Fundamentals of e-Security
Goal
To help you understand some basics about information security.
To give you some resources that will help you when you need to expand on this base.
Agenda
What and who are we worried about, and why?
What can you do about it?
How are incidents detected and handled?
C.I.A.
The University's entire information processing environment rests on the assumption that we have:
Confidentiality: prevent unauthorized disclosure (Threat: unauthorized access)
Integrity: ensure accuracy and authenticity (Threat: altered, deleted, or added data)
Availability: ensure that information and systems are there when we need them (Threat: denial of service)
Other Concerns
Liability: someone can use our computers to do bad things that leave us with the liability
Reputation: security issues can make us look bad, affecting parental trust and recruiting
Legal: a growing body of law requires that we do certain things to secure our systems (FERPA, HIPAA)
Financial: security issues cost money, directly or indirectly
Traceability, auditability: bad things happen, and you need to find out what and why (and sometimes who)
Exercise
A bad day at the Wild West University
Two press releases describing the loss of private information from a university's system:
Initial Report -- March 5, 2003, 10:00 p.m.

On Sunday, March 2 at 7:20 p.m., computer systems personnel at WWU discovered a computer malfunction. The affected computer system was immediately shut down, and detailed analysis was begun.

What happened? The malfunction was assessed to be the result of a deliberate attack from the Internet. Subsequent analysis revealed that a security weakness in an administrative data reporting system was exploited by writing a program to input millions of Social Security numbers. Those SSNs that matched selected individuals in a WWU database were captured, together with e-mail address, title, department name, department address, department phone number, and names/dates of employee training programs attended. It is important to note that no student grade or academic records, or personal health or insurance information was disclosed.

Is there evidence that the stolen data have been misused or disseminated? WWU, in conjunction with the U.S. Attorney's Office, the U.S. Secret Service, and other law enforcement agencies, has focused its efforts since Sunday evening on identifying the perpetrator(s) of the break-in and recapturing the stolen data. To date there is no evidence that the stolen data have been distributed beyond the computer(s) of the perpetrator(s).

What is WWU doing about this? WWU's highest priority has been to identify the source of the attack and to cooperate with law enforcement authorities to capture the perpetrator(s), and any associated computers and data. Our second priority will be to assess the extent of further data exposure - if any - and to establish a proactive communication program with affected individuals and the WWU community.

How many individual records were exposed? Approximately 55,200 individuals had some of the above data exposed. This group includes current and former students, current and former faculty and staff, and job applicants.

How will affected individuals be notified? The University is currently developing a communication plan and will contact affected individuals as soon as possible. At this juncture, there is no evidence that the data have been further exposed or misused. To send a comment or question to the WWU Incident Response Team, please e-mail datatheft@its.wwu.edu (do not send your Social Security number in any e-mail message). WWU regrets this incident and commits to do whatever is required to ensure the integrity of the data of all our past and present colleagues.

<signed> Vice President for Information Technology, Wild West University

Data Theft Update (October 2003)

The Wild West University regrets that one of its administrative databases was breached in March by a deliberate attack through the Internet. Thousands of names and Social Security numbers were illegally accessed and downloaded to a personal computer. Fortunately, it appears that prompt action by the Travis County District Attorney's Office, the U.S. Attorney's Office, and the U.S. Secret Service has secured the stolen data before they could be misused or further disseminated. A WWU undergraduate student suspected of the crime was arrested by the U.S. Secret Service on March 14. His computer and related paraphernalia were seized and are being analyzed by the Secret Service. Although the security breach and related charges facing the suspect are indeed serious, the U.S. Attorney's Office has stated officially, "At this point, there is no indication that the stolen data was further disseminated or used to anyone's detriment."

As of October 2003, the University has successfully contacted 92 percent of the individuals known to be affected by the data theft incident, and continues its efforts to reach the remaining affected population. The University is doing everything it can to ensure the security of personal information. An underlying issue that has received attention is the University's use of the Social Security number as the unique identifier for students, faculty, staff, and other affiliates, a practice that is widespread in universities and elsewhere. The University launched a project in 2001 to migrate database systems and services to a different identifier, and important progress has been made, but the breached system continued to rely upon SSN inputs.
Questions to Discuss
1) What CIA principles were violated?
2) What other concerns did this attack raise?
3) If your information had been exposed, what would you do?
4) How much would this incident concern you if you were not affected? Would your relationship to the university matter?
5) Based on this information, how would you evaluate WWU's communications to users?
6) Can you think of any similar lurking time bombs at OSU?
Terminology
Scan: probing through the network to find vulnerable systems
Vulnerability: a weakness that might be exploited to do something bad
Exploit: using a vulnerability to gain access to a system
Terminology, continued
Backdoor: a hidden entrance to your system
Rootkit: tools used to hide an intruder's presence
Virus, worm, trojan: old names for different sorts of bad software
Terminology, continued
Malware: new name for viruses, worms, trojans, adware, spyware (MALicious softWARE)
Adware, spyware: commercial software that invades your privacy, displays popups, and undermines your security
Terminology, continued
Bot: (short for robot) a computer running software that makes it part of a botnet, and allows others to control it remotely
Botnet: a network of tens, hundreds, thousands, or tens of thousands of bots that can be used for scanning, exploiting, denial of service attacks, spamming, file sharing, and so on
Terminology, continued
Encryption: a way to make data unreadable by everyone except the intended recipients
Authentication: the act of identifying yourself to the computer
Two-factor authentication: authentication that uses something you have (a key, a token card) and something you know (a password, PIN)
Three-factor authentication: authentication that uses something you are (biometric scan, fingerprint, retina scan, voice print), something you have (a key, a token card), and something you know (password, PIN)
Terminology, continued
Authorization: rights granted to a person (or a program, computer, etc.) for some object (such as data in a database, or login to a network)
Examples: Jkerr is authorized to log in on this computer, but not on that one. Jkerr is authorized to read this data, but not to modify or delete it.
Teenagers
A large number of attacks are perpetrated by teenagers
They have high interest in computers
They have lots of free time
Their morals aren't quite fully developed
No perceived danger to themselves
"Script kiddies"
Goals include:
Just playing around; learning
Gaining social stature in the computer underground
Supporting their passion (file sharing, denial of service, see social stature)
Organized Criminals
Goals: $$$ for spam, denial of service, identity theft, espionage, harassment
Botnets are a real business now, used for spam, denial of service attacks, and building other botnets
They are high-risk operations, and more motivated to use sophisticated tools and techniques to hide their tracks
Unorganized criminals
Disgruntled employees (are the rest of us gruntled?)
Other individuals doing criminal things
Feb. 5, 2005 (Sophos news): a 24-year-old former AOL employee has pleaded guilty to stealing a list of 92 million email addresses of the ISP's customers and selling it to spammers for $28,000 (= $0.0003 per address)
Legitimate users
People doing things that unintentionally put systems at risk, typically through experimenting with game servers, file sharing, web servers, instant messaging, etc.
People who carelessly click on email attachments, approve dialogue boxes that ask whether it's OK to install extra software, respond to phishing attacks, and so on
C.Y.A.
Because we are concerned about C.I.A. (and the other issues) we need to secure our systems, networks, and data.
Step 1: identify assets (data, services, etc.)
Step 2: identify threats (C.I.A.) for each asset
Step 3: identify controls to protect our assets from these threats
Physical Security
Provides for the protection of property, personnel, and facilities from illegal or criminal acts, and/or environmental disruptions
A physical security plan should be created that deals with control of access to the building or office
The plan should also address responses to environmental problems
Laptop/PDA Security
Apple Mac OS X supports FileVault, which automatically encrypts files. This should be turned on (off by default).
Windows 2000 and XP support EFS, the Encrypting File System. This should be turned on (off by default).
Account Security
Don't share your accounts or passwords
Use good passwords
Use different passwords on different systems
Change your passwords
Lock your screen
Data Security
Essential to Confidentiality and Integrity
Regulatory environment: FERPA and student information
Involves protecting data in transit, as well as in storage
Often requires encryption of the data
People Security
Background screening as part of the hiring process
Termination best practices:
Remove their access
Dispossess them of sensitive materials
Repossess important materials (latest version of their projects)
Social engineering: techniques that rely on weaknesses in humans rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security
Modified from The Jargon File, version 4.7.7
Phishing example (image): callouts point to mis-spelled words and F.U.D.
Phishing example
<a href= "http://www.paypallk.com:680/paypal.php" style="font-family: monospace; font-size: 10pt;">Click here to confirm your account</a>
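As an added example (not part of the original slides), a small Python check that pulls each href out of a mail fragment like the link above and flags the three things a defender looks for in it: a lookalike brand domain, a non-standard port, and plain HTTP. The allowlist, the constructed sample fragment and the crude two-label "registrable domain" approximation are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the slide's lookalike link plus one genuine-looking link (not a real mail).
SAMPLE_HTML = (
    '<a href="http://www.paypallk.com:680/paypal.php" style="font-family: monospace;">'
    'Click here to confirm your account</a>'
    '<a href="https://www.paypal.com/help">Help</a>'
)
# Assumed allowlist: the brand domains a reader of this mail would legitimately expect.
TRUSTED_DOMAINS = {"paypal.com"}
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def registrable_domain(host):
    # Crude last-two-labels approximation; a real filter would consult the public-suffix list.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def edit_distance(a, b):
    # Levenshtein distance, used to catch typo-squat names such as paypallk vs paypal.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_link(href, trusted=TRUSTED_DOMAINS):
    """Return warning strings for one href; an empty list means no red flag was found."""
    warnings = []
    parts = urlsplit(href)
    domain = registrable_domain(parts.hostname or "")
    if domain not in trusted:
        near = [t for t in trusted
                if edit_distance(domain.split(".")[0], t.split(".")[0]) <= 2
                or t.split(".")[0] in domain]
        warnings.append(f"lookalike domain {domain!r} resembles {near[0]!r}" if near
                        else f"untrusted domain {domain!r}")
    if parts.port not in (None, 80, 443):
        warnings.append(f"non-standard port {parts.port}")
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    return warnings

def scan_html(fragment):
    """Map every href found in an HTML fragment to its list of warnings."""
    return {href: assess_link(href) for href in HREF_RE.findall(fragment)}
```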
How could a person get tricked into giving out a password over the phone? Much easier than you think!
"Hi, this is Jim from Tech Services. We noticed that your network segment is down, and we'd like to try your login to verify it. What's your password?"
"This is Andrew from Technology Services. Your mail spool on the server is blocked, and we need your password to clear it."
Lima OTS and Columbus Network Security (division of OIT) actively scan network hosts for vulnerabilities
Lima OTS and Columbus Net Security actively monitor network traffic for suspicious activity
Firewall
F.A.Q.
What do I do?
Turn it off!
Report it to Technology Services
Don't try to back up now; it's too late. You may spread contamination.
Useful Resources
CIO Policies: http://cio.osu.edu/policies/policies.html
Network Policies: http://www.net.ohiostate.edu/OSUNet/policies.html
Useful Resources
OSU Site Licensed Software: http://osusls.osu.edu
Spybot Search & Destroy: http://www.spybot.info
General Spyware Information: http://www.getnetwise.org
FERPA and OSU: http://www.registrar.ohiostate.edu/ourweb/more/Content/ferpa.pg1.html
Phishing: http://www.antiphishing.org/phishing_archive.html