Class 7 LBSC 690 Information Technology Security

Class 7

LBSC 690

Information Technology

Security

Agenda

• Questions

• Computing as a social process

• Complex systems

Limiting the Use of Computing/IT• Variety of justifications

– Parental control• Web browsing software, time limits

– Intellectual property protection• Copyright, trade secrets

– National security• Classified material

– Censorship

Techniques for Limiting Use• Access control

– Effective multilevel security is hard to achieve

• Copy protection– Hardware and software

• Licensing– Shrink-wrap, Shareware, GNU Public license

• Digital watermarks– Provide a basis for prosecution

Anonymity

• Serves several purposes– Sensitive issues on discussion groups– Brainstorming– Whistleblowers– Marketing (“Spam”)

• Common techniques– Anonymous re-mailers– Pseudonyms

Nettiquite

• Mailing lists and USENET News– “Emily Postnews” on comp.announce.newusers

• Some simple guidelines– Send private replies unless a public one is needed– Limit business uses to appropriate venues– Don’t send unsubscribe requests to the list– Read the FAQ before asking one– Avoid things that start “flames” unless you intend

to

Computing/IT as a Social Process• Programs must implement social norms

– Ownership– Identity– Integrity– Privacy

• Two basic techniques are used– Authentication– Encryption

Ownership• Who has the right to use a computer?

• Who establishes this policy? How?– What equity considerations are raised?

• Can someone else deny access?– Denial of service attacks

• How can denial of service be prevented?– Who can gain access and what can they do?

Identity

• Establishing identity permits access control

• What is identity in cyberspace?– Attribution

• When is it desirable?

– Impersonation• How can it be prevented?

• Forgery is really easy– Just set up your mailer with bogus name and email

Authentication

• Used to establish identity

• Two types– Physical (Keys, badges, cardkeys, thumbprints)– Electronic (Passwords, digital signatures)

• Protected with social structures– Report lost keys– Don’t tell anyone your password

• Password sniffers will eventually find it

Good Passwords

• Long enough not to be guessed– Programs can try every combination of 4 letters

• Not in the dictionary– Programs can try every word in a dictionary– And every date, and every proper name, ...– And even every pair of words

• Mix upper case, lower case, numbers, etc.

• Change it often and use one for each account

Integrity

• How do you know what’s there is correct?– Attribution is invalid if the contents can change

• Access control would be one solution– No system with people has perfect access control

• Risks digest provides plenty of examples!

• Encryption offers an alternative

Privacy

• What privacy rights do computer users have?– On email?– When using computers at work? At school?– What about your home computer?

• What about data about you?– In government computers?– Collected by companies and organizations?

• Does obscurity offer any privacy?

Encryption• Separate keys for writing and reading

– Pretty Good Privacy (PGP) is one “standard”

• Identity– “Digital signature” from a private write key

• Integrity– Public read key will decode only one write key

• Privacy– Either write key or read key can be kept secret

Cookies• Web servers know a little about you

– Machine, prior URL, browser,

• From this they can guess a little more– Path you followed, who is on that machine

• Cookies allow them to remember things– They send you a string and your browser stores it– If they ask for the string, your browser provides it– The string can represent identity and/or information

Access Control Issues• Protect system administrator access

– Greater potential for damaging acts– What about nefarious system administrators?

• Trojan horses– Intentionally undocumented access techniques

• Firewalls– Prevent unfamiliar packets from passing through– Makes it harder for hackers to hurt your system

Denial of Service Attacks• Viruses

– Platform dependent– Typically binary

• Virus checkers– Need frequent updates

• Flooding– The Internet worm– Chain letters

Policy Solutions• Five guidelines

– Establish policies– Authenticate– Authorize– Audit– Supervise

• CSC Acceptable Use Policy

Crisis Management

• Computer Emergency Response Team– Issues advisories about known problems– Need to make sure these reach the right people

• Information Warfare– We depend on our information infrastructure– How can we prevent attacks against it?

• Hacking is individual, this would be organized

– Policy for this is still being worked out

Complex System Issues

• Critical system availability– Who needs warfare - we do it to ourselves!

• Understandability– Why can’t we predict what systems will do?

• Nature of bugs– Why can’t we get rid of them?

• Audit-ability– How can we learn to do better in the future?

Midterm Structure

• One hour and 15 minutes• Approximately 4 questions

– Each may have multiple parts

• Open Book (Oakman only)– You may hand write anything in your Oakman– No extra pages of notes

• The software you may use will be specified• You may bring a calculator

Midterm Advice

• The only goal is to get points!– Spend each minute in the best place

• Develop a strategy for each question type– Guessing CAN hurt on multiple choice– Don’t write a page when a sentence will do

• Study concepts, not details– Grading rewards conceptual understanding– Don’t expect a clone of the sample exams

Questions

??????