Post on 11-Jan-2016
Lecture 7: Data Security and Copyright (38 slides)
Lecturer:
Prof. Anatoly Sachenko
Information Technology
2
Lecture Overview
Information Security Password Policy
Computer Viruses Protection
Copyright and the Law
3
Information Security – Definitions
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction
Governments, military, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status
Should confidential information about a businesses customers or finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, law suits or even bankruptcy of the business
4
Information Security – Proactive Policy A proactive information security policy anticipates problems and
attempts to guard against future problems, as opposed to discovering a problem and then trying to deal with the
problem 'on the fly‘ In any organisation there should be clearly defined policies for
the detection of security problems, and what to do if a problem is noticed
Security problems may range from the physical presence of unauthorised persons in an office, through
to suspicion of attempted unauthorised electronic entry to your computer networks
In all cases you should know whom to contact, and how to contact the relevant person, so that the matter can
be investigated further
5
Information Security (continued)
If you are reporting a security problem you should do so without delay, to the relevant person within your organisation
If you are responsible for dealing with reports of security incidents
you should always take action immediately, and follow the correct procedure within your
organisation for investigating any problems
If you are working for a large organisation you have both rights and obligations to the organisation
For instance does an employer have the right to video film and record employees without their permission?
Can an employer read all email sent and received by employees?
Can an employer monitor what Internet sites an employee is accessing?
6
Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset)
A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset
A threat is anything (man made or act of nature) that has the potential to cause harm
Identification is an assertion of who someone is or what something is
Authentication is the act of verifying a claim of identity
Information Security (continued)
7
After a person, program or computer has successfully been identified and authenticated then
it must be determined what informational resources they are permitted to access and
what actions they will be allowed to perform (run, view, create, delete, or change)
this is called authorization Information security uses cryptography to transform
usable information into a form that renders it unusable by anyone other than an authorized user
This process is called encryption
Information Security - Authorization
8
Information that has been encrypted (rendered unusable) can be transformed back into its original usable form by an authorized user, who possesses the cryptographic key, through the process of decryption
Cryptography is used in information security to protect information from unauthorized or accidental discloser
while the information is in transit (either electronically or physically), and while information is in storage
Cryptography provides information security with other useful applications as well including:
improved authentication methods message digests digital signatures non-repudiation, and encrypted network communications
Information Security – Authorization (cont-d)
9
Public key encryption is a refined and practical way of
doing encryption. It allows for example anyone to
write a message for a list of recipients, and only those
recipients will be able to read that message
Intrusion-detection systems can scan a network for
people that are on the network but who should not be
there or are doing things that they should not be
doing, for example trying a lot of passwords to gain
access to the network
Information Security (continued)
10
Firewalls are systems which help protect computers and computer networks from attack and subsequent intrusion by restricting the network traffic which can pass through them, based on a set of system administrator defined rules
Access authorization restricts access to a computer to group of users through the use of authentication systems
These systems can protect either the whole computer - such as through an interactive logon screen - or individual services, such as an FTP server
There are many methods for identifying and authenticating users, such as passwords, identification cards, and, more recently, smart cards and biometric systems
Information Security (continued)
11
Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information
Social engineering awareness – It is need to keep employees aware of the dangers of social engineering and/or having a policy in place to prevent social engineering can reduce successful breaches of the network and servers
Information Security (continued)
12
Information Security – User ID & Password & Access Rights
A User ID is normally used to logon to a computer, or computer network
It uniquely identifies you to the network. In addition you use a password which is only known to you The password guarantees that no one can access the network
and impersonate you (in theory) Once you have logged on (i.e. connected) to the rest of your
computer network you will have been assigned access rights to the network
Your network administrator will have defined these access rights
The idea of access rights is that you only have the ability to: connect to or share
devices which you have authority to use
13
Information Security – Access Rights & Password
In other words, the network administrators often have access rights to just about every computer, printer, modem etc on the network
You on the other hand may have access rights to print to only certain, specified printers, and you may be able to access only certain data
held on the networkA password is a form of secret authentication data that
is used to control access to a resource The password is kept secret from those not
allowed access, and those wishing to gain access are tested on
whether or not they know the password, and are granted or denied access accordingly
14
A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly
A password policy is often part of an organization's official regulations and may be taught as part of security awareness training
Password formation. Some policies suggest or impose requirements on what type of password a user can choose, such as: The use of both upper- and lower-case letters (case
sensitivity) Inclusion of one or more numerical digits
(continued on the next slide)
Information Security – Password Policy
15
Inclusion of special characters Prohibition of words found in a dictionary or
crackers list Prohibition of passwords that are:
valid calendar dates or license plate numbers
Password duration - some policies require users to change passwords periodically, e.g. every 90 or 180 days
Ideally a password should be at least 8 characters long & contain a mixture of words and numbers
It is also recommended that you change your password regularly
Information Security - Password Policy (continued)
16
Good password practice. Password policies often include advice on proper password management such as: Never sharing a computer account Never using the same password for more than one
account Never telling a password to anyone, including
people who claim to be from customer service or security
Never writing down a password Never communicating a password by telephone, e-
mail or instant messaging Being careful to log off before leaving a computer
unattended Changing passwords whenever there is suspicion
they may have been compromised
Information Security - Password Policy (continued)
17
A smart card, chip card, or integrated circuit card (ICC), is defined as any pocket-sized card with embedded integrated circuits which can process information
The card is made of plasticThe card may embed a hologram to avoid
counterfeitingBiometric methods promise authentication based on
unalterable personal characteristics, but currently have high error rates and require additional hardware to scan, for example, fingerprints, irises
Information Security (continued)
18
Information Security – Backup
The most important thingwhich you store on your computer
is information Often the contents of a hard disk can
represent years of workIf the hard disk stops working one day
you could lose all those years of work For this reason it is
VITAL that you take regular backups of the information which is stored on the computer
19
Backups are a way of securing informationThey are another copy of all the important
computer files kept in another locationThese files are kept on hard disks, CD-Rs,
CD-RWs, and tapesSuggested locations for backups are:
fireproof, waterproof, and heat proof safe, or in a separate, offsite location where the
original files are containedSome individuals and companies also keep
their backups in safe deposit boxes inside bank vaults
Information Security – Backup (cont-d)
20
Information Security (continued)
What if your laptop is stolen? If there was no start-up password then all the data
on the computer could be at risk The same goes for important/sensitive documents;
if these were not individually password protected they could also be vulnerable
If you work within a large organisation, always report an incident of this type immediately to your technical support department
What if your mobile phone is stolen? Call your technical support department if working
for a large organisation If you work alone, then call the phone network
operator and report the phone as stolen
21
Computer Viruses
A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user
The original virus may modify the copies, or the copies may modify themselves, as occurs in a
metamorphic virus A virus can only spread from one computer to another
when its host is taken to the uninfected computer for instance by a user sending it over a network or
the Internet, or by carrying it on a removable medium such as a
floppy disk, CD, or USB drive
22
Additionally, viruses can spread to other computers by infecting:
files on a network file system, or a file system that is accessed by another computer
Some viruses are programmed to damage the computer by damaging programs deleting files, or reformatting the hard disk
Others are not designed to do any damage, but simply replicate themselves, and
perhaps make their presence known by presenting text, video, or audio messages
Today's viruses may also take advantage of network services such as the World Wide Web, e-mail, and file sharing systems to spread, blurring the line between viruses and worms
Computer Viruses (continued)
23
A computer worm is a self-replicating computer programIt uses a network to send copies of itself to
other nodes (computer terminals on the network), and
it may do so without any user interventionUnlike a virus, it does not need to attach
itself to an existing programWorms almost always cause harm to the
network, if only by consuming bandwidth whereas viruses almost always corrupt or
modify files on a targeted computer
Computer Viruses - Computer Worm
24
Trojan horse, or simply trojan, is a piece of software which appears to perform a certain action, but in fact, performs another Contrary to popular belief, this action, usually encoded in a
hidden payload, may or may not be acutely malicious but Trojan horses are notorious today for
their use in the installation of backdoor programs
A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication securing remote access to a computer obtaining access to plaintext, and so on while attempting to remain undetected
The backdoor may take the form of an installed program, or could be a modification to an existing program or hardware device
Computer Viruses – Trojan Horse
25
Unlike viruses, it does not propagate by self-replication but relies heavily on the exploitation of an end-user (see Social engineering above)
In the field of computer architecture, Trojan Horse can also refer to security loopholes that allow kernel code to access anything for which it is not authorized
A simple example of a Trojan horse would be a program named "waterfalls.scr" which claimed to be a free waterfall screensaver When run, it would instead open computer
ports and allow hackers to access the user's computer remotely
Computer Viruses – Trojan Horse (continued)
26
Erasing or overwriting data on a computer Upload and download files Spreading other malware, such as viruses: this type of Trojan
horse is called a 'dropper' or 'vector‘ Setting up networks of zombie computers in order to launch
DDoS attacks or send spam Spying on the user of a computer and covertly reporting data
like browsing habits to other people Logging keystrokes to steal information such as passwords
and credit card numbers Installing a backdoor on a computer system Deactivating or interfering with anti-virus and firewall
programs
Trojan Horse – Damage Examples
27
The majority of Trojan horse infections occur because the user was tricked into running an infected program This is why it is advised to not open unexpected attachments
on emailsthe program is often a cute animation or
an image but behind the scenes it infects the computer with a
Trojan or worm The infected program doesn't have to arrive via email
it can be sent in an Instant Message, downloaded from a Web site or by FTP, or
even delivered on a CD or floppy disk Furthermore, an infected program could come from someone
who sits down at a computer and loads it manually
Computer Viruses (cont-d)
28
Computer Viruses - Backdoor
A backdoor in a computer system, or cryptosystem, oralgorithm
is a method of bypassing normal authentication, securing remote access to a computer obtaining access to plaintext, and so on
while attempting to remain undetectedThe backdoor may take the form of
an installed program, or could be a modification to an existing program
or hardware device
29
Computer Viruses (continued)
30
Computer Viruses - Protection
The safest way to use a computer is to not connect it to a Local Area network or the Internet This is called a 'stand-alone' computer
providing that you do not use floppy disks on that PC which have been used in other computers this type of computer is virtually immune from any
form of intrusion Unfortunately it is the ability to connect to other computers or
indeed the Internet which makes the modern computer so versatile and so
useful Always make sure that all computers require an ID and
password to access them Make sure that all relevant 'security patches' from Microsoft
have been applied
31
Computer Viruses – Protection (cont-d) If you discover a virus on your computer don’t panic If your virus checker alerts you to a virus
then the chances are that it has caught the virus before the virus could infect your computer and cause damage
For instance you may insert a diskette into your computer and the virus checker should automatically scan the diskette
If the diskette contains a virus, a message will be displayed telling you that the diskette is infected, and it should automatically remove the virus
The other common method of infection is via emails If you work within a larger company, you
should have a company IT support group which will come and rid your computer of viruses
Be sure that you are familiar with your company’s policy regarding viruses
32
Computer Viruses – Protection (cont-d)
Anti virus software can only detect viruses (or types of viruses) which the software knows about
As such it is vital that you keep your anti virus software up to date so
that it can detect new viruses which are constantly appearing
Running a virus checker on a machine which contains a virus is known as disinfecting the PC, as the virus program will detect, and then eliminate the virus
Make sure that your virus checker is configured so that as well as scanning your computer for viruses when you first switch on your PC
It remains active in the computer’s background memory, constantly looking for signs of virus attack
This is very important when connecting to the Internet
33
Computer Viruses – Protection (cont-d)
Be very cautious about opening unsolicited emails, especially if they contain file attachments
A good anti-virus program should detect most threats from virus-infected emails
Any file which you download from the Internet may in theory contain a virus
Be especially careful about downloading program files (files with a file name extension of .COM or .EXE)
Microsoft Word or Excel files can contain macro viruses
Basically trust no one when it comes to downloading filesDo not connect to the Internet unless you have a good
anti-virus program installed on your computer
34
Copyright - Software License
A software license comprises the permissions, rights and restrictions
imposed on software whether a component or a free-standing program
Use of software without a license could constitute infringement of the owner's exclusive rights under copyright, or
occasionally, patent law and allow the owner to sue the infringer
Software license agreement is a memorandum of contract between a producer and a user of computer software which grants the user a software license
35
Copyright - License Agreement
Software license agreement indicates the terms under which an end-user may
utilize the licensed software, and in which case the agreement is called an
end-user license agreement or EULAA free software license grants
the right to modify, and redistribute the licensed software
both of which would ordinarily be forbidden by copyright
law
36
Copyright - License Agreement (cont-d)Shareware software is software that can be obtained by a
user, often by downloading from the Internet or on magazine cover-disks free of charge to try out a program before you buy the full version of that program. If the "tryout" program is already the full
version, it is available for a short amount of time, or it does not have updates, help, and other extras that buying the added programs has
Shareware has also been known as "try before you buy“
A shareware program is accompanied by a request for payment, and the software's distribution license often requires such a payment
37
Data protection legislation The most important piece of legislation in the area is the
European Data Protection Directive 1995 that has been implemented in all European Union (EU)
member states and with which companies have to comply in order not to misuse personal data
The directive deals with the protection of individuals with regard to the processing of personal data and on the free movement of such data
Objective of the directive: data-processing systems are designed to serve man whereas they must, whatever the nationality or residence of
natural persons respect their fundamental rights and freedoms notably the right to privacy, and contribute to economic and social progress, trade expansion
and the well-being of individuals
38
References
European Computer Driven Licence, Syllabus version 4.0, 2006.
http://www.roz6.polsl.pl/asachenko/sutaa.html
J. Glenn Brookshear. Computer science an overview, Sixth edition, Addison Wesley, 2001, 688 p.
Brookshear J.G.: Informatyka w ogólnym zarysie, Wydawnictwo WNT, Warszawa 2003.