Lecture 3b Security

The document outlines various aspects of computer crime, including types of crimes, methods of securing data, and the challenges in discovery and prosecution. It discusses the importance of security measures, disaster recovery plans, and the threats to personal privacy posed by computers and the Internet. Additionally, it highlights the significance of understanding how viruses operate and the steps to protect against them.

Uploaded by

mokorigeorge
Copyright
© © All Rights Reserved

Security and Privacy: Computers and the Internet

Objectives
• Explain the different types of computer crime and the
difficulties of discovery and prosecution.
• Describe the aspects of securing corporate data, including
software and data security, disaster recovery plans, and
security legislation.
• Describe in general terms how viruses work, the damage
they can cause, and procedures used to prevent this damage.
• Explain the threats to personal privacy posed by computers
and the Internet. Describe actions you can take to maximize
your privacy.
Contents
• Computer Crime
• Security
• Disaster Recovery
• Backup
• Pests
• Privacy
• Junk e-mail
Computer Crime

Stealing and using or selling of data:

Company data
Personal information in company files
Computer Crime

Employees and individuals need to recognize the possible danger from computer systems and protect their assets.
Computer Crime
Security and Privacy
Data communications capabilities provide new challenges
Keep data secure
• Destruction
• Accidental damage
• Theft
• Espionage
Keep data private
• Salaries
• Medical information
• Social security numbers
• Bank balances
Data, not equipment
Computer Crime (cont)

Ways to secure data

• Locked servers
• Removable hard drives that are locked when not in use
• Hard disk drives requiring special tools for detachment
• Physical cages around computers that prohibit access
• Passwording files
Computer Crime
• Supplies for the Hacker
– PC
– Communications network
• Why hack?
– Harass
– Show-off
– Gain access to computer services without paying
– Obtain information to sell

Hackers are individuals who attempt to gain access to computer systems illegally
Computer Crime
White-hat Hackers
Hackers for Hire
• Computer professionals hired to illicitly gain entry
into a system
– Reveal weak points
– Protect the points
– May not alert its own employees of the testing
• Tiger teams
• Intrusion tester
• White hat hackers
Computer Crime
What Systems Have Been Invaded?
• Corporate networks
– Over half largest corporations were invaded
– Competitors?
• Government networks
– Dept of Defense attacked more than 200,000 times per
year
– Computer attack abilities of other nations?
• Web sites
Computer Crime
How Can Systems be Easily Compromised?

Social engineering
Con artist – persuade others to give away their
passwords over the phone
Electronic pickpockets
Use computers to transfer or change assets to their
advantage
Computer Crime
Frequently Reported Crimes
• Credit-card fraud
– Numbers captured and used fraudulently
• Data communications fraud
– Piggyback on someone else’s network
– Office network for personal purposes
– Computer-directed diversion of funds
• Unauthorized access to computer files
– Accessing confidential employee records
– Theft of trade secrets and product pricing
• Unlawful copying of copyrighted software
– Casual sharing of copyrighted software
– Assembly-line copying
Computer Crimes
• Bomb
– Program to trigger damage
– Scheduled to run at a later date
– May be found in software for general public, especially shareware
• Data diddling
– Changing data before or as it enters the system
• Denial of service attack (DOS)
– Hackers bombard a site with more requests for service than it can possibly handle
– Prevents legitimate users from accessing the site
– Appearance of requests coming from many different sites simultaneously
Computer Crimes

• Piggybacking
– Original user does not sign off properly
– Intruder gains access to files via the original user id
• Salami technique
– Embezzlement
• Scavenging
– Search garbage and recycling bins for personal information
Computer Crimes
• Trapdoor
– Illicit program left within a completed legitimate program
– Permits unauthorized and unknown entry to the program
• Trojan horse
– Illegal instructions placed inside a legitimate program
– Program does something useful and destructive at the same time
• Zapping
– Software to bypass security systems
Computer Crimes

• Discovery
– Difficult
– Accidental
– 85% of computer crimes are never reported
• Prosecution
– Legal representatives lack technical knowledge
to understand the crime
Computer Crime
Discovery and Prosecution
Computer Forensics
Uncovering computer-stored information suitable for legal use
Security
System of safeguards designed to protect a computer system and data from deliberate or accidental damage

• Natural disasters
• Fire
• Accidents
• Vandalism
• Theft
• Theft or destruction of data
• Industrial espionage
• Hackers
Security
Identification and Access
• Provide access to authorized individuals only
• Uses one or more of the following systems
– What you have
– What you know
– What you do
– What you are
Security
Identification and Access
What You Have
• Key
• Badge
• Token
• Plastic card – magnetized strip
• Active badge – signals wearer’s location using
infrared signals
Security
Identification and Access
What You Know
• Password
• Identification number
• Combination
Security
Identification and Access

What You Do
• Verify signature – software verifies scanned and
online signatures
Security
Identification and Access
What You Are
• Biometrics – science of measuring individual
body characteristics
• Fingerprints
• Voice pattern
• Retina of the eye
• Entire face
Security
Identification and Access
• Internal controls
– Transaction log
• Auditor checks
– Who has accessed data during periods when that data is
not usually used?
– Off-the-shelf software to assess the validity and
accuracy of the system’s operations and output
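
The auditor check above (who accessed data at a time when that data is not usually used) can be run over a transaction log as shown in this added example, which is not part of the original slides. The log format, file names, users and usual-hours policy are all constructed for illustration.

```python
from datetime import datetime, time

# Constructed sample transaction log: date, time, user, action, file.
SAMPLE_LOG = """\
2024-03-04 09:15:02 alice READ payroll.db
2024-03-04 14:40:31 bob WRITE payroll.db
2024-03-05 02:13:44 carol READ payroll.db
2024-03-05 10:05:10 alice READ designs.dwg
2024-03-09 11:20:00 bob READ payroll.db
2024-03-10 23:58:09 dave WRITE designs.dwg
malformed line without fields
"""

# Assumed policy: each file's usual usage window (weekdays, start, end).
USUAL_HOURS = {
    "payroll.db": (range(0, 5), time(8, 0), time(18, 0)),   # Mon-Fri
    "designs.dwg": (range(0, 5), time(7, 0), time(20, 0)),  # Mon-Fri
}

def parse_line(line):
    """Return (timestamp, user, action, file) or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return ts, parts[2], parts[3], parts[4]

def off_hours_accesses(log_text, policy=USUAL_HOURS):
    """List accesses that fall outside the file's usual usage window."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # count bad records instead of hiding them
            continue
        ts, user, action, name = rec
        if name not in policy:
            continue              # no baseline defined for this file
        days, start, end = policy[name]
        if ts.weekday() not in days or not (start <= ts.time() <= end):
            findings.append((ts.isoformat(sep=" "), user, action, name))
    return findings, skipped

if __name__ == "__main__":
    hits, bad = off_hours_accesses(SAMPLE_LOG)
    for hit in hits:
        print("REVIEW:", *hit)
    print("unparseable records:", bad)
```

The count of unparseable records is reported alongside the findings because a log that suddenly stops parsing is itself something an auditor should look at.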
Security
Identification and Access
• Secured waste
– Shredders
– Locked trash barrels
• Applicant screening
– Verify the facts on a resume
– Background checks
• Built-in software protection
– Record unauthorized access attempts
– User profile
Security
Software Security

Ownership
• Company if programmer is employee
• Contractual agreement if the programmer is not an
employee
• Software can be copyrighted
Security
The Internet
Firewall
• Dedicated computer that governs interaction between internal network and the Internet
Encryption
• Data Encryption Standard (DES)
Security
Personal Computers
• Physical security with locks and cables
• Surge protector
• Uninterruptible power supply (UPS)
• Backup files regularly and systematically
Disaster Recovery

Hardware loss
• Can be replaced
• Temporarily diminished processing ability
Software loss
• Industry standard – make backups of program files
Disaster Recovery

Data loss
• Reassemble records
– Customer information
– Accounting data
– Design information
• Major costs and time
Disaster Recovery Plan

Restoring computer processing operations and data files if operations are halted or files are damaged by major destruction
Disaster Recovery Plan
Approaches
• Manual services temporarily
• Purchase time from a service bureau
• Mutual aid pact
– Two or more companies will lend each other
computer power
– Problem if regional disaster
Disaster Recovery Plan
Approaches
• Consortium
– Joint venture
– Complete computer system
– Routinely tested
– Used only if disaster
– Sites
• Hot site – fully equipped and environmentally
controlled computer center
• Cold site – environmentally suitable empty shell
Disaster Recovery Plan
Advance Arrangements
Everything except hardware safely stored in
geographically distant locations
– Program and data files
– Program listings
– Program and operating systems documentation
– Hardware inventory lists
– Output forms
– Copy of the disaster plan manual
Disaster Recovery Plan
Includes
• Priorities for programs
• Plans for notifying employees
• List of needed equipment and where it is located
• Alternative computing facilities
• Procedures for handling input and output data
• Emergency Drills
Backup
Why Backup?

“If you are not backing up your files regularly, you deserve to lose them.”

Average user experiences loss once a year

Backup
What Can Cause Data Loss?
• Incorrect software use
• Input data incorrectly
• Software may harm data
• Hard disk malfunctions
• Accidentally delete files
• Virus infection
Backup

Methods
• Full backup
• Differential backup
• Incremental backup
Media
• Diskette
• Tape
• Zip disk
• CD-R / CD-RW
• DVD-RAM
• Mirrored hard drive
Pests

Invade the computer system and cause something unexpected to occur

May interfere with function of PC

Worms

• Rare
• Transfers over a network
• Plants as a separate file on the target’s
computer
Viruses

• Illicit instructions that pass themselves on to other programs
– Benign
– Damaging to computer
• Digital vandalism
Viruses

Vaccine or antivirus
• Stops the spread of and eradicates the virus
• Install software
• Download signature files regularly
Viruses

• Retrovirus
– Fights the vaccine and may delete the antivirus
software
• Costs
– Billions of dollars a year
– Aggravation to individual users
Virus Transmission

Networks
Diskettes
Virus
Getting Infected
• Executing the virus program
• Booting from a diskette containing an infected boot
sector including accidentally leaving a “non-system
disk” in the floppy drive
• Downloading an infected file and executing it
• Opening an infected e-mail attachment
• By viewing e-mail in some versions of Microsoft
Outlook
Virus
Precautions
• Be wary of free software from the Internet or friends
• Only install programs from diskettes in sealed
packages
• Use virus-scanning software to check any file or
document before loading it onto your hard disk
Privacy

• Where is my data?
• How is it used?
• Who sees it?
• Is anything private anymore?

Everything about you is in at least one computer file
Privacy
How Did They Get My Data?
• Loans
• Charge accounts
• Orders via mail
• Magazine subscriptions
• Tax forms
• Applications for schools, jobs, clubs
• Insurance claim
• Hospital stay
• Sending checks
• Fund-raisers
• Advertisers
• Warranties
• Military draft registration
• Court petition
Privacy
Your Boss is Spying on You!
Monitoring software
– Screens
– E-mail
– Keystrokes per minute
– Length of breaks
– What computer files are used and for how long
Privacy groups want legislation requiring employers
to alert employees that they are being monitored.
Privacy
Monitoring by Web Sites
Records:
• City
• Site you just left
• Everything you do while on the site
• Hardware and software you use
• Click stream
– Series of clicks that link from site to site
– History of what the user chooses to view
Privacy
Monitoring by Web Sites
Cookie
• Stores information about you
• Located on your hard drive
• Beneficial uses
– Viewing preferences
– Online shopping
– Secure sites retain password in cookie
• Controversial use
– Tracking surfing habits for advertisers
• Can set browser to refuse cookies or warn before storing
• Software available to manage cookies
Privacy

P3P
Platform for Privacy Preferences Project
• Standards proposed by the World Wide Web
Consortium (W3C)
– User sets privacy preferences
– Web server transmits privacy policies
– Software determines if web site meets users’
requirements
• Participation by web site is voluntary
Junk e-mail

• Cheaper than snail mail
• Spamming
– Sends e-mail messages to “everyone”
– Abandons the originating site
