IT Security for Healthcare Professionals

DESCRIPTION

On Tuesday, November 13th, at 11:00 AM, I will be giving this presentation to faculty and staff at the University of Wisconsin-Madison, School of Medicine and Public Health, at the Health Sciences Learning Center (HSLC), next to UW Hospital. IT Security and Healthcare go together like chocolate and peanut butter!

Free Powerpoint TemplatesPage 1

The Wild, Wild Web: Social Engineering, Malware and Security Awareness

Nicholas Davis, MBA, CISA, CISSP

DoIT Security

November 13, 2012

Introduction

• Background
• Thank you for the invitation
• Today’s Topic: Malware, Social Engineering and overall Security Awareness
• Importance to the healthcare field
• Pretexting
• Phishing
• QR Code Danger
• Social Networks
• Passwords
• Malware
• Baiting
• Identity Theft: How, Avoiding, Responding
• Physical Security
• Sharing of information with the public

Technology Is Not The Answer

Strong computer security has two components:

The Technology: passwords, encryption, endpoint protection such as anti-virus.

The People: You, your customers, your business partners

Today, we will talk about both components

Social Engineering

The art of manipulating people into performing actions or divulging confidential information

It is typically trickery or deception for the purpose of information gathering, fraud, or computer system access

Most Popular Type of Social Engineering

Pretexting: An individual lies to obtain privileged data. A pretext is a false motive.

Pretexting is a fancy term for impersonation

Caused the resignation of the CEO at HP

Brings new meaning to HP’s logo “I n v e n t”

Let’s Think of an HSLC Pretexting Example

“This is the Epic upload site for UW-Madison School of Medicine, test subjects diabetes study data. Click here to submit your patient data”

Just because it says so, does not make it true!
Website address correct?
Consistent interface?
SSL lock?
Does it seem reasonable?
Have you double checked with others?

Phishing

• Deception, but not just in person
• Email
• Websites
• Facebook status updates
• Tweets
• Phishing, in the context of the healthcare working environment, is extremely dangerous

Phishing History

• Phreaking: the term for making phone calls for free, back in the 1970s

• Fishing: the use of bait to lure a target

• Phreaking + Fishing = Phishing

Phishing 1995

• Target: AOL users
• Account passwords = free online time
• Threat level: low
• Techniques: Similar names, such as www.ao1.com for www.aol.com

Phishing 2001

• Target: eBay and major banks
• Credit card numbers and account numbers = money
• Threat level: medium
• Techniques: Same as in 1995, as well as keyloggers

Keyloggers

• Tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored

• Software or hardware based

Phishing 2007

• Targets: PayPal, banks, eBay
• Purpose: to steal bank accounts
• Threat level: high
• Techniques: browser vulnerabilities, link obfuscation

Don’t Touch That QR Code

• Just as bad as clicking on an unknown link

• Looks fancy and official, but is easy to create

Phishing in 2013

• Trends for the coming year

• Identity Information
• Personal Harm
• Blackmail

Example

• Mitt Romney
• Hackers claimed to have his tax returns and threatened to release them

• What could the ramifications have been for him and his accountants?

Looking In the Mirror

• Which types of sensitive information do you have access to?

• What about others who share the computer network with you?

• Think about the implications of that data being stolen and exploited!

What Phishing Looks Like

• As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.

• They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.

Techniques For Phishing

• Employ visual elements from the target site
• DNS tricks: www.ebay.com.kr, www.ebay.com@192.168.0.5, www.gooogle.com
• Unicode attacks
• JavaScript attacks
• Spoofed SSL lock / certificates
• Phishers can acquire certificates for domains they own
• Certificate authorities make mistakes
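As an added example (not from the deck), a small link checker that applies the DNS tricks listed above from the defender's side: it extracts the host a browser would really connect to, so the userinfo trick, the unrelated registrable domain, the near-miss spelling and a non-ASCII homoglyph are each flagged. The brand list and the sample links are constructed for the demo.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Brand domains treated as legitimate for this demo (an assumption, not a real allow-list).
TRUSTED = {"ebay.com", "google.com", "paypal.com"}

# Constructed links mirroring the slide's tricks; none of these is a real phishing URL.
SAMPLE_LINKS = [
    "http://www.ebay.com.kr/signin",     # brand name inside an unrelated registrable domain
    "http://www.ebay.com@192.168.0.5/",  # "www.ebay.com" is userinfo; the real host is the IP
    "https://www.gooogle.com/",          # typosquat of google.com
    "https://www.paypаl.com/",           # Cyrillic 'а' (U+0430) in place of Latin 'a'
    "https://www.ebay.com/",             # legitimate
]


def registrable_domain(host: str) -> str:
    # Last two labels; adequate for the .com brands above (simplification: no public-suffix list).
    return ".".join(host.split(".")[-2:])


def check_link(url: str) -> list[str]:
    """Return the indicators found in one URL; an empty list means none were found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # what the browser actually connects to
    findings = []
    if "@" in parts.netloc:
        findings.append(f"userinfo trick: browser actually connects to {host}")
    if host.replace(".", "").isdigit():
        findings.append("bare IP address instead of a domain name")
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("non-ASCII or punycode label (possible homoglyph)")
    dom = registrable_domain(host)
    if dom in TRUSTED:
        return findings
    for brand in sorted(TRUSTED):
        if brand in host:                                   # e.g. ebay.com buried in ebay.com.kr
            findings.append(f"looks like {brand} but registrable domain is {dom}")
        elif SequenceMatcher(None, dom, brand).ratio() >= 0.85:  # near-miss spelling
            findings.append(f"typosquat of {brand}: {dom}")
    return findings


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", check_link(link) or "no indicators")
```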

Social Engineering Techniques

Often employed in phishing to lower your guard

1. Threats – Do this or else!
2. Authority – I have the authority to ask this
3. Promises – If you do this, you will get money
4. Praise – You deserve this

Phishing Techniques

• Socially aware attacks
• Mine social relationships from public data
• Phishing email appears to arrive from someone known to the victim
• Use the spoofed identity of a trusted organization to gain trust
• Urge victims to update or validate their account
• Threaten to terminate the account if the victim does not reply
• Use a gift or bonus as bait
• Security promises

Let’s Talk About Facebook

• So important, it gets its own slide!
• Essentially unauthenticated – discussion
• Three friends and you’re out! – discussion
• Privacy settings mean nothing – discussion
• Treasure trove of identity information
• Games as information harvesters

Socially Aware

Context Aware

“Your bid on eBay has won!”
“The books on your Amazon wish list are on sale!”

Seems Suspicious

419 Nigerian Email Scam

Too Good to be True, Even When It Is Signed

Detecting Fraudulent Email

Information requested is inappropriate for the channel of communication:

"Verify your account." Nobody should ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail.

Urgency and potential penalty or loss are implied:

"If you don't respond within 48 hours, your account will be closed.”

Detecting Fraudulent Email

"Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.

Detecting Fraudulent Email

"Click the link below to gain access to your account."

This is an example of URL masking (hiding the web address)

URL alteration

www.micosoft.com www.mircosoft.com www.verify-microsoft.com
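As an added example (not part of the deck), the cues from the three "Detecting Fraudulent Email" slides turned into a checker that runs over a constructed message: a request for credentials, urgency with a penalty, a generic greeting, and URL masking, where the link text shows one host but the href points at another (here the constructed www.verify-microsoft.com). Per-URL spelling checks are left out; the host it extracts is what you would feed to such a check.

```python
import re
from urllib.parse import urlsplit

# Constructed message assembled from the slide's own cues; it is not a real e-mail.
SAMPLE_EMAIL = {
    "subject": "Verify your account",
    "body": (
        "Dear Valued Customer,\n"
        "If you don't respond within 48 hours, your account will be closed. "
        "Reply with your login name and password to keep your access.\n"
        '<a href="http://www.verify-microsoft.com/login">https://www.microsoft.com/account</a>'
    ),
}

CREDENTIAL_TERMS = ("password", "login name", "social security number")
URGENCY_PATTERNS = (r"within \d+ hours?", r"account will be (closed|suspended|terminated)")
GENERIC_GREETING = re.compile(r"^dear (valued )?(customer|user|member)\b", re.M)
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(text: str) -> str:
    """Hostname a string resolves to when used as a link (empty if it is not a URL)."""
    return (urlsplit(text.strip()).hostname or "").lower()


def fraud_indicators(msg: dict) -> list[str]:
    """Apply the 'Detecting Fraudulent Email' cues; each hit becomes one returned string."""
    text = (msg["subject"] + "\n" + msg["body"]).lower()
    hits = []
    if any(term in text for term in CREDENTIAL_TERMS):
        hits.append("asks for credentials or personal data by e-mail")
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        hits.append("urgency with a threatened penalty")
    if GENERIC_GREETING.search(text):
        hits.append("generic greeting: bulk mail that does not use your name")
    for href, shown in LINK_RE.findall(msg["body"]):
        shown_host, real_host = host_of(shown), host_of(href)
        if shown_host and shown_host != real_host:     # URL masking: text and target differ
            hits.append(f"URL masking: text shows {shown_host} but link goes to {real_host}")
    return hits


if __name__ == "__main__":
    for hit in fraud_indicators(SAMPLE_EMAIL):
        print("-", hit)
```

Link text such as "Click here" carries no host, so the masking check skips it; the href's host must then be judged on its own.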

How to Defend Against Phishing Attacks

• Never respond to an email asking for personal information
• Always check the site to see if it is secure (SSL lock)
• Look for misspellings or errors in grammar
• Never click on the link in the email. Enter the web address manually
• Keep your browser updated
• Keep antivirus definitions updated
• Use a firewall
• When in doubt, ask your Network Administrator for their opinion

A Note on Spear Phishing

• Designed especially for you
• Includes your name
• May reference an environment or issue you are aware of and familiar with

• Asks for special treatment, with justification for the request

Other Techniques: An Ocean of Phishing Techniques

• Clone Phishing – Discussion
• Whaling – Discussion
• Filter Evasion – Discussion
• Phone Phishing – Discussion
• Tabnabbing – Discussion
• Evil Twins – Discussion

Passwords

Your password is your electronic key to valuable resources, treat it like your house key!

Sharing – Discussion
Theft – Discussion
Password Rotation – Discussion

Creating a Strong Password

The following two rules are the bare minimum you should follow when creating a password.

Rule 1 – Password Length: Stick with passwords that are at least 8 characters in length. The more characters in the password, the better, since it will take an attacker longer to crack it. 10 characters or longer is better.

Rule 2 – Password Complexity: Your password should contain at least one character from each of the following four categories:

Creating a Strong Password

1. Lower case alphabets
2. Upper case alphabets
3. Numbers
4. Special characters

Use the “8 4 Rule”
8 = 8 characters minimum length
4 = 1 lower case + 1 upper case + 1 number + 1 special character

Do not use a password strength checking website! Any ideas why this is a bad idea?
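As an added example (not from the deck), a local checker for the “8 4 Rule” above; it also estimates the brute-force keyspace so you can see how much each extra character adds. Because it runs on your own machine, the password is never sent anywhere. The sample passwords are constructed.

```python
import math
import string

# The four classes named in the "8 4 Rule" (items 1-4 on the slide).
CLASSES = {
    "lower case letter": set(string.ascii_lowercase),
    "upper case letter": set(string.ascii_uppercase),
    "number": set(string.digits),
    "special character": set(string.punctuation),
}


def check_8_4(password: str) -> list[str]:
    """Return the requirements the password fails; an empty list means it satisfies the 8 4 Rule."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            failures.append(f"no {name}")
    return failures


def keyspace_bits(password: str) -> float:
    """log2 of the brute-force keyspace implied by the length and the character classes used.

    An attacker who must try every combination faces 2**bits candidates, so each extra
    character adds log2(alphabet size) bits; this is why length matters most.
    """
    alphabet = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for pw in ("password", "Passw0rd", "Passw0rd!", "Th1s-1s-L0nger!"):   # constructed samples
        print(f"{pw!r}: fails {check_8_4(pw) or 'nothing'}, ~{keyspace_bits(pw):.0f} bits")
```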

Adware, Malware, Spyware

Adware – unwanted ad software which is noticed
Malware – unwanted software which is noticed and potentially causes harm
Spyware – unwanted software which goes unnoticed and harvests your personal information

Use endpoint protection!

Adware, Malware, Spyware

How these get on your computer:
Email
Web pages
Downloaded software
CD, USB flash drive
Sometimes, out of the box

Trojan Malware

Baiting

Hey, look! A free USB drive!
I wonder what is on this confidential CD which I found in the bathroom?

These are vectors for malware!
They play on your curiosity or desire to get something for nothing

Don’t be a piggy!

Social Engineering Methods

Using the Out of Office responder in a responsible manner

Medical Identity Theft

Use another person’s name
Sometimes other identifying information, such as a medical bracelet or insurance information
Obtain medical services
Make false claims
Causes erroneous information to be put into medical records
May lead to inappropriate and life-threatening situations

Synthetic Identity Theft

A variation of identity theft which has recently become more common is synthetic identity theft, in which identities are completely or partially fabricated. The most common technique involves combining a real social security number with a name and birthdate other than the ones associated with the number.

How Does Identity Theft Happen

Let’s talk through the attached paper handout, entitled:

“Techniques for obtaining and exploiting personal information for identity theft”

Look through the list and think to yourself “Could this apply to me?” If so, think about taking steps to avoid it

Tips To Avoid Identity Theft

1. Only Make Purchases On Trusted Sites
2. Order Your Credit Report
3. Know How To Spot Phishing
4. Secure Your Network
5. Can the Spam
6. Don't Store Sensitive Information On Non-Secure Web Sites
7. Set Banking Alerts
8. Don't Reuse Passwords
9. Use Optional Security Questions
10. Don't Put Private Information On Public Computers

If Your Identity Is Stolen

See paper handout from the FTC

1. Place a fraud alert on your credit reports, and review your reports.
2. Close the accounts that you know, or believe, have been tampered with or opened fraudulently.
3. File a report with your local police or the police in the community where the identity theft took place.
4. File a complaint with the Federal Trade Commission.

Physical Security

• The UW is a fairly open and shared physical environment

• Seeing strangers is normal; we won’t know if they are here as friend or foe

• Lock your office
• Lock your desk
• Lock your computer
• Criminals are opportunistic
• Even if you are just gone for a moment
• Report suspicious activity to your administration and UW Police
• If you have an IT related concern, contact the Office of Campus Information Security

Sharing Information With The Public

• The University of Wisconsin is an open environment

• However, on occasion, this open nature can be exploited by people with nefarious intent

• Don’t volunteer sensitive information
• Only disclose what is necessary
• Follow records retention policies
• When in doubt, ask for proof; honest people will understand, dishonest people will become frustrated

We Have So Much More To Talk About

• Security Awareness matters not just to you, but to the University of Wisconsin as a whole

• Security Awareness is an important facet of everyone’s work

• My actions impact you
• Your actions impact me
• Security Awareness is an ever changing and evolving area, which requires constant attention

• DoIT is here as a resource for you
• Let us know how we can help
• Let me know if I can help
• Don’t be afraid to ask questions
• Better safe than sorry

A Picture Is Worth 1000 Words

Questions and Discussion

Nicholas Davis
ndavis1@wisc.edu
608-262-3837
facebook.com/nicholas.a.davis
