MIS 320 - Western Washington University


Quotable
“Maybe we should have given him a bicycle.”
--Ed Darden, of Atlanta, who gave his son Frank, 16, a computer for Christmas. Frank [Legion of Doom] later was arrested for hacking into a phone system, threatening service throughout the Southeast.
http://neil.franklin.ch/Jokes_and_Fun/Computer_Quotes
PPT Slides by Dr. Craig Tyran & Kraig Pencil
Information Systems Security
MIS 320
Kraig Pencil
Summer 2014
IS Security in the Headlines
[Slide image: Business Week headlines]
Overview
• Introduction
• Crimes
• Players
• Ways to cause trouble
• Ways to enhance security
A. IS Security - Introduction
1. Networked age → Good news/bad news
• Good news → Easy, fast information sharing (supports linkages!!!)
• Bad news → Easier for bad guys to get to your data
2. IS break-ins are common … and expensive
• 2006 survey for Computer Security Institute/FBI (www.gocsi.com)
• 616 respondents
• Virtually all reported some form of attack(s)
• 52% of organizations reported “unauthorized use” of IS in past year
• Perpetrators of incidents: crackers, disgruntled employees, competitors, foreign governments
CERT: Reported IS Vulnerabilities
[Chart: Security Vulnerabilities vs. Time; x-axis Year, 2000 to 2006; y-axis Vulnerabilities, 0 to 10,000]
Internet Crime Complaint Center (IC3) 2009 Report
http://www.ic3.gov/media/annualreport/2009_IC3Report.pdf
• Complaints up 22% (Department of Justice)
• Median dollar loss on complaints: $575
• Total dollar loss: $559,700,000
• Many crime categories, including: auction fraud, nondelivery of merchandise, credit card fraud, computer intrusions, spam, child pornography
A. IS Security - Introduction
3. Published reports
• Tip of the iceberg
• Most break-ins are unreported to law enforcement … or undetected
– Companies are afraid that customers – and potential intruders – will learn about problems
– CSI/FBI survey: 30% did not report their intrusions. Of these:
  – 48% are concerned with negative publicity
  – 36% are concerned that competitors will take advantage
B. IS Security – Cyber Crimes
1. What types of activities do the bad guys do?
• Viruses/worms (65% of survey group reported this problem)
  • e.g., “Macro” viruses (e.g., Love Bug), Worms (e.g., Slammer)
• Laptop/mobile theft (47%)
  • Steal information, gain access to other systems
• Unauthorized access: Hacking and physical access (32%)
  • Change documents and files
    – Steal $, modify credit ratings
    – e.g., Citibank robbery -- $11 million
  • Steal information (e.g., classified info, info for identity theft)
• Denial of service attacks (25%)
• Phishing
  • e.g., An “official”-looking company e-mail used to gather personal information, passwords, SSN, etc.
Macro Virus Example:
The Love Bug
Warnings at the Workplace: Worms and Viruses
http://computer.howstuffworks.com/worstcomputerviruses.htm
Theft of information: Identity Theft
Average identity theft victim
→ Spends 600 hrs and $16,000 to recover
(www.idtheftcenter.org)
Denial of Service Attack
A hacker’s virus installs a program on many computers.
On command, they become zombies (a distributed denial of service, or DDoS).
They all ping* the “target” again and again –
The overload crowds out legitimate page requests, creating a Denial of Service to customers.
[Slide graphic: zombie computers “greeting” the target: “Bonjour”, “Guten Tag”]
Denial of Service Attack
Cloud Computing to the rescue???
Cloud services are usually “scalable” → providers can instantly add more servers to handle the increased greetings from the zombie computers.
Caveat: scaling absorbs the flood rather than stopping it; the extra capacity is billed to the victim, and the attack traffic still has to be filtered or rate-limited somewhere.
http://www.smartertechnology.com/c/a/Smarter-Strategies/3-ReasonsClouds-Prevent-CyberAttacks/?kc=EWKNLSTE12232010BESTOF4
[Slide graphic: zombie computers “greeting” the target]
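As an added example (not from the slides), the defender’s side of the flood described above: a per-source sliding-window rate limiter plus a top-talker detector, run over constructed traffic in which five zombies hammer the target while one real customer browses. All addresses and timings are invented for the demo.

```python
from collections import defaultdict, deque

# Constructed traffic: (timestamp_seconds, source_ip). Five "zombies" each fire
# 100 requests inside half a second; one legitimate customer sends five requests
# spread over ten seconds. Addresses and timings are invented for this demo.
ZOMBIES = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4", "198.51.100.5"]
LEGIT = "203.0.113.10"


def make_traffic():
    traffic = []
    for bot in ZOMBIES:
        traffic += [(i * 0.005, bot) for i in range(100)]
    traffic += [(0.1, LEGIT), (0.9, LEGIT), (2.3, LEGIT), (5.0, LEGIT), (9.8, LEGIT)]
    return traffic


def rate_limit(requests, window_s=1.0, max_per_window=20):
    """Sliding-window limiter: each source may make at most max_per_window
    requests in any window_s-second interval. Returns (allowed, dropped_per_source)."""
    recent = defaultdict(deque)  # source -> timestamps of recently admitted requests
    allowed = []
    dropped = defaultdict(int)
    for ts, src in sorted(requests):
        q = recent[src]
        while q and ts - q[0] >= window_s:  # expire timestamps that left the window
            q.popleft()
        if len(q) < max_per_window:
            q.append(ts)
            allowed.append((ts, src))
        else:
            dropped[src] += 1
    return allowed, dict(dropped)


def top_talkers(requests, window_s=1.0, threshold=50):
    """Detection view: sources exceeding `threshold` requests in any window_s interval."""
    seen = defaultdict(deque)
    flagged = set()
    for ts, src in sorted(requests):
        q = seen[src]
        q.append(ts)
        while q and ts - q[0] >= window_s:
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    traffic = make_traffic()
    allowed, dropped = rate_limit(traffic)
    print("flooding sources:", sorted(top_talkers(traffic)))
    print("served", len(allowed), "of", len(traffic), "requests; dropped per source:", dropped)
    print("legit customer served:", sum(1 for _, s in allowed if s == LEGIT), "of 5")
```

Each zombie gets 20 requests through and loses 80; the customer’s five requests all succeed. Per-source limits only help while the attacker has few sources: a large botnet, or spoofed UDP, spreads the load below any per-address threshold, which is why capacity (the cloud argument above) and upstream filtering remain necessary layers.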
Phishing Example
[Slide image]
Phishing Example 2
[Slide image]
Insiders
• You have to trust someone, but …
– Insiders account for much of “lost” data
• “stolen credentials have become the most common way attackers gain access to enterprises. But the credentials were rarely stolen using sophisticated methods. Instead, malicious insiders were involved in 48% of cases -- a 26% increase vs. last year -- and in some cases, freely revealed their administrative passwords, enabling attackers easy access to sensitive data”
(SearchSecurity.com: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1517422,00.html)
C. IS Security – The Players
Hackers: people who break into computers and computer networks
1. White-hat hackers
… hobbyists who follow the “hacker code”; curious, not malicious
… or professional consultants who find security holes in the client’s own systems: perform penetration tests and vulnerability assessments
2. Black-hat hackers // Crackers
• Cyber vandals; cause trouble for fun
• Commit premeditated cyber crime, steal information, $$, etc.
C. IS Security – The Players
Hackers: people who break into computers and computer networks
3. Hacktivist – Politically or socially motivated hacker
– Site defacing
– Denial-of-Service (DoS) attack
4. Cyberterrorist – deliberate, large-scale disruption of computer networks
Hacker Conventions
• DEF CON – World’s Largest
• Black Hat
Hacker Films
• Wargames
• Takedown
Well-known Cyber Crooks*
Kevin Mitnick – superstar of hacking
• Active 1980 – 1995
• Never profited or caused damage
• 5 years in prison (8 months in solitary confinement)
• “Social engineering” specialist: “no patch for stupidity”
• Now a well-paid security consultant, speaker, writer
[Slide image: Kevin Mitnick]
* http://www.itsecurity.com/features/top-10-famous-hackers-042407/
Well-known Cyber Crooks*
Vladimir Levin – Russian
• Transferred $10.7 million from Citibank accounts
• Captured in London, transferred to US, convicted/sentenced to 3 years
• Citibank managed to recover 95% of the funds
Adrian Lamo 2002-2004
• Victims: Yahoo!, Citigroup, Cingular, NY Times
• “Homeless hacker” was also helpful. Unauthorized penetration testing. Voluntarily informed some victims of their security weaknesses.
• Arrested/Convicted/Ordered to pay $65,000 to NY Times
Robert Alan Soloway – the “Spam King”
• 2008: 47 months in federal prison, and $700,000 restitution
• $7.8 million civil judgment awarded to Microsoft.
[Slide image: Adrian Lamo]
Others: Stephen Wozniak (blue boxes), Tim Berners-Lee (Oxford)
* http://www.itsecurity.com/features/top-10-famous-hackers-042407/
D. Examples of hacker tools/techniques
1. Password cracker programs
• Example approaches: Look for “dictionary” words & common names, and simple variations of them (capitalization, digit or symbol suffixes, letter-for-symbol swaps)
• Note: passwords are normally stored as one-way hashes, so a cracker does not “reverse” the encryption; it hashes each guess with the same algorithm and compares the result to the stored hash. A weak password is one that turns up early in that guessing process.
2. Sniffers
• “Eavesdropping” program/device
• Use to capture usernames and passwords for people doing remote computer logins
• Place program on a node of the Internet and “sniff” for usernames and passwords (only works where the login protocol sends them in the clear, e.g., telnet, FTP, HTTP; SSH and TLS defeat it)
3. Social engineering
• Hacker poses as a “good guy” and asks unsuspecting people for information
• Often done via phone
• E.g., “What kind of computer system are you using?”
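An added example of what a sniffer sitting on an Internet node actually does with the packets it sees (this is illustrative code, not a tool from the slides). The “capture” is constructed inline: an FTP login whose PASS line is split across two segments that arrive out of order, an HTTP request with Basic authentication, and an SSH session. Addresses, usernames and passwords are invented.

```python
import base64
import re
from collections import defaultdict

# Constructed "capture": (src, dst, seq, payload) for each TCP segment, as a sniffer
# between client and server would see them. Addresses and credentials are invented.
SSH_ENCRYPTED = bytes(range(0x80, 0xC0))  # stand-in for an encrypted SSH record

CAPTURE = [
    # FTP login, cleartext. The PASS line is split across two segments captured out
    # of order, so naive per-packet matching would miss it; reassembly does not.
    ("10.0.0.5:51000", "10.0.0.9:21", 1, b"USER alice\r\n"),
    ("10.0.0.9:21", "10.0.0.5:51000", 1, b"331 Password required\r\n"),
    ("10.0.0.5:51000", "10.0.0.9:21", 3, b"ter2\r\n"),
    ("10.0.0.5:51000", "10.0.0.9:21", 2, b"PASS hun"),
    ("10.0.0.9:21", "10.0.0.5:51000", 2, b"230 Login successful\r\n"),
    # HTTP Basic auth: base64 is encoding, not encryption.
    ("10.0.0.7:52000", "10.0.0.9:80", 1,
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
     + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
    # SSH: only the version banner is readable; the login itself is encrypted.
    ("10.0.0.5:51001", "10.0.0.9:22", 1, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("10.0.0.5:51001", "10.0.0.9:22", 2, SSH_ENCRYPTED),
]

FTP_LOGIN = re.compile(rb"USER (\S+)\r\n.*?PASS (\S+)\r\n", re.DOTALL)
HTTP_BASIC = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)")


def reassemble(capture):
    """Group segments per one-way flow and stitch payloads in sequence order."""
    flows = defaultdict(list)
    for src, dst, seq, payload in capture:
        flows[(src, dst)].append((seq, payload))
    return {flow: b"".join(p for _, p in sorted(segs)) for flow, segs in flows.items()}


def extract_credentials(capture):
    """Return the logins a passive sniffer can read from the reassembled streams."""
    found = []
    for (src, dst), data in reassemble(capture).items():
        for m in FTP_LOGIN.finditer(data):
            found.append({"proto": "ftp", "client": src, "server": dst,
                          "user": m.group(1).decode(), "password": m.group(2).decode()})
        for m in HTTP_BASIC.finditer(data):
            user, _, pw = base64.b64decode(m.group(1)).partition(b":")
            found.append({"proto": "http-basic", "client": src, "server": dst,
                          "user": user.decode(), "password": pw.decode()})
    return found


if __name__ == "__main__":
    for cred in extract_credentials(CAPTURE):
        print(cred)
```

The FTP and HTTP logins come out in full; the SSH flow yields nothing because everything after the banner is ciphertext. That asymmetry, not the sniffer’s cleverness, is the lesson: a sniffer is only as dangerous as the protocols that still send secrets in the clear.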
A Hacker Tool: “Password cracker”
available on the Internet
E. IS Security – Ways to address/combat security risks
1. Password management
• Do not use dictionary words
• Create new combinations of letters and digits
• Combine letters, numbers, special characters, and both upper and lower case
  e.g., gaRDen+493
• Use mnemonic tricks to remember odd combinations: the first letters of the words in an expression
  – e.g., tbontbtitq (or even better: 2b*o02b*t1tq)
  “To be or not to be, that is the question”
• Change passwords frequently (current guidance, e.g., NIST SP 800-63B, prefers long passphrases, a password manager and multi-factor authentication, with changes when compromise is suspected rather than on a fixed schedule)
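An added example tying the password-cracker slide in section D to the password advice above (illustrative code, not from the slides). It runs a dictionary-plus-rules attack against a constructed table of unsalted SHA-256 password hashes and reports which of the slide’s own examples survive. The wordlist, account names and passwords are invented; a real run uses a multi-million-entry wordlist and far more mangling rules.

```python
import hashlib

# Constructed stand-in for a dictionary / common-names list; entries are invented.
WORDLIST = ["password", "garden", "letmein", "summer", "kraig", "hamlet", "welcome"]
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "123", "!", "2014"]


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def mangle(word):
    """Yield the variants a simple rule-based cracker derives from one word:
    case changes, letter-for-symbol swaps, and common suffixes."""
    leet = "".join(LEET.get(c, c) for c in word.lower())
    seen = set()
    for base in (word.lower(), word.capitalize(), word.upper(), leet):
        for suffix in SUFFIXES:
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(target_hash, wordlist=WORDLIST):
    """Dictionary + rule attack. There is no 'reverse' step: each candidate is
    hashed exactly as the system hashes it and compared with the stored value.
    Returns (recovered_password_or_None, number_of_guesses)."""
    guesses = 0
    for word in wordlist:
        for cand in mangle(word):
            guesses += 1
            if sha256_hex(cand) == target_hash:
                return cand, guesses
    return None, guesses


# Constructed user table storing unsalted SHA-256, the weakest common storage form.
ACCOUNTS = {
    "alice": sha256_hex("garden"),        # dictionary word
    "bob":   sha256_hex("Garden123"),     # capitalised + digits: one rule away
    "carol": sha256_hex("g@rd3n"),        # leet-speak: also one rule away
    "dave":  sha256_hex("gaRDen+493"),    # the slide's mixed-character example
    "erin":  sha256_hex("2b*o02b*t1tq"),  # the slide's mnemonic
}


def audit(accounts, wordlist=WORDLIST):
    """Defender's view: which accounts fall to the dictionary attack."""
    return {user: crack(h, wordlist)[0] for user, h in accounts.items()}


if __name__ == "__main__":
    for user, cracked in audit(ACCOUNTS).items():
        print(f"{user}: {'CRACKED -> ' + cracked if cracked else 'survived'}")
```

“garden”, “Garden123” and “g@rd3n” fall immediately. “gaRDen+493” survives this small rule set, but it is still dictionary-derived, and a real cracker with case-toggle rules and a “+ddd” mask finds it too; the mnemonic appears in no wordlist and has to be brute-forced over its full length. On the storage side, the same attack against a salted, deliberately slow hash (hashlib.pbkdf2_hmac, bcrypt, scrypt or Argon2) costs the attacker that much more per guess.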
E. IS Security – Ways to address/combat security risks
2. Use firewalls
• HW/SW that acts as a buffer between a network and the rest of the world
• Can keep out … unauthorized traffic
• Can keep in … corporate secrets
3. Encryption
• Scramble a message/data so that others cannot understand it
4. Advisory organizations
• Post warnings and “patches” for reported security problems
• e.g., Computer Emergency Response Team (CERT)
Image source: http://computer.howstuffworks.com/firewall.htm
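An added example of the firewall idea above, both halves of it: a first-match, default-deny packet filter that keeps outside traffic out and keeps the file server’s data in, next to the same rules in a careless order that silently lets the secrets leave. This is illustrative code, not a product configuration; the hypothetical network (10.1.0.10 public web server, 10.1.0.20 internal file server, 10.2.0.0/16 workstations) and all addresses are invented.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in" (Internet -> network) or "out" (network -> Internet)
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR
    dst: str               # CIDR
    dport: Optional[int]   # destination port, None = any


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))


def decide(ruleset, pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in ruleset:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Keep out: only HTTPS may reach the web server from outside (SSH etc. fall to the
# default deny). Keep in: the file server may never open connections to the Internet,
# and that deny is listed BEFORE the general "workstations may browse" allow.
HARDENED = [
    Rule("allow", "in",  "tcp", "0.0.0.0/0",    "10.1.0.10/32", 443),
    Rule("deny",  "out", "any", "10.1.0.20/32", "0.0.0.0/0",    None),
    Rule("allow", "out", "tcp", "10.0.0.0/8",   "0.0.0.0/0",    443),
]

# Same three rules with the broad egress allow placed before the file-server deny.
# Because first match wins, port-443 traffic from the file server is admitted.
WEAK = [HARDENED[0], HARDENED[2], HARDENED[1]]


def overlapping(a: Rule, b: Rule) -> bool:
    return (a.direction == b.direction
            and ("any" in (a.proto, b.proto) or a.proto == b.proto)
            and ipaddress.ip_network(a.src).overlaps(ipaddress.ip_network(b.src))
            and ipaddress.ip_network(a.dst).overlaps(ipaddress.ip_network(b.dst))
            and (None in (a.dport, b.dport) or a.dport == b.dport))


def unreachable_denies(ruleset):
    """Lint: (allow_index, deny_index) pairs where an earlier allow overlaps a later
    deny, so some traffic the deny was meant to block has already been admitted."""
    return [(i, j) for j, later in enumerate(ruleset) if later.action == "deny"
            for i, earlier in enumerate(ruleset[:j])
            if earlier.action == "allow" and overlapping(earlier, later)]


if __name__ == "__main__":
    leak = Packet("out", "tcp", "10.1.0.20", "198.51.100.7", 443)
    print("file server -> Internet, hardened:", decide(HARDENED, leak))
    print("file server -> Internet, weak:    ", decide(WEAK, leak))
    print("shadowed denies in WEAK:", unreachable_denies(WEAK))
```

The ordering lint is the check worth keeping: a deny that sits below an overlapping allow is at least partly dead, and real rulesets hide exactly this mistake among hundreds of lines. Note the filter here is stateless; a production firewall also tracks connection state so that replies to allowed outbound connections are admitted without a matching inbound rule.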
Vulnerability Alert from CERT
E. IS Security – Ways to address/combat security risks
5. Security software
• Antivirus software
• Intrusion detection software
E. IS Security – Ways to address/combat security risks
6. Hire a good hacker
• Break into your system and/or provide advice
• Help you identify security holes

U.S. HIRED HACKER TO DETECT DIGITAL SPYING BY EMPLOYEES
WASHINGTON, D.C. – In the cyber age, there are few things so damaging as a determined insider with the right passwords. The Defense Department hired a former hacker to lead a research program to detect digital spying by employees. Peiter Zatko is in charge of the Cyber Insider Threat program at the Defense Advanced Research Projects Agency, or DARPA. “I’ve played both offense and defense.”
His program is years away from any deployable solutions. In the meantime, the WikiLeaks releases show that the Pentagon failed to take basic steps to protect sensitive information, such as detecting and preventing unauthorized downloads.
MCCLATCHY, November 30, 2010
Redacted by Kraig Pencil
E. IS Security – Ways to address/combat security risks
6. Hire a good hacker
Kevin Mitnick – a busted hacker … emerges from prison and begins a career as an IS Security consultant, writes a book
A Parting Thought …
The most likely way for the world to be destroyed,
most experts agree, is by accident. That’s where we
come in; we’re computer professionals. We cause
accidents.
- Nathaniel Borenstein, co-creator of MIME