Connecting with Computer Science, 2e
Chapter 2: Computing Security and Ethics

Objectives
• In this chapter you will:
  – Learn about the origins of computer hacking
  – Learn about some of the motivations for hackers and crackers
  – Learn about technologies that system intruders use
  – Learn about malicious code
  – Learn what social engineering is and how it works
  – Learn how security experts categorize types of system attacks
  – Learn about physical and technical safeguards

Objectives (cont'd.)
• In this chapter you will (cont'd.):
  – Learn how to create a good password
  – Learn about antivirus software
  – Learn about encryption
  – Learn about preventive system setup, including firewalls and routers
  – Learn about laws to protect intellectual property and prosecute cracking
  – Learn about ethical behavior in computing
  – Learn about privacy in computing and ways to ensure it

Why You Need to Know About... Computing Security and Ethics
• Good computer security
  – Requires looking beyond the Hollywood characterization
  – Is based on prevention
    • Accidental and natural events
• Security affects everyone, and everyone can affect it
  – Business computers are better protected than home computers
    • Mainly because corporations make a conscious effort to secure them

The Intruder
• Hacker
  – Technically proficient individual who breaks into a computer system
  – Originally connoted good intent
• Cracker
  – Unwelcome system intruder with malicious intent
• Phreaking
  – Illegally manipulating the AT&T phone system
• Script kiddie
  – Amateur hacker using available hacking tools

The Intruder (cont'd.)
• Intentional intruder types
  – Undirected hacker
    • Motivated by the challenge of breaking into a system
  – Directed hacker
    • Motivated by greed and/or politics
• Hacktivism
  – Cracking into a system as a political act
  – The Hacker's Manifesto
    • Anonymous document justifying cracking into systems as an ethical exercise

How Do They Get In?
• Failure to follow sound security practices
  – System configuration, programming, security
• Malicious software programs
  – Viruses
• Social engineering
  – Taking advantage of the innocent human tendency to be helpful
  – One of the most effective tools for hackers

Holes in the System
• Open nature of the Internet and networks
  – Remote access and mounting drives on other machines
• Backdoors
  – Shortcuts into programs created by system designers
• Sloppy programming
  – Leaving sensitive information in a URL string
• Buffer overflow
  – Placing more information into a memory location than that location can handle

Viruses, Worms, and Other Nasty Things
• Malicious code
  – Designed to breach system security and threaten digital information
• Viruses
  – Uninvited guest programs on a computer
    • Potential to damage files and the operating system
  – May be silent for a while
  – Sharing files may transmit viruses
  – E-mail attachments can host a virus
    • Activate when opened

Viruses, Worms, and Other Nasty Things (cont'd.)
[Figure 2-1: A typical virus e-mail warning]

Viruses, Worms, and Other Nasty Things (cont'd.)
• Worm
  – Program that actively reproduces itself across a network
• Bot
  – Program that can roam the Internet anonymously and works on its own
• Trojan program
  – Program posing as an innocent program
  – Worst case: a Trojan posing as an antivirus program

The Human Factor: Social Engineering
• Preys on human gullibility, sympathy, or fear to take advantage of the target
  – Posing as an insider at a company
  – Dumpster diving
  – Browsing a company Web site for intranet information
  – Using cracker techniques
  – Sending spam

Types of Attacks
• Access attacks include snooping, eavesdropping, and interception
  – Snooping: browsing a person's files
  – Eavesdropping: using a sniffer program
    • Allows the user to listen in on network traffic
  – Interception: determines whether the information continues on to its intended receiver
• Modification attacks
  – Alter information illicitly

Types of Attacks (cont'd.)
• Denial-of-service attacks
  – Prevent legitimate users from using the system or accessing information
  – Pure vandalism
• Repudiation attacks
  – Injure the reliability of information by creating a false impression about an event
    • Example: sending an e-mail to someone as if it were from someone else

Managing Security: The Threat Matrix
• Managed risk
  – The basis of security
• Risk
  – The relationship between vulnerability and threat
• Vulnerability
  – Sensitivity of the information and the skill level needed by the attacker to threaten that information
    • Examples: open ports and Internet connections
• Threat
  – Characterized by targets, agents, and events

Vulnerabilities
• Examples:
  – Internet connections
  – Hard or soft connections to partner organizations
  – Open ports
  – Physical access to the facilities
  – Phone modem access
• Evaluating vulnerabilities is essential

Threat: Agents
• Examples:
  – Crackers
  – Employees and ex-employees
  – Terrorists and criminals
  – Commercial rivals, partners, customers, visitors
  – Natural disasters
  – General public
• Items to examine regarding agents:
  – Access capability to information, knowledge, and motivation

Threat: Targets and Events
• Confidentiality
  – Ensures that only those authorized to access information can do so
• Encryption
  – Used for information with a
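The "Buffer overflow" bullet on the Holes in the System slide describes the defect only in one line. The following C program is an added illustration, not part of the textbook slides: it places the unchecked-copy pattern the slide warns about next to a hardened version that measures the input and refuses anything that does not fit. The field size NAME_LEN and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed: a small fixed-size field */

/* The pattern the slide describes: strcpy copies until it finds a NUL byte
 * and never asks how big the destination is. Any input of NAME_LEN or more
 * characters writes past the end of dest (undefined behaviour). Shown only
 * for contrast with the checked version below; the program calls it with an
 * input that fits. */
void unsafe_store_name(char dest[NAME_LEN], const char *input)
{
    strcpy(dest, input);
}

/* Hardened version: check the length before copying and refuse input that
 * does not fit. Returns 0 on success, -1 when the input was rejected. */
int safe_store_name(char dest[NAME_LEN], const char *input)
{
    size_t len = strlen(input);
    if (len >= NAME_LEN) {
        dest[0] = '\0';        /* leave dest in a defined state */
        return -1;             /* reject rather than truncate silently */
    }
    memcpy(dest, input, len + 1);   /* len + 1 copies the terminating NUL */
    return 0;
}

int main(void)
{
    char name[NAME_LEN];
    /* Constructed inputs: one that fits, one that is too long. */
    const char *ok = "alice";
    const char *too_long = "this string is longer than sixteen bytes";

    if (safe_store_name(name, ok) == 0)
        printf("stored: %s\n", name);
    if (safe_store_name(name, too_long) != 0)
        printf("rejected input of %zu bytes (limit %d)\n",
               strlen(too_long), NAME_LEN - 1);

    unsafe_store_name(name, ok);   /* fits, so no overflow here */
    printf("unsafe copy of short input: %s\n", name);
    return 0;
}
```

The check in safe_store_name is the whole mitigation: the destination size is known at compile time, so the function compares the input length against it before any byte is written. Rejecting oversized input outright (instead of silently truncating) also keeps the caller aware that something unexpected arrived, which is the kind of event worth logging.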