Page 1
Introduction to MIS
Chapter 4 Security, Privacy, Anonymity
Page 2
Threats to Information
Physical Security and Disaster Planning
Logical Security and Data Protection
Virus Threats
User Identification and Biometrics
Access controls
Encryption and Authentication
Internet Security Issues
Page 3
Security, Privacy, and Anonymity
Figure labels: Server Attacks; Data interception; The Internet; Monitoring
Page 4
Threats to Information
Figure labels: Employees & Consultants; Links to business partners; Outside hackers; Accidents & Disasters
Page 6
Horror Stories
Security Pacific Oct 1978
Stanley Mark Rifkin
Electronic Funds Transfer
Unix account not balance
Monitor, false information
Track to East German spy
Page 7
Manual v Automated Data
Page 8
Disaster Planning
SunGard is a premier provider of computer backup facilities and disaster planning services. Its fleet of Mobile Data Centers can be outfitted with a variety of distributed systems hardware and delivered to a disaster site within 48 hours.
Page 9
Data Backup
Backup is critical
Offsite backup is critical
Levels
RAID (multiple drives)
Real time replication
Scheduled backups
Page 10
Data Backup
Offsite backups are critical.
Frequent backups enable you to recover from disasters and mistakes.
Use the network to backup PC data.
Use duplicate mirrored servers for extreme reliability.
Figure labels: UPS; Power company
Page 11
01 23 05 06 77 03 3A 7F 3C 5D 83 94
Page 12
Sources: Dataquest, Inc; Computerworld 12/2/91
National Computer Security Association; Computerworld 5/6/96
Page 13
Stopping a Virus
Backup your data!
Never run applications unless you are certain they are safe.
Never open executable attachments sent over the Internet, regardless of who mailed them.
Antivirus software
Needs constant updating
Rarely catches current viruses
Can interfere with other programs
Ultimately, viruses sent over the Internet can be traced back to the original source.
Page 14
User Identification
Passwords
A dial-up service found 30% of people used the same word
People choose obvious
Post-It notes
Hints
Don’t use real words
Don’t use personal names
Page 15
Airport.
Page 16
Biometrics: Thermal
Several methods exist to identify a person based on biological characteristics. Common techniques include fingerprint and handprint readers and retinal scanners. More exotic devices include body shape sensors and this thermal facial reader, which uses infrared imaging to identify the user.
Page 17
Access Controls: Permissions in Windows
Find the folder or directory in explorer
Right-click to set properties
On the Security tab, assign permissions
Page 20
Encryption: Single Key
Encrypt and decrypt with the same key
How do you get the key safely to the other party?
What if there are many?
Triple DES - old but slightly harder to break with brute force.
AES - new standard
Figure: Plain text message -> AES (Key: 9837362) -> Encrypted text -> AES (Key: 9837362) -> Plain text message
Single key: e.g., AES
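The single-key scheme on this slide, as an added example in Go that is not part of the original slides: one shared AES-256 key both encrypts and decrypts. It uses AES-GCM so that decrypting with a wrong key, or decrypting data an eavesdropper has altered, fails outright instead of silently producing garbage. The 32-byte key is a constructed value; the slide's question of how to deliver that key safely to the other party is exactly the problem this code cannot solve by itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sharedKey is a constructed 32-byte AES-256 key for the demonstration.
// Both parties must hold this exact value; getting it to them safely is the
// key-distribution problem the slide raises.
var sharedKey = []byte("0123456789abcdef0123456789abcdef")

// encrypt seals plaintext with AES-256-GCM under key and returns nonce||ciphertext.
// GCM appends an authentication tag, so any modification is detected on decrypt.
func encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per message; reusing one under the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext to the nonce so the receiver can find the nonce again.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt reverses encrypt. It returns an error if the key is wrong or the
// data was changed in transit, because the GCM tag will not verify.
func decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	ct, err := encrypt(sharedKey, []byte("Plain text message"))
	if err != nil {
		panic(err)
	}
	pt, err := decrypt(sharedKey, ct)
	fmt.Printf("%x -> %q (err=%v)\n", ct, pt, err)
}
```

With the same key the plaintext comes back; with a different key, or after flipping one byte of the ciphertext, Open returns an error rather than a plausible-looking message.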
Page 21
Encryption: Dual Key
Alice sends message to Bob that only he can read
Figure label: Use Bob's private key
Page 22
Dual Key: Authentication
Bob sends message to Alice:
His key guarantees it came from him
Her key prevents anyone else from reading the message
Figure labels: Bob; Public Keys: Alice 29, Bob 17; Private Key 13; Private Key 37; Use Bob's Public key; Use Bob's Private key; Message; Encrypt+T; Encrypt+T+M; Encrypt+M; Use Alice's Public key; Use Alice's Private key; Transmission
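The two-step exchange on this slide (Bob's private key proves the message came from him, Alice's public key keeps anyone else from reading it), as an added Go example that is not part of the original slides. It uses RSA-PSS signatures and RSA-OAEP encryption from Go's standard library; the key pairs are generated at run time rather than the slide's illustrative numbers 29, 17, 13 and 37. One simplification: the signature is computed over the plaintext and sent beside the ciphertext instead of being wrapped inside the outer encryption as the diagram draws it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newKeyPair generates a 2048-bit RSA key pair: the public half is published,
// the private half never leaves its owner.
func newKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Envelope is what crosses the network: the message encrypted for the
// recipient plus the sender's signature over the plaintext.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// send signs msg with the sender's private key (only the sender could have
// produced it) and encrypts it with the recipient's public key (only the
// recipient can open it). RSA-OAEP with SHA-256 limits msg to 190 bytes here.
func send(senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// receive decrypts with the recipient's private key, then checks the signature
// with the claimed sender's public key. Both steps must pass.
func receive(recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: not encrypted for this recipient")
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: not from the claimed sender")
	}
	return msg, nil
}

func main() {
	alice, err := newKeyPair()
	if err != nil {
		panic(err)
	}
	bob, err := newKeyPair()
	if err != nil {
		panic(err)
	}
	env, err := send(bob, &alice.PublicKey, []byte("Message from Bob"))
	if err != nil {
		panic(err)
	}
	got, err := receive(alice, &bob.PublicKey, env)
	fmt.Printf("Alice read: %q (err=%v)\n", got, err)
}
```

A third party holding only public keys can neither read the envelope nor produce one that verifies under Bob's public key, which is the two guarantees the slide lists.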
Page 23
Certificate Authority
Imposter could sign up for a public key.
Need trusted organization.
Only Verisign today, a public company with no regulation.
Verisign mistakenly issued a certificate to an imposter claiming to work for Microsoft in 2001.
How does Alice know that it is really Bob's key?
Trust the C.A.
C.A. validates applicants
Figure labels: Public key; Alice; Public Keys: Alice 29, Bob 17; Use Bob's
Page 24
Internet Data Transmission
Figure labels: Start; Intermediate Machines; Eavesdropper; Destination
Page 25
Clipper Chip: Key Escrow
Page 26
Denial Of Service
Zombie PCs at homes, schools, and businesses with weak security
Figure labels: Break in; Flood program; Coordinated flood attack; Targeted server
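The detection side of the flood drawn on this slide, as an added Go example that is not part of the original slides: a sliding-window counter over a constructed access log flags a single flooding host, and a second, aggregate check catches the coordinated case where every zombie stays under the per-source limit. The IP addresses, timestamps and thresholds are constructed values for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Request is one line of a constructed access log: who sent it and when.
type Request struct {
	Source string
	At     time.Time
}

// exceedsWindow reports whether more than limit timestamps fall inside any
// span of length window, using a two-pointer sliding window over sorted times.
func exceedsWindow(times []time.Time, window time.Duration, limit int) bool {
	sorted := append([]time.Time(nil), times...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Before(sorted[j]) })
	start := 0
	for end := range sorted {
		for sorted[end].Sub(sorted[start]) > window {
			start++
		}
		if end-start+1 > limit {
			return true
		}
	}
	return false
}

// floodSources lists the sources that individually exceed the per-source
// limit: the "flood program" running on one broken-into machine.
func floodSources(reqs []Request, window time.Duration, limit int) []string {
	bySource := map[string][]time.Time{}
	for _, r := range reqs {
		bySource[r.Source] = append(bySource[r.Source], r.At)
	}
	var flagged []string
	for src, times := range bySource {
		if exceedsWindow(times, window, limit) {
			flagged = append(flagged, src)
		}
	}
	sort.Strings(flagged)
	return flagged
}

// aggregateFlood reports whether the targeted server as a whole is over its
// limit, which is how a coordinated attack from many low-rate zombies shows up
// even when no single source looks abusive.
func aggregateFlood(reqs []Request, window time.Duration, limit int) bool {
	times := make([]time.Time, 0, len(reqs))
	for _, r := range reqs {
		times = append(times, r.At)
	}
	return exceedsWindow(times, window, limit)
}

// sampleLog is constructed data: one normal client, one flooding host and
// 20 zombies that each send only four requests within the same second.
func sampleLog() []Request {
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	var reqs []Request
	for i := 0; i < 3; i++ { // normal browsing
		reqs = append(reqs, Request{"198.51.100.7", t0.Add(time.Duration(i) * 300 * time.Millisecond)})
	}
	for i := 0; i < 50; i++ { // one flooding host: 50 requests in one second
		reqs = append(reqs, Request{"203.0.113.5", t0.Add(time.Duration(i) * 20 * time.Millisecond)})
	}
	for z := 1; z <= 20; z++ { // zombies, four requests each
		for i := 0; i < 4; i++ {
			reqs = append(reqs, Request{fmt.Sprintf("10.0.0.%d", z), t0.Add(time.Duration(i) * 250 * time.Millisecond)})
		}
	}
	return reqs
}

func main() {
	log := sampleLog()
	fmt.Println("per-source floods:", floodSources(log, time.Second, 20))
	fmt.Println("aggregate flood:", aggregateFlood(log, time.Second, 60))
}
```

On the sample log the per-source check names only 203.0.113.5, while the aggregate check still fires because the twenty zombies together add 80 requests to the same second; a real deployment needs both views.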
Page 27
Securing E-Commerce Servers
1 Install and maintain a working network firewall to protect data accessible via the Internet
2 Keep security patches up-to-date
3 Encrypt stored data
4 Encrypt data sent across networks
5 Use and regularly update anti-virus software
6 Restrict access to data by business "need to know."
7 Assign a unique ID to each person with computer access to data
8 Don't use vendor-supplied defaults for system passwords and other security parameters
9 Track access to data by unique ID
10 Regularly test security systems and processes
11 Maintain a policy that addresses information security for employees and contractors
12 Restrict physical access to cardholder information
Page 28
discards some types of requests.
Keeps local data from going to Web servers
Page 29
Privacy
Figure labels (sources of personal data): credit cards; organizations; financial; permits; census; transportation data; financial; regulatory; employment; environmental; purchases; phone; criminal record; complaints; fingerprints; medical records; grocery store scanner data
Page 30
Display page, store cookie.
Find page.
Request new page and send cookie.
Use cookie to identify user.
Send customized page.
Page 31
Misuse of Cookies: Third Party Ads
Figure labels: Useful Web site; Useful Web Page Text and graphics; Ads, and cookie; Request page; Hidden prior cookie
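The cookie round trip from this slide and the previous one (store cookie, send it back with the next request, identify the user, send a customized page), as an added Go example that is not part of the original slides. The user record stays on the server behind a random id, and the cookie is set with HttpOnly, Secure and SameSite attributes that keep it out of page scripts and off the cross-site requests for embedded ads that the misuse slide describes. The type and function names (Site, identify, sessionCookieFor) are the example's own.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"sync"
)

const cookieName = "session"

// Site holds the server-side record a cookie points at. The cookie itself
// carries only an opaque random id, so nothing about the user leaks if it is seen.
type Site struct {
	mu     sync.Mutex
	visits map[string]int // session id -> number of pages served
}

func NewSite() *Site { return &Site{visits: map[string]int{}} }

// newSessionID draws 128 random bits; a guessable id would let one visitor
// be mistaken for another.
func newSessionID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// identify is the slide's "use cookie to identify user" step. It takes the
// cookie value the browser sent ("" if none) and returns the session id to use,
// the visit count for the customized page, and whether a fresh cookie must be set.
func (s *Site) identify(cookieValue string) (id string, visits int, issue bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if n, known := s.visits[cookieValue]; known {
		s.visits[cookieValue] = n + 1
		return cookieValue, n + 1, false
	}
	// Unknown or missing cookie: start a new session rather than trusting the value.
	id = newSessionID()
	s.visits[id] = 1
	return id, 1, true
}

// sessionCookieFor builds the Set-Cookie the site stores in the browser, with
// the attributes that limit the third-party misuse the next slide describes.
func sessionCookieFor(id string) *http.Cookie {
	return &http.Cookie{
		Name:     cookieName,
		Value:    id,
		Path:     "/",
		HttpOnly: true,                 // scripts on the page cannot read it
		Secure:   true,                 // sent only over HTTPS
		SameSite: http.SameSiteLaxMode, // not attached to cross-site embedded requests (ads, images)
	}
}

// ServeHTTP: find the page, use the cookie to identify the user (or issue one),
// then send the customized page.
func (s *Site) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	value := ""
	if c, err := r.Cookie(cookieName); err == nil {
		value = c.Value
	}
	id, visits, issue := s.identify(value)
	if issue {
		http.SetCookie(w, sessionCookieFor(id))
	}
	fmt.Fprintf(w, "Welcome, visitor %s: page view %d\n", id[:8], visits)
}

func main() {
	site := NewSite()
	id, n, _ := site.identify("") // first visit: a cookie is issued
	_, n2, _ := site.identify(id) // the browser sends it back: recognized
	fmt.Printf("session %s: visit %d, then visit %d\n", id[:8], n, n2)
}
```

A forged or stale cookie value is not looked up as a user; it simply starts a new session, so the only thing a cookie can prove is that the browser previously received it from this site.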
Page 32
Wireless Privacy
Cell phones require connections to towers
E-911 laws require location capability
Many now come with integrated GPS units
Business could market to customers "in the neighborhood"
Tracking of employees is already common
Page 33
Got fake Kentucky ID
Wrote $6000 in bad checks
Kalin spent 2 days in jail
Sued McFadden, won $10,000
San Francisco Chronicle 1991
Person found 12 others using her SSN
Someone got 16 credit cards from another's SSN, charged $10,000
Someone discovered unemployment benefits had already been collected by 5
Page 34
Privacy Laws
Minimal in US
Credit reports
Right to add comments
1994 disputes settled in 30 days
1994 some limits on access to data
Bork Bill can’t release video rental data
Educational data limited availability
1994 limits on selling state/local data
2001 rules on medical data
France and some other controls
1995 EU Privacy Controls
Page 35
Primary U.S. Privacy Laws
Freedom of Information Act
Family Educational Rights and Privacy Act
Fair Credit Reporting Act
Privacy Act of 1974
Privacy Protection Act of 1980
Electronic Communications Privacy Act of 1986
Video Privacy Act of 1988
Driver’s Privacy Protection Act of 1994
2001 Federal Medical Privacy rules (not a law)
Page 36
Dianetics church (L. Ron Hubbard) officials in the U.S. sued a former employee for leaking confidential documents over the Internet
He posted them through a Danish anonymous server
The church pressured police to obtain the name of the poster
Zero knowledge server is more secure
Should we allow anonymity on the Internet?
Page 37
Cases: Healthcare
Page 38
Cases: Eli Lilly; Owens & Minor, Inc.
What is the company's current status?
What is the Internet strategy?
How does the company use information technology?
What are the prospects for the industry?
www.lilly.com
www.owensminor.com
Page 39
Appendix: Digital Security Certificates
Digital security certificates are used to encrypt e-mail and to authenticate the sender.
Obtain a certificate from a certificate authority
Verisign
Thawte (owned by Verisign)
Microsoft
Your own company or agency
Install the certificate in Outlook
Select option boxes to encrypt or decrypt messages
Install certificates sent by your friends and co-workers.
Page 40
Obtaining a Certificate
Page 41
Installing a Certificate
1 Tools + Options + Security tab
2 Choose your certificate
3 Check these boxes to add your digital signature and to encrypt messages
4 These boxes set the default choices. For each message, you can use the options to
Page 42
Encrypting and Signing Messages
Use the Options button and the Security Settings button to make sure the Encrypt and Signature boxes are checked. Then the encryption and decryption are automatic.