An Auditor's Perspective on Frameworks for Information Systems Security in Higher Education
Why My Electronic Identity Needs to be Protected!
Copyright Erwin L. Carrow This work is the intellectual property of the author. Permission is granted for this material to be shared for
non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is
given that the copying is by permission of the author and other identified entities. To disseminate otherwise or to republish requires
written permission from the author. Videos and specific graphics presented are not for public distribution.
Session Guide: Erwin Chris Louis Carrow, IT Audit Director; M.Div., MSIS, BM, CISSP, INFOSEC, CCAI, CCNP, CCSP, CQS, CCNA, LCP, LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc. (Alphabet soup, who cares?!)
Board of Regents, University System of Georgia; Office of Internal Audit and Compliance
270 Washington Street S.W., Ste. 7087 Atlanta, GA 30334
(404)657-9890 Office, (678)644-3526 Cell, (404)463-0699 Fax
Email: firstname.lastname@example.org
http://www.linkedin.com/in/thebishop
http://twitter.com/ecarrow
What I Do? Just a Glorified Geek
High level IT Evaluations, University System Wide
General focus; lack granularity of detail regarding day-to-day operations
Validate Assurance or Identify Vulnerabilities / Exploitation
Bottom line: Challenging Others to Apprehend IT Security and Operational Efficiency
Session Agenda
Key Takeaways and Introductions
Basic Terminology, Context, & Methodology
Strategic Protection of YOUR and OTHERS Personal Information
What to Do to Be Safe / Limit Risk
Key Takeaways
At the end of this session you should be able to:
Understand the RISK with YOUR and OTHERS' Electronic Identity;
Understand the Motivation for Exploitation of YOUR or OTHERS' PERSONAL INFORMATION;
Identify Practical Considerations and Resources to mitigate associated RISK;
Apply Basic Precautions to mitigate potential LOSSES.
Terminology, Context, & Who are the Key Players?
People: Good (solution oriented), Bad (problem producers), and Indifferent (folks who don't care about / understand the problem)
Technology: Good (well managed), Bad (poorly managed), and Indifferent (don't care about or understand the problem)
Services: The Internet (Home, Work, or Public environment) and associated resources, e.g., ISP, Facebook, Games, email, etc.
YOU: Part of the Solution or Part of the Problem, e.g., a Recipient (Poor Slob that GOT HIT), Participant (inadvertently contributed either for or against), or Initiator (Johnny or Jill Hacker)?
Specific or Potential Risks: Governments, Commerce, Health Organizations, Organized Crime Syndicates, Due Negligence, Hacker Exploits (Phishing attempts, Social Network vulnerabilities, etc.)
What is E-Identity and Identity Theft?
E-Identity: an online informational profile about YOU and OTHERS!
Identity theft: the criminal act of stealing your personal information to clone your identity with the intent to use it without your knowledge or permission to commit fraud or other crimes.
You are Identified by What You Do Online or Otherwise!
Commodities: Banking / Income Tax Filing
Services: Hospitals, Gas Stations, etc.
Voyeur Site Participation (Porn)
Who Am I? I AM how the world SEES me!
Threats and the Facts (Commercial - part 1)
October 19, Help Net Security - (International) Kaspersky download site hacked, redirecting users to fake AV. October 17, the Kaspersky USA download site provided download links that redirected users to a malicious Web page where windows telling them their computer was infected were popping up and they were encouraged to buy a fake AV solution. Source: www.net-security.org
October 19, V3.co.uk - (International) RealPlayer receives critical security update. Real Networks has issued a security update for RealPlayer, addressing flaws in versions ... vulnerabilities ranging from buffer overflow and injection flaws to issues that could allow an attacker to remotely execute code on a targeted system. Source: www.v3.co.uk/v3/news
October 18, Computerworld - (International) Unprecedented wave of Java exploits hits users, says Microsoft. Microsoft said October 18 that an unprecedented wave of attacks are exploiting vulnerabilities ... attempts to exploit Java bugs ... IDS/IPS vendors ... have challenges with parsing Java code, the performance impact on a network IPS could be crippling. [So] the people that we expect to notice increases in exploitation might have a hard time seeing this. Call it Java-blindness. Source: www.computerworld.com
July 19, SCADA Systems Hard-Coded Password Circulated Online for Years - malware that targets command-and-control software installed in critical infrastructures uses a known default password that the software maker hard-coded into its system. SCADA, short for supervisory control and data acquisition, systems are programs installed in utilities and manufacturing facilities to manage the operations. SCADA systems are potentially vulnerable to remote attack by malicious outsiders who might want to seize control of utilities for purposes of sabotage, espionage or extortion. "Default passwords are and have been a major vulnerability for many years," said Steve Bellovin. "It's irresponsible to put them in, in the first place. If that's the way the Siemens system works, they were negligent." Siemens did not respond to a request for comment. Source: www.wired.com
October 20, Softpedia - (International) Fake Firefox and Chrome warning pages distribute malware. Security researchers warn a new malware distribution campaign uses fake versions of the malicious site warnings commonly displayed by Firefox and Google Chrome. Security researchers from F-Secure now warn malware pushers are increasingly abusing the trust users associate with these warnings to infect them. Malicious Web sites that mimic both Firefox's "Reported Attack Page" alert, as well as Chrome's "this site may harm your computer" warning, have been spotted. The pages look exactly the same as the real thing, except for a button that reads "Download Updates", suggesting that security patches are available for the browsers. The executable files served when these buttons are pressed install rogue antivirus programs. The users who land on these latest sites discovered by F-Secure are also exposed to drive-by downloads via a hidden IFrame, which loads the Phoenix exploit kit. Source: news.softpedia.com
October 20, Trusteer - (International) Trusteer reports hackers improve Zeus Trojan to retain leadership in crimeware race. Trusteer reported October 20 it has captured and analyzed a new version (2.1) of the Zeus financial malware. New capabilities include: URL matching based on a full implementation of the Perl Compatible Regular Expressions (PCRE) library. This allows much more flexibility for Zeus's configuration to define targets. Source: www.trusteer.com
Threats and the Facts (Personal - part 2)
Personal Experience of Identity Theft (3 official separate times) and recently hacked this month at a military installation!
64x -8 process, 16 gigs RAM, 2x Terabyte HD, dual-booted Windows 7 Pro and SUSE Linux, and multiple other system bells and whistles (bleeding-edge laptop technology, do not recommend)
Attacked and hacked while operating in the Windows 7 environment through the Chrome browser; used a Java / RealPlayer / buffer memory overflow exploit and then attempted to migrate and embed in the OSes
Gained currently loaded browser credentials and passwords; Google email account compromised (Google notified me and stated someone in Greece had accessed my account) at the same time as the identified problem
Locked up the system, scrambled system settings (date changed to year 2076), locally used IDS/IPS rendered partially ineffective, polluted other partitions, both Linux and Windows
Uncertainty of future protection due to complexity and immaturity of hardware and malware software protection
More of the Same Threats and the Facts. But, What are the Results?
Privacy Rights Clearinghouse, Chronology of Data Record Breaches: 13,678,437 records (460 events, 2010) and 510,619,382 since January 2005 that have been reported [www.privacyrights.org/ar/ChronDataBreaches.htm]
Ponemon HRH 2008 Privacy Breach Index Survey (Sept 2008) [www.HRH.com/privacy]
Self-evaluation of overall performance of organization: 9% gave an A; 31% gave a B; 26% gave a C; 29% gave a D; 5% gave an F
80% believed their organizations experienced information system data breaches and loss of customer and personal information
Cause of breach: 50% negligence; 29% third party; 3% hacker; 1% other criminal activity
Number of breaches involving 100 or more records: 36% had 1 to 4; 32% had 5 to 8; 31% had 9 or more
The Various Ways whereby YOUR Information is LOST (Data Leakage)
Physical loss (PHYS) - Lost, discarded or stolen non-electronic records, such as paper documents
Portable device (PORT) - Lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc.
Stationary device (STAT) - Lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility.
Hacking or malware (HACK) - Electronic entry by an outside party, malware and spyware.
Payment Card Fraud (CARD) - Fraud involving debit and credit cards that is not accomplished via hac