Introduction to MIS
Chapter: Security, Privacy, Anonymity
Copyright © 1998-2002 by Jerry Post

Outline
  - Threats to Information
  - Physical Security and Disaster Planning
  - Logical Security and Data Protection
  - Virus Threats
  - User Identification and Biometrics
  - Access Controls
  - Encryption and Authentication
  - Internet Security Issues
  - Privacy
  - Anonymity
  - Cases: Healthcare
  - Appendix: Server Security Certificates

Security, Privacy, and Anonymity (diagram)
  - Server attacks
  - The Internet
  - Data interception
  - Monitoring

Threats to Information
  - Accidents & disasters
  - Employees & consultants
  - Business partnerships (links to business partners)
  - Outsiders (outside hackers)
  - Viruses (for example, a virus hiding in an e-mail attachment)

Security Categories
  - Physical attack & disasters
      - Backup off-site
      - Cold/shell site
      - Hot site
      - Disaster tests
      - Personal computers!
  - Logical
      - Unauthorized disclosure
      - Unauthorized modification
      - Unauthorized withholding
      - Denial of service

Horror Stories
  - Security Pacific, Oct 1978: Stanley Mark Rifkin used an electronic funds transfer to move $10.2 million to Switzerland, bought Soviet diamonds, and came back to the U.S.
  - The Impossible Dream (Equity Funding, 1973): stock manipulation, insurance loans, fake computer records
  - The Cuckoo's Egg (Clifford Stoll, 1989): Berkeley Labs; the Unix accounts did not balance; the intruder was monitored and fed false information; tracked to an East German spy
  - Robert Morris, 1989: graduate student; Unix "worm"; Internet tied up for days
  - Old techniques: salami slice, bank deposit slips, Trojan horse, virus

Manual vs. Automated Data
  - Amount of data
  - Identification of users
  - Difficult to detect changes
  - Speed: search, copy, statistical inference
  - Communication lines

Disaster Planning
  SunGard is a premier provider of computer backup facilities and disaster planning services. Its fleet of Mobile Data Centers can be outfitted with a variety of distributed systems hardware and delivered to a disaster site within 48 hours.
Data Backup
  - Backup is critical
  - Offsite backup is critical
  - Levels: RAID (multiple drives); real-time replication; scheduled backups

Data Backup (diagram)
  - Use the network to back up PC data
  - Use duplicate mirrored servers for extreme reliability
  - Power company / UPS
  - Frequent backups enable you to recover from disasters and mistakes
  - Offsite backups are critical

Internet Firewall (diagram)
  - Internal company data servers, company PCs, firewall router, Internet
  - The firewall router examines each packet and discards some types of requests
  - Keeps local data from going to Web servers

Privacy (diagram: data collected about individuals)
  criminal records, complaints, fingerprints, transportation data, medical records, financial data, regulatory data, employment, environmental data, grocery store scanner data, credit cards, organizations, purchases, phone, subscriptions, education, permits, census, loans & licenses

Cookies (exchange over time between the user PC and the Web server)
  1. User PC: request page
  2. Web server: find page and cookie; send page
  3. User PC: display page, store cookie
  4. User PC: request new page and send cookie
  5. Web server: use cookie to identify user; send customized page

Misuse of Cookies: Third-Party Ads
  - The user PC requests a page from a useful Web site
  - The requested page (text and graphics) carries a link to ads on a national ad Web site (Doubleclick.com)
  - The browser requests the ads from the ad site and sends a hidden prior cookie along with the request
  - The ad site returns the advertisements and a cookie

Wireless Privacy
  - Cell phones require connections to towers
  - E-911 laws require location capability
  - Many now come with integrated GPS units
  - Business could market to customers "in the neighborhood"
  - Tracking of employees is already common

Privacy Problems
  - Terry Dean Rogan: lost wallet; an impersonator committed murders and robberies; NCIC database; Rogan arrested ... times in 14 months; sued and won $55,000 from LA
  - Jeffrey McFadden, 1989: obtained the SSN and DoB of William Kalin from military records; got a fake Kentucky ID; wrote $6000 in bad checks; Kalin spent ... days in jail; sued McFadden and won $10,000
  - Employees: 26 million monitored electronically; 10 million paid based on statistics
  - TRW, 1991: listed everyone in Norwich, VT as delinquent on property taxes
  - San Francisco Chronicle, 1991: a person found 12 others using her SSN; someone got 16 credit cards from another's SSN and charged $10,000; someone discovered their unemployment benefits had already been collected by others

Privacy Laws
  - Minimal in the US
      - Credit reports: right to add comments; disputes settled in 30 days (1994); some limits on access to data (1994)
      - Bork Bill: can't release video rental data
      - Educational data: limited availability
      - 1994 limits on selling state/local data
      - 2001 rules on medical data
  - Europe
      - France and some other controls
      - 1995 EU privacy controls

Primary U.S. Privacy Laws
  - Freedom of Information Act
  - Family Educational Rights and Privacy Act
  - Fair Credit Reporting Act
  - Privacy Act of 1974
  - Privacy Protection Act of 1980
  - Electronic Communications Privacy Act of 1986
  - Video Privacy Act of 1988
  - Driver's Privacy Protection Act of 1994
  - 2001 Federal Medical Privacy rules (not a law)

Anonymity
  - Anonymous servers: http://www.zeroknowledge.com
  - Dianetics church (L. Ron Hubbard) officials in the U.S. sued a former employee for leaking confidential documents over the Internet. He posted them through a Danish anonymous server. The church pressured police to obtain the name of the poster. A zero-knowledge server is more secure.
  - Should we allow anonymity on the Internet?
      - Protects privacy
      - Can encourage the flow of information (Chinese dissenters, government whistleblowers)
      - Can be used for criminal activity

Cases: Healthcare

Cases: Eli Lilly (www.lilly.com) and Owens & Minor, Inc. (www.owensminor.com)
  - What is the company's current status?
  - What is the Internet strategy?
  - How does the company use information technology?
  - What are the prospects for the industry?
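As an added example (not part of the slides), the following Python simulation plays out the two cookie exchanges from the Cookies slides: a first-party site that recognizes a returning browser by its cookie, and a national ad server that, because the same cookie comes back from pages on different sites, can link those visits to one user. Hostnames and cookie values are constructed; the block_third_party flag models the usual browser mitigation of refusing cookies on requests to a host other than the site the user is actually visiting.

```python
# Added example, not from the slides: simulates the cookie exchanges on the
# "Cookies" and "Misuse of Cookies" slides. Hostnames/values are constructed.
import itertools


class Server:
    """Web server: uses the cookie to identify the user, or issues a new one."""

    def __init__(self, host):
        self.host = host
        self._ids = itertools.count(1)
        self.seen = {}  # cookie value -> top-level sites the request came from

    def handle(self, cookie, top_site):
        if cookie is None:  # first visit: assign a fresh identifier
            cookie = "%s-%d" % (self.host, next(self._ids))
        self.seen.setdefault(cookie, []).append(top_site)
        return {"page": "customized for " + cookie, "set_cookie": cookie}


class Browser:
    """User PC: stores cookies per host and sends them back on later requests."""

    def __init__(self, block_third_party=False):
        self.jar = {}
        self.block_third_party = block_third_party

    def request(self, server, top_site):
        # Third party: the server differs from the site whose page embeds the link
        blocked = self.block_third_party and server.host != top_site
        cookie = None if blocked else self.jar.get(server.host)
        reply = server.handle(cookie, top_site)
        if not blocked:
            self.jar[server.host] = reply["set_cookie"]
        return reply

    def visit(self, site, ad_server):
        self.request(site, top_site=site.host)       # request the useful page
        self.request(ad_server, top_site=site.host)  # the page links to the ads


def sites_linked_by_ad_cookie(block_third_party):
    """How many different first-party sites the ad server ties to one cookie."""
    ads = Server("ads.example")
    sites = {h: Server(h) for h in ("news.example", "shop.example")}
    browser = Browser(block_third_party)
    for host in ("news.example", "shop.example", "news.example"):
        browser.visit(sites[host], ads)
    return max(len(set(origins)) for origins in ads.seen.values())
```

With third-party cookies allowed the ad server sees one cookie arriving from both sites; with them blocked every ad request looks like a new user, while the first-party site still recognizes its own returning visitors.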
Appendix: Digital Security Certificates
  - Digital security certificates are used to encrypt e-mail and to authenticate the sender
  - Obtain a certificate from a certificate authority: Verisign; Thawte (owned by Verisign); Microsoft; your own company or agency
  - Install the certificate in Outlook
  - Select option boxes to encrypt or decrypt messages
  - Install certificates sent by your friends and co-workers

Obtaining a Certificate

Installing a Certificate
  - Tools + Options + Security tab
  - Choose your certificate
  - Check these boxes to add your digital signature and to encrypt messages
  - These boxes set the default choices
  - For each message, you can use the options to check or uncheck these boxes

Encrypting and Signing Messages
  - Use the Options button and the Security Settings button to make sure the Encrypt and Signature boxes are checked
  - Then the encryption and decryption are automatic

Fragments of other slides recovered from the page:

Security survey figures (Dataquest; the two columns' headings are not present on the page)
  Attacks on Web servers: 24, 48
  Denial of service: 37, 39
  Insider physical theft or damage of equipment: 49, 42
  Insider electronic theft, destruction, or disclosure of data: 24, 22
  Fraud: 13

Virus threat (diagram): an e-mail attachment carrying virus code; other programs on the computer; the virus spreads until a certain date, then ...