Security and ethics
ROLE OF OPERATING SYSTEM IN SECURITY
System Survivability
System survivability is defined as “the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents” (Linger, 2002).
• The term system refers to any system. It’s used here in the
broadest possible sense from laptop to distributed system to
supercomputer.
• A mission is a very high-level set of requirements or goals.
• In a timely manner refers to system response time, a critical factor
for most systems.
• The terms attack, failure, and accident refer to any potentially
damaging incident, regardless of the cause, whether intentional or
not.
Backup and Recovery
Backup and recovery policies, together with other archiving techniques, are standard operating procedure for most computing systems.
Backups, with one set stored off-site, are also crucial to disaster recovery. The disaster could come from anywhere. Here are just a few of the threats:
• water from a fire upstairs
• fire from an electrical connection
• malfunctioning server
• corrupted archival media
• intrusion from unauthorized users
Security Breaches
Unintentional Intrusions
An unintentional attack is defined as any breach of security or modification of data that was not the result of a planned intrusion.
Accidental incomplete modification of data occurs when non-synchronized processes access the same data record and each modifies some of the record’s fields, so that one process’s changes are lost or the record ends up inconsistent.
An example was given in Chapter 5 when we discussed the topic of a race in a database with two processes working on the same student record and writing different versions of it to the database.
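The race described above, reproduced as an added example that is not from the textbook: two processes each change one field of the same student record, the interleaving read-read-write-write loses the first writer’s change, and the same two updates done under a lock keep both. The record layout and values are constructed for the demonstration.

```python
"""Lost-update race on a shared record (added example, not from the book)."""
import threading
from copy import deepcopy

# Constructed sample record: process A wants to change gpa, process B credits.
STUDENT = {"id": 1001, "gpa": 3.2, "credits": 60}


def unsynchronized_updates(record):
    """Two processes read the whole record, change one field each and write
    the whole record back.  With the interleaving read, read, write, write,
    the second writer overwrites the first writer's change (lost update)."""
    db = deepcopy(record)
    copy_a = deepcopy(db)          # process A reads the record
    copy_b = deepcopy(db)          # process B reads it too, before A writes
    copy_a["gpa"] = 3.5            # A modifies its field
    copy_b["credits"] = 63         # B modifies a different field
    db = copy_a                    # A writes its version back
    db = copy_b                    # B writes its stale copy: A's gpa is lost
    return db


def synchronized_updates(record):
    """Same two updates, but each read-modify-write runs under one lock, so
    the second process always reads the result of the first."""
    db = deepcopy(record)
    lock = threading.Lock()

    def update(field, value):
        nonlocal db
        with lock:                 # read-modify-write is now atomic
            working = deepcopy(db)
            working[field] = value
            db = working

    t_a = threading.Thread(target=update, args=("gpa", 3.5))
    t_b = threading.Thread(target=update, args=("credits", 63))
    t_a.start(); t_b.start()
    t_a.join(); t_b.join()
    return db


if __name__ == "__main__":
    print("unsynchronized:", unsynchronized_updates(STUDENT))  # gpa reverts to 3.2
    print("synchronized:  ", synchronized_updates(STUDENT))    # both changes kept
```

The unsynchronized function spells the interleaving out explicitly rather than relying on the thread scheduler, so the lost update is reproduced every time; in a real database the same fix is a row lock or an optimistic version check on the record.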
Intentional Attacks
Intentional unauthorized access includes denial of service
attacks, browsing, wiretapping, repeated trials, trapdoors,
and trash collection.
Intentional Unauthorized Access
Denial of service (DoS) attacks - are synchronized
attempts to deny service to authorized users by causing
a computer (usually a Web server) to perform a task (often
an unproductive task) over and over, thereby making the
system unavailable to perform the work it is designed to
do.
Browsing is when unauthorized users gain the
capability to search through storage, directories, or files
for information they aren’t privileged to read.
Wiretapping is nothing new. Just as telephone lines can be tapped, so can most data communication lines.
There are two reasons for passive tapping:
• to copy data while bypassing any authorization procedures, and
• to collect specific information (such as passwords) that will permit the tapper to enter the system at a later date.
Active wiretapping is when the data being sent is modified.
Two methods of active wiretapping are “between lines transmission” and “piggyback entry.”
Between lines transmission doesn’t alter the messages sent by the legitimate user, but it inserts additional messages into the communication line while the legitimate user is pausing.
Piggyback entry intercepts and modifies the original messages.
Repeated trials describes the method used to enter systems by guessing authentic passwords.
(Table: Average time required for a human and a computer to guess passwords of up to 10 alphabetic characters (A–Z) using brute force.)
Trapdoors, including backdoor passwords, are defined as unspecified and undocumented entry points to the system.
Trash collection - also known as dumpster diving - is an
evening pastime for those who enjoy perusing anything
and everything thrown out by system users—the discarded
disks, CDs, faxes, printer ribbons, as well as printouts of
source code, programs, memory dumps, and notes.
Viruses
A virus is defined as a small program written to alter the way a computer operates, without the permission or knowledge of the user.
A virus must meet two criteria:
• It must be self-executing. Often, this means placing its own
code in the path of another program.
• It must be self-replicating. Usually, this is accomplished by
copying itself from infected files to clean files as shown in
Figure 11.2. Viruses can infect desktop computers and network
servers alike and spread each time the host file is executed.
(Figure 11.2: A file infector virus attacks a clean file (a) by attaching a small program to it (b), which executes every time the infected file runs.)
Worms
A worm is a memory-resident program that copies itself from one system to the next without requiring the aid of an infected program file.
Trojans
A Trojan - (originally called a Trojan Horse) is a
destructive program that’s disguised as a legitimate or
harmless program that sometimes carries within itself the
means to allow the program’s creator to secretly access the
user’s system.
There are five recognized types of viruses:
File infector virus - Infects files on the computer, normally
executable files such as .exe and .com files commonly
found on Microsoft operating systems. These viruses
commonly become resident in memory and then infect any
clean executable program that runs on that computer.
Boot sector virus - Infects the boot record, the system area
of a floppy disk or hard drive. These viruses activate
whenever the user starts up (powers on) the computer.
Most boot sector viruses were written for MS-DOS, but
other operating systems are potential targets.
Master boot record virus - Infects the boot record of a disk,
saving a legitimate copy of the master boot record in a
different location on the volume.
Multipartite virus - Infects both the boot record and program files, making them especially difficult to repair. Successful removal requires that all instances of the virus be removed at once: on the boot records as well as in all files infected with the virus. Should any instance of the infection remain, the virus will infect the system again.
Macro virus - Infects data files (such as word processing documents, spreadsheets, etc.), though newer versions now infect other program files as well. A macro virus works by attaching itself to the template which, in turn, is attached to word processing documents. Computer users are advised to disable the automatic execution of macros on files they don’t completely trust.
Intruders have been known to capture user passwords by using a Trojan to replace the standard login program on the computer with an identical fake login that captures keystrokes. Once it’s installed, it works like this:
1. The user sees a login prompt and types in the user ID.
2. The user sees a password prompt and types in the password.
3. The rogue program records both the user ID and password and
sends a typical login failure message to the user. Then the
program stops running and returns control to the legitimate
program.
4. Now, the user sees the legitimate login prompt and retypes the
user ID.
5. The user sees the legitimate password prompt and retypes the
password.
6. Finally, the user gains access to the system, unaware that the
rogue program has stored the first attempt and recorded the
user ID and password.
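The Trojan just described works only if the replaced login program goes unnoticed. One standard control against that is a file-integrity baseline: hash the trusted system binaries once, keep the manifest where an intruder cannot rewrite it, and periodically compare. The following is an added example, not from the textbook; the file contents are constructed in memory so it runs offline, and the paths are illustrative placeholders.

```python
"""File-integrity baseline check (added example, not from the book)."""
import hashlib

# Constructed in-memory "filesystem": path -> contents.  A real deployment
# hashes the files on disk and stores the manifest off-line or read-only.
BASELINE_FILES = {
    "/bin/login": b"legitimate login program v1",
    "/bin/su": b"legitimate su program v1",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Record the trusted baseline: path -> SHA-256 of the file contents."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify(manifest, files):
    """Compare current contents against the baseline and report every
    deviation as (path, finding): modified, missing or unexpected."""
    findings = []
    for path, expected in manifest.items():
        if path not in files:
            findings.append((path, "missing"))
        elif sha256_hex(files[path]) != expected:
            findings.append((path, "modified"))
    for path in files:
        if path not in manifest:
            findings.append((path, "unexpected"))
    return sorted(findings)


if __name__ == "__main__":
    manifest = build_manifest(BASELINE_FILES)
    # Simulate the Trojan: /bin/login replaced by a look-alike program.
    tampered = dict(BASELINE_FILES)
    tampered["/bin/login"] = b"look-alike login that records keystrokes"
    print("clean system:   ", verify(manifest, BASELINE_FILES))
    print("after tampering:", verify(manifest, tampered))
```

The check detects the replacement only if the manifest itself is trustworthy, which is why the baseline is taken from known-good media and stored out of reach of the system being checked.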
Bombs
A logic bomb is a destructive program with a fuse: a certain triggering event (such as a certain keystroke or connection with the Internet).
A time bomb is similar to a logic bomb but is triggered by a specific time, such as a day of the year.
Blended Threats
A blended threat - combines into one program the
characteristics of other attacks, including a virus, a
worm, a trojan, spyware, key loggers, and other
malicious code.
System Protection
Antivirus software can be purchased to protect systems from attack by malicious software.
The level of protection is usually in proportion to the importance of its data. Medical data should be highly protected.
Information about current viruses is available from vendors and government agencies dedicated to system security, such as those listed in Table 11.5.
A firewall is a set of hardware and/or software designed to protect a system by disguising its IP address from outsiders who don’t have authorization to access it or ask for information about it.
The typical tasks of the firewall are to:
• log activities that access the Internet
• maintain access control based on the senders’ or receivers’
IP addresses
• maintain access control based on the services that are requested
• hide the internal network from unauthorized users requesting
network information
• verify that virus protection is installed and being enforced
• perform authentication based on the source of a request from
the Internet
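Three of the tasks above (access control by sender address, access control by requested service, and logging) can be shown in one place. The block below is an added example, not from the textbook or any firewall product: a first-match rule list with a default deny, evaluated against a few constructed packets. The addresses are documentation ranges and the service table is a short constructed mapping.

```python
"""Minimal packet-filter rule evaluator (added example, not from the book)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # CIDR the source address must fall in
    dst: str                 # CIDR the destination address must fall in
    service: Optional[str]   # requested service, or None for any


# Constructed service table and rule set; first matching rule wins.
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "smtp": 25}
RULES = [
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "https"),      # public web server
    Rule("allow", "203.0.113.0/24", "192.0.2.0/24", "ssh"),    # admin network only
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),              # default deny
]


def lookup_service(port: int) -> Optional[str]:
    for name, p in SERVICE_PORTS.items():
        if p == port:
            return name
    return None


def evaluate(rules, src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return the action of the first rule matching source, destination and
    service; packets matching no rule are denied."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    service = lookup_service(dst_port)
    for rule in rules:
        if src not in ipaddress.ip_network(rule.src):
            continue
        if dst not in ipaddress.ip_network(rule.dst):
            continue
        if rule.service is not None and rule.service != service:
            continue
        return rule.action
    return "deny"


def filter_log(rules, packets):
    """Evaluate each (src, dst, port) packet and return one log line per packet."""
    lines = []
    for src, dst, port in packets:
        action = evaluate(rules, src, dst, port)
        lines.append(f"{action.upper():5} {src} -> {dst}:{port} "
                     f"({lookup_service(port) or 'unknown'})")
    return lines


if __name__ == "__main__":
    # Constructed sample traffic.
    sample = [("198.51.100.7", "192.0.2.10", 443),
              ("198.51.100.7", "192.0.2.10", 22),
              ("203.0.113.5", "192.0.2.20", 22)]
    print("\n".join(filter_log(RULES, sample)))
```

Ordering matters: the outside-world SSH attempt is denied because the only SSH rule is restricted to the admin network, and the closing deny rule makes the policy explicit rather than relying on the fall-through default.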
(Figure: shows the threats (viruses, worms, and Trojans) as of September 2009.)
A proxy server hides important network information from outsiders by making the network server invisible.
Authentication is verification that an individual trying to access a system is authorized to do so.
Kerberos is one popular authentication tool. The Kerberos protocol uses strong cryptography (the science of coding messages) so that a client can prove its identity to a server, and vice versa, across an insecure network connection.
Using Kerberos, when client A attempts to access server B, the
user is authenticated (a) and receives a ticket for the session (b).
Once the ticket is issued, client and server can communicate at
will (c). Without the ticket, access is not granted.
Encryption
The most extreme protection for sensitive data is with encryption: putting it into a secret code.
Private key - a pair of two prime numbers (usually with 75 or more digits each) chosen by the person who wants to receive a private message.
Public key - the product, k, of those two primes. Once the message receiver has the product, k, it can be posted in any public place, even an online directory, for anyone to see, because the private key can’t be decoded from the public key.
Packet sniffers (also called sniffers) are programs that reside on computers attached to the network and capture the traffic passing by.
Spoofing is a security threat that relies on cleartext transmission whereby the assailant falsifies the IP addresses of an Internet server by changing the address recorded in packets it sends over the Internet.
Password Management
Passwords - are one of the easiest and most effective protection
schemes to implement, but only if they’re used correctly.
There are several reliable techniques for generating a good
password:
• Using a minimum of eight characters, including numbers and
non-alphanumeric characters
• Creating a misspelled word or joining bits of phrases into a word
that’s easy to remember
• Following a certain pattern on the keyboard, generating new
passwords easily by starting your sequence with a different letter
each time
• Creating acronyms from memorable sentences, such as
MDWB4YOIA, which stands for: “My Dog Will Be 4 Years Old
In April”
• If the operating system differentiates between upper- and lowercase characters (as UNIX and Linux do), users should take advantage of that feature by using both in the password: MDwb4YOia
• Avoiding any words that appear in any dictionary
(Table: Number of combinations of passwords depending on their length and available character set.)
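To put numbers on the two tables this chapter refers to (brute-force guessing of alphabetic passwords, and combinations by length and character set), and to turn the bulleted recommendations into a check, the block below is an added example, not from the textbook. The dictionary is a constructed five-word stand-in, and the guess rate passed to the timing helper is a parameter the caller chooses, not a figure from the book.

```python
"""Password keyspace and policy check (added example, not from the book)."""
import string

# Character-set sizes used for the combinations table.
CHARSETS = {
    "lowercase letters": 26,
    "letters + digits": 36,
    "mixed-case letters + digits": 62,
    "printable ASCII": len(string.printable.strip()) + 1,   # 95 characters
}

# Constructed stand-in for a real dictionary word list.
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey"}


def combinations(charset_size: int, length: int, up_to: bool = False) -> int:
    """Number of passwords of exactly `length` characters, or of every length
    from 1 to `length` when up_to is True."""
    if up_to:
        return sum(charset_size ** n for n in range(1, length + 1))
    return charset_size ** length


def average_brute_force_seconds(charset_size, length, guesses_per_second, up_to=False):
    """On average half the keyspace is searched before the right guess."""
    return combinations(charset_size, length, up_to) / 2 / guesses_per_second


def combinations_table(max_length: int = 10):
    """Rows of (character set, length, combinations) for the slide's table."""
    return [(name, n, combinations(size, n))
            for name, size in CHARSETS.items()
            for n in range(1, max_length + 1)]


def check_password(pw: str):
    """Return the slide's recommendations that the password fails to meet."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("no non-alphanumeric character")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    if pw.lower() in DICTIONARY:
        problems.append("dictionary word")
    return problems


if __name__ == "__main__":
    print("passwords of up to 10 letters (A-Z):", combinations(26, 10, up_to=True))
    print("hours at one billion guesses/second:",
          average_brute_force_seconds(26, 10, 1e9, up_to=True) / 3600)
    for pw in ("MDWB4YOIA", "MDwb4YOia", "password"):
        print(pw, "->", check_password(pw) or "meets all listed rules")
```

The acronym examples from the slides satisfy most rules but, as the checker reports, contain no non-alphanumeric character; the checker lists every recommendation missed rather than scoring, so a user can see exactly which suggestion to apply.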
Dictionary attack is the term used to describe a method of breaking encrypted passwords.
Password Alternatives
Smart card - a credit-card-sized calculator that requires both something you have and something you know.
Biometrics - the science and technology of identifying individuals based on the unique biological characteristics of each person.
A graphical password is created by clicking certain areas of the photo in a certain sequence.
Social Engineering means looking in and around the
user’s desk for a written reminder, trying the user logon ID
as the password, searching logon scripts, and even
telephoning friends and co-workers to learn the names of a
user’s family members, pets, vacation destinations, favorite
hobbies, car model, etc.
Phishing (pronounced “fishing”) - is a form of social
engineering whereby an intruder pretends to be a
legitimate entity and contacts unwary users asking them to
reconfirm their personal and/or financial information.
Ethics
ethics—the rules or standards of behavior that members of
the computer-using community are expected to follow,
demonstrating the principles of right and wrong.
For the system’s owner, ethical lapses by authorized or unauthorized users can have severe consequences:
• Illegally copied software can result in lawsuits and fines of
several times the retail price of each product for each
transgression. Several industry associations publish toll-
free numbers encouraging disgruntled employees to turn
in their employers who use illegal software.
• Plagiarism, the unauthorized copying of copyrighted work
(including but not limited to music, movies, textbook
material, databases), is illegal and punishable by law in the
United States as well as in many other nations. When the
original work is on paper, most users know the proper
course of action, but when the original is in electronic
form, some people don’t recognize the ethical issues
involved.
• Eavesdropping on e-mail, data, or voice communications is
sometimes illegal and usually unwarranted, except under
certain circumstances. If calls or messages must be
monitored, the participants should always be notified
before the monitoring begins.
• Cracking, sometimes called hacking, is gaining access to
another computer system to monitor or change data, and
it’s seldom an ethical activity. Although it’s seen as a sport
by certain people, each break-in should cause the system’s
owner and users to question the validity of the system’s
data.
• Unethical use of technology, defined as unauthorized
access to private or protected computer systems or
electronic information, is a murky area of the law, but it’s
clearly the wrong thing to do. Legally, the justice system
has great difficulty keeping up with each specific form of
unauthorized access because the technology changes so
quickly. Therefore, system owners can’t rely on the law for
guidance. Instead, they must aggressively teach their users
about what is and is not ethical behavior.
How can users be taught to behave ethically? A continuing
series of security awareness and ethics communications to
computer users is more effective than a single
announcement. Specific activities can include the
following:
• Publish policies that clearly state which actions will and will
not be condoned.
• Teach a regular seminar on the subject including real-life
case histories.
• Conduct open discussions of ethical questions such as: Is it
okay to read someone else’s e-mail? Is it right for someone
else to read your e-mail? Is it ethical for a competitor to
read your data? Is it okay if someone scans your bank
account? Is it right for someone to change the results of
your medical test? Is it acceptable for someone to copy your
software program and put it on the Internet? Is it
acceptable for someone to copy a government document
and put it on the Internet?