V.Ya. Kikot Moscow University of the Ministry of Internal Affairs of Russia, Department of Foreign Languages
V.N. Kulikov
COMPUTER SECURITY (Study Guide)
Edited by I.A. Gorsheneva, Head of the Department of Foreign Languages, Candidate of Legal Sciences, Professor, Honoured Worker of Higher Education of the Russian Federation
Moscow, 2019
Explanatory Note
This study guide, "COMPUTER SECURITY", is intended for cadets of the Faculty for Training Specialists in Information Security (FPSOIB), speciality "Security of Information Technologies in Law Enforcement", who are studying English. The guide has been compiled in accordance with the requirements of the State Educational Standard for English for non-language specialities at higher education institutions and with the working curriculum for students of the V.Ya. Kikot Moscow University of the Ministry of Internal Affairs of Russia. Its aim is to develop the curriculum-specified skills of analytical reading, comprehension and translation of authentic texts in the speciality, to expand students' vocabulary, and to develop communicative skills for using a foreign language in professional work. The guide consists of two parts. The first part comprises 5 units of the same type, containing authentic texts for reading and translation and lexical exercises. Each unit includes English-language texts in the speciality, active vocabulary to be learned, post-text exercises, and additional assessment tests and texts for translation with and without a dictionary. The second part contains authentic texts for annotation, summarising and additional reading in the speciality. The material presented corresponds to the stated subject matter and is modern and topical. The methodological concept allows students to improve their intercultural communicative competence in the field of their future professional work. The guide can be used both in classroom sessions and for independent study.
Unit 1. Introduction to Computer Security
Text 1. Read and translate the text.
What Is Computer Security?
The term computer security is closely related to the term information security. Information security is the process of protecting information. It protects its availability, privacy and integrity. Access to stored information on computer databases has increased greatly. More companies store business and individual information on computer than ever before. Much of the information stored is highly confidential and not for public viewing. Many businesses are solely based on information stored in computers. Personal staff details, client lists, salaries, bank account details, marketing and sales information may all be stored on a database. Without this information, it would often be very hard for a business to operate. Information security systems need to be implemented to protect this information.
Effective information security systems incorporate a range of policies, security products, technologies and procedures. Software applications which provide firewall information security and virus scanners are not enough on their own to protect information. A set of procedures and systems needs to be applied to effectively deter access to information.
There are people who make a living from hacking or breaking through information security systems. They use their technological skills to break into computer systems and access private information. Firewalls, which are designed to prevent access to a computer's network, can be bypassed by a hacker with the right hardware. This could result in the loss of vital information, or a virus could be planted and erase all information. A computer hacker can gain access to a network if a firewall is shut down for only a minute.
One of the biggest potential threats to information security is the people who operate the computers. A workplace may have excellent information security systems in place, but security can be easily compromised.
If a help desk worker gives out or resets passwords without verifying who the information is for, then anyone can easily gain access to the system. Computer operators should be made fully aware of the importance of security.
Simple security measures can be used by everyone to keep data secure. Changing passwords on your computer, and using combinations of letters and numbers, makes it harder for hackers to gain access. Also, do not keep a note of your password where it can be easily accessed. This is the same idea as not keeping your bank card and PIN number together. You would not want anyone to have access to the information or funds in your bank account, and it is the same with your computer.
There has never been such a thing as a totally secure system. Hackers will always find more sophisticated ways to gain access. However, with technology implementing higher levels of information security, such as iris recognition systems, security systems should keep them out for a little longer.
Task 1. Study the vocabulary
1. information security – Информационная безопасность
2. process of protecting information – Процесс защиты информации
3. availability – Доступность
4. privacy – Частная жизнь
5. integrity – Целостность
6. access – Доступ
7. increase – Увеличивать
8. store – Хранить
9. to implement – Выполнять, осуществлять
10. deter – Ограничивать допуск
11. breaking through – Проникать
12. iris – Радужная оболочка глаза
13. procedure – Метод, процедура
14. software – Программное обеспечение
15. hardware – Аппаратное обеспечение
16. vital information – Жизненно важная информация
17. gain access – Получить доступ
18. threat – Угроза
19. to be aware of – Знать, понимать, осознавать
Task 2. Answer the questions. 1. What is information security? 2. Where do many companies store business and individual information? 3. What kind of information is stored in computers now?
4. What systems need to be implemented to protect this information? 5. Are software applications which provide firewall information security and virus scanners enough on their own to protect information? 6. What measures should be applied to effectively deter access to information? 7. Can a computer hacker gain access to a network if a firewall is shut down for only a minute? 8. What is the biggest potential threat to information security? 9. Has there ever been such a thing as a totally secure system?
Fig. 1.
Text 2. Read and translate the text.
Information Security Attributes.
The information security attributes, or qualities, are Confidentiality, Integrity and Availability (CIA). Information systems are decomposed into three main portions (hardware, software and communications) in order to help identify and apply information security industry standards, as mechanisms of protection and prevention, at three levels or layers: physical, personal and organizational. Essentially, procedures or policies are implemented to tell people (administrators, users and operators) how to use products to ensure information security within the organizations. Information security (sometimes shortened to InfoSec) is the practice
of defending information from unauthorized access, use,
disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc...) Below are the typical terms you will hear when dealing with information security: IT Security = Sometimes referred to as computer security, IT Security is information security when applied to technology (most often some form of computer system). It is worthwhile to note that a computer does not necessarily mean a home desktop. A computer is any device with a processor and some memory (even a calculator). IT security specialists are almost always found in any major enterprise/establishment due to the nature and value of the data within larger businesses. They are responsible for keeping all of the technology within the company secure
from malicious cyber-attacks that often attempt to breach into critical private information or gain control of the internal systems. Information Assurance = the act of ensuring that data is not lost when critical issues arise. These issues include but are not limited to; natural disasters, computer/server malfunction, physical theft, or any other instance where data has the potential of being lost. Since most information is stored on computers in our modern era, information assurance is typically dealt with by IT security specialists. One of the most common methods of providing information assurance is to have an off-site backup of the data in case one of the mentioned issues arises. Governments, military, corporations, financial
institutions, hospitals,
and private businesses amass a great deal of confidential information about their employees, customers, products, research and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers. Should confidential information about a business' customers or finances or new product line fall into the hands of a competitor, such a breach of security could lead to negative consequences. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement. For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures. The field of information security has grown and evolved significantly in recent years. There are many ways of gaining entry into the field as a career. It offers many areas for specialization including: securing network(s) and allied infrastructure, securing applications and databases, security testing, information systems auditing, business continuity planning and digital forensics, etc.
Notes:
quality ['kwɔlətɪ] – качество
disclosure [dɪs'kləuʒə] – обнаружение, открытие, разоблачение, раскрытие; sensational / startling disclosure — сенсационное разоблачение
disruption [dɪs'rʌpʃ(ə)n] – нарушение, сбой, срыв; расстройство
perusal [pə'ruːz(ə)l] – внимательное чтение; прочтение
destruction [dɪ'strʌkʃ(ə)n] – разрушение; уничтожение
due to – благодаря; вследствие; в результате; из-за; an accident due to negligence — авария, произошедшая из-за невнимательности
malicious [mə'lɪʃəs] – злобный, зловредный
breach [briːʧ] – брешь, пролом, дыра; повреждение
assurance [ə'ʃuər(ə)n(t)s] – гарантия, заверение, обещание
backup – 1) резервное оборудование 2) резервирование, дублирование, копирование 3) резервировать (устройство)
amass [ə'mæs] – собирать; копить, накапливать
Task 2. Answer the questions: 1. What are the information security attributes or qualities? 2. In what portions are information systems decomposed? 3. What are the three levels of information security industry standards? 4. What do procedures or policies of Information Security tell people? 5. What is IT security? 6. What is a computer? 7. What are the responsibilities of IT security specialists? 8. What is one of the most common methods of providing information assurance?
Task 3. Find in the text English equivalents for the following word combinations.
Составные части информационной безопасности, конфиденциальность, целостность, доступность, программное обеспечение, аппаратное обеспечение, связь, промышленные стандарты информационной безопасности, механизмы защиты и предотвращения, защита информации, несанкционированный доступ, независимо от формы данных, безопасность информационных
технологий. Task 4. Translate into Russian: 1. Confidentiality Confidentiality refers to preventing the disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred. Confidentiality is necessary for maintaining the privacy of the people whose personal information is held in the system. 2. Integrity In information security, data integrity means maintaining and assuring the accuracy and consistency of data over its entire life-cycle. This means that data cannot be modified in an unauthorized or undetected manner. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of consistency as understood in the classic model of transaction processing. Integrity is violated when a message is actively modified in transit. Information security systems typically provide message integrity in addition to data confidentiality. 3. Availability For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to
protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks, such as a flood of incoming messages to the target system essentially forcing it to shut down. 4. Authenticity In computing, e-Business, and information security, it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim to be. Some information security systems incorporate authentication features such as "digital signatures", which give evidence that the message data is genuine and was sent by someone possessing the proper signing key. 5. Non-repudiation In law, non-repudiation implies one's intention to fulfill their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction. It is important to note that while technology such as cryptographic systems can assist in non-repudiation efforts, the concept is at its core a legal concept transcending the realm of technology. It is not, for instance, sufficient to show that the message matches a digital signature signed with the sender's private key, and thus only the sender could have sent the message and nobody else could have altered it in transit. The alleged sender could in return demonstrate that the digital signature algorithm is vulnerable or flawed, or allege or prove that his signing key has been compromised. 
The fault for these violations may or may not lie with the sender himself, and such assertions may or may not relieve the sender of liability, but the assertion would invalidate the claim that the signature necessarily proves authenticity and integrity and thus prevents repudiation. 6. Information security analysts Information security analysts are information technology (IT) specialists who are accountable for safeguarding all data and communications that are stored and shared in network systems. In the financial industry, for example, information security analysts might continually upgrade firewalls that prohibit superfluous access to sensitive
business data and might perform defenselessness tests to assess the effectiveness of security measures. Electronic commerce uses technology such as digital signatures and public key encryption to establish authenticity and nonrepudiation. Task 5. Translate into English. 1. Конфиденциальность: обеспечение доступа к информации только авторизованным пользователям. Состояние информации, при котором доступ к ней осуществляют только субъекты, имеющие на неё право; 2. Целостность: обеспечение достоверности и полноты информации и методов ее обработки. Избежание несанкционированной модификации информации; 3. Доступность: обеспечение доступа к информации и связанным с ней активам авторизованных пользователей по мере необходимости. Отсутствие временного или постоянного сокрытия информации от пользователей, получивших права доступа. 4. Информационная безопасность — все аспекты, связанные с определением, достижением и поддержанием конфиденциальности, целостности, доступности, неотказуемости, подотчётности, аутентичности и достоверности информации или средств её обработки. 5. Неотказуемость или апеллируемость (non-repudiation) — способность удостоверять имевшее место действие или событие так, что эти события или действия не могли быть позже отвергнуты; 6. подотчётность (accountability) — обеспечение идентификации субъекта доступа и регистрации его действий; 7. достоверность (reliability) — свойство соответствия предусмотренному поведению или результату; 8. аутентичность или подлинность (authenticity) — свойство, гарантирующее, что субъект или ресурс идентичен заявленным.
Text 2. Read and translate the text. DEFINING INFORMATION SECURITY Information security does not guarantee the safety of your organization or your information or your computer systems. Information security cannot, in and of itself, provide protection for your information. That being said, information security is also not a black art. There is no sorcery to implementing proper information security and the concepts that are included in information security are not rocket science. In many ways, information security is a mindset. It is a mindset of examining the threats and vulnerabilities of your organization and managing them appropriately. According to Merriam-Webster’s online dictionary (www.m-w.com), information is defined as: Knowledge obtained from investigation, study, or instruction, intelligence, news, facts, data, a signal or character (as in a communication system or computer) representing data, something (as a message, experimental data, or a picture) which justifies change in a construct (as a plan or theory) that represents physical or mental experience or another construct And security is defined as: Freedom from danger, safety; freedom from fear or anxiety If we put these two definitions together we can come up with a definition of information security: Measures adopted to prevent the unauthorized use, misuse, modification, or denial of use of knowledge, facts, data, or capabilities.
That definition encompasses quite a lot. It talks about all measures, whatever they may be, to prevent bad things from happening to knowledge, facts, data, or capabilities. We are also not limited to the form of the information. It might be knowledge or it might be capabilities. However, this definition of information security does not guarantee protection. Information security cannot guarantee protection. We could build the biggest fortress in the world and someone could just come up with a bigger battering ram. Information security is the name given to the preventative steps we take to guard our information and our capabilities. We guard these things against threats, and we guard them from the exploitation of a vulnerability.
Task 1. Answer the questions.
1. Does Information Security guarantee the safety of your organization? 2. What is the definition of Information according to Merriam-Webster’s online dictionary? 3. What is the definition of Security according to Merriam-Webster’s online dictionary? 4. What is the definition of Information Security?
Task 2. Translate the following words into Russian. 1. process, processing, processor, processed 2. memory, memorize, memorial, memorable, memorability 3. support, supporter, supporting 4. control, controllable, controller 5. specification, specify, specificator, specifier 6. compare, comparison, comparative, comparatively, comparable 7. transfer, transferrable, transferability, transferee, transferor 8. different, differ, difference, differential, differentiate 9. similarity, similar, similarly
10. access, accessibility, accessible, accessor 11. apply, application, applicable, applied 12. multitasking, multiprocessing, multipurpose, multivalued. 13. interfere, interference 14. advantage, disadvantage 15. management, manage, manageable, manager, manageress 16. precision, precise, precisely
Text 3. Read and translate the text.
Information security. The protection of any type of important data.
Information security is the process of protecting the availability, privacy, and integrity of data. While the term often describes measures and methods of increasing computer security, it also refers to the protection of any type of important data, such as personal diaries or the classified plot details of an upcoming book. No security system is foolproof, but taking basic and practical steps to protect data is critical for good information security.
Password Protection
Using passwords is one of the most basic methods of improving information security. This measure reduces the number of people who have easy access to the information, since only those with approved codes can reach it. Unfortunately, passwords are not foolproof, and hacking programs can run through millions of possible codes in just seconds. Passwords can also be breached through carelessness, such as by leaving a public computer logged into an account or using a too simple code, like "password" or "1234." To make access as secure as possible, users should create passwords that use a mix of upper and lowercase letters, numbers, and
symbols, and avoid easily guessed combinations such as birthdays or family names. People should not write down passwords on papers left near the computer, and should use different passwords for each account. For better security, a computer user may want to consider switching to a new password every few months. Notes: measure ['meʒə] - мера; единица измерения; foolproof ['fuːlpruːf] - защищённый от неправильного использования (о технических устройствах), надёжный, верный, foolproof plan — надёжный план
Questions: 1. What is information security? 2. What does the term “Information security” often describe? 3. What is one of the most basic methods of improving information security? 4. What do you think: are passwords foolproof or not? 5. What kind of passwords should users create to make access as secure as possible?
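The advice in the Password Protection text can be expressed as a small checker. This is an added example, not part of the original study guide; the guessing rate, the sample list of common passwords and all function names are assumptions made for illustration.

```python
"""Password checks based on the advice in the "Password Protection" text."""
import re
import string

# Assumption: an illustrative guessing rate. The text only says "millions of
# possible codes in just seconds"; real rates depend on how passwords are stored.
ASSUMED_GUESSES_PER_SECOND = 1_000_000

# Constructed sample list. "password" and "1234" are the two examples the text
# names; the others are added here for illustration.
COMMON_PASSWORDS = {"password", "1234", "123456", "qwerty", "letmein"}

CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,  # 26 characters
    "uppercase": string.ascii_uppercase,  # 26 characters
    "digit": string.digits,               # 10 characters
    "symbol": string.punctuation,         # 32 characters
}

# Eight digits that read as DDMMYYYY or YYYYMMDD, i.e. a likely birthday.
DATE_PATTERN = re.compile(
    r"(?:(?:0[1-9]|[12]\d|3[01])(?:0[1-9]|1[0-2])(?:19|20)\d\d"
    r"|(?:19|20)\d\d(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01]))"
)


def alphabet_size(password):
    """Size of the smallest pool of character classes that covers the password."""
    return sum(
        len(pool)
        for pool in CHARACTER_CLASSES.values()
        if any(ch in pool for ch in password)
    )


def search_space(password):
    """Number of candidates of the same length drawn from the same classes.

    Characters outside the four ASCII classes are not counted, so for such
    passwords the result is a lower bound.
    """
    return max(alphabet_size(password), 1) ** len(password)


def worst_case_seconds(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Time to try every candidate in the search space at the assumed rate."""
    return search_space(password) / rate


def findings(password, personal_words=()):
    """Return the weaknesses the text warns about, as short labels."""
    issues = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        issues.append("common-password")
    if DATE_PATTERN.fullmatch(password):
        issues.append("looks-like-date")
    # Family or pet names supplied by the caller (the text's "easily guessed
    # combinations such as birthdays or family names").
    for word in personal_words:
        if word and word.lower() in lowered:
            issues.append("contains-personal-word:" + word.lower())
    for name, pool in CHARACTER_CLASSES.items():
        if not any(ch in pool for ch in password):
            issues.append("missing-" + name)
    return issues


def assess(password, personal_words=()):
    """Combine the rule checks with the brute-force estimate."""
    return {
        "issues": findings(password, personal_words),
        "search_space": search_space(password),
        "worst_case_seconds": worst_case_seconds(password),
    }


if __name__ == "__main__":
    # Constructed sample passwords.
    for sample in ["1234", "password", "14021990", "Rex2019!", "Tr7!kq#Vz2mP"]:
        result = assess(sample, personal_words=["Rex"])
        print(f"{sample!r}: {result['worst_case_seconds']:.3g} s worst case, "
              f"issues={result['issues']}")
```

Note that "password" takes about 2.4 days to exhaust by pure brute force at the assumed rate, yet it is flagged as a common password, which is why the rule checks matter as much as the size of the search space.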
Antivirus and Malware Protection One way that hackers gain access to secure information is through malware, which includes computer viruses, spyware, worms, and other programs. These pieces of code are installed on computers to steal information, limit usability, record user actions, or destroy data. Using strong antivirus software is one of the best ways of improving information security. Antivirus programs scan the system to check for any known malicious software, and most will warn the user if he or she is on a webpage that contains a potential virus. Most programs will also perform a
scan of the entire system on command, identifying and destroying any harmful objects. Most operating systems include a basic antivirus program that will help protect the computer to some degree. The most secure programs are typically those available for a monthly subscription or one-time fee, and which can be downloaded online or purchased in a store. Antivirus software can also be downloaded for free online, although these programs may offer fewer features and less protection than paid versions. Even the best antivirus programs usually need to be updated regularly to keep up with the new malware, and most software will alert the user when a new update is available for downloading. Users must be aware of the name and contact method of each anti-virus program they own, however, as some viruses will pose as security programs in order to get an unsuspecting user to download and install more malware. Running a full computer scan on a weekly basis is a good way to weed out potentially malicious programs. Questions: 1. In what way do hackers gain access to secure information? 2. What kind of programs does malware include? 3. What is one of the best ways of improving information security?
Firewalls A firewall helps maintain computer information security by preventing unauthorized access to a network. There are several ways to do this, including by limiting the types of data allowed in and out of the network, rerouting network information through a proxy server to hide the real address of the computer, or by monitoring the characteristics of the data to determine if it's trustworthy. In essence, firewalls filter the information that
passes through them, only allowing authorized content in. Specific websites, protocols (like File Transfer Protocol or FTP), and even words can be blocked from coming in, as can outside access to computers within the firewall. Most computer operating systems include a pre-installed firewall program, but independent programs can also be purchased for additional security options. Together with an antivirus package, firewalls significantly increase information security by reducing the chance that a hacker will gain access to private data. Without a firewall, secure data is more vulnerable to attack.
Questions: 1. How does a firewall help maintain computer security? 2. What does the acronym FTP mean? 3. Is a firewall program pre-installed in most computer operating systems?
Codes and Cyphers
Encoding data is one of the oldest ways of securing written information. Governments and military organizations often use encryption systems to ensure that secret messages will be unreadable if they are intercepted by the wrong person. Encryption methods can include simple substitution codes, like switching each letter for a corresponding number, or more complex systems that require complicated algorithms for decryption. As long as the code method is kept secret, encryption can be a good basic method of information security. On computer systems, there are a number of ways to encrypt data to make it more secure. With a symmetric key system, only the sender and
the receiver have the code that allows the data to be read. Public or asymmetric key encryption involves using two keys — one that is publicly available so that anyone can encrypt data with it, and one that is private, so only the person with that key can read the data that has been encoded. Secure socket layers use digital certificates, which confirm that the connected computers are who they say they are, and both symmetric and asymmetric keys to encrypt the information being passed between computers.
Questions: 1. What is one of the oldest ways of securing written information? 2. What do Governments and military organizations often use to ensure that secret messages will be unreadable if they are intercepted by the wrong person? 3. What is a symmetric key system? 4. What does the public or asymmetric key encryption involve?
Legal Liability Businesses and industries can also maintain information security by using privacy laws. Workers at a company that handles secure data may be required to sign non-disclosure agreements (NDAs), which forbid them from revealing or discussing any classified topics. If an employee attempts to give or sell secrets to a competitor or other unapproved source, the company can use the NDA as grounds for legal proceedings. The use of liability laws can help companies preserve their trademarks, internal processes, and research with some degree of reliability. Training and Common Sense
One of the greatest dangers to computer data security is human error or ignorance. Those responsible for using or running a computer network must be carefully trained in order to avoid accidentally opening the system to hackers. In the workplace, creating a training program that includes information on existing security measures as well as permitted and prohibited computer usage can reduce breaches in internal security. Family members on a home network should be taught about running virus scans, identifying potential Internet threats, and protecting personal information online. In business and personal behavior, the importance of maintaining information security through caution and common sense cannot be understated. A person who gives out personal information, such as a home address or telephone number, without considering the consequences may quickly find himself the victim of scams, spam, and identity theft. Likewise, a business that doesn't establish a strong chain of command for keeping data secure, or provides inadequate security training for workers, creates an unstable security system. By taking the time to ensure that data is handed out carefully and to reputable sources, the risk of a security breach can be significantly reduced.
Questions: 1. What kind of document may workers at a company that handles secure data be required to sign? 2. What do the non-disclosure agreements (NDAs) forbid them from doing? 3. What cannot be understated in business and personal behavior?
How often should I change my password? Most computer experts and online security professionals recommend changing your Internet passwords and account login information at least
once every three months. It may be safe for you to wait longer; it just depends on your computer habits, and how and where you surf the web. Changing all of your passwords every three to six months can be a time-consuming and even a frustrating task, but it is a sure way to guarantee some level of safety for all of your online accounts. It is not the only safety precaution that should be considered for your login information, however. Whether you bank online or you are just sending a few simple emails, secure passwords are essential. It is also important to keep them all private. Avoid writing them down, even in your own home. Writing down a password is a quick way for an unauthorized person to gain access to your login information and every part of your online life. Online passwords are used for everything from email accounts to website subscriptions and shopping accounts. Some of these online records
even hold important financial information, such as credit
card numbers. With phishing, identity theft, and other Internet crimes becoming more frequent everyday occurrences, it is important to choose a password that cannot be easily estimated or presumed. It is the people that use family or pet names that are the most vulnerable to Internet crimes. So choose a strong word and be sure to change it often. Changing your password is an easy task that can be completed in a matter of a few minutes. How often a person should change it depends on the way that they use the Internet. It is best for people who habitually use public computers to change their passwords often. In fact, these people may need to change certain ones much more frequently than people who use personal computers and private Internet connections 100% of the time. When changing your password, it is imperative that you keep in mind the following tips. First, choose a word that no one knows and no one would be able to guess. Then combine your chosen word with a selection
of numbers or letters for extra security. Make it case-sensitive as well, since those that include both upper and lowercase letters are more difficult to figure out.
Questions: 1. How often do most computer experts and online security professionals recommend changing your Internet passwords and account login information? 2. What Internet crimes become more frequent every day? 3. What is it imperative to keep in mind when changing your password?
Malware
Malware is a portmanteau, a term combining "malicious" and "software" to describe a type of program designed to steal information from or cause damage to a computer. It includes things
like spyware and adware programs, including pop-ups and even tracking cookies, which are used to monitor users' surfing habits without permission. It also includes more sinister hazards, such as keyloggers, Trojan horses, worms, and viruses. In simpler terms, it is any software that is intended by the developer to cause harm or exploit people's computers or private records without consent.
The Threat Posed by Malware
The threat posed by malicious software has expanded roughly in parallel with the number of people using the Internet around the world. The earliest well-known examples of malware, which appeared during the early to mid-1990s, were largely the result of experimentation and pranks by curious developers trying to expand their skills. Many of these caused little if any actual harm, and simply resulted in uncommanded actions such as displaying a humorous image on the victim's computer screen. This gradually gave way to efforts to exploit infected computers for annoying but relatively mundane purposes, such as distributing spam email and other forms of advertising. As Internet usage became more widespread, however, a new term was coined: cyber-crime. People with bad intentions quickly realized the potential for using these same tools for stealing, extortion, and carrying out various political agendas. Other perpetrators have used dedicated software to target specific victims; this would include so-called "denial of service attacks" against large companies or government agencies, as well as programs designed for identity theft. To make matters more confusing, it is widely believed that the governments of many countries have either experimented with or have directly employed malware to carry out attacks against enemy groups or nations, as well as for intelligence gathering; experts commonly refer to this as electronic warfare.
Questions: 1. What is malware? 2. What does malware include? 3. When did the earliest well-known examples of malware appear? 4. What new types of cyber-crimes appeared as Internet usage became more widespread?
Types of Malware
Though new types of malicious software are constantly under development, these programs generally fall into a few broad categories. Viruses are perhaps the best-known category, and consist of harmful
programs designed to "infect" legitimate software programs. Once a person installs and runs the infected program, the virus activates and spreads itself to other programs installed on the computer before taking further action such as deleting critical files within the operating system. Similarly, "worms" are stand-alone programs that are able to transmit themselves across a network directly. Both types of malware can cause severe damage by eating up essential system resources, which may cause the victimized computer to freeze or crash. Viruses and worms commonly exploit shared files and databases like email address books to spread to other computers. Less obvious but equally insidious threats include keyloggers, programs that record every keystroke the user makes and then forward that information to whomever installed the program to begin with. This makes it possible to steal information such as passwords, bank account numbers, and credit card numbers. A Trojan horse is a malicious program disguised within another piece of software that appears to be legitimate. Once installed, however, the Trojan may install a "backdoor" through which to retrieve
personal information and transfer it to another computer. Hackers commonly employ these forms of malware for
perpetrating identity theft.
Questions: 1. What broad categories of malicious software do you know? 2. What is one of the best known categories of malicious software? 3. How could viruses and worms be spread to other computers?
PCs vs Macs
It is generally true that PCs are more likely to fall victim to malware than Apple Macintosh® machines. There are many theories behind why this is so. Some suggest that the sheer number of Windows® PCs in existence makes them a more profitable target. Other experts have suggested that the architecture of the operating system used in Macs is designed in a way that makes it harder to hack. Despite these advantages, Mac-oriented viruses and related hazards are out there, and reasonable precautions are just as important as they are for PCs.
Countering the Threat
Anti-virus programs are good protection when kept up to date. Some of these products can even scan email for any type of malicious or suspicious code, and alert the user to its presence, even if it is not currently recognized. Frequently, however, they miss certain types of threats, such as Trojans and spyware, so it is a good idea to run at least one anti-adware program in conjunction with anti-virus. Using a firewall is also helpful because, while it won't keep malware out, it can keep such programs from accessing the Internet and delivering personal information to the intended target. No single product can guarantee to protect a computer from all of these malicious programs. Developers on both sides are locked in a constant battle to get ahead of the other. Ultimately, the user is the last line of defense by being cautious about opening emails from unknown sources, and steering away from disreputable websites.
Hunting down the Culprits
While developing software to detect, remove, and undo the damage has become a profitable industry, there is also a concerted effort underway to bring those responsible to justice. This is a huge challenge because even though cyber criminals often form large underground organizations, the individual participants are typically scattered around the world, and can communicate or do their work from any location that has a computer and Internet access. Only through international cooperation can law
enforcement agencies be effective; indeed such joint operations have led to some dramatic successes. Not all governments are equally cooperative, however, and some seem to turn a blind eye altogether, greatly impeding attempts to attack the problem at its source.
Task 2. INFORMATION SECURITY TEST
1. Due to a malfunction in the online security system, the database was left open and ......... to attack.
(a) palpable (b) negotiable (c) vulnerable (d) operable
2. The customers' information was hijacked and ......... to a rival company.
(a) on sold (b) undersold (c) oversold (d) sold
3. After the company's data records mysteriously went missing overnight, new password protection programs were ..........
(a) implemented (b) illustrated (c) instilled (d) instigated
4. The computer hacker paid his fellow worker ......... money not to speak to anyone about his criminal activities.
(a) hush (b) calm (c) silent (d) quiet
5. By day, the accountant went about his work in a professional manner. No one suspected that at night, he was ......... the books.
(a) logging (b) cooking (c) drawing (d) overturning
6. According to ......... theory, the longer a password is, the more difficult it is to guess. Unfortunately this also makes it more difficult to remember!
(a) compatible (b) constructive (c) convenient (d) contemporary
7. Patents do not protect a product from being duplicated. Many countries simply do not ......... patent laws.
(a) recognise (b) regale (c) neglect (d) discover
8. The PR company hoped that by ......... potential employees to personality profiling tests, they would discover if any candidates were untrustworthy.
(a) instructing (b) submitting (c) demanding (d) attending
9. ......... wisdom holds that one should upload new files only if they have been checked with virus-detection software.
(a) Concise (b) Convivial (c) Conventional (d) Correctional
10. The man's employment ......... were not good. He had a criminal record for credit card fraud.
(a) prospects (b) negotiations (c) applications (d) negations
Task 3. Translate the following words without the dictionary, guess their meaning. Conductor; to contain; application; to automize; attraction; efficiency; creature; to extract; expansion; percent; variation; original; compression; to modify; the same; to calculate; copy; to copy; memory; to alter; manufacture; routine; to detect; to invalidate; multiple; reason; authority; definition.
Task 4. Read the instruction: Translate the word combinations. Remember that the head word stands at the end of the word combination, so the combination should be translated from right to left and then arranged correctly in Russian (this rule does not apply to word combinations with prepositions). Many of the words given here are derived and international words.
1. digital signal processor; general purpose processor; data processor; support processor; self-testing chip; basis circuit; digital computing circuit; feedback
circuit; storage selection circuit; communication support; hardware support; first-line support; character recognition (recognition) device; exchange device; external device; servo drive;
2. concurrent process; predefined process; bit-by-bit transfer; internal transfer; serial transfer; alternative path; circuit path; execution path (branch); multiple choice (choice) path; address bus; check bus; control bus; child pointer; parent pointer; current-line pointer;
3. nonprocedural data access; single user access; unauthorized access; direct access application; distributed application; equipment compatibility; firmware compatibility; unit-to-unit compatibility; fail-safe feature; noiseproof feature; query enhancement; design for reliability; design for testability; file access mode; multitask mode; manual mode; control current; pulse current; storage contents; data content; computing flexibility; computer assisted management; network resource manager;
4. complex integer; single precision integer; design value; fractional value; desired value; upper value of game; successive values; engineering solution; check solution; machine independent solution; degree of freedom; double precision; single precision; mixed precision; operational reliability; block address interrupt routine; error control routine; debugging routine; complete routine; end-of-file routine; end-of-run routine; maintenance routine; search routine; "Watchdog" routine; transient routine.
Unit 2.
Text 1. Read and translate the text.
History of Information Security
Since the early days of writing, politicians, diplomats and military commanders understood that it was necessary to provide some mechanism to protect the confidentiality of correspondence and to have some means of detecting tampering. Julius Caesar is credited with the invention of the Caesar cipher ca. 50 B.C., which was created in order to prevent his secret messages from being read should a message fall into the wrong hands, but for the most part protection was achieved through the application of procedural handling controls. Sensitive information was marked up to indicate that it should be protected and transported by trusted persons, guarded and stored in a secure environment or strong box. As postal services expanded, governments created official organizations to intercept, decipher, read and reseal letters (e.g. the UK Secret Office and Deciphering Branch in 1653). In the mid-19th century more complex classification systems were developed to allow governments to manage their information according to the degree of sensitivity. The British Government codified this, to some extent, with the publication of the Official Secrets Act in 1889. By the time
of the First World War, different classification systems were used to communicate information to and from various fronts, which encouraged greater use of code making and breaking sections in diplomatic and military headquarters. In the United Kingdom this led to the creation of the Government Codes and Cypher School in 1919. Encoding became more sophisticated between the wars as machines were employed to scramble and unscramble information. The volume of information shared by the Allied countries during the Second World War necessitated formal alignment of classification systems and procedural controls. An arcane range of markings evolved to indicate who could handle documents (usually officers rather than men) and where they should be stored as increasingly complex safes and storage facilities were developed. The end of the 20th century and early years of the 21st century saw rapid advancements in telecommunications, computing hardware and software and data encryption. The availability of smaller, more powerful and
less expensive computing equipment made electronic data processing
processing within the reach of small business and the home user. These computers quickly became interconnected through a network generically called the Internet. The rapid growth and widespread use of electronic data processing and electronic business conducted through the Internet, along with numerous occurrences of international terrorism, fueled the need for better methods of protecting the computers and the information they store, process
and transmit. The academic disciplines of computer security and information assurance emerged along with numerous professional organizations – all sharing the common goals of ensuring the security and reliability of information systems.
Notes:
tampering - 1) to interfere, to meddle 2) to spoil, to cause damage. Someone has been tampering with this machine; it won't work. 3) to forge, to falsify;
ca. 50 B.C - circa (ca) ['sɜːkə] – approximately;
Sensitive information - important [significant, secret, confidential, critical] information; information whose loss, disclosure or destruction is, for one reason or another, undesirable for the business, the functioning of the system, or its owner;
Intercept - 1) interception (of messages, signals) 2) eavesdropping, listening in;
arcane [ɑː'keɪn] - secret, hidden; obscure, mysterious; confidential;
generically - in general;
Task 1. Answer the questions. 1. Why was it necessary to provide some mechanism to protect the confidentiality of correspondence and to have some means of detecting tampering? 2. When did Julius Caesar invent his cipher? 3. When was the UK Secret Office and Deciphering Branch founded? 4. When was the Government Codes and Cypher School created in the United Kingdom? 5. In what period did we see rapid advancements in telecommunications, computing hardware and software and data encryption?
Text 2. Read and translate the text.
BRIEF HISTORY OF SECURITY
How we handle the security of information and other assets has evolved over time as our society and technology have evolved.
Understanding this evolution is important to understanding how we need to approach security today. The following sections follow security in a rough chronological order. If we learn from history, we are much less likely to repeat the mistakes of those who came before us.
Physical Security
Early in history, all assets were physical. Important information was also physical as it was carved into stone and later written on paper. (Actually, most historical leaders did not place sensitive/critical information in any permanent form, which is why there are very few records of alchemy. They also did not discuss it with anyone except their chosen disciples—knowledge was and is power. Maybe this was the best security. Sun Tzu said “A secret that is known by more than one is no longer a secret.”) To protect these assets, physical security, such as walls, moats, and guards, was used. If the information was transmitted, it usually went by messenger and usually with a guard. The danger was purely physical. There was no way to get at the information without physically grasping it. In most cases, the asset (money or written information) was stolen. The original owner of the asset was deprived of it.
Communications Security
Unfortunately, physical security had a flaw. If a message was captured in transit, the information in the message could be learned by an enemy. As far back as Julius Caesar, this flaw was identified. The solution was communications security. Julius Caesar created the Caesar cipher. This cipher allowed him to send messages that could not be read if they were intercepted.
This concept continued into World War II. Germany used a machine called Enigma (see Figure 2) to encrypt messages sent to military units. The Germans considered Enigma to be unbreakable; if it had been used properly, it certainly would have been very difficult. As it was, some operator mistakes were made and the Allies were able to read some messages. Military communications also used code words for units and places in their messages. Japan used code words for their objectives during the war and that made true understanding of their messages difficult even though the United States had broken their code. During the lead-up to the Battle of Midway, American code breakers tried to identify the target referenced only as “AF” in Japanese messages.
Figure 2. The Enigma machine.
They finally had Midway send a message in the clear regarding a water shortage. The Japanese intercepted the message and sent a coded message noting that “AF” was short of water. Since the Americans were reading the Japanese messages, they were able to learn that “AF” was in fact Midway. Messages were not the only type of traffic that was encoded. To guard against the enemy listening to voice messages, American military units used Navaho Code Talkers. The Navaho spoke their native language to transmit messages; if the enemy was listening to the radio traffic, they would not be able to understand the messages. After World War II, the Soviet Union used one-time pads to protect information transmitted by spies. The one-time pads were literally pads of paper with random numbers on each page. Each page was used for one message and only one message. This encryption scheme is unbreakable if used properly, but the Soviet Union made the mistake of not using it properly (they reused the one-time pads) and thus some of the messages can be decrypted.
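Why reusing a pad page undoes the scheme, shown as an added example that is not part of the original text. It uses byte-wise XOR in place of the number groups on a paper pad, and the `PadBook` class, the function names and the sample messages are constructed for illustration.

```python
import secrets


class PadReuseError(Exception):
    """Raised when a pad page is requested a second time."""


class PadBook:
    """A pad of random pages; each page is destroyed as soon as it is handed out."""

    def __init__(self, pages: int, page_len: int):
        # secrets.token_bytes draws from the operating system's secure random source.
        self.pages = {n: secrets.token_bytes(page_len) for n in range(pages)}

    def take_page(self, number: int) -> bytes:
        try:
            return self.pages.pop(number)  # pop() tears the page out of the pad
        except KeyError:
            raise PadReuseError(f"page {number} already used or missing") from None


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp(message: bytes, page: bytes) -> bytes:
    """Encrypt or decrypt (the same operation) one message with one pad page."""
    if len(page) < len(message):
        raise ValueError("pad page is shorter than the message")
    return xor_bytes(message, page)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What a listener holds when one page encrypted both messages:
    (p1 ^ k) ^ (p2 ^ k) == p1 ^ p2, so the random key has cancelled out."""
    return xor_bytes(c1, c2)


def read_second_message(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Once the content of one message is known, the other follows directly."""
    return xor_bytes(reuse_leak(c1, c2), known_p1)


def demo():
    p1 = b"MEET AT THE NORTH BRIDGE AT NINE"  # constructed sample message
    p2 = b"SEND FUNDS TO THE USUAL ADDRESS."  # constructed sample message
    book = PadBook(pages=2, page_len=len(p1))
    page = book.take_page(0)

    # Misuse: the sender kept a copy of the page and used it for both messages.
    c1, c2 = otp(p1, page), otp(p2, page)
    recovered = read_second_message(c1, c2, known_p1=p1)

    # Correct use: the pad itself refuses to hand out page 0 a second time.
    try:
        book.take_page(0)
        reuse_blocked = False
    except PadReuseError:
        reuse_blocked = True
    return recovered, reuse_blocked


if __name__ == "__main__":
    print(demo())
```

The one-page-per-message rule is enforced here by destroying the page on first use, which is the property the reused pads lacked.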
Emissions Security
Aside from mistakes in the use of encryption systems, good encryption is hard to break. Therefore, attempts were made to find other ways to capture information that was being transmitted in an encrypted form. In the 1950s, it was learned that access to messages could be achieved by looking at the electronic signals coming over phone lines. All electronic systems give off electronic emissions. This includes the teletypes and the encryptors being used to send encrypted messages. The encryptor would take in the message, encrypt it, and send it out over a telephone line. It was found that electric signals representing the original message were also found on the telephone line. This meant that the messages could be recovered with some good equipment. This problem caused the United States to create a program called TEMPEST. The TEMPEST program created electrical emissions standards for computer systems used in very sensitive environments. The goal was to reduce emissions that could be used to gather information.
Figure. Electronic signals bypass encryption.
Computer Security
Communications and emissions security were sufficient when messages were sent by teletype. Then computers came on the scene and most of the information assets of organizations migrated on to them in an electronic format. Over time, computers became easier to use and more people got access to them with interactive sessions. The information on the systems became accessible to anyone who had access to the system. In the early 1970s, David Bell and Leonard La Padula developed a model for secure computer operations. This model was based on the government concept of various levels of classified information (unclassified, confidential, secret, and top secret) and various levels of clearances. Thus, if a person (a subject) had a clearance level that dominated (was higher than) the classification level of a file (an object), that person could access the file. If the person’s clearance level was lower than the file’s classification, access would be denied. This concept of modeling eventually led to United States Department of Defense Standard 5200.28, The Trusted Computing System Evaluation Criteria (TCSEC, also known as the Orange Book) in 1983. The Orange Book defines computer systems according to the following scale:
D Minimal Protection or Unrated
C1 Discretionary Security Protection
C2 Controlled Access Protection
B1 Labeled Security Protection
B2 Structured Protection
B3 Security Domains
A1 Verified Design
For each division, the Orange Book defined functional requirements as well as assurance requirements. Thus, in order for a system to meet the qualifications for a particular level of certification it had to meet the functional and the assurance requirements. The assurance requirements for the more secure certifications took significant periods of time and cost the vendor a lot of money. This resulted in few systems being certified above C2 (in fact, only one system was ever certified A1, the Honeywell SCOMP) and the systems that were certified were obsolete by the time they completed the process. Other criteria attempted to decouple functionality from assurance. These efforts included the German Green Book in 1989, the Canadian Criteria in 1990, the Information Technology Security Evaluation Criteria (ITSEC) in 1991, and the Federal Criteria in 1992. Each of these efforts attempted to find a method of certifying computer systems for security. The ITSEC and the Federal Criteria went so far as to leave functionality virtually undefined. The concept was that common application environments would develop their own profiles for security functionality and assurance levels. The profiles would then be used by some authority to certify the compliance of computer systems. In the end, computer system technology moved too fast for certification programs. New versions of operating systems and hardware
were being developed and marketed before an older system could be certified.
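The clearance check from the Bell and La Padula model described in this section, as an added example that is not part of the original text. It goes beyond the read rule given in the text by also modelling compartments and the model's write rule ("no write down"); the subject, file names and compartment names are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """The four classification levels named in the text, lowest to highest."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """Security label of a subject (clearance) or an object (classification)."""
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A label dominates another when its level is at least as high and it
        # holds every compartment of the other. Equal labels dominate each other.
        return self.level >= other.level and self.compartments >= other.compartments


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): clearance must dominate the file."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): the file must dominate the writer, so data
    read at a high level cannot be copied into a lower-level file."""
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, mode: str) -> str:
    """Return ALLOW or DENY for one access request."""
    if mode == "read":
        allowed = can_read(subject, obj)
    elif mode == "write":
        allowed = can_write(subject, obj)
    else:
        raise ValueError(f"unknown access mode: {mode}")
    return "ALLOW" if allowed else "DENY"


def audit(subject: Label, requests):
    """Evaluate a list of (file name, label, mode) requests for one subject."""
    return [(name, mode, decide(subject, label, mode)) for name, label, mode in requests]


# Constructed sample data: one analyst cleared SECRET for the CRYPTO compartment.
ANALYST = Label(Level.SECRET, frozenset({"CRYPTO"}))
REQUESTS = [
    ("press-release.txt", Label(Level.UNCLASSIFIED), "read"),
    ("field-report.txt", Label(Level.SECRET, frozenset({"CRYPTO"})), "read"),
    ("war-plan.txt", Label(Level.TOP_SECRET), "read"),
    ("reactor-notes.txt", Label(Level.SECRET, frozenset({"NUCLEAR"})), "read"),
    ("bulletin.txt", Label(Level.UNCLASSIFIED), "write"),
    ("ts-crypto-log.txt", Label(Level.TOP_SECRET, frozenset({"CRYPTO"})), "write"),
]

if __name__ == "__main__":
    for name, mode, result in audit(ANALYST, REQUESTS):
        print(f"{result:5} {mode:5} {name}")
```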
Network Security
One other problem related to the computer security evaluation criteria was the lack of a network understanding. When computers are networked together, new security issues arise and old issues arise in different ways. For example, we have communications but we have it over local area networks instead of wide area networks. We also have higher speeds and many connections to a common medium. Dedicated encryptors may not be the answer any more. We also have emissions from copper wire running throughout a room or building. And lastly, we have user access from many different systems without the central control of a single computer system. The Orange Book did not address the issue of networked computers. In fact, network access could invalidate an Orange Book certification. The answer to this was the Trusted Network Interpretation of the TCSEC (TNI, or the Red Book) in 1987. The Red Book took all of the requirements of the Orange Book and attempted to address a networked environment of computers. Unfortunately, it too linked functionality with assurance. Few systems were ever evaluated under the TNI and none achieved commercial success.
Information Security Characteristics
So where does this history lead us? It would appear that none of the solutions by themselves solved all of the security problems. In fact, good security actually is a mix of all of these solutions. Good physical security is necessary to protect physical assets like paper records and systems. Communication security (COMSEC) is necessary to protect information in transit. Emission security (EMSEC) is needed when the enemy has significant resources to read the electronic emissions from our computer systems. Computer security (COMPUSEC) is necessary to control access on our computer systems and network security (NETSEC) is needed to control the security of our local area networks. Together, all of these concepts provide information security (INFOSEC). What we do not have is any kind of certification process for computer systems that validates the security that is provided. Technology has simply progressed too fast for most of the proposed processes. The concept of a security Underwriters Laboratory has been proposed recently. The idea would be to have the lab certify the security of various products. If the product is not certified, users might be considered negligent if their site was successfully penetrated. Unfortunately, we have two problems with such a concept:
The pace of technology continues so there is little reason to believe that a lab would have any better luck certifying products before they become obsolete than previous attempts.
It is extremely difficult if not impossible to prove that something is secure. You are in effect asking the lab to prove a negative (that the system cannot be broken into). What if a new development tomorrow causes all previous certifications to become obsolete? Does every system now have to be recertified?
As the industry continues to search for the final answer, we are left to define security as best we can. We do this through good security practice and constant vigilance.
WHY SECURITY IS A PROCESS, NOT POINT PRODUCTS
Obviously, we cannot just rely on a single type of security to provide protection to an organization’s information. Likewise, we cannot rely on a single product to provide all of the necessary security for our computer and network systems. Unfortunately, some vendors (in their zeal to sell their products) have implied that such was actually true. The reality of the situation is that no one product will provide total security for an organization. Many different products and types of products are necessary to fully protect an organization’s information assets. In the next few paragraphs, we will see why some of the more prominent security product categories cannot be the all-encompassing solution.
Anti-Virus Software
Anti-virus software is a necessary part of a good security program. If properly implemented and configured, it can reduce an organization’s exposure to malicious programs. However, anti-virus software only protects an organization from malicious programs (and not all of them—remember Melissa?). It will not protect an organization from an intruder who misuses a legitimate program to gain access to a system. Nor will anti-virus software protect an organization from a legitimate user who attempts to gain access to files that he should not have access to.
Access Controls
Each and every computer system within an organization should have the capability to restrict access to files based on the ID of the user attempting the access. If systems are properly configured and the file permissions set appropriately, file access controls can restrict legitimate users from accessing files they should not have access to. File access controls will not prevent someone from using a system vulnerability to gain access to the system as an administrator and thus see files on the system. Even access control systems that allow the configuration of access controls on systems across the organization cannot do this. To the access control system, such an attack will look like a legitimate administrator attempting to access files to which the account is allowed access.
Firewalls
Firewalls are access control devices for the network and can assist in protecting an organization’s internal network from external attacks. By their nature, firewalls are border security products, meaning that they exist on the border between the internal network and the external network. Properly configured, firewalls have become a necessary security device. However, a firewall will not prevent an attacker from using an allowed connection to attack a system. For example, if a Web server is allowed to be accessed from the outside and is vulnerable to an attack against the Web server software, a firewall will likely allow this attack since the Web server should receive Web connections. Firewalls will also not protect an organization from an internal user since that internal user is already on the internal network.
Smart Cards
Authenticating an individual can be accomplished by using any combination of something you know, something you have, or something you are. Historically, passwords (something you know) have been used to prove the identity of an individual to a computer system. Over time, we have found out that relying on something you know is not the best way to authenticate an individual. Passwords can be guessed or the person may write it down and the password becomes known to others. To alleviate this problem, security has moved to the other authentication methods— something you have or something you are. Smart cards can be used for authentication (they are something you have) and thus can reduce the risk of someone guessing a password. However, if a smart card is stolen and if it is the sole form of authentication, the thief could masquerade as a legitimate user of the network or computer system. An attack against a vulnerable system will not be prevented with smart cards as a smart card system relies on the user actually using the correct entry path into the system.
Biometrics
Biometrics is yet another authentication mechanism (something you are) and thus they too can reduce the risk of someone guessing a password. As with other strong authentication methods, for biometrics to be effective, access to a system must be attempted through a correct entry path. If an attacker can find a way to circumvent the biometric system, there is no way for the biometric system to assist in the security of the system.
Intrusion Detection
Intrusion detection systems were once touted as the solution to the entire security problem. No longer would we need to protect our files and systems, we could just identify when someone was doing something wrong and stop them. In fact, some of the intrusion detection systems were marketed with the ability to stop attacks before they were successful. No intrusion detection system is foolproof and thus they cannot replace a good security program or good security practice. They will also not detect legitimate users who may have incorrect access to information.
Policy Management
Policies and procedures are important components of a good security program and the management of policies across computer systems is equally important. With a policy management system, an organization can be made aware of any system that does not conform to policy. However, policy management may not take into account vulnerabilities in systems or misconfigurations in application software. Either of these may lead to a successful penetration. Policy management on computer systems also does not guarantee that users will not write down their passwords or give their passwords to unauthorized individuals.
Vulnerability Scanning
Scanning computer systems for vulnerabilities is an important part of a good security program. Such scanning will help an organization to identify potential entry points for intruders. In and of itself, however, vulnerability scanning will not protect your computer systems. Each vulnerability must be fixed after it is identified. Vulnerability scanning will not detect legitimate users who may have inappropriate access nor will it detect an intruder who is already in your systems.
Encryption
Encryption is the primary mechanism for communications security. It will certainly protect information in transit. Encryption might even protect information that is in storage by encrypting files. However, legitimate users must have access to these files. The encryption system will not differentiate between legitimate and illegitimate users if both present the same keys to the encryption algorithm. Therefore, encryption by itself will not provide security. There must also be controls on the encryption keys and the system as a whole.
Physical Security Mechanisms
Physical security is the one product category that could provide complete protection to computer systems and information. It could actually be done relatively cheaply as well. Just dig a hole about 30 feet deep. Line the hole with concrete and place all-important systems and information in the hole. Then fill up the hole with concrete. Your systems and information will be secure. No one will be able to access them. Unfortunately, this is not a reasonable solution to the security problem. Employees must have access to computers and information in order for the organization to function. Therefore, the physical security mechanisms that we put in place must allow some people to gain access and the computer systems will probably end up on a network. If this is the case, physical security will not protect the systems from attacks that use legitimate access or attacks that come across the network instead of through the front door.
Information Security Quiz
Total = 10 Questions

1. A firewall is meant to:
a) screen incoming traffic on a network
b) screen outgoing traffic on a network
c) screen emails from a contact list of accepted recipients
d) screen incoming and outgoing traffic on a network
e) screen for viruses

2. Phishing is
a) A type of computer virus
b) Email designed to fool recipients into divulging personal information
c) An example of a security method to protect computers
d) A type of computer network
e) A Farmville application

3. Most often it is safe to assume information from public wireless hotspots (such as airports, hotels, coffee shops etc.) is:
a) secured with 128 bit encryption
b) secured with 256 bit encryption
c) not secure
d) highly secure
e) secure only if you have firewall installed on your laptop

4. You receive an email from your bank asking you to login to your account to verify information. You should:
a) Ignore the message
b) Enter the link in the email manually into your web browser
c) Reply to the email asking the sender for additional information about the bank
d) Follow detailed instruction given in the email
e) Click the link in the email and login to your account so you are sure your information is correct

5. Once an anti-virus program is installed on your computer
a) You should not update it
b) You are fully protected from infections
c) You are protected only against viruses
d) You are protected against viruses and spam
e) You are protected against viruses, spam, and malware

6. Files on your computer can be made unreadable to others by using:
a) Partitions
b) Backups
c) Obscure filenames
d) Subdirectories
e) Encryption

7. While shopping online you know the website is secure if:
a) The web URL starts with http://
b) The web URL starts with https://
c) The web URL starts with ftp://
d) The web URL includes numbers e.g. http://192.168.0.1
e) The web URL ends in .com

8. The most secure corporate network is one that is connected via:
a) Internet
b) DSL
c) Wireless Network
d) Dial up phone lines
e) VPN

9. Digital Certificates on the web are managed and signed by:
a) ICANN Authority
b) GoDaddy Authority
c) Certificate Authority
d) Government Authority
e) Corporate Authority

10. System that is able to monitor logs, watch network traffic, and identify patterns that look like an attack is known as:
a) FDS (Firewall Detection System)
b) FNS (False Negative Systems)
c) FPS (False Positive Systems)
d) IDS (Intrusion Detection System)
e) HAS (Honeypot Assessment Systems)
UNIT 3
Task 1. Read and translate the text.
Text 1. Data Theft: How Big is a Problem?
Data theft is, quite simply, the unauthorized copying or removal of confidential information from a business or other large enterprise. It can take the form of ID-related theft or the theft of a company’s proprietary information or intellectual property.

ID-related data theft occurs when customer records are stolen or illegally copied. The information stolen typically includes customers’ names, addresses, phone numbers, usernames, passwords and PINs, account and credit card numbers, and, in some instances, Social Security numbers. When transmitted or sold to lower-level criminals, this information can be used to commit all manner of identity fraud. A single data theft can affect large numbers of individual victims.

Non-ID data theft occurs when an employee makes one or more copies of a company’s confidential information, and then uses that information either for his own personal use or transmits that information to a competitor for the competitor’s use. However it’s done, this is a theft of the business’ intellectual property, every bit as harmful as a theft of money or equipment. A company’s confidential information includes its employee records, contracts with other firms, financial reports, marketing plans, new product specifications, and so on. Imagine you’re a competitor who gets hold of a company’s plans for an upcoming product launch; with knowledge beforehand, you can create your own counter-launch to blunt the impact of the other company’s new product. A little inside information can be extremely valuable - and damaging for the company from which it was stolen.

Data theft can be a virtual theft (hacking into a company’s systems and transmitting stolen data over the Internet) or, more often, a physical theft (stealing the data tapes or discs). In many ways, it’s easier for a thief to physically steal a company’s data than it is to hack into the company’s network for the same purpose. Most companies give a lot of attention to Internet-based security, but less attention is typically paid to the individuals who have physical access to the same information.

One would expect data theft to be somewhat widespread. And it probably is if we truly knew all the numbers. The problem with trying to size the data theft issue is twofold. First, many companies do not report data theft to the police or do not publicize such thefts; they’re trying to avoid bad publicity. And even when data theft is reported, the dollar impact of such theft is difficult to ascertain.
Whichever number is correct, that’s a lot of stolen data. Add to that the immeasurable cost of intellectual property data theft, and you get a sense of the size of the problem - it’s big and it’s getting bigger.
Unfortunately, there’s little you as an individual can do to prevent data theft; the onus is all on the company holding the data. You could reduce your risk by limiting the number of companies with which you do business, but that may not be practical. Being alert is your only defense against this type of large-scale theft.
Task 2. Give definitions to the following word combinations. Data theft, ID-related data theft, non-ID data theft, virtual theft, physical theft, company’s confidential information.
Task 3. A. Translate the following words with negative prefixes. Unauthorized, illegally, immeasurable, unfortunately.
B. Make the words negative with the help of prefixes and translate them:
un- reliable, able, pleasant, intentionally, likely, suspecting, wanted, questionable; in- visible, dependent, accurate, compatible, adequate, appropriate; im- possible, perfect, proper, mobile; ir- regular, rational, resistible, responsible; mis- lead, understand, pronounce, print, direction; anti- virus, spyware, glare; dis- continue, appear, connect, advantage, agreement.
Task 4. Find in the text English equivalents for the following word combinations. Intellectual property; in some cases; information can be extremely valuable; in many respects; for the same purpose; to pay a great deal of attention; less attention is paid; it is fairly widespread; to try to avoid a bad reputation; the problem is twice as serious; firstly; hard to establish; unfortunately; to prevent the theft of information; all the responsibility lies with the company; to be careful.
Task 5. Answer the questions. 1. Why is it easier for a thief to physically steal a company’s data than to hack into the company’s network? 2. How widespread is the data theft problem? 3. How do thieves steal corporate data? 4. What happens to the stolen data? 5. What can you do to prevent data theft?
Task 6. Speak about the data theft problem.
Task 7. Translate the following sentences paying attention to the words in bold type. 1. The malicious code problem will continue to grow as the Internet grows. 2. As cyber criminals get smarter and smarter, staying one step ahead of emerging security threats is getting harder and harder. 3. As you might guess from the name, the decryption key is different from the encryption key. 4. The threat has grown to the point where using a password as the sole form of authentication provides you with almost no protection at all. 5. Most folks devise simple passwords, such as the names of their pets or the names of their favorite sports teams. 6. As a result, phishing has become big business, and very profitable for attackers with little fear of being caught for their crimes. 7. While new security technologies and products are developed in order to meet the changing needs, the bad guys are coming up with new technologies and strategies as well. As has been said many times, there is no silver bullet in the security world. 8. Over time, the threats have grown in both number and complexity, while the timeframe for response has been shortened dramatically.
9. Failure is the only thing one can achieve without effort.
Task 8. Read and translate the text.
Text 2. What is Malicious Code?
Malicious code is any code added, changed, or removed from a software system in order to intentionally cause harm or subvert the intended function of the system. Though the problem of malicious code has a long history, a number of recent, widely publicized attacks and certain economic trends suggest that malicious code is rapidly becoming a critical problem for industry, government, and individuals. Traditional examples of malicious code include viruses, worms, Trojan Horses, and attack scripts, while more modern examples include Java attack applets and dangerous ActiveX controls. Viruses are pieces of malicious code that attach to host programs and propagate when an infected program is executed. Worms are particular to networked computers. Instead of attaching themselves to a host program, worms carry out programmed attacks to jump from machine to machine across the network. Trojan Horses, like viruses, hide malicious intent inside a host program that appears to do something useful (e. g., a program that captures passwords by masquerading as the login daemon.) Attack scripts are programs written by experts that exploit security weaknesses, usually across the network, to carry out an attack. Attack scripts exploiting buffer overflows by “smashing the stack” are the most commonly encountered variety. Java attack applets are programs embedded in Web pages that achieve foothold through a Web browser. Dangerous ActiveX controls are program components that allow a malicious code fragment to control applications or the operating system.
Recently, the distinctions between malicious code categories have been bleeding together, and so classification has become difficult. Any computing system is susceptible to malicious code. The growing connectivity of computers through the Internet has increased both the number of attack vectors, and the ease with which an attack can be made. More and more computers, ranging from home PCs to systems that control critical infrastructures (e.g., the power grid), are being connected to the Internet. Furthermore, people, businesses, and governments are increasingly dependent upon network-enabled communication such as e-mail or Web pages provided by information systems. Unfortunately, as these systems are connected to the Internet, they become vulnerable to attacks from distant sources. Put simply, it is no longer the case that an attacker needs physical access to a system to install or propagate malicious code. A second trend that has enabled widespread propagation of malicious code is the size and complexity of modern information systems. Complex devices, by their very nature, introduce the risk that malicious functionality may be added (either during creation or afterwards) that extends the original device past its primary intended design. An unfortunate side effect of inherent complexity is that it allows malicious subsystems to remain invisible to unsuspecting users until it is too late. A third trend enabling malicious code is the degree to which systems have become extensible. From an economic standpoint, extensible systems are attractive because they provide flexible interfaces that can be adapted through new components. Unfortunately, the very nature of extensible systems makes it hard to prevent malicious code from slipping in as an unwanted extension.
Task 9. Find in the text English equivalents for the following words and word combinations. To cause harm; intentionally; despite; recently; besides; unfortunately; no longer; instead of; for example; differences between categories; to become vulnerable; wide spread; the complexity of modern systems; a side effect; to remain invisible to a trusting user; too late; from an economic point of view.
Task 10. Complete the table.
Noun | Verb | Adjective
access | — | —
action | — | —
— | apply | —
— | — | behavioral
— | assess | —
— | — | computational
— | depend | —
harm | — | —
— | perform | —
protection | — | —
— | — | strong
Task 11. Answer the questions. 1. What is malicious code? 2. What are traditional examples of malicious code? Give examples of more modern malicious code. 3. What are the key trends that are making malicious code a critical national problem? 4. What is an unfortunate side effect of inherent complexity of modern information systems?
5. What are the advantages and disadvantages of extensible systems?
Task 12. Read and translate the text.
Text 3. Defense against Malicious Code
Creating malicious code is not hard. In fact, it is as simple as writing a program or downloading and configuring a set of easily customized components. It is becoming increasingly easy to hide ill-intentioned code inside otherwise innocuous objects, including Web pages and e-mail messages. This makes detecting and stopping malicious code before it can do any damage extremely hard.

To make matters worse, our traditional tools for ensuring the security and integrity of hosts have not kept pace with the ever-changing suite of applications. For example, traditional security mechanisms for access control reside within an operating system kernel and protect relatively primitive objects (e.g., files); but increasingly, attacks such as the Melissa virus happen at the application level where the kernel has no opportunity to intervene.

In general, when a computational agent arrives at a host, there are four approaches that the host can take to protect itself.
1. Analyze the code and reject it if there is the potential that executing it will cause harm.
2. Rewrite the code before executing it so that it can do no harm.
3. Monitor the code while it is executing and stop it before it does harm, or
4. Audit the code during execution and take policing action if it did some harm.

Analysis includes simple techniques, such as scanning a file and rejecting it if it contains any known virus, as well as more sophisticated techniques from compilers, such as dataflow analysis, that can determine previously unseen malicious code. Analysis can also be used to find bugs (e.g., potential buffer overruns) that malicious code can use to gain a foothold in a system. However, static analysis is necessarily limited, because determining if code will misbehave is as hard as the halting problem. Consequently, any analysis will be either too conservative (and reject some perfectly good code) or too permissive (and let some bad code in) or, more likely, both. Furthermore, software engineers working on their own systems often neglect to apply any bug-finding analyses.

Code rewriting is a less pervasive approach to the problem, but may become more important. With this approach, a rewriting tool inserts extra code to perform dynamic checks that ensure bad things cannot happen.

Monitoring programs, using a reference monitor, is the traditional approach used to ensure programs don’t do anything bad. For instance, an operating system uses the page-translation hardware to monitor the set of addresses that an application attempts to read, write, or execute. If the application attempts to access memory outside of its address space, then the kernel takes action (e.g., by signaling a segmentation fault).

If malicious code does damage, recovery is only possible if the damage can be properly assessed and addressed. Creating an audit trail that captures program behavior is an essential step. Several program auditing tools are commercially available.

Each of the basic approaches, analysis, rewriting, monitoring, and auditing, has its strengths and weaknesses, but fortunately, these approaches are not mutually exclusive and may be used in concert.

Task 13. Find in the text English equivalents for the following words and word combinations. In actual fact; just as simple as; just as hard as; otherwise; on top of everything; to keep up with something; generally; more complex methods; therefore; too lenient; more probably; often forget to use; a less common method; for example; an important stage; each method has its strong points and shortcomings; are not incompatible.

Task 14. Answer the questions. 1. What makes detecting and stopping malicious code extremely hard? 2. Do the defenses keep pace with the ever-changing suite of applications? Give examples. 3. What are the main methods to protect the host? 4. What are the strengths and weaknesses of each of the basic approaches?

Task 15. Speak about the malicious code problem and main approaches to dealing with it.

Essential Vocabulary
alert a vigilant, on guard, cautious
ascertain v to establish, to find out
assess v to determine, to evaluate
audit v to check
blunt v to weaken
capture v to seize, to intercept; to collect
defense n protection
exploit v to use for one's own benefit
fault n damage, error
fraud n deception, swindling
halting problem the problem of stopping
harm n injury, damage
hide v to conceal, to put out of sight
impact n effect, influence
inherent a intrinsic, characteristic
innocuous a harmless, inoffensive
integrity n wholeness, intactness
intent n intention, aim
intervene v to hinder, to interfere
kernel n core
malicious a hostile, ill-intentioned
masquerade v to pass oneself off as someone; to gain entry illegally
neglect v to disregard
overflow n overfilling
overrun n overload, overfilling
pervasive a all-embracing, widespread
property n ownership, possessions
propagate v to spread, to be transmitted
proprietary a private, patented, original
recovery n restoration, correction
reject v to refuse, to discard
slip v to slide through, to creep in
steal v to thieve
subvert v to disrupt, to destroy
susceptible a receptive, yielding
theft n stealing, larceny
thief n one who steals
twofold a double, doubled
victim n injured party
vulnerable a open to attack
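Text 3's claim that static analysis ends up both too conservative and too permissive, and that analysis, monitoring and auditing can be used in concert, shown as an added example that is not part of the original text. The forbidden-call list, the two constructed code samples and the in-memory file table are assumptions made for the illustration.

```python
import ast
import io

FORBIDDEN_CALLS = {"open", "eval", "exec", "__import__"}  # assumed policy for the demo

# Constructed sample: harmless (it only reads a permitted file) but names open() directly.
HARMLESS = 'text = open("readme.txt").read()\ncount = len(text)\n'
# Constructed sample: tries to write a file, reaching open() through an alias.
ALIASED = 'writer = open\nhandle = writer("report.txt", "w")\n'


class PolicyViolation(Exception):
    """Raised by the monitor when running code attempts a forbidden action."""


def analyze(source):
    """Approach 1 (analysis): flag direct calls to forbidden names without running the code."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in FORBIDDEN_CALLS:
                findings.append((node.lineno, node.func.id))
    return sorted(findings)


def run_monitored(source, readable_files):
    """Approaches 3 and 4 (monitoring, auditing): mediate every open() at run time.

    readable_files maps permitted file names to their contents, so nothing
    touches the real file system. Returns (outcome, audit_trail).
    """
    audit = []

    def guarded_open(path, mode="r", *args, **kwargs):
        # The monitor sees the action itself, however the code reached it.
        if set(mode) - set("rt") or path not in readable_files:
            audit.append(("DENY", path, mode))
            raise PolicyViolation(f"{mode!r} access to {path!r} denied")
        audit.append(("ALLOW", path, mode))
        return io.StringIO(readable_files[path])

    # A reduced builtins table is enough to show mediation of one operation;
    # it is an illustration of a reference monitor, not a hardened sandbox.
    env = {"__builtins__": {"open": guarded_open, "len": len}}
    try:
        exec(compile(source, "<agent>", "exec"), env)
        outcome = "completed"
    except PolicyViolation:
        outcome = "stopped"
    return outcome, audit


def screen_and_run(source, readable_files):
    """Use the approaches in concert: reject on findings, otherwise run under the monitor."""
    findings = analyze(source)
    if findings:
        return "rejected", findings
    return run_monitored(source, readable_files)


if __name__ == "__main__":
    files = {"readme.txt": "hello"}  # constructed file table
    # Too conservative: harmless code is rejected because it names open().
    print("HARMLESS:", screen_and_run(HARMLESS, files))
    # Too permissive: the alias passes analysis, so the monitor has to stop it.
    print("ALIASED: ", screen_and_run(ALIASED, files))
```
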
UNIT 4
Task 1. Read and translate the text.
Text 1. Authentication, Authorization, and Accounting
Whether a security system serves the purposes of information asset protection or provides for general security outside the scope of IT, it is common to have three
main security processes working together to provide access to assets in a controlled manner. These processes are: authentication, authorization, and accounting.

Identification and Authentication
The process of authentication is often considered to consist of two distinct phases: (1) identification and (2) (actual) authentication.

Identification provides user identity to the security system. This identity is typically provided in the form of a user ID. The security system will typically search through all the abstract objects that it knows about and find the specific one for the privileges of which the actual user is currently applying. Once this is complete, the user has been identified.

Authentication is the process of validating user identity. The fact that the user claims to be represented by a specific abstract object (identified by its user ID) does not necessarily mean that this is true. To ascertain that an actual user can be mapped to a specific abstract user object in the system, and therefore be granted user rights and permissions specific to the abstract user object, the user must provide evidence to prove his identity to the system. Authentication is the process of ascertaining claimed user identity by verifying user-provided evidence.

The evidence provided by a user in the process of user authentication is called a credential. Different systems may require different types of credentials to ascertain user identity, and may even require more than one credential. In computer systems, the credential very often takes the form of a user password, which is a secret known only to the individual and the system. Credentials may take other forms, however, including PIN numbers, certificates, tickets, etc.

User identification and authentication are typically the responsibility of the operating system. Before being allowed to create even a single process on a computer, the individual must authenticate to the operating system.
Applications and services may or may not honor authentication provided by the operating system, and may or may not require additional authentication upon access to them.
There are typically three components involved in the process of user authentication:
Supplicant. The party in the authentication process that will provide its identity, and evidence for it, and as a result will be authenticated. This party may also be referred to as the authenticating user, or the client.
Authenticator. The party in the authentication process that is providing resources to the client (the supplicant) and needs to ascertain user identity to authorize and audit user access to resources. The authenticator can also be referred to as the server.
Security authority/database. A storage or mechanism to check user credentials. This can be as simple as a flat file, or a server on the network providing for centralized user authentication, or a set of distributed authentication servers that provide for user authentication within the enterprise or on the Internet.

In a simple scenario, the supplicant, authenticator, and security database may reside on the same computer. It is also possible and somewhat common for network applications to have the supplicant on one computer and the authenticator and security database collocated on another computer. It is also possible to have the three components geographically distributed on multiple computers.

It is important to understand that the three parties can communicate independently with one another. Depending on the authentication mechanism used, some of the communication channels might not be used - at least not by an actual dialogue over the network. The type of communication and whether or not it is used depends on the authentication mechanism and the model of trust that it implements.

Authorization
Authorization is the process of determining whether an already identified and authenticated user is allowed to access information resources in a specific way. Authorization is often the responsibility of the service providing access to a resource.
Before authorization takes place, the user must be identified and authenticated. Authorization relies on identification information to maintain access control lists for each service.
User Logon Process
Authentication and authorization work very closely together, and it is often difficult to distinguish where authentication finishes and where authorization starts. In theory, authentication is only supposed to ascertain the identity of the user. Authorization, on the other hand, is only responsible for determining whether or not the user should be allowed access.

To provide for the logical interdependence between authentication and authorization, operating systems and applications typically implement the so-called user logon process (or login process, also signing process). The logon process provides for user identification; it initiates an authentication dialogue between the user and the system, and generates an operating system or application-specific structure for the user, referred to as an access token. This access token is then attached to every process launched by the user, and is used in the process of authorization to determine whether the user has or has not been granted access. The access token structure sits in between user authentication and authorization. The access token contains user authorization information but this information is typically provided as part of the user identification and authentication process.

The logon process can also perform nonsecurity-related tasks. For instance, the process can set up the user work environment by applying specific settings and user preferences at the time of logon.
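The logon process described above, with a security database, an access token and a per-resource access control list, together with the audit trail of successful and unsuccessful attempts that the text calls accounting, sketched as an added example that is not part of the original text. The class names, the user alice, the group analysts, the resource case-files, the constructed passwords and the PBKDF2 work factor are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # assumed work factor for the illustration


def derive_key(password, salt):
    """Turn the credential (a password) into a salted hash for storage or comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class SecurityDatabase:
    """Security authority/database: here a flat in-memory store of user objects."""

    def __init__(self):
        self._users = {}
        self._dummy_salt = os.urandom(16)

    def enroll(self, user_id, password, groups):
        salt = os.urandom(16)
        self._users[user_id] = (salt, derive_key(password, salt), frozenset(groups))

    def verify(self, user_id, password):
        """Return the user's groups if the credential matches, otherwise None."""
        record = self._users.get(user_id)
        if record is None:
            # Identification failed. Do the same amount of work anyway so that
            # response time does not reveal which user IDs exist.
            derive_key(password, self._dummy_salt)
            return None
        salt, stored_key, groups = record
        if hmac.compare_digest(stored_key, derive_key(password, salt)):
            return groups
        return None


@dataclass(frozen=True)
class AccessToken:
    """Structure built at logon and presented with every later access request."""
    user_id: str
    groups: frozenset


class Authenticator:
    """Server side: runs the logon process, authorizes requests, keeps the audit trail."""

    def __init__(self, database, acl):
        self.database = database
        self.acl = acl  # resource -> {user ID or group: set of allowed actions}
        self.audit_trail = []

    def _account(self, event, user_id, detail, success):
        # Accounting: every attempt is recorded, whether or not it succeeded.
        self.audit_trail.append(
            {"event": event, "user_id": user_id, "detail": detail, "success": success})

    def logon(self, user_id, password):
        """Identification and authentication; returns an AccessToken or None."""
        groups = self.database.verify(user_id, password)
        self._account("logon", user_id, "password", groups is not None)
        if groups is None:
            return None
        return AccessToken(user_id, groups)

    def access(self, token, resource, action):
        """Authorization: check the token's identities against the resource's ACL."""
        entries = self.acl.get(resource, {})
        principals = {token.user_id} | token.groups
        allowed = any(action in entries.get(p, set()) for p in principals)
        self._account("access", token.user_id, f"{action} {resource}", allowed)
        return allowed


def demo():
    """Run a constructed scenario and return (token, audit trail)."""
    database = SecurityDatabase()
    database.enroll("alice", "correct horse battery", groups={"analysts"})
    server = Authenticator(database, acl={"case-files": {"analysts": {"read"}}})

    server.logon("alice", "guess123")            # wrong credential
    server.logon("mallory", "guess123")          # unknown user ID
    token = server.logon("alice", "correct horse battery")
    server.access(token, "case-files", "read")   # granted through group membership
    server.access(token, "case-files", "delete") # authenticated but not authorized
    return token, server.audit_trail


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```
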
Accounting
Users are responsible for their actions in a computer system. Users can be authorized to access a resource; and if they access it, the operating system or application needs to provide an audit trail that gives historical data on when and how a user accessed a resource. On the other hand, if a user tries to access a resource and is not allowed to do so, an audit trail is still required to determine an attempt to violate system authorization and, in some cases, authentication policies.

Accounting is the process of maintaining an audit trail for user actions on the system. Accounting may be useful from a security perspective to determine authorized or unauthorized actions; it may also provide information for successful and unsuccessful authentication to the system.

Accounting should be provided, regardless of whether or not successful authentication or authorization has already taken place. A user may or may not have been able to authenticate to the system, and accounting should provide an audit trail of both successful and unsuccessful attempts. Furthermore, if a user has managed to authenticate successfully and tries to access a resource, both successful and unsuccessful attempts should be monitored by the system; access attempts and their status should appear in the audit trail files. If authorization to access a resource was successful, the user ID of the user who accessed the resource should be provided in the audit trail to allow system administrators to track access.

Task 2. Find in the text English equivalents for the following words and word combinations. Protection of information resources; to provide access to resources; security system; to verify identity; the user must present evidence; user name and password; to prove; personal identification number; the duty of the operating system; it is important to understand; depending on; independently of each other; at least; before authorization takes place; to rely on; it is often hard to tell apart; on the other hand; the so-called user registration process; called an access token; to determine whether the user was granted access; to perform tasks not connected with the security system; an attempt to break into the system; in some cases; useful from a security standpoint; regardless of; both successful and unsuccessful attempts; to track access.
Task 3. Translate the following derivative groups. Depend, dependent, dependence, interdependence. Distinguish, distinguishable, distinguished. Identity, identical, identify, identification. Prefer, preferable, preferably, preference. Responsible, responsibly, responsibility. Secure, security. Set, settings. Success, successful, successfully, unsuccessful. Use, user, useful, useless.
Task 4. Complete the sentences giving definitions to. 1. Authentication is often considered to consist of … 2. Identification provides … 3. Authorization is … 4. Accounting is sometimes referred to as … 5. Supplicant is the party … 6. Authenticator is … 7. Credential is … 8. A user password is …
Task 5. Decide whether the following statements are true or false in relation to the information in the text. If you feel a statement is false, change it to make it true. 1. User identity is typically provided in the form of a user ID. 2. Different systems may require different types of credentials to ascertain user identity. 3. In computer systems, the credential always takes the form of a user password. 4. There are typically two components involved in the process of user authentication. 5. The authenticator can also be referred to as the client. 6. The supplicant, authenticator, and security database reside on the same computer.
Task 6. Answer the questions. 1. What does authorization rely on? 2. What is the difference between authentication and authorization? 3. What does the access token contain? 4. What tasks does the logon process perform? 5. What information does an audit trail contain?
Task 7. Speak about three main security processes and the relationship between them.
Task 8. Translate the following sentences paying attention to the words in bold type. 1. There are doubts about whether the system is safe. 2. It is difficult to establish whether this problem can be solved at all. 3. The results of the test are to be recorded whether successful or not. 4. Theft is theft, whether the target is money, jewels, or information. 5. If a user tries to access a file that resides on a file server, it will be the responsibility of the file service to determine whether the user will be allowed this type of access. 6. Whether you’re a beginner or an expert, you’ll learn something from the course. 7. Once operational requirements have been defined, the next step is to ensure that the SIM (Security Information Management) solution can support what will be needed today and tomorrow. 8. Once your password is no longer secret, it no longer protects access to your valuable information. 9. Keep a close watch on your credit reports and accounts for at least the next year after a problem has been resolved. 10. Cracking passwords is too large a topic for one article, but I can highlight at least a couple of methods. 11. For instance, using my e-mail address for the password might be a long password, but a fairly easy one to crack. 12. The key for any organization — regardless of its size or the industry in which it plays — is to implement a data protection program.
Task 9. Read and translate the text.
Text 2. Understanding Denial of Service
A denial-of-service attack is different in goal, form, and effect than most of the attacks that are launched at networks and computers. Most attackers involved in cybercrime seek to break into a system, extract its secrets, or fool it into providing a service that they should not be allowed to use. Attackers commonly try to steal credit card numbers or proprietary information, gain control of machines to install their software or save their data, deface Web pages, or alter important content on victim machines. Frequently, compromised machines are valued by attackers as resources that can be turned to whatever purpose they currently deem important.

In DDoS attacks, breaking into a large number of computers and gaining malicious control of them is just the first step. The attacker then moves on to the DoS attack itself, which has a different goal—to prevent victim machines or networks from offering service to their legitimate users. No data is stolen, nothing is altered on the victim machines, and no unauthorized access occurs. The victim simply stops offering service to normal clients because it is preoccupied with handling the attack traffic. While no unauthorized access to the victim of the DDoS flood occurs, a large number of other hosts have previously been compromised and controlled by the attacker, who uses them as attack weapons. In most cases, this is unauthorized access, by the legal definition of that term.

While the denial-of-service effect on the victim may sound relatively benign, especially when one considers that it usually lasts only as long as the attack is active, for many network users it can be devastating. Use of Internet services has become an important part of our daily lives. Following are some examples of the damaging effects of DoS attacks.
• Sites that offer services to users through online orders make money only when users can access those services. For example, a large book-selling site cannot sell books to its customers if they cannot browse the site's Web pages and order products online. A DoS attack on such sites means a severe loss of revenue for as long as the attack lasts. Prolonged or frequent attacks also inflict long-lasting damage to a site's reputation — customers who were unable to access the desired service are likely to take their business to the competition. Sites whose reputations were damaged may have trouble attracting new customers or investor funding in the future.
• Large news sites and search engines are paid by marketers to present their advertisements to the public. The revenue depends on the number of users that view the site's Web page. A DoS attack on such a site means a direct loss of revenue from the marketers, and may have the long-lasting effect of driving the customers to more easily accessible sites. Loss of popularity translates to a direct loss of advertisers' business.
• Numerous businesses have come to depend on the Internet for critical daily activities. A DoS attack may interrupt an important videoconference meeting or a large customer order.
• The Internet is increasingly being used to facilitate management of public services, such as water, power, and sewage, and to deliver critical information for important activities, such as weather and traffic reports for docking ships. A DoS attack that disrupts these critical services will directly affect even people whose activities are not related to computers or the Internet. It may even endanger human lives.
• A vast number of people use the Internet on a daily basis for entertainment or for communicating with friends and family. While a DoS attack that disrupts these activities may not cause them any serious damage, it is certainly an unpleasant experience that they wish to avoid. If such disruptions occur frequently, people are likely to stop using the Internet for these purposes, in favor of more reliable technologies.
Task 10. A. Find in the text words which have the same or a similar meaning to the following. To change, to happen, to consider, to cause, usually, often, aim, serious, now, extremely large, every day, problem. B. Now find words that mean the opposite of. Malicious, rare, short, able, authorized, same, illegal, gain, pleasant.
Task 11. Make adverbs from the following adjectives and translate them. Intentional, frequent, direct, certain, wide, rapid, usual, common, recent, unfortunate, easy, extreme, relative, necessary, perfect, consequent, proper, previous, current, simple.
Task 12. Find in the text English equivalents for the following word combinations. To try to break into a system; to make it provide services by deception; to change important information; a purpose that they consider important at the given moment; in the majority of cases; the effect may seem comparatively harmless; has become an important part of our everyday life; users can have access; a serious loss; lengthy or frequent attacks; to interrupt an important videoconference; to put people's lives in danger; to cause serious damage; for these purposes.
Task 13. Answer the questions.
1. What is the difference between a denial-of-service attack and most of the attacks that are launched at networks and computers?
2. What is the goal of DoS attacks?
3. Are DoS attacks a real threat to some Internet sites?
4. What is the effect of DoS attacks? Give examples.
Task 14. Read the text and decide on a suitable title for it. Text 3.
“Phishing” is a new term widely popularized in mainstream media. Microsoft defines it as any type of attack that attempts to lure users to a fake Web site to enter in sensitive information that is then used for identity and banking theft. This normally occurs via an e-mail, directing users to a phishing Web site. Originally, phishers obtained passwords by tricking users into supplying the passwords in response to an e-mail request. Although this method is still prevalent today, with firms such as the major banks, eBay, and PayPal being among the largest targets, more complex and creative methods have been developed to attempt to fool the end user. These include such methods as directing users to fake Web sites that appear as if they are issued by the same company (i. e., eBay, Chase, U.S. Bank), man-in-the-middle proxies to capture data, Trojan-horse key loggers, and screen captures. Phishing activity has been increasing dramatically over the past few years. The United States leads as the country hosting the most phishing sites, with 24.27 per cent. The other top countries are China (17.23 per cent), Republic of Korea (11 per cent), and Canada, with 4.05 per cent. These statistics point out that this is a growing activity and increasingly used as a criminal activity to open an account, make an unauthorized transaction, obtain log-in credentials, or perform some other kind of identity theft. A First Data survey in 2005 revealed that over 60 per cent of online users had inadvertently visited a spoofed site. A Consumer Reports survey indicated that 30 per cent of users had reduced their overall use of the Internet and 25 per cent had discontinued online shopping. Where once there was trust in the major brands, as indicated earlier, this trust is eroding with respect to online transactions, in large part due to a lack of trust in Web sites and fear of identity theft. Educating consumers about the dangers of phishing is a delicate balance. 
On the one hand, consumers need to be vigilant in not responding to emails with links to sites requesting their personal information; on the other hand, consumers should not be afraid to participate in online commerce and use e-mail wisely. Phishing has become so prevalent that the Federal Trade Commission (FTC) issued a consumer alert advising consumers how not to get hooked by a phishing scam. The key points from the FTC included the following.
• If you get an e-mail or pop-up message that asks for personal or financial information, do not reply. And do not click on the link in the message, either.
• Area codes can mislead (and may not be in your area due to Voice-over-IP technology).
• Use antivirus and antispyware software, as well as a firewall, and update them all.
• Do not e-mail personal or financial information.
• Review credit card and bank account statements as soon as you receive them.
• Be cautious about opening any attachment or downloading any file from e-mails.
• Forward spam that is phishing for information to [email protected] and to the bank or company that was impersonated with the e-mail. If you believe you have been scammed, file a complaint at www.ftc.gov.
However, the entire burden cannot be on the consumer. There are multiple known delivery methods, attack vectors, and solutions to help minimize the risk. Organizations must be vigilant in their education of internal and external customers, the design of secure software, the maintenance of appropriate patch levels, and providing a phishing reporting and remediation capability and must remain continuously aware of the techniques and threats related to this type of attack.
Task 15. These are answers to questions about the text. Write the questions.
1. Phishing is a variant of the word “fishing”, describing the use of sophisticated techniques to “fish” for sensitive information.
2. The United States, China, Republic of Korea, and Canada.
3. Via an e-mail, directing users to a phishing Web site.
4. Such methods as directing users to fake Web sites, man-in-the-middle proxies to capture data, Trojan-horse keyloggers, and screen captures.
5. Due to a lack of trust in Web sites and fear of identity theft.
6. Use antivirus and antispyware software.
Essential Vocabulary
access token - access marker
alert n - notification, warning
alter v - to change
ascertain v - to establish, to make sure
asset n - resource, property
audit n - check, inspection
audit trail - control log, file recording network events
aware a - conscious; knowing, informed
benign a - not dangerous, harmless
burden n - load; burden
capture v - to seize, to intercept; to collect
cautious a - careful, prudent
collocate v - to place, to arrange
credentials n - authority; user name and password
deem v - to consider, to think
deface v - to distort, to spoil
denial of service - refusal of service
devastating a - destructive
disrupt v - to break, to destroy
distinguish v - to tell apart
erode v - to undermine
evidence n - proof, grounds
facilitate v - to assist, to promote, to make easier
fake a - false, fictitious
grant v - to give, to provide
hook v - to catch
inadvertently adv - unintentionally, not deliberately
inflict v - to deal, to cause
lack n - absence, shortage
legitimate a - lawful
lure v - to entice, to attract
malicious a - hostile, ill-intentioned
preference n - preference, advantage
responsibility n - responsibility, duty
seek to do smth. (sought, sought) - to try to do something
scam n - swindle, fraud
spoof v - to deceive
trick into v - to make someone do something by deception
vigilant a - watchful
violate v - to break, to infringe
UNIT 5
Task 1. Read and translate the text.
Text 1. Information Warfare
In the past decade we have witnessed phenomenal growth in the capabilities of information management systems. National security implications of these capabilities are only now beginning to be understood by national leadership. There is no doubt IW is a concept the modern military officer should be familiar with, for advancements in computer technology have significant potential to dramatically change the face of military command and control. Information warfare is an orchestrated effort to achieve victory by subverting or neutralizing an enemy command and control (C2) system, while protecting use of C2 systems to coordinate the actions of friendly forces. A successful IW campaign seizes initiative from an enemy commander; the IW campaign allows allied forces to operate at a much higher tempo than an enemy can react to. The concept of an “OODA Loop” is often used to illustrate information warfare. OODA stands for the steps in a commander’s decision making cycle — Observe, Orient, Decide and Act. Based on the premise that information is a strategic asset, a portion of IW doctrine seeks to disrupt or deny access to information in order to seize initiative from an adversary. The other half of IW doctrine seeks to maintain the integrity of our information gathering and distribution infrastructure.
Applying Information Warfare
Most modern political and military C2 systems are based on high speed communications and computers. It follows that this information infrastructure, also known as an “infosphere”, will be the arena in which information warfare is waged. Any system or person who participates in the C2 process will be a potential
target in an IW campaign. An IW campaign will focus against the enemy infosphere. It will be necessary to isolate, identify and analyze each element of an enemy infosphere in order to determine portions which can affect the OODA loop’s size. Once these areas of the enemy infosphere are identified, an attack against critical nodes would deny access to information, destroy the information, or render it useless to the adversary forces. Even more damaging, information warriors could alter data in a network, causing the adversary to use false information in his decision making process and follow a game plan of the friendly commander’s design.
Fighting the Information War
One development with implications for the military is the appearance of “hackers” and “phreakers” — persons who gain unauthorized access to computer and telephone systems, respectively. A computer network or telephone system is designed to transmit information. Much of that information will form an excellent intelligence picture of an adversary. Computer networks can be monitored through telephone modems, peripheral equipment, power lines, human agents and other means. If a system can be monitored remotely, it might also be accessed remotely. A program could be installed to record and relay computer access codes to a remote location. Employing computers as a weapon system will introduce a new glossary of terminology. Computer warfighting weapons can be divided into four categories: software, hardware, electromagnetic systems and other assets. Software consists of programs designed to collect information on, inhibit, alter, deny use of, or destroy the enemy infosphere. The examples of software warfighting assets have exotic, computer hacker names: “knowbot”, “demons”, “sniffers”, “viruses”, “Trojan horses”, “worms” or “logic bombs”. A KNOWBOT (knowledge robot) is a program which moves from machine to machine, possibly cloning itself.
KNOWBOTs can communicate with one another, with various servers in a network, and with users. The KNOWBOT could even be programmed to relocate or erase itself to prevent discovery of espionage activity.
KNOWBOTs could seek out, alter or destroy critical nodes of an enemy C2 system. Demon. A program which, when introduced into a system, records all commands entered into the system. Similar to the demon is the “sniffer”. A sniffer records the first 128 bits of data on a given program. Logon information and passwords are usually contained in this portion of any data stream. Because they merely read and record data, such programs are very difficult to detect. Virus. A program which, upon introduction, attaches itself to resident files or tables on a machine or network. The virus spreads itself to other files as it comes into contact with them. It may reproduce without doing any actual damage, or it may erase files via the file allocation table. Trap Door. A back door into a system, written in by a programmer to bypass future security codes. Trojan Horse. A code which remains hidden within a computer system or network until it emerges to perform a desired function. A Trojan Horse can authorize access to the system, alter, deny or destroy data, or slow down system function. Worm. A nuisance file which grows within an information storage system. It can alter files, take up memory space, or displace and overwrite valuable information. Logic Bomb. This instruction remains dormant until a predetermined condition occurs. Logic bombs are usually undetectable before they are activated. The logic bomb can alter, deny or destroy data and inhibit system function. Hardware. The primary purpose of a hardware asset is to bring software assets into contact with an enemy computer system. Any piece of equipment connected to a computer, be it a fiberoptic or telephone cable, facsimile machine or printer, is capable of transmitting information to that computer. Therefore it is a potential avenue for gaining access to the infosphere. Electromagnetic Systems. 
Any mechanisms using the electromagnetic spectrum to subvert, disrupt or destroy enemy command and control are electromagnetic systems. Electromagnetic pulse simply shorts-out electronic equipment.
Other assets. This catch-all category makes an important point. Information warfare is not limited to electronic systems. Simply put, non-computer assets can complement use of computer hardware and software assets, or can act unilaterally. Their goal is to achieve the desired effect upon the enemy C2 network in pursuit of strategic, operational or tactical objectives. Successful employment of IW assets could theoretically end a war before the first shot is fired. IW doctrine has significant implications for modern military theory. IW will focus on preventing the enemy soldier from talking to his commander. Without coordinated action, an enemy force becomes an unwieldy mob, and a battle devolves to a crowd-control issue. In the not too distant future, computer weapon systems will conduct “software strikes” against the enemy infosphere to disrupt command and control. Targets will be chosen for military, political or economic significance. IW opens new doors throughout the spectrum of conflict to achieve tactical, operational and strategic objectives. Information warfare is a concept which is only now beginning to make its way through governmental and military circles. The technology currently exists with which to conduct an IW campaign. National leaders must reflect on the implications of this new technology in order to develop coherent policy and rules of engagement.
Task 2. Answer the questions.
1. What does the text acquaint us with?
2. What is the concept of an “OODA Loop”?
3. How can the IW campaign be characterized?
4. What is a potential target of the IW campaign?
5. What are the main parts of IW doctrine?
6. What is predicted to be the most wide-spread fighting the IW?
7. How many categories can computer war fighting weapons be divided into? What are they?
Task 3. Render the text using the given phrases. The text is devoted to … The introductory part is concerned with …
It is shown that … The problems of … are outlined. The author stresses the importance of … Special attention is paid to … There are critical reviews on … Recommendations for … are presented. Conclusions regarding … are made.
Task 4. Read and translate the text.
Text 2. Information Warfare: Its Application in Military and Civilian Contexts
The lexicon of information warfare (IW), or cyberwar, to use a common variant, has been around for more than two decades, but for most of that time it has remained the preserve of the defense community. The privileging of military thinking is myopic. Information warfare concepts deserve to be liberated from their military associations and introduced into other discourse communities concerned with understanding the social consequences of pervasive computing. Already, the principles and practices of information warfare are being exhibited, more or less wittingly, in a variety of civilian contexts, and there are good grounds for assuming that this trend will intensify, causing potentially serious social problems and creating novel challenges for the criminal justice system. To paraphrase a well-worn cliché, information warfare is too important to be left to the military. The term “information warfare” is still popularly associated with high-technology weapons and broadcast images of Cruise missiles seeking out Iraqi or other military targets with apparently unerring accuracy. The media’s early focus on smart bombs and intelligent battle systems masked the potentially deeper societal implications of virtual warfare strategies. That, however, is beginning to change, as journalists and pundits foreground computer hacking and data corruption as pivotal information warfare techniques. Simplifications and confusions notwithstanding, an axial assumption of information age warfare is that brains matter more than
brawn. In tomorrow’s battlefield, be it military or civilian, information technology will act as a force multiplier. Traditional notions about the bases of superiority existing between attacker and target may thus require redefinition. Pandemic access to digital networks creates a downward adjustment of established power differentials at all levels of society. The principles and practice of information warfare have potentially much wider implications for society at large in a networked age. We consider four spheres of activity in which information warfare may very soon become relatively commonplace: military, corporate/economic, community/social, and personal.
The Military Context
The term “information warfare” is widely used within the defense community. Information warfare implies a range of measures or actions intended to protect, exploit, corrupt, deny, or destroy information or information resources in order to achieve a significant advantage, objective, or victory over an adversary. A typical goal of conventional warfare is to destroy or degrade the enemy’s physical resources, whereas the aim of IW is to target information assets and infrastructure, such that the resultant damage may not be immediately visible or detectable to the untrained eye. These strikes are called soft kills. In practical terms, cyberwarfare means infiltrating, degrading, or subverting the target’s information systems using logic bombs or computer viruses. But it also extends traditional notions of psychological warfare. An IW goal may be silent penetration of the target’s information and communications system in order to shape community perceptions, foster deception, or seed uncertainty. In the battle for hearts and minds, the control of broadcast technologies has been a prime objective. In one sense, nothing much has changed, but the picture has become more complicated with the emergence of the Internet and World Wide Web, which give voice to the most unlikely individuals and groups, their multidirectional communication properties affording access to audiences that, under monopolistic or oligopolistic broadcasting conditions, would have remained permanently out of reach. In the information age,
the silent enemy can easily acquire a voice and quickly amplify its dissident message. Of course, IW constitutes a double-edged sword for information intensive nations. The greater the military’s reliance on complex networks and smart weaponry, the greater is its potential vulnerability to stealth attack by materially much weaker enemies blessed with networking savvy, be they foreign agents or corrupted insiders. And it is this aspect of IW - resource asymmetricality - that has attracted so much attention among both military planners and media analysts and shifted much of the discussion from offensive to defensive information warfare strategy.
Corporate/Economic Information Warfare
The similarities between the military and business world grow each day. Both involve competition between adversaries with various assets, motives, and goals. With the progressive globalization of trade and internationalization of business, the parallels will intensify. Business would thus seem to be an obvious site to appropriate the discourse of information warfare. Given the growing dependence of companies on sophisticated information systems, and, more particularly, the rapid growth of Web-based electronic commerce, it is reasonable to conclude that information warfare theory will soon establish a curricular foothold in leading business schools. In the age of economic and corporate information warfare, proactive intelligence management systems become essential requirements for high-performing companies.
Community/Social Information Warfare
The rise of the networked society has resulted in an intensification of debate on a vast array of social issues. What makes distributed computing, or more specifically the Internet, so attractive to individuals or groups interested in having their opinions heard or waging word warfare with others is the lack of restraints. Gatekeeping, particularly in the public sphere, is not a new concept. Government control of the Internet, however, has not followed that of newspapers, radio, and
television. Consequently, the Internet remains a communications arena where discourse, positive and negative, rational and irrational, flourishes freely. With the advent of the World Wide Web and graphical user interfaces or browsers such as Netscape, social and political activists have an even richer agora in which to debate, pontificate, or castigate. It is clear that delayering and disintermediation - the loss of intervening controls - have created a climate conducive to information warfare and cyber-terrorism.
Personal Information Warfare
Ordinary citizens are vulnerable to various kinds of overt and covert attack by cyber-terrorists acting alone or in concert, whether the motivation is ostensibly ludic or demonstrably criminal. Hacker culture may dismiss electronic break-ins and impersonation as punkishly acceptable behaviors, but the victim will probably view matters differently. The sense of violation and loss of sanctuary can have long-lasting psychological effects. The reconstitution of trust and salvaging of reputations in the wake of virtual vilification campaigns will likely pose major challenges for targeted individuals and collectivities. As with military or business resources, an individual’s information assets and online identity are potentially highly degradable by a determined hacker - which isn’t to say that anything other than a minority of individuals will ever be targeted in systematic fashion by information warriors/terrorists. Ontological warfare is thus a novel option within the digital battle space. It’s clear that IW thinking need not be bounded by the discourse of the military community. The principles of information warfare and net terrorism are being instantiated in a diverse set of social contexts, though the range of motivations and practices varies greatly. Decoupled from their military roots, the language and principles of information warfare have enormously wide applicability.
Internetworking technologies and emergence of complex computational communities provide the conditions to support multidimensional information warfare and net terrorism.
Task 5. Answer the questions.
1. How can IW concepts be defined?
2. Can you compare the typical goal of conventional warfare and the aim of IW?
3. Will high-performing companies be involved in economic and corporate information warfare?
4. What makes the Internet so attractive to individuals or groups interested in having their opinions heard or waging word warfare with others?
5. Ordinary citizens are vulnerable to various kinds of overt and covert attacks, aren’t they? Comment on the situation.
6. What provides the conditions to support multidimensional information warfare and net terrorism?
Task 6. Speak about the spheres of activity in which IW may become commonplace.
Essential Vocabulary
adversary - enemy, opponent
allied forces - allies
assets - assets, resources
coherent policy and rules - coordinated policy and legal norms
defense community - security services
digital battle space - digital environment for modelling combat operations
electronic break-ins - electronic surveillance tools
fighting the Information War - methods of waging information war
force multiplier - manifold increase in combat capability
friendly forces - allies
game plan - plan of operation
human agent - agent
information warfare - information war
intelligent battle system - intelligent combat control system
knowbot - global search program
military planners - military planning organizations
multidimensional information warfare - multidimensional information war
pervasive computing - distributed computing
phreaker - an intruder who breaks into telephone networks
proactive intelligence management system - proactive system of intelligent management
satellite communities - satellite systems
soft killers - methods of destroying software
software strikes - launching attacks by means of software
unerring accuracy - exact coordinates
INTERNET SOURCES
http://www.ittoday.info
http://www.infosecurity-magazine.com
http://www.itsec.ru/main.php
Keys to the Information security test:
1. C
2. D
3. A
4. A
5. B
6. D
7. A
8. B
9. C
10. A
Answers Total = 10 Questions
A firewall is meant to:
• screen incoming traffic on a network
• screen outgoing traffic on a network
• screen emails from a contact list of accepted recipients
• screen incoming and outgoing traffic on a network
• screen for viruses
Phishing is
• A type of computer virus
• Email designed to fool recipients into divulging personal information
• An example of a security method to protect computers
• A type of computer network
• A Farmville application
Most often it is safe to assume information from public wireless hotspots (such as airports, hotels, coffee shops etc.) is:
• secured with 128 bit encryption
• secured with 256 bit encryption
• not secure
• highly secure
• secure only if you have firewall installed on your laptop
You receive an email from your bank asking you to login to your account to verify information. You should:
• Ignore the message
• Enter the link in the email manually into your web browser
• Reply to the email asking the sender for additional information about the bank
• Follow detailed instruction given in the email
• Click the link in the email and login to your account so you are sure your information is correct
Once an anti-virus program is installed on your computer
• You should not update it
• You are fully protected from infections
• You are protected only against viruses
• You are protected against viruses and spam
• You are protected against viruses, spam, and malware
Files on your computer can be made unreadable to others by using:
• Partitions
• Backups
• Obscure filenames
• Subdirectories
• Encryption
While shopping online you know the website is secure if:
• The web URL starts with http://
• The web URL starts with https://
• The web URL starts with ftp://
• The web URL includes numbers e.g. http://192.168.0.1
• The web URL ends in .com
The most secure corporate network is one that is connected via:
• Internet
• DSL
• Wireless Network
• Dial up phone lines
• VPN
Digital Certificates on the web are managed and signed by:
• ICANN Authority
• GoDaddy Authority
• Certificate Authority
• Government Authority
• Corporate Authority
System that is able to monitor logs, watch network traffic, and identify patterns that look like an attack is known as:
• FDS (Firewall Detection System)
• FNS (False Negative Systems)
• FPS (False Positive Systems)
• IDS (Intrusion Detection System)
• HAS (Honeypot Assessment Systems)
Supplementary reading
Text 1. An Introduction to Information, Network and Internet Security
What is 'Information Security'?
Information security is exactly what it says, the security of information. Typically, this is the information that you or an organization 'own' and process. Applying security to information is analogous to the application of security to any physical asset. Take for example your home or car, protecting this can be summarized as follows: You need to have someone responsible for your car or home (you) so that this person can set the level of security required; If you have two homes or cars - which one do you spend more on protecting (risk assessment) or if you have only one - what level of protection do you set (risk assessment)? If you get burgled, how do you know what is missing from your house or car (asset register)?
If you are going to have staff or third parties work on your car or in your house (perhaps you run a business or work from home?) then how do you select them and what protection do you need to have in place (personnel and contract security)? What sort of level of physical security, in terms of locks and bolts or maybe alarms do you need to have in place, including their infrastructure (physical security)? If you had a computer at home that is used by the family then you need to ensure that it is all working properly and that it is properly managed and maintained - such things as backups etc. (Communications and operations management); If you work from home then you may not want all of the family to view your work or you may need to ensure, as a responsible parent, that your children are protected from adult or inappropriate content on the internet (access control); If, like many people, you do some programming, then you will want to properly test the code before putting it live on the system. You may also need to ensure that if you are testing software that you ensure there is appropriate security in place and that you don't break the law (system development and maintenance); If your car is stolen, what fall back do you have to allow you to travel as if you still had your car (fallback planning)? When running your car or maintaining your house what legal or regulatory aspects do you need to take note of and how can you prove that you are complying with them (legislative and regulatory compliance). Historically, information security has been called a number of different things such as:
- Data security;
- IT Security;
- Computer security.
But these terms (except possibly data security) ignore the fact that the information that is held on the computers is almost always and most certainly worth many times more than the computers that it runs on.
The correct term is 'information security' and typically information security comprises three component parts:

- Confidentiality. Assurance that information is shared only among authorised persons or organisations. Breaches of confidentiality can occur when data is not handled in a manner appropriate to safeguard the confidentiality of the information concerned. Such disclosure can take place by word of mouth, by printing, copying, e-mailing or creating documents and other data etc.;
- Integrity. Assurance that the information is authentic and complete. Ensuring that information can be relied upon to be sufficiently accurate for its purpose. The term 'integrity' is used frequently when considering information security as it represents one of the primary indicators of information security (or lack of it). The integrity of data is not only whether the data is 'correct', but whether it can be trusted and relied upon;
- Availability. Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.

These components have been at the root of information security since the start of computing and the growing need for information security. It has been suggested that these should be reviewed completely (Parker 1998) or that at least two more components should be added:

- Accountability. Someone is personally accountable and responsible for the protection of an asset or set of assets. The emphasis here is on the 'someone' and the 'personally accountable'. Often this does not work in the organisational setup but it still should be the goal;
- Auditability. This component has two parts: firstly, that any position that a system is found in should be able to be backtracked to determine how it got into that state, and secondly, that an ongoing process of management review or audit should be undertaken to ensure that the systems meet all documented requirements.

These two new components are derived from BS 7799 (BS 7799 2002), ISO 27002 (ISO 27002 2005) and ISO 27001 (ISO 27001 2005).
Text 2. Basic information computer terminology.

These terms are asset, threat, threat agent, vulnerability, exploit and risk.

Consider this analogy with a house that has money inside. The money stored in the house is an asset, meaning that it has value. Anything that the money must be protected from is a threat. A threat includes anything that may cause the money to be lost or damaged. Likewise, in information security, data is an asset, and any potential actions that endanger the confidentiality, availability or integrity of the data are threats, such as loss, corruption, or denial of service. A threat agent is someone or something that actually has the power to carry out a threat. In the case of the money, a threat agent could be a thief, and for information security a threat agent could be a virus or a hacker. A vulnerability is anything which allows a threat agent unauthorized access to an asset. In the case of the money stored in the house, an open door or an unlocked window would be a vulnerability. For information security, a vulnerability could be unpatched software or a weak password. Exploiting a vulnerability would be for a thief to actually go through the door or for a hacker to use a weak password to log in to the computer system. A risk is the likelihood that the money or data would be lost or damaged.
Text 3. Definition: cyberterrorism

According to the U.S. Federal Bureau of Investigation, cyberterrorism is any "premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against noncombatant targets by sub-national groups or clandestine agents." Unlike a nuisance virus or computer attack that results in a denial of service, a cyberterrorist attack is designed to cause physical violence or extreme financial harm. According to the U.S. Commission of Critical Infrastructure Protection, possible cyberterrorist targets include the banking industry, military installations, power plants, air traffic control centers, and water systems. Cyberterrorism is sometimes referred to as electronic terrorism or information war.

SOURCE: http://searchsecurity.techtarget.com/definition/cyberterrorism?track=NL34&ad=874884&asrc=EM_NLN_17790562&uid=10981798
Text 4. Computer Security

Scammers, hackers, and identity thieves are looking to steal your personal information – and your money. But there are steps you can take to protect yourself, like keeping your computer software up-to-date and giving out your personal information only when you have a good reason.

- Use Security Software That Updates Automatically
- Treat Your Personal Information Like Cash
- Check Out Companies to Find Out Who You’re Really Dealing With
- Give Personal Information Over Encrypted Websites Only
- Protect Your Passwords
- Back Up Your Files

Use Security Software That Updates Automatically

The bad guys constantly develop new ways to attack your computer, so your security software must be up-to-date to protect against the latest threats. Most security software can update automatically; set yours to do so. You can find free security software from well-known companies. Also, set your operating system and web browser to update automatically.

If you let your operating system, web browser, or security software get out-of-date, criminals could sneak their bad programs – malware – onto your computer and use it to secretly break into other computers, send spam, or spy on your online activities. There are steps you can take to detect and get rid of malware.

Don’t buy security software in response to unexpected pop-up messages or emails, especially messages that claim to have scanned your computer and found malware. Scammers send messages like these to try to get you to buy worthless software, or worse, to “break and enter” your computer.
Treat Your Personal Information Like Cash

Don’t hand it out to just anyone. Your Social Security number, credit card numbers, and bank and utility account numbers can be used to steal your money or open new accounts in your name. So every time you are asked for your personal information – whether in a web form, an email, a text, or a phone message – think about whether you can really trust the request. In an effort to steal your information, scammers will do everything they can to appear trustworthy. Learn more about scammers who phish for your personal information.

Check Out Companies to Find Out Who You’re Really Dealing With

When you’re online, a little research can save you a lot of money. If you see an ad or an offer that looks good to you, take a moment to check out the company behind it. Type the company or product name into your favorite search engine with terms like “review,” “complaint,” or “scam.” If you find bad reviews, you’ll have to decide if the offer is worth the risk. If you can’t find contact information for the company, take your business elsewhere.

Don’t assume that an ad you see on a reputable site is trustworthy. The fact that a site features an ad for another site doesn’t mean that it endorses the advertised site, or is even familiar with it.

Give Personal Information Over Encrypted Websites Only

If you’re shopping or banking online, stick to sites that use encryption to protect your information as it travels from your computer to their server. To determine if a website is encrypted, look for https at the beginning of the web address (the “s” is for secure). Some websites use encryption only on the sign-in page, but if any part of your session isn’t encrypted, the entire account could be vulnerable. Look for https on every page of the site you’re on, not just where you sign in.

Protect Your Passwords

Here are a few principles for creating strong passwords and keeping them safe:

- The longer the password, the tougher it is to crack. Use at least 10 characters; 12 are ideal for most home users.
- Mix letters, numbers, and special characters. Try to be unpredictable – don’t use your name, birthdate, or common words.
- Don’t use the same password for many accounts. If it’s stolen from you – or from one of the companies with which you do business – it can be used to take over all your accounts.
- Don’t share passwords on the phone, in texts or by email. Legitimate companies will not send you messages asking for your password. If you get such a message, it’s probably a scam.
- Keep your passwords in a secure place, out of plain sight.

Back Up Your Files

No system is completely secure. Copy important files onto a removable disc or an external hard drive, and store it in a safe place. If your computer is compromised, you’ll still have access to your files.
Start the Security IQ Quiz here.
1) Surf’s up?
Ted really wants to improve productivity in his department. Studies show surfing the web is the number one time-wasting activity for many employees. The percentage of employees using social networks and other non-business websites from 1 to 5 hours a day is:
a) 5%
b) 16%
c) 50%
d) 64%

2) “He clicked on what?”
Kevin is explaining to his CIO how a fake LinkedIn invite could have taken down the network for the second time in a month. But his boss is convinced that employees have become too sophisticated to fall for phishing ploys. Kevin tells the CIO about the alarming effectiveness of Phishing 2.0, which involves:
a) Targeting – using topics that would be top of mind to a specific type of employee
b) Reconnaissance – gathering personal information from company websites, social networks and video and photo sharing sites
c) Losses of $50,000 to $1 million even for small to medium-sized businesses
d) All of the above

3) Does size really matter?
As endpoint security vendors have struggled to adapt the traditional signature-based approach to cope with a tidal wave of malware, endpoint clients and update downloads have ballooned in size. The average install size of today’s endpoint client is:
a) 3 megabytes
b) 478 megabytes
c) 1,254 megabytes
d) 4,818 megabytes

4) Smartphone smarts?
Edward received a text message from someone in his address book asking him to check out a link. Later that day, he got an email from his bank with a notice of insufficient funds. He checked and found that his bank balance had been transferred to an account in Bulgaria. This is an example of:
a) Drive-by download
b) SQL injection
c) Malicious mobile app (MMA)
d) Ransomware

5) The path most chosen?
John is responsible for IT in a 180-person company with remote and mobile workers and multiple locations. In the last year, he has experienced numerous malware attacks that have impacted users and the corporate network. This not only involved monetary cost in terms of remediation, including reimaging machines, but the company also experienced a costly data breach. The main pathways for malware to enter your network are:
a) Drive-by downloads
b) SQL injection
c) Web-borne phishing attacks
d) All of the above

Here are the Answers!

1) 50% is correct. An additional 11% spend more than 5 hours a day on non-business websites. IT departments can deploy a secure web gateway that has granular web usage controls to help get teams back to work without potentially alienating valuable employees – managers don’t have to speak directly to employees to curb their usage.

2) “All of the Above” is correct. As IT departments deploy countermeasures and users have become educated about phishing, ‘mass’ phishing attacks no longer offer cybercriminals much financial gain. However, a new generation of highly targeted phish evades traditional antivirus and anti-phishing products. They are not only fewer and fewer in number, but the creators also use sophisticated techniques such as throw-away domains. Cybercriminals also use extensive reconnaissance to obtain targeted information to help fool recipients into believing the bogus email, text or website is legitimate.

3) 1,254 megabytes is correct, with 4,818 megabytes on the high end. These overweight clients as well as huge signature downloads cause software conflicts, hog RAM and network bandwidth, and bog down device performance during long scans. According to Forrester Research, Frost & Sullivan and other leading researchers, there’s a more efficient, effective solution. An example is the small 3 megabyte installation of Webroot cloud-based endpoint protection. Let the heavy lifting occur in the cloud – not on the client – significantly improving both performance and security, especially since a cloud-based threat engine can provide real-time protection against zero-day attacks.

4) Malicious mobile app is correct. With the explosion in mobility, cybercriminals have increasingly turned their focus to smartphones and tablets. In fact, one in ten mobile apps – even ones downloaded from reputable sources – are infected with malware. In this case, by accessing the address book on the phone, the malicious app tricked the user into trusting the message as legitimate. Enterprises, mobile app providers and app stores can ensure users download only ‘good’ apps by using a Mobile App Reputation Service.

5) “All of the Above” is correct. Web-borne attacks, including phishing, now represent the number one vector for malware infections. You can protect your organization from these costly threats by deploying a secure web gateway that includes content and URL filtering using a global cloud database.
A. Conversation Questions. Computers and Computer security.

1. Are you computer literate?
2. Are you connected to the Internet?
3. Do you access the Internet with your computer?
4. Can you access the Internet from your home?
5. What is your favorite "news" site?
6. What Internet sites do you visit regularly?
7. Can your mother and father use a computer?
8. Do you have a computer?
9. Do you have a computer at work and at home?
10. Do you have a laptop or a desktop computer? Do you have both?
11. Do you use your computer when you do homework for classes?
12. Have you ever studied English using your computer?
13. How many times have you upgraded your computer?
14. How powerful is your computer?
15. What company made your computer?
16. What kind of computer do you have?
17. What size is your computer screen?
18. What do you think is the best size to have?
19. Where do you use your computer?
20. Where in your room is your computer?
21. Why did you buy your computer?
22. Do you have a digital camera?
23. Do you send photos by e-mail?
24. What kind of pictures do you take with your digital camera?
25. Do you have a scanner?
26. What kind of scanner do you have?
27. Do you have a web page?
28. What is the URL?
29. When did you start it?
30. How much time did it take to make?
31. How much time do you spend keeping it updated?
32. Do you know any computer programming languages?
33. How many computer programming languages do you know?
34. Which languages do you know?
35. Which language do you use the most often?
36. Do you read computer magazines?
37. Which computer magazines do you read?
38. Do you use a computer?
39. Are you good at using a computer?
40. Are you still using your first computer?
41. Did you learn to use a computer in high school?
42. Do you know how to type well?
43. How often do you use a computer?
44. What are some of your favorite computer games?
45. What do you use a computer for?
46. What operating system do you use?
47. What software do you use the most often?
48. When did you first start using a computer?
49. Who taught you to use a computer?
50. Do you use chat-rooms? If so, what chat-rooms do you use and who do you talk to?
51. Do you use e-mail?
52. Do you use e-mail every day?
53. Do you write e-mail in English?
54. Have you ever sent an e-mail to your teacher?
55. How many e-mails do you get a day?
56. How many e-mails do you send a day?
57. How many times a day do you access your e-mail?
58. What's your e-mail address?
59. How many e-mail addresses do you have?
60. Do you want a more powerful computer? If so, what computer do you want?
61. Does your family have a computer?
62. How fast can you type?
63. Have you ever taken a course at school where you used a computer?
64. Have you tried Mac-OS, Windows and Linux?
65. How do you study English with your computer?
66. How does e-mail work?
67. How many people in your family can use a computer?
68. How much did your first computer cost? How much did your last computer cost?
69. How much does it cost to buy a computer?
70. What's the least expensive?
71. What's the most expensive?
72. How much does your Internet service provider cost?
73. Which ISP do you use?
74. If you could buy a new computer, what would you like to buy?
75. If you had lots of money, what kind of computer system would you like to buy?
76. What is the difference between software and hardware?
77. Which do you like better, a laptop computer or a desktop computer?
78. What is your favorite website?
79. Do you ever visit English websites while web-surfing?
80. Do you think our lives have been improved by computer technology? Think of a few examples of how computers have an educational or an entertainment value. Could you do without them?
81. What is multimedia?
82. What are the components and the elements of multimedia?
83. When did you first get a computer?
84. What kind of computer was it?
85. About how much did it cost?
86. Do you still have it?
87. Do you still use it?
88. Do you remember the first time you used a computer or the Internet?
89. What did you think about it?
90. How long have there been personal computers in your country?
91. When did the average person start using a computer?
92. Can your parents operate a computer?
93. Do you think a computer can bring us happiness?
94. Do you have a computer?
95. Do you know any computer languages like C or C++?
96. What is the configuration of your PC?
97. How often do you perform a backup? What kind of backup method do you use? What kind of backup media do you use?
98. What are some good things about having a computer?
99. What are some bad things about having a computer?
100. Does having a computer make life more complicated or less complicated?
101. What computer games have you played?
102. Which are your favorites?
103. Which do you think are not so interesting?
104. What are chat rooms and instant messaging? Why can these be dangerous for you and your kids?
B. Conversation Questions. Internet and Internet Security.

1. Do you often use the Internet?
2. When did you first use the Internet?
3. About how many hours a day do you use the Internet?
4. About how many hours a week do you use the Internet?
5. Who uses the Internet the most in your family?
6. What computer do you use to access the Internet?
7. What are some security issues you must think about when you access the Internet?
8. Have you ever bought something using the Internet?
9. How can the Internet help you learn English? Do you take advantage of this?
10. How can the Internet be improved?
11. How often do you use the Internet?
12. Do you think our lives have been improved by the Internet?
13. Do you have any ideas or ambitions to start an Internet company?
14. Do you think the Internet favors men or women?
15. Do men and women use the Internet for different purposes?
16. Do you use the Internet for fun or education?
17. What are some of the ways the Internet can be used for education?
18. What are some of the ways the Internet can be used for entertainment?
19. What are the sites you most commonly access?
20. What is the best thing about the Internet?
21. What problems does the Internet create? What problems does it solve?
22. Which company is your Internet provider?
23. Why did you choose this company?
24. Are you satisfied with their service?
25. How much does it cost you?
26. Is it expensive to access the Internet by mobile phone in your country?
27. Is there too much sex on the Internet?
28. Does your family have wireless Internet access in your home?
29. Do you access the Internet from your mobile phone?
30. What type of pages do you access with your phone?
31. Do you have many e-mail addresses?
32. Why do you need more than one e-mail address?
33. Have you ever chatted on the Internet?
34. Is it dangerous to meet people on the Internet?
35. Would you like to go on a date with someone you meet on the Internet?
36. Do you think governments have the right to censor the Internet?
37. Do you think that the Internet is safe for children? Why?
38. Do you think that it is important for schools to have Internet access? Why?
39. Can you believe all the information that is published (available) on the Internet?
40. Do you think that people should put photos of their friends onto the Internet?
41. Why is it a good idea to have books and magazines published on the Internet?
42. Do you think that it is a good or bad habit for young people to play computer games?
43. Why should you be careful about giving out personal information to people that you meet in chat-rooms?
44. Give me a reason why you think that email is a good way for people to communicate.
45. The Internet can help people work from home. Do you think that this is good or bad?
46. Many disreputable companies get personal information from your computer when you visit their web site. Why is this bad?
47. Many people download MP3 music without paying any money for it. Do you think that this is a problem?
48. Would you consider going out with someone that you met on the Internet?
49. In your opinion, what is the most important feature of the Internet?
50. Do you think that meeting people on the Internet is easier than meeting people face to face?
51. Are old people disadvantaged by today's usage of the Internet? How?
52. When you buy something on the Internet, trust is very important. Why?
53. Do you think that the Internet will replace libraries?
54. Do you think that online banking (being able to do most of your banking by the Internet and ATM machines) will become popular in all countries? What is a disadvantage of this?
55. In many big cities it is possible to buy your groceries online and have them delivered to your home. Why has this become popular?
56. Why is it illegal to download movies and music from the Internet?
57. What is a computer virus and how do we protect our computers from being infected?
58. How does the Internet help people from different countries to communicate with each other?
59. How do we stop young children from looking at Internet sites that have inappropriate content?
60. Do you think that some people spend too much time on the Internet and does this stop them from seeing their friends? Why?
61. Do you think that having Internet access is mainly for rich people? Will poor people be disadvantaged?
62. In some countries you can sell personal items on the Internet (E-Bay). Do you think this is a good idea?
63. Many universities are now offering online courses. Give me some reasons why this is a good thing.
64. Many universities are now offering online courses. Give me some reasons why this is a bad thing.
65. If you want reliable and good information from the Internet, then you should look for sites operated by which types of organizations?
66. Do you think that Internet usage is an anti-social activity?
67. E-commerce (buying and selling things on the Internet) has become very popular. Give a reason for this.
68. Is it better to buy online or to go to a shop? Why?
69. Why is it very important not to give out personal information on the Internet?
70. Many sites require you to have IDs and passwords. Why do we need to keep these safe?
71. Some web sites hold very dangerous information, for example how to make a bomb. How can we control these web sites?
72. If you give personal information to a website, do you think that they will always keep this private? Sometimes they sell this information. Is this a good or bad thing?
73. Search engines are used to find information. Do you think that they always give you the best sites or do they give you sites that pay money in order to be on the top of the list?
74. What is copyright? How do we break copyright law on the Internet?
75. Many students use the Internet to help them do their assignments and they just cut and paste information from the Internet. How could we stop this?
76. We can use the Internet to find jobs overseas. Is this good or bad for both the employer and employee?
77. If you employ someone via the Internet, how do you check if the person is giving you truthful information?
78. To be current, that is to be up-to-date, is an important feature of the Internet. Why is this important and what impact is this having on society?
79. In Japan, many young men lock themselves in their bedrooms, sometimes for years, to escape the pressures of study. They refuse to see people, but they still use the Internet and mobile phones. Do you think that this will happen in other countries?
80. Is the Internet making people more impatient? Are we becoming a society where we all want instant satisfaction?
81. Many people use the Internet for fun and entertainment at work. Do you think that this is right?
82. How has the Internet changed society?