
Security and privacy

22 November 2010. Security and privacy. Security and Privacy. Security: the protection of data, networks and computing power Privacy: complying with a person's desires when it comes to handling his or her personal information . Security. Consider.


Presentation Transcript


  1. 22 November 2010 Security and privacy

  2. Security and Privacy
     • Security: the protection of data, networks and computing power
     • Privacy: complying with a person's desires when it comes to handling his or her personal information

  3. Security

  4. Consider
     • 1994: Vladimir Levin breaks into Citibank's network and transfers $10 million into his accounts
     • Mid 90's: Phonemasters
       • stole tens of thousands of phone card numbers
       • found private White House telephone lines
     • 1996: Tim Lloyd, a disgruntled employee, inserts a time bomb that destroys all copies of Omega Engineering's machining code. Estimated loss: $10 million.

  5. Security "Gospel"
     • The Morris Internet worm of 1988 cost $98 million to clean up
     • The Melissa virus crashed email networks at 300 of the Fortune 500 companies
     • The Chernobyl virus destroyed up to a million PCs throughout Asia
     • The ExploreZip virus alone cost $7.6 billion to clean up

  6. Security Reality (the struck-through "gospel" claims, corrected)
     • The Morris Internet worm of 1988 cost under $1 million to clean up (not $98 million)
     • The Melissa virus scared executives into disconnecting email networks at 300 of the Fortune 500 companies (it did not crash them)
     • The Chernobyl virus caused the replacement of up to a million PCs throughout Asia (it did not destroy them)
     • The ExploreZip virus alone could have cost, rather than did cost, $7.6 billion to clean up

  7. Information Systems Security
     • Deals with
       • Security of (end) systems
         • Operating system, files, databases, accounting information, logs, ...
       • Security of information in transit over a network
         • e-commerce transactions, online banking, confidential e-mails, file transfers, ...

  8. Basic Components of Security
     • Confidentiality
       • Keeping data and resources secret or hidden
     • Integrity
       • Ensuring authorized modifications
       • Refers to both data and origin integrity
     • Availability
       • Ensuring authorized access to data and resources when desired
     • Accountability
       • Ensuring that an entity's action is traceable uniquely to that entity
     • Security assurance
       • Assurance that all four objectives are met

  9. Info Security 20 Years Ago
     • Physical security
       • Information was primarily on paper
       • Lock and key
       • Safe transmission
     • Administrative security
       • Control access to materials
       • Personnel screening
       • Auditing

  10. Information Security Today
     • Emergence of the Internet and distributed systems
     • Increasing system complexity
     • Digital information needs to be kept secure
       • Competitive advantage
       • Protection of assets
       • Liability and responsibility
       • Financial losses
         • FBI estimates that an insider attack results in an average loss of $2.8 million
         • Estimates of annual losses: $5 billion - $45 billion
         • Why such a big range?
     • National defense
       • Protection of critical infrastructures
         • Power grid
         • Air transportation
       • Interlinked government agencies
     • Severe concerns regarding security management and access control measures (GAO report 2003)
       • Grade F for most of the agencies

  11. Attack vs. Threat
     • A threat is a "potential" violation of security
       • The violation need not actually occur
       • The fact that the violation might occur makes it a threat
     • The actual violation (or attempted violation) of security is called an attack

  12. Common security attacks
     • Interruption, delay, denial of receipt or denial of service
       • System assets or information become unavailable or are rendered unavailable
     • Interception or snooping
       • Unauthorized party gains access to information by browsing through files or reading communications
     • Modification or alteration
       • Unauthorized party changes information in transit or information stored for subsequent access
     • Fabrication, masquerade, or spoofing
       • Spurious information is inserted into the system or network by making it appear as if it is from a legitimate source
     • Repudiation of origin
       • False denial that the source created something
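The slide's attack classes can be made concrete on a single message in transit. The example below is added here and is not from the original slides: it protects a message with an HMAC (a message authentication code over a shared key) so that the receiver detects both "modification" and "fabrication/masquerade", and then simulates each attack to show the check failing. The key and messages are constructed; note that a shared-key MAC does not help against "interception" (the text is still readable) or "repudiation of origin" (either key holder could have produced the tag), which is why those need encryption and digital signatures respectively.

```python
import hmac
import hashlib

# Constructed demo key shared by sender and receiver (fixed so the run is reproducible)
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = 32  # SHA-256 digest size in bytes


def protect(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Append an HMAC-SHA256 tag so any change to the message is detectable."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(packet: bytes, key: bytes = SHARED_KEY):
    """Return (ok, message); ok is False when the tag does not match the message."""
    if len(packet) < TAG_LEN:
        return False, b""
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # constant-time comparison so the verifier does not leak where the mismatch is
    return hmac.compare_digest(tag, expected), message


def simulate_modification(packet: bytes) -> bytes:
    """Slide 12 'modification': the body is altered in transit, the tag left as-is."""
    body = packet[:-TAG_LEN].replace(b"100", b"900")
    return body + packet[-TAG_LEN:]


def simulate_fabrication() -> bytes:
    """Slide 12 'fabrication': a packet made up without the key (tag is guessed)."""
    return b"transfer 900 to mallory" + bytes(TAG_LEN)


if __name__ == "__main__":
    genuine = protect(b"transfer 100 to alice")
    print("genuine   ->", verify(genuine)[0])                   # True
    print("modified  ->", verify(simulate_modification(genuine))[0])  # False
    print("fabricated->", verify(simulate_fabrication())[0])    # False
```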

  13. Denial of Service Attacks
     • Explicit attempt to prevent legitimate users from using a service
     • Two types of attacks
       • Denial of service (DoS)
       • Distributed denial of service (DDoS)
     • Asymmetric attack
       • An attacker with limited resources (old PC and slow modem) may be able to disable much faster and more sophisticated machines or networks
     • Methods
       • Bots or zombie machines
       • Trojans or Smurf attack: distributed attack that sends a specified number of data packets to a victim

  14. Phishing (Spoofing)
     • Use 'spoofed' e-mails and fraudulent websites
     • Designed to fool recipients into divulging personal financial data
       • credit card numbers
       • account usernames and passwords
       • social security numbers
     • Hijacking of trusted brands
       • banks
       • online retailers
       • credit card companies
     • Able to convince up to 5% of recipients to respond
     • http://www.antiphishing.org/
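The "hijacking of trusted brands" point above is what a mail filter or browser can check for on the defender's side. The following heuristic checker is an added example, not part of the slides or of the antiphishing.org material: it flags a URL when a trusted brand's name appears in the host or path but the registrable domain is not one the brand actually uses, and also flags two classic spoofing tricks (user-info before an "@" and a bare IP address as host). The brand name "examplebank" and its domain are constructed; the eTLD+1 extraction is deliberately simplified to the last two labels.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed allowlist: brand name -> registrable domains the brand really operates
TRUSTED_BRANDS = {
    "examplebank": {"examplebank.example"},
}


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: last two labels (production code would use a public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    """True when the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(url: str) -> list:
    """Return a list of indicator names; an empty list means nothing suspicious was found."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.username is not None:
        # "https://examplebank.example@evil.test/" shows the brand but connects elsewhere
        findings.append("userinfo-in-url")
    if is_ip_literal(host):
        findings.append("ip-literal-host")
    domain = registrable_domain(host)
    haystack = (host + parts.path).lower()
    for brand, real_domains in TRUSTED_BRANDS.items():
        if brand in haystack and domain not in real_domains:
            findings.append("brand-lookalike:" + brand)
    return findings


if __name__ == "__main__":
    for u in ("https://www.examplebank.example/login",
              "https://examplebank.example.login-verify.test/",
              "http://examplebank.example@203.0.113.5/"):
        print(u, "->", phishing_indicators(u))
```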

  15. Goals of Security
     • Prevention
       • Prevent someone from violating a security policy
     • Detection
       • Detect activities in violation of a security policy
       • Verify the efficacy of the prevention mechanism
     • Recovery
       • Stop attacks
       • Assess and repair damage
       • Ensure availability in the presence of an ongoing attack
       • Fix vulnerabilities to prevent future attacks
       • Deal with the attacker

  16. Human Issues
     • Outsiders and insiders
       • Which do you think is the real threat?
     • Social engineering
     • How much do you disclose about security?
       • Claim more or less security than exists

  17. Honeypots
     • Setting up a server to attract hackers
     • Used by corporations as an early warning system
     • Used to attract spam to improve filters
     • Used to attract viruses to improve detection
     • http://www.honeypots.net/
