Free Powerpoint TemplatesPage 1
Computer Security Awareness, Social Engineering and Physical Security in a Scientific Research Environment
Nicholas Davis, MBA, CISA, CISSP
DoIT Security, Nov 20, 2012
Introduction
• Background
• Thank you for the invitation
• Today’s Topic: Security Awareness, Computer Security, Physical Security
• Importance to the scientific research field
• Identification vs. Authentication
• Social Engineering
• Pretexting
• Phishing
• QR Code Danger
• Social Networks
• Passwords
• Malware
• Baiting
• Identity Theft: How, Avoiding, Responding
• Physical Security
• Sharing of information with the public
Technology Is Not The Answer
Strong computer security has two components:
The Technology: passwords, encryption, endpoint protection such as anti-virus.
The People: You, your customers, your business partners
Today, we will talk about both components
Social Engineering
The art of manipulating people into performing actions or divulging confidential information
It is typically trickery or deception for the purpose of information gathering, fraud, or computer system access
Most Popular Type of Social Engineering
Pretexting: An individual lies to obtain privileged data. A pretext is a false motive.
Pretexting is a fancy term for impersonation
A big problem for computer Help Desks, in all organizations
Example:
Some steps the UW-Madison Help Desk takes to avoid pretexting
Identification Without Authentication
Rapidly establishing a trust relationship, then trying to exploit it
“I am Bucky Badger, therefore you should let me in to see Barry Alvarez”
Ask yourself: Could this person have a motivation to be less than truthful?
Ask for ID. Does it look legit?
Identification by Impression
Fake Badges
Uniforms
Logos
Confidence
Dress
Body Language
Tone of Voice
Knowledge of Specific Information
Examples from the audience!
What could be learned by a stranger, who observes your work environment?
Getting Access By Any Means
Steal
Read
Modify
Deploy
Manipulate you to:
Reveal Information
Perform Actions
How They Do It
User Interfaces
Phone
Email
Letters and Documents
Instant Messaging and Phone Texting
Media: CDs, USB drives, etc.
Let’s Think of an Electronic Pretexting Example
Dear Windows User,It has come to our attention that your Microsoft windows Installation records are out of date. Every Windows installation has to be tied to an email account for daily update.
This requires you to verify the Email Account. Failure to verify your records will result in account suspension. Click on the Verify button below and enter your login information on the following page to Confirm your records.
Thank you,
Microsoft Windows Team.
Phishing
• Deception, but not just in person
• Email
• Websites
• Facebook status updates
• Tweets
• Phishing, in the context of the scientific research working environment, is extremely dangerous
Phishing History
• Phreaking: 1970s term for manipulating the phone system to make calls for free
• Fishing: using bait to lure a target
• Phreaking + Fishing = Phishing
Phishing 1995
• Target: AOL users
• Account passwords = free online time
• Threat level: low
• Techniques: similar names, such as www.ao1.com for www.aol.com
Phishing 2001
• Target: eBay and major banks
• Credit card numbers and account numbers = money
• Threat level: medium
• Techniques: same as in 1995, plus keyloggers
Keyloggers
• Tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored
• Software or hardware based
Phishing 2007
• Targets: PayPal, banks, eBay
• Purpose: to steal bank accounts
• Threat level: high
• Techniques: browser vulnerabilities, link obfuscation
Don’t Touch That QR Code
• Scanning one is the same as clicking on an unknown link, except that you cannot read the URL before you scan it
• Looks fancy and official, but is easy to create
Phishing in 2013
• Trends for the coming year
• Identity Information
• Personal Harm
• Blackmail
Looking In the Mirror
• Which types of sensitive information do you have access to?
• What about others who share the computer network with you?
• Think about the implications of that data being stolen and exploited!
What Phishing Looks Like
• As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
• They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
Techniques For Phishing
• Employ visual elements from the target site
• DNS tricks:
  • www.ebay.com.kr
  • [email protected]
  • www.gooogle.com
• Unicode attacks
• JavaScript attacks
• Spoofed SSL lock and certificates
  • Phishers can acquire certificates for domains they own
  • Certificate authorities make mistakes
Social Engineering Techniques
Often employed in Phishing to lower your guard
1. Threats – Do this or else!
2. Authority – I have the authority to ask this
3. Promises – If you do this, you will get money
4. Praise – You deserve this
How to Know if You Are Being Socially Engineered
You know that what you are doing is wrong
The situation feels weird or unusual to you
You are in a situation in which you can’t contact a person of authority to make a decision
You are being rushed to do something
Lots of name dropping is going on
You feel like you might offend someone if you don’t follow through
Phishing Techniques
• Socially aware attacks
• Mine social relationships from public data
• Phishing email appears to arrive from someone known to the victim
• Use the spoofed identity of a trusted organization to gain trust
• Urge victims to update or validate their account
• Threaten to terminate the account if the victim does not reply
• Use a gift or bonus as bait
• Security promises
Let’s Talk About Facebook
• So important, it gets its own slide!
• Essentially unauthenticated – discussion
• Three friends and you’re out! – discussion
• Privacy settings mean nothing – discussion
• Treasure trove of identity information
• Games as information harvesters
Socially Aware
Context Aware
“Your bid on eBay has won!”
“The books on your Amazon wish list are on sale!”
Seems Suspicious
419 Nigerian Email Scam
Too Good to be True, Even When It Is Signed
Detecting Fraudulent Email
Information requested is inappropriate for the channel of communication:
"Verify your account." Nobody should ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail.
Urgency and potential penalty or loss are implied:
"If you don't respond within 48 hours, your account will be closed."
Detecting Fraudulent Email
"Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
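The three cues from these two slides (an inappropriate request for credentials, manufactured urgency, and a generic greeting) written as a small scoring function. This is an added example, not code from the talk. It runs over the "Dear Windows User" message from the Electronic Pretexting Example slide and over a constructed harmless message; the regular expressions and the harmless message are assumptions made for the demo, not a tested spam-filter rule set.

```python
"""Score an email body against the fraud cues from the slides.

Added example; the cue patterns are illustrative assumptions and
SAMPLE_LEGIT is a constructed message. SAMPLE_PHISH is the text shown on
the "Electronic Pretexting Example" slide, embedded so this runs offline.
"""
import re

# Each category lists patterns that indicate it; one hit is enough.
CUES = {
    "credential_request": [
        # "verify your account", "confirm your records", ...
        r"\b(verify|confirm|validate|update)\b.{0,40}\b(account|records|information)\b",
        # "enter your login information", "send your password", ...
        r"\b(enter|send|provide)\b.{0,30}\b(password|login|log-?in|social security)\b",
    ],
    "urgency_or_penalty": [
        r"\b(within|in)\s+\d+\s+(hours|days)\b",
        r"\b(suspend|suspension|closed|terminat\w*|deactivat\w*)\b",
        r"\bfailure to\b",
    ],
    "generic_greeting": [
        r"^\s*dear\s+(valued\s+)?(customer|user|member|client|account holder)\b",
        r"^\s*dear\s+\w+\s+user\b",
    ],
}


def fraud_cues(body):
    """Return the sorted list of cue categories present in the message body."""
    found = set()
    text = body.lower()
    for category, patterns in CUES.items():
        for pattern in patterns:
            if re.search(pattern, text, re.MULTILINE | re.DOTALL):
                found.add(category)
                break
    return sorted(found)


SAMPLE_PHISH = """Dear Windows User,
It has come to our attention that your Microsoft windows Installation records are out of date. Every Windows installation has to be tied to an email account for daily update.
This requires you to verify the Email Account. Failure to verify your records will result in account suspension. Click on the Verify button below and enter your login information on the following page to Confirm your records.
Thank you,
Microsoft Windows Team."""

# Constructed harmless message for comparison.
SAMPLE_LEGIT = """Hi Nick,
Attached are the slides from Tuesday. Let me know if the room booking works for you.
Thanks, Sarah"""

if __name__ == "__main__":
    for name, body in [("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)]:
        print(name, "->", fraud_cues(body) or ["no cues"])
```

A legitimate IT notice can also say "update your password within 7 days", so a hit on one category is a reason to pick up the phone, not a verdict; the slides' own advice applies: when in doubt, ask your Network Administrator.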
Detecting Fraudulent Email
"Click the link below to gain access to your account."
This is an example of URL masking (hiding the real web address behind the link text).
URL alteration:
www.micosoft.com
www.mircosoft.com
www.verify-microsoft.com
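The URL tricks from the Techniques For Phishing slide (brand as a subdomain like www.ebay.com.kr, the userinfo "@" trick, Unicode look-alike domains) and the URL masking and alteration on this slide (micosoft, mircosoft, verify-microsoft) checked by one function. This is an added example, not code from the talk. KNOWN_BRANDS and the sample links are constructed for the demo, and "last two labels" is a simplification that stands in for the Public Suffix List.

```python
"""Heuristic checks for phishing link tricks: brand in a foreign domain,
userinfo before '@', typo domains, Unicode look-alikes, and link text that
does not match the real target.

Added example. KNOWN_BRANDS and the sample links are constructed; using the
last two labels as the registrable domain is an assumption (real code would
consult the Public Suffix List).
"""
from urllib.parse import urlsplit

# Constructed for the demo: brand keyword -> the domain that brand really uses.
KNOWN_BRANDS = {
    "ebay": "ebay.com",
    "google": "google.com",
    "microsoft": "microsoft.com",
    "paypal": "paypal.com",
}


def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 between a label and a brand is a typo domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url):
    """Host part of a URL with scheme, userinfo and port stripped."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.netloc.rsplit("@", 1)[-1].split(":")[0].lower().rstrip(".")


def registrable_domain(host):
    """Last two labels (assumption: .com-style names, see module docstring)."""
    return ".".join(host.split(".")[-2:])


def analyze_link(display_text, href):
    """Return the phishing indicators found in one email link.

    display_text is what the reader sees; href is where the link really goes."""
    findings = []
    netloc = urlsplit(href if "://" in href else "http://" + href).netloc
    # 1. Userinfo trick: http://www.ebay.com@evil.example/ -- everything before
    #    the '@' is a user name; the real host is whatever follows it.
    if "@" in netloc:
        findings.append("userinfo '@' in URL; real host is " + netloc.rsplit("@", 1)[1])
    host = host_of(href)
    domain = registrable_domain(host)
    # 2. URL masking: the visible text names one site, the href another.
    if "." in display_text and " " not in display_text.strip():
        shown = registrable_domain(host_of(display_text.strip()))
        if shown != domain:
            findings.append("link text shows %s but href goes to %s" % (shown, host))
    # 3. Unicode look-alike (homograph) hosts become xn-- labels under IDNA.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host
    if ascii_host != host or any(l.startswith("xn--") for l in ascii_host.split(".")):
        findings.append("internationalized domain name %s (possible homograph)" % ascii_host)
    # 4. Brand name inside a host whose registrable domain is not the brand's
    #    (www.ebay.com.kr, verify-microsoft.com), or a label within two edits
    #    of a brand name (gooogle, micosoft, mircosoft).
    label = domain.split(".")[0]
    for brand, true_domain in KNOWN_BRANDS.items():
        if domain == true_domain:
            continue
        if brand in host:
            findings.append("brand '%s' in host but domain is %s" % (brand, domain))
        elif 0 < edit_distance(label, brand) <= 2:
            findings.append("label '%s' is within 2 edits of brand '%s'" % (label, brand))
    return findings


if __name__ == "__main__":
    # Constructed sample links: (visible text, real href)
    for text, href in [
        ("www.ebay.com", "http://www.ebay.com.kr/signin"),
        ("Click here", "http://www.ebay.com@evil.example/"),
        ("Click here", "http://www.gooogle.com/"),
        ("Click here", "www.mircosoft.com"),
        ("www.microsoft.com", "http://www.microsoft.com/"),
    ]:
        print(href, "->", analyze_link(text, href) or ["no indicators"])
```

The check on the visible text is the one that matters most for the slide's point: an email client shows the text, not the href, so the two have to be compared explicitly.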
How to Defend Against Phishing Attacks
• Never respond to an email asking for personal information
• Check that the site is secure (SSL lock), but remember that the lock only means the connection is encrypted; phishers can obtain certificates for domains they own, so the lock alone does not prove you are on the real site
• Look for misspellings or errors in grammar
• Never click on the link in the email. Enter the web address manually
• Keep your browser updated
• Keep antivirus definitions updated
• Use a firewall
• When in doubt, ask your Network Administrator for their opinion
A Note on Spear Phishing
• Designed especially for you
• Includes your name
• May reference an environment or issue you are aware of and familiar with
• Asks for special treatment, with justification for the request
Other Techniques
An ocean of Phishing techniques
• Clone Phishing – Discussion
• Whaling – Discussion
• Filter Evasion – Discussion
• Phone Phishing – Discussion
• Tabnabbing – Discussion
• Evil Twins – Discussion
Passwords
Your password is your electronic key to valuable resources, treat it like your house key!
Sharing – Discussion
Theft – Discussion
Password Rotation – Discussion
Creating a Strong Password
The following two rules are the bare minimum you should follow when creating a password.
Rule 1 – Password Length: Use passwords that are at least 8 characters long. The more characters, the better: the time an attacker needs to crack the password grows with its length. 10 characters or longer is better.
Rule 2 – Password Complexity: Your password should contain at least one character from each of the following four classes:
Creating a Strong Password
1. Lower case letters
2. Upper case letters
3. Numbers
4. Special characters
Use the “8 4 Rule”:
8 = 8 characters minimum length
4 = 1 lower case + 1 upper case + 1 number + 1 special character
Do not use a password strength checking website! Any ideas why this is a bad idea?
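The “8 4 Rule” checked locally, as an added example (not code from the talk). Pasting a real password into a strength-checking website hands it to whoever runs the site, which is the reason behind the warning above; a check that runs on your own machine does not have that problem. The script also computes the brute-force keyspace implied by a password's length and character classes, which is why the slide says longer is better. The character classes follow Python's string module and the sample passwords are constructed.

```python
"""Local check of the "8 4 Rule" plus a brute-force keyspace comparison.

Added example. Character classes are taken from Python's string module
(32 punctuation characters count as "special"); sample passwords below are
constructed and are NOT recommendations.
"""
import math
import string

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def check_8_4(password):
    """Return the list of rule violations; an empty list means the password passes.

    8 = at least 8 characters; 4 = at least one character from each of the
    four classes (lower, upper, digit, special)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append("no %s character" % name)
    return problems


def keyspace_bits(password):
    """log2 of the brute-force keyspace implied by the password's length and
    the character classes it actually uses: an attacker who knows the
    alphabet must try alphabet_size ** length combinations."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    # Constructed samples: one that satisfies 8-4, one that fails it but has
    # the larger keyspace because it is much longer. Both are in every
    # cracking wordlist; the keyspace figure assumes random choice.
    for pw in ["P@ssw0rd", "longpassphraseislong", "Ab1!"]:
        print("%-22s 8-4 violations: %-45s keyspace: %5.1f bits"
              % (pw, check_8_4(pw) or "none", keyspace_bits(pw)))
```

Keyspace is an upper bound that assumes the password was chosen at random; "P@ssw0rd" passes the 8-4 rule and still falls to a dictionary attack in seconds, so the rule is a floor, not a guarantee.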
Adware, Malware, Spyware
Adware – unwanted ad software which is noticed
Malware – unwanted software which is noticed and potentially causes harm
Spyware – unwanted software which goes unnoticed and harvests your personal information
Use endpoint protection!
CIO.WISC.EDU/SECURITY
Adware, Malware, Spyware
How these get on your computer:
Email
Web pages
Downloaded software
CD, USB flash drive
Sometimes, out of the box
Trojan Malware
Baiting
Hey, look! A free USB drive!
I wonder what is on this confidential CD which I found in the bathroom?
These are vectors for malware! They play on your curiosity or your desire to get something for nothing.
Don’t be a piggy!
Social Engineering Methods
Using the Out of Office responder in a responsible manner
Synthetic Identity Theft
A variation of identity theft which has recently become more common is synthetic identity theft, in which identities are completely or partially fabricated. The most common technique involves combining a real Social Security number with a name and birthdate other than the ones associated with that number.
How Does IdentityTheft Happen
Let’s talk through the attached paper handout, entitled:
“Techniques for obtaining and exploiting personal information for identity theft”
Look through the list and think to yourself “Could this apply to me?” If so, think about taking steps to avoid it
Tips To Avoid Identity Theft
1. Only Make Purchases On Trusted Sites
2. Order Your Credit Report
3. Know How To Spot Phishing
4. Secure Your Network
5. Can the Spam
6. Don't Store Sensitive Information On Non-Secure Web Sites
7. Set Banking Alerts
8. Don't Reuse Passwords
9. Use Optional Security Questions
10. Don't Put Private Information On Public Computers
If Your Identity Is Stolen (WORK)
1. Contact your supervisor immediately
2. Report the incident to the Office of Campus Information Security (OCIS): http://www.cio.wisc.edu/security-report.aspx
3. Contact the DoIT Help Desk
4. Contact UW Police, depending on the nature of the incident. Consider your personal safety! “Better safe than sorry”
Physical Security
• The UW is a fairly open and shared physical environment
• Seeing strangers is normal; we won’t know if they are here as friend or foe
• Lock your office
• Lock your desk
• Lock your computer
• Criminals are opportunistic
• Lock up even if you are just gone for a moment
• Report suspicious activity to your administration and UW Police
• If you have an IT related concern, contact the Office of Campus Information Security
Forget About Being Polite
Don’t hold the security door for anyone and beware of tailgaters
Be truthful, explain why….People will understand
Sharing Information With The Public
• The University of Wisconsin is an open environment
• However, on occasion, this open nature can be exploited by people with nefarious intent
• Don’t volunteer sensitive information
• Only disclose what is necessary
• Follow records retention policies
• When in doubt, ask for proof; honest people will understand, dishonest people will become frustrated
Publishing of Information
Consider carefully before publishing and disseminating information, such as phone directories and business cards
Sadly, obituaries are a great place to learn the answer to the most annoying password recovery question: “What is your mother’s maiden name?”
We Have So Much More To Talk About
• Security Awareness matters not just to you, but to the University of Wisconsin as a whole
• Security Awareness is an important facet of everyone’s work
• My actions impact you
• Your actions impact me
• Security Awareness is an ever changing and evolving area, which requires constant attention
• DoIT is here as a resource for you
• Let us know how we can help
• Let me know if I can help
• Don’t be afraid to ask questions
• Better safe than sorry
A Picture Is Worth 1000 Words
Questions and Discussion
Nicholas Davis
[email protected]
608-262-3837
facebook.com/nicholas.a.davis