ch11- security, protection and ethics revised
TRANSCRIPT
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
1/48
Chapter 11
Security and Ethics
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
2/48
Objectives
Understanding Operating Systems, Fourth
Edition2
You will be able to describe:
y The role of the operating system with regard to system security
y The effects of system security practices on overall systemperformance
y The levels of system security that can be implemented and thethreats posed by evolving technologies
y The differences between computer viruses and worms, and howthey spread
y The difficulties of teaching ethics to user groups and the role ofeducation in system security
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
3/48
Role of the Operating System in Security
Understanding Operating Systems, Fourth
Edition3
y Operating system plays a key role in computer system security
y Any vulnerability at the operating system level opens the entire
system to attack
y The more complex and powerful the operating system, the morelikely it is to have vulnerabilities to attack
y System administrators must be on guard to arm their
operating systems with all available defenses against attack
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
4/48
System Survivability
Understanding Operating Systems, Fourth
Edition4
y Capability of a system to fulfill its mission, in a timely
manner, in the presence of attacks, failures, or accidents
y Key properties of survivable systems:
y Resistance to attacks
y Recognition of attacks and resulting damage
y Recovery of essential services after an attack
y Adaptation and evolution of system defense mechanisms to
lessen future attacks
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
5/48
System Survivability (continued)
Understanding Operating Systems, Fourth
Edition5
Table 11.1: Four key properties of a survivable system
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
6/48
Levels ofProtection
Understanding Operating Systems, Fourth
Edition6
Table 11.2: A simplified comparison of security protection
required for three typical computer configurations
System administrator must evaluate the risk of intrusion for
each computer configuration, which in turn depends on the
level of connectivity given to the system
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
7/48
Backup and Recovery
Understanding Operating Systems, Fourth
Edition7
y Backup and recovery policies are essential for most
computing systems
y Many system managers use a layered backup schedule
yBackups, with one set stored off-site, are crucial to disasterrecovery
y Written policies and procedures and regular user training are
essential elements of system management
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
8/48
Backup and Recovery
Understanding Operating Systems, Fourth
Edition8
y Written security procedures should recommend:
y Frequent password changes
y Reliable backup procedures
y
Guidelines for loading new softwarey Compliance with software licenses
y Network safeguards
y Guidelines for monitoring network activity
y R
ules for terminal access
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
9/48
Security Breaches
Understanding Operating Systems, Fourth
Edition9
y A gap in system security can be malicious or not
y Intrusions can be classified as:
y Due to uneducated users and unauthorized access to system
resourcesy Purposeful disruption of the systems operation
y Purely accidental
y Examples: Hardware malfunctions, undetected errors in OS or applications,
or natural disasters
y Malicious or not, a breach of security severely damages the
systems credibility
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
10/48
Unintentional Intrusions
Understanding Operating Systems, Fourth
Edition10
y Any breach of security or modification of data that was not
the result of a planned intrusion
y Examples:
y
Accidental incomplete modification of datay When nonsynchronized processes access data records and modify some
but not all of a records fields
y Errors due to incorrect storage of data values
y e.g., When the field isnt large enough to hold the numeric value stored
there
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
11/48
Unintentional Intrusions (continued)
Understanding Operating Systems, Fourth
Edition11
Figure 11.1: (a) Original data value in a field large enough to
hold it. If the field is too small, (b) FORTRAN replaces the
data with asterisks, (c) COBOL truncates the higher order
digits and stores only the digits that remain
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
12/48
Intentional Attacks
Understanding Operating Systems, Fourth
Edition12
y Types of Intentional attacks:
y Intentional unauthorized access
y e.g., denial of service attacks, browsing, wire tapping,
repeated trials, trap doors, and trash collection
y Viruses and worms
y Trojan Horses
y Bombs
y Blended threats
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
13/48
IntentionalUnauthorized Access
Understanding Operating Systems, Fourth
Edition13
y Denial of service (DoS) attacks:
y Synchronized attempts to deny service to authorized users by
causing a computer to perform repeated unproductive task
y B
rowsing:y Unauthorized users gain access to search through secondary
storage directories or files for information they should not have
the privilege to read
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
14/48
IntentionalUnauthorized Access
(continued)
Understanding Operating Systems, Fourth
Edition14
y WireTapping: Unauthorized users monitor or modify ausers transmission
y Passive wire tapping: Refers to just listening to thetransmission but not changing the contents, and reasonsinclude:y To copy data while bypassing any authorization procedures
y To collect specific information such as password
y Active wire tapping: Data being sent is modifiedy Methods include between lines transmission and piggyback entry
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
15/48
IntentionalUnauthorized Access
(continued)
Understanding Operating Systems, Fourth
Edition15
y RepeatedTrials:To enter systems by guessing authenticpasswords
y Trap doors: An unspecified and undocumented entry point
to the systemy Installed by a system diagnostician or programmer for future
use
y Leaves the system vulnerable to future intrusion
y Trash collection: Use of discarded materials such as disks,
CDs, printouts, etc., to enter the system illegally
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
16/48
IntentionalUnauthorized Access
(continued)
Understanding Operating Systems, Fourth
Edition16
Table 11.3: Average time required to guess passwords up to
ten alphabetic characters (A-Z) using brute force
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
17/48
IntentionalUnauthorized Access
(continued)
Understanding Operating Systems, Fourth
Edition17
y Malicious attacks on computers may violate state and federal law
under the Federal Computer Fraud andAbuseAct of 1986
y Those convicted have been sentenced to significant fines and jailterms, as well as confiscation of their computer equipment
y In the U.S., attempts to intrude into your system should be
reported to the FBI
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
18/48
Viruses
Understanding Operating Systems, Fourth
Edition18
y Small programs written to alter the way a computer operates,
without permission of the user
y Must meet two criteria: It must be self-executing and self-
replicating
y Usually written to attack a certain operating system
y Spread via a wide variety of applications
y
Macro virus works by attaching itself to a template (such asNORMAL.DOT), which in turn is attached to word processing
documents
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
19/48
Viruses (continued)
Understanding Operating Systems, Fourth
Edition19
Figure 11.2: A file infector virus attacks a clean file (a) by
attaching a small program to it (b)
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
20/48
Viruses (continued)
Understanding Operating Systems, Fourth
Edition20
Table 11.4: Types of viruses
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
21/48
Viruses (continued)
Understanding Operating Systems, Fourth
Edition21
Table 11.4 (continued): Types of viruses
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
22/48
Worms and Trojan Horses
Understanding Operating Systems, Fourth
Edition22
y Worm: A memory-resident program that copies itself from
one system to the next without requiring the aid of an
infected program file
y Results in slower processing time of real work
y Especially destructive on networks
y Trojan Horse: A destructive program thats disguised as a
legitimate or harmless program
y Allows the programs creator to secretly access users system
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
23/48
Bombs and Blended Threats
Understanding Operating Systems, Fourth
Edition23
y Logic bomb: A destructive program with a fuse a certaintriggering event (such as a keystroke or connection with theInternet)
y Spreads unnoticed throughout a network
y Time bomb: A destructive program triggered by a specifictime, such as a day of the year
y BlendedThreat: Combines into one program thecharacteristics of other attacks
y
e.g., including a virus, worm, Trojan Horse, spyware, and othermalicious code into a single program
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
24/48
Blended Threats (continued)
Understanding Operating Systems, Fourth
Edition24
BlendedThreats: (continued)
y Characteristics ofblended threat:
y Harms the affected system
y Spreads to other systems using multiple methods
y Attacks other systems from multiple points
y Propagates without human intervention
y Exploits vulnerabilities of target systems
y Protection: Combination of defenses in combination with
regular patch management
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
25/48
System Protection
Understanding Operating Systems, Fourth
Edition25
y No single guaranteed method of protection
y System vulnerabilities include:
y File downloads, e-mail exchange
y Vulnerable firewallsy Improperly configured Internet connections, etc.
y Need for continuous attention to security issues
y System protection is multifaceted and protection methods
include:y Use of antivirus software, firewalls, restrictive access and
encryption
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
26/48
Antivirus Software
Understanding Operating Systems, Fourth
Edition26
y Software to combat viruses can be preventive, diagnostic, or
both
y Preventive programs may calculate a checksum for each
production programy Diagnostic software compares file sizes, looks for replicating
instructions or unusual file activity
y Can sometimes remove the infection and leave the remainder
intacty Unable to repair worms, Trojan horses, or blended threats as
they are malicious code in entirety
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
27/48
Antivirus Software (continued)
Understanding Operating Systems, Fourth
Edition27
Table 11.5: Websites containing current information on
systems security
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
28/48
Antivirus Software (continued)
Understanding Operating Systems, Fourth
Edition28
Figure 11.4: (a) Uninfected file; (b) file infected with a virus; (c) a
Trojan horse or worm consists entirely of malicious code
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
29/48
Firewalls
Understanding Operating Systems, Fourth
Edition29
y A set of hardware and/or software designed to protect asystem by disguising its IP address from unauthorized users
y Sits between the Internet and network
y Blocks curious inquiries and potentially dangerous intrusionsfrom outside the system
y Mechanisms used by the firewall to perform various tasksinclude:
y Packet filtering
y Proxy servers
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
30/48
Firewalls (continued)
Understanding Operating Systems, Fourth
Edition30
Figure 11.5: Firewall sitting between campus networks and
Internet, filtering requests for access
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
31/48
Firewalls (continued)
Understanding Operating Systems, Fourth
Edition31
y Typical tasks of the firewall are to:
y Log activities that access the internet
y Maintain access control based on senders or receivers IP
addresses
y Maintain access control based on services that are requested
y Hide internal network from unauthorized users
y Verify that virus protection is installed and enforced
y Perform authentication based on the source of a request from theInternet
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
32/48
Firewalls (continued)
Understanding Operating Systems, Fourth
Edition32
y Packet filtering:
y Firewall reviews header information for incoming and outgoingInternet packets to verify authenticity of source address,
destination address, and protocoly Proxy server:
y Hides important network information from outsiders by makingnetwork server invisible
y Determines if request for access to the network is valid
y Proxy servers are invisible to users but are critical to the success ofthe firewall
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
33/48
Authentication
Understanding Operating Systems, Fourth
Edition33
y Authentication:A verification that an individual trying to
access a system is authorized to do so
y Kerberos: A network authentication protocol
y Need for password encryption to improve network security led to
development of Kerberos
y Designed to provide strong authentication for client/server
applications
y Uses strong cryptographyy Requires systematic revocation of access rights from clients who
no longer deserve to have access
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
34/48
Authentication (continued)
Understanding Operating Systems, Fourth
Edition34
Figure 11.6: Using Kerberos, when client A attempts to access
server B, user is authenticated (a) and receives a ticket for the
session (b). Once the ticket is issued, client and server can
communicate at will (c). Without the ticket, access is not granted
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
35/48
Encryption
Understanding Operating Systems, Fourth
Edition35
y Most extreme protection method for sensitive data where datais put into a secret code
y To communicate with another system, data is encrypted,
transmitted, decrypted, and processedy Sender inserts public key with the message
y Message receiver required to have private key to decode themessage
y Disadvantages:y Increases systems overhead
y System becomes totally dependent on encryption process itself
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
36/48
Sniffers and Spoofing
Understanding Operating Systems, Fourth
Edition36
y Sniffers: Programs that reside on computers attached to the
network
y Peruse data packets as they pass by, examine each one for
specific information
y e.g., Particularly problematic in wireless networks
y Spoofing: Assailant fakes IP addresses of an Internet server
by changing the address recorded in packets it sends over the
Internet
y Used when unauthorized users want to disguise themselves as
friendly sites
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
37/48
Password Management
Understanding Operating Systems, Fourth
Edition37
y Most basic techniques used to protect hardware and softwareinvestments include:
y Good passwords
y Careful user training
y Password Construction:y Good password is unusual, memorable, and changed often
y Password files normally stored in encrypted form
y Password length has a direct effect on the ability of password to
survive password cracking attempts
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
38/48
Password Construction (continued)
Understanding Operating Systems, Fourth
Edition38
Figure 11.8: Password verification flowchart
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
39/48
Password Construction (continued)
Understanding Operating Systems, Fourth
Edition39
Table 11.6: Number of combinations of passwords
depending on their length and available character set
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
40/48
Password Construction (continued)
Understanding Operating Systems, Fourth
Edition40
y Reliable techniques for generating a good password:
y Use minimum of eight characters, including numbers and
nonalphanumeric characters
y Create a misspelled word or join bits of phrases into a word thatseasy to remember
y Follow a certain pattern on the keyboard
y Create acronyms from memorable sentences
y Use upper and lowercase characters if allowedy Never use a word thats included in any dictionary
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
41/48
Password Construction (continued)
Understanding Operating Systems, Fourth
Edition41
y Dictionary attack: A method of breaking encrypted
passwords
y Requirements:
y A copy of the encrypted password file
y Algorithm used to encrypt the passwords
y Prevention:
y Some operating systems salt user passwords with extra random bits to make
them less vulnerable to dictionary attacks
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
42/48
Password Alternatives
Understanding Operating Systems, Fourth
Edition42
y Use of a smart card
y A credit card-sized calculator that requires both something youhave and something you know
y
Displays a constantly changing multidigit number synchronizedwith an identical number generator in the system
y User must type in the number that appears at that moment on thesmart card
y For added protection, user then enters a secret code
y User is admitted to the system only if both number and code arevalidated
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
43/48
Password Alternatives (continued)
Understanding Operating Systems, Fourth
Edition43
y Biometrics:
y The science and technology of identifying individuals based on
unique biological characteristics of each person
y Current research focuses ony Analysis of the human face, fingerprints, hand measurements, iris/retina, and
voice prints
y Positively identifies the person being scanned
y C
ritical factor is reducing the margin of errory Presently, biometric authentication is expensive
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
44/48
Social Engineering
Understanding Operating Systems, Fourth
Edition44
y A technique whereby system intruders gain access to
information about a legitimate user to learn active passwords by
y Looking in and around the users desk for a written reminder
y Trying the user logon ID as the password
y Searching logon scripts
y Telephoning friends and co-workers to learn the names of users
family members, pets, vacation destinations, favorite hobbies, car
model, etc.
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
45/48
Social Engineering (continued)
Understanding Operating Systems, Fourth
Edition45
y Phishing: Intruder pretends to be a legitimate entity andcontacts unwary users asking them to reconfirm theirpersonal and/or financial information
y Example: 2003 incident involving eBay customers
y Default passwords:y Pose unique vulnerabilities because they are widely known
y Routinely shipped with hardware or software
y Routinely passed from one hacker to the next
y
Should be changed immediately
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
46/48
Ethics
Understanding Operating Systems, Fourth
Edition46
y Ethical behavior: Be good. Do good.
y IEEE and ACM issued a standard of ethics in 1992
y Apparent lack of ethics in computing is a significant departure
from other professionsy Consequences of ethical lapses:
y Illegally copied software can result in lawsuits and fines
y Plagiarism is illegal and punishable by law
y Eavesdropping on e-mail, data, or voice communications issometimes illegal and usually unwarranted
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
47/48
Ethics (continued)
Understanding Operating Systems, Fourth
Edition47
y Consequences of ethical lapses: (continued)
y Cracking (malicious hacking) causes systems owner and users to
question the validity of systems data
y U
nethical use of technology is clearly the wrong thing to doy Specific activities to teach ethics can include:
y Publish policies that clearly state which actions will and will not be
condoned
y
Teach a regular seminar on the subject including real-life casehistories
y Conduct open discussions of ethical questions
-
8/3/2019 Ch11- Security, Protection and Ethics Revised
48/48
Summary
Understanding Operating Systems, Fourth
Edition48
y Cant overemphasize the importance of keeping the systemsecure
y System is only as good as the integrity of the data thats stored
on ity A single breach of security whether catastrophic or not,
whether accidental or not damages the systems integrity
y Damaged integrity threatens the viability of the best-designed
system, its managers, its designers, and its usersy Vigilant security precautions are essential