Business/Home Information Security Seminar

Presented by: Jose R. Paloschavez
Candidate for Master of Science in Network Security
E-mail: jose@fixitforme.net
Stafford Porter Library, April 2, 2003, 7:00 P.M.-9:00 P.M.

Disclaimer: All information provided by Jose R. Paloschavez in this seminar or made available to the public is to provide information for interested persons. While Jose R. Paloschavez believes the information is reliable, human or mechanical error remains a possibility. Therefore, Jose R. Paloschavez does not guarantee the accuracy, completeness, timeliness, or correct sequencing of information. Neither Jose R. Paloschavez, nor any of the sources of the information, shall be responsible for any error or omission or the use of, or the results obtained from the use of, this information.

Information Security

Agenda

• History (Internet)
• Why Should We Care About Security?
• Problem – In Large
• Methods of Attack
• Attacker’s Process
• Malicious Mobile Code
• Laws and Legal System

Agenda (cont)

• Privacy Issues and Civil Liberties
• Continuing Threats to Home Users
• Steps to Protect Personal Information – Security Knowledge in Practice
• Important Resources

History

• 1845 – Morse, first telegraph model working, New York
• 1881 – Telephone scrambler
• 1920’s – Government wiretaps
• 1940’s – AEA Restricted Data category
• 1980’s – Defense Authorization Act
  – Onset of the personal computer
  – More corporate/proprietary data stored on diskette in volatile space
  – VIRUSES

History (cont)

• 1990’s – Increased quality of shared applications
  – Increasing dependence on resources
  – International threats and risks
  – Shrinking budgets force less security spending
  – OPEN systems
  – Challenge of the decade before Y2K

Internet a.k.a. “the Net”, “Web”, dub…dub…dub

Definition

• A global network of networks enabling computers of all kinds to directly and transparently communicate and share services through much of the world
  – Internet Society

Internet – How does it work? (slides 8 to 15: eight diagram slides, parts 1 of 8 through 8 of 8; the diagrams are not reproduced in this transcript)

Why Should We Care about Computer Security? (Home)

The Internet has become indispensable to home users…

• Banking transactions – check financial records, pay bills, etc.
• On-line shopping – electronics, home improvement, etc.
• Electronic mail (e-mail)
• Chat
• Access information rapidly (24x7) – news, weather, etc.

Why Should We Care about Computer Security? (Home) (cont) – two illustration slides; the images are not reproduced in this transcript

Why Should We Care about Computer Security? (Business)

The Internet has become indispensable to business…

• Conduct electronic commerce
• Provide better customer service
• Collaborate with partners
• Reduce communication costs
• Improve internal communications
• Access critical information rapidly (24x7)

Why Should We Care about Computer Security? (Business)

Security principles:

• Confidentiality
• Integrity
• Availability
• Authentication
• Non-Repudiation

The Problem – In Large

Statistics:

• 90% of respondents to the Computer Security Institute/FBI 2002 survey reported security breaches (85% in 2001, 70% in 2000, 62% in 1999)*
  – 223 organizations (44%) able to quantify financial loss reported $445.8M (2002 survey)
  – 186 organizations (35%) able to quantify financial loss reported $377.8M (273 organizations [51%], $265.6M in the 2000 survey)
• Theft of proprietary information and financial fraud were the most serious
  – 70% cited their Internet connection as a frequent point of attack (59% in the 2000 survey)
  – 90% acknowledged financial losses due to computer breaches

* Computer Crime and Security Survey, Computer Security Institute and the FBI, 2002, http://www.gocsi.com/pdfs/fbi/FBI2002.pdf
* Computer Crime and Security Survey, Computer Security Institute and the FBI, 2001, http://www.gocsi.com/prelea_000321.htm

Methods of Attack

Methods used to bypass access controls and gain unauthorized access to information

• Brute Force – persistent series of attacks, trying multiple approaches, in an attempt to break into a computer system
• Denial of Service – overloading a system through an online connection to force it to shut down
• Social Engineering – deception of system personnel in order to gain access
• Spoofing – masquerading an ID or data to gain access to data or a system
• Dictionary Attack – a file that contains most dictionary words, used to guess a user’s password

Malicious Mobile Code

• Virus
• Worm
• Trojan Horse
• Logic Bomb

The Attacker’s Process

Some ways an attacker can gain access to or exploit a system

• Passive Reconnaissance – attacker must have some general information (e.g. sniffing)
• Active Reconnaissance – attacker has enough information to try active probing or scanning against a site (e.g. services running, ports, etc.)
• Exploiting the System – compromise a system/user’s account to gain access
• Uploading Programs – once the attacker has gained access, uploading may take place
• Downloading Data – attacker is usually after information (e.g. personal, credit card)

Black Hats vs. White Hats

Terms:

• Black Hat – hacker (noun), hackers are capable of finding flaws on their own; ultimately exploit system security breaches for their nefarious ends…
  – Dictionary.com
• White Hat – hacker (noun), a person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary
  – www.whitehat.org

Laws and Legal System – What You Need to Know…

• National Infrastructure Protection Center – mission is to “serve as the government’s focal point for threat assessment, warning, investigation, and response to threats or attacks against our nation’s critical infrastructures.”
• United States Code, Title 18 – defines the federal crimes, court systems, and punishments of the United States.
• Electronic Communications Privacy Act – makes it illegal to intercept or disclose private communications and provides victims of such conduct a right to sue anyone violating its mandate.
• The Computer Fraud and Abuse Act (as amended 1994 and 1996) – “…having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data…”

Laws and Legal System (cont)

Computer Crime

• Breaches of physical security
  – dumpster diving
  – wiretapping
  – eavesdropping
  – denial or degradation of service
• Breaches of personnel security
  – masquerading
  – social engineering
  – harassment

Laws and Legal System (cont)

Computer Crime

• Breaches of communications and data security
  – data attacks
  – software attacks
• Breaches of operating security
  – data diddling
  – IP spoofing
  – password sniffing
  – excess privileges

Laws and Legal System (cont)

Computer Crime Laws and Regulations

• Common law systems – US, Canada, UK, Australia, New Zealand
• Civil law systems – France, Germany, Quebec

Laws and Legal System (cont)

Computer Crime

• Criminal law – individual conduct which violates state or federal laws which are enacted for the protection of the public
• Civil law (tort) – wrong against an individual or business which results in damage or loss
  – no prison time
  – requires financial restitution

Laws and Legal System (cont)

Computer Crime

• Civil law (continued)
  – Compensatory damages – actual damages to victim, attorneys’ fees, lost profits, investigation costs
  – Punitive damages – set by jury, punish offender
  – Statutory damages – damages determined by law, violation entitles victim

Laws and Legal System (cont)

Computer Crime

• Administrative/regulatory law – standards of performance and conduct from government agencies to organizations
• Intellectual property/information technology related laws (SRV Theory 903.3)
  – Patent – grants owner a legally enforceable right to exclude others from practicing the invention covered; protects novel, useful and non-obvious inventions

Laws and Legal System (cont)

Computer Crime

• Trademark – any word, name, symbol, color, sound, product shape or device or combination of these used to identify goods and distinguish them from those made or sold by others
• Copyright – covers the expression of ideas rather than the ideas themselves (“original works of authorship”)
• Trade secret – proprietary business or technical information which is confidential and protected as long as owner takes certain security actions

Laws and Legal System

Computer Crime

• Computer crime laws
  – computer related crimes and abuses
  – viruses
  – software piracy (“software police”)
  – internet crossing jurisdiction problems
  – illegal content issues (child pornography)
  – wire fraud and mail fraud often used in computer crime cases
  – various economic or financial crime laws

Privacy and Civil Liberties (cont)

• The term privacy stems from the Latin word privatus, which literally means “apart from the public life.”
  – André Bacard, Computer Privacy (1995)
• Over one hundred years ago, Justice Louis D. Brandeis called the right to privacy “the right to be alone.”
  – Ellen Alderman, The Right to Privacy (1995)
• The American right to privacy is rooted in the Fourth Amendment to the United States Constitution. This Amendment, which was ratified in 1791, states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Continuing Threats to Home Users

Topics:

• CERT/CC has observed a significant increase in activity resulting in compromises of home user machines
• Many home users DO NOT keep their machines up to date with security patches and workarounds, DO NOT run current anti-virus software, and DO NOT exercise caution when handling email attachments
• Intruders are aware of these facts. Consequently, this has been marked by an increase in intruders specifically targeting home users who have cable modem or DSL (Digital Subscriber Line) connections

Steps Users Can Take to Improve Computer Systems (Home)

• Use a personal router (if connected to a cable modem or DSL) (e.g. Linksys, D-Link, etc.)
• Use a personal firewall (e.g. ZoneAlarm, free)
  – Software firewall – specialized software running on an individual computer or network
  – Network firewall – a dedicated device designed to protect one or more computers
• Use anti-virus software (e.g. McAfee, Norton or Trend Micro)
• Don't open unknown email
• Don't run programs of unknown origin
• Turn off your computer or disconnect from the network when not in use
• Make regular backups of critical data

Security Knowledge in Practice (Business)

Steps to Improve Your Systems’ Security

• Vendor provides – when you receive software from a vendor, it has default settings. This default configuration may leave you vulnerable to compromise
• Hardening and securing – identify hardware/software
• Prepare – files & directories, processes, performance, network, procedures, contacts, test environments and disaster recovery
• Detect – analyze and monitor information sources and logs
• Respond – analysis, forensics, containment and PR
• Improve – patch, re-architect
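The "Detect" step above (monitor information sources and logs) and the brute force and dictionary attack entries under "Methods of Attack" meet in the simplest detection a small business or home administrator can run: count failed logins per source address over a sliding time window. The script below is an added example written for this transcript; it is not from the seminar slides or from any tool the presenter names. The log lines are constructed for the example (they imitate the OpenSSH "Failed password" message format; the host name, addresses and year are made up), and the threshold of five failures per minute is an assumed tuning value.

```python
# Added example (not from the seminar slides): flag brute-force / dictionary
# password guessing from an authentication log, the kind of source a "Detect"
# step would monitor. Sample log lines are constructed; the format mimics
# OpenSSH's "Failed password for ..." messages but comes from no real host.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (sshd-style syslog lines; the year is assumed to be 2003
# because syslog timestamps carry none). 203.0.113.7 guesses six passwords
# across four accounts in six seconds; 198.51.100.20 is a user who mistyped once.
SAMPLE_LOG = """\
Apr  2 19:00:01 home sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Apr  2 19:00:02 home sshd[1002]: Failed password for root from 203.0.113.7 port 40002 ssh2
Apr  2 19:00:03 home sshd[1003]: Failed password for admin from 203.0.113.7 port 40003 ssh2
Apr  2 19:00:04 home sshd[1004]: Failed password for guest from 203.0.113.7 port 40004 ssh2
Apr  2 19:00:05 home sshd[1005]: Failed password for jose from 203.0.113.7 port 40005 ssh2
Apr  2 19:00:06 home sshd[1006]: Failed password for root from 203.0.113.7 port 40006 ssh2
Apr  2 19:00:30 home sshd[1007]: Accepted password for jose from 198.51.100.20 port 50010 ssh2
Apr  2 19:05:00 home sshd[1008]: Failed password for jose from 198.51.100.20 port 50011 ssh2
Apr  2 19:05:09 home sshd[1009]: Accepted password for jose from 198.51.100.20 port 50012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2003):
    """Return (timestamp, result, user, ip) for a login line, or None if the
    line is not a password authentication record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag every source IP with at least `threshold` failed logins inside any
    `window`-long span. A sliding window (rather than fixed minute buckets)
    means a guesser whose attempts straddle a clock boundary is still caught.
    Returns {ip: {"failures": total, "users": [...], "pattern": str}}."""
    failures = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "Failed":
            ts, _, user, ip = parsed
            failures[ip].append((ts, user))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in events})
                # Many accounts from one source is the dictionary / spray shape;
                # one account hammered repeatedly is targeted guessing.
                pattern = "many accounts (dictionary/spray)" if len(users) > 1 else "single account"
                alerts[ip] = {"failures": len(events), "users": users, "pattern": pattern}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['failures']} failed logins, "
              f"accounts tried {info['users']}, pattern: {info['pattern']}")
```

Run as-is it reports only 203.0.113.7; the single mistyped password from 198.51.100.20 never reaches the threshold, which is the point of counting within a window rather than raising an alert on every failure. In a real deployment the same function would be fed the host's actual auth log, and the response step on the slide (containment) would typically be a firewall rule or account lockout for the flagged source, applied after a human has looked at the accounts it tried.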

Important Resources

• CERT®/CC Contact Information – http://www.cert.org – +1 412-268-7090 (24-hour hotline)
• SANS (System Administration, Audit, Network, Security) – http://www.sans.org – +1 866-570-9927 (8-5 EST hotline)
• Federal Bureau of Investigation, National Infrastructure Protection Center (NIPC) – http://www.nipc.gov – +1 888-585-9078 (24-hour hotline)
• Virus Bulletin (Independent Anti-Virus Advice) – http://www.virusbtn.com/

Important Resources (cont)

• Federal Trade Commission – http://www.ftc.gov – +1 877-FTC-HELP (24-hour hotline)
• Commonwealth of Virginia Cyber Cops, Office of the Attorney General, Technological Division, Computer Crime Unit – http://jcots.state.va.us – +1 804-786-6053 (24-hour hotline)
• Federal Bureau of Investigation (Online Child Pornography), Innocent Images National Initiative – http://www.fbi.gov/hq/cid/cac/innocent.htm – +1 800-843-5678 (24-hour hotline)
• Request that your name be removed from marketing lists to reduce the number of pre-approved credit card applications received by U.S. mail – +1 800-567-8688

Business/Home Information Security Seminar

Presented by: Jose R. Paloschavez
E-mail: jose@fixitforme.net
Candidate for Master of Science in Network Security
Capitol College, 2003