Management Information Systems (MIS) courseware: ch04 Security, Privacy, Anonymity

Document ID: 569302165. Uploaded: 2024-07-28. Format: PPT, 67 pages, 4.17 MB.

Slide 1: Introduction to MIS, Chapter 4: Security, Privacy, Anonymity
Copyright 1998-2002 by Jerry Post

Slide 2: Outline
- Threats to Information
- Physical Security and Disaster Planning
- Logical Security and Data Protection
- Virus Threats
- User Identification and Biometrics
- Access controls
- Encryption and Authentication
- Internet Security Issues
- Privacy
- Anonymity
- Cases: Healthcare
- Appendix: Server Security Certificates

Slide 3: Security, Privacy, and Anonymity
[Figure labels: Server, Attacks, Data interception, The Internet, Monitoring]

Slide 4: Threats to Information
- Accidents & Disasters
- Employees & Consultants
- Business Partnerships
- Outsiders
- Viruses
[Figure labels: Employees & Consultants; Links to business partners; Outside hackers; Virus hiding in e-mail attachment]

Slide 5: Security Categories
- Physical attack & disasters
  - Backup off-site
  - Cold/Shell site
  - Hot site
  - Disaster tests
  - Personal computers!
- Logical
  - Unauthorized disclosure
  - Unauthorized modification
  - Unauthorized withholding (Denial of Service)

Slide 6: Horror Stories
- Security Pacific, Oct. 1978
  - Stanley Mark Rifkin
  - Electronic Funds Transfer
  - $10.2 million
  - Switzerland
  - Soviet diamonds
  - Came back to U.S.
- Equity Funding, 1973
  - The Impossible Dream
  - Stock manipulation: insurance, loans, fake computer records
- Robert Morris, 1989
  - Graduate student
  - Unix "Worm"
  - Internet tied up for 3 days
- Clifford Stoll, 1989
  - The Cuckoo's Egg
  - Berkeley Labs
  - Unix account did not balance
  - Monitor, false information
  - Tracked to East German spy
- Old techniques
  - Salami slice
  - Bank deposit slips
  - Trojan Horse
  - Virus

Slide 7: Manual v Automated Data
- Amount of data
- Identification of users
- Difficult to detect changes
- Speed
  - Search
  - Copy
- Statistical inference
- Communication lines

Slide 8: Disaster Planning
SunGard is a premier provider of computer backup facilities and disaster planning services. Its fleet of Mobile Data Centers can be outfitted with a variety of distributed systems hardware and delivered at a disaster site within 48 hours.

Slide 9: Data Backup
- Backup is critical
- Offsite backup is critical
- Levels
  - RAID (multiple drives)
  - Real-time replication
  - Scheduled backups

Slide 10: Data Backup
- Offsite backups are critical.
- Frequent backups enable you to recover from disasters and mistakes.
- Use the network to back up PC data.
- Use duplicate mirrored servers for extreme reliability.
[Figure labels: UPS; Power company]

Slide 11: Virus
[Figure: an e-mail attachment containing hidden virus code, shown as a block of hex bytes]
From: afriend
To: victim
Message: Open the attachment for some excitement.
1. User opens an attached program that contains hidden virus.
2. Virus copies itself into other programs on the computer.
3. Virus spreads until a certain date, then it deletes files.

Slide 12: Virus Damage
Sources: Dataquest, Inc; Computerworld 12/2/91; National Computer Security Association; Computerworld 5/6/96; http:/www.info-
1999 virus costs in the U.S.: $7.6 billion.

Attacks                                                        1991  1996  2000  2001
Viruses/Trojans/Worms                                            62    80    80    89
Attacks on Web servers                                                        24    48
Denial of Service                                                             37    39
Insider physical theft or damage of equipment                                 49    42
Insider electronic theft, destruction, or disclosure of data                  24    22
Fraud                                                                         13     9

Slide 13: Stopping a Virus
- Back up your data!
- Never run applications unless you are certain they are safe.
- Never open executable attachments sent over the Internet, regardless of who mailed them.
- Antivirus software
  - Needs constant updating
  - Rarely catches current viruses
  - Can interfere with other programs
- Ultimately, viruses sent over the Internet can be traced back to the original source.

Slide 14: User Identification
- Passwords
  - Dial-up service found 30% of people used the same word
  - People choose obvious passwords
  - Post-It notes
- Hints
  - Don't use real words
  - Don't use personal names
  - Include non-alphabetic characters
  - Change often
  - Use at least 6 characters
- Alternatives: Biometrics
  - Finger/hand print
  - Voice recognition
  - Retina/blood vessels
  - Iris scanner
  - DNA?
- Password generator cards
- Comments
  - Don't have to remember
  - Reasonably accurate
  - Price is dropping
  - Nothing is perfect

Slide 15: Iris Scan
http:/ patents by JOHN DAUGMAN 1994, http://www.cl.cam.ac.uk/jgd1000/
http:/ System at Charlotte/Douglas International Airport.

Slide 16: Biometrics: Thermal
Several methods exist to identify a person based on biological characteristics. Common techniques include fingerprint, handprint readers, and retinal scanners. More exotic devices include body shape sensors and this thermal facial reader, which uses infrared imaging to identify the user.

Slide 17: Access Controls: Permissions in Windows
1. Find the folder or directory in Explorer.
2. Right-click to set properties.
3. On the Security tab, assign permissions.

Slide 18: Security Controls
- Access control
  - Ownership of data
  - Read, Write, Execute, Delete, Change Permission, Take Ownership
- Security monitoring
  - Access logs
  - Violations
  - Lock-outs

Slide 19: Additional Controls
http:/ checks:

Slide 20: Encryption: Single Key
- Encrypt and decrypt with the same key
  - How do you get the key safely to the other party?
  - What if there are many people involved?
- Fast encryption and decryption
  - DES: old and falls to brute force attacks
  - Triple DES: old but slightly harder to break with brute force
  - AES: new standard
[Figure: Plain text message -> AES (Key: 9837362) -> Encrypted text -> AES (Key: 9837362) -> Plain text message. Single key: e.g., AES]

Slide 21: Encryption: Dual Key
[Figure, labels translated: Alice and Bob. Public keys: Alice 29, Bob 17. Private keys: 13, 37. The message is encrypted using Bob's public key and decrypted using Bob's private key. Alice sends a message that only Bob himself can read.]

Slide 22: Dual Key: Authentication
[Figure labels: Public keys: Alice 29, Bob 17. Private keys: 13, 37. Stages: Message; Encrypt+T; Encrypt+T+M; Transmission; Encrypt+M; Message. Key steps: use Bob's private key; use Alice's public key; use Alice's private key; use Bob's public key.]
Bob sends message to Alice:
- His key guarantees it came from him.
- Her key prevents anyone else from reading the message.

Slide 23: Certificate Authority
- Public key
  - Imposter could sign up for a public key.
  - Need trusted organization.
  - Only Verisign today, a public company with no regulation.
  - Verisign mistakenly issued a certificate to an imposter claiming to work for Microsoft in 2001.
[Figure labels: Alice; Public keys: Alice 29, Bob 17; Use Bob's public key. How does Alice know that it is really Bob's key? Trust the C.A. The C.A. validates applicants.]

Slide 24: Internet Data Transmission
[Figure labels: Start; Destination; Eavesdropper; Intermediate machines]

Slide 25: Clipper Chip: Key Escrow
[Figure labels: Encrypted conversation; Escrow keys; Clipper chip in phones; Intercept; Decrypted conversation; Judicial or government office]

Slide 26: Denial Of Service
[Figure labels: Zombie PCs at homes, schools, and businesses. Weak security. Break in. Flood program. Coordinated flood attack. Targeted server.]
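The dual-key flow on slides 21 and 22 (sign with the sender's private key, encrypt with the receiver's public key, then undo both steps at the other end) written out as an added illustration that is not part of the original slides. It uses a toy textbook RSA with tiny constructed primes and one block per byte, which is a teaching model only; real systems use padded RSA or hybrid schemes with proper hashing.

```python
# Added teaching example: sign-then-encrypt with textbook RSA.
# Assumption: tiny constructed primes, raw (unpadded) RSA, one block per byte.

def make_keypair(p, q, e):
    """Return ((e, n), (d, n)) for primes p, q and public exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)      # pow(e, -1, phi): modular inverse

def apply_key(blocks, key):
    """Raw RSA on each integer block: x^k mod n (same op for both key halves)."""
    k, n = key
    return [pow(b, k, n) for b in blocks]

def send(message, sender_private, receiver_public):
    """Sender side of slide 22: sign with own private key (the 'T' blocks),
    then encrypt message + signature with the receiver's public key."""
    m = list(message)                        # one block per byte
    tag = apply_key(m, sender_private)       # 'Encrypt+T': signature blocks
    return apply_key(m + tag, receiver_public)   # 'Encrypt+T+M': transmitted

def receive(packet, receiver_private, sender_public):
    """Receiver side: decrypt with own private key, split message from tag,
    then verify the tag with the sender's public key (proves origin)."""
    blocks = apply_key(packet, receiver_private)
    half = len(blocks) // 2
    m, tag = blocks[:half], blocks[half:]
    if apply_key(tag, sender_public) != m:
        raise ValueError("signature check failed: not from claimed sender")
    return bytes(m)

# Constructed toy keys (classic textbook primes; far too small for real use).
BOB_PUB, BOB_PRIV = make_keypair(61, 53, 17)        # n = 3233
ALICE_PUB, ALICE_PRIV = make_keypair(101, 113, 3)   # n = 11413

if __name__ == "__main__":
    packet = send(b"pay 100", BOB_PRIV, ALICE_PUB)   # Bob -> Alice
    print(receive(packet, ALICE_PRIV, BOB_PUB))      # Alice reads and verifies
```

Only Alice's private key can open the packet, and only a tag made with Bob's private key passes the check, which is exactly the two guarantees the slide lists.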

Slide 27: Securing E-Commerce Servers
http:/
1. Install and maintain a working network firewall to protect data accessible via the Internet.
2. Keep security patches up-to-date.
3. Encrypt stored data.
4. Encrypt data sent across networks.
5. Use and regularly update anti-virus software.
6. Restrict access to data by business need to know.
7. Assign a unique ID to each person with computer access to data.
8. Don't use vendor-supplied defaults for system passwords and other security parameters.
9. Track access to data by unique ID.
10. Regularly test security systems and processes.
11. Maintain a policy that addresses information security for employees and contractors.
12. Restrict physical access to cardholder information.

Slide 28: Internet Firewall
[Figure labels: Company PCs; Internal company data servers; Internet; Firewall router; Firewall router]
- Examines each packet and discards some types of requests.
- Keeps local data from going to Web servers.

Slide 29: Privacy
[Figure labels, sources of personal data: credit cards; organizations; loans & licenses; financial; permits; census; transportation data; regulatory; employment; environmental; subscriptions; education; purchases; phone; criminal record; complaints; fingerprints; medical records; grocery store scanner data]

Slide 30: Cookies
[Figure: exchange between the User PC and the Web server over time]
1. Request page.
2. Find page.
3. Send page and cookie.
4. Display page, store cookie.
5. Request new page and send cookie.
6. Use cookie to identify user.
7. Send customized page.

Slide 31: Misuse of Cookies: Third Party Ads
[Figure labels: Useful Web site; User PC; Useful Web page: text and graphics, advertisements; National ad Web site; Link to ads; Requested page; Ads, and cookie; Request page; Hidden prior cookie]

Slide 32: Wireless Privacy
- Cell phones require connections to towers
- E-911 laws require location capability
- Many now come with integrated GPS units
- Business could market to customers "in the neighborhood"
- Tracking of employees is already common

Slide 33: Privacy Problems
- TRW, 1991
  - Norwich, VT
  - Listed everyone delinquent on property taxes
- Terry Dean Rogan
  - Lost wallet
  - Impersonator: 2 murders and 2 robberies
  - NCIC database
  - Rogan arrested 5 times in 14 months
  - Sued and won $55,000 from LA
- Employees
  - 26 million monitored electronically
  - 10 million paid based on statistics
- Jeffrey McFadden, 1989
  - SSN and DoB for William Kalin from military records
  - Got fake Kentucky ID
  - Wrote $6000 in bad checks
  - Kalin spent 2 days in jail
  - Sued McFadden, won $10,000
- San Francisco Chronicle, 1991
  - Person found 12 others using her SSN
  - Someone got 16 credit cards from another's SSN, charged $10,000
  - Someone discovered unemployment benefits had already been collected by 5 others

Slide 34: Privacy Laws
- Minimal in US
  - Credit reports: right to add comments; 1994 disputes settled in 30 days; 1994 some limits on access to data
  - Bork Bill: can't release video rental data
  - Educational data: limited availability
  - 1994 limits on selling state/local data
  - 2001 rules on medical data
- Europe
  - France and some other controls
  - 1995 EU Privacy Controls

Slide 35: Primary U.S. Privacy Laws
- Freedom of Information Act
- Family Educational Rights and Privacy Act
- Fair Credit Reporting Act
- Privacy Act of 1974
- Privacy Protection Act of 1980
- Electronic Communications Privacy Act of 1986
- Video Privacy Act of 1988
- Drivers Privacy Protection Act of 1994
- 2001 Federal Medical Privacy rules (not a law)

Slide 36: Anonymity
- Anonymous servers: http:/
- Dianetics church (L. Ron Hubbard) officials in the U.S.
  - Sued a former employee for leaking confidential documents over the Internet.
  - He posted them through a Danish anonymous server.
  - The church pressured police to obtain the name of the poster.
  - Zero knowledge server is more secure.
- Should we allow anonymity on the Internet?
  - Protects privacy
  - Can encourage flow of information (Chinese dissenters, government whistleblowers)
  - Can be used for criminal activity

Slide 37: Cases: Healthcare

Slide 38: Cases: Eli Lilly; Owens & Minor, Inc. (www.owens-)
- What is the company's current status?
- What is the Internet strategy?
- How does the company use information technology?
- What are the prospects for the industry?

Slide 39: Appendix: Digital Security Certificates
- Digital security certificates are used to encrypt e-mail and to authenticate the sender.
- Obtain a certificate from a certificate authority
  - Verisign
  - Thawte (owned by Verisign)
  - Microsoft
  - Your own company or agency
- Install the certificate in Outlook
- Select option boxes to encrypt or decrypt messages
- Install certificates sent by your friends and co-workers.

Slide 40: Obtaining a Certificate
[Screenshot]

Slide 41: Installing a Certificate
1. Tools + Options + Security tab
2. Choose your certificate
3. Check these boxes to add your digital signature and to encrypt messages.
4. These boxes set the default choices. For each message, you can use the options to check or uncheck these boxes.

Slide 42: Encrypting and Signing Messages
Use the Options button and the Security Settings button to make sure the Encrypt and Signature boxes are checked. Then the encryption and decryption are automatic.

