Danger! Internet Ahead!

Copyright Daniel Elswit, 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.


Daniel Elswit

College of Agriculture & Life Sciences

IT Security Officer

Online security and privacy without a lot of jargon

Cornell’s College of Agriculture & Life Sciences

- About 30 departments
- About 4,000 workstations
- Predominantly Windows XP
- Loosely centralized IT structure and services

- Accessible to non-technical audiences
- Help the audience think for themselves
- Local and late-breaking anecdotes
- 40 minute time limit not counting questions
- Usable as both a standalone presentation and an “insert” into other venues
- Live contact with end-users

Technical staff
- Review unfamiliar technical concepts
- Double-check facts

Non-technical staff
- What was most relevant to them?
- What did they already know?
- What do they want to know more about?

Faculty

- Form a pilot group of trusted faculty
- Ask for critique of delivery as well as content
- With faculty input “Danger…” became:
  - More focused
  - More interesting
  - Shorter (40 minutes instead of 75)
  - Handout was added

Start off with one of the following:
- Tell a story
- Do a demonstration
- Do something to make them realize that this relates to them

Sometimes the only thing standing between you and disaster is your own discretion.

Security: Why Should We Care?

- State and federal laws
- Cornell policy
- Cornell’s image
  - Prospective students
  - Alumni
  - Research and academic communities
- Clean-up costs in time and dollars

“But this doesn’t relate to me!”

FACT: 60-70% of Cornell faculty and staff harbor highly sensitive data on their computers.

FACT: Antivirus programs may not immediately protect against the latest threats.

FACT: Software updates may not address all threats in a timely manner.

FACT: Firewalls may not protect you from yourself.

FACT: The bad guys want to use your computer.

What do the bad guys do?

Viruses, worms, and hacking are often associated with, among other things:

- Backdoors – secret access to a computer
- Botnets – large groups of hacked computers attacking targets en masse
- Keyloggers – all keystrokes are captured

- Do not install unnecessary software
- Consult IT prior to installing software
- Examples of common software with known security concerns:
  - Instant Messaging applications
  - Weatherbug
  - Web Shots
  - Gator
  - Google Desktop
  - Voice-Over-IP applications

Avoiding Email Traps

Red flags:
- Requesting personal information
- Urgent tone (“Respond within 24 hours or…”)
- Anonymous salutation (“Dear Valued Customer”)
- Asking you to install something by clicking on a link

Do not use “preview panes”

Verify if unsure
- Many companies have verification sites
- Contact IT if unsure

Passwords

An 8-letter password, all lowercase, can be cracked in less than 2 seconds

Cornell’s password policy:
- 8 characters long minimum
- Must include letters, numbers, symbols
- Netid passwords cannot be shared

The Internet and Email are Not Private Places

Networks are routinely monitored by good guys and eavesdropped on by bad guys

Most off-campus email (GMail, Yahoo, etc.), instant messaging, web, and ftp traffic can be easily intercepted and read online

If properly configured, messages sent via campus email are private (but not web mail)

When is Web Browsing Private?

Beware of the Unexpected…

The Internet from Cornell to Stanford

[Diagram labels: You; Email server at Cornell; Cornell border; New York City; Chicago; Denver; Indianapolis; Kansas City; San Francisco; Stanford border; Your colleague at Stanford; Email server at Stanford]

Many potential eavesdropping locations

Be Wary of Wireless

“Party line” – everyone hears everything

Far more susceptible to eavesdropping than wired networks

Public wireless (airports, hotels, Starbucks, etc.) should never be considered private or secure

Limit File Sharing

File sharing can open your computer to hackers

File sharing, especially of sensitive data, should be confined to dedicated servers

Custodians of sensitive data should inform IT of where such data resides

FACT: Computer security has no single solution.

Cornell Policy

“Cornell University expects all individuals using information technology devices connected to the Cornell network to take appropriate measures to manage the security of those devices.”