
IT Security in a Scientific Research Environment


Page 1: IT Security in a Scientific Research Environment

Free Powerpoint TemplatesPage 1


Computer Security Awareness, Social Engineering and Physical Security in a Scientific Research Environment

Nicholas Davis, MBA, CISA, CISSP

DoIT Security, Nov 20, 2012

Page 2: IT Security in a Scientific Research Environment


Introduction

• Background
• Thank you for the invitation
• Today’s Topic: Security Awareness, Computer Security, Physical Security
• Importance to scientific research field
• Identification vs. Authentication
• Social Engineering
• Pretexting
• Phishing
• QR Code Danger
• Social Networks
• Passwords
• Malware
• Baiting
• Identity Theft: How, Avoiding, Responding
• Physical Security
• Sharing of information with the public

Page 3: IT Security in a Scientific Research Environment


Technology Is Not The Answer

Strong computer security has two components:

The Technology: passwords, encryption, endpoint protection such as anti-virus.

The People: You, your customers, your business partners

Today, we will talk about both components

Page 4: IT Security in a Scientific Research Environment


Social Engineering

The art of manipulating people into performing actions or divulging confidential information

It is typically trickery or deception for the purpose of information gathering, fraud, or computer system access

Page 5: IT Security in a Scientific Research Environment


Most Popular Type of Social Engineering

Pretexting: An individual lies to obtain privileged data. A pretext is a false motive.

Pretexting is a fancy term for impersonation

A big problem for computer Help Desks, in all organizations

Example:

Some steps the UW-Madison Help Desk takes to avoid pretexting

Page 6: IT Security in a Scientific Research Environment


Identification Without Authentication

Rapidly establishing a trust relationship, then trying to exploit it

“I am Bucky Badger, therefore you should let me in to see Barry Alvarez”

Ask yourself: Could this person have a motivation to be less than truthful?

Ask for ID. Does it look legit?

Page 7: IT Security in a Scientific Research Environment


Identification by Impression

• Fake Badges
• Uniforms
• Logos
• Confidence
• Dress
• Body Language
• Tone of Voice
• Knowledge of Specific Information
• Examples from the audience!

What could be learned by a stranger, who observes your work environment?

Page 8: IT Security in a Scientific Research Environment


Getting Access By Any Means

• Steal
• Read
• Modify
• Deploy

Manipulate you to:
• Reveal Information
• Perform Actions

Page 9: IT Security in a Scientific Research Environment


How They Do It

• User Interfaces
• Phone
• Email
• Letters and Documents
• Instant Messaging and Phone Texting
• Media, CDs, USB drives, etc.

Page 10: IT Security in a Scientific Research Environment


Let’s Think of an Electronic Pretexting Example

Dear Windows User,

It has come to our attention that your Microsoft windows Installation records are out of date. Every Windows installation has to be tied to an email account for daily update.

This requires you to verify the Email Account. Failure to verify your records will result in account suspension. Click on the Verify button below and enter your login information on the following page to Confirm your records.

Thank you,

Microsoft Windows Team.

Page 11: IT Security in a Scientific Research Environment


Phishing

• Deception, but not just in person

• Email
• Websites
• Facebook status updates
• Tweets
• Phishing, in the context of the scientific research working environment, is extremely dangerous

Page 12: IT Security in a Scientific Research Environment


Phishing History

• Phreaking: a term for making free phone calls, back in the 1970s

• Fishing is the use of bait to lure a target

• Phreaking + Fishing = Phishing

Page 13: IT Security in a Scientific Research Environment


Phishing 1995

• Target: AOL users
• Account passwords = free online time
• Threat level: low
• Techniques: Similar names, such as www.ao1.com for www.aol.com

Page 14: IT Security in a Scientific Research Environment


Phishing 2001

• Target: eBay and major banks
• Credit card numbers and account numbers = money
• Threat level: medium
• Techniques: Same as in 1995, as well as keyloggers

Page 15: IT Security in a Scientific Research Environment


Keyloggers

• Tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored

• Software or hardware based

Page 16: IT Security in a Scientific Research Environment


Phishing 2007

• Targets: PayPal, banks, eBay
• Purpose: to steal bank accounts
• Threat level: high
• Techniques: browser vulnerabilities, link obfuscation

Page 17: IT Security in a Scientific Research Environment


Don’t Touch That QR Code

• Just as bad as clicking on an unknown link

• Looks fancy and official, but is easy to create

Page 18: IT Security in a Scientific Research Environment


Phishing in 2013

• Trends for the coming year

• Identity Information
• Personal Harm
• Blackmail

Page 19: IT Security in a Scientific Research Environment


Looking In the Mirror

• Which types of sensitive information do you have access to?

• What about others who share the computer network with you?

• Think about the implications of that data being stolen and exploited!

Page 20: IT Security in a Scientific Research Environment


What Phishing Looks Like

• As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.

• They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.

Page 21: IT Security in a Scientific Research Environment


Techniques For Phishing

• Employ visual elements from target site
• DNS tricks:
  • www.ebay.com.kr
  • [email protected]
  • www.gooogle.com
• Unicode attacks
• JavaScript attacks
• Spoofed SSL lock certificates
• Phishers can acquire certificates for domains they own
• Certificate authorities make mistakes

Page 22: IT Security in a Scientific Research Environment


Social Engineering Techniques

Often employed in phishing to lower your guard:

1. Threats – Do this or else!
2. Authority – I have the authority to ask this
3. Promises – If you do this, you will get money
4. Praise – You deserve this

Page 23: IT Security in a Scientific Research Environment


How to Know if You Are Being Socially Engineered

You know that what you are doing is wrong

The situation feels weird or unusual to you

You are in a situation in which you can’t contact a person of authority, to make a decision

You are being rushed to do something

Lots of name dropping is going on

You feel like you might offend someone if you don’t follow through

Page 24: IT Security in a Scientific Research Environment


Phishing Techniques

• Socially aware attacks
• Mine social relationships from public data
• Phishing email appears to arrive from someone known to the victim
• Use spoofed identity of trusted organization to gain trust
• Urge victims to update or validate their account
• Threaten to terminate the account if the victim does not reply
• Use a gift or bonus as bait
• Security promises

Page 25: IT Security in a Scientific Research Environment


Let’s Talk About Facebook

• So important, it gets its own slide!
• Essentially unauthenticated – discussion
• Three friends and you’re out! – discussion
• Privacy settings mean nothing – discussion
• Treasure trove of identity information
• Games as information harvesters

Page 26: IT Security in a Scientific Research Environment


Socially Aware

Page 27: IT Security in a Scientific Research Environment


Context Aware

“Your bid on eBay has won!”

“The books on your Amazon wish list are on sale!”

Page 28: IT Security in a Scientific Research Environment


Seems Suspicious

Page 29: IT Security in a Scientific Research Environment


419 Nigerian Email Scam

Page 30: IT Security in a Scientific Research Environment


Too Good to be True, Even When It Is Signed

Page 31: IT Security in a Scientific Research Environment


Detecting Fraudulent Email

Information requested is inappropriate for the channel of communication:

"Verify your account." Nobody should ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail.

Urgency and potential penalty or loss are implied:

"If you don't respond within 48 hours, your account will be closed."

Page 32: IT Security in a Scientific Research Environment


Detecting Fraudulent Email

"Dear Valued Customer."

Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
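The warning signs on these two slides (information that does not belong in e-mail, urgency with a threatened penalty, a generic greeting) can be turned into a simple screening rule. The following is an added example written for this page, not code from the talk: it runs a handful of regular-expression indicators over an e-mail body and reports which ones fire. The sample phishing text is the slide 10 "Dear Windows User" message from this deck; the benign message and the two-indicator alerting threshold are constructed assumptions for the example.

```python
"""Added example: heuristic screening of an e-mail body for the warning signs
listed on the 'Detecting Fraudulent Email' slides. Not part of the talk."""
from __future__ import annotations
import re

# Each indicator is (name, compiled pattern). The patterns are assumptions chosen
# for this example; they are not an official or exhaustive list.
INDICATORS = [
    ("generic greeting",
     re.compile(r"^\s*dear\s+(valued\s+customer|customer|user|member|windows\s+user)\b",
                re.IGNORECASE | re.MULTILINE)),
    ("asks for credentials or personal data",
     re.compile(r"\b(password|login\s+information|social\s+security|ssn|account\s+number)\b",
                re.IGNORECASE)),
    ("asks you to verify/validate an account",
     re.compile(r"\b(verify|validate|confirm)\s+(your\s+|the\s+)?(account|records|email)\b",
                re.IGNORECASE)),
    ("urgency or threatened penalty",
     re.compile(r"\b(within\s+\d+\s+hours|suspen(?:d|ded|sion)|will\s+be\s+closed|immediately)\b",
                re.IGNORECASE)),
]


def phishing_indicators(message: str) -> list[str]:
    """Return the names of the indicators that fire on the message text, in order."""
    return [name for name, pattern in INDICATORS if pattern.search(message)]


def looks_like_phishing(message: str, threshold: int = 2) -> bool:
    """Two or more independent indicators is the (assumed) alerting threshold."""
    return len(phishing_indicators(message)) >= threshold


# Sample text taken from slide 10 of this deck (the electronic pretexting example).
SLIDE_10_SAMPLE = """Dear Windows User,
It has come to our attention that your Microsoft windows Installation records are out of date. Every Windows installation has to be tied to an email account for daily update.
This requires you to verify the Email Account. Failure to verify your records will result in account suspension. Click on the Verify button below and enter your login information on the following page to Confirm your records.
Thank you,
Microsoft Windows Team."""

# Constructed benign message for comparison; not a real e-mail.
BENIGN_SAMPLE = """Hi Nicholas,
The slides from the Nov 20 talk are attached. See you at the lab meeting on Tuesday.
Thanks"""

if __name__ == "__main__":
    for label, text in (("slide 10 sample", SLIDE_10_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{label}: {phishing_indicators(text)} -> phishing? {looks_like_phishing(text)}")
```

The slide 10 message trips all four indicators (generic greeting, a request for login information, "verify your records", and the suspension threat), while the benign note trips none. A real mail filter would combine such text heuristics with sender and link analysis; the point here is that each slide's warning sign maps to one concrete, testable rule.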

Page 33: IT Security in a Scientific Research Environment


Detecting Fraudulent Email

"Click the link below to gain access to your account."

This is an example of URL masking (hiding the real web address).

URL alteration:

• www.micosoft.com
• www.mircosoft.com
• www.verify-microsoft.com
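The URL tricks on the "Techniques For Phishing" slide (a brand name buried in a foreign domain such as www.ebay.com.kr, text before an "@" that is not the host, misspellings like www.gooogle.com, Unicode look-alike names) and the URL alteration examples on this slide can all be caught mechanically. The following is an added example written for this page, not code from the talk: it parses a URL, checks the host against a small allowlist of legitimate domains, and flags brand names in the wrong place, near-misspellings, user-info and bare-IP hosts, and internationalized names; a second function implements the URL masking check by comparing the address shown in a link's text with where the link really goes. The allowlist, the 198.51.100.7 documentation address and the Cyrillic look-alike are constructed for the example.

```python
"""Added example: spotting the URL tricks from the 'Techniques For Phishing'
and 'URL alteration' slides. Constructed for this page; not the deck's code."""
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed allowlist for the example: brand label -> legitimate registrable domain.
LEGIT_DOMAINS = {
    "ebay": "ebay.com",
    "google": "google.com",
    "microsoft": "microsoft.com",
    "paypal": "paypal.com",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one dropped letter (micosoft) or a swap (mircosoft)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_is_legit(host: str) -> bool:
    """True only if the host is, or is a subdomain of, an allowlisted domain."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS.values())


def analyze_url(url: str) -> list[str]:
    """Return warnings for a URL; an empty list means no trick was spotted."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    warnings: list[str] = []
    if parts.username is not None:
        # Everything before '@' is user info; the browser actually connects to `host`.
        warnings.append(f"text before '@' is not the host; you would really connect to {host!r}")
    if host.replace(".", "").isdigit():
        warnings.append("bare IP address instead of a domain name")
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in labels):
        warnings.append("internationalized hostname: may be a look-alike of a Latin-script name")
    if not host_is_legit(host):
        for label in labels:
            for brand, domain in LEGIT_DOMAINS.items():
                if brand in label:
                    # e.g. www.ebay.com.kr or www.verify-microsoft.com
                    warnings.append(f"{brand!r} appears in {host!r}, which is not under {domain}")
                elif len(label) >= 4 and levenshtein(label, brand) <= 2:
                    warnings.append(f"{label!r} looks like a misspelling of {brand!r}")
    return warnings


def link_is_masked(visible_text: str, href: str) -> bool:
    """URL masking: the link text shows one address but the link goes elsewhere."""
    shown = visible_text.strip()
    if "://" not in shown:
        shown = "http://" + shown
    shown_host = (urlsplit(shown).hostname or "").lower()
    real_host = (urlsplit(href).hostname or "").lower()
    if not shown_host or "." not in shown_host:
        return False  # plain words such as "Verify" are not a masked address
    return shown_host != real_host


if __name__ == "__main__":
    for url in ("https://www.ebay.com/itm/123", "http://www.ebay.com.kr/",
                "http://www.ebay.com@198.51.100.7/login", "http://www.gooogle.com/",
                "http://www.micosoft.com/", "http://www.mircosoft.com/",
                "http://www.verify-microsoft.com/", "http://www.p\u0430ypal.com/"):
        print(url, "->", analyze_url(url) or "no warnings")
    print(link_is_masked("www.microsoft.com/account", "http://198.51.100.7/login"))
```

Only the genuine ebay.com URL comes back clean; every trick from the two slides produces at least one warning. Suffix matching against a known-good list is what matters: a host that merely contains "ebay" or "microsoft" is flagged rather than trusted. A production check would use the public suffix list instead of plain suffix matching, but the logic is the same.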

Page 34: IT Security in a Scientific Research Environment


How to Defend Against Phishing Attacks

• Never respond to an email asking for personal information
• Always check the site to see if it is secure (SSL lock)
• Look for misspellings or errors in grammar
• Never click on a link in the email. Enter the web address manually
• Keep your browser updated
• Keep antivirus definitions updated
• Use a firewall
• When in doubt, ask your Network Administrator for their opinion

Page 35: IT Security in a Scientific Research Environment


A Note on Spear Phishing

• Designed especially for you
• Includes your name
• May reference an environment or issue you are aware of and familiar with

• Asks for special treatment, with justification for the request

Page 36: IT Security in a Scientific Research Environment


Other Techniques

An ocean of phishing techniques:

• Clone Phishing – Discussion
• Whaling – Discussion
• Filter Evasion – Discussion
• Phone Phishing – Discussion
• Tabnabbing – Discussion
• Evil Twins – Discussion

Page 37: IT Security in a Scientific Research Environment


Passwords

Your password is your electronic key to valuable resources, treat it like your house key!

• Sharing – Discussion
• Theft – Discussion
• Password Rotation – Discussion

Page 38: IT Security in a Scientific Research Environment


Creating a Strong Password

The following two rules are the bare minimum you should follow when creating a password.

Rule 1 – Password Length: Stick with passwords that are at least 8 characters in length. The more characters, the better, since the time an attacker needs to crack the password grows with its length. 10 characters or longer is better.

Rule 2 – Password Complexity: Your password should contain at least one character from each of the following four classes:

Page 39: IT Security in a Scientific Research Environment


Creating a Strong Password

1. Lower case letters
2. Upper case letters
3. Numbers
4. Special characters

Use the “8 4 Rule”:

8 = 8 characters minimum length
4 = 1 lower case + 1 upper case + 1 number + 1 special character

Do not use a password strength checking website! Any ideas why this is a bad idea?
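A strength checker that runs locally, so the password never leaves your own machine, answers the objection to strength-checking websites. The following is an added example written for this page, not code from the talk: it applies the deck's 8 4 Rule (8 characters minimum, at least one character from each of the four classes) and estimates the naive search space in bits to show why Rule 1 says longer is better. The class sizes (26/26/10/32, a US keyboard) and the sample passwords are constructed assumptions, not real credentials.

```python
"""Added example: an offline checker for the deck's '8 4 Rule'. Runs locally so
the password never leaves the machine. Constructed for this page; not the deck's code."""
from __future__ import annotations
import math
import string

# The four classes of the 8-4 rule and the size of each class. The sizes assume a
# US keyboard (32 printable ASCII specials is the usual figure); they are an assumption.
CLASSES = {
    "lower case letter": (set(string.ascii_lowercase), 26),
    "upper case letter": (set(string.ascii_uppercase), 26),
    "number": (set(string.digits), 10),
    "special character": (set(string.punctuation), 32),
}
MIN_LENGTH = 8          # the "8" of the 8-4 rule
RECOMMENDED_LENGTH = 10  # "10 characters or longer is better" (Rule 1)


def missing_requirements(password: str) -> list[str]:
    """Return the 8-4 rule requirements the password fails; [] means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"at least {MIN_LENGTH} characters (has {len(password)})")
    chars = set(password)
    for name, (members, _) in CLASSES.items():
        if not chars & members:
            failures.append(f"at least one {name}")
    return failures


def keyspace_bits(password: str) -> float:
    """Naive search-space size in bits, log2(alphabet ** length), where the alphabet
    is the union of the classes actually used. Shows Rule 1: each extra character
    multiplies the attacker's work, which is why length matters more than symbols."""
    chars = set(password)
    alphabet = sum(size for members, size in CLASSES.values() if chars & members)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def report(password: str) -> str:
    """Human-readable verdict, including the 'longer is better' advice from Rule 1."""
    failures = missing_requirements(password)
    if failures:
        return "FAIL: needs " + "; ".join(failures)
    verdict = f"PASS ({keyspace_bits(password):.0f} bits of naive keyspace)"
    if len(password) < RECOMMENDED_LENGTH:
        verdict += f"; {RECOMMENDED_LENGTH}+ characters would be better"
    return verdict


if __name__ == "__main__":
    # Constructed sample passwords for illustration only.
    for pw in ("password", "Badger12", "Badg#1Ab", "Badger#2012x", "onwisconsinbuckybadger"):
        print(f"{pw!r:26} {report(pw)}")
```

Note what the keyspace figure shows: a 22-letter all-lowercase phrase has a larger naive search space than a 12-character password that satisfies all four classes, even though it fails the 8-4 rule. The rule is a floor, not a ceiling; length is the cheapest way to raise the attacker's cost.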

Page 40: IT Security in a Scientific Research Environment


Adware, Malware, Spyware

Adware – unwanted ad software which is noticed
Malware – unwanted software which is noticed and potentially causes harm
Spyware – unwanted software which goes un-noticed and harvests your personal information

Use endpoint protection!

Page 41: IT Security in a Scientific Research Environment


CIO.WISC.EDU/SECURITY

Page 42: IT Security in a Scientific Research Environment


Adware, Malware, Spyware

How these get on your computer:
• Email
• Web pages
• Downloaded software
• CD, USB flash drive
• Sometimes, out of the box

Page 43: IT Security in a Scientific Research Environment


Trojan Malware

Page 44: IT Security in a Scientific Research Environment


Baiting

Hey, look! A free USB drive!

I wonder what is on this confidential CD which I found in the bathroom?

These are vectors for malware! They play on your curiosity or desire to get something for nothing.

Don’t be a piggy!

Page 45: IT Security in a Scientific Research Environment


Social Engineering Methods

Using the Out of Office responder in a responsible manner

Page 46: IT Security in a Scientific Research Environment


Synthetic Identity Theft

A variation of identity theft which has recently become more common is synthetic identity theft, in which identities are completely or partially fabricated. The most common technique involves combining a real social security number with a name and birthdate other than the ones associated with the number.

Page 47: IT Security in a Scientific Research Environment


How Does Identity Theft Happen

Let’s talk through the attached paper handout, entitled:

“Techniques for obtaining and exploiting personal information for identity theft”

Look through the list and think to yourself “Could this apply to me?” If so, think about taking steps to avoid it

Page 48: IT Security in a Scientific Research Environment


Tips To Avoid Identity Theft

1. Only Make Purchases On Trusted Sites
2. Order Your Credit Report
3. Know How To Spot Phishing
4. Secure Your Network
5. Can the Spam
6. Don't Store Sensitive Information On Non-Secure Web Sites
7. Set Banking Alerts
8. Don't Reuse Passwords
9. Use Optional Security Questions
10. Don't Put Private Information On Public Computers

Page 49: IT Security in a Scientific Research Environment


If Your Identity Is Stolen (Work)

1. Contact your supervisor immediately
2. Report the incident to the Office of Campus Information Security (OCIS): http://www.cio.wisc.edu/security-report.aspx
3. Contact the DoIT Help Desk
4. Contact UW Police, depending on the nature of the incident. Consider your personal safety! “Better safe, than sorry”

Page 50: IT Security in a Scientific Research Environment


Physical Security

• The UW is a fairly open and shared physical environment

• Seeing strangers is normal, we won’t know if they are here as friend or foe

• Lock your office
• Lock your desk
• Lock your computer
• Criminals are opportunistic
• Even if you are just gone for a moment
• Report suspicious activity to your administration and UW Police
• If you have an IT related concern, contact the Office of Campus Information Security

Page 51: IT Security in a Scientific Research Environment


Forget About Being Polite

Don’t hold the security door for anyone and beware of tailgaters

Be truthful and explain why. People will understand.

Page 52: IT Security in a Scientific Research Environment


Sharing Information With The Public

• The University of Wisconsin is an open environment

• However, on occasion, this open nature can be exploited by people with nefarious intent

• Don’t volunteer sensitive information
• Only disclose what is necessary
• Follow records retention policies
• When in doubt, ask for proof: honest people will understand, dishonest people will become frustrated

Page 53: IT Security in a Scientific Research Environment


Publishing of Information

Consider carefully before publishing and disseminating information, such as phone directories and business cards

Sadly, obituaries are a great place to learn the answer to the most annoying password recovery question: “What is your mother’s maiden name?”

Page 54: IT Security in a Scientific Research Environment


We Have So Much More To Talk About

• Security Awareness matters not just to you, but to the University of Wisconsin as a whole

• Security Awareness is an important facet of everyone’s work

• My actions impact you
• Your actions impact me
• Security Awareness is an ever changing and evolving area, which requires constant attention
• DoIT is here as a resource for you
• Let us know how we can help
• Let me know if I can help
• Don’t be afraid to ask questions
• Better safe than sorry

Page 55: IT Security in a Scientific Research Environment


A Picture Is Worth 1000 Words

Page 56: IT Security in a Scientific Research Environment


Questions and Discussion

Nicholas Davis
[email protected]
608-262-3837
facebook.com/nicholas.a.davis