Learning Objectives
• Explain why computer users should be concerned about network and Internet security.
• List several examples of unauthorized access, unauthorized use, and computer sabotage.
• Explain how access control systems, firewalls, antivirus software, and encryption protect against unauthorized access, unauthorized use, and computer sabotage.
• Discuss online theft, identity theft, Internet scams, spoofing, phishing, and other types of dot cons.
Chapter 9
Understanding Computers, 12th Edition
2
Learning Objectives
• Detail steps an individual can take to protect against online theft, identity theft, Internet scams, spoofing, phishing, and other types of dot cons.
• Identify personal safety risks associated with Internet use.
• List steps individuals can take to safeguard their personal safety when using the Internet.
• Name several laws related to network and Internet security.
Overview
• This chapter covers:
– Security concerns stemming from the use of computer networks
– Safeguards and precautions that can be taken to reduce the risk of problems related to these security concerns
– Personal safety issues related to the Internet
– Safeguards and precautions that can be taken to reduce the risk of problems related to these personal safety issues
– Legislation related to network and Internet security
Why Be Concerned about Network and Internet Security?
• Security concerns related to computer networks and the Internet abound
• Computer crime (cybercrime): Any illegal act involving a computer, including:
– Breaking through the security of a network
– Theft of financial assets
– Manipulating data for personal advantage
– Acts of sabotage (releasing a computer virus, shutting down a Web server)
• All computer users should be aware of security issues and the precautions that can be taken
Unauthorized Access and Unauthorized Use
• Unauthorized access: Gaining access to a computer, network, file, or other resource without permission
• Unauthorized use: Using a computer resource for unapproved activities
• Both can be committed by insiders and outsiders
• Codes of conduct: Used to specify rules for behavior, typically by a business or school
Unauthorized Access and Unauthorized Use
• Hacking: The act of breaking into another computer system
– A serious threat for individuals, businesses, and the country (national security)
• Wi-Fi hacking: Common for hackers to gain entrance via Wi-Fi
• War driving or Wi-Fi piggybacking: Using someone else’s Wi-Fi network to gain free access to the Internet
– Illegal in some areas
– Can lead to criminal behavior
– Ethical issues
Unauthorized Access and Unauthorized Use
• Interception of communications: Gaining unauthorized access to data as it is being sent over the Internet or another network
– The increased use of wireless networks has opened up new opportunities for data interception
• Business and personal wireless networks
• Use of public hotspots
• Wireless connections with mobile phones and mobile devices
– Once intercepted, the content can be read, altered, or otherwise used for unintended purposes
Computer Sabotage
• Computer sabotage: Acts of malicious destruction to a computer or computer resource
• Bot: A PC that is controlled by a computer criminal
• Botnet: A group of bots that can work together in a controlled fashion
– Used by botherders to send spam, launch Internet attacks and malware, etc.
• Malware: Any type of malicious software
– Includes viruses, worms, Trojan horses, etc.
– Increasingly used for computer crimes and to take control of individuals’ PCs for botnet activities
– Can infect mobile phones and mobile devices (some preinstalled on mobile devices)
Computer Sabotage
• Computer virus: Malicious program embedded in a file that is designed to cause harm to the computer system
– Often embedded in downloaded programs and e-mail messages
• Computer worm: Malicious program designed to spread rapidly by sending copies of itself to other computers
– Typically sent via e-mail
• Trojan horse: Malicious program that masquerades as something else
– Usually appears to be a game or other program
– Cannot replicate itself; must be downloaded and installed
Computer Sabotage
• Denial of service (DoS) attack: Act of sabotage that floods a Web server with so much activity that it is unable to function
– Distributed DoS attack: Uses multiple computers
Computer Sabotage
• Data or program alteration: When a hacker breaches a computer system in order to delete or change data
– Students changing grades
– Employees performing vengeful acts, such as deleting or changing corporate data
– Web site defacement (cybervandalism): Changing the content of a Web site
• Often used to make political statements
Protecting Against Unauthorized Access, Use, and Computer Sabotage
• Access control systems: Used to control access to:
– Facilities
– Computer networks
– Databases
– Web site accounts
• Can be individual or part of a complete network access control (NAC) system
• Can be:
– Identification systems: Verify that the person trying to access the facility or system is an authorized user
– Authentication systems: Determine if the person is who he or she claims to be
• Can use more than one type (two-factor systems)
Access Control Systems
• Possessed knowledge access systems: Use information that only an individual should know
– Usernames
– PINs
– Passwords
• Should be strong passwords and changed frequently
• Tokens can generate passwords
– Cognitive authentication systems: Use information the individual knows (past teachers, birthplace, first home, etc.)
• Disadvantage: Can be used by an unauthorized individual with the proper knowledge
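The two slides above separate identification (which user is this?) from authentication (is it really that user?), and note that tokens can generate passwords for a second factor. The following added example, which is not code from the textbook, puts those pieces together: a password stored as a salted hash (possessed knowledge) plus a token code computed with the standard time-based one-time password algorithm, TOTP (RFC 6238, built on HOTP, RFC 4226), which is what authenticator apps and many hardware tokens implement. The user record, the password and the `PBKDF2_ROUNDS` work factor are constructed assumptions; the token secret is the RFC 6238 test-vector secret so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Tuple

# Added example (not from the textbook): identification, then two authentication
# factors (a salted password hash and a TOTP token code), each checked in turn.

PBKDF2_ROUNDS = 200_000   # assumption: a moderate work factor for the demo


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store passwords as salted PBKDF2-HMAC-SHA256 hashes, never in plain text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current step or +/- `window` neighbouring steps to tolerate clock drift.
    compare_digest keeps the comparison constant-time."""
    current = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, current + delta), code)
        for delta in range(-window, window + 1)
    )


# Constructed user store: username -> (salt, password hash, token secret).
_SALT, _HASH = hash_password("correct horse battery staple")
USERS: Dict[str, Tuple[bytes, bytes, bytes]] = {
    "alice": (_SALT, _HASH, b"12345678901234567890"),
}


def login(username: str, password: str, code: str, at_time: Optional[float] = None) -> str:
    """Returns "ok" or the stage that failed: identification, then each authentication factor.
    (A production login would report one generic failure to avoid revealing which stage failed.)"""
    now = time.time() if at_time is None else at_time
    record = USERS.get(username)
    if record is None:
        return "unknown user"            # identification failed
    salt, stored, token_secret = record
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(candidate, stored):
        return "bad password"            # possessed-knowledge factor failed
    if not verify_totp(token_secret, code, now):
        return "bad token code"          # possessed-object factor failed
    return "ok"
```

The token and the server never exchange the secret at login time; both derive the same six-digit code from the shared secret and the clock, which is why a stolen password alone is not enough and why a code is only valid for about thirty seconds.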
Passwords
Possessed Knowledge Systems
Access Control Systems
• Possessed object access systems: Use physical objects that an individual has in his or her possession
– Smart cards
– RFID-encoded badges
– Magnetic cards
– Encoded badges
– USB security keys or e-tokens
• Disadvantage: Can be lost or used by an unauthorized individual
– When used with passwords or biometrics = two-factor authentication
Access Control Systems
• Biometric access systems: Use a unique physical characteristic of an individual in order to grant access
– Fingerprint
– Hand geometry
– Face
– Iris
– Can also use personal traits, such as voice or signature
– Increasingly being built into hardware
• Advantage: Can only be used by the authorized individual and cannot be lost or forgotten
Access Control Systems
• Controlling access to wireless networks
– In general, Wi-Fi is less secure than wired networks
– Security is usually off by default; wireless networks should be secured
– Wireless network owners should:
• Enable Wi-Fi encryption (WPA is more secure than WEP)
• Not broadcast the network name
• Change the default network administrator password
• Can use Media Access Control (MAC) address filtering
Controlling Access to Wireless Networks
Protecting Against Unauthorized Access, Use, and Computer Sabotage
• Firewall: Security system that provides a protective boundary between a computer or network and the outside world
– Works by closing down all external communications port addresses
– Blocks access to the PC from outside hackers
– Blocks access to the Internet from programs on the user’s PC unless authorized by the user
– Important for home PCs that have a direct Internet connection as well as for businesses
– Intrusion protection system (IPS) software is related
• Monitors and analyzes traffic allowed by the firewall to try to detect possible attacks
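The firewall slide above describes a default-deny filter (every external port closed, outbound only for programs the user authorized) with an IPS looking at whatever the firewall lets through, and the earlier Computer Sabotage slide describes the denial-of-service flood the IPS is trying to spot. The following added example, not code from the textbook or any firewall product, is a toy packet filter with exactly that behaviour plus a flood detector that runs over the allowed traffic. The `Packet` and `Rule` types, the rule set, the hosts, the program names and the traffic volumes are all constructed for the demo.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Added example (not from the textbook): default-deny packet filter plus an
# IPS-style flood check over the traffic the filter allowed.


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (from a local program)
    proto: str       # "tcp" or "udp"
    port: int        # destination port
    peer: str        # remote host for "in", local program name for "out"


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port: int        # -1 matches any port
    peer: str        # "*" matches any host/program
    action: str      # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction and self.proto == pkt.proto
                and self.port in (-1, pkt.port) and self.peer in ("*", pkt.peer))


# Constructed rule set. First match wins; anything unmatched falls through to deny,
# which is the "all external port addresses closed" default the slide describes.
RULES = [
    Rule("in", "tcp", 22, "*", "allow"),          # the single service this host exposes
    Rule("out", "tcp", -1, "browser", "allow"),   # program the user explicitly authorized
    Rule("out", "udp", 53, "resolver", "allow"),  # DNS lookups by the system resolver
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> str:
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def apply_firewall(traffic: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    allowed = [p for p in traffic if filter_packet(p) == "allow"]
    denied = [p for p in traffic if filter_packet(p) == "deny"]
    return allowed, denied


def detect_floods(allowed: List[Packet], per_source_limit: int = 50, total_limit: int = 500) -> List[str]:
    """IPS-style analysis of inbound traffic the firewall allowed. One source sending
    more than per_source_limit packets to a port looks like a DoS flood; a port
    receiving more than total_limit packets from many sources, none of them over
    the per-source limit, is the distributed case a per-source rule alone would miss."""
    per_source = Counter()
    per_port = Counter()
    for p in allowed:
        if p.direction == "in":
            per_source[(p.peer, p.port)] += 1
            per_port[p.port] += 1
    findings = []
    for (src, port), n in per_source.items():
        if n > per_source_limit:
            findings.append(f"flood from {src} to port {port}: {n} packets")
    for port, n in per_port.items():
        if n > total_limit:
            sources = len({s for s, q in per_source if q == port})
            findings.append(f"aggregate flood on port {port}: {n} packets from {sources} sources (possible DDoS)")
    return findings


def sample_traffic() -> List[Packet]:
    """Constructed traffic: one noisy host, sixty quiet hosts, and a little outbound traffic."""
    traffic = [Packet("in", "tcp", 22, "198.51.100.7") for _ in range(200)]
    for i in range(60):
        traffic += [Packet("in", "tcp", 22, f"203.0.113.{i + 1}") for _ in range(10)]
    traffic.append(Packet("in", "tcp", 445, "198.51.100.9"))        # denied: port not opened
    traffic.append(Packet("out", "tcp", 443, "browser"))            # allowed: authorized program
    traffic.append(Packet("out", "tcp", 443, "unknown-updater"))    # denied: not authorized
    return traffic


if __name__ == "__main__":
    allowed, denied = apply_firewall(sample_traffic())
    print(f"allowed {len(allowed)}, denied {len(denied)}")
    for finding in detect_floods(allowed):
        print(finding)
```

The point of running the flood check on the allowed traffic is the one the slide makes: the firewall cannot refuse connections to a port it deliberately opened, so a flood against that port passes the filter and only the IPS analysis behind it can raise the alarm.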
Firewalls
Protecting Against Unauthorized Access, Use, and Computer Sabotage
• Encryption: Method of scrambling e-mail or files to make them unreadable
– Private key encryption: Uses a single key
• Most often used to encrypt files on a PC
• If used to send files to others, the recipient needs to be told the key
– Public key encryption: Uses two keys
• Public key: Can be given to anyone; used to encrypt messages to be sent to that person
• Private key: Only known by the individual; used to decrypt messages that are encrypted with the individual’s public key
• Key pairs can be obtained through a Certificate Authority
Encryption
Protecting Against Unauthorized Access, Use, and Computer Sabotage
– Secure Web pages: Use encryption (SSL, EV SSL, etc.) to protect information transmitted via their Web pages
• Look for a locked padlock on the status bar and https:// in the URL
• Only transmit credit card numbers and other sensitive data via a secure Web server
– Web-based encrypted e-mail (HushMail) is available
– Various strengths of encryption available
• Stronger is more difficult to crack
• Strong = 128-bit (16-character keys)
Protecting Against Unauthorized Access, Use, and Computer Sabotage
• Virtual private networks (VPNs): Secure path over the Internet
– Allows authorized users to securely access a private network via the Internet
– Much less expensive than a private secure network since it uses the Internet
– Can provide a secure environment over a large geographical area
– Typically used by businesspeople to remotely access corporate networks via the Internet
– Personal VPNs can be used by individuals to surf safely at a wireless hotspot
Protecting Against Unauthorized Access, Use, and Computer Sabotage
• Antivirus software: Used to detect and eliminate computer viruses and other types of malware
– Should be set up to run continuously to check incoming e-mail messages, instant messages, and downloaded files
– Should be set up to scan the entire PC regularly
– Needs to be updated regularly since new malware is introduced at all times
– Best to have the program automatically download new virus definitions on a regular basis
– Some programs also scan for other threats, such as spyware, bots, possible phishing schemes, etc.
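The slide above says antivirus software must keep its virus definitions current. The following added example, not code from the textbook or any antivirus product, shows what a definitions set is and why updates matter: a file is matched against the hashes of known samples and against short byte patterns for each family, a variant with a few bytes changed escapes the hash but not the pattern, and a new family is missed entirely until a definition for it is merged in. Every sample body, family name and pattern is constructed for the demo and corresponds to no real malware.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Added example (not from the textbook): the mechanics behind "virus definitions".


def update_definitions(defs: dict, samples: Dict[str, bytes], patterns: Dict[str, bytes]) -> int:
    """Merge new definitions in, as an automatic update would; returns how many were added."""
    added = 0
    for family, body in samples.items():
        digest = hashlib.sha256(body).hexdigest()
        if digest not in defs["hashes"]:
            defs["hashes"][digest] = family
            added += 1
    for family, raw in patterns.items():
        if family not in defs["patterns"]:
            defs["patterns"][family] = re.compile(re.escape(raw))
            added += 1
    return added


def make_definitions(samples: Dict[str, bytes], patterns: Dict[str, bytes]) -> dict:
    """Build a definitions set: SHA-256 of known samples plus a byte pattern per family."""
    defs = {"hashes": {}, "patterns": {}}
    update_definitions(defs, samples, patterns)
    return defs


def scan(data: bytes, defs: dict) -> List[Tuple[str, str]]:
    """Return (family, method) for every definition the file content matches."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in defs["hashes"]:
        hits.append((defs["hashes"][digest], "hash"))
    for family, pattern in defs["patterns"].items():
        if pattern.search(data):
            hits.append((family, "pattern"))
    return hits


def scan_report(files: Dict[str, bytes], defs: dict) -> Dict[str, List[Tuple[str, str]]]:
    """Scan a set of name -> content files, as an on-access or scheduled full scan would."""
    return {name: scan(body, defs) for name, body in files.items()}


# Constructed "malware" bodies; the "MZ" prefix mimics a Windows executable header.
DEMO_WORM = b"MZ demo-worm: mail self to everyone in the address book"
DEMO_TROJAN = b"MZ free-game.exe: open a backdoor on startup"

# Initial definitions know only the worm, by exact hash and by a short byte pattern.
DEFS = make_definitions({"Demo.Worm.A": DEMO_WORM}, {"Demo.Worm.A": b"mail self to"})

if __name__ == "__main__":
    files = {"invoice.exe": DEMO_WORM, "free-game.exe": DEMO_TROJAN, "notes.txt": b"hello"}
    print("before update:", scan_report(files, DEFS))
    update_definitions(DEFS, {"Demo.Trojan.B": DEMO_TROJAN}, {})
    print("after update: ", scan_report(files, DEFS))
```

Real scanners add heuristics and behaviour monitoring on top of this, but the dependency is the same: a definitions-based scanner cannot flag a family it has never been told about, which is the reason the slide insists on automatic, regular updates.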
Antivirus Software
Protecting Against Unauthorized Access, Use, and Computer Sabotage
– Some ISP filters include virus checking
– E-mail authentication systems can protect against viruses sent via e-mail
– Common sense precautions can help prevent a virus infection
Protecting Against Unauthorized Access, Use, and Computer Sabotage
• Individuals should take additional precautions when using public hotspots, in addition to using security software, secure Web pages, VPNs, and file encryption
– Turn off file sharing
– Disable Wi-Fi and Bluetooth if not needed
– Use a firewall to block incoming connections
– Turn off automatic and ad hoc connections
Protecting Against Unauthorized Access, Use, and Computer Sabotage
• A significant number of security breaches (over 60%) are committed by insiders
• Taking caution with employees can help avoid security problems
– Screen potential new hires carefully
– Watch for disgruntled employees and ex-employees
– Develop policies and controls
– Use data-leakage prevention and enterprise rights-management software
– Ask business partners to review their security to avoid attacks coming from someone located at that organization
Data-Leakage Prevention Software
Online Theft, Fraud, and Other Dot Cons
• Dot con: A fraud or scam carried out through the Internet
• Data theft or information theft can be committed by:
– Stealing an actual PC
– A hacker gaining unauthorized access
– Includes personal data, proprietary corporate information, and money
• Identity theft
– Using someone else’s identity to purchase goods or services, obtain new credit cards or bank loans, or illegally masquerade as that individual
– Information obtained via documents, phishing schemes, stolen information, etc.
– Expensive and time consuming to recover from
Identity Theft
Online Theft, Fraud, and Other Dot Cons
• Online auction fraud: When an item purchased through an online auction is never delivered, or the item is not as specified by the seller
• Internet offer scams: A wide range of scams offered through Web sites or unsolicited e-mails
– Loan and pyramid scams
– Work-at-home cons and bogus prize offers
– Nigerian letter fraud scheme
• Spoofing: Making it appear that an e-mail or a Web site originates from somewhere other than where it really does
– Web site spoofing
– E-mail spoofing
Online Theft, Fraud, and Other Dot Cons
• Phishing: Use of spoofed e-mail messages to gain credit card numbers and other personal data
– After the victim clicks a link in the message and supplies sensitive data, that data is transmitted to the thief
– E-mails and Web sites often look legitimate
Online Theft, Fraud, and Other Dot Cons
• Spear phishing: Targeted to specific individuals
– Often includes personalized information to seem more legitimate
– May impersonate someone in your organization, such as from human resources or the IT dept.
• Pharming: The use of spoofed domain names to obtain personal information
– DNS servers are hacked to route requests for legitimate Web pages to spoofed Web pages (DNS poisoning)
– Often takes place via company DNS servers
• Drive-by pharming: Hacker changes the DNS server used by a victim’s router or access point to use a DNS server set up by the pharmer
Online Theft, Fraud, and Other Dot Cons
• Spyware: Program installed without the user’s knowledge that secretly collects information and sends it to an outside party via the Internet
– Can be installed:
• With another program (particularly freeware programs)
• By clicking a link in a phishing e-mail message
• By visiting a Web site
– Security risk if it transmits personal data that can be used in identity theft or other illegal activities
– Can also slow down a PC or make it malfunction
– Stealthware: Aggressive spyware programs
• Often continually deliver ads, change browser settings, etc.
Protecting Against Online Theft, Fraud, and Other Dot Cons
• Protecting against identity theft
– Do not give out personal information (Social Security number, mother’s maiden name, etc.) unless absolutely necessary
– Never give out sensitive information over the phone or by e-mail
– Shred documents containing sensitive data, credit card offers, etc.
– Don’t place sensitive outgoing mail in your mailbox
– Watch your bills and credit report to detect identity theft early
– Can get a free credit report from the 3 major consumer credit bureaus each year
Protecting Against Identity Theft
Protecting Against Online Theft, Fraud, and Other Dot Cons
• Protecting against other dot cons:
– Use common sense
– Check an online auction seller’s feedback before bidding
– Pay for online purchases via a credit card so transactions can be disputed if needed
– Never respond to an e-mail request for updated credit card information
– Never click a link in an unsolicited e-mail
– Keep your browser and operating system up to date
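The advice above boils down to not clicking links in unsolicited e-mail, and the earlier spoofing and phishing slides list what gives a spoofed link away: the visible text names the real site while the link goes elsewhere, the host is a raw address, or the URL is padded so the real host is hidden after an `@`. The following added example, not code from the textbook, turns those signs into a check a mail gateway or a cautious reader can run over a message body before anyone clicks. The sample message, its domains and hosts, and the `registered_domain` shortcut are all constructed assumptions for the demo.

```python
import ipaddress
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Added example (not from the textbook): flag links whose target does not match
# what the e-mail claims, using only the standard library.


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registered_domain(host: str) -> str:
    # Assumption for the demo: the registrable domain is the last two labels.
    # Real code must consult the public suffix list (co.uk, com.au, ...).
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(href: str, text: str, expected_domain: str) -> List[str]:
    """Reasons a link looks spoofed; an empty list means nothing suspicious was found."""
    parsed = urlparse(href)
    host = host_of(href)
    reasons = []
    if parsed.scheme and parsed.scheme != "https":
        reasons.append("not https")
    if is_ip_literal(host):
        reasons.append("raw IP address as host")
    if "@" in parsed.netloc:
        reasons.append("userinfo '@' in URL hides the real host")
    if registered_domain(host) != expected_domain:
        reasons.append(f"host {host} is not under {expected_domain}")
    # Visible text that itself looks like a URL or host name must point where it says.
    looks_like_url = "." in text and " " not in text
    text_host = host_of(text if "://" in text else "http://" + text) if looks_like_url else ""
    if text_host and registered_domain(text_host) != registered_domain(host):
        reasons.append(f"visible text shows {text_host} but the link goes to {host}")
    return reasons


def suspicious_links(html: str, expected_domain: str) -> List[Tuple[str, List[str]]]:
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        reasons = check_link(href, text, expected_domain)
        if reasons:
            flagged.append((href, reasons))
    return flagged


# Constructed phishing message claiming to come from "bank.example".
SAMPLE_EMAIL = """
<p>Dear customer, your account is locked. Verify it within 24 hours at
<a href="http://198.51.100.23/verify">https://www.bank.example/verify</a>.</p>
<p>Or use the secure portal:
<a href="https://www.bank.example@login-bank.example/">bank.example secure login</a></p>
<p>Questions? Visit <a href="https://www.bank.example/help">our help center</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, "bank.example"):
        print(href, "->", "; ".join(reasons))
```

The third link in the sample passes every check, which is the limit of this approach: a link that really goes to the claimed domain is not spoofed, so a phishing site on a look-alike domain the check does not know about still needs the reader to look at the address bar.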
Protecting Against Online Theft, Fraud, and Other Dot Cons
• Protecting against spyware:
– Check Web sites that list known spyware programs before downloading a program
– Run antispyware programs regularly
– Be cautious about downloads
– Keep operating system and browser up to date
Protecting Against Online Theft, Fraud, and Other Dot Cons
• Digital signature: Unique digital code that can be attached to an e-mail message or document
– Can be used to verify the identity of the sender
– Can be used to guarantee the message or file has not been changed
– Uses public key encryption
• Document is signed with the sender’s private key
• The key and the document create a unique digital signature
• Signature is verified using the sender’s public key
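The encryption slide earlier and the digital signature slide above describe the two directions a key pair is used in: anyone encrypts with the recipient's public key and only the private key decrypts, while the sender signs with the private key and anyone verifies with the public key. The following added example, not code from the textbook, shows both with unpadded "textbook" RSA so the exponentiations are visible. The primes are well-known Mersenne primes chosen only so the demo runs with the standard library; real systems use 2048-bit or larger keys, OAEP or PSS padding, and a vetted library rather than these functions. The key pairs, the message and the `_digest` reduction are constructed for the demo.

```python
import hashlib
from math import gcd
from typing import Tuple

# Added example (not from the textbook): public-key encryption and a digital
# signature with the same key pair used in opposite directions.

Key = Tuple[int, int]   # (exponent, modulus)


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Public key (e, n) may be handed to anyone; private key (d, n) stays with its owner."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key: Key, message: bytes) -> int:
    """Anyone can encrypt with the recipient's public key. The message must be smaller than n."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key; real systems encrypt a symmetric key instead")
    return pow(m, e, n)


def decrypt(private_key: Key, ciphertext: int) -> bytes:
    """Only the holder of the matching private key recovers the message."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message: bytes, n: int) -> int:
    # Sign a hash of the message rather than the message itself. Reducing mod n keeps the
    # value in range; this is a demo simplification in place of proper PSS encoding.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key: Key, message: bytes) -> int:
    """The sender signs with their private key: signature = H(m)^d mod n."""
    d, n = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key: Key, message: bytes, signature: int) -> bool:
    """Anyone verifies with the sender's public key: signature^e mod n must equal H(m)."""
    e, n = public_key
    return pow(signature, e, n) == _digest(message, n)


# Constructed key pairs built from known Mersenne primes (demo only, far too small for real use).
ALICE_PUB, ALICE_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**89 - 1, 2**107 - 1)

if __name__ == "__main__":
    message = b"Pay Bob 100 dollars"
    # Confidentiality: Alice encrypts to Bob's public key; only Bob's private key opens it.
    ciphertext = encrypt(BOB_PUB, message)
    print("Bob reads:", decrypt(BOB_PRIV, ciphertext))
    # Authenticity and integrity: Alice signs with her private key; Bob checks with her public key.
    signature = sign(ALICE_PRIV, message)
    print("signature valid:", verify(ALICE_PUB, message, signature))
    print("after tampering:", verify(ALICE_PUB, b"Pay Bob 1000 dollars", signature))
```

Verification fails both when the message is altered (the hash no longer matches) and when the wrong public key is used (the signature was not made by that key's owner), which is how a signature delivers the two guarantees the slide lists: sender identity and an unchanged message.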
Protecting Against Online Theft, Fraud, and Other Dot Cons
• Digital certificate: Group of electronic data that can be used to verify the identity of a person or organization
– Obtained from a Certificate Authority
– Typically contains identity information about the person or organization, an expiration date, and a pair of keys to be used with encryption and digital signatures
– Also used with secure Web sites to guarantee that the site is secure and actually belongs to the stated individual or organization
• Can be SSL or EV SSL
– Banks and other financial institutions may soon issue digital certificates to customers to protect against dot cons
Personal Safety Issues
• Cyberbullying: Bullying someone via the Internet or e-mail
– Increasingly happening to children and teenagers
• Cyberstalking: Repeated threats or harassing behavior via e-mail or another Internet communication method, including:
– Sending harassing e-mail messages to the victim
– Sending unwanted files to the victim
– Posting inappropriate messages about the victim
– Signing the victim up for offensive material
– Publicizing the victim’s contact information
• Sometimes escalates to personal violence
Personal Safety Issues
• Online pornography
– Concern for parents and schools
– Difficult to stop due to constitutional rights
– Online pornography involving minors is illegal
– Link between online pornography and child molestation
– Internet can make it easier to arrange dangerous meetings between predators and children
Protecting Against Cyberstalking and Other Personal Safety Concerns
• Safety tips for adults
– Be cautious in chat rooms and discussion groups
– Use gender-neutral, nonprovocative names
– Do not reveal personal information
– Do not respond to insults or harassing comments
– Request to have personal information removed from online directories
• Safety tips for children
– Parents should monitor Internet activities
– Have children use a PC in a family room
– They should be told which activities are allowed
– Instruct them to tell a parent of a request for personal information or a personal meeting
Network and Internet Security Legislation
• It is difficult for the legal system to keep pace with the rate at which technology changes
• There are domestic and international jurisdictional issues
• Computer crime legislation continues to be proposed and computer crimes are being prosecuted
NEED FOR CYBER LAWS
• TACKLING CYBER CRIMES
• INTELLECTUAL PROPERTY RIGHTS AND COPYRIGHTS PROTECTION ACT
CYBER LAWS IN INDIA
• IT ACT PASSED IN 2000
• INTERNET IN INDIA
• IMPLEMENTATION OF CYBER LAW
• REASONS FOR DELAY IN IMPLEMENTATION OF CYBER LAWS IN INDIA
IT ACT PROVISIONS
• E-mail would now be a valid and legal form of communication in our country that can be duly produced and approved in a court of law.
• Companies shall now be able to carry out electronic commerce using the legal infrastructure provided by the Act.
• Digital signatures have been given legal validity and sanction in the Act.
• The Act now allows the Government to issue notifications on the web, thus heralding e-governance
• Statutory remedy in case anyone breaks into a company’s computer systems or network and causes damage or copies data
• CYBER CRIMES AGAINST PROPERTY
– e.g., computer vandalism
• CYBER CRIMES AGAINST GOVERNMENT
– e.g., ‘Al-Qaeda’
CYBER CRIMES
CRIME THROUGH ORKUT
• Koushambi, a 24-year-old software professional working for TCS, was brutally killed by Manish Thakur in a hotel room at Andheri.
INTERNET AND ITS EFFECT
• 20%-30% of Internet pornography consumption is by children of ages 12-17.
• MySpace is being used by predators to meet and entice kids online.
• Specific marketing strategies are being used to attract children to porn sites.
OFFENCES AND LAWS IN CYBER SPACE
• TAMPERING WITH COMPUTER DOCUMENTS
• HACKING WITH COMPUTER SYSTEM
• PUBLISHING OBSCENE MATERIAL ON INTERNET
• BREACHING OF CONFIDENTIALITY AND PRIVACY
CYBER LAWS AMENDMENTS
• INDIAN PENAL CODE, 1860
• INDIAN EVIDENCE ACT, 1872
• BANKER’S BOOK EVIDENCE ACT, 1891
• GENERAL CLAUSES ACT, 1897
Summary
• Why Be Concerned about Network and Internet Security?
• Unauthorized Access, Unauthorized Use, and Computer Sabotage
• Protecting Against Unauthorized Access, Unauthorized Use, and Computer Sabotage
• Online Theft, Fraud, and Other Dot Cons
• Protecting Against Online Theft, Fraud, and Other Dot Cons
• Personal Safety Issues
• Protecting Against Cyberstalking and Other Personal Safety Concerns
• Network and Internet Security Legislation