-safety
measures are in place in your department.
§ Report to your supervisor any cyber-safety policy violations,
security flaws/
weaknesses you discover or any suspicious activity by
unauthorized
individuals in your work area.
§ Physically secure your computer by using security cables and
locking
building/office doors and windows.
§ Do not install unnecessary programs on your work computer.
64
CYBER-SAFETY BASICS QUICK QUIZ
1. True or False? Viruses can be transmitted via email, email
attachments or IM.
2. People who seek out your personal information and then use
it to commit crimes are
called:_____________________
3. Which of the following are ways to help prevent identity
theft. (Check all that apply.)
__A. Never send personal information via email or instant
46. messages.
__B. Always send personal information via email or instant
messages.
__C. Lock my office door.
__D. Don’t tell anybody my name.
4. True or False? Iloveyou2 is a good password. Why or why
not?
5. Which anti-virus program is available to all UC Davis
students, faculty and staff for free?
________________________
6. I just downloaded a free program online and now my
computer is running very, very slowly. Which of the following
most likely happened?
__A. I didn’t install the program properly.
__B. I didn’t have enough space on my hard drive for the new
program.
__C. I downloaded spyware and/or adware, too.
__D. Someone snuck in while the program was downloading and
changed my password.
7. ___________________help prevent your computer from
responding to pings (calls) from hackers.
8. To fix problems with my operating system and/or application
software, I should install __________________.
Answers on next slide . . .
65
47. QUICK QUIZ ANSWERS
1. True
2. Identity thieves
3. A and C are correct. D would probably help too, but seems a
bit extreme!
4. False. Iloveyou2 is a very common password.
5. Sophos Anti-Virus is free to UC Davis students, faculty and
staff.
6. C. It’s most likely that you downloaded spyware and/or
adware.
7. Firewalls
8. OS and/or software updates (patches)
66
How did you do?
8-7 correct: Fantastic! You can help write the next quiz!
6-5 correct: Good. You can help write the next quiz, but we’ll
check it for accuracy . . . just in case.
4-3 correct: You might want to review the material for the
questions you missed.
67
Summary
By now you should have someidea about
• Why we need computer security
48. (preven6on, detec6on and re-ac6on)
• What a computer security system does
(confiden6ality, integrity, availability, non-
repudia6on, authen6ca6on, access control,
accountability)
• What computer security exerts do (design,
implement and evaluate security systems)
68
Summary (Cont.)
Ethical decisions regarding IT security include
determining which
informa6on systems and data most need protec6on 65-fold
increase
in the number of reported IT security incidents
from 1997 to 2003
Mostincidents involve a:
• Virus
• Worm
• Trojan horse
• Denial-of-service
Key elements of a mul6layer process for managing
security
vulnerabili6es include:
• Threat assessment: to organiza6on’s computersand
network
• User educa6on: of risks and preventa6ve ac6ons
• Response plan
49. Resources
• Network World Security Newsleer
– hp://www.nwsubscribe.com
– Prac6cal advice, not a virusalert newsleer.
Especially good for the
links to othersecurity resources at the boom of
each ar6cle
• CERT Coordina6on Center at CMU
– hp://www.cert.org
• News about system threats, including viruses
and other
problems. Source for OCTAVE papers and process
• Norton An6Virus Site (Symantec)
– hp://securityresponse.symantec.com/avcenter/
• McAfee Security (Network Associates)
– hp://us.mcafee.com/virusinfo/
69
Topic #12
Risk Management in a Project
50. Reference: Chapter 11, Information Technology Project
Management
• Understand risk and the importance of good project
risk
management
• Discuss the elements of planning risk management
and the
contents of a risk management plan
• List common sources of risks on informa8on
technology (IT)
projects
• Describe the process of iden8fying risks and
create a risk
register
• Discuss qualita8ve risk analysis and explain how to
calculate
risk factors, create probability/impact matrixes, and
apply the
Top Ten Risk Item Tracking technique to rank risks
Learning Objec8ves
2
• Explain quan8ta8ve risk analysis and how to
apply decision trees, simula8on, and sensi8vity
analysis to quan8fy risks
51. • Provide examples of using different risk
response planning strategies to address both
nega8ve and posi8ve risks
• Discuss how to control risks
• Describe how soJware can assist in project
risk
management
Learning Objec8ves (cont’d)
3
• Project risk management is the art and science
of iden8fying, analyzing, and responding to
risk
throughout the life of a project and in the
best
interests of mee8ng project objec8ves
• Risk management is oJen overlooked in
projects, but it can help improve project
success by helping select good projects,
determining project scope, and developing
realis8c es8mates
The Importance of Project Risk
Management
4
52. Benefits from SoJware Risk
Management Prac8ces*
5
*Source: Kulik and Weber, KLCI Research Group
• Many people around the world suffered from
financial losses
as various financial markets dropped in the fall of
2008, even
aJer the $700 billion bailout bill was passed by
the U.S.
Congress
• According to a global survey of 316
financial services
execu8ves, over 70 percent of respondents
believed that the
losses stemming from the credit crisis were largely
due to
failures to address risk management issues
• They iden8fied several challenges in
implemen8ng risk
management, including data and company culture issues
Global Issues
6
• A dic8onary defini8on of risk is “the possibility
53. of loss or injury”
• Nega8ve risk involves understanding poten8al
problems that might occur in the project and
how they might impede project success
• Nega8ve risk management is like a form of
insurance;it is an investment
Nega8ve Risk
7
• Posi8ve risks are risks that result in good things
happening; some8mescalled opportuni8es
• A general defini8on of project risk is an
uncertainty that can have a nega8ve or posi8ve
effect on mee8ng project objec8ves
• The goal of project risk management is to
minimize poten8al nega8ve risks while
maximizing poten8al posi8ve risks
Risk Can Be Posi8ve
8
• Risk u'lity or risk tolerance is the amount of
sa8sfac8on or pleasure received from a
poten8al payoff
54. – U8lity rises at a decreasing rate for people
who
are risk-averse
– Those who are risk-seeking have a higher
tolerance for risk and their sa8sfac8on increases
when more payoff is at stake
– The risk-neutral approach achieves a balance
between risk and payoff
Risk U8lity
9
Risk U8lity Func8on and Risk
Preference
10
• Planning risk management : Deciding how to
approach and plan the risk management
ac8vi8es for the project
• Iden'fying risks: Determining which risks are
likely to affect a project and documen8ng
the
characteris8cs of each
• Performing qualita've risk analysis: Priori8zing
risks based on their probability and impact of
occurrence
55. Project Risk Management Processes
11
• Performing quan'ta've risk analysis: Numerically
es8ma8ng the effects of risks on project objec8ves
• Planning risk responses: Taking stepsto
enhance
opportuni8es and reduce threats to mee8ng project
objec8ves
• Controlling risk: Monitoring iden8fied and residual
risks,
iden8fying new risks, carrying out risk response
plans,
and evalua8ng the effec8veness of risk strategies
throughout the life of the project
Project Risk Management Processes
(cont’d)
12
Project Risk Management Summary
13
56. • The main output of this process is a risk
management plan—a plan that documents the
procedures for managing risk throughout a project
• The project team should review project
documents
and understand the organiza8on’s and the sponsor’s
approaches to risk
• The level of detail will vary with the needs of
the
project
Planning Risk Management
14
• Methodology
• Roles and responsibili8es
• Budget and schedule
• Risk categories
• Risk probability and impact
• Revised stakeholders’ tolerances
• Tracking
• Risk documenta8on
Topics Addressed in a Risk
Management Plan
15
57. • Con'ngency plans are predefined ac8ons that
the
project team will take if an iden8fied risk event
occurs
• Fallback plans are developed for risks that have a
high
impact on mee8ng project objec8ves, and are
put into
effect if afempts to reduce the risk are not
effec8ve
• Con'ngency reserves or allowances are provisions
held by the project sponsor or organiza8on to
reduce
the risk of cost or schedule overruns to an
acceptable
level; management reserves are funds held for
unknown risks
Con8ngency and Fallback Plans,
Con8ngency Reserves
16
• Several studies showthat IT projects share
somecommon sources of risk
• The Standish Group developed an IT success
poten8al scoring sheetbased on poten8al risks
• Other broad categories of risk help iden8fy
poten8al risks
58. Common Sources of Risk in
Informa8on Technology Projects
17
IT Success Poten8al Scoring Sheet
18
Success Criterion Relative Importance
User Involvement 19
Executive Management support 16
Clear Statement of Requirements 15
Proper Planning 11
Realistic Expectations 10
Smaller Project Milestones 9
Competent Staff 8
Ownership 6
Clear Visions and Objectives 3
Hard-Working, Focused Staff 3
Total 100
59. • Market risk
• Financial risk
• Technology risk
• People risk
• Structure/process risk
Broad Categories of Risk
19
• A risk breakdown structure is a hierarchy of
poten8al risk categories for a project
• Similar to a work breakdown structure but
used to iden8fy and categorizerisks
Risk Breakdown Structure
20
Sample Risk Breakdown Structure
21
60. Poten8al Nega8ve Risk Condi8ons Associated With
Each Knowledge Area
22
• Iden8fying risks is the process of understanding
what
poten8al events might hurt or enhance a
par8cular
project
• Anotherconsidera8on is the likelihood of advanced
discovery
• Risk iden8fica8on tools and techniques include:
– Brainstorming
– The Delphi Technique
– Interviewing
– SWOT analysis
Iden8fying Risks
23
• Brainstorming is a technique by which a
group
afempts to generate ideasor find a solu8on for a
specific problem by amassing ideasspontaneously
and without judgment
61. • Anexperienced facilitator should run the
brainstorming session
• Be careful not to overuse or misuse
brainstorming.
– Psychology literature shows that individuals
produce a
greater number of ideasworking alone than they do
through brainstorming in small, face-to-face groups
– Group effects oJen inhibit idea genera8on
Brainstorming
24
• The Delphi Technique is used to derive a
consensus among a panel of experts who make
predic8ons about future developments
• Provides independent and anonymous input
regarding future events
• Uses repeated rounds of ques8oning and wrifen
responses and avoids the biasing effects possible
in oral methods, such as brainstorming
Delphi Technique
62. 25
• Interviewing is a fact-finding technique for
collec8ng informa8on in face-to-face, phone,
e-mail, or instant-messaging discussions
• Interviewing people with similar project
experience is an important tool for iden8fying
poten8al risks
Interviewing
26
• SWOT analysis (strengths, weaknesses,
opportuni8es, and threats) can also be used
during risk iden8fica8on
• Helps iden8fy the broad nega8ve and posi8ve
risks that apply to a project
SWOT Analysis
27
• The main output of the risk iden8fica8on process
is a list of
iden8fied risks and otherinforma8on needed to begin
63. crea8ng a risk register
• A risk register is:
– A document that contains the results of various
risk
management processes and that is oJen displayed in a
table or
spreadsheet format
– A tool for documen8ng poten8al risk events and
related
informa8on
• Risk events refer to specific, uncertain events
that may occur
to the detriment or enhancement of the project
Risk Register
28
• Aniden8fica8on number for each risk event
• A rank for each risk event
• The name of each risk event
• A descrip8on of each risk event
• The category under which each risk event
falls
• The root cause of each risk
Risk Register Contents
29
64. • Triggers for each risk; triggers are indicators
or symptoms of actual risk events
• Poten8al responses to each risk
• The risk owner or person who will own or
take responsibility for each risk
• The probability and impact of each risk
occurring.
• The status of each risk
Risk Register Contents (cont’d)
30
Sample Risk Register
31
• No.: R44
• Rank: 1
• Risk: New customer
• Description: We have never done a project for this
organization
before and don’t know too much about them. One of our
company’s
strengths is building good customer relationships, which often
leads
to further projects with that customer. We might have trouble
working
with this customer because they are new to us.
• Category: People risk
65. • Etc.
• Assess the likelihood and impact of
iden8fied risks to determine their
magnitude and priority
• Risk quan8fica8on tools and techniques
include:
– Probability/impact matrixes
– The Top Ten Risk Item Tracking
– Expert judgment
Performing Qualita8ve Risk Analysis
32
• A probability/impact matrix or chartlists the
rela8ve probability of a risk occurring on one
side
of a matrix or axis on a chartand the rela8ve
impact of the risk occurring on the other
• List the risks and then label each one as high,
medium, or low in terms of its probability of
occurrence and its impact if it did occur
• Can also calculate risk factors:
– Numbers that represent the overall risk of specific
events based on their probability of occurring
66. and the
consequences to the project if they do occur
Probability/Impact Matrix
33
Sample Probability/Impact Matrix
34
Chart Showing High-, Medium-, and Low-Risk
Technologies
35
• Top Ten Risk Item Tracking is a qualita8ve
risk
analysis tool that helps to iden8fy risks and
maintain an awareness of risks throughout
the life of a project
• Establish a periodic review of the top ten
project risk items
• List the current ranking, previous ranking,
number of 8mesthe risk appears on the list
over a period of 8me, and a summary of
progress made in resolving the risk item
67. Top Ten Risk Item Tracking
36
Example of Top Ten Risk Item Tracking
37
• A watch list is a list of risks that are low
priority, but are s8ll iden8fied as poten8al
risks
• Qualita8ve analysis can also iden8fy risks that
should be evaluated on a quan8ta8ve basis
Watch List
38
• OJen follows qualita8ve risk analysis, but
both can be done together
• Large, complex projects involving leading edge
technologies oJen require extensive
quan8ta8ve risk analysis
• Main techniques include:
– Decision tree analysis
– Simula8on
– Sensi8vity analysis
68. Performing Quan8ta8ve Risk Analysis
39
• A decision tree is a diagramming analysis
technique used to help select the best course of
ac8on in situa8ons in which future outcomes
are uncertain
• Es'mated monetary value (EMV) is the
product of a risk event probability and the
risk
event’s monetary value
• You can draw a decision tree to help find the
EMV
Decision Trees and Expected Monetary
Value (EMV)
40
Expected Monetary Value (EMV) Example
41
• Simula8on uses a representa8on or model of a
system to analyze the expected behavior or
69. performance of the system
• Monte Carlo analysis simulates a model’s
outcome
many 8mesto provide a sta8s8cal distribu8on of
the calculated results
• To use a Monte Carlo simula8on, you must
have
threees8mates (most likely, pessimis8c, and
op8mis8c) plus an es8mate of the likelihood of
the
es8mate being between the most likely and
op8mis8c values
Simula8on
42
1. Assess the range for the variables being
considered
2. Determine the probability distribu8on of each
variable
3. For each variable, select a random value
based on
the probability distribu8on
4. Run a determinis8c analysis or one pass through
the model
70. 5. Repeat steps3 and 4 many 8mesto obtain
the
probability distribu8on of the model’s results
Steps of a Monte Carlo Analysis
43
Sample Monte Carlo Simula8on Results for
Project Schedule
44
• Sensi'vity analysis is a technique used to show
the effects of changing one or more variables on
an outcome
• For example, many people use it to
determine
what the monthly payments for a loan will be
given different interest rates or periods of the
loan, or for determining break-even points
based on different assump8ons
• Spreadsheet soJware, such as Excel, is a
common tool for performing sensi8vity analysis
Sensi8vity Analysis
45
71. Sample Sensi8vity Analysis for Determining
Break-Even Point
46
• AJer iden8fying and quan8fying risks, you
must
decide how to respond to them
• Four main response strategies for nega8ve
risks:
– Risk avoidance
– Risk acceptance
– Risk transference
– Risk mi8ga8on
Planning Risk Responses
47
General Risk Mi8ga8on Strategies for Technical,
Cost, and Schedule Risks
48
• Risk exploita8on
• Risk sharing
• Risk enhancement
72. • Risk acceptance
Response Strategies for Posi8ve Risks
49
• It’s also important to iden8fy residual and
secondary risks
• Residual risks are risks that remain aJer all of
the response strategies have been
implemented
• Secondary risks are a direct result of
implemen8ng a risk response
Residual and Secondary Risks
50
• Involves execu8ng the risk management process to
respond to risk events and ensuring that risk
awareness is an ongoing ac8vity performedby the
en8re project team throughout the en8re project
• Workaroundsare unplannedresponses to risk events
that must be done when thereare no con8ngency
plans
• Main outputs of risk control are:
73. – Work performance informa8on
– change requests
– updates to the project management plan, otherproject
documents,
and organiza8onal process assets
Controlling Risks
51
• Risk registers can be created in a simple
Word
or Excel file or as part of a database
• More sophis8cated risk management soJware,
such as Monte Carlo simula8ontools, help in
analyzing project risks
• You can purchase add-ons for Excel and Project
2010 to perform simula8ons
Using SoJware to Assist in Project Risk
Management
52
• Unlike crisis management, good project risk
management oJen goes unno8ced
• Well-run projects appear to be almost
effortless, but a lot of work goes into running a
74. project well
• Project managers should strive to make their
jobs look easy to reflect the results of well-run
projects
Results of Good Project Risk
Management
53
• Project risk management is the art and science of
iden8fying, analyzing, and responding to risk
throughout the life of a project and in the
best
interests of mee8ng project objec8ves
• Main processes include:
– Plan risk management
– Iden8fyrisks
– Perform qualita8ve risk analysis
– Perform quan8ta8ve risk analysis
– Plan risk responses
– Control risks
Summary
54
Reference Details