22 November 2010. Security and Privacy  Security: the protection of data, networks and computing power  Privacy: complying with a person's desires when.

1 22 November 2010

2 Security and Privacy
 Security: the protection of data, networks and computing power
 Privacy: complying with a person's desires when it comes to handling his or her personal information

3

4 Consider
 1994: Vladimir Levin breaks into Citibank's network and transfers $10 million into his accounts
 Mid 90's: Phonemasters stole tens of thousands of phone card numbers and found private White House telephone lines
 1996: Tim Lloyd, a disgruntled employee, inserts a time bomb that destroys all copies of Omega Engineering's machining code. Estimated loss: $10 million.

5 Security "Gospel"
 The Morris Internet worm of 1988 cost $98 million to clean up
 The Melissa virus crashed email networks at 300 of the Fortune 500 companies
 The Chernobyl virus destroyed up to a million PCs throughout Asia
 The ExploreZip virus alone cost $7.6 billion to clean up

6 Security Reality (the "gospel" claims, corrected)
 The Morris Internet worm of 1988 cost not $98 million but under $1 million to clean up
 The Melissa virus did not crash email networks; it scared executives into disconnecting email networks at 300 of the Fortune 500 companies
 The Chernobyl virus did not destroy, but caused the replacement of, up to a million PCs throughout Asia
 The ExploreZip virus alone could have cost $7.6 billion to clean up

7 Information Systems Security
 Deals with
  Security of (end) systems
  ○ Operating system, files, databases, accounting information, logs, ...
  Security of information in transit over a network
  ○ e-commerce transactions, online banking, confidential e-mails, file transfers, ...

8 Basic Components of Security
 Confidentiality
  Keeping data and resources secret or hidden
 Integrity
  Ensuring authorized modifications
  Refers to both data and origin integrity
 Availability
  Ensuring authorized access to data and resources when desired
 Accountability
  Ensuring that an entity's action is traceable uniquely to that entity
 Security assurance
  Assurance that all four objectives are met

9 Info Security 20 Years Ago
 Physical security
  Information was primarily on paper
  Lock and key
  Safe transmission
 Administrative security
  Control access to materials
  Personnel screening
  Auditing

10 Information Security Today
 Emergence of the Internet and distributed systems
  Increasing system complexity
 Digital information needs to be kept secure
  Competitive advantage
  Protection of assets
  Liability and responsibility
 Financial losses
  FBI estimates that an insider attack results in an average loss of $2.8 million
  Estimates of annual losses: $5 billion - $45 billion
  ○ Why such a big range?
 National defense
  Protection of critical infrastructures
  ○ Power grid
  ○ Air transportation
  Interlinked government agencies
  ○ Severe concerns regarding security management and access control measures (GAO report 2003)
  ○ Grade F for most of the agencies

11 Attack vs Threat
 A threat is a "potential" violation of security
  The violation need not actually occur
  The fact that the violation might occur makes it a threat
 The actual violation (or attempted violation) of security is called an attack

12 Common security attacks
 Interruption, delay, denial of receipt or denial of service
  System assets or information become unavailable or are rendered unavailable
 Interception or snooping
  Unauthorized party gains access to information by browsing through files or reading communications
 Modification or alteration
  Unauthorized party changes information in transit or information stored for subsequent access
 Fabrication, masquerade, or spoofing
  Spurious information is inserted into the system or network by making it appear as if it is from a legitimate source
 Repudiation of origin
  False denial that the source created something

13 Denial of Service Attacks
 Explicit attempt to prevent legitimate users from using a service
 Two types of attacks
  Denial of service (DoS)
  Distributed denial of service (DDoS)
 Asymmetric attack
  An attacker with limited resources (old PC and slow modem) may be able to disable much faster and more sophisticated machines or networks
 Methods
  Bots or zombie machines
  Trojans
  Smurf attack: distributed attack that sends a specified number of data packets to a victim

14 Phishing (Spoofing)
 Uses 'spoofed' e-mails and fraudulent websites
 Designed to fool recipients into divulging personal financial data
  Credit card numbers
  Account usernames and passwords
  Social security numbers
 Hijacking of trusted brands
  Banks
  Online retailers
  Credit card companies
 Able to convince up to 5% of recipients to respond
 http://www.antiphishing.org/
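One mechanical check a mail filter can apply to the "hijacked brand" pattern above: an anchor whose visible text shows one domain while its href leads somewhere else. This is an added example, not part of the slides; the message body and the "examplebank" brand are constructed, and the two-label registrable-domain heuristic stands in for a real public-suffix lookup.

```python
"""Flag a common phishing indicator: an <a> whose visible text names one
domain while its href points to a different one (brand hijacking via links)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (not a real e-mail); examplebank is a made-up brand.
SAMPLE_HTML = """<p>Dear customer, please verify your account at
<a href="http://login.examplebank-secure.test/verify">www.examplebank.com</a>
or read <a href="https://www.examplebank.com/help">our help page</a>.</p>"""

DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")

def registrable_domain(host):
    """Last two labels of a host name (crude stand-in for a public-suffix lookup)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in the document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Return (href, text) pairs whose visible text looks like a URL or host name
    but belongs to a different registrable domain than the real href target."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and DOMAIN_RE.fullmatch(shown) \
                and registrable_domain(shown) != registrable_domain(real):
            suspicious.append((href, text))
    return suspicious

if __name__ == "__main__":
    for href, text in mismatched_links(SAMPLE_HTML):
        print(f"SUSPICIOUS: text {text!r} but the link goes to {href}")
```

Plain-text anchors such as "our help page" are ignored because no domain can be read from them; only text that claims to be an address is compared with where the link really goes.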

15 Goals of Security
 Prevention
  Prevent someone from violating a security policy
 Detection
  Detect activities in violation of a security policy
  Verify the efficacy of the prevention mechanism
 Recovery
  Stop attacks
  Assess and repair damage
  Ensure availability in the presence of an ongoing attack
  Fix vulnerabilities to prevent future attacks
  Deal with the attacker

16 Human Issues
 Outsiders and insiders
  Which do you think is the real threat?
 Social engineering
  How much do you disclose about security?
  Claim more or less security than exists

17 Honeypots
 Setting up a server to attract hackers
  Used by corporations as an early warning system
  Used to attract spam to improve filters
  Used to attract viruses to improve detection
 http://www.honeypots.net/
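The "early warning system" use of a honeypot reduces to a very small program: a listener on a port that offers no real service, where any connection at all is an alert. This added example (not from the slides or from honeypots.net) implements that as a local TCP sensor; the Honeypot class and the probe() client that stands in for a scanner are both constructed for the demonstration.

```python
"""Minimal TCP honeypot as an early-warning sensor: listen on a port that offers
no real service, log every connection attempt, and answer with nothing useful."""
import socket
import threading
import time

class Honeypot:
    def __init__(self, host="127.0.0.1", port=0):
        self.events = []                 # one record per connection attempt
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))    # port 0: let the OS choose (handy for tests)
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]

    def start(self):
        threading.Thread(target=self._serve, daemon=True).start()

    def stop(self):
        try:
            self._sock.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept()
        except OSError:
            pass
        self._sock.close()

    def _serve(self):
        while True:
            try:
                conn, peer = self._sock.accept()
            except OSError:              # listener closed by stop()
                return
            with conn:
                conn.settimeout(1.0)
                try:
                    first = conn.recv(64)   # whatever the client sent first, if anything
                except OSError:             # includes the read timeout
                    first = b""
            # Record who connected and what they sent; nothing is ever sent back.
            self.events.append({"ts": time.time(), "src": peer[0], "sport": peer[1], "data": first})

    def wait_for(self, count, timeout=5.0):
        # Block until `count` events are logged or the timeout passes; return the count.
        deadline = time.time() + timeout
        while len(self.events) < count and time.time() < deadline:
            time.sleep(0.05)
        return len(self.events)

def probe(port, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Constructed local client standing in for a scanner (demo/test only)."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload)
```

In a real deployment the events list would be shipped to the monitoring system, since a single hit on a port nobody should know about is already a useful signal.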
