Internet Security - Lecture I

ITC 241 Introduction to Internet Security

Computer Security Defined by NIST - National Institute of Standards and Technology (http://csrc.nist.gov/)

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

Confidentiality: information access and disclosure

Integrity: modification or destruction of information

Availability: timely, reliable access

Impact Considerations

Performance

Organizational assets

Financial loss

Harm to Individuals

http://www.youtube.com/watch?v=d-d5TDHa8jw

Confidentiality

Personal privacy

Proprietary information

Secret Info should remain secret

The unauthorized disclosure (access) of information

Confidentiality

Mechanisms of Protection:

Cryptography

Access Controls

Examples of Threats:

Malware

Intruders

Social engineering

Insecure networks

Poorly administered systems

How does Anonymous do this?

What's the Impact Level of the following real world cases?

http://www.cnn.com/2013/08/21/us/bradley-manning-sentencing

http://www.forbes.com/sites/ruchikatulshyan/2013/08/23/is-your-spouse-your-biggest-online-security-risk/

http://www.databreaches.net/university-of-north-carolina-servers-hacked-3500-employees-data-accessed/

Integrity

Trustworthiness

Origin

Completeness

Correctness

unauthorized modification or destruction of information

Integrity

Protective Mechanism: access controls to prevent modification

Detective Mechanisms: identify modifications that occur when protective mechanisms fail

Integrity Controls:

Principles of least privilege

Separation

Rotation of duties

http://www.cultofmac.com/183063/apple-responds-to-journalist-victim-of-icloud-hack/

This all happened because the hackers were able to get a hold of Honan's email address, his billing address and the last four digits of a credit card he has on file. Once the hacker had this info, he or she called Apple, asked for a reset to the iCloud account in Honan's name, and was given a temporary password.

Availability: disruption of access to or use of information or an information system.

Confidentiality and Integrity matter not if the system is not available!

Availability

Threats:

Attacks against Availability = DoS

Natural Disasters

Manmade Disasters

Protective Mechanisms:

Business continuity

Disaster Recovery Planning

regular/reliable backups to minimize loss

How does Anonymous do this?

Identification: scope, locality, uniqueness of IDs

Authentication: prove you are the person you claim to be!

Identify - authenticate - authorize
Login - password - permissions

Methods of Authentication

What you know (low strength): passwords, passphrases, secret codes, PINs (low cost)

What you have (low strength): keys, smart cards, tokens

(in possession of = higher cost)

What you are (potential high strength): biometrics

Authorization

Role Privileges, Rights, Permissions:

Guest

Participant

Admin

permissions to view, insert, delete, modify, admin

How does anybody do this?

http://live.wsj.com/video/news-hub-google-gmail-hit-with-china-based-scam/DBCAA5A4-62FD-493E-AF21-1E485E8218AA.html#!DBCAA5A4-62FD-493E-AF21-1E485E8218AA

Accountability: who sent what where?

Ability to trace actions back to a person, place and time, back to a system and what processes were performed on it!

Provided by logs and audit trails.

Accountability

System/Application Logs

Ordered list of:

Events

Actions

Must have integrity

Time Stamped across entire system

High Level Actions (email, web page served)

Audit Trail

Ordered list of:

Events

Actions

Open files

Writing to files

Sending packets across network
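
The slides say logs must have integrity and be time stamped, and that detective mechanisms identify modifications. The following is an added example, not part of the original lecture, showing one way to get both: each entry carries an HMAC chained to the previous entry. HMAC chaining is a technique chosen for this illustration; the function names, the demo key and the sample events are constructed assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain value used before the first entry


def _mac(key: bytes, prev: str, body: dict) -> str:
    # Bind each entry to its predecessor so that edits, deletions
    # and reordering of earlier entries all break the chain.
    msg = prev.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(log: list, key: bytes, ts: str, actor: str, action: str) -> None:
    """Append a time-stamped event (who did what, when) to the chained log."""
    prev = log[-1]["mac"] if log else GENESIS
    body = {"ts": ts, "actor": actor, "action": action}
    log.append({**body, "mac": _mac(key, prev, body)})


def verify_log(log: list, key: bytes) -> int:
    """Return the index of the first entry that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: entry[k] for k in ("ts", "actor", "action")}
        if not hmac.compare_digest(entry["mac"], _mac(key, prev, body)):
            return i
        prev = entry["mac"]
    return -1


def build_sample_log(key: bytes) -> list:
    # Constructed sample events, not taken from any real system.
    log = []
    append_entry(log, key, "2013-08-21T09:00:00Z", "alice", "login")
    append_entry(log, key, "2013-08-21T09:01:10Z", "alice", "open file payroll.xls")
    append_entry(log, key, "2013-08-21T09:02:45Z", "alice", "write file payroll.xls")
    append_entry(log, key, "2013-08-21T09:03:00Z", "alice", "logout")
    return log


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: a real key is kept off the logged host
    log = build_sample_log(key)
    print("intact:", verify_log(log, key))
    log[2]["action"] = "open file readme.txt"  # simulated tampering
    print("first bad entry:", verify_log(log, key))
```

Removing entries from the end of the log is not detected by the chain alone; the most recent MAC has to be recorded somewhere the log writer cannot alter.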

http://www.theguardian.com/money/2011/aug/05/beware-hackers-take-over-gmail-account

Privacy = do you really have any?

Organizations should take necessary precautions to protect the confidentiality and integrity of personal information they collect, store and process.

Some Things to Ponder:

What are the types of threats?

Who is conducting these?

Why?