Chapter 6a PowerPoint


Chapter 6: Network and Internet Security and Privacy
Why be concerned about Internet security?
The Computer Fraud and Abuse Act of 1986 is the main law protecting against
computer crimes. The USA PATRIOT Act increased
the scope and penalties of computer fraud:
1. raising the maximum penalty for violations
to 10 years (from 5) for a first offense and
20 years (from 10) for a second offense;
2. ensuring that violators only need to intend to
cause damage generally, not intend to cause
damage or other specified harm over the $5,000 statutory damage threshold;
3. allowing aggregation of damages to different computers over a year to reach
the $5,000 threshold;
4. enhancing punishment for violations involving any (not just $5,000) damage to
a government computer involved in criminal justice or the military;
5. including damage to foreign computers involved in US interstate commerce;
6. including state law offenses as priors for sentencing; and
7. expanding the definition of loss to expressly include time spent investigating
and responding for damage assessment and for restoration.
Unauthorized Access (hacking)
Gaining access to a computer, network, or system without authorization.
Businesses, schools, and organizations have codes of conduct outlining
acceptable computer use.
Theft of Data
Data theft or information theft is the theft of data or information located on or
being sent from a computer.
Interception of Communications
Instead of accessing data stored on a computer via hacking, some criminals gain
unauthorized access to data, files, email messages, VoIP calls, and other content
as it is being sent over the Internet.
A new trend is criminals intercepting credit and debit card information during the card verification process; that is, intercepting the data from a card in real time as a purchase is being authorized.
Botnets and Zombie Computers
• A computer that is controlled by a hacker or other computer criminal is referred
to as a bot or zombie computer.
• A group of bots that are controlled by one individual and can work together in a
coordinated fashion is called a botnet.
• According to the FBI, an estimated one million U.S. computers are currently part
of a botnet.
WiFi Piggybacking
Many home users have wireless (WiFi) networks. Many of them have no security implemented, so neighbors or someone driving down the street could access their network and use their Internet access.
Computer/Data Sabotage
Malicious destruction to a computer or data. This could be performed
physically or electronically. A disgruntled employee could destroy
a network server or backup tapes. Data or programs could be
altered. Web sites could be defaced.
Denial of Service
A denial of service (DoS) attack is an act of sabotage that attempts to flood a
network server or Web server with so many requests for action that it shuts down or
simply cannot handle legitimate requests any longer, causing legitimate users to be
denied service.
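A simple way to see a flood like the one described above in a server's own logs, as an added example that is not from the slide deck: count requests per client inside a sliding time window and report clients that exceed a threshold. The log lines are constructed and the 20-requests-per-10-seconds threshold is an assumption for the demo.

```python
# Added example (not from the slide deck): spot a request flood in web server
# access logs. The log lines are constructed and the threshold is an assumption.
import re
from collections import defaultdict
from datetime import datetime

# common log format: client - - [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) - - \[([^\]]+)\] "[^"]*" \d{3} \d+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)

def find_floods(lines, window_seconds=10, threshold=20):
    """Return {client_ip: peak} for clients that exceed threshold requests
    within any sliding window of window_seconds; other clients are omitted."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            stamps_by_ip[parsed[0]].append(parsed[1])
    flooders = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = peak = 0
        for end, t in enumerate(stamps):
            # slide the window start forward until the window fits
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flooders[ip] = peak
    return flooders

# constructed sample: one client fires 25 requests in 5 seconds, another
# makes 3 ordinary requests spread over a minute, plus one unparsable line
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{i // 5:02d} +0000] '
    f'"GET /index.html HTTP/1.1" 200 512' for i in range(25)
] + [
    f'198.51.100.4 - - [10/Oct/2023:13:55:{s:02d} +0000] '
    f'"GET /about.html HTTP/1.1" 200 300' for s in (1, 30, 59)
] + ["garbage line that does not parse"]
```

Running `find_floods(SAMPLE_LOG)` reports only the flooding client; the ordinary client never exceeds the threshold in any window.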
Identity Theft
This occurs when someone obtains enough information about a person (e.g. name, birth date, Social Security number, address, credit card number, mother's maiden name) to be able to masquerade as that person. The thief could get a driver's license and credit cards under your name.
Salami Shaving/Slicing
Writing a computer program that transfers small amounts of money (e.g. a few cents) from each transaction to a secret account. This is usually performed by someone within a company (e.g. as depicted in the movie Office Space).
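What a reconciliation check for this scheme looks like, as an added example that is not from the slide deck: each account is short by an amount too small to notice, but the shortfalls add up and the missing money appears as a credit to an account that holds no balance. The accounts, rate and ledger are constructed; the shaving is simulated only to show the pattern a detector looks for.

```python
# Added example (not from the slide deck): a reconciliation check that exposes
# salami slicing. Account data and ledger entries are constructed; the shaving
# is simulated only to show the pattern a detector looks for.
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

def expected_interest(balance, rate):
    """Interest the bank should credit, rounded to the cent."""
    return (balance * rate).quantize(CENT, rounding=ROUND_HALF_UP)

def reconcile(accounts, rate, ledger):
    """Compare what each account should have been credited with what the
    ledger actually posted.

    accounts: {account_id: balance}; ledger: [(account_id, posted_amount)]
    Returns (shortfalls, unexplained): shortfalls maps under-credited
    accounts to the missing amount; unexplained lists credits to accounts
    that hold no balance, which is where the shaved cents land.
    """
    posted = defaultdict(Decimal)
    for acct, amount in ledger:
        posted[acct] += amount
    shortfalls = {}
    for acct, balance in accounts.items():
        gap = expected_interest(balance, rate) - posted[acct]
        if gap > 0:
            shortfalls[acct] = gap
    unexplained = {a: v for a, v in posted.items() if a not in accounts}
    return shortfalls, unexplained

def total_missing(shortfalls):
    """Sum of all shortfalls: individually invisible, collectively obvious."""
    return sum(shortfalls.values(), Decimal(0))

# constructed data: 1,000 customer accounts, each credited one cent less than
# it is owed, with the difference posted to an account that holds no balance
RATE = Decimal("0.0125")
ACCOUNTS = {f"C{i:04d}": Decimal(1000 + i) for i in range(1000)}
LEDGER = [(a, expected_interest(b, RATE) - CENT) for a, b in ACCOUNTS.items()]
LEDGER.append(("X9999", CENT * len(ACCOUNTS)))

if __name__ == "__main__":
    short, extra = reconcile(ACCOUNTS, RATE, LEDGER)
    print(len(short), "accounts short;", total_missing(short), "missing;", extra)
```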
Online Auction Fraud
Purchase items on eBay and never receive them. Craigslist also has many scams.
Phishing
The use of a spoofed e-mail to gain credit card numbers, usernames and passwords, or other
personal info. The user is often redirected to a fraudulent (spoofed) web site.
Spoofed or Fraudulent Web Sites (dot cons)
Many phishing scams use spoofed web sites. The user types in his username/password, which is then stored on the scammer's server.
• In addition to disclosing personal information only when it is necessary and
only via secure Web pages, you should use security software and keep it up
to date.
• To avoid phishing schemes, never click a link in an email message to go to a
secure Web site—always type the URL for that site in your browser.
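The advice above can be turned into an automatic check on the links inside an e-mail, as an added example that is not from the slide deck: a link is flagged when its real destination is not https, is not a site the reader actually uses, or differs from the address shown in the link text (the classic spoof). The message body and the trusted-domain set are constructed for the demo.

```python
# Added example (not from the slide deck): inspect the links in an HTML e-mail
# and flag any whose real destination is not the site the link claims to be.
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"example-bank.com"}   # assumption: sites the reader actually uses

def host_belongs_to(host, domain):
    """True for the domain or a real subdomain; lookalikes such as
    example-bank.com.evil.test or example-bank-secure.com fail."""
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (href, text, [reasons]) for each link that fails a check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        u, reasons = urlparse(href), []
        host = u.hostname or ""
        if u.scheme != "https":
            reasons.append("not https")
        if not any(host_belongs_to(host, d) for d in TRUSTED):
            reasons.append(f"host {host!r} is not a trusted site")
        # if the visible text looks like a URL, its host must match the real one
        shown = urlparse(text).hostname if text.startswith("http") else None
        if shown and shown != host:
            reasons.append(f"link text shows {shown!r} but goes to {host!r}")
        if reasons:
            findings.append((href, text, reasons))
    return findings

# constructed phishing message: a lookalike host plus an unencrypted link
EMAIL = ('<p>Your account is locked. Log in at '
         '<a href="https://example-bank.com.login-verify.test/">https://example-bank.com</a>, '
         'see <a href="https://secure.example-bank.com/help">our help page</a>, '
         'or use the <a href="http://example-bank.com/">Account Center</a>.</p>')
```

`suspicious_links(EMAIL)` flags the first and third links and passes the genuine help-page link.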
Malware – Malicious programs installed without your knowledge. This includes adware, spyware, and viruses. The best defense is anti-virus software and good practices.
Adware
Software that delivers advertisements to your desktop. It could be installed without your knowledge, or built into legitimate apps.
Spyware
Software that secretly gathers information about the user and transmits it over the Internet. It could be marketing information transmitted to advertisers, or it could be more malicious and transmit your keystrokes (e.g. usernames and passwords) to someone on the Internet.
Viruses
A program that is installed without the permission or knowledge of the user. It will affect
the computer’s operation in some manner. Viruses are attached to legitimate executable
files and can replicate themselves to other files when you execute them. It is common to
get a virus from executable files downloaded from the Internet, or from executable files
attached to e-mails and instant messages.
A couple of types of viruses:
Trojan Horse is a virus that is disguised as a legitimate program (for example, a game). It is downloaded from the Internet and executed by the user. A regular virus attaches itself to a legitimate program and executes when you run the program.
Worm is a type of virus that replicates itself over the network or Internet without user
intervention, as opposed to being attached to a file that is downloaded. Without a
firewall, your computer could get a worm when you connect to the Internet.
E-mail Hoaxes/Chain Letters
E-mail chain letters are usually an unreliable source of news. You can go to snopes.com to verify the content of an e-mail, as well as other rumors.
>>> TO: [email protected]
>>> FROM: [email protected]
>>> ATTACH: [email protected]/Track883432/~TraceActive/On.html
>>> Hello Everyone,
>>> And thank you for signing up for my Beta Email Tracking Application or (BETA) for short. My name is Bill Gates.
>>> Here at Microsoft we have just compiled an e-mail tracing program that tracks everyone to whom this message is forwarded. It does this through a unique IP (Internet Protocol) address log book database. We are experimenting with this and need your help. Forward this to everyone you know and if it reaches 1000 people everyone on the list will receive $1000 and a copy of Windows98 at my expense.
>>> Enjoy.
>>> Note: Duplicate entries will not be counted. You will be notified by email with further instructions once this email has reached 1000 people. Windows98 will not be shipped until it has been released to the general public.
>>> Your friend,
>>> Bill Gates & The Microsoft Development Team.
Subject: Make A Wish Foundation (fwd)
A plea from a sick little girl
Little Kimberly Anne is dying of a horrible tropical disease. Her goal, before she passes into the Great Beyond, is to collect as many free America Online disks as she can, to make the Guinness Book of Records. Her project is being sponsored by the Wish-Upon-a-Star Foundation, which specializes in fulfilling the final wishes of such sick little girls. So, next time you get an unwanted AOL disk in the mail, don't throw it away! Think of the sparkle it will bring to the eye of a dying child. Write on the package: [Address deleted to prevent this hoax from continuing.] Please copy this message and circulate it to your friends, neighbors, and co-workers. Only you can make this child's wish a reality! God bless you from the Wish-Upon-a-Star Foundation!
Email Encryption
E-mail is currently the most popular form of business communication. E-mail (SMTP) messages are not encrypted when being sent over the Internet. Some companies have encryption for internal e-mails. Some devices such as Blackberries offer encryption for messages to other Blackberry users.
Web Site Encryption
Web sites that are encrypted use public/private key encryption. These web sites use the https:// prefix, and the web browser will also display a lock. If you click on the area to the left of the https, you can see the security certificate. The web site is also verified as authentic by a third party such as VeriSign.
Protecting Against Hardware Loss, Hardware Damage, and System Failure
Who would you trust to give you drugs?
Since a program can affect your computer the same way a drug can affect your body, who do you trust to install a program on your computer?
Which one of these software programs is from a well-known company?
Be careful when you install legitimate software because the installation program often tries to install extra unneeded software.
Be careful installing web browser plug-ins – this is a popular way to trick you into installing malware.
The safest way to install a plug-in is to go to the site that makes the software rather than the site that tries to install it for you. Here are some popular browser plug-ins.
Java – from www.sun.com
Flash – from www.adobe.com
Acrobat Reader – from www.adobe.com
Shockwave – from www.adobe.com
Quicktime – from www.apple.com
RealPlayer – from www.realaudio.com
Windows Media Player – from www.microsoft.com
Most add-on toolbars contain adware and/or spyware
My recommendation: DON’T install them. If you REALLY want it, research it first.
To protect hardware from damage due to power fluctuations, everyone should use a surge suppressor with a computer whenever it is plugged into a power outlet.
Users who want their desktop computers to remain powered up when the electricity goes off should use an uninterruptible power supply (UPS).
Anti-Virus Software
WiFi Security
- prevents unauthorized access and piggybacking
- provides encryption
WEP (least secure): Wired Equivalent Privacy
WPA (more secure): WiFi Protected Access
Firewalls
• Firewalls block unrequested Internet traffic to your computer.
• Windows includes the Windows Firewall (software firewall)
• Many home DSL/Cable routers include a firewall (hardware firewall)
What is your primary defense against hardware loss,
damage, or system failure? Backups!!!!!!!!!!!
• Securing Backup Media
The media used to store backups (tapes, CD-R, DVD-R) needs to be secure.
Fireproof safes provide some protection. Off-site storage of backups adds
considerable protection of media. Data storage companies store backup media
at secure remote locations.
Disaster Recovery Plan
Spells out what an organization will do to prepare for and recover from a
disruptive event.
Q: What data do YOU have that should be backed up?
Q: How do YOU backup your data?