Managing Information Security and Privacy.docx


Western University
Computer Science
Computer Science 1032A/B
Diane Goldstein

Managing Information Security and Privacy

Sources of Security Threats
• Human errors and mistakes
  o Accidental problems
  o Poorly written programs
  o Poorly designed procedures
  o Physical accidents
• Malicious human activity
  o Intentional destruction of data
  o Destroying systems components
  o Hackers
  o Virus and worm writers
  o Criminals
  o Terrorists
• Natural events and disasters
  o Fires, floods, hurricanes, earthquakes, tsunamis, avalanches and tornadoes
  o Initial losses of capability
  o Losses from recovery actions

Unauthorized Data Disclosures
• Human error
  o Posting private information in a public place
  o Placing restricted information on searchable web sites
  o Inadvertent disclosure
• Malicious release
  o Pretexting
    ▪ Someone pretending to be someone else
  o Phishing
    ▪ How it happens:
      • Obtain unauthorized data using pretexting via email
      • Create a replica of an existing web page to fool a user into submitting personal, financial or password data
      • Email is sent to direct you to the website that appears to be from a legitimate company
      • You are advised that information or a security check is needed on your account and advised to click on a link to the company’s website to provide the information
      • Link connects to a website that is an imitation of the spoofed company’s actual website
      • These counterfeit websites and emails appear very authentic
      • One way to test the validity of the site might be to enter an incorrect password, because a phishing website will typically accept an incorrect password, which cues you that it is a phishing scam
    ▪ Phishing for credit card accounts
      • Usually initiated by email request
        o Designed to cause you to click
        o Asks for personal data
        o May install spyware, malware or adware
      • Defences
        o Know your purchases and deal directly with vendors
        o Implausibility of email
        o Don’t be misled by legitimate-looking graphics or addresses
  o Sniffing
    ▪ Interception of computer communications
    ▪ Wired network
      • Requires physical connection
    ▪ Wireless network
      • Access gained through unprotected network
      • “drive-by”
    ▪ Packet sniffers
      • Programs capturing data from information packets as they travel over the Internet or company networks
      • Confidential information taken from the captured packets
• Breaking into networks
• Stealing data
  o Customer lists
  o Product information
  o Employee information
  o Other confidential data

Incorrect Data Modifications
• Human errors
  o Incorrect entries and information
  o Procedural problems
• Systems errors
• Faulty recovery actions
• Hacking
  o Unauthorized access to and use of computer systems – usually by means of a personal computer and a telecommunications network
  o Most hackers break into systems using known flaws in operating systems, application programs or access controls
  o Some are simply motivated by curiosity and a desire to overcome a challenge, while some have malicious intent and do significant damage
• Faulty service
  o Incorrect systems operations
    ▪ Human
    ▪ Technical
  o Usurpation
    ▪ Unauthorized programs invade a system and replace a legitimate program
    ▪ Unauthorized program halts legitimate one and substitutes its own processing

Denial of Service Attacks (DoS attacks)
• Force the victim computer to reset or consume its resources such that it can no longer provide its intended service
• Obstruct the communication media between the intended users and the victim so that they can no longer communicate adequately
• E.g. –
  o Overloading and shutting down an ISP’s email system by sending email “bombs” at a rate of thousands per second – often from randomly generated email addresses
  o Shutting down a web server by sending a load of requests for web pages
  o In both cases the system performance degrades until the system freezes up or crashes

Loss of Infrastructure
• Accidental
• Theft
• Terrorism
• Natural disasters

Elements of a Security Program
• Senior management involvement
  o Sets policies
  o Balances costs against risks
  o Responsible for information security
• Safeguards
• Incident response
• Support mission of the organization
  o Nature and size of organization
• Integral to the management
  o Are appropriate safeguards in place?
  o Employees trained for system failure?
• Cost effective
  o Cost benefit analysis
    ▪ Direct (labour costs)
    ▪ Intangible (customer frustration)
• Explicit responsibilities and accountabilities
  o Assignment of specific task to individuals
• Responsibilities outside of department
  o Consequences can affect other units
• Comprehensive and integrated
  o No single solution
• Periodically assessed
  o Issues continually changing
• Constrained by societal factors
  o Conflicts with personal privacy
    ▪ Find appropriate balance
• Senior management
  o Define policy
  o Manage risk
• General statement of security program
  o Provides foundation for more specific security measures
  o Specifies
    ▪ Goals
    ▪ Assets to be protected
  o Designates security management departments
  o Ensures enforcement of policies
• Issue-specific policies
  o E.g. –
    ▪ Personal use of computers
    ▪ Use of email services and the Internet
  o Employees must be made aware
• System-specific policy
  o Addressed as a part of standard systems development process
  o E.g. –
    ▪ Customer data: sold or shared with others
    ▪ Processing employee data

Risk
• Likelihood of adverse occurrence
  o Known threats and consequences
• Management must manage likelihood
  o Limit consequences
  o Reducing risk always costs
• E.g. –
  o A hurricane – keeping adequate backups at a remote site

Uncertainty
• Different from risk
  o Unknown (threats and consequences)
• Due to uncertainty, risk management is never exact

Management’s Assessment of Risk
• Defines assets
  o Sensitive data
  o Computer facilities
  o Trademark and brand (phishing)
  o Employee privacy
• Assess potential threats
  o Likelihood of occurrence
  o Consequences of occurrence
• Safeguard
  o Action, device, procedure or technique that reduces vulnerability to threat
  o Identify for each threat
  o Residual risk occurs due to not being able to protect in all situations
• Vulnerability
  o Opening or weakness in the security system
• Consequences
  o Damages that occur when an asset is compromised
  o Tangible and intangible
• Likelihood
  o Probability given assets will be compromised
• Probable loss
  o Bottom line of risk assessment
    ▪ Measure of probable loss: multiply likelihood by cost of consequences

Difficulty with Risk – Management Decisions
• Given probable loss
  o Management must decide what to do
• Some assets can be protected by inexpensive and easily implemented safeguards
  o E.g. – virus protection software
• Some vulnerabilities are expensive to eliminate
  o Effectiveness of safeguard may be unknown
  o Probable loss subject to uncertainty
• Must make prudent decisions
• Consider all factors and take most cost effective action to reduce probable losses

Identification and Authentication
• User names and passwords
  o Identification and authentication
• Smart cards
• Biometric authentication
• Single sign-on

Authentication Methods
• What do you know?
  o Password, PIN
    ▪ Effective passwords satisfy a number of requirements:
      • Length
      • Multiple character types
      • Randomness
      • Changed frequently
      • Secret
    ▪ Deficiencies increase security threats
• What do you have?
  o Smart card
    ▪ Normally size of credit card
    ▪ Magnetic strip or microchip contains identification information
    ▪ Can be used with Personal Identification Number (PIN) to be more effective
• What are you?
  o Biometric
    ▪ Authenticates with physical characteristics
      • Fingerprints
      • Facial scans
      • Retina scans
    ▪ Early stages of development
    ▪ Invasive?
• Typically multiple levels of authentication
  o Personal computer
  o LAN
  o Database
• Systems can provide single authentication

Encryption
• Used for secure storage or communication
• Common encryption algorithms
  o DES – Data Encryption Standard and AES – Advanced Encryption Standard
    ▪ US government’s standard for data encryption
  o 3DES – Triple Data Encryption Standard
    ▪ Uses a key three times as long as standard DES
    ▪ Used for banks and other organizations that transmit highly sensitive data
• Encryption techniques
  o Senders use key to encrypt plaintext messages
  o Recipient uses key to decrypt
• Encryption
  o The process of transforming normal text into coded text
• Decryption
  o Reverses encryption
• Symmetric encryption
  o Uses the same key to encrypt and decrypt
  o Advantages:
    ▪ Much faster than asymmetric encryption
  o Disadvantages:
    ▪ Sender and receiver must both know the key
    ▪ Both must ensure that the key is kept secret
    ▪ If key becomes public, others will be able to decrypt
    ▪ Both sides of a transaction use the same key – difficult to know who created the document
• Asymmetric encryption
  o Uses two keys
    ▪ Public key is shared/exchanged publicly
    ▪ Private key is known only to the owner of that key
  o Message encoded with one, decoded with the other
  o Advantages:
    ▪ Public key can be publicly distributed
    ▪ Only one party has the private key, easy to know who created the document
    ▪ Easy to implement over a network
  o Disadvantages:
    ▪ Slower encryption method
    ▪ Too slow for large amounts of data
• HTTPS Protocol
  o Secure communication over Internet
    ▪ http that uses SSL/TLS is https://
    ▪ Encrypted using Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocol
    ▪ Encodes messages using web site’s public key, decoded with private key
  o Secure for sending sensitive data
  o Normal Internet communications are not encrypted

SSL/TLS
• Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
• Protocol uses both encryption methods
• Works between levels 4 and 5 of TCP-OSI protocol architecture
• Asymmetric encryption transmits symmetric key
• Both parties then use the symmetric key
• Allows verification that communication is with a “true” web site

Digital Signatures
• Messages sent using plaintext
  o Can be intercepted and altered
• Digital signatures
  o Ensure no alteration of plaintext messages
  o Plaintext message hashed
    ▪ Method that mathematically manipulates messages to create bit string

Hashing
• Hash – transformation of plaintext of any length into a short code
• Differs from encryption
  o Encryption always produces ciphertext similar in length to the plaintext but hashing produces a hash of a fixed short length
  o Encryption is reversible but hashing is not – you cannot transform a hash back into its original plaintext

Certificate Authority (CA)
• Organization that issues public/private keys and records the pu
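
An added example, not part of the original notes, for the Digital Signatures and Hashing notes above: the plaintext is hashed to a fixed-length code, the hash is transformed with the private key, and anyone holding the public key can detect alteration. The toy RSA key, the function names and the sample messages are constructed for illustration; the key is far too small for real use.

```python
import hashlib

# Toy RSA key built from two well-known Mersenne primes (constructed for this
# example; real keys are much larger and real signatures also add padding).
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, known only to the signer


def digest(message: bytes) -> bytes:
    """Hash: input of any length -> fixed 32-byte output, not reversible."""
    return hashlib.sha256(message).digest()


def sign(message: bytes) -> int:
    """Signer hashes the plaintext, then transforms the hash with the private key."""
    h = int.from_bytes(digest(message), "big") % N
    return pow(h, D, N)


def verify(message: bytes, signature: int) -> bool:
    """Anyone with the public key (N, E) recomputes the hash and compares."""
    h = int.from_bytes(digest(message), "big") % N
    return pow(signature, E, N) == h


# Constructed sample messages: the second differs by a single character.
original = b"Pay supplier A $100"
altered = b"Pay supplier A $900"
sig = sign(original)

if __name__ == "__main__":
    print(len(digest(b"x")), len(digest(b"x" * 10_000)))  # hash length is fixed
    print(verify(original, sig))   # unaltered message
    print(verify(altered, sig))    # message changed in transit
```

The message itself travels in plaintext; only the hash is signed, which is why the signature stays short however long the message is.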