Information Systems Security

MIS 320
Kraig Pencil
Winter 2011

PPT Slides by Dr. Craig Tyran & Kraig Pencil
          IS Security in the Headlines
                                       Business Week




                                    Overview
•   Introduction
•   Crimes
•   Players
•   Ways to cause trouble
•   Ways to enhance security



               A. IS Security - Introduction
1.       Networked age → good news/bad news
     •      Good news → easy, fast information
            sharing (supports linkages!!!)
     •      Bad news → easier for bad guys to get to your data


2.       IS break-ins are common … and expensive
     •      2006 survey for Computer Security Institute/FBI
            (www.gocsi.com)
           •     616 respondents
           •     Virtually all reported some form of attack(s)
           •     52% of organizations reported “unauthorized use” of IS
                 in past year
           •     Perpetrators of incidents:
                 •    Crackers, disgruntled employees, competitors, foreign
                      governments
CERT: Reported IS Vulnerabilities

[Chart: Security Vulnerabilities vs. Time – vulnerabilities reported per year, 2000–2006, y-axis 0 to 10,000]

    Internet Crime Complaint Center (IC3)

2009 Report                   http://www.ic3.gov/media/annualreport/2009_IC3Report.pdf

•   Department of Justice up 22%
•   Median dollar loss on complaints: $575
•   Total dollar loss: $559,700,000.
•   Many crime categories, including: auction fraud, non-
    delivery of merchandise, credit card fraud, computer
    intrusions, spam, child pornography




          A. IS Security - Introduction
3. Published reports
   •      Tip of the iceberg
   •      Most break-ins are unreported to
          law enforcement … or undetected
         –     Companies are afraid that customers –
               and potential intruders – know about
               problems
         –     CSI/FBI survey – 30% did not report
               their intrusions. Of these:
               –    48% are concerned with negative
                    publicity
               –    36% are concerned that competitors will
                    take advantage
     B. IS Security – Cyber Crimes
 1. What types of activities do the bad guys do?
       •      Viruses/worms (65% of survey group reported this problem)
             • e.g. “Macro” viruses (e.g., Love Bug), Worms (e.g., Slammer)
       •      Laptop/mobile theft (47%)
             • Steal information, Gain access to other systems
       •      Unauthorized access: Hacking and physical access (32%)
             • Change documents and files
                 – Steal $, modify credit ratings
                 – e.g., Citibank robbery -- $11 million
             • Steal information (e.g., classified info, info for identity theft)
       •      Denial of service attacks (25%)
       •      Phishing
             • e.g., An “official” company e-mail used to gather personal
                 information, passwords, SSN, etc.


 Macro Virus Example:
 The Love Bug




                Warnings at the Workplace -
                   Worms and Viruses


http://computer.howstuffworks.com/worst-computer-viruses.htm




Theft of unauthorized information: Identity Theft?

The average identity theft victim spends 600 hrs and $16,000 to recover
(www.idtheftcenter.org)




                 Denial of Service Attack
A hacker’s virus installs a program on many computers.
On command, they become zombies.
They all ping* the “target” again and again –
the overload crowds out legitimate page requests,
creating a Denial of Service to customers.

[Figure: zombie computers “greeting” the target – “Bon jour”, “Gut’n Tag”]
                 Denial of Service Attack
Cloud Computing to the rescue???
Cloud services are usually “scalable” → providers can
instantly add more servers to handle the increased
greetings from the zombie computers.
http://www.smartertechnology.com/c/a/Smarter-Strategies/3-Reasons-Clouds-Prevent-CyberAttacks/?kc=EWKNLSTE12232010BESTOF4

[Figure: zombie computers “greeting” the target – “Bon jour”, “Gut’n Tag”]
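The two slides above describe the flood (many zombies, each requesting the target again and again, crowding out customers) but not how a defender would see it in server logs. The following is an added example, not from the slides: it builds a constructed access log for one ten-second window, counts requests per client, flags clients over a per-source limit, and reports what share of traffic those clients account for (the share that would otherwise be served to real customers). Window size, limit, and the IP addresses are all constructed values.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW_SECONDS = 10     # length of the observation window
PER_SOURCE_LIMIT = 60   # requests per window from one client before it is flagged

def build_sample_log() -> list[tuple[datetime, str, str]]:
    """Constructed access log for one window: two customers browsing at a normal
    pace while three zombie hosts request the front page 20 times a second each."""
    start = datetime(2011, 2, 1, 10, 0, 0)
    log = []
    for sec in range(WINDOW_SECONDS):
        t = start + timedelta(seconds=sec)
        if sec % 3 == 0:
            log.append((t, "198.51.100.7", "GET /products"))
        if sec % 4 == 0:
            log.append((t, "198.51.100.9", "GET /cart"))
        for zombie in ("203.0.113.5", "203.0.113.6", "203.0.113.7"):
            log.extend((t, zombie, "GET /") for _ in range(20))
    return log

def flag_flooders(log, window_start, limit=PER_SOURCE_LIMIT, window=WINDOW_SECONDS):
    """Count requests per client inside the window; return the clients over the
    limit and the share of all requests in the window they account for."""
    end = window_start + timedelta(seconds=window)
    counts = Counter(ip for ts, ip, _ in log if window_start <= ts < end)
    flagged = {ip for ip, n in counts.items() if n > limit}
    total = sum(counts.values())
    share = sum(counts[ip] for ip in flagged) / total if total else 0.0
    return flagged, share

def demo():
    """Run the detector over the constructed log."""
    return flag_flooders(build_sample_log(), datetime(2011, 2, 1, 10, 0, 0))

if __name__ == "__main__":
    flagged, share = demo()
    print(f"flagged sources: {sorted(flagged)}")
    print(f"share of requests crowding out customers: {share:.1%}")
```

A per-source limit only catches zombies that individually exceed it; the aggregate share is reported because a flood spread over many more hosts is visible in total volume long before any single client looks unusual, which is where the capacity-based answer on the cloud slide comes in.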

                          Phishing Example




                       Phishing Example 2




                                          Insiders
• You have to trust someone, but …
      – Insiders account for much of “lost” data
            • “stolen credentials have become the most common way
              attackers gain access to enterprises. But the credentials were
              rarely stolen using sophisticated methods. Instead, malicious
              insiders were involved in 48% of cases -- a 26% increase vs.
              last year -- and in some cases, freely revealed their
              administrative passwords, enabling attackers easy access to
              sensitive data”
               (SearchSecurity.com:
               http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1517422,00.html)




           C. IS Security – The Players
Hackers: people who break into computers and computer networks
1.   White-hat hackers
       … hobbyists who follow “hacker code”; curious, not malicious
       … or professional consultants who find security holes
             in the client’s own systems: perform penetration tests and
             vulnerability assessments
2.   Black-hat hackers // Crackers
   •     Cyber vandals; cause trouble for fun
   •     Commit premeditated cyber crime,
         steal information, $$, etc.




            C. IS Security – The Players
Hackers: people who break into computers and computer networks
3.   Hacktivist – Politically or socially motivated hacker
   –     Site defacing
   –     Denial-of-Service (DoS) attack
4.   Cyberterrorist – deliberate, large-scale disruption of computer networks


Hacker Conventions
• DEF CON
     –      World’s Largest
• Black Hat
Hacker Films
•        Wargames
•        Takedown
        Well-known Cyber Crooks*
Kevin Mitnick – superstar of hacking
• Active 1980 – 1995
• Never profited or caused damage
• 5 years in prison (8 months in solitary confinement)
• “Social engineering” specialist: “no patch for stupidity”
• Now a well-paid security consultant, speaker, writer




[Photo: Kevin Mitnick]



* http://www.itsecurity.com/features/top-10-famous-hackers-042407/
        Well-known Cyber Crooks*
Vladimir Levin – Russian
• Transferred $10.7 million from Citibank accounts
• Captured in London, transferred to US, convicted/sentenced to 3 years
• Citibank managed to recover 95% of the funds

Adrian Lamo 2002-2004
• Victims: Yahoo!, Citigroup, Cingular, NY Times
• “Homeless hacker” was also helpful. Unauthorized penetration testing.
  Voluntarily informed some victims of their security weaknesses.
• Arrested/Convicted/Ordered to pay $65,000 to NY Times

 Robert Alan Soloway – the “Spam King”
• 2008 47 months in federal prison, and $700,000 restitution
• $7.8 million civil judgment awarded to Microsoft.

[Photo: Adrian Lamo]


Others: Stephen Wozniak (blue boxes), Tim Berners-Lee (Oxford)
                     D. Examples of hacker
                        tools/techniques
1.         Password cracker programs
       •      Example approaches: Use “reverse encryption”, Look for
              “dictionary” words & common names

2.         Sniffers
       •      “Eavesdropping” program/device
       •      Use to capture usernames and passwords for people doing
              remote computer logins
       •      Place program on node of Internet and “sniff” for usernames and
              passwords

3.         Social engineering
       •      Hacker poses as a “good guy” and asks unsuspecting people for
              information
       •      Often done via phone
             •     E.g., “What kind of computer system are you using?”

           A Hacker Tool: “Password cracker”
                available on the Internet




               E. IS Security – Ways to
             address/combat security risks
1.    Password management
     • Do not use dictionary words
     • Create new combinations of
           letters and digits
         • Combine letters, numbers, special characters, and both
                upper and lower case
                e.g., gaRDen+493
         • Use mnemonic tricks to remember odd combinations letters
                of words in an expression
                – e.g., tbontbtitq (or even better: 2b*o02b*t1tq)
                     “To be or not to be, that is the question”
     • Change passwords frequently
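The password rules on this slide, together with the “dictionary words and common names” approach of the password-cracker slide in section D, can be turned into a simple checker. This is an added example, not from the slides: it reduces each candidate to the word a dictionary attack would test it as (lower-cased, digits and symbols stripped from the ends, leet-style substitutions undone) and reports which slide rules it breaks. The word list and names are a constructed stand-in for a real dictionary.

```python
import string

# Constructed stand-in for the word list a "dictionary" cracker tries first;
# a real checker would load a full word list plus leaked-password lists.
DICTIONARY = {"garden", "password", "welcome", "dragon", "summer", "monkey"}
COMMON_NAMES = {"kraig", "craig", "michael", "jennifer"}

# Substitutions a cracker undoes before comparing a guess with its word list.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

def normalize(pw: str) -> str:
    """Reduce a password to the word a dictionary attack would test it as:
    lower-case, drop digits/punctuation bolted onto the ends, undo leet-speak."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)

def check_password(pw: str, min_len: int = 10) -> list[str]:
    """Return the slide rules the password violates; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if sum(classes) < 3:
        problems.append("uses fewer than three of: lower, upper, digit, special")
    core = normalize(pw)
    if core in DICTIONARY or core in COMMON_NAMES:
        problems.append(f"reduces to dictionary word or common name {core!r}")
    return problems

if __name__ == "__main__":
    # The slide's own examples plus two passwords of the kind crackers catch quickly.
    for candidate in ("gaRDen+493", "tbontbtitq", "2b*o02b*t1tq", "p@55w0rd", "kraig2011"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate:14} {'; '.join(verdict)}")
```

Note that gaRDen+493 satisfies the mixed-character rule but still reduces to “garden” once the suffix is stripped, while the mnemonic 2b*o02b*t1tq passes every check, which is why the slide calls the mnemonic form the better option.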
                  E. IS Security – Ways to
                address/combat security risks
2. Use firewalls
   •        HW/SW that acts a buffer between a network and the rest of the
            World
   •        Can keep out … unauthorized traffic
   •        Can keep in … corporate secrets



3. Encryption
   •        Scramble a message/data so that others can not understand it

4. Advisory organizations
   •        Post warnings and “patches” for reported security problems
   •        e.g., Computer Emergency Response Team (CERT)

       Image source: http://computer.howstuffworks.com/firewall.htm
 Vulnerability Alert from CERT




         E. IS Security – Ways to
       address/combat security risks
5. Security software
      •      Antivirus software
      •      Intrusion detection software




         E. IS Security – Ways to
       address/combat security risks
6. Hire a good hacker
      •      Break into your system and/or provide advice
      •      Help you identify security holes
   U.S. HIRED HACKER TO DETECT DIGITAL SPYING BY EMPLOYEES

   WASHINGTON, D.C. – In the cyber age, there are few things so damaging as a
   determined insider with the right passwords.
   The Defense Department hired a former hacker to lead a research program to
   detect digital spying by employees. Peiter Zatko is in charge of Cyber Insider
   Threat program at the Defense Advanced Research Projects Agency, or DARPA.
   “I’ve played both offense and defense.”
   His program is years away from any deployable solutions. In the meantime, the
   WikiLeaks releases show that the Pentagon failed to take basic steps to protect
   sensitive information, such as detecting and preventing unauthorized downloads.

   MCCLATCHY, November 30, 2010
   Redacted by Kraig Pencil


         E. IS Security – Ways to
       address/combat security risks
6. Hire a good hacker




Kevin Mitnick – a busted hacker … emerges from prison and begins a career as
an IS Security consultant, writes a book


				