Too often faculty and staff fail to realize how important individual actions are to the security of computing systems. What each person does (or doesn't do) makes a significant difference with regard to both their individual privacy and the greater security of the institution.

To reinforce the idea that everyone must work together to ensure a secure computing environment, an Information Security Day was held within our College. This session will relate the concept behind the day and how it was held.

Information security and security awareness topics were discussed via short, "bite-sized" Adobe Connect sessions and included:
• Dangers of Social Networking
• Computer Best Practices to Prevent Malware
• How to Respond to an ‘Antivirus’ Pop-Up Ad
• Better Passwords and Pass Phrases
• Protecting Your Data
Vince Verbeke
http://www.slideshare.net/vcv1/info-secday-pennstate
Dangers of Social Networking (9:00 am to 10:00 am)
Computer Best Practices to Prevent Malware (10:30 am to 11:30 am)
How to Respond to an ‘Antivirus’ Pop-Up Ad (12:00 pm to 1:00 pm)
Better Passwords and Pass Phrases (1:30 pm to 2:30 pm)
Protecting Your Data (3:00 pm to 4:00 pm)
Dangers of Social Networking: Who are your friends really?
Computer Best Practices to Prevent Malware: Update! Update! Update!
How to Respond to an ‘Antivirus’ Pop-Up Ad: Warning! Warning! Warning!
Better Passwords and Pass Phrases: Who would want my information?
Protecting Your Data: Let’s be safe out there!
All the IT groups within the College work to make a safe computing environment
◦ Install Antivirus Software
◦ Network Threat Protection
◦ Firewalls
Individuals’ actions are of great importance to the security of computing systems
What you do (or don’t do) matters as well. We need your help and support.
1. Don't expect human behavior to change. Ever
2. You cannot survive with defense alone
3. Not all threats are equal, and all checklists are wrong
4. You cannot eliminate all vulnerabilities
5. You will be breached
Source: http://securosis.com/blog/my-personal-security-guiding-principles/
What threats are out there? How can we minimize our risk?
Twitter Phishing Attack Spreading via Direct Message (Feb 20, 2010)
Facebook Accounts Hacked; 1.5 Million Login IDs For Sale? (April 23, 2010)
Google Asking Buzz Users to Confirm Contacts (April 6, 2010)
Foursquare's privacy loopholes (March 25, 2010)
Facebook Safety Center
Sophos's recommendations for Facebook settings
Facebook Newbie | Good Practices
◦ Be careful of stuff sent to you, even by people you respect (their Facebook account may have been hacked)
◦ Limit or eliminate access to games and plugins
◦ Think before you click
Let’s look at my FB page...
The Internet is fun but also dangerous
People don’t know what they do and can easily be duped
The more cool stuff, the more risks
Updates should be applied religiously
Browsing to a site (ANY site) can infect your computer
Source: Safe Computing Tips For All
You need to review and look at your various social media account settings
Be aware that what you post is there for everyone to see
◦ bad folks to gather and sell
◦ Google to cache
◦ Library of Congress to archive (April 28, 2010)
Walk away from Social Media
Where are the threats coming from? What can we do to shield ourselves? What to do if infected?
Malware authors attempt to evade detection by continually releasing new variants in an effort to outpace the release of new signatures by antivirus vendors
More than 126 million malicious samples were detected in the wild in 2nd half of 2009
Misc. Potentially Unwanted Software: 1st Half 09: 2,753,008; 2nd Half 09: 4,674,336; Diff: 69.8%
Source: Microsoft Security Intelligence Report Volume 8 (Apr 2010)
Infection rates for more recently released operating systems are consistently lower than previous ones
For operating systems with service packs, each successive service pack has a lower infection rate than the one before it.
The infection rate for Windows XP with SP3 is less than half of that for SP2, and less than a third of that for SP1.
Source: Microsoft Security Intelligence Report Volume 8 (Apr 2010)
QuickTime (and iTunes)
Sun Java (and remove old versions)
Adobe Flash Player
Firefox
Real Player
See "How To Download Latest Updates for Enterprise Dell Computers" for a list
YOU NEED TO FIND THE TIME!!
Don’t click on, or attempt to close, any of the malware windows
SHUT DOWN. Contact Ag IT Support at 814-865-1229 or submit a Help Request from another machine: http://agsci.psu.edu/it/help-request
Ag IT will ...
◦ Attempt to clean the infection
◦ Back up the data and re-image the machine
Computers can be infected from any website
THINK, THINK, THINK ... BEFORE YOU CLICK, especially in search results
If you receive a message from an unrecognized or unsolicited source, be wary
Apply Windows updates and apply your 3rd party updates
◦ Subscribe to AgSci IT Tech Alerts
◦ Read AgSci IT eNews
If infected, shut down, and contact Ag IT
What just happened? What if the computer is infected?
Don't panic. Go to another computer and print "How To Respond to an "Antivirus" Pop-Up Ad":
http://agsci.psu.edu/it/how-to/respond-to-an-antivirus-pop-up-ad
Let’s review the steps
Computers can be infected from any website
THINK, THINK, THINK ... BEFORE YOU CLICK
Apply Windows updates and apply your 3rd party updates
◦ Subscribe to AgSci IT Tech Alerts
◦ Read AgSci IT eNews
If infected, you can try these steps (or shut down, and contact Ag IT straightaway)
What are password rules for the College? What are Penn State’s guidelines? What are good passwords? What are bad passwords? How can you protect your passwords? How can you remember your passwords? What other tech hardware uses passwords?
Questions ... Questions .... Questions
Use two numbers in the first eight characters.
Pick long passwords, at least 8 characters in length if the system allows it.
Don't use a common dictionary word, a name, a string of numbers, or your User ID.
Certain special characters may be used. Examples of permitted special characters are $ . , ! % ^ *
Source: http://its.psu.edu/password/bestpractices.html
Use a password based on a phrase.
phrase: "It was a dark and stormy night..."
password: iWadasn7
method: Chose first letter from each word, followed by the age of nephew.
phrase: My Brother's Birthday Is april(4) Twenty Two Nineteen Sixty three(3)
password: mbbi4tt19s3
method: Chose first letter from most words, and substitute numbers for letters
Anything so complicated you have to write it down
Anything in all upper case or lower case
Anything with the first or last character uppercase and the rest lower case
Anything you've come across as a textbook example
Anything containing letters of the alphabet only
Interleave two words e.g. Penn State = PsEtNaNte
Interleave a word with a numeric string e.g. flash 978 = f9L7a0s8H
Concatenate two words, possibly with a symbol as delimiter e.g. egG^rIbBoN (read: egg^ribbon)
Source: Choosing Your Password (PDF)
Embed special characters or non-alphanumeric symbols ($ . , ! % ^ *)
Misspell (but consistently!)
Unorthodox caPitaliZation
Use a personally significant acronym e.g. WaPSftG (We Are Penn State For The Glory)
Replace letters with digits or equivalent characters, and words with abbreviations e.g. $h0wprg^m or Eag!RnPH*LL
Don't re-use same password
Do not let anyone else know or use your password; this is a violation of University policy
For optimum security, don't write your password down. Don’t post it on your computer or anywhere around your desk.
If the URL does not begin with "https" then you should not use your Penn State Access Account password.
Source: http://its.psu.edu/password/bestpractices.html#misuse
Both Penn State and the College require that you update passwords at least once a year
For security reasons, it is recommended that you change these passwords every 6 months
Neither Penn State nor the College will ever send you an E-mail asking for your password
Software allows you to create a “master” password to store passwords for all your other accounts
Encrypts your passwords
Fills in and remembers online forms
Examples:
KeePass - http://keepass.info/
LastPass - http://lastpass.com/
RoboForm - http://www.roboform.com/
Home Routers with default password: http://www.routerpasswords.com/
Multifunction devices with default passwords: http://www.passwordsdatabase.com/vendor/xerox
Multifunction print, scan and fax devices have the ability to store faxes, scans & print jobs to memory, and can archive to hard disk
A Security Assessment of the Ricoh Aficio 450E Multifunction Device (2003)
Password should be at least 8 characters
Use a pass-phrase
Use mixed case, embed at least 2 numbers and one special character in your passwords
Change your Penn State and Ag passwords every 6 months
Don’t share your passwords (or write down)
Don’t use your Penn State or Ag password for any other purpose (like Facebook)
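The password rules quoted from the ITS best-practices page and the College summary above can be expressed as a small checker. This is an added example, not code from the presentation or from Penn State ITS; the dictionary set, the user ID and the one passing candidate are constructed for the demonstration.

```python
import string

# The special characters the slides list as permitted examples; anything else
# outside letters and digits is treated here as not permitted (an assumption).
PERMITTED_SPECIAL = set("$.,!%^*")

# Constructed stand-in for a real dictionary / name list (a deployment would
# load a proper wordlist; these entries are just words the slides mention).
SAMPLE_DICTIONARY = {"password", "penn", "state", "flash", "egg", "ribbon", "nittany"}


def check_password(candidate: str, user_id: str = "") -> list:
    """Return the names of the slide rules the candidate breaks.

    Rules checked (from the ITS and College slides): at least 8 characters,
    two digits within the first eight characters, at least one permitted
    special character, mixed case, only permitted characters, and not a
    dictionary word, a bare string of numbers, or the user's own ID.
    An empty list means the candidate satisfies every rule.
    """
    failures = []
    first_eight = candidate[:8]
    if len(candidate) < 8:
        failures.append("length")
    if sum(c.isdigit() for c in first_eight) < 2:
        failures.append("digits_in_first_8")
    if not any(c in PERMITTED_SPECIAL for c in candidate):
        failures.append("special_char")
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        failures.append("mixed_case")
    allowed = set(string.ascii_letters + string.digits) | PERMITTED_SPECIAL
    if any(c not in allowed for c in candidate):
        failures.append("disallowed_char")
    if candidate.isdigit():
        failures.append("numeric_only")
    if candidate.lower() in SAMPLE_DICTIONARY:
        failures.append("dictionary_word")
    if user_id and candidate.lower() == user_id.lower():
        failures.append("user_id")
    return failures


if __name__ == "__main__":
    # The slides' own sample passwords, plus one constructed candidate
    # ("iW4d7asn!") that applies the phrase method with two digits and a symbol.
    for pw in ["iWadasn7", "mbbi4tt19s3", "PsEtNaNte", "egG^rIbBoN", "iW4d7asn!"]:
        broken = check_password(pw, user_id="abc123")  # constructed user ID
        print(f"{pw:12s} -> {'OK' if not broken else ', '.join(broken)}")
```

Running it shows that the slides' own samples each miss at least one of the College rules (most lack two digits in the first eight characters or a special character), which is a useful reminder that a published sample password is exactly the "textbook example" the bad-password list warns against.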
◦ What if an EN computer was stolen
◦ What if you misplaced a USB drive with research or sensitive information
◦ What does the future hold for data safety on University machines
◦ Can you check your online identity
Report theft to local authorities
Change Passwords IMMEDIATELY
Report the theft to Ag IT
Report the theft to Penn State Security
Report the theft to Dell (if applicable)
Source: http://agsci.psu.edu/it/how-to/what-to-do-if-your-computer-is-stolen
If thief has physical access, they can gain access to the drive contents ... PERIOD
Reboot from a CD and reset the local Windows password on that machine
Reboot from a Linux CD (Ultimate Boot CD) and gain access to entire hard drive
Spend less than $50 on a hard drive caddy to mount your drive as an external device
Upside - small size, easy portability, durability, and low cost make them very popular
Downside – they are just as easy to swipe and to conceal as well as misplace or lose
Many horror stories involving missing USB drives
Record your EN computer’s Service Tag and Express Service Code (other computers record the serial number)
Physically secure the machine
Do not leave laptops unattended in public
Label your computer (laptops at least) with name and contact information (but not your password)
More: How to deal with a lost or stolen laptop
Label the drive with “If Found” and a phone number
Rohos Mini Drive allows you to create a password-protected partition on USB drives: http://www.rohos.com/products/rohos-mini-drive/
Demonstration
Operate computers in ‘least privilege’ mode
◦ Better system security
◦ Less obtrusive in Windows 7
Enable full disk encryption to protect data from thieves
◦ Feature is built-in to Windows 7 Enterprise
Think security all the time
With Windows 7 on EN machines, security will be more stringent
Check your online identity
202 total participants across all 5 sessions
◦ 56 - Dangers of Social Networking
◦ 56 - Best Practices to Prevent Malware
◦ 31 - Respond to an 'Antivirus' Pop-Up
◦ 26 - Better Passwords and Pass Phrases
◦ 31 - Protecting Your Data
85 unique participants: 34 (16%) attended a single session, 51 (25%) attended more than one session, 14 attended each of the sessions
Views of Recorded Sessions (http://agsci.psu.edu/it/training/self-paced-learning/information-security-day-april-29-2010)
◦ 20 - Dangers of Social Networking
◦ 10 - Best Practices to Prevent Malware
◦ 4 - Respond to an 'Antivirus' Pop-Up
◦ 11 - Better Passwords and Pass Phrases
◦ 3 - Protecting Your Data
48 "additional" participants. Overall impact: 202 + 48 = 250
85 unique out of 202 is 42%; 42% of 48 recorded watchers is 20; 105 total unique
~1400 full time faculty, staff, educators, and tech service staff in College of Ag Sciences
Reached 7.5% of the College. We DID ASK these people to carry the message to co-workers
September 21 during ITChatter
ITChatter Series is a monthly lunch conversation about technologies
ITChatter runs from 12:15 to 12:50
We’ll do follow-up on all 5 topics
Check out our Training Page: http://agsci.psu.edu/it/training/self-paced-learning/itchatter-series
Security and security awareness is NOT a once and done deal
We will continue to use eNews and Tech Alerts to keep awareness "in the face" of college faculty and staff
We must be vigilant and aware in our technology use each and every day
This message MUST be delivered .... each and every day if necessary
SECURITY DAY AS ONGOING SERIES