Security 101 Today’s must have Pedro Serrano Summer 2015

Security - 101 - ISSA


Page 1

Security 101
Today's must have

Pedro Serrano
Summer 2015

Page 2

Agenda
• Home PC Essentials
• Home Wi-Fi Security
• Facebook Settings
• LinkedIn Settings
• Laptop Encryption
• Phone, tablet and laptop security
• Social Engineering at its best
• Passwords that you will never forget
• Why so many phishing emails
• Free Credit Report
• Phishing website test (I dare you)

Page 3

Home PC Essentials
• Get a wireless router (Cisco, Netgear, D-Link)
  – Look for 802.11n or 802.11ac (the newer, faster standards)
    • Why? They are dual band (2.4 GHz and 5 GHz), so they can accommodate both new and old equipment.
    • Expect to pay $75 to $150
  – They provide the first line of defense into your home network
    • NAT (Network Address Translation)
    • Creates an internal network, separate from the provider's.

Page 4

Home Wi-Fi Security
• Change the default SSID (Linksys, netgear, d-link)
  – Do not use your name (you could use ":(!@#$%)", "error, unable to connect", "~virus~" or "Hidden Network", or disable SSID broadcast)
• Change the default password (admin/admin)
• Set up WPA2 security (this is a must have)
• Disable administration from the wireless network; allow it only over a wired connection (Google is your friend)
• Position the wireless router in a central location
• Going on vacation? Turn it off!

Page 5

Home PC Essentials
• Install and maintain an antivirus
  – The concern is not so much which one (brand), but that you have one and that it keeps its database updated.
  – Consumer Reports Magazine: comparison of free antivirus vs. security suites.
    • Free offers good basic protection but lacks features
    • (Avira, AVG, Avast, Microsoft Security Essentials)
  – Install CCleaner, Malwarebytes and Adblock Plus on every PC in your house (configure them, in options, to run at startup!)

Page 6

Home PC Essentials
• Keep the PC operating system (OS) updated
  – 91% of all OSs are Microsoft Windows
  – 7% of all OSs are Mac
  – 2% of all OSs are UNIX based
• Every Tuesday there is a Microsoft update
• Do you have automatic updates enabled?
  – Is it set up for 3:00 am?
  – Is your computer turned on at 3:00 am?
  – Auto update for 3rd party apps (office suite)?

Wikipedia: https://en.wikipedia.org/wiki/Usage_share_of_operating_systems

Page 7

Home PC Essentials
• Windows Firewall: verify that it is enabled
  – Start > Control Panel > Windows Firewall > Turn on (you want green, not red)
• Biggest question: what would you lose if you lost your PC tomorrow?
  – Pictures, financial statements, school work, work history, emails.
  – Buy an external hard drive and make a backup (cheap insurance): 1 TB (< $100)

Page 8

Facebook Settings (Social Network)
1. Log in to your Facebook account, and never check the box to "keep me logged in"
2. Never share your password (simple, right?)
3. Never log in from a PC in a public place
4. Change your password! (make this one hard)
5. Never allow 3rd party apps to access it
  – Meaning: LinkedIn signing in using your FB account, or Chase bank using your FB account credentials (cross-app login)

Your WORK password should NEVER be used for anything else but work (BOTTOM LINE ... it protects you and them!)

Page 9

Facebook Settings
6. Personalize your privacy
  – Go to Settings > Security, option for secure browsing (make it HTTPS)
  – Go to Settings > Security, login approvals: check the box requiring a code to access from an unknown browser.
  – Go to Settings > Security, code generator: enabled
  – Go to Settings > Security, trusted contacts: add your family or a trusted person
  – Go to Settings > Security, look for old dates and delete them

You can also use private shortcuts, a new way to secure your Facebook

Page 10

Facebook Settings
• Go to Settings > Privacy
  – Who can see your future posts = Friends
  – Review all your posts = use Activity Log
  – Limit the audience for posts = Limit Past Posts
  – Who can send you friend requests = Everyone
  – Who can look you up using email = Friends
  – Who can look you up using phone = Friends of Friends
  – Do you want search engines to link = (unchecked)

Most important setting: Do you really know all your "friends"? Please delete them if you don't.

Page 11

LinkedIn Settings (Working Network)
1. Update your privacy settings
  – Turn off your activity broadcasts (unless you are job searching)
  – Select what others see when you view their profile
  – Select who can see your connections
  – Change who can see your profile photo (yes, have a photo)
2. Must enable two-step verification
  – It will send you a code via text message
3. Turn on secure connection for all pages (HTTPS)

Page 12

LinkedIn Settings
4. Passwords (change every year)
5. Beware of phishing attempts
  – LinkedIn will NEVER ask you for sensitive or financial information via email.
  – Look out for bad grammar or spelling errors
  – They will never send you an email telling you that you need to install a software update (they are a web application)

Page 13

LinkedIn Settings
6. Sign out of your account after you use a shared computer.
7. Manage your account information and privacy settings from the Profile and Account sections of your Privacy & Settings page.
8. Keep your antivirus software up to date.
9. Don't put your email address, home address or phone number in your profile's Summary*.
10. Only connect to people you know and trust, or those you have trustworthy common connections with.
11. Be informed about reporting inappropriate content or safety concerns.

Page 14

Laptop Encryption (Why?)
• Your laptop contains Personally Identifiable Information (PII)
  – What is PII?
  – It includes SSN, passport numbers, financial records, credit card numbers, address, telephone numbers, bank statements, your last purchase on Amazon, eBay or Expedia
• Your laptop contains confidential business information / intellectual property
  – Business secrets, confidential emails

Bottom line: If the data on your laptop was published on the front page of the local newspaper, would it cause damage or embarrassment to you / your company?

Page 15

4 digit PIN for cell phones (minimum)
• 1st line of protection
  – Anyone can just take your phone and make a fool of you (you have all your contacts' access information)
• New "smart" phones are PCs that make calls
  – Your email actually gets delivered to your phone before it goes to your computer.
  – Most of us have our personal contacts loaded
• If you lose it, sometimes you can wipe the data
• iOS 9 will have a 6 digit option

Bottom line: If the data on your phone was published on the front page of the local newspaper, would it cause damage or embarrassment to you / your company?

Page 16

Social Engineering
• Real calls received asking for information:
  – A foreign man asking questions about our ERP (Enterprise Resource Planning) system and my involvement...
  – Someone called pretending to be from Microsoft, wanting me to share my screen because something was wrong.
  – Someone pretending to be from the IT Help Desk because my PC's USB was not working correctly
• Shadow IT is alive and a great way to get information

Microsoft or Apple will never call you about your PC not working correctly!

Page 17

Passwords that you will never forget
• Use a password manager
  – KeePass or MiniKeePass works for iPhone and Android
    • Encrypts the complete database using AES or Twofish
  – Use a USB-loaded password manager
• Why a password manager?
  – We must remember on average 10 different passwords (Work, Bank, Email, Twitter, Facebook, Shopping, Airlines, LinkedIn, Google, Amazon, Netflix), and their passwords are all different, right?
  – Using a password manager you can add notes to your passwords (like the last time changed)

Page 18

Passwords that you will never forget
• Break the password into three parts (Prefix, Base, Suffix)
  – Prefix (month, date, account info)
  – Base (nickname with upper and lower case)
  – Suffix (wild character)
  – Ex. AN0rN0wN0rfm+, B0k8675309!, Issa@V0t3forP3dr0

Prefix
  1012: the year and month of my granddaughter's birthday
  "Goo" for a Google account, or "Gma" for a Gmail account
  B0k for my bank account (that's cap B, the number 0, and k)

Base
  918-555-8243: Mom's original phone number, because she made me memorize it as a child
  2BorNot2B: Shakespeare's "To be or not to be."
  N0rN0wN0rfme: No right, No wrong, No rules for me (Frozen)

Suffix
  I like to use wild characters here (easier to remember)
  Use symbols that remind you of something, like a pointer: "-->"

Page 19

Passwords that you will never forget
• Is a longer password better?
  – If so, then how long is "more better"?
  – http://calc.opensecurityresearch.com
• Kevin Fogarty, IT World article

Letters, numbers, no upper case, no symbols
Characters | Combinations     | 1000/sec  | 100 Billion/sec | 100 Trillion/sec
6          | 2.25 Billion     | 3.7 weeks | 0.0224 sec      | 0.0000224 sec
10         | 3.76 Quadrillion | 3.7 weeks | 10.45 hrs.      | 37.61 sec

Letters, numbers, no upper case, one symbol
Characters | Combinations                              | 1000/sec      | 100 Billion/sec | 100 Trillion/sec
6          | 7.6 Trillion                              | 2.4 centuries | 1.2 minutes     | 0.0756 sec
10         | 1.71 x 10^20 (sextillion, a 21-digit number) | 54 centuries  | 54 years        | 2.83 weeks

Key: 10 characters minimum, upper, lower, number, AND SYMBOLS (why symbols?)
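The arithmetic behind the table above, and behind the Prefix/Base/Suffix scheme on the previous slide, is simple: the number of candidate passwords is alphabet_size ** length, and the worst-case time to try them all is that number divided by the attacker's guess rate. The script below is an added example, not part of the slide deck or the calculator it links to; it assumes the standard printable-ASCII class sizes (26 lower, 26 upper, 10 digits, 32 symbols) and the three guess rates from the slide, and it also rates the three example passwords from the previous slide by the classes they actually use. Because the slide's figures came from an online calculator that may model "one symbol" differently, the computed numbers will not match its cells exactly.

```python
"""Password keyspace and exhaustive-search time.

Added example (not from the slide deck): combinations = alphabet_size ** length,
time = combinations / guess_rate. Class sizes and guess rates are assumptions
taken from standard printable ASCII and from the slide's table headings.
"""
import string

# Character classes and their sizes. Assumption: an attacker who knows which
# classes a password uses searches only the union of those classes.
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), 32),
}

# Guess rates from the slide's column headings, in guesses per second.
RATES = {
    "1000/sec": 1e3,
    "100 Billion/sec": 1e11,
    "100 Trillion/sec": 1e14,
}

SECONDS_PER = [
    ("years", 365.25 * 86400),
    ("weeks", 7 * 86400),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst case: every candidate is tried before the right one is found."""
    return keyspace(alphabet_size, length) / rate


def classes_used(password: str) -> list:
    """Names of the character classes that actually appear in the password."""
    return [name for name, (chars, _) in CLASS_SIZES.items()
            if any(c in chars for c in password)]


def alphabet_size_for(password: str) -> int:
    """Smallest standard alphabet covering every class the password uses,
    e.g. 26 + 26 + 10 + 32 = 94 for a password that mixes all four."""
    return sum(CLASS_SIZES[name][1] for name in classes_used(password))


def _fmt(value: float) -> str:
    if value >= 100:
        return f"{value:,.0f}"
    if value >= 0.01:
        return f"{value:.3g}"
    return f"{value:.2e}"


def human_duration(seconds: float) -> str:
    """Express a duration in the largest unit that gives a value >= 1."""
    for name, size in SECONDS_PER:
        if seconds >= size:
            return f"{_fmt(seconds / size)} {name}"
    return f"{_fmt(seconds)} seconds"


def policy_row(alphabet_size: int, length: int) -> dict:
    """One row of the slide's table: combinations plus time at each rate."""
    row = {"length": length, "combinations": keyspace(alphabet_size, length)}
    for label, rate in RATES.items():
        row[label] = human_duration(seconds_to_exhaust(alphabet_size, length, rate))
    return row


def rate_password(password: str) -> dict:
    """Apply the same arithmetic to a concrete password."""
    size = alphabet_size_for(password)
    row = policy_row(size, len(password))
    row.update(password=password, alphabet=size, classes=classes_used(password))
    return row


if __name__ == "__main__":
    # Lower-case letters and digits only (36 symbols), as in the first table.
    for n in (6, 10):
        print(policy_row(36, n))
    # All four classes (94 symbols) at the same lengths: the "why symbols" row.
    for n in (6, 10):
        print(policy_row(94, n))
    # The Prefix/Base/Suffix examples from the previous slide.
    for pw in ("AN0rN0wN0rfm+", "B0k8675309!", "Issa@V0t3forP3dr0"):
        print(rate_password(pw))
```

Running it reproduces the shape of the slide's argument: going from 36 to 94 possible characters multiplies the six-character keyspace by about 300, while adding four characters to a 36-symbol password multiplies it by about 1.7 million, which is why the slide's key line puts length first and symbols second.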

Page 20

Why so many phishing emails
• Acct/Fin personnel: you are "literally" the target
  – If I send 20,000 emails to my targeted accounting peeps (yes, you can buy that email group) and only 1/2 of 1% respond to my fake $1952.49 invoice, I just made 100 x $1952.49 = $195,249
  – The issue is the economies of scale; you see, sending 20k or 200k emails is not a big deal.
  – Medium companies receive 450K emails a week, and most likely 80% of them are junk (filtered email)
  – 450K x 52 = 23,400,000 emails a year processed
    • Very conservative number!!

Page 21

Free Credit Report / Opt-Out
• Please, please, please
  – Annualcreditreport.com (the only one that is free)
  – Why? Know your credit status
  – Free from Experian, TransUnion, and Equifax
• OPT-OUT of pre-screened offers
  – Optoutprescreen.com
• www.donotcall.gov (add your cell phone number)
• www.dmachoice.org (commercial email opt-out)
• Credit freeze vs. fraud alert
  – Credit freeze = no new credit or changes to your credit
  – Fraud alert = usually for 90 days to 1 year. They just tell you that you have been victimized.

Page 22

Summary
• Pedro Serrano
• ISSA Oklahoma Chapter, Vice President
  • (Information Systems Security Association)

[email protected]

Phishing test (I dare you)
https://phishingquiz.mcafee.com/