The document discusses a technology and security class. It provides an agenda that covers IT news, an exam follow-up, and a focus on security. Under security news, it lists several recent computer virus and hacking incidents. It then discusses common security myths and holds a quick security assessment activity. The rest of the document outlines various security topics like definitions of security concepts, security risks, protection methods, and ways to assess security risks. It emphasizes the importance of backups, strong passwords, and keeping systems updated with patches.

1. Technologies – LIS 3353
Security
Week 10
Week 9 – 2/24/12

2. Agenda
 IT News
 Exam Follow-up
 Security
 Tuesday & Thursday Lab

3. Security (week 10)
News

4. Security News
 Computer spyware is newest weapon in Syrian conflict
A U.S.-based antivirus software maker, which analyzed one of the viruses at
CNN's request, said that it was recently written for a specific cyberespionage
campaign and that it passes information it robs from computers to a server at a
government-owned telecommunications company in Syria.
 Virus infects computer at CCSU (Central CT State Univ.)
The virus, which perpetrated the infection, was a variant of the malevolent
software, ZBot said James Estrada, Spokesman of the university. According to
him, except for the Social Security Numbers, no other private detail was
compromised. Ctpost.com reported this on February 16, 2012.
 Computer Infections to Rise During #Oscars ?
 NORIS system shut down over virus
A critical computer network is down after falling victim to a sophisticated worm.
Friday, that system is down for the third day, impacting about 200 different
agencies, including police departments, jails and courts all over northwest Ohio.
 High School student blamed for uploading virus to school PC
 4-8% of computers in China have viruses

5. The List ….
Latest 5 virus alerts
2/27/12 W32/Autorun-BUY
2/27/12 Troj/ZBot-BNF
2/27/12 Troj/ZBot-BNE
2/27/12 Troj/JavaSMS-L
2/27/12 Mal/ZboCheman-A
Source: Sophos Anti-Virus
Top 5 viruses in October 2010
1 Troj/Invo-Zip
2 W32/Netsky
3 Mal/EncPk-EI
4 Troj/Pushdo-Gen
5 Troj/Agent-HFU
Source: Sophos Anti-Virus

6. Security Myths
 Why should I care? I have nothing to hide.
 There is nothing on my computer that
anyone would want.
 I have the best security set-up.
 I have a firewall/virus program.
 Hackers usually go after big companies.
 I use a MAC!

7. Quick Check!
On your own (5 minutes) – on the cards
1. Your name
2. What is computer security?
3. List 2 ways in which users put themselves at risk
4. On a scale of 1-10 (1=never safe, 10=totally secure), how safe do
you feel from computer threats (viruses, worms, hackers, etc.)?
5. On a scale of 1-10 (1=never, 10=always), how often do you
protect your computer from viruses?
6. On a scale of 1-10 (1=never, 10=always), how often do you
provide personal information on the web

8. What is the goal of
Computer Security?
To prevent and detect unauthorized actions by users of the
system
How do you achieve Computer Security?
– Security principles/concepts: explore general
principles/concepts that can be used as a guide to design
secure information processing systems
– Security mechanisms: explore some of the security
mechanisms that can be used to secure information
processing systems
– Physical/Organizational security: consider physical &
organizational security measures (policies)
 Take a class in SECURITY 
 Get certified – CISSP

9. Security Defined
 What is Computer Security (in reality)?
– Confidentiality: prevent unauthorized disclosure of information
– Integrity: prevent unauthorized modification of information
– Availability: prevent unauthorized withholding of information
 CIA model is the basis of Information
Assurance
 Additional criteria:
• Authenticity, accountability, reliability, safety,
dependability, survivability, currency, etc.

10. Security Defined (CIA)
 Confidentiality: prevent unauthorized disclosure of
information
• privacy: protection of private data
• secrecy: protection of organizational data
• https:// pgp ssh ipsec
 Integrity: prevent unauthorized modification of
information
• Preventing unauthorized writing or modifications
• Access control
 Availability: prevent unauthorized withholding of
information
• Services are accessible and useable (without undue delay) whenever
needed by an authorized entity
• 24/7 – no DOS

11. Security Defined (CIA)
Confidentiality
Secure
Integrity
Availability

12. Beyond CIA
 Accountability
– Actions affecting security must be traceable to the responsible party (audits)
– Audit information must be kept and protected (compliance with SOX)
– Access control is needed
 Reliability – deals with accidental damage (do you get consistent
performance)
 Dependability – reliance can be justifiably placed on the system
(similar to integrity)
 Survivability/Disaster Recovery/Business Continuity – deals with
the recovery of the system after massive failure (especially after
9/11)

13. Finding a Balance
• Security policies interfere with working patterns,
and can be very inconvenient
• Require a focus on new workflows
• Security mechanisms need additional computational
resources
• Security should be a forethought
• Managing security requires additional effort and
costs
• ROI is hard to determine
• Ideally, there should be a trade-off

14. Finding a Balance
Application Software
|
|
User ---------------------------|-------------------- Resource
(subject) | (object)
|
Hardware
The Dimensions of Computer Security

15. Asking the Right Questions
 Should protection focus on data, operations, or users? (See the
onion.)
 In which layer should we place security?
 Could we place it in all layers?
 Should security focus on simplicity (i.e., complexity, assurance, one
password entry, lots of passwords)?
 Should security control tasks be given to a central entity, or left to
individual components (i.e., people, departments, divisions, etc. )?
Who controls the security policy? Hardware
OS
Services
Applications

16. Asking the Right Questions

17. Hardware
 Hardware is more visible to criminals
 It is easier to add/remove/change hardware devices,
intercept traffic, flood devices with traffic, and in
general control hardware devices’ functionality
 Hardware is ignored in security training
 Hardware can also be removed – VA laptop, DOD
laptop, hard drives lost, etc.
 EX: UNC Since Jan. 1, the Chapel Hill Police Department has received reports of the theft of 45
laptops. Some were reportedly stolen in residential or business break-ins, others were taken
during armed robberies or when their owners left them unattended.

18. Software
 Interruption (deletion): surprisingly easy!
 Modification:
– Logic bomb – failure occurs when certain conditions are
met
– Buffer overflow – similar to logic or programming error
– Virus – a specific Trojan horse that can be used to spread its
“infection”
– Worm – self-reproducing program (usually spreads through
e-mails)
– Trapdoor – a program that has a specific entry point
 Interception (theft): unauthorized copying

19. Software
 Phishing
 Ex.: During the 12 months that ended in May 2005, 73 million American adults who use the
Internet said that they "definitely" received or "thought they received" an average of more
than 50 phishing e-mails. That number was 28 percent higher than the previous year.
Where do they originate?

20. Data
 Data are readily accessible
 Attacks on data are more widespread
 Data are everywhere …. We give it away
to everyone!
 Fill out a credit card application, get a
free water bottle/coffee cup/t-shirt
 What’s your zip code, your phone
number, etc?

21. Who is ptwhitelabel.com
Jonathan Harris, a UC Davis graduate who
runs the Web site Pooltracker.com from
his Placerville home

22. Defense-In-Depth
Schou & Trimmer

23. Attacks
 United States Department of Commerce has
compiled a list of the general categories of
computer attacks (Security Glossary):
•Remote or Local Penetration
•Remote or Local DOS
•Scanning (Ethereal)
•Password Crackers
•Sniffers

24. Protections
 Basics
– Firewall (Zone Alarm, Norton, hardware solutions)
– Anti-virus (McAfee, Norton, Symantec)
– Patches (automatic updates)
– Strong passwords (> 20 characters)
– Where is your data? How is it protected? Do you
have it backed up?

25. Looking for Security News
 Sans
 Pulse
 Shadow
 Cert

26. Risk Assessment
 A process of ………
– Including a Business Impact Analysis
– Identifying assets and ranking them
– Identifying risks and ranking them
– Associating specific risks with critical assets
– Recommending actions to be taken
 See http://security.fsu.edu

27. Risk Assessment
 Don’t assume physical security!!!!
 VA laptop, DOD laptop, Los Alamos HD
issue
 Why steal just the data when you can
steal the hardware?
 Faculty offices, student laptops in
libraries

28. Risk Assessment
 Use strong passwords on all accounts
– More than 20 characters
– Limited by keyboard
– Under 14 characters is “crackable”
 Your password is a very important secret
 Select one you can remember (new rules)
 You can remember a long password (Peter
Henry Thesis)

29. Risk Assessment
 Passwords
– Change yours often!
– Dont leave yours lying around!
– The longer the better!
– Dont share yours with friends!
– FYI – in healthcare, people write down passwords all
the time
– CHECK! (# passwords 1, 2, 3, 4, 5, 6, recycle)

30. Technology Approaches
 Operating system software
– Keep it updated with necessary patches
 Patching
– Make sure your computer has the latest
operating system release
– Auto setting is the best!
– New security bugs are discovered all the time
– Remember the CERT website

31. Technology Approaches
 Firewall (hardware or software) – permits
passage of data based on security policies
 Virtual private Network (VPN) – private
communications over public networks
(secured through authentication,
cryptography, tunneling protocols) using
Ipsec (IP Security), SSL (tunneling), and
others …

32. Technology Approaches
• Hardware can be replaced - Keep serial numbers in a secure location
•
Application software can be reloaded - Know what you have installed
• Data could be gone forever
• Data could be gone forever
• Data could be gone forever
• Data could be gone forever
• Ensure that adequate backups for your systems are done on a regular basis

33. REMINDER!
DATA COULD BE GONE FOREVER!
DON'T BE ME!

34. Web Sites
 Understand that e-mail is not secure.
 KaZaA, etc. turned your computer into a distributor so that
people can download from your machine!
– NOTE: 45% of free files collected by KaZaA contained viruses,
Trojan horse programs and backdoors.
 Sometimes you dont even know you are responsible for
security violations
– your computer gets hacked and is used to hack others (you have
no idea its being done).

35. E-mail & Social Engineering
 E-mail:
– A day-to-day necessity in our educational
environment
– We take it for granted
 Social Engineering
– “Smooth-talking your way into a system”
– Common types of social engineering:
• Impersonation / Important user / Pre-texting
• You can find out information on Facebook /
MySpace
• Surplus equipment, Tallahassee (Cash for Trash)
• War-driving & dumpster diving

36. E-mail & Social Engineering

37. Solutions
None! (Well, none that are completely secure.)
Assume you will be compromised.
The task is to get back up and running.
http://security.fsu.edu/
Reporting
Setting up VPN at FSU
Subscribe to CERT
Subscribe to US-CERT

38. CERT
 http://www.cert.org/stats/cert_stats.ht
ml
 http://www.us-cert.gov/

39. Getting a JOB
 Computer Security (Network Security)
 Information Assurance
– The technical and managerial measures
designed to ensure the confidentiality,
possession/control, integrity, authenticity,
availability, and utility of information and
information systems. This term originated with
government usage and is sometimes
synonymous with information security.
– Become a CISSP

40. Questions?