Class 7 LBSC 690 Information Technology Security
Agenda Questions Computing as a social process Complex systems
Limiting the Use of Computing/IT Variety of justifications –Parental control Web browsing software, time limits –Intellectual property protection Copyright, trade secrets –National security Classified material –Censorship
Techniques for Limiting Use Access control –Effective multilevel security is hard to achieve Copy protection –Hardware and software Licensing –Shrink-wrap, Shareware, GNU Public license Digital watermarks –Provide a basis for prosecution
Anonymity Serves several purposes –Sensitive issues on discussion groups –Brainstorming –Whistleblowers –Marketing (“Spam”) Common techniques –Anonymous r ers –Pseudonyms
Nettiquite Mailing lists and USENET News –“Emily Postnews” on comp.announce.newusers Some simple guidelines –Send private replies unless a public one is needed –Limit business uses to appropriate venues –Don’t send unsubscribe requests to the list –Read the FAQ before asking one –Avoid things that start “flames” unless you intend to
Computing/IT as a Social Process Programs must implement social norms –Ownership –Identity –Integrity –Privacy Two basic techniques are used –Authentication –Encryption
Ownership Who has the right to use a computer? Who establishes this policy? How? –What equity considerations are raised? Can someone else deny access? –Denial of service attacks How can denial of service be prevented? –Who can gain access and what can they do?
Identity Establishing identity permits access control What is identity in cyberspace? –Attribution When is it desirable? –Impersonation How can it be prevented? Forgery is really easy –Just set up your mailer with bogus name and
Authentication Used to establish identity Two types –Physical (Keys, badges, cardkeys, thumbprints) –Electronic (Passwords, digital signatures) Protected with social structures –Report lost keys –Don’t tell anyone your password Password sniffers will eventually find it
Good Passwords Long enough not to be guessed –Programs can try every combination of 4 letters Not in the dictionary –Programs can try every word in a dictionary –And every date, and every proper name,... –And even every pair of words Mix upper case, lower case, numbers, etc. Change it often and use one for each account
Integrity How do you know what’s there is correct? –Attribution is invalid if the contents can change Access control would be one solution –No system with people has perfect access control Risks digest provides plenty of examples! Encryption offers an alternative
Privacy What privacy rights do computer users have? –On ? –When using computers at work? At school? –What about your home computer? What about data about you? –In government computers? –Collected by companies and organizations? Does obscurity offer any privacy?
Encryption Separate keys for writing and reading –Pretty Good Privacy (PGP) is one “standard” Identity –“Digital signature” from a private write key Integrity –Public read key will decode only one write key Privacy –Either write key or read key can be kept secret
Cookies Web servers know a little about you –Machine, prior URL, browser, From this they can guess a little more –Path you followed, who is on that machine Cookies allow them to remember things –They send you a string and your browser stores it –If they ask for the string, your browser provides it –The string can represent identity and/or information
Access Control Issues Protect system administrator access –Greater potential for damaging acts –What about nefarious system administrators? Trojan horses –Intentionally undocumented access techniques Firewalls –Prevent unfamiliar packets from passing through –Makes it harder for hackers to hurt your system
Denial of Service Attacks Viruses –Platform dependent –Typically binary Virus checkers –Need frequent updates Flooding –The Internet worm –Chain letters
Policy Solutions Five guidelines –Establish policies –Authenticate –Authorize –Audit –Supervise CSC Acceptable Use Policy
Crisis Management Computer Emergency Response Team –Issues advisories about known problems –Need to make sure these reach the right people Information Warfare –We depend on our information infrastructure –How can we prevent attacks against it? Hacking is individual, this would be organized –Policy for this is still being worked out
Complex System Issues Critical system availability –Who needs warfare - we do it to ourselves! Understandability –Why can’t we predict what systems will do? Nature of bugs –Why can’t we get rid of them? Audit-ability –How can we learn to do better in the future?
Midterm Structure One hour and 15 minutes Approximately 4 questions –Each may have multiple parts Open Book (Oakman only) –You may hand write anything in your Oakman –No extra pages of notes The software you may use will be specified You may bring a calculator
Midterm Advice The only goal is to get points! –Spend each minute in the best place Develop a strategy for each question type –Guessing CAN hurt on multiple choice –Don’t write a page when a sentence will do Study concepts, not details –Grading rewards conceptual understanding –Don’t expect a clone of the sample exams
Questions ????????????