1. ITC 241
Introduction to Internet Security

2. Computer Security Defined by
NIST - National Institute of Standards and Technology
http://csrc.nist.gov/
“The protection afforded to an automated
information system in order to attain the applicable
objectives of preserving the integrity, availability,
and confidentiality of information system resources
(includes hardware, software, firmware,
information/data, and telecommunications).”

3. ●Confidentiality –
information access and
disclosure
●Integrity – modification
or destruction of
information
●Availability – timely,
reliable access

4. Impact Considerations
● Performance
● Organizational assets
● Financial loss
● Harm to Individuals

5. http://www.youtube.com/watch?v=d-d5TDHa8jw

6. Confidentiality
● Personal privacy
● Proprietary information
● Secret Info should remain secret
The unauthorized disclosure
(access) of information

7. Confidentiality
● Mechanisms of
Protection
● Cryptography
● Access Controls
● Examples of Threats
● Malware
● Intruders
● Social engineering
● Insecure networks
● Poorly administered
systems

8. How does Anonymous do this?

9. What's the Impact Level of the following real world cases?

10. http://www.cnn.com/2013/08/21/us/bradley-manning-sentencing

11. http://www.cnn.com/2013/08/21/us/bradley-manning-sentencing

12. http://www.forbes.com/sites/ruchikatulshyan/2013/08/23/is-your-spouse-your-biggest-online-security-risk/

13. http://www.databreaches.net/university-of-north-carolina-servers-hacked-3500-employees-data-accessed/

14. Integrity
● Trustworthiness
● Origin
● Completeness
● Correctness
unauthorized modification or
destruction of information

15. Integrity
● Protective
Mechanism
● Access controls to
prevent modification
● Detective
Mechanisms
● identify when
modifications occur
when protective
mechanisms fail
● Integrity Controls
● Principles of least
privilege
● Separation
● Rotation of duties

16. http://www.cultofmac.com/183063/apple-responds-to-journalist-victim-of-icloud-hack/

17. This all happened because the hackers were
able to get a hold of Honan’s email address,
his billing address and the last four digits of a
credit card he has on file. Once the hacker
had this info, he or she called Apple, asked
for a reset to the iCloud account in Honan’s
name, and was given a temporary password.

18. Availability – disruption of access
to or use of information or an
information system.
Confidentiality and Integrity matter
not if the system is not available!

19. Availability
Threats
● Attacks against
Availability = DoS
● Natural Disasters
● Manmade Disasters
Protective
Mechanisms
● Business continuity
● Disaster Recovery
Planning
● regular/reliable
backups to minimize
loss

20. How does Anonymous do this?

21. Identification – scope, locality,
uniqueness of IDs
Authentication – prove to be the
person you say you claim to be!
Identify-authenticate-authorize
login – password – permissions

22. Methods of Authentication
● What you know (low strength)
● Passwords, passphrases, secret codes,
PINs (low cost)
● What you have (low strength)
● Keys, smart cards, tokens
● (in possession of = higher cost)
● What you are (potential high strength)
● Biometrics

23. Authorization
● Role Privileges, Rights, Permissions
● Guest
● Participant
● Admin
permissions to view, insert, delete, modify, admin

24. How does anybody do this?
http://live.wsj.com/video/news-hub-google-gmail-hit-with-china-based-scam/D

25. Accountability – who sent
what where?
Ability to trace actions back to a
person, place and time, back to a
system and what processes were
performed on it!
Provided by logs and audit trails.

26. Accountability
System/Application
Logs
● Ordered list of:
● Events
● Actions
● Must have integrity
● Time Stamped across
entire system
● High Level Actions
(email, web page served)
Audit Trail
● Ordered list of:
● Events
● Actions
● Open files
● Writing to files
● Sending packets
across network

27. http://www.theguardian.com/money/2011/aug/05/beware-hackers-take-over-gmail-account

28. Privacy = do you really have any?
Organizations should take necessary precautions
to protect the confidentiality and integrity of
personal information they collect, store and
process.

30. Some Things to Ponder:
What are the types of threats?
Who is conducting these?
Why?