Internet Security - Lecture I
Transcript of Internet Security - Lecture I
ITC 241: Introduction to Internet Security
Computer Security Defined by NIST (National Institute of Standards and Technology)
http://csrc.nist.gov/
The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
Confidentiality: preventing unauthorized information access and disclosure
Integrity: preventing unauthorized modification or destruction of information
Availability: ensuring timely, reliable access
Impact Considerations
Performance
Organizational assets
Financial loss
Harm to Individuals
http://www.youtube.com/watch?v=d-d5TDHa8jw
Confidentiality
Personal privacy
Proprietary information
Secret Info should remain secret
The unauthorized disclosure (access) of information
Confidentiality
Mechanisms of Protection: Cryptography
Access Controls
Examples of Threats: Malware
Intruders
Social engineering
Insecure networks
Poorly administered systems
How does Anonymous do this?
What's the Impact Level of the following real world cases?
http://www.cnn.com/2013/08/21/us/bradley-manning-sentencing
http://www.forbes.com/sites/ruchikatulshyan/2013/08/23/is-your-spouse-your-biggest-online-security-risk/
http://www.databreaches.net/university-of-north-carolina-servers-hacked-3500-employees-data-accessed/
Integrity
Trustworthiness
Origin
Completeness
Correctness
unauthorized modification or destruction of information
Integrity
Protective Mechanism: Access controls to prevent modification
Detective Mechanisms: identify when modifications occur, i.e. when protective mechanisms fail
Integrity Controls: Principle of least privilege
Separation
Rotation of duties
http://www.cultofmac.com/183063/apple-responds-to-journalist-victim-of-icloud-hack/
This all happened because the hackers were able to get a hold of Honan's email address, his billing address and the last four digits of a credit card he has on file. Once the hacker had this info, he or she called Apple, asked for a reset to the iCloud account in Honan's name, and was given a temporary password.
Availability: the disruption of access to or use of information or an information system.
Confidentiality and integrity do not matter if the system is not available!
Availability
Threats: Attacks against Availability = DoS
Natural Disasters
Manmade Disasters
Protective Mechanisms: Business continuity
Disaster Recovery Planning
regular/reliable backups to minimize loss
How does Anonymous do this?
Identification: scope, locality, uniqueness of IDs
Authentication: prove that you are who you claim to be!
Identify - authenticate - authorize
login - password - permissions
Methods of Authentication
What you know (low strength): passwords, passphrases, secret codes, PINs (low cost)
What you have (low strength): keys, smart cards, tokens (in possession of = higher cost)
What you are (potentially high strength): biometrics
Authorization
Role Privileges, Rights, Permissions: Guest
Participant
Admin
permissions to view, insert, delete, modify, admin
How does anybody do this?
http://live.wsj.com/video/news-hub-google-gmail-hit-with-china-based-scam/DBCAA5A4-62FD-493E-AF21-1E485E8218AA.html#!DBCAA5A4-62FD-493E-AF21-1E485E8218AA
Accountability: who sent what where?
Ability to trace actions back to a person, place and time, back to a system and what processes were performed on it!
Provided by logs and audit trails.
Accountability
System/Application Logs: Ordered list of events and actions
Must have integrity
Time Stamped across entire system
High Level Actions (email, web page served)
Audit Trail: Ordered list of events and actions
Open files
Writing to files
Sending packets across network
http://www.theguardian.com/money/2011/aug/05/beware-hackers-take-over-gmail-account
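The identify-authenticate-authorize chain and the accountability log from the slides above, as one added worked example (my code, not part of the lecture): roles carry only the permissions the slide lists, the "what you know" factor is a salted PBKDF2 hash, and every decision is written to a time-stamped log whose entries are HMAC-chained so that a tampered entry is detected. The user names, passwords and log key are constructed for the demo.

```python
import hashlib, hmac, os, time
# Constructed demo: roles map to the slide's permissions (least privilege per role).
ROLE_PERMISSIONS = {
    "guest": {"view"},
    "participant": {"view", "insert", "modify"},
    "admin": {"view", "insert", "delete", "modify", "admin"},
}
def make_user(password, role):
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "role": role,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}

USERS = {"alice": make_user("correct horse", "participant"),   # constructed accounts
         "bob": make_user("hunter2", "guest")}
LOG_KEY = os.urandom(32)   # secret that seals log entries so tampering is detectable
AUDIT_LOG = []
def record(user, action, outcome):
    """Accountability: who did what, when; HMAC over entry plus previous tag chains entries."""
    prev = AUDIT_LOG[-1]["tag"] if AUDIT_LOG else b""
    entry = f"{time.time():.0f}|{user}|{action}|{outcome}"
    AUDIT_LOG.append({"entry": entry,
                      "tag": hmac.new(LOG_KEY, prev + entry.encode(), "sha256").digest()})

def authenticate(username, password):
    """Identify (look the ID up) then authenticate with something you know."""
    user = USERS.get(username)
    if user is None:
        record(username, "login", "unknown user")
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    ok = hmac.compare_digest(digest, user["hash"])   # constant-time comparison
    record(username, "login", "ok" if ok else "bad password")
    return ok

def authorize(username, action):
    """Authorize: permit only actions granted to the user's role."""
    allowed = action in ROLE_PERMISSIONS[USERS[username]["role"]]
    record(username, action, "allowed" if allowed else "denied")
    return allowed

def verify_log():
    """Detective control: recompute the chain; an edited or reordered entry breaks it."""
    prev = b""
    for item in AUDIT_LOG:
        tag = hmac.new(LOG_KEY, prev + item["entry"].encode(), "sha256").digest()
        if not hmac.compare_digest(tag, item["tag"]):
            return False
        prev = tag
    return True
```

Because the log key lives in the same process, this only detects edits by someone without that key; in practice the key or the sealed log is kept on a separate system.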
Privacy = do you really have any?
Organizations should take necessary precautions to protect the confidentiality and integrity of personal information they collect, store and process.
Some Things to Ponder:
What are the types of threats?
Who is conducting these?
Why?