Managing Information Technology


MANAGING IT SYSTEMS
Protecting People and Information
One of the lessons learned from 9/11 is that with careful and thorough protection of important information, not even a calamity like the one that occurred in New York can put you out of business.
Three components of an IT system are
• Handling information responsibly means understanding the following issues
– Ethics
– Personal privacy
– Threats against information
– Protection of information
ETHICS
• Ethics –
– Ethics are rooted in history, culture, and religion
– Each person’s set of ethics is different
• How will you act or react when you are faced with an ethical dilemma?
– What is the harm or benefit of my actions?
– How long will it take for the effects to be felt?
– What is the probability that harm or benefit will occur?
– How many people will be impacted by your actions?
– What does society think about your intended actions?
– Your set of ethics will/should
In some cases, what to do will not be crystal clear.
Document Retention Policies
• Provide for the systematic
and
of
in
the course of business. What documents will be
?
– Must
– Having the right documents can protect you during
litigation.
– Lots of business communications now occur
electronically (
).
• How long will you keep that information on the server?
Because it is not gone just because you hit DELETE.
Enron and Arthur Andersen
• The accounting firm Arthur Andersen was the Enron auditor
– The details on this slide can be found on page 49 of your textbook (and that is why they are not listed here)
– End result: both Enron and Arthur Andersen are out of business
– Destruction of files after a federal investigation has begun is both
– Comply, and you participate in
you
a
. Refuse, and
.
Major Ethical Issues in Business Today
• Privacy – the right to be
and not to be observed without your consent
– Your organization is storing information about someone in
its database. Who has access to that information? How will
it be used? Can it be sold?
– Is the information valid? Is it accurate?
– Was confidentiality assumed?
• Customers, partners or suppliers may not
• Pizza Video
• Advances in technology make it easier and easier to copy everything from music to pictures and other people’s work.
– In some cases, it is ok to use someone’s intellectual material or copyrighted material, but in most cases, those are
form the
of an IT system
– Information does not care how it is used
– Information will not stop itself from sending spam, viruses, or highly-sensitive information
– Information cannot delete or preserve itself
Intellectual Property: Computer Software
• Intellectual property – intangible creative work that is embodied in
physical form
– Art, books, music all have copyright protection.
– Computer software also has
• Copyright – legal protection afforded an expression of an idea. No one can
.
• When you buy software, you are
In a legal sense,
the software. You just have
.
• Fair Use Doctrine – may use copyrighted material in certain
situations, such as in the creation of a new work or in teaching
situations. There are limits on the amount of copyrighted material
that you can use.
• Using copyrighted software without permission violates copyright
law: considered copyright infringement.
Copyrighted Software
You MUST have
of the software or
for each machine that is running a
particular piece of software.
• In the US, you may always make one copy of copyrighted software to
keep for backup purposes—remember, when you buy copyrighted
software, you are
: that’s all.
• Software Piracy: the unauthorized use, duplication, distribution, or
sale of copyrighted software
– Did you buy the software or did a friend simply allow you to install a copy on
your machine as well?
Video
– Software Publisher’s Association: The Software Police
– Most
of computer crime. In some parts of the world, more than
of business software is thought to be pirated.
Identity Theft
• Identity Theft Video
• Identity theft – the forging or
for the purpose of fraud
– The fraud is usually for
gain
• A common way to steal identities online is called
.
– Phishing: a technique used to con people into
information.
Identity Theft: Phishing
• One way is to send out a “legitimate-looking” email message, asking you to
. Because it looks legitimate, you respond.
• A newer technique is to send an email
message to you asking you to
to a web site, where you will then supply
personal information
http://www.identitytheftsecrets.com/videos/wamu.html
Identity Theft
• Facts on phishing…
– February 2005 – 2,625 phishing sites
– Consumers lost $500 million to phishers in 2004
– 70% of people report visiting a fake site
• NEVER
– Reply without question to an e-mail asking for personal
information
– Click directly on a Web site provided in such an e-mail
• What to do if you suspect you’re at risk
– Close your credit card accounts (use ID theft affidavit form)
– Place a fraud alert on your credit reports
– Ask government to flag your files
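The two NEVER rules above come down to one check a mail client or gateway can make for you: does the link you see point where it says it does? The following is an added example, not part of the original slides, that extracts every link from an HTML message and flags those whose visible text and real destination disagree, or whose hostname merely contains a trusted name without being under it. The hostnames in the sample message (`bank.example`, `login-verify.test`) and the `trusted_domains` list are constructed for this example.

```python
"""Added example (not from the original slides): flag links in an HTML e-mail
whose visible text and real destination disagree, which is the trick behind the
"click on a Web site provided in such an e-mail" warning."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that reads like a URL or bare domain ("www.bank.example/login").
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def host_of(s):
    """Lowercase hostname of a URL or bare domain, '' if there is none."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def owner(host):
    """Crude registrable domain (last two labels). Production code should use
    the public suffix list so that suffixes like co.uk are handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_suspicious_links(html_body, trusted_domains):
    """Return [(href, text, [reasons])] for links that deserve a closer look."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if not target:
            continue  # mailto:, relative links, etc.
        reasons = []
        # 1. The reader sees one site, the browser would go to another.
        if LOOKS_LIKE_URL.match(text) and owner(host_of(text)) != owner(target):
            reasons.append("visible link text names a different site than the href")
        # 2. A trusted name is embedded in a host that is not actually under it.
        for trusted in trusted_domains:
            under_trusted = target == trusted or target.endswith("." + trusted)
            if trusted in target and not under_trusted:
                reasons.append(f"'{trusted}' appears inside unrelated host {target}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample message; both hosts are made up for this example.
SAMPLE_EMAIL = """<html><body>
<p>Your account will be suspended. Please verify at
<a href="http://bank.example.login-verify.test/confirm">https://www.bank.example/login</a></p>
<p>Questions? See <a href="https://www.bank.example/help">our help page</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for href, text, reasons in find_suspicious_links(SAMPLE_EMAIL, ["bank.example"]):
        print(f"SUSPICIOUS: text={text!r} href={href!r}")
        for r in reasons:
            print("  -", r)
```

Only the first link is reported: its text shows the bank's own address while the `href` leads to a host that merely starts with the bank's name. The genuine help link passes both checks. The `owner()` helper deliberately keeps only the last two labels; a real deployment would consult the public suffix list instead.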
PRIVACY
• Privacy – the right to be
and
without your consent
• Your actions can be monitored
– Key logger (key trapper) software & hardware –
. Can be installed by a
hacker or even your employer.
–S
– capture screen from video card:
periodically take a snapshot of what is on the screen
– E-mail is
Employee Monitoring
E-Mail: Hardly Private
• Each e-mail you send results in at least
copies
being stored on different computers as it travels from
sender to recipient (it may even be backed up several
times as well)
Federal law permits employers to monitor
by employees. Deleted email can
and
“The email I receive is personal”
vs “Protecting the Company”
• Companies
for the email that
using their systems. They are also liable for the
email they store.
– Chevron Corporation and Microsoft settled sexual
harassment lawsuits for $2.2 million each because
employees sent offensive email to other employees and
management did not intervene.
– The Microsoft Antitrust Trial
– People write things in email that they would never say in
public. Offensive remarks can leave a company
defenseless.
– Company time and equipment are being used
Privacy and Employees
• Companies need information about their employees
to run their business effectively
• As of March 2005, 60% of employers monitored
employee e-mails
– 70% of Web traffic occurs during work hours
– 78% of employers reported employee Internet abuse
– 60% of employees admitted abusing Internet privileges at work.
• Since misuse of company resources has become so
widespread, employers are tightening their policies
on the use of company computers, e-mail, and
Internet access
Privacy and Employees
• Cyberslacking –
• Visiting inappropriate sites or sites not related to the work
that is being performed
• Gaming, chatting, stock trading, etc.
• Example of cost of misuse
– Watching an online fashion show uses as much bandwidth as
downloading the entire Encyclopedia Britannica: tied up
telecommunications lines for many companies at 3pm one
afternoon a few years ago.
• Reasons for monitoring
– Ensure
– Avoid
on the job
for employee misconduct
Ways You Can Be Monitored
• C
can be used to track your movements on the Internet.
– A small record deposited on your hard drive by a web site
containing information about you and your web activities.
• Web logs are also created, consisting of one line for every
visitor to a web site. Contains
such as your IP
address and your Clickstream. Stored on a web server.
• C
–
about you during a web
surfing session, such as what sites you visited, how long
you were there, what ads you looked at, what you bought,
and what links that you clicked on.
• Cell phone calls, satellite transmissions, and email
Ways You Can Be Monitored
• Adware - software to generate ads that installs itself
on your computer when you download some other
(usually free) program from the Web.
Adware
• Spyware (also called sneakware or stealthware) – software that comes in
software and tracks your online movements, mines the information stored on your computer, or uses your computer’s CPU and storage for some task you know nothing about.
Adware in Free Version of Eudora
Trojan Horse Software
• T
software – software you don’t want
(adware, virus, key logger software, spyware) inside software
you do want
• When you download “free” software, you usually
have to agree to terms of usage, and somewhere
embedded in those terms, you are agreeing to
download and let run this “extra software.”
– You can’t download the software without agreeing to the
terms of usage, so you usually don’t read them, but
instead click the “I Accept” button.
Spam
• Spam – unsolicited e-mail from businesses
advertising goods and services
• Gets past spam filters by
– Inserting characters
– Inserting HTML tags that do nothing
– Replying usually increases, rather than decreases, the amount of spam
• Typically sent out in bulk
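The two filter-evasion tricks listed above (characters inserted inside words, HTML tags that render to nothing) only work against a filter that searches the raw message. The following added example, not from the original slides, shows a keyword filter that normalizes the message first, so the obfuscated and plain versions score the same. The phrase list and the sample messages are constructed for the example.

```python
"""Added example (not from the original slides): a keyword spam filter that
first undoes inserted characters and do-nothing HTML tags."""
import html
import re
import unicodedata

# Constructed sample phrase list; a real filter would learn these from labelled mail.
SPAM_PHRASES = ("free money", "click here", "lottery winner")

TAG_RE = re.compile(r"<[^>]*>")          # any tag, including <!-- comments -->
NOISE_RE = re.compile(r"[^a-z0-9\s]")    # anything that is not a letter, digit or space


def normalize(body):
    """Strip tags, decode entities such as &#111;, fold Unicode look-alikes to
    ASCII where NFKC can, lowercase, and drop punctuation inserted inside words."""
    text = TAG_RE.sub("", body)
    text = html.unescape(text)
    text = unicodedata.normalize("NFKC", text).lower()
    text = NOISE_RE.sub("", text)
    return re.sub(r"\s+", " ", text).strip()


def spam_hits(body, phrases=SPAM_PHRASES):
    """Return the phrases found after normalization. Each phrase is also tried
    with all spaces removed, which catches 'c l i c k  h e r e' at the cost of
    occasional false positives across word boundaries."""
    norm = normalize(body)
    squeezed = norm.replace(" ", "")
    return [p for p in phrases if p in norm or p.replace(" ", "") in squeezed]


def naive_hits(body, phrases=SPAM_PHRASES):
    """The filter the spammer is trying to beat: raw substring search."""
    lower = body.lower()
    return [p for p in phrases if p in lower]


# Constructed sample: tags that render to nothing, an HTML entity, and dots and
# spaces inserted between letters.
OBFUSCATED = ('Get F<b></b>R<i></i>E<u></u>E M&#111;ney now! '
              'You are a L.o.t.t.e.r.y W.i.n.n.e.r <!-- x --> c l i c k   h e r e')
CLEAN = "Meeting moved to 3pm tomorrow, same room."

if __name__ == "__main__":
    print("naive     :", naive_hits(OBFUSCATED))   # []
    print("normalized:", spam_hits(OBFUSCATED))    # all three phrases
    print("clean mail:", spam_hits(CLEAN))         # []
```

The raw search finds nothing in the obfuscated message; after normalization all three phrases are found, and the ordinary message still scores zero. The space-squeezed match is the one trade-off worth watching in practice, since it can join two innocent words into a flagged phrase.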
Information Security
• Information security – a broad term
encompassing the protection of information from
or
by persons
inside or outside an organization
• Lines of Defense
– First Line of Defense:
– Second Line of Defense:
The First Line of Defense - People
• The biggest issue surrounding information security
is not a technical issue, but a
• 38% of security incidents originate
the organization
–I
: legitimate users who purposely or
accidentally misuse their access (fraud, embezzlement, harassment)
–S
: using one’s social skills to trick people
into revealing access credentials or other information
• Many people
or write them on sticky
notes next to their computers, leaving the door wide open to intruders
The First Line of Defense - People
• The first line of defense an organization should
follow to help combat insider issues is to develop
information security policies and an information
security plan
1. Develop the information security policies
2. Communicate the information security policies
3. Identify critical information assets and risks
4. Test and reevaluate risks
5. Obtain stakeholder support
The Second Line of Defense - Technology
• Three primary information security areas
1. A
and authorization
2. P
and resistance
3. Detection and response
AUTHENTICATION AND
AUTHORIZATION
• Authentication – a method for
users’
identities
• Authorization – the process of
to do or have something
• The most secure type of authentication involves a combination of the following:
1. Something the user
such as a user
and
2. Something the user
such as a smart card or token
3. Something that is
such as a fingerprint or voice signature: biometrics
Something the User Knows such
as a User ID and Password
• User ID and passwords are the
individual users, and are the most ineffective form of authentication
– Passwords are considered the
of computer security.
– Sometimes ID numbers and passwords can be guessed by just randomly trying different combinations.
– Over 50 percent of help-desk calls are password related
– Password Sniffer
• A small program hidden in a network or a computer system that records identification numbers and passwords.
Something the User Has such as a
Smart Card or Token
• Smart cards and tokens are
than a user ID and a password
– Token – small electronic devices that change user passwords automatically
• You enter in your user ID and then pull out the token to see what the new password is.
– Smart card – a device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing. Having the card serves as your identification (
).
Something That Is Part of the User such
as a Fingerprint or Voice Signature
• This is by far the
to manage authentication
– Biometrics – the identification of a user based on a
• Fingerprints
• Iris/retinal scan
• Hand prints
• Voice prints
• Appearance of your face
– Unfortunately, this method can be costly and intrusive
– Eye scans are expensive and people consider them intrusive.
– Fingerprints are cheaper and less intrusive, but also not 100% accurate.
PREVENTION AND
RESISTANCE
• Downtime can cost an organization anywhere from $100 to $1 million per hour
– A 22-hour outage in June 2000 caused eBay’s market cap to plunge $5.7 billion
• Technologies available to help prevent and build resistance to attacks include:
1. Content
2. E
3. F
Content Filtering
• Organizations can use content filtering technologies to
e-mail and
e-mails containing sensitive information from transmitting and stop spam and viruses from spreading
– Content filtering – occurs when organizations use software that filters content to prevent the transmission of unauthorized information: stops outgoing data.
– Spam – a form of unsolicited e-mail
• How much spam do you receive each day?
– Antivirus software: Is yours up-to-date and actively running?
– Organizations can also
to certain
ENCRYPTION
• Who can read your email?
• If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it
– Encryption –
into an alternative form that requires a
t the information
– Public key encryption – uses two keys: a public key that everyone can have and a private key for only the recipient
• Data transmitted wirelessly also needs to be
encrypted.
Out in the Open Video
FIREWALLS
• One of the most common defenses for preventing a security breach is a
– Firewall – hardware and/or software that guards a private network by analyzing the information leaving and entering the network
– Firewall software also provides basic protection to computers where it is installed
• Basic firewall software incorporated into
of
FIREWALLS
• Sample firewall architecture connecting systems located in Chicago, New York, and Boston
• Notice the placement of the firewalls between the
and the
DETECTION AND RESPONSE
• If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage
• A
is the most common type of detection and response technology
• Intrusion Detection software (IDS) searches for
to indicate attacks (compares current network traffic against a “listing” of attack characteristics).
– Looks for
on the network who
or who are acting
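The slide describes an IDS as comparing current traffic against a "listing" of attack characteristics and watching for hosts that are acting suspiciously. The following added example, not from the original slides, does both over a handful of constructed web server log lines: each request path is matched against a small signature list, and a host that sends requests faster than a threshold inside a sliding window raises a flood alert. The log format, the signature list and the IP addresses (documentation ranges) are all constructed for this example.

```python
"""Added example (not from the original slides): a small signature-based
intrusion detector run over constructed web server log lines. It compares each
request against a listing of attack characteristics and also flags a host that
is "acting suspiciously" by sending requests faster than a threshold."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# The "listing of attack characteristics": (name, pattern tried against the decoded path).
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sql-injection", re.compile(r"union\s+select|'\s*or\s+1\s*=\s*1", re.I)),
]

# Constructed log format: ISO timestamp, client IP, method, path, status.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": ip,
        "method": method,
        "path": unquote(path),   # decode %27, %20 ... so signatures see the real bytes
        "status": int(status),
    }


def analyze(lines, flood_threshold=5, window=timedelta(seconds=10)):
    """Return (alert_name, source_ip, detail) tuples in the order they fire."""
    alerts = []
    recent = defaultdict(deque)  # ip -> timestamps inside the sliding window
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            alerts.append(("unparseable-line", None, line))
            continue
        for name, pattern in SIGNATURES:
            if pattern.search(ev["path"]):
                alerts.append((name, ev["ip"], ev["path"]))
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) == flood_threshold:  # fires once, when the threshold is first crossed
            alerts.append(("request-flood", ev["ip"],
                           f"{len(q)} requests within {int(window.total_seconds())}s"))
    return alerts


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """
2005-02-01T10:00:00 10.0.0.5 GET /index.html 200
2005-02-01T10:00:01 10.0.0.5 GET /images/logo.gif 200
2005-02-01T10:00:02 203.0.113.9 GET /../../private/config.txt 404
2005-02-01T10:00:03 203.0.113.9 GET /login?user=admin'%20OR%201=1 200
2005-02-01T10:00:10 198.51.100.7 GET / 200
2005-02-01T10:00:11 198.51.100.7 GET / 200
2005-02-01T10:00:12 198.51.100.7 GET / 200
2005-02-01T10:00:13 198.51.100.7 GET / 200
2005-02-01T10:00:14 198.51.100.7 GET / 200
""".strip().splitlines()

if __name__ == "__main__":
    for name, ip, detail in analyze(SAMPLE_LOG):
        print(f"[{name}] {ip}: {detail}")
```

Three alerts come out of the sample: two signature matches for `203.0.113.9` and one flood alert for `198.51.100.7` on its fifth request within ten seconds. Decoding the path before matching is the detail that makes the second signature fire at all; the raw line contains `%20` and `%27`, not the spaces and quote the pattern looks for. Lines the parser cannot read are reported rather than silently dropped, since an unparseable record is itself worth a look.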
Hackers: people very knowledgeable about computers who use their knowledge to invade other people’s computers
• White-hat hacker: work at the
to find system vulnerabilities and plug the holes.
hackers
• Black-hat hacker: break into other people’s computer systems and may just look around or may steal and destroy information
• Hacktivist: have
and
for breaking into systems. Will often deface a Web site as a political protest.
• Script kiddies/script bunnies:
hackers. Have
that does all the hacking for them. Don’t have much technical expertise. Often used as a shield by the “real” hackers.
• Cracker: a hacker with criminal intent
• C
: seek to cause harm to people, destroy critical systems or info and use the Internet as a weapon of mass destruction
Virus - software written with malicious intent to cause annoyance or damage
• Worm: a type of virus that spreads itself via email from computer to computer. The primary difference between a virus and a worm is that a virus must attach to something, such as an executable file, in order to spread. Worms do not need to attach to anything to spread and can tunnel themselves into computers.
• Denial-of-service attack (DoS): flood a Web site with so many requests for service that it slows down or crashes. Quite often, multiple computers are used in DoS attacks.
• Trojan-horse virus: something you don’t want hidden inside something you do want.
• Backdoor program: viruses that open a way into the network for future attacks
• Polymorphic virus and worm: change their form as they propagate/spread
The Love Bug
• Starts working immediately:
– It uses your address book to email itself to others.
– It destroys files
• .mp3 music files, .jpg picture files, .doc Word files, .xls Excel files, .wav sound files, .html files
– It can also change your IE start page
SoBig Virus
• Arrived as e-mail attachment
• Searched hard disk for e-mail addresses
• Sent out huge numbers of useless e-mails
• At its height, SoBig constituted 1 in 17 e-mails worldwide
Slammer Worm
• Flooded the victim server to fill the buffer
• Sent out 55 million bursts of information per second
• Found all vulnerable servers in 10 minutes
Denial-of-Service Attacks
• Denial-of-service (DoS) attacks flood a Web site with so many requests for service that it slows down or crashes. Quite often, multiple computers are used in DoS attacks.
Security threats to e-business include:
• Elevation of privilege: a process by which a user misleads a system
into granting unauthorized rights, usually for the purpose of
compromising or destroying the system. For example, an attacker
might log on to a network by using a guest account, and then exploit a
weakness in the software that lets the attacker change the guest
privileges to administrative privileges.
• Hoaxes attack computer systems by transmitting a virus hoax, with a
real virus attached. By masking the attack in a seemingly legitimate
message, unsuspecting users more readily distribute the message and
send the attack on to their co-workers and friends, infecting many
users along the way.
• Malicious code includes a variety of threats such as viruses, worms,
and Trojan horses
• Spoofing is the forging of the return address on an e-mail so that the
e-mail message appears to come from someone other than the actual
sender. This is not a virus but rather a way by which virus authors
conceal their identities as they send out viruses.
Security threats to e-business include:
• Spyware is software that comes hidden in free downloadable software
and tracks online movements, mines the information stored on a
computer, or uses a computer’s CPU and storage for some task the
user knows nothing about. In a recent study, 91% of the participants
had spyware on their computers that can cause extremely slow
performance, excessive pop-up ads, or hijacked home pages.
• A sniffer is a program or device that can monitor data traveling over a
network. Sniffers can show all the data being transmitted over a
network, including passwords and sensitive information. Sniffers tend
to be a favorite weapon in the hacker’s arsenal.
• Packet tampering consists of altering the contents of packets as they travel over the Internet or altering data on computer disks after penetrating a network. For example, an attacker might place a tap on a network line to intercept packets as they leave the computer. The attacker could eavesdrop or alter the information as it leaves the network.
Information-Related Laws
How to Protect Corporate Data From Hackers
Establish better controls
Examples of Computer Crimes
Common Methods Used to Commit Computer Crime
What You Can Do To Protect Yourself
1. Back up important files and store them away from your computer.
2. Don’t respond to emails asking you to visit a web site or supply personal data.
3. Regularly run and update your antivirus software.
4. Enable all of your computer’s software security features.
5. Encrypt data being transmitted (or use software with encryption enabled).