Lecture Management information systems: Solving business problems with information technology – Chapter 4

Introduction to MIS
Chapter 4
Security, Privacy, Anonymity

Copyright © 1998-2002 by Jerry Post

Introduction to MIS

1


Outline

- Threats to Information
- Physical Security and Disaster Planning
- Logical Security and Data Protection
- Virus Threats
- User Identification and Biometrics
- Access controls
- Encryption and Authentication
- Internet Security Issues
- Privacy
- Anonymity
- Cases: Healthcare
- Appendix: Server Security Certificates



Security, Privacy, and Anonymity

[Figure: the Internet in the middle, surrounded by three threat labels: Server Attacks, Data interception, Monitoring]









Threats to Information

- Accidents & Disasters
- Employees & Consultants
- Business Partnerships
- Outsiders
- Viruses

[Figure: the company's systems and the paths by which threats reach them: links to business partners, outside hackers, employees & consultants, and a virus hiding in an e-mail attachment]



Security Categories

Physical attack & disasters
- Backup--off-site
- Cold/Shell site
- Hot site
- Disaster tests
- Personal computers!

Logical
- Unauthorized disclosure
- Unauthorized modification
- Unauthorized withholding
- Denial of Service



Horror Stories

Security Pacific--Oct. 1978
- Stanley Mark Rifkin
- Electronic Funds Transfer
- $10.2 million
- Switzerland
- Soviet Diamonds
- Came back to U.S.

Equity Funding--1973
- The Impossible Dream
- Stock Manipulation
- Insurance
- Loans
- Fake computer records

Clifford Stoll--1989
- The Cuckoo's Egg
- Berkeley Labs
- Unix--account not balance
- Monitor, false information
- Track to East German spy

Robert Morris--1989
- Graduate Student
- Unix "Worm"
- Internet--tied up for 3 days

Old Techniques
- Salami slice
- Bank deposit slips
- Trojan Horse
- Virus



Manual v Automated Data

- Amount of data
- Identification of users
- Difficult to detect changes
- Speed
- Search
- Copy
- Statistical Inference
- Communication Lines



Disaster Planning

SunGard is a premier provider of computer backup facilities and disaster planning services. Its fleet of Mobile Data Centers can be outfitted with a variety of distributed systems hardware and delivered at a disaster site within 48 hours.



Data Backup

- Backup is critical
- Offsite backup is critical
- Levels
  - RAID (multiple drives)
  - Real time replication
  - Scheduled backups



Data Backup

[Figure: a network of PCs and duplicate mirrored servers, with a UPS between the servers and the power company feed. Captions:]
- Use the network to backup PC data.
- Use duplicate mirrored servers for extreme reliability.
- Frequent backups enable you to recover from disasters and mistakes.
- Offsite backups are critical.



Virus

[Figure: an e-mail from "afriend" to "victim" reading "Open the attachment for some excitement.", with an attachment whose bytes are shown as a hex dump; the virus code is hidden among the attachment's bytes.]

1. User opens an attached program that contains hidden virus
2. Virus copies itself into other programs on the computer
3. Virus spreads until a certain date, then it deletes files.



Virus Damage

Attacks                                                       1991  1996  2000  2001
Viruses/Trojans/Worms                                           62    80    80    89
Attacks on Web servers                                                      24    48
Denial of Service                                                           37    39
Insider physical theft or damage of equipment                               49    42
Insider electronic theft, destruction, or disclosure of data                24    22
Fraud                                                                       13     9

Sources: Dataquest, Inc; Computerworld 12/2/91. National Computer Security Association; Computerworld 5/6/96.

1999 virus costs in the U.S.: $7.6 billion.



Stopping a Virus

- Backup your data!
- Never run applications unless you are certain they are safe.
- Never open executable attachments sent over the Internet--regardless of who mailed them.
- Antivirus software
  - Needs constant updating
  - Rarely catches current viruses
  - Can interfere with other programs
- Ultimately, viruses sent over the Internet can be traced back to the original source.



User Identification

Passwords
- Dial up service found 30% of people used same word
- People choose obvious
- Post-It notes

Hints
- Don't use real words
- Don't use personal names
- Include non-alphabetic
- Change often
- Use at least 6 characters

Alternatives: Biometrics
- Finger/hand print
- Voice recognition
- Retina/blood vessels
- Iris scanner
- DNA ?
- Password generator cards

Comments
- Don't have to remember
- Reasonably accurate
- Price is dropping
- Nothing is perfect




Iris Scan

[Figure: EyePass™ System at Charlotte/Douglas International Airport.]

questions/q2/features.html
eyepass/index.html
Algorithm patents by JOHN DAUGMAN 1994



Biometrics: Thermal

Several methods exist to identify a person based on biological characteristics. Common techniques include fingerprint, handprint readers, and retinal scanners. More exotic devices include body shape sensors and this thermal facial reader, which uses infrared imaging to identify the user.



Access Controls: Permissions in Windows

Find the folder or directory in Explorer. Right-click to set properties. On the Security tab, assign permissions.



Security Controls

Access Control
- Ownership of data
- Read, Write, Execute, Delete, Change Permission, Take Ownership

Security Monitoring
- Access logs
- Violations
- Lock-outs

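The three monitoring bullets (access logs, violations, lock-outs) are usually implemented as one routine that reads the log. The following Python is an added example, not part of the lecture: it runs over a constructed access log, counts DENY events per user, locks an account out once it collects three violations inside a ten-minute window, and flags any activity by an account that is already locked out. The log format, the threshold, the window, and the user names are assumptions made for the demo.

```python
"""Security monitoring over an access log: count violations per user, lock the
account out after too many in a short window, and flag activity by a
locked-out account. Added example; format, threshold and window are assumed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MAX_VIOLATIONS = 3               # DENY events allowed inside the window
WINDOW = timedelta(minutes=10)   # sliding window in which they are counted

# Constructed sample log, one event per line:
# <ISO timestamp> <user> <permission requested> <object> <ALLOW|DENY>
ACCESS_LOG = """\
2002-03-04T09:00:01 alice READ    payroll.xls ALLOW
2002-03-04T09:00:07 bob   WRITE   payroll.xls DENY
2002-03-04T09:01:15 bob   WRITE   payroll.xls DENY
2002-03-04T09:02:40 bob   DELETE  payroll.xls DENY
2002-03-04T09:03:02 bob   READ    memo.doc    ALLOW
2002-03-04T09:30:00 carol EXECUTE setup.exe   DENY
2002-03-04T09:31:00 carol EXECUTE setup.exe   DENY
2002-03-04T10:00:00 carol EXECUTE setup.exe   DENY
"""


def parse_line(line):
    """Split one log line into (timestamp, user, permission, object, result)."""
    stamp, user, perm, obj, result = line.split()
    return datetime.fromisoformat(stamp), user, perm, obj, result


def analyze(log_text, max_violations=MAX_VIOLATIONS, window=WINDOW):
    """Return (violations per user, lock-out time per user, events after lock-out).

    Times are returned as ISO strings so the result is plain data."""
    violations = Counter()      # every DENY, for the audit report
    recent = defaultdict(list)  # DENY timestamps still inside the window
    locked_at = {}
    after_lockout = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, user, perm, obj, result = parse_line(line)
        if user in locked_at:
            # A locked-out account should generate no events; record any that appear.
            after_lockout.append((user, stamp.isoformat(), perm, obj, result))
            continue
        if result != "DENY":
            continue
        violations[user] += 1
        # Keep only the violations within the window, then add this one.
        recent[user] = [t for t in recent[user] if stamp - t <= window] + [stamp]
        if len(recent[user]) >= max_violations:
            locked_at[user] = stamp.isoformat()
    return dict(violations), locked_at, after_lockout


if __name__ == "__main__":
    counts, locked, after = analyze(ACCESS_LOG)
    print("violations:", counts)
    print("locked out:", locked)
    print("activity after lock-out:", after)
```

With the sample log, bob is locked out at his third denial (09:02:40) and his later read of memo.doc is reported as activity after lock-out; carol also has three denials, but they are spread over thirty minutes, so the window rule never locks her account. Choosing the window is the design decision: too short and a patient attacker never trips it, too long and a user who mistypes a path a few times a day gets locked out.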


Additional Controls

- Audits
- Monitoring
- Background checks



Encryption: Single Key

[Figure: Plain text message -> AES (Key: 9837362) -> Encrypted text -> AES (Key: 9837362) -> Plain text message]

Single key: e.g., AES
- Encrypt and decrypt with the same key
- Fast encryption and decryption
- DES - old and falls to brute force attacks
- Triple DES - old but slightly harder to break with brute force.
- AES - new standard
- How do you get the key safely to the other party?
- What if there are many people involved?



Encryption: Dual Key

[Figure: Alice (private key 13) encrypts the message using Bob's public key; the encrypted message goes to Bob (private key 37), who decrypts it using Bob's private key. Public key directory: Alice 29, Bob 17.]

Alice sends message to Bob that only he can read.



Dual Key: Authentication

[Figure: Bob's message is encrypted first with his own private key (Encrypt+M), then with Alice's public key (Encrypt+T+M) for transmission; Alice removes the outer layer with her private key and the inner layer with Bob's public key to recover the message. Private keys: Alice 13, Bob 37. Public key directory: Alice 29, Bob 17.]

Bob sends message to Alice:
- His key guarantees it came from him.
- Her key prevents anyone else from reading message.

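The two dual-key slides above use small numbers (13/29 for Alice, 37/17 for Bob) only as labels. The Python below is an added example, not part of the lecture, that carries the same flow through with textbook RSA: Bob signs with his private key and encrypts with Alice's public key; Alice decrypts with her private key and checks the signature with Bob's public key. It also shows why the key-distribution question from the single-key slide goes away: only public keys are ever exchanged. The primes, the block layout, the message text and the helper names `bob_sends`/`alice_receives` are constructed for the demo; real systems use random primes of thousands of bits and a padding scheme, both of which this toy omits.

```python
"""Dual-key encryption plus authentication, the way the slides describe it:
Bob signs with his private key and encrypts with Alice's public key.

Textbook RSA on fixed small primes with no padding scheme, built only to show
the flow of keys. Added example, not a secure implementation."""
import hashlib

E = 65537  # common public exponent

# Constructed demo primes (well-known primes near 2^30 and 2^31).
# Real keys use randomly generated primes of 1024 bits or more.
P_ALICE, Q_ALICE = 1000000007, 1000000009
P_BOB, Q_BOB = 998244353, 2147483647

BLOCK = 6  # plaintext bytes per block; with a 1-byte marker the value stays < 2^56 < n


def make_keypair(p, q, e=E):
    """Return (public, private) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, data):
    """Encrypt bytes block by block with the holder's PUBLIC key: anyone can do this."""
    n, e = public
    blocks = []
    for i in range(0, len(data), BLOCK):
        chunk = b"\x01" + data[i:i + BLOCK]  # marker byte keeps leading zero bytes intact
        blocks.append(pow(int.from_bytes(chunk, "big"), e, n))
    return blocks


def decrypt(private, blocks):
    """Undo encrypt() with the matching PRIVATE key: only its holder can do this."""
    n, d = private
    out = bytearray()
    for c in blocks:
        raw = pow(c, d, n).to_bytes(BLOCK + 1, "big")  # OverflowError on a garbage block
        out += raw[raw.index(1) + 1:]  # strip the zero padding and the marker
    return bytes(out)


def _digest(n, data):
    """SHA-256 of the message reduced into the signer's modulus (toy hash-to-integer)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    """Signature = digest raised to the PRIVATE exponent; needs the signer's secret."""
    n, d = private
    return pow(_digest(n, data), d, n)


def verify(public, data, signature):
    """Anyone with the PUBLIC key can check the signature against the message."""
    n, e = public
    return pow(signature, e, n) == _digest(n, data)


def bob_sends(message, bob_private, alice_public):
    """Bob's side: his private key proves origin, Alice's public key gives secrecy."""
    return encrypt(alice_public, message), sign(bob_private, message)


def alice_receives(ciphertext, signature, alice_private, bob_public):
    """Alice's side: recover the text with her private key, then check Bob's signature.
    Returns the message, or None if it is unreadable or was not signed by Bob."""
    try:
        message = decrypt(alice_private, ciphertext)
    except (OverflowError, ValueError):
        return None  # a block was corrupted or not produced with Alice's public key
    return message if verify(bob_public, message, signature) else None


if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair(P_ALICE, Q_ALICE)
    bob_pub, bob_priv = make_keypair(P_BOB, Q_BOB)
    ct, sig = bob_sends(b"Transfer $500 to account 1234", bob_priv, alice_pub)
    print("Alice reads:", alice_receives(ct, sig, alice_priv, bob_pub))
    # Anyone can encrypt to Alice, but without Bob's private key the signature fails.
    forged = encrypt(alice_pub, b"Transfer $500 to account 9999")
    print("Forged text accepted?", alice_receives(forged, sig, alice_priv, bob_pub) is not None)
```

The second call in the demo is the point of the authentication slide: a third party can always encrypt something to Alice, because her public key is public, but the message only passes `alice_receives` when the signature matches a text Bob actually signed.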


Certificate Authority

[Figure: Alice looks up Bob's entry in the public key directory (Alice 29, Bob 17) and uses Bob's public key. The C.A. validates applicants; Alice has to trust the C.A.]

How does Alice know that it is really Bob's key?
- Imposter could sign up for a public key.
- Need trusted organization.
- Only Verisign today, a public company with no regulation.
- Verisign mistakenly issued a certificate to an imposter claiming to work for Microsoft in 2001.



Internet Data Transmission

[Figure: a message travels from Start through several Intermediate Machines to the Destination; an Eavesdropper sits at one of the intermediate machines.]



Clipper Chip: Key Escrow

[Figure: a Clipper chip in each phone encrypts the conversation; an Intercept of the encrypted conversation, combined with the escrow keys held by a judicial or government office, yields the decrypted conversation.]