Session 7 LBSC 690 Information Technology Security.


Transcript of Session 7 LBSC 690 Information Technology Security.

Page 1: Session 7 LBSC 690 Information Technology Security.

Session 7
LBSC 690 Information Technology Security

Page 2

Agenda

• Questions

• Complex systems

• Security

• Midterm exam review

Page 3

Complex System Issues

• Critical system availability
  – Who needs warfare - we do it to ourselves!

• Understandability
  – Why can’t we predict what systems will do?

• Nature of bugs
  – Why can’t we get rid of them?

• Auditability
  – How can we learn to do better in the future?

Page 4

Crisis Management

• Computer Emergency Response Team
  – Issues advisories about known problems
  – Need to make sure these reach the right people

• Information Warfare
  – We depend on our information infrastructure
  – How can we prevent attacks against it?

• Hacking is individual, this would be organized
  – Policy for this is still being worked out

Page 5

Ownership

• Who has the right to use a computer?

• Who establishes this policy? How?
  – What equity considerations are raised?

• Can someone else deny access?
  – Denial of service attacks

• How can denial of service be prevented?
  – Who can gain access and what can they do?

Page 6

Denial of Service Attacks

• Viruses
  – Platform dependent
  – Typically binary
  – Virus checkers need frequent updates

• Flooding
  – The Internet worm
  – Chain letters

Page 7

Identity

• Establishing identity permits access control

• What is identity in cyberspace?
  – Attribution
    • When is it desirable?
  – Impersonation
    • How can it be prevented?

• Forgery is really easy
  – Just set up your mailer with bogus name and email

Page 8

Authentication

• Used to establish identity

• Two types
  – Physical (Keys, badges, cardkeys, thumbprints)
  – Electronic (Passwords, digital signatures)

• Protected with social structures
  – Report lost keys
  – Don’t tell anyone your password
    • Password sniffers will eventually find it

Page 9

Good Passwords

• Long enough not to be guessed
  – Programs can try every combination of 4 letters

• Not in the dictionary
  – Programs can try every word in a dictionary
  – And every date, and every proper name, ...
  – And even every pair of words

• Mix upper case, lower case, numbers, etc.

• Change it often and use one for each account
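The guessing rules on this slide, turned into a checker. This is an added example, not code from the course; the wordlist, the date formats and the "three character classes" threshold are assumptions chosen for illustration.

```python
import re
import string
from typing import List

# Constructed sample wordlist standing in for a cracking dictionary (real ones
# hold hundreds of thousands of words, proper names and dates).
DICTIONARY = {"secret", "library", "password", "maryland", "book", "open"}
DATE_RE = re.compile(r"^\d{6}$|^\d{8}$")       # e.g. 103199, 10311999, 19991031
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must try; the slide's 4-letter case is 26**4."""
    return alphabet_size ** length


def weaknesses(password: str) -> List[str]:
    """Return the slide's rules the password violates; an empty list means it passes."""
    found = []
    low = password.lower()
    if len(password) <= 4:
        found.append("short: every combination of 4 letters is enumerable")
    if low in DICTIONARY:
        found.append("dictionary word")
    if DATE_RE.match(password):
        found.append("looks like a date")
    # "Even every pair of words": try each split point and test whether
    # both halves are dictionary words.
    if any(low[:i] in DICTIONARY and low[i:] in DICTIONARY
           for i in range(1, len(low))):
        found.append("pair of dictionary words")
    if sum(any(c in cls for c in password) for cls in CLASSES) < 3:
        found.append("fewer than three character classes (upper, lower, digits, symbols)")
    return found
```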

Page 10

Other Access Control Issues

• Protect system administrator access
  – Greater potential for damaging acts
  – What about nefarious system administrators?

• Trojan horses
  – Intentionally undocumented access techniques

• Firewalls
  – Prevent unfamiliar packets from passing through
  – Makes it harder for hackers to hurt your system

Page 11

Privacy

• What privacy rights do computer users have?
  – On email?
  – When using computers at work? At school?
  – What about your home computer?

• What about data about you?
  – In government computers?
  – Collected by companies and organizations?

• Does obscurity offer any privacy?

Page 12

Cookies

• Web servers know a little about you
  – Machine, prior URL, browser, ...

• From this they can guess a little more
  – Path you followed, who is on that machine

• Cookies allow them to remember things
  – They send you a string and your browser stores it
  – If they ask for the string, your browser provides it
  – The string can represent identity and/or information
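The three-step exchange above, modelled from the browser's side. This is an added example, not code from the course: the BrowserCookieJar class, the host names and the Set-Cookie headers are all constructed for illustration, and it uses the standard library's http.cookies parser.

```python
from http.cookies import SimpleCookie
from typing import Dict, Optional


class BrowserCookieJar:
    """Minimal model of the browser side of the cookie exchange (hypothetical class).

    Strings are kept per host, so a server only ever gets back what it set itself.
    """

    def __init__(self) -> None:
        self.jar: Dict[str, Dict[str, str]] = {}

    def receive(self, host: str, set_cookie_header: str) -> None:
        """Step 1-2: the server sends a string (Set-Cookie); the browser stores it."""
        cookie = SimpleCookie()
        cookie.load(set_cookie_header)          # parses name=value plus attributes
        for name, morsel in cookie.items():
            self.jar.setdefault(host, {})[name] = morsel.value

    def cookie_header(self, host: str) -> Optional[str]:
        """Step 3: when the same host is asked again, the browser hands the strings back."""
        stored = self.jar.get(host)
        if not stored:
            return None
        return "; ".join(f"{name}={value}" for name, value in stored.items())


def demo() -> Dict[str, Optional[str]]:
    """Replay the exchange on constructed headers and return what each host would see."""
    jar = BrowserCookieJar()
    # Constructed headers from a hypothetical server: the first string is an opaque
    # identifier (identity), the second is plain information (last page viewed).
    jar.receive("shop.example.test", "visitor=v-7f3a; Path=/; HttpOnly")
    jar.receive("shop.example.test", "lastpage=catalog; Path=/")
    return {
        "shop.example.test": jar.cookie_header("shop.example.test"),
        "other.example.test": jar.cookie_header("other.example.test"),
    }
```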

Page 13

Integrity

• How do you know what’s there is correct?
  – Attribution is invalid if the contents can change

• Access control would be one solution
  – No system with people has perfect access control

• RISKS Digest provides plenty of examples!

• Encryption offers an alternative

Page 14

Encryption

• Separate keys for writing and reading
  – Pretty Good Privacy (PGP) is one “standard”

• Identity
  – “Digital signature” from a private write key

• Integrity
  – Public read key will decode only one write key

• Privacy
  – Either write key or read key can be kept secret
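The identity, integrity and privacy claims on this slide, demonstrated with a toy RSA key pair. This is an added example, not code from the course or from PGP; the small primes, the fixed exponent and the checksum used in place of a real hash are assumptions made for illustration only.

```python
from math import gcd
from typing import List, Tuple

Key = Tuple[int, int]   # (modulus n, exponent)


def make_keys(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Toy RSA pair: returns (public read key, private write key).
    Real keys use primes hundreds of digits long; these are illustration-only."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)             # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def apply_key(key: Key, block: int) -> int:
    n, exponent = key
    return pow(block, exponent, n)


def digest(message: bytes, n: int) -> int:
    """Position-weighted checksum standing in for a real hash (assumption, not secure)."""
    return sum((i + 1) * b for i, b in enumerate(message)) % n


# Identity: only the holder of the private write key can produce this value.
def sign(write_key: Key, message: bytes) -> int:
    return apply_key(write_key, digest(message, write_key[0]))


# Integrity: the public read key decodes only signatures made with its own write
# key, and a changed message no longer matches the decoded digest.
def verify(read_key: Key, message: bytes, signature: int) -> bool:
    return apply_key(read_key, signature) == digest(message, read_key[0])


# Privacy: roles reverse; anyone may encrypt with the public key, only the
# private key holder can read the result (one byte per block here).
def encrypt(read_key: Key, message: bytes) -> List[int]:
    return [apply_key(read_key, b) for b in message]


def decrypt(write_key: Key, blocks: List[int]) -> bytes:
    return bytes(apply_key(write_key, c) for c in blocks)
```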

Page 15

Policy Solutions

• Five guidelines
  – Establish policies
  – Authenticate
  – Authorize
  – Audit
  – Supervise

• CSC Acceptable Use Policy

Page 16

Exam Structure

• One hour and 15 minutes

• Approximately 4 questions
  – Each may have multiple parts

• Open Book (Oakman only)
  – You may hand write anything in your Oakman
  – No extra pages of notes

• The software you may use will be specified

• You may bring a calculator

Page 17

Exam Advice

• The only goal is to get points!
  – Spend each minute in the best place

• Develop a strategy for each question type
  – Guessing can’t hurt on multiple choice
    • This is a change from prior exams
  – Don’t write a page when a sentence will do

• Study concepts, not details
  – Grading rewards conceptual understanding
  – Don’t expect a clone of the sample exams

Page 18

Questions

??????