CHAPTER 8 PROTECTING PEOPLE AND INFORMATION Threats and Safeguards.
Opening Case: Transformations in Medicine Mean Better Lives
- Open surgery is on the decline while IT-supported surgery is on the increase.
INTRODUCTION
Handling information responsibly means understanding the following issues:
- Ethics
- Personal privacy
- Threats to information
- Protection of information
ETHICS
- Ethics: the principles and standards that guide our behavior toward other people
- Ethics are rooted in history, culture, and religion
Factors that Determine How You Decide Ethical Issues
Actions in ethical dilemmas are determined by:
- Your basic ethical structure
- The circumstances of the situation
Intellectual Property
- Intellectual property
- Copyright
- Fair Use Doctrine
- Pirated software
- Using copyrighted software without permission violates copyright law
PRIVACY
- Privacy: the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent
- Dimensions of privacy
  - Psychological: to have a sense of control
  - Legal: to be able to protect yourself
Privacy and Other Individuals
- Key logger (key trapper) software: a program that, when installed on a computer, records every keystroke and mouse click
- Screen capture programs: capture the screen from the video card
- Hardware key logger: a hardware device that captures keystrokes moving between the keyboard and the motherboard
- Event Data Recorders (EDR): located in the airbag control module; collect data from your car as you are driving
An E-Mail is Stored on Many Computers
- E-mail is stored on many computers as it travels from sender to recipient
Identity Theft
- Identity theft: the forging of someone's identity for the purpose of fraud
Identity Theft
- Phishing (carding, brand spoofing): http://www.youtube.com/watch?v=7MtYVSGe1ME
- Spear Phishing
- Whaling
- NEVER:
  - Reply without question to an e-mail asking for personal information
  - Click directly on a Web site provided in such an e-mail
Identity Theft
- Pharming: rerouting your request for a legitimate Web site
  - by sending it to a slightly different Web address
  - or by redirecting you after you are already on the legitimate site
- Pharming is accomplished by gaining access to the giant databases that Internet providers use to route Web traffic.
- It often works because it's hard to spot the tiny difference in the Web site address.
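As an added illustration (not part of the chapter), a small Python check that flags an address differing from a trusted site only by a digit-for-letter swap or a one- or two-character change, which is the "tiny difference" the slide describes; the trusted host list and the look-alike table are constructed assumptions.

```python
# Added example: classify a URL's host against trusted sites to catch
# near-identical "look-alike" addresses of the kind pharming relies on.
from urllib.parse import urlparse

# Constructed list of sites the user trusts (assumption; replace with your own).
TRUSTED_HOSTS = {"bank.example.com", "shop.example.com"}

# Characters commonly swapped for look-alikes (0 for o, 1 for l, rn for m ...).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def normalize(host: str) -> str:
    """Lower-case the host and undo common look-alike substitutions."""
    host = host.lower().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host in url."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    if host in TRUSTED_HOSTS:
        return "trusted"
    norm = normalize(host)
    for trusted in TRUSTED_HOSTS:
        # Equal after normalization, or within two edits, is suspiciously close.
        if norm == trusted or edit_distance(norm, trusted) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://bank.example.com/login", "https://bank.examp1e.com/login",
              "http://bamk.example.com", "https://www.python.org"):
        print(u, "->", classify_url(u))
```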
Privacy and Employees
- Companies need information about their employees to run their business effectively
- 60% of employers monitor employee e-mails
- 70% of Web traffic occurs during work hours
- 78% of employers reported abuse
- 60% of employees admitted abuse
- Cyberslacking
  - Visiting inappropriate sites
  - Gaming, chatting, stock trading, etc.
Monitoring Technology
- Example of the cost of misuse: watching an online fashion show uses as much bandwidth as downloading the entire Encyclopedia Britannica
- Reasons for monitoring
  - Hire the best people possible
  - Ensure appropriate behavior on the job
  - Avoid litigation for employee misconduct
Privacy and Consumers
Consumers want businesses to:
- Know who they are, but not to know too much
- Provide what they want, but not gather information on them
- Let them know about products, but not pester them with advertising
Consumer Privacy Issues
- Cookie
- Spam
  - Replying usually increases, rather than decreases, the amount of spam
- Adware and Trojan horse software
- Spyware (sneakware, stealthware)
- Web log
- Clickstream
Privacy and Government Agencies
- About 2,000 government agencies have databases with information on people
- Government agencies need information to operate effectively
- Whenever you are in contact with a government agency, you leave behind information about yourself
Government Agencies Storing Personal Information
- Law enforcement
  - NCIC (National Crime Information Center)
  - FBI
- Electronic Surveillance
  - Carnivore or DCS-1000
  - Magic Lantern (software key logger)
  - NSA (National Security Agency): Echelon collects electronic information by satellite
- IRS
- Census Bureau
- Student loan services
- FICA
- Social Security Administration
- Social service agencies
- Department of Motor Vehicles
Laws on Privacy
- Health Insurance Portability and Accountability Act (HIPAA): protects personal health information
- Financial Services Modernization Act: requires that financial institutions protect personal customer information
- Other laws in Figure 8.6 on page 243
SECURITY AND EMPLOYEES
- Attacks on information and computer resources come from inside and outside the company
- Computer sabotage costs about $400 billion per year
- In general, employee misconduct is more costly than assaults from outside
Security and Employees
Security and Outside Threats
- Hackers: knowledgeable computer users who use their knowledge to invade other people's computers
- Computer virus (virus): software that is written with malicious intent to cause annoyance or damage
- Worm: a type of virus that spreads itself from computer to computer, usually via e-mail
- Denial-of-service (DoS) attack: floods a Web site with so many requests for service that it slows down or crashes
Security Measures
1. Anti-virus software – detects and removes or quarantines computer viruses
2. Anti-spyware and anti-adware software
3. Spam protection software – identifies and marks and/or deletes spam
4. Anti-phishing software – lets you know when phishing attempts are being made
5. Firewall – hardware and/or software that protects a computer or network from intruders
Security Measures
6. Encryption – scrambles the contents of a file so that you can't read it without the decryption key
7. Public Key Encryption (PKE) – an encryption system with two keys: a public one for everyone and a private one for the recipient
8. Biometrics – the use of physiological characteristics for identification purposes