Session 7 LBSC 690 Information Technology Security.
Agenda
• Questions
• Complex systems
• Security
• Midterm exam review
Complex System Issues
• Critical system availability
– Who needs warfare? We do it to ourselves!
• Understandability
– Why can’t we predict what systems will do?
• Nature of bugs
– Why can’t we get rid of them?
• Auditability
– How can we learn to do better in the future?
Crisis Management
• Computer Emergency Response Team (CERT)
– Issues advisories about known problems
– Need to make sure these reach the right people
• Information Warfare
– We depend on our information infrastructure
– How can we prevent attacks against it?
– Hacking is individual; this would be organized
– Policy for this is still being worked out
Ownership
• Who has the right to use a computer?
• Who establishes this policy? How?
– What equity considerations are raised?
• Can someone else deny access?
– Denial of service attacks
• How can denial of service be prevented?
– Who can gain access, and what can they do?
Denial of Service Attacks
• Viruses
– Platform dependent
– Typically binary (executable code rather than data)
– Virus checkers need frequent updates to recognize new ones
• Flooding
– The Internet worm (1988)
– Chain letters
Identity
• Establishing identity permits access control
• What is identity in cyberspace?
– Attribution: when is it desirable?
– Impersonation: how can it be prevented?
• Forgery is really easy
– Just set up your mailer with a bogus name and email address; nothing checks the From line
Authentication
• Used to establish identity
• Two types
– Physical (keys, badges, cardkeys, thumbprints)
– Electronic (passwords, digital signatures)
• Protected with social structures
– Report lost keys
– Don’t tell anyone your password
• Password sniffers on the network will eventually capture a password sent in the clear
Good Passwords
• Long enough not to be guessed
– Programs can try every combination of 4 letters (26^4 is under half a million guesses)
• Not in the dictionary
– Programs can try every word in a dictionary
– And every date, and every proper name, ...
– And even every pair of words
• Mix upper case, lower case, numbers, etc.
• Change it often, and use a different one for each account
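The two attacks the slide names, as an added example (not from the lecture): a constructed four-account password file, stored as unsalted SHA-256 hashes so the demonstration stays short, is attacked first by trying every combination of 4 lowercase letters and then by a dictionary run that also tries capitalisation variants, word + year, and every pair of words. The tiny word list and the account names are constructed for the example; a real attacker uses a full word list and a slow, salted hash is what a real system should store.

```python
import hashlib
import itertools
import string

# Added example, not from the lecture. The "system" stores only an
# unsalted SHA-256 hash of each password; that keeps the demo simple and
# is exactly what makes the guessing below cheap. Real systems should use
# a slow, salted password hash.
def store(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed user database: four accounts, four password styles.
USERS = {
    "alice": store("qwer"),            # 4 lowercase letters
    "bob":   store("Orange1995"),      # dictionary word + year
    "carol": store("mapleleaf"),       # pair of dictionary words
    "dave":  store("T7$k!9wq#Lp2Rv"),  # long, mixed, in no list
}

# Constructed stand-in for a real word list (e.g. /usr/share/dict/words).
WORDS = ["apple", "orange", "maple", "leaf", "river", "stone", "blue", "sky"]

def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive guesser must try."""
    return alphabet_size ** length

def brute_force_4_lower():
    """Every combination of 4 lowercase letters: 26**4 = 456,976 guesses."""
    for letters in itertools.product(string.ascii_lowercase, repeat=4):
        yield "".join(letters)

def dictionary_candidates():
    """Words (three capitalisations), word + year, and every pair of words."""
    years = [str(y) for y in range(1950, 2025)]
    for word in WORDS:
        for variant in (word, word.capitalize(), word.upper()):
            yield variant
            for year in years:
                yield variant + year        # orange1995
                yield variant + year[-2:]   # orange95
    for a, b in itertools.permutations(WORDS, 2):
        yield a + b                         # mapleleaf

def crack(users: dict, candidates) -> dict:
    """Hash each candidate and report {user: password} for every match."""
    by_hash = {h: u for u, h in users.items()}
    found = {}
    for cand in candidates:
        user = by_hash.get(hashlib.sha256(cand.encode()).hexdigest())
        if user is not None:
            found[user] = cand
            if len(found) == len(users):
                break
    return found

if __name__ == "__main__":
    print("4 lowercase letters:", search_space(26, 4))
    print("12 chars of mixed case and digits:", search_space(62, 12))
    print("brute force finds:", crack(USERS, brute_force_4_lower()))
    print("dictionary finds:", crack(USERS, dictionary_candidates()))
```

Running it shows alice falling to exhaustive search in well under a second, bob and carol falling to the dictionary variants, and dave surviving both: length and absence from any list are what buy resistance, not "cleverness" in a short password.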
Other Access Control Issues
• Protect system administrator access
– Greater potential for damaging acts
– What about nefarious system administrators?
• Trojan horses
– Programs that look useful but carry intentionally undocumented access techniques
• Firewalls
– Block packets that don’t match the traffic you expect
– Makes it harder for hackers to hurt your system
Privacy
• What privacy rights do computer users have?
– On email?
– When using computers at work? At school?
– What about your home computer?
• What about data about you?
– In government computers?
– Collected by companies and organizations?
• Does obscurity offer any privacy?
Cookies
• Web servers know a little about you
– Machine (its network address), prior URL (the referrer), browser
• From this they can guess a little more
– Path you followed, who is on that machine
• Cookies allow them to remember things
– They send you a string and your browser stores it
– If they ask for the string, your browser provides it
– The string can represent identity and/or information
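The exchange the slide describes, as an added example (not from the lecture): both sides of it in one script, using Python's standard http.cookies module to build the Set-Cookie header the server sends and to parse the Cookie header the browser returns. The session table, the user name and the greeting strings are constructed for the example. The point it makes beyond the slide is that the string itself need carry no information; it is an unguessable key into a table the server keeps, so a forged or guessed value gets the visitor nothing.

```python
import secrets
from http.cookies import SimpleCookie

# Added example, not from the lecture. Server-side table mapping an opaque
# session string to what the server remembers about that browser.
SESSIONS: dict = {}

def login(username: str) -> str:
    """Server side: issue a random session string and return the
    Set-Cookie header value that sends it to the browser. The string
    carries no information itself; it is only a key into SESSIONS."""
    sid = secrets.token_urlsafe(32)           # 256 bits: not guessable
    SESSIONS[sid] = {"user": username, "visits": 0}
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["path"] = "/"
    c["session"]["httponly"] = True   # scripts in the page cannot read it
    c["session"]["secure"] = True     # browser only sends it over HTTPS
    return c["session"].OutputString()

def browser_store(jar: dict, set_cookie_header: str) -> None:
    """Browser side: parse Set-Cookie and remember name=value."""
    c = SimpleCookie()
    c.load(set_cookie_header)
    for name, morsel in c.items():
        jar[name] = morsel.value

def browser_cookie_header(jar: dict) -> str:
    """Browser side: the Cookie header sent with the next request."""
    return "; ".join(f"{k}={v}" for k, v in jar.items())

def handle_request(cookie_header: str) -> str:
    """Server side: look the string up. A missing or unknown string is an
    anonymous visitor, so forging a value gains nothing unless the value
    space is small enough to guess."""
    c = SimpleCookie()
    c.load(cookie_header)
    session = SESSIONS.get(c["session"].value) if "session" in c else None
    if session is None:
        return "Hello, stranger"
    session["visits"] += 1
    return f"Welcome back, {session['user']} (visit {session['visits']})"

if __name__ == "__main__":
    jar = {}
    browser_store(jar, login("alice"))                 # response to login
    print(handle_request(browser_cookie_header(jar)))  # next request
    print(handle_request("session=guess"))             # forged value
```

The HttpOnly and Secure attributes are what keep the string from leaking to page scripts or to an eavesdropper on a plain HTTP connection; without them the "identity" the cookie represents is only as private as the network it crosses.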
Integrity
• How do you know what’s there is correct?
– Attribution is invalid if the contents can change
• Access control would be one solution
– No system with people has perfect access control
– The RISKS Digest provides plenty of examples!
• Encryption offers an alternative
Encryption
• Separate keys for writing and reading (public-key cryptography)
– Pretty Good Privacy (PGP) is one “standard”
• Identity
– “Digital signature” made with a private write key
• Integrity
– The public read key decodes only what the matching write key wrote, so a changed message fails the check
• Privacy
– Either the write key or the read key can be kept secret
Policy Solutions
• Five guidelines
– Establish policies
– Authenticate
– Authorize
– Audit
– Supervise
• CSC Acceptable Use Policy
Exam Structure
• One hour and 15 minutes
• Approximately 4 questions
– Each may have multiple parts
• Open book (Oakman only)
– You may hand write anything in your Oakman
– No extra pages of notes
• The software you may use will be specified
• You may bring a calculator
Exam Advice
• The only goal is to get points!
– Spend each minute in the best place
• Develop a strategy for each question type
– Guessing can’t hurt on multiple choice
• This is a change from prior exams
– Don’t write a page when a sentence will do
• Study concepts, not details
– Grading rewards conceptual understanding
– Don’t expect a clone of the sample exams
Questions
??????