Thursday 1/27/2011 - University of Washington

Thursday 2/24/2011
Agenda:
1) Student security topics
2) Computer / Network security & fraud
3) Quiz 3
4) Last short paper: Cloud Computing
5) Final similar to midterm, over 2nd half of course only.
Foster School of Business Acctg 420
1
NETWORK (COMPUTER) SECURITY
Security:
• prevent unauthorized access.
• recover from temporary service problems.
• recover from disasters.
• protect the organization’s data & application software.
The problem
Computer security problems are widespread. The average case of computer fraud causes a loss of about $1,000,000. Computer fraud is underreported. Why?
Employee fraud is the most common type of fraud.
Economic espionage (theft of information and intellectual property) is growing very fast.
Viruses
Viruses: several new viruses are created by twisted individuals every day (update antivirus software frequently). Attachments to email present a high risk of virus infection.
Newer viruses are able to mutate (change their appearance as they replicate and spread).
Fraud (all types)
Fraud: (3-legged stool)
1) Motivation (pressure)—financial, work-related, other.
2) Opportunity—lack of internal controls (prevent, detect, and correct).
3) Rationalization—excuse.
Risk Assessment
Risk Assessment—starting point for security: identify and rate each risk. This allows for resource allocation and setting of security priorities. A control spreadsheet is used to organize this process.
RECOVERY
• Mitigate disruption, destruction, and disaster by redundancy in both hardware and software: fault-tolerant servers, automatic disk copy, duplicate main network components at a different location, and decentralize data.
• Hot, cold, & warm sites for business continuity.
• Disaster recovery plan: the most important part is backup and recovery controls. Plan
Access
Unauthorized access:
• casual cruisers,
• security experts,
• professional hackers.
• Detecting—looking for the unusual, repeat tries, entrapment (fake server = honey pot to bait the intruder).
• Correcting—depends on how the breach occurred; civil and/or criminal action.
• Latest (Mar. 2010) way to keep PCs safe—InZero Systems XB technology, a better sandbox!
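The "repeat tries" detection mentioned on the slide above, as an added example that is not part of the lecture: a small Python scanner that reads authentication log lines, keeps a sliding window of failed logins per source address, flags a source once it crosses a threshold, and escalates if that same source then logs in successfully. The log lines, the line format, the threshold of 5 failures and the 2-minute window are all constructed assumptions for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log for this example (not from the lecture).
SAMPLE_LOG = """\
2011-02-24 09:00:01 Failed password for admin from 10.0.0.7
2011-02-24 09:00:03 Failed password for admin from 10.0.0.7
2011-02-24 09:00:05 Failed password for root from 10.0.0.7
2011-02-24 09:00:06 Failed password for jsmith from 10.0.0.12
2011-02-24 09:00:08 Accepted password for jsmith from 10.0.0.12
2011-02-24 09:00:09 Failed password for admin from 10.0.0.7
2011-02-24 09:00:11 Failed password for admin from 10.0.0.7
2011-02-24 09:00:40 Accepted password for admin from 10.0.0.7
kernel: unrelated line that the parser skips
"""

# Assumed line format: "<date> <time> Failed|Accepted password for <user> from <source>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, outcome, user, source), or None for lines in another format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]


def detect_repeat_tries(lines, threshold=5, window=timedelta(minutes=2)):
    """Flag a source once it has `threshold` failed logins inside `window`, and
    escalate if that same source then succeeds (a guessed password is the usual cause)."""
    recent = defaultdict(deque)   # source -> timestamps of its recent failures
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # not an authentication event; ignore
        ts, outcome, user, src = rec
        failures = recent[src]
        if outcome == "Failed":
            failures.append(ts)
            while failures and ts - failures[0] > window:   # drop failures outside the window
                failures.popleft()
            if len(failures) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("repeat-failures", src, len(failures)))
        elif src in flagged:
            # A success from a source that was already hammering logins is the alert to act on.
            alerts.append(("success-after-failures", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_repeat_tries(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log, 10.0.0.7 is flagged at its fifth failure and escalated when the later successful login arrives, while 10.0.0.12 (one typo, then success) produces nothing. Repeated failures on their own are noisy; the success-after-failures alert is the one worth routing to a person.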
Preventing unauthorized access:
• Have a security policy—social engineering.
• Develop user profiles—need-to-know access basis, smart cards, biometric access systems. Delete user accounts when the user leaves the organization.
• Plug security holes—delete preset accounts, keep up to date and “patch” holes. (Microsoft servers)
• Secure access points—terminal, modem, network. Call-back modems, firewalls, proxy servers (the application firewall of choice, but it slows message transfer from internal hosts to the Internet).
• Prevent eavesdropping—network cabling & devices. Control physical access; use special cables & hubs.
Cryption
• Cryption—encrypt & decrypt, plaintext and ciphertext. Algorithms and keys. Keys make the transformation of data unique. Need a key to encrypt and one to decrypt information. The longer the key, the harder it is to guess (56 bits is one standard). It takes 1 week to break a 56-bit key, 1 yr for a 64-bit key, and billions of years for a 128-bit key.
• Key escrow—a good or bad idea?
Cryption
Data Encryption Standard (DES) is a symmetric algorithm—the key to encrypt is the same as the one to decrypt.
Public key encryption—RSA, an asymmetric algorithm: public key to encrypt and private key to decrypt. This allows for authentication (digital signatures). SHTTP is encryption for the web.
Asymmetric Key
Public key algorithms are invertible—text encrypted with either key can be decrypted with the other. Normally, we encrypt with the public key and decrypt with the private key, but we can do the reverse!
Who sent the message?
How would you prove legally who actually sent the message? (This is needed for transfer of funds, buy/sell orders, etc.)
• Assume that A wants to send a message to B and also wants to prove it came from A. A encrypts a key part of the message with its private key, then encrypts the whole message with B’s public key, and sends the message to B. B then decodes it with its private key and sees that part of the message is still encoded. B then decodes the encoded part with A’s public key. Only A has the private key that allows a message to be decoded with A’s public key! Therefore, B knows that the message was from A.
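The two preceding slides (the invertibility of public-key algorithms, and the A-to-B exchange that proves who sent the message) worked through in code, as an added example that is not part of the lecture. It implements textbook RSA with only the Python standard library so the single operation value^exponent mod n can be seen doing encryption, decryption, signing and verification depending only on which key is supplied. Assumptions made here: demonstration-sized 256-bit primes (far too small for real use), no padding (real systems use padded schemes such as RSA-OAEP for encryption and RSA-PSS for signatures), and the slide's "key part of the message" is taken to be a SHA-256 digest of the message, which is what modern signatures sign. All function names and the sample message are constructed for this example.

```python
import hashlib
import secrets

# Demonstration sizes only (an assumption of this example): 256-bit primes give
# a 512-bit modulus, far too small for real use but quick to generate in pure Python.
PRIME_BITS = 256
PUBLIC_EXPONENT = 65537


def is_probable_prime(n, rounds=24):
    """Miller-Rabin test: False for composites, True with high confidence for primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # witness proves n composite
    return True


def random_prime(bits):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=PRIME_BITS):
    """Return (public, private), each an (exponent, modulus) pair sharing the modulus."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % PUBLIC_EXPONENT != 0:
            break
    n = p * q
    d = pow(PUBLIC_EXPONENT, -1, phi)             # modular inverse of e (Python 3.8+)
    return (PUBLIC_EXPONENT, n), (d, n)


def rsa_apply(key, value):
    """The one RSA operation, value^exponent mod n. Encrypt, decrypt, sign and
    verify all use it; only the key (public or private) changes."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def invertibility_demo(public, private, m=123456789):
    """Either key undoes the other: True when both directions round-trip."""
    c_pub = rsa_apply(public, m)                  # public encrypts, private decrypts
    c_priv = rsa_apply(private, m)                # private encrypts, public decrypts
    return rsa_apply(private, c_pub) == m and rsa_apply(public, c_priv) == m


def a_sends(message, a_private, b_public):
    """Sender A: encrypt the message digest with A's private key (the signature), then
    encrypt message + signature block by block with B's public key."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    signature = rsa_apply(a_private, digest)
    sig_bytes = (a_private[1].bit_length() + 7) // 8
    package = len(message).to_bytes(4, "big") + message + signature.to_bytes(sig_bytes, "big")
    # A leading 0x01 keeps each block non-zero for the int round-trip and below B's modulus.
    block_len = (b_public[1].bit_length() - 1) // 8 - 1
    return [rsa_apply(b_public, int.from_bytes(b"\x01" + package[i:i + block_len], "big"))
            for i in range(0, len(package), block_len)]


def b_receives(blocks, b_private, a_public):
    """Receiver B: decrypt with B's private key, then recover the digest with A's public
    key. Returns (message, authentic); authentic is True only if A's private key signed it."""
    package = b""
    for c in blocks:
        x = rsa_apply(b_private, c)
        raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
        if raw[:1] != b"\x01":
            return b"", False
        package += raw[1:]
    length = int.from_bytes(package[:4], "big")
    message = package[4:4 + length]
    signature = int.from_bytes(package[4 + length:], "big")
    if signature >= a_public[1]:                  # cannot have been produced under A's modulus
        return message, False
    expected = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return message, rsa_apply(a_public, signature) == expected


if __name__ == "__main__":
    a_pub, a_priv = generate_keypair()
    b_pub, b_priv = generate_keypair()
    print("invertible:", invertibility_demo(a_pub, a_priv))
    sent = a_sends(b"Buy 100 shares of XYZ for account 4711", a_priv, b_pub)
    print("B received:", b_receives(sent, b_priv, a_pub))
```

The check B performs is exactly the slide's argument: anything that turns back into the correct digest under A's public key must have been produced with A's private key. A third party C who signs the same message with its own private key still reaches B (the outer encryption is under B's public key), but B's verification with A's public key fails, so the message is delivered yet not attributed to A.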
QUESTIONS????