Computer and Society (CS)
IT Security Incidents: A Worsening Problem
Security of information technology is critical
Security concerns must be balanced against other business needs and issues.
Number of IT-related security incidents is increasing around the world.
Computer Emergency Response Team Coordination Center (CERT/CC).
Increasing complexity increases vulnerability.
Computing environment is enormously complex.
Continues to increase in complexity:
networks, computers, OSes
apps, web sites
switches, routers, gateways
All interconnected and driven by hundreds of millions of lines of code.
Number of possible entry points to a network expands continuously as more devices are added.
This increases the possibility of security breaches.
Increased reliance on commercial software with known vulnerabilities.
Exploit
An attack on a system that takes advantage of a particular system vulnerability
Due to poor system design or implementation
Zero-day attack
Takes place before the vulnerability is discovered or fixed
Software developers quickly create and issue a patch:
a “fix” to eliminate the problem
users are responsible for obtaining and installing patches, which they can download from the Web
delays in installing patches expose users to security breaches
Often patches are released on a regular basis, one example being Microsoft’s Patch Tuesday. On the second Tuesday of each month, Microsoft releases security fixes that resolve identified holes. If, however, a critical vulnerability is discovered, a patch may be released outside of the schedule.
US companies continue to use installed software “as is”
IE
RealPlayer
JRE
Since security fixes could make software harder to use or eliminate “nice to have” features.
Bring Your Own Device.
A business policy that permits and encourages employees to use their own mobile devices (smartphones, tablets, or laptops) to access company computing resources and applications.
Higher computer user expectations.
Computer help desks
Under intense pressure to provide fast responses to users’ questions.
Sometimes forget to
Verify users’ identities.
Check whether users are authorized to perform the requested action.
Computer users share login IDs and passwords
Types of Attacks
Most frequent attack is on a networked computer from an outside source
Virus
Malicious pieces of programming code, usually disguised as something else, that cause a computer to behave in an unexpected and undesirable manner
Often attached to files - when file is opened, virus executes
Deliver a “payload”
display a message
delete or modify a document
reformat hard drive
Does not spread itself from computer to computer
Must be passed on to other users through
Infected e-mail document attachments
Shared files
Macro viruses
Most common type of virus, and easily created
Created in an application macro language
Infect documents
insert unwanted words, numbers or phrases
Famous Virus: Melissa
Worm
Harmful program that resides in the active memory of a computer and replicates itself in order to consume resources and bring the system down
Can propagate without human intervention (unlike viruses)
Negative impact of virus or worm attack
Lost data and programs
Lost productivity
as IT workers attempt to recover data & programs
Effort for IT workers
to clean up mess
Trojan horse
Program that a hacker secretly installs
Users are tricked into installing it; it may be disguised as an iTunes file or delivered through a malicious web site
Used to steal passwords, or spy on users by recording keystrokes
Distributed denial-of-service (DDoS)
Malicious hacker takes over computers on the Internet and causes them to flood a target site with demands for data and other small tasks
The computers that are taken over are called zombies
Does not involve a break-in at the target computer
Target machine is busy responding to a stream of automated requests
Legitimate users cannot get in
Spoofing generates a false return address on the packets; therefore, the sources of the attack cannot be identified and shut off
Ingress filtering
When Internet service providers (ISPs) prevent incoming packets with false IP addresses from being passed on
Egress filtering
Ensuring spoofed packets don’t leave a network
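An added illustration of the two filtering points described above (this is example code written for these notes, not part of the original slides). It assumes a network that owns the documentation prefix 203.0.113.0/24 and an ISP that knows which prefix it routes to each customer link; egress filtering runs at the network's own edge, ingress filtering at the ISP.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses from the RFC 5737 documentation ranges (not real hosts).
# Our network owns 203.0.113.0/24; the ISP routes that prefix to customer link
# "cust-A" and 198.51.100.0/24 to customer link "cust-B".
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
ISP_CUSTOMER_LINKS = {
    "cust-A": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-B": [ipaddress.ip_network("198.51.100.0/24")],
}

@dataclass
class Packet:
    src: str        # source (return) address written into the packet header
    dst: str        # destination address
    link: str = ""  # ISP side only: the customer link the packet arrived on

def _source_is_legitimate(packet, prefixes):
    return any(ipaddress.ip_address(packet.src) in net for net in prefixes)

def egress_filter(packets, our_prefixes=OUR_PREFIXES):
    """Edge router of our own network, outbound direction: a packet may only leave
    if its source address belongs to us, so our hosts cannot emit spoofed traffic."""
    passed, dropped = [], []
    for p in packets:
        (passed if _source_is_legitimate(p, our_prefixes) else dropped).append(p)
    return passed, dropped

def ingress_filter(packets, customer_links=ISP_CUSTOMER_LINKS):
    """ISP router, inbound from a customer link: the ISP knows which prefixes it
    routes to each link, so a packet claiming any other source is forged and is
    not passed on toward the rest of the Internet."""
    passed, dropped = [], []
    for p in packets:
        prefixes = customer_links.get(p.link, [])  # unknown link: nothing is legitimate
        (passed if _source_is_legitimate(p, prefixes) else dropped).append(p)
    return passed, dropped

# Constructed traffic: one honest packet and two with forged return addresses.
SAMPLE = [
    Packet("203.0.113.10", "192.0.2.1", "cust-A"),  # genuine source address
    Packet("198.51.100.7", "192.0.2.1", "cust-A"),  # claims another customer's address
    Packet("192.0.2.200", "192.0.2.1", "cust-A"),   # claims an address in the victim's range
]

if __name__ == "__main__":
    for name, fn in (("egress", egress_filter), ("ingress", ingress_filter)):
        ok, bad = fn(SAMPLE)
        print(f"{name}: {len(ok)} passed, {len(bad)} dropped")
```

Either filter alone stops the forged packets in this sample; in practice both are deployed because a network cannot rely on every ISP doing ingress filtering.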
Perpetrators
Thrill seekers wanting a challenge
Common criminals looking for financial gain
Industrial spies trying to gain an advantage
Terrorists seeking to cause destruction
Hackers and Crackers
Hacker: Someone who tests the limitations of information systems out of intellectual curiosity—to see if he or she can gain access. These are also called Ethical Hackers or white hat hackers
Crackers, or black hat hackers, are also called cheaters or simply criminals. They are called criminals because they intend to harm security, stealing valuable data and using it in wrongful ways.
Malicious Insiders
Someone who gains financially from and/or disrupts a company’s information systems and business operations
Top security concern for companies
Estimated 85 percent of all fraud is committed by employees
Usually due to weaknesses in internal control procedures
Collusion is cooperation between an employee and an outsider
Insiders are not necessarily employees
Can also be consultants and contractors
Industrial Spies
Someone who uses illegal means to obtain trade secrets from competitors.
Competitive intelligence
Uses legal techniques
Gathers information available to the public
Industrial espionage
Uses illegal means
Obtains information not available to the public
Cybercriminals
An individual, motivated by the potential for monetary gain, who hacks into computers to steal, often by transferring money from one account to another.
Engage in all forms of computer fraud
Loss of customer trust has more impact than fraud
Cyberterrorists
An individual who launches computer-based attacks against other computers or networks in an attempt to intimidate or coerce a government in order to advance certain political or social objectives.
Reducing Vulnerabilities
Combination of technology, policy, and people
Requires a wide range of activities to be effective
To increase the security of a system, we need to:
Assess threats to an organization’s computers and network (i.e., risk management)
Identify actions that address the most serious vulnerabilities
Educate users
Monitor to detect a possible intrusion
Create a clear reaction (response) plan
Risk Assessment
The process of assessing security-related risks from both internal and external threats to an organization’s computers and networks
Aims to improve security in areas with:
Highest estimated cost
Poorest level of protection
Prevention
Firewall
Limits network access
Antivirus software
Scans for a specific sequence of bytes
Examples: Norton Antivirus, McAfee
Keep track of well-known vulnerabilities
SANS
CERT/CC
Back up critical applications and data regularly
Perform a security audit: A process that evaluates whether an organization has a well-considered security policy in place and if it is being followed.
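An added example of what "scans for a specific sequence of bytes" means in the antivirus item above (example code written for these notes, not from any antivirus product). The signature database and the sample files are constructed for the example and identify no real malware.

```python
from typing import Dict, List, Tuple

# Constructed signature database: detection name -> byte sequence that identifies
# a known sample. Made-up patterns for the example, not real malware signatures.
SIGNATURES: Dict[str, bytes] = {
    "Demo.Macro.A": b"Sub AutoOpen()\r\nDemoPayload",
    "Demo.Binary.B": bytes.fromhex("deadbeef0badf00dcafebabe"),
}

def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Return every offset at which pattern occurs in data (overlaps included)."""
    offsets, start = [], 0
    while (idx := data.find(pattern, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets

def scan_bytes(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[Tuple[str, int]]:
    """Scan one file's content against every signature; return (name, offset) hits."""
    hits: List[Tuple[str, int]] = []
    for name, pattern in signatures.items():
        for off in find_all(data, pattern):
            hits.append((name, off))
    return hits

def scan_files(files: Dict[str, bytes], signatures: Dict[str, bytes] = SIGNATURES) -> Dict[str, List[Tuple[str, int]]]:
    """Scan a set of in-memory files; return only the ones with at least one hit."""
    return {name: hits for name, content in files.items() if (hits := scan_bytes(content, signatures))}

# Constructed sample files: a macro document, a clean text file and a binary
# whose signature bytes sit at offset 16.
SAMPLE_FILES: Dict[str, bytes] = {
    "report.docm": b"Sub AutoOpen()\r\nDemoPayload\r\nEnd Sub",
    "notes.txt": b"Quarterly notes, nothing unusual here.",
    "update.bin": b"\x00" * 16 + bytes.fromhex("deadbeef0badf00dcafebabe") + b"\x00" * 8,
}

if __name__ == "__main__":
    for filename, hits in scan_files(SAMPLE_FILES).items():
        for sig_name, offset in hits:
            print(f"{filename}: {sig_name} at offset {offset}")
```

The match is exact, so a sample whose bytes differ from the stored signature goes undetected until the database is updated, which is why the "keep track of well-known vulnerabilities" item and regular signature updates belong together.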
Educating Employees, Contractors, and Part-Time Workers
Educate users about the importance of security
Motivate them to understand and follow security policy which is a written statement that defines an organization’s security requirements, as well as the controls and sanctions needed to meet those requirements.
Discuss recent security incidents that affected the organization
Help protect information systems by:
Guarding passwords
Not allowing others to use passwords
Applying strict access controls to protect data
Reporting all unusual activity
Response
Response plan
Develop well in advance of any incident
Approved by
Legal department
Senior management
Primary goals
Regain control
Limit damage
Incident notification defines:
Who to notify and who not to notify
Document all details of a security incident
All system events and specific actions taken
All external conversations
Act quickly to contain an attack
Eradication effort
Collect and log all possible criminal evidence from the system
Verify necessary backups are current and complete
Create new backups
Follow-up
Determine how security was compromised
Review
Determine exactly what happened
Evaluate how the organization responded
Consider the potential for negative publicity
Legal precedent