CIS 310 Management Information Systems Information Security

Upload: mariah-cooper

Post on 23-Dec-2015

Page 1: CIS 310 Management Information Systems Information Security

CIS 310 Management Information Systems

Information Security

Page 2

Information Security

• An increasingly important issue today.
• Global issue
  – Comment Crew (the Chinese army unit tied to hacking against US targets in the Sanger article cited in the references)
  – Stuxnet
• Expensive for companies – Symantec (Norton Cybercrime Report 2011)
  – Direct losses to cyber crime of $114 billion/yr worldwide, $388 billion once victims’ lost time is counted
  – “cybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288 billion)”
  – Many companies do not report the crimes, so the true figure is higher

Page 3

Recently…

Page 4

Legislation on Cyber Crime

• Privacy Act (1974) – Restricts what personal information the federal government can collect, sets procedures for securing it, and forbids disclosing it without the individual’s consent.

• Electronic Communications Privacy Act (1986) – Extends wiretap protections to electronic communications such as email. Its exceptions (for the provider of the system, and for consent) are what give companies the right to access information on company computers, including email correspondence.

• Computer Fraud and Abuse Act (1986) – Makes unauthorized access to computers a federal crime. The original act covered government and financial-institution computers; later amendments extended it to any “protected computer,” in practice any computer connected to the Internet.

Page 5

Legislation (contd.)

• Communications Assistance for Law Enforcement Act (1994) – Telecom equipment has to be designed so that government agencies with authorization (a court order) can intercept communications.

• Freedom of Information Act (1966; Electronic FOIA amendments 1996) – Allows people to examine federal government records, unless release would be an unwarranted invasion of privacy or fall under another exemption.

• HIPAA (1996) – Health Insurance Portability and Accountability Act. Its Privacy and Security Rules require patient information (protected health information) to be kept confidential and protected by administrative, physical and technical safeguards.

Page 6

Legislation (contd.)

• USA PATRIOT Act (2001) – Gives law enforcement broad access to electronic records (purchases, communications and other data) in terrorism investigations.

• Homeland Security Act (2002) – Created the Department of Homeland Security; government agencies can mine data about individuals and groups.

• Sarbanes-Oxley Act (2002) – Requires public companies to ensure their financial information is accurate and reliable, which in practice means controls over the IT systems that produce it. Delineates what records must be kept and for how long.

• CAN-SPAM Act (2003) – Regulates rather than bans commercial email (spam): prohibits deceptive subject lines and false header or address information, and requires a working opt-out mechanism.

Page 7

Global Issues

• Laws are different for each country.
• Difficult to find the criminal.
• Crimes:
  – Hacking
  – Software piracy
  – Intellectual property theft
  – Child pornography

Page 8

Cyber Crime Goes Social

• 11 percent of people had their social account hacked in the previous survey year; this year the number is up to 15 percent.

• The total rate of cyber crime on social networks (not simply a hacked account, but also harassment, bullying, click- or like-jacking, and falling victim to scams) is 39 percent.

Page 9

Infamous Hackers

• John Draper – “Cap’n Crunch”. Phone phreak. Found that a toy whistle from the cereal box produced the 2600 Hz tone AT&T’s long-distance network used for signalling, so it could be used to place free calls. Got 5 years probation for toll fraud (1972). Later became a software developer and a CTO.

• Robert Tappan Morris – First Internet worm (1988). Self-propagating code that spread over the Internet and, because of a flaw in its check for machines already infected, disrupted thousands of the hosts it reached. 3 years probation and a $10K fine.

Page 10

Infamous Hackers (contd.)

• David L. Smith – Melissa (released 3/26/99). A Word macro virus that mailed itself to the first 50 addresses in each victim’s Outlook address book; the resulting traffic forced many organizations to shut down their email servers. Faced up to 10 years; sentenced to 20 months and a $5,000 fine.

• Kevin Mitnick – Unauthorized access to many computer systems. Notorious fugitive. Convicted twice.

Page 11

Infamous Hackers (contd.)

• Kevin Poulsen – Hacked phone systems to win radio-station prizes. Went on the run from the FBI. Convicted of mail, wire and computer fraud and money laundering. About 4 years in prison and a $60,000 fine. Later an editor for Wired.com.

• Onel de Guzman & Reomel Ramones (2000, Love Bug or ILOVEYOU virus). Spread by email as a script attachment, sent from the Philippines. Two suspects were arrested and then released because the Philippines had no law against releasing a virus at the time; one was passed shortly afterward.

Page 12

Infamous Hackers (contd.)

• Aaron Swartz – Helped build Creative Commons and co-founded Reddit. Computer activist. Accused of downloading millions of JSTOR journal articles in order to make them freely available to the public. Indicted by the Department of Justice on 13 felony counts, most of them under the Computer Fraud and Abuse Act. Committed suicide at the age of 26 while the case was pending.

Page 13

End

• What was the name of the famous computer virus that infected Iranian nuclear facilities?
  Stuxnet (strictly a worm: it spread on its own via USB drives and network shares)

• What was the alias for John Draper, the phone service hacker who used the whistle?
  Cap’n Crunch

• In what sense is cyber crime global?
  The Internet is global. The laws for cyber crime are different for different countries.

Page 14

CIS 310 Management Information Systems

Attacks & Prevention

Page 15

Attacks & Prevention

• Hackers
• Password theft
• Social engineering
• Phishing
• Viruses / Trojan horses / worms
• Hoaxes
• Elevation of privilege
• DoS attacks
• Spyware

Page 16

Hackers

• Hacker
  – White hat
  – Black hat
• Hacktivist
• Cyber-terrorist
• Groups
  – 2600
  – 4chan / Anonymous

CyberCrimeWatch.com statistics
• 25% of cyber crimes remain unresolved
• 75 million scam emails are sent every day, claiming 2,000 victims
• 73% of Americans (65% globally) have experienced some form of cyber crime
• 10.5% of the world’s hackers are from the UK
• 66% of the world’s hackers are American
• 7.5% are Nigerian
• The average Internet crime costs the victim $128

Page 17

The Hacker Ethic (as set out in Steven Levy’s Hackers, 1984)

1. Access to computers – and anything which might teach you something about the way the world works – should be unlimited and total. Always yield to the Hands-On Imperative!
2. All information should be free.
3. Mistrust authority – promote decentralization.
4. Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or position.
5. You can create art and beauty on a computer.
6. Computers can change your life for the better.

Page 18

Passwords

• Why bother?
• WIRED, “Kill the Password: Why a String of Characters Can’t Protect Us Anymore,” 11/15/12
• Password vulnerabilities
  – Easy to guess (password, 123456)
  – Easy to crack by brute force or dictionary attack once the password hashes are stolen (tools: Cain and Abel, John the Ripper)
  – Heavily reused – about 50% of people reuse passwords across sites, so one breach opens many accounts
  – Phishing – emails asking you to divulge a password
  – Malware & keyloggers – software hidden on your computer that sends information to the attacker (Verizon says 69% of data breaches involve malware)
• Alternatives and additions
  – Biometrics
  – Passphrases
  – Two-factor authentication

Page 19

Social Engineering

• Talking your way into access to someone’s accounts, typically by impersonating someone the victim would trust and inventing a plausible reason for the request.

• “Hello Jane, this is Ruth from IT. I see that you’ve got some stuck processes on the network. … chat chat chat … Can you just tell me what your password is and I’ll see if I can eliminate those and fix the problem.”
  (Real IT staff never need a user’s password to do their job; that request is the tell.)

Page 20

WIRED tips on password selection
• Don’t
  – Reuse passwords
  – Use a dictionary word as your password
  – Use standard number substitutions – P@ssw0rd (cracking tools apply the same substitution rules to their wordlists)
  – Use a short password
• Do
  – Use two-factor authentication
  – Give bogus answers to security questions (and record them somewhere safe)
  – Scrub your online presence
  – Use a unique, secure email address for password recovery
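The two password slides make the same point from two sides: cracking tools such as John the Ripper do not try words one at a time, they run every word through mangling rules, so “P@ssw0rd” falls to the same dictionary attack as “password” (the quiz at the end of this section asks exactly this). The block below is an added example, not code from the slides or from any cracking tool; the wordlist, the salt and the mangling rules are constructed for the demonstration and are far smaller than a real attacker’s.

```python
"""Added example: a rule-based dictionary attack, in the style of
John the Ripper's word-mangling rules, against salted SHA-256 hashes.
Everything here (wordlist, leet rules, suffixes, salt) is constructed."""
import hashlib
import itertools
from typing import Iterator, Optional, Tuple

# A tiny stand-in for a real cracking wordlist (constructed).
WORDLIST = ["password", "letmein", "dragon", "monkey", "football"]

# The "standard number substitutions" the WIRED tips warn about. A cracker
# applies these to every word, so they add almost nothing to the search.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Common endings people add to "strengthen" a word (constructed subset).
SUFFIXES = ["", "1", "123", "!", "2012", "2013"]


def mangle(word: str) -> Iterator[str]:
    """Yield the word plus the variants a cracking rule set would try:
    capitalisation, every combination of leet substitutions, and a
    trailing digit or year.  'password' yields 'P@ssw0rd' among others."""
    variants = {word, word.capitalize(), word.upper()}
    for base in list(variants):
        positions = [i for i, ch in enumerate(base) if ch.lower() in LEET]
        for r in range(1, len(positions) + 1):
            for combo in itertools.combinations(positions, r):
                chars = list(base)
                for i in combo:
                    chars[i] = LEET[chars[i].lower()]
                variants.add("".join(chars))
    for base in sorted(variants):
        for suffix in SUFFIXES:
            yield base + suffix


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256, as many breached sites stored passwords. The salt
    defeats precomputed tables; it does nothing against guessing."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack(target_hash: str, salt: bytes) -> Tuple[Optional[str], int]:
    """Try every mangled wordlist entry against one stolen salted hash.
    Returns (recovered password or None, number of guesses made)."""
    attempts = 0
    for word in WORDLIST:
        for guess in mangle(word):
            attempts += 1
            if hash_password(guess, salt) == target_hash:
                return guess, attempts
    return None, attempts


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"
    for pw in ["P@ssw0rd", "Dragon123", "correct horse battery staple"]:
        found, n = crack(hash_password(pw, salt), salt)
        print(f"{pw!r}: {'cracked as ' + repr(found) if found else 'not found'} after {n} guesses")
```

A five-word list with these rules already produces about 1,500 candidates, and “P@ssw0rd” is one of them; a real attacker uses lists of tens of millions of words and hundreds of rules. A long random passphrase is not in any list, which is why the WIRED tips favour length and uniqueness over clever substitutions.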

Page 21

Phishing

Page 22

Page 23

Virus

• Malicious program that attaches itself to other things (a document, a program, an email attachment) and spreads to every computer it reaches when the infected host is opened or run.
• Melissa 1999 – David L. Smith
• Trojan horse – malware disguised as, or hidden inside, a program the user installs willingly. (Code that lies dormant until a specific date or trigger is a logic bomb, which a Trojan may carry.)
• Worm – self-replicating malware that spreads over the network on its own, without needing a host file or user action; the traffic it generates and any payload it carries can destroy, overwrite or corrupt data.

Page 24

Hoax

Page 25

Elevation of Privilege

• Starting from a low-privileged foothold (an ordinary user account, a compromised web server) and gaining higher access levels, up to administrator or root.
  – Destroy information
  – Get confidential information
• Gained by stealing passwords, social engineering, exploiting flaws in privileged programs, and other techniques. Running users and services with the least privilege they need limits how far an attacker can climb.

Page 26

DoS Attacks

• Denial of service: a massive amount of traffic, or specially crafted traffic, sent to a host or network so that legitimate users cannot get through or the target crashes.
  – Ping flood – sending so many ICMP echo requests that normal network traffic cannot get through.
  – Teardrop attack – IP fragments with bogus fragment offsets so that the pieces overlap. Old TCP/IP stacks crashed when they tried to reassemble them; a robust reassembler validates offsets and lengths and drops the datagram instead.
• Distributed DoS (DDoS) attacks – the same, launched from many compromised machines (a botnet) at once, so no single source can be blocked.
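The teardrop bullet is a case of trusting attacker-supplied lengths. As an added example (not code from the slides, and a simplification of real IPv4 reassembly), the block below shows the arithmetic that made the original bug next to a reassembler that validates each fragment before copying it. The fragment sets are constructed; offsets are in bytes rather than the 8-byte units of the real header.

```python
"""Added example: validating IP fragments before reassembly.
Fragment sets are constructed for the demonstration."""
from typing import List, Optional, Tuple

# (offset_in_bytes, payload, more_fragments_flag)
Fragment = Tuple[int, bytes, bool]

MAX_DATAGRAM = 65535  # IPv4 total-length field is 16 bits


def naive_copy_length(prev: Fragment, cur: Fragment) -> int:
    """The arithmetic behind the original teardrop crash: trust the offsets
    and compute how much of the new fragment lies beyond the previous one.
    For an overlapping (teardrop-style) pair this goes negative; an
    unsigned memcpy length then became a huge copy and the kernel died."""
    prev_end = prev[0] + len(prev[1])
    cur_end = cur[0] + len(cur[1])
    return cur_end - prev_end


def reassemble(fragments: List[Fragment]) -> Optional[bytes]:
    """Strict reassembler: returns the datagram payload, or None if the
    fragments are inconsistent (overlap, gap, data after the last
    fragment, missing last fragment, or oversize). Dropping is the safe
    failure mode; nothing is copied until every fragment has been checked."""
    if not fragments:
        return None
    ordered = sorted(fragments, key=lambda f: f[0])
    expected_next = 0
    last_seen = False
    for offset, payload, more in ordered:
        if offset < 0 or len(payload) == 0:
            return None
        if last_seen:
            return None                  # data after the fragment marked last
        if offset != expected_next:
            # offset < expected_next is an overlap (teardrop);
            # offset > expected_next is a gap (lost, or still in flight)
            return None
        expected_next = offset + len(payload)
        if expected_next > MAX_DATAGRAM:
            return None                  # would overflow a fixed-size buffer
        if not more:
            last_seen = True
    if not last_seen:
        return None                      # final fragment never arrived
    return b"".join(p for _, p, _ in ordered)


# Constructed inputs: a well-formed three-fragment datagram and a
# teardrop-style pair whose second fragment lands inside the first.
GOOD = [(0, b"A" * 16, True), (16, b"B" * 16, True), (32, b"C" * 8, False)]
TEARDROP = [(0, b"A" * 36, True), (24, b"B" * 4, False)]

if __name__ == "__main__":
    print("good datagram:", reassemble(GOOD))
    print("teardrop naive copy length:", naive_copy_length(TEARDROP[0], TEARDROP[1]))
    print("teardrop strict reassembly:", reassemble(TEARDROP))
```

Real stacks tolerate some overlap (RFC 815 keeps one copy of duplicated bytes) rather than dropping outright; the strict policy here is the simplest safe one and is what an intrusion-prevention device typically does with overlapping fragments.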

Page 27

Spyware

• Program installed without your knowledge to spy on your computer activities.
• Tracks what you do (browsing, via adware and tracking cookies; typing, via keyloggers) and shares it with others.
• Used to facilitate pop-up ads and sales; keyloggers are also how passwords and card numbers are stolen.

Page 28

Spam

• Unwanted email
• Not a virus, but a problem with email
  – Takes your time
  – Uses your disk space
  – Is the usual carrier for phishing and malware attachments
• Some estimates put spam as high as 45% of all email.
• Spam blockers and filters help so that you don’t see those messages.

Page 29

Solutions

• Education
• Authentication
• Properly maintained systems
• Firewall
• Virus protection software
• Network monitoring
• Spam filters in email

Page 30

Education

• Ultimately, people are the first line of defense against computer crime.
• Education/training can prevent problems:
  – Password rules and conventions
  – Antivirus
  – Which emails and attachments not to open
  – Secure data handling practices

Page 31

Authentication and Authorization

• Authentication refers to making sure people are who they say they are. Factors:
  1. Something you know – password
  2. Something you have – access card
  3. Something you are – biometrics
  Two-factor authentication combines factors from two different categories.
• Authorization refers to ensuring that authenticated people can access only the data and functions they are permitted to use. Logging in proves identity; it does not by itself grant rights.
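The slide separates the two questions (who are you? what may you do?); the block below, an added example and not the course’s or any product’s code, implements one login flow that keeps them separate. Factor one is a password checked against a salted PBKDF2 hash, factor two is a TOTP code of the kind authenticator apps generate (RFC 6238, HMAC-SHA1, 30-second step), and authorization is a role check that runs only after both factors pass. The user table, roles and policy are constructed; the TOTP secret is the RFC 6238 test secret so the code can be checked against the published vectors.

```python
"""Added example: two-factor authentication followed by a separate
authorization decision. User store, roles and policy are constructed."""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Slow salted hash: the server never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the counter floor(time / step)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed user store. In production the salt and TOTP secret are
# random and unique per user; the RFC test secret is used here so the
# TOTP output can be verified against RFC 6238 Appendix B.
SALT = b"constructed-per-user-salt"
TOTP_SECRET = b"12345678901234567890"
USERS: Dict[str, dict] = {
    "jane": {"pw_hash": pbkdf2_hash("correct horse battery staple", SALT),
             "totp": TOTP_SECRET, "role": "analyst"},
    "ruth": {"pw_hash": pbkdf2_hash("P@ssw0rd", SALT),
             "totp": TOTP_SECRET, "role": "admin"},
}

# Constructed authorization policy: which roles may perform which action.
PERMISSIONS = {"read_report": {"analyst", "admin"}, "delete_user": {"admin"}}


def authenticate(user: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass. Hash comparison is constant-time, and the
    previous and next TOTP step are accepted to tolerate clock skew."""
    record = USERS.get(user)
    if record is None:
        return False
    if not hmac.compare_digest(pbkdf2_hash(password, SALT), record["pw_hash"]):
        return False
    now = int(time.time()) if now is None else now
    return any(hmac.compare_digest(totp(record["totp"], now + d * 30), code)
               for d in (-1, 0, 1))


def authorize(user: str, action: str) -> bool:
    """A separate decision: an authenticated analyst still may not delete users."""
    record = USERS.get(user)
    return record is not None and record["role"] in PERMISSIONS.get(action, set())


if __name__ == "__main__":
    now = int(time.time())
    code = totp(TOTP_SECRET, now)                # what Jane's authenticator app shows
    if authenticate("jane", "correct horse battery staple", code):
        for action in PERMISSIONS:
            print(f"jane -> {action}: {'allowed' if authorize('jane', action) else 'denied'}")
```

Note that Ruth’s weak password does not by itself let an attacker in: the second factor still has to match, which is the practical argument for two-factor authentication on the earlier slides. The policy lookup is deliberately a second function so that a new action defaults to denied until someone adds it to PERMISSIONS.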

Page 32

Properly Maintained Networks

• Up-to-date software
• Latest patches, applied promptly; attackers routinely exploit flaws for which a fix has been available for months
• Firewall firmware and rules kept current
• Latest anti-virus signatures

Page 33

Firewall

• Software and/or hardware that blocks unwanted traffic from entering (or leaving) an organization’s network.
• A firewall has an ordered set of rules that it applies to each packet or connection, matching on addresses, ports and protocol, to block unwanted messages or attacks. A sound rule set ends with a default deny: anything not explicitly allowed is dropped.
• You can run one on your own computer (a host firewall).
• Companies place firewalls at every point where their network connects to the Internet.
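To make “a set of rules it applies” concrete, the block below is an added example (not the slides’ code, and not any firewall product’s syntax) of the evaluation every packet filter performs: rules are checked in order, the first match decides, and an implicit final rule denies everything else. The addresses come from the documentation ranges (TEST-NET) and the policy is constructed for a single web server with an internal management network.

```python
"""Added example: first-match, default-deny packet filtering.
Addresses, ports and the rule set are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # CIDR; "0.0.0.0/0" means any source
    dst: str
    proto: str                  # "tcp", "udp", "icmp" or "any"
    dports: Tuple[int, int]     # inclusive destination port range
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0              # 0 for protocols without ports (icmp)


ANY_PORT = (0, 65535)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when protocol, destination port and both address
    ranges match. CIDR containment is done with the ipaddress module."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if not rule.dports[0] <= pkt.dport <= rule.dports[1]:
        return False
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins. No match means the implicit default deny,
    reported with rule None so logs can show which traffic fell through."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule
    return "deny", None


WEB = "203.0.113.10/32"          # constructed: the public web server
MGMT = "10.0.0.0/8"              # constructed: internal management network

# Correct ordering: the narrow allow for management SSH precedes the
# broad deny, so the deny cannot shadow it.
GOOD_RULES = [
    Rule("allow", MGMT, WEB, "tcp", (22, 22), "SSH from management net only"),
    Rule("deny", "0.0.0.0/0", WEB, "tcp", (22, 22), "no SSH from the Internet"),
    Rule("allow", "0.0.0.0/0", WEB, "tcp", (80, 80), "HTTP"),
    Rule("allow", "0.0.0.0/0", WEB, "tcp", (443, 443), "HTTPS"),
    Rule("allow", "0.0.0.0/0", WEB, "icmp", ANY_PORT, "ping"),
]

# Same rules with the first two swapped: the broad deny now matches
# 10.0.0.0/8 as well, and administrators are locked out.
MISORDERED_RULES = [GOOD_RULES[1], GOOD_RULES[0]] + GOOD_RULES[2:]

if __name__ == "__main__":
    for pkt in [Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
                Packet("198.51.100.7", "203.0.113.10", "tcp", 22),
                Packet("10.1.2.3", "203.0.113.10", "tcp", 22),
                Packet("198.51.100.7", "203.0.113.10", "tcp", 3306)]:
        action, rule = decide(GOOD_RULES, pkt)
        print(pkt, "->", action, "(" + (rule.comment if rule else "default deny") + ")")
```

The MySQL packet on port 3306 shows the value of default deny: nobody wrote a rule about that port, and it is blocked anyway. The misordered list shows why rule review is part of a security audit; both lists contain exactly the same rules.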

Page 34

Virus Protection Software

• Software specifically written to find and eradicate viruses and other malware on your machine, mostly by matching files against a list of known signatures.
• Vendors update the signature lists frequently; the software is only as good as its last update, and brand-new malware may not be detected at all.
• Users need to run periodic scans to find and eliminate problems.

Page 35

Content Filtering

• Software that blocks unwanted traffic.
  – Email messages with questionable content
  – Time filtering to limit children’s time on the computer
  – Browser filtering, network filtering, ISP filtering
• Criticism: censorship or over-filtering.
• Libraries: free speech vs. preventing children from viewing inappropriate sites.
• Children’s Internet Protection Act (CIPA, 2000) – ties certain federal funding for schools and libraries to the use of filters.
• Pro: less spam, fewer ads in email.

Page 36

Network Monitoring

• Used to identify an attack on the network by watching traffic load and other variables: establish a baseline of normal traffic per source, port and time of day, then alert when current traffic departs from it. A DoS flood shows up as a spike from one source, a distributed one as a spike spread across many.

Anti-SPAM Software
• Stops junk mail from getting to you.
• Deletes it or puts it in your SPAM folder.
• Sometimes messages are marked as SPAM erroneously (false positives), which is why a quarantine folder is preferable to silent deletion.
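The monitoring bullet describes a sliding-window rate check. As an added example (not from the slides, and in a simplified record format rather than any vendor’s), the block below runs that check over constructed flow records: it counts packets per source within a one-second window, alerts when a single source exceeds its limit (a plain flood) or when the aggregate exceeds a higher limit while no single source stands out (the distributed pattern from the DoS slide), and emits one alert per window rather than one per packet.

```python
"""Added example: flood detection over flow records with a sliding
one-second window. All log lines below are constructed."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed flow records, "<unix_time_ms> <src_ip> <dst_ip> <proto>".
# A normal client at 4 packets/s, then 400 pings in 0.8 s spread over 50
# hosts (each host individually looks harmless), then another client.
SAMPLE_LOG = (
    ["%d 198.51.100.7 203.0.113.10 tcp" % (1_000_000 + 250 * i) for i in range(4)]
    + ["%d 192.0.2.%d 203.0.113.10 icmp" % (1_000_500 + 2 * i, 1 + i % 50) for i in range(400)]
    + ["%d 198.51.100.9 203.0.113.10 tcp" % (1_001_300 + 200 * i) for i in range(3)]
)
# Constructed single-source ping flood: 30 packets in 90 ms from one host.
SINGLE_SOURCE_LOG = ["%d 198.51.100.7 203.0.113.10 icmp" % (2_000_000 + 3 * i) for i in range(30)]


def parse(line: str) -> Tuple[int, str, str, str]:
    ts, src, dst, proto = line.split()
    return int(ts), src, dst, proto


def detect_floods(lines: List[str], per_source_limit: int = 20,
                  total_limit: int = 200, window_ms: int = 1000) -> List[dict]:
    """Return one alert per window whose load exceeds a limit.
    per_source_limit catches a single noisy host; total_limit catches the
    distributed case where every host stays under the per-source limit."""
    records = sorted(parse(line) for line in lines)          # tolerate out-of-order lines
    window: Deque[Tuple[int, str]] = deque()
    per_src: Dict[str, int] = defaultdict(int)
    alerts: List[dict] = []
    last_alert = None
    for ts, src, dst, proto in records:
        window.append((ts, src))
        per_src[src] += 1
        # Expire records older than the window so counts stay current.
        while window and window[0][0] <= ts - window_ms:
            _, old_src = window.popleft()
            per_src[old_src] -= 1
            if per_src[old_src] == 0:
                del per_src[old_src]
        total = len(window)
        top_src, top_count = max(per_src.items(), key=lambda kv: kv[1])
        single = top_count > per_source_limit
        if (single or total > total_limit) and (last_alert is None or ts - last_alert > window_ms):
            last_alert = ts                                   # one alert per window
            alerts.append({
                "time_ms": ts,
                "target": dst,
                "kind": "flood" if single else "distributed flood",
                "packets_in_window": total,
                "distinct_sources": len(per_src),
                "source": top_src if single else None,     # no single culprit in DDoS
            })
    return alerts


if __name__ == "__main__":
    for name, log in [("distributed", SAMPLE_LOG), ("single source", SINGLE_SOURCE_LOG)]:
        for alert in detect_floods(log):
            print(name, "->", alert)
```

The thresholds are the baseline the slide mentions; in practice they come from measuring normal traffic, and the alert feeds a firewall rule or an upstream scrubbing service rather than a print statement.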

Page 37

End

• Is a worm a computer virus?
  It is self-replicating malware like a virus, but strictly speaking a different class: a worm spreads across the network on its own instead of attaching itself to a host program or file. Many texts lump both under “viruses”.

• What type of attack sends many messages to a Web site at the same time in an attempt to crash the site?
  A DoS (denial of service) attack; when the traffic comes from many machines at once, a distributed DoS (DDoS).

• Is it OK to use a password like P@ssw0rd?
  Nope. Password cracking wordlists and mangling rules have these in them.

Page 38

CIS 310 Management Information Systems

Corporate Policies and

Ethical Issues of the Information Age

Page 39

Scenarios for IT

• Browsing a company database to see what people’s salaries are.
• Taking company copies of software home for your own use.
• Using company email for private, non-work related, messages.
• Showing co-workers YouTube videos.
• Playing computer games at work.
• Copying confidential data onto a thumb drive.

Page 40

Policies

• Ethical Computer Use or Acceptable Use Policies
  – Agree not to use computer resources for unethical activities.
    • Hate crimes
    • Adding unauthorized software
  – Agree not to use computer resources for unapproved activities.
    • Games, movies, etc.
• Privacy Policies
  – Any place with sensitive data
  – Sign an agreement to protect people’s privacy

Page 41

Cal Poly Appropriate Use Policy

Page 42

Workplace Monitoring

• Through cameras, computers and even RFID tags, employers can keep track of your activities.
• Usually people are informed about monitoring before they accept a job; notice is also what makes the monitoring defensible under the ECPA’s consent exception.
• Companies like to monitor productivity with metrics like how long it takes to close a customer call.
• Controversial because employees can find it demeaning and see it as a lack of trust.

Page 43

Security Policy

• All companies need security policies.
• Having a plan in place protects you from further damage or liability when something goes wrong.
• Security policies cover many things.
• Companies can tailor their security policies to fit their specific needs.

• Acceptable Use Policy
• Authentication Policy
• Backup Policy
• Confidential Data Policy
• Data Classification Policy
• Encryption Policy
• Email Policy
• Guest Access Policy
• Incident Response Policy
• Mobile Device Policy
• Network Access Policy
• Network Security Policy
• Outsourcing Policy
• Password Policy
• Physical Security Policy
• Remote Access Policy

List of policies from InstantSecurityPolicy.com

Page 44

Security Audits

• Evaluate your environment, policies and people to see what your risks are. The areas below follow the eleven control domains of ISO/IEC 27002 (2005 edition).
  – Security policy
    • Does the company have a policy, and is it periodically reviewed and updated?
  – Organization of information security
    • Is management involved?
    • Is the policy disseminated?
  – Asset management
    • Are all the assets known/inventoried?
    • Do acceptable use policies exist?

Page 45

Security Audits (contd.)
  – HR security
    • Screen applicants for employment
    • Appropriate training
    • Disciplinary process
  – Physical and environmental security
    • Locks, gates, access restricted to specific people
    • Secure, maintained, protected equipment
  – Etc.:
    • Communications and operations management
    • Access control
    • Information systems acquisition, development and maintenance
    • Information security incident management
    • Business continuity management
    • Compliance

Page 46

Ethical Issues of the Information Age

• Richard Mason, MIS Quarterly 1986, “Four Ethical Issues of the Information Age” (PAPA)
  – Privacy
  – Accuracy
  – Property
  – Access

Page 47

Privacy

• Two forces threatening our privacy:
  – Growth of IT and its ability to do surveillance, communicate, and retrieve and store information.
  – Increased value of information in decision-making.

Page 48

Accuracy

• The right to ensure data about you is accurate.
• Erroneous data can create large problems for individuals
  – Inaccurate medical records
  – Mistakes on a credit report
  – Bad driving directions
• Fixing an error, once it has occurred, can be a problem.
  – Finding out the error exists
  – Making sure the error didn’t propagate to other databases

Page 49

Property

• Intellectual property
• Copyrights, trademarks and patents
• Software piracy
• Business Software Alliance

Page 50

Access

• Technology haves and have-nots.
  – Used to refer to people without computers.
  – Now, people without skills are more of an issue.
• People need:
  – Intellectual skills to deal with information
  – Infrastructure to access information
  – The information itself

Page 51

End

• Is workplace monitoring legal?
  Yes, typically it is (in the US, on employer-owned systems, especially where employees have been given notice).

• What are Mason’s 4 issues with the Information Age?
  Privacy, Accuracy, Property and Access

• What is the piracy rate in the United States according to the Business Software Alliance?
  19%

Page 52

References
• Sanger, David E., et al., “Chinese Army Unit Is Seen as Tied to Hacking Against U.S.,” New York Times, 2/18/13.
• Asa, Norman, “Cyberattacks on Iran – Stuxnet and Flame,” New York Times, 8/9/12.
• Statistics on Cyber Crime, http://www.cybercrimeswatch.com/cyber-crime/cyber-crime-statistics.html
• Wikipedia articles on John Draper, Robert Tappan Morris, David L. Smith, Kevin Mitnick, Kevin Poulsen, Onel de Guzman and Aaron Swartz.
• The Hacker Ethic (Steven Levy, Hackers: Heroes of the Computer Revolution, 1984).
• Honan, Mat, “Kill the Password: Why a String of Characters Can’t Protect Us Anymore,” Wired, 11/15/12.
• Spam statistics – http://www.spamlaws.com/spam-stats.html
• McAfee.com and Symantec.com
• 2011 Business Software Alliance Report on Piracy – http://portal.bsa.org/globalpiracy2011/