Vince Verbeke http://www.slideshare.net/vcv1/info-secday-pennstate

Information Security Day for Penn State Ag Sciences


DESCRIPTION

Too often faculty and staff fail to realize how important individual actions are to the security of computing systems. What each person does (or doesn't do) makes a significant difference with regard to both their individual privacy and the greater security of the institution. To reinforce the idea that everyone must work together to ensure a secure computing environment, an Information Security Day was held within our College. This session will relate the concept behind the day and how it was held. Information security and security awareness topics were discussed via short, "bite-sized" Adobe Connect sessions and included:
• Dangers of Social Networking
• Computer Best Practices to Prevent Malware
• How to Respond to an 'Antivirus' Pop-Up Ad
• Better Passwords and Pass Phrases
• Protecting Your Data


Page 1: Information Security Day for Penn State Ag Sciences

Vince Verbeke

http://www.slideshare.net/vcv1/info-secday-pennstate

Page 2: Information Security Day for Penn State Ag Sciences

Dangers of Social Networking: 9:00 am to 10:00 am

Computer Best Practices to Prevent Malware: 10:30 am to 11:30 am

How to Respond to an 'Antivirus' Pop-Up Ad: 12:00 pm to 1:00 pm

Better Passwords and Pass Phrases: 1:30 pm to 2:30 pm

Protecting Your Data: 3:00 pm to 4:00 pm

Page 3: Information Security Day for Penn State Ag Sciences

Dangers of Social Networking: Who are your friends really?

Computer Best Practices to Prevent Malware: Update! Update! Update!

How to Respond to an 'Antivirus' Pop-Up Ad: Warning! Warning! Warning!

Better Passwords and Pass Phrases: Who would want my information?

Protecting Your Data: Let's be safe out there!

Page 4: Information Security Day for Penn State Ag Sciences

All the IT groups within the College work to make a safe computing environment
  ◦ Install Antivirus Software
  ◦ Network Threat Protection
  ◦ Firewalls

Individuals' actions are of great importance to the security of computing systems

What you do (or don't do) matters as well
We need your help and support

Page 5: Information Security Day for Penn State Ag Sciences

1. Don't expect human behavior to change. Ever.
2. You cannot survive with defense alone
3. Not all threats are equal, and all checklists are wrong
4. You cannot eliminate all vulnerabilities
5. You will be breached

Source: http://securosis.com/blog/my-personal-security-guiding-principles/

Page 6: Information Security Day for Penn State Ag Sciences

What threats are out there?
How can we minimize our risk?

Page 7: Information Security Day for Penn State Ag Sciences

Twitter Phishing Attack Spreading via Direct Message (Feb 20, 2010)

Facebook Accounts Hacked; 1.5 Million Login IDs For Sale? (April 23, 2010)

Google Asking Buzz Users to Confirm Contacts (April 6, 2010)

Foursquare's privacy loopholes (March 25, 2010)

Page 8: Information Security Day for Penn State Ag Sciences


Page 9: Information Security Day for Penn State Ag Sciences

Facebook Safety Center
Sophos's recommendations for Facebook settings
Facebook Newbie | Good Practices
  ◦ Be careful of stuff sent to you, even by people you respect (their Facebook account may have been hacked)
  ◦ Limit or eliminate access to games and plugins
  ◦ Think before you click

Let's look at my FB page...

Page 10: Information Security Day for Penn State Ag Sciences

The Internet is fun but also dangerous
People don't know what they do and can easily be duped
The more cool stuff, the more risks
Updates should be applied religiously
Browsing to a site (ANY site) can infect your computer

Source: Safe Computing Tips For All

Page 11: Information Security Day for Penn State Ag Sciences

You need to review and look at your various social media account settings

Be aware that what you post is there for everyone to see
  ◦ bad folks to gather and sell
  ◦ Google to cache
  ◦ Library of Congress to archive (April 28, 2010)

Walk away from Social Media

Page 12: Information Security Day for Penn State Ag Sciences

Where are the threats coming from?
What can we do to shield ourselves?
What to do if infected?

Page 13: Information Security Day for Penn State Ag Sciences
Page 14: Information Security Day for Penn State Ag Sciences

Malware authors attempt to evade detection by continually releasing new variants in an effort to outpace the release of new signatures by antivirus vendors

More than 126 million malicious samples were detected in the wild in the 2nd half of 2009

Category                               1st Half 09   2nd Half 09   Diff
Misc. Potentially Unwanted Software    2,753,008     4,674,336     69.8%

Source: Microsoft Security Intelligence Report Volume 8 (Apr 2010)

Page 15: Information Security Day for Penn State Ag Sciences

Infection rates for more recently released operating systems are consistently lower than previous ones

For operating systems with service packs, each successive service pack has a lower infection rate than the one before it.

The infection rate for Windows XP with SP3 is less than half of that for SP2, and less than a third of that for SP1.

Source: Microsoft Security Intelligence Report Volume 8 (Apr 2010)

Page 16: Information Security Day for Penn State Ag Sciences

QuickTime (and iTunes)
Sun Java (and remove old versions)
Adobe Flash Player
Firefox
Real Player
See How To Download Latest Updates for Enterprise Dell Computers for a list

YOU NEED TO FIND THE TIME!!

Page 17: Information Security Day for Penn State Ag Sciences

Don’t click on, or attempt to close, any of the malware windows

SHUT DOWN
Contact Ag IT Support at 814-865-1229 or submit a Help Request from another machine
http://agsci.psu.edu/it/help-request

Ag IT will ...
  ◦ Attempt to clean the infection
  ◦ Back up the data and re-image the machine

Page 18: Information Security Day for Penn State Ag Sciences

Computers can be infected from any website
THINK, THINK, THINK ... BEFORE YOU CLICK, especially in search results
If you receive a message from an unrecognized or unsolicited source, be wary
Apply Windows updates and apply your 3rd party updates
  ◦ Subscribe to AgSci IT Tech Alerts
  ◦ Read AgSci IT eNews

If infected, shut down, and contact Ag IT

Page 19: Information Security Day for Penn State Ag Sciences

What just happened?
What if the computer is infected?

Page 20: Information Security Day for Penn State Ag Sciences
Page 21: Information Security Day for Penn State Ag Sciences

Don't panic
Go to another computer and print:

How To Respond to an "Antivirus" Pop-Up Ad

http://agsci.psu.edu/it/how-to/respond-to-an-antivirus-pop-up-ad

Let’s review the steps

Page 22: Information Security Day for Penn State Ag Sciences

Computers can be infected from any website

THINK, THINK, THINK ... BEFORE YOU CLICK
Apply Windows updates and apply your 3rd party updates
  ◦ Subscribe to AgSci IT Tech Alerts
  ◦ Read AgSci IT eNews

If infected, you can try these steps (or shut down, and contact Ag IT straightaway)

Page 23: Information Security Day for Penn State Ag Sciences

What are the password rules for the College?
What are Penn State's guidelines?
What are good passwords?
What are bad passwords?
How can you protect your passwords?
How can you remember your passwords?
What other tech hardware uses passwords?

Questions ... Questions .... Questions

Page 24: Information Security Day for Penn State Ag Sciences

Use two numbers in the first eight characters.
Pick long passwords, at least 8 characters in length if the system allows it.
Don't use a common dictionary word, a name, a string of numbers, or your User ID.
Certain special characters may be used. Examples of permitted special characters are $ . , ! % ^ *

Source: http://its.psu.edu/password/bestpractices.html
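The rules on this slide, written out as a small checker so the "first eight characters" wording can be tested against real candidates. This is an added example for this page, not code from the deck or from Penn State ITS; the word list is a constructed stand-in, and rejecting special characters outside the listed set is an assumption, since the slide only gives examples of permitted ones.

```python
from typing import List

# Constructed stand-in for a dictionary/name list; a real deployment would load
# a full word list (e.g. the system dictionary) instead of these few entries.
COMMON_WORDS = {"password", "penn", "state", "nittany", "lion", "football"}

# Permitted special characters as listed on the slide. Treating any other
# non-alphanumeric character as disallowed is an assumption for this example.
PERMITTED_SPECIALS = set("$.,!%^*")


def password_violations(password: str, user_id: str = "") -> List[str]:
    """Return the slide rules a candidate breaks; an empty list means it passes."""
    problems: List[str] = []

    # "Pick long passwords, at least 8 characters in length"
    if len(password) < 8:
        problems.append("shorter than 8 characters")

    # "Use two numbers in the first eight characters": digits after position 8
    # do not count, so 'abcdefgh12' fails even though it contains two digits.
    if sum(ch.isdigit() for ch in password[:8]) < 2:
        problems.append("fewer than two numbers in the first eight characters")

    # "Don't use a common dictionary word, a name, a string of numbers, or your User ID"
    if password.isdigit():
        problems.append("string of numbers")
    if password.lower() in COMMON_WORDS:
        problems.append("common dictionary word or name")
    if user_id and user_id.lower() in password.lower():
        problems.append("contains the User ID")

    # "Certain special characters may be used": flag anything outside the listed set
    disallowed = sorted({ch for ch in password
                         if not ch.isalnum() and ch not in PERMITTED_SPECIALS})
    if disallowed:
        problems.append("disallowed special characters: " + "".join(disallowed))

    return problems


if __name__ == "__main__":
    # The slide's own pass-phrase example plus a few constructed near-misses
    for candidate in ["mbbi4tt19s3", "abcdefgh12", "Nittany", "a1b2cd#e"]:
        print(candidate, "->", password_violations(candidate) or "OK")
```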

Page 25: Information Security Day for Penn State Ag Sciences

Use a password based on a phrase

phrase: "It was a dark and stormy night..."
password: iWadasn7
method: Chose first letter from each word, followed by the age of nephew.

phrase: My Brother's Birthday Is april(4) Twenty Two Nineteen Sixty three(3)
password: mbbi4tt19s3
method: Chose first letter from most words, and substitute numbers for letters

Page 26: Information Security Day for Penn State Ag Sciences

Anything so complicated you have to write it down
Anything in all upper case or lower case
Anything with the first or last character uppercase and the rest lower case
Anything you've come across as a textbook example
Anything containing letters of the alphabet only

Page 27: Information Security Day for Penn State Ag Sciences

Interleave two words e.g. Penn State = PsEtNaNte

Interleave a word with a numeric string e.g. flash 978 = f9L7a0s8H

Concatenate two words, possibly with a symbol as delimiter e.g. egG^rIbBoN (read: egg^ribbon)

Source: Choosing Your Password (PDF)

Page 28: Information Security Day for Penn State Ag Sciences

Embed special characters or non-alphanumeric symbols ($ . , ! % ^ *)

Misspell (but consistently!)
Unorthodox caPitaliZation
Use a personally significant acronym e.g. WaPSftG (We Are Penn State For The Glory)
Replace letters with digits or equivalent characters, and words with abbreviations e.g. $h0wprg^m or Eag!RnPH*LL

Don't re-use the same password

Page 29: Information Security Day for Penn State Ag Sciences

Do not let anyone else know or use your password; this is a violation of University policy

For optimum security, don't write your password down. Don’t post it on your computer or anywhere around your desk.

If the URL does not begin with "https" then you should not use your Penn State Access Account password.

Source: http://its.psu.edu/password/bestpractices.html#misuse

Page 30: Information Security Day for Penn State Ag Sciences

Both Penn State and the College require that you update passwords at least once a year

For security reasons, it is recommended that you change these passwords every 6 months

Neither Penn State nor the College will ever send you an E-mail asking for your password

Page 31: Information Security Day for Penn State Ag Sciences

Software allows you to create a “master” password to store passwords for all your other accounts

Encrypts your passwords
Fills in and remembers online forms
Examples:
  KeePass - http://keepass.info/
  LastPass - http://lastpass.com/
  RoboForm - http://www.roboform.com/

Page 32: Information Security Day for Penn State Ag Sciences

Home Routers with default password
http://www.routerpasswords.com/

Multifunction devices with default passwords
http://www.passwordsdatabase.com/vendor/xerox

Multifunction print, scan and fax devices have the ability to store faxes, scans & print jobs to memory, and can archive to hard disk
A Security Assessment of the Ricoh Aficio 450E Multifunction Device (2003)

Page 33: Information Security Day for Penn State Ag Sciences

Password should be at least 8 characters
Use a pass-phrase
Use mixed case, embed at least 2 numbers and one special character in your passwords

Change your Penn State and Ag passwords every 6 months

Don't share your passwords (or write them down)
Don't use your Penn State or Ag password for any other purpose (like Facebook)

Page 34: Information Security Day for Penn State Ag Sciences

◦ What if an EN computer was stolen
◦ What if you misplaced a USB drive with research or sensitive information
◦ What does the future hold for data safety on University machines
◦ Can you check your online identity

Page 35: Information Security Day for Penn State Ag Sciences

Report theft to local authorities
Change Passwords IMMEDIATELY
Report the theft to Ag IT
Report the theft to Penn State Security
Report the theft to Dell (if applicable)

Source: http://agsci.psu.edu/it/how-to/what-to-do-if-your-computer-is-stolen

Page 36: Information Security Day for Penn State Ag Sciences

If a thief has physical access, they can gain access to the drive contents ... PERIOD

Reboot from a CD and reset the local Windows password on that machine

Reboot from a Linux CD (Ultimate Boot CD) and gain access to entire hard drive

Spend less than $50 on a hard drive caddy to mount your drive as an external device

Page 37: Information Security Day for Penn State Ag Sciences

Upside - small size, easy portability, durability, and low cost make them very popular

Downside – they are just as easy to swipe and to conceal as well as misplace or lose

Many horror stories involving missing USB drives

Page 38: Information Security Day for Penn State Ag Sciences

Record your EN computer’s Service Tag and Express Service Code (other computers record the serial number)

Physically secure the machine
Do not leave laptops unattended in public
Label your computer (laptops at least) with name and contact information (but not your password)

More: How to deal with a lost or stolen laptop

Page 39: Information Security Day for Penn State Ag Sciences

Label the drive with “If Found” and a phone number

Rohos Mini Drive allows you to create a password-protected partition on USB drives
http://www.rohos.com/products/rohos-mini-drive/

Demonstration

Page 40: Information Security Day for Penn State Ag Sciences

Operate computers in 'least privilege' mode
  ◦ Better system security
  ◦ Less obtrusive in Windows 7

Enable full disk encryption to protect data from thieves
  ◦ Feature is built-in to Windows 7 Enterprise

Page 41: Information Security Day for Penn State Ag Sciences

Think security all the time
With Windows 7 on EN machines, security will be more stringent
Check your online identity

Page 42: Information Security Day for Penn State Ag Sciences

202 total participants across all 5 sessions
  ◦ 56 – Dangers of Social Networking
  ◦ 56 – Best Practices to Prevent Malware
  ◦ 31 – Respond to an 'Antivirus' Pop-Up
  ◦ 26 – Better Passwords and Pass Phrases
  ◦ 31 – Protecting Your Data

85 unique participants
34 (16%) attended a single session
51 (25%) attended more than one session
14 attended each of the sessions

Page 43: Information Security Day for Penn State Ag Sciences

Views of Recorded Sessions
http://agsci.psu.edu/it/training/self-paced-learning/information-security-day-april-29-2010
  ◦ 20 – Dangers of Social Networking
  ◦ 10 – Best Practices to Prevent Malware
  ◦ 4 – Respond to an 'Antivirus' Pop-Up
  ◦ 11 – Better Passwords and Pass Phrases
  ◦ 3 – Protecting Your Data

48 "additional" participants
Overall impact: 202 + 48 = 250

Page 44: Information Security Day for Penn State Ag Sciences

85 unique out of 202 is 42%
42% of 48 recorded watchers is 20
105 total unique
~1400 full time faculty, staff, educators, and tech service staff in College of Ag Sciences

Reached 7.5% of the College
We DID ASK these people to carry the message to co-workers

Page 45: Information Security Day for Penn State Ag Sciences

September 21 during ITChatter
ITChatter Series is a monthly lunch conversation about technologies
ITChatter runs from 12:15 to 12:50
We'll do follow-up on all 5 topics
Check out our Training Page

http://agsci.psu.edu/it/training/self-paced-learning/itchatter-series

Page 46: Information Security Day for Penn State Ag Sciences

Security and security awareness are NOT a once-and-done deal

We will continue to use eNews and Tech Alerts to keep awareness "in the face" of college faculty and staff

We must be vigilant and aware in our technology use each and every day

This message MUST be delivered .... each and every day if necessary

SECURITY DAY AS ONGOING SERIES