Information Security Awareness - University of Wisconsin ...


User Awareness and Practices

The internet allows an attacker to attack from anywhere on the planet.

Risks caused by poor security knowledge and practice:
- Identity theft
- Monetary theft
- Legal ramifications (for yourself and for companies)
- Termination if company policies are not followed

According to , the top vulnerabilities available to a cyber criminal are:
- Web browser
- IM clients
- Web applications
- Excessive user rights

Security: we must protect our computers and data in the same way that we secure the doors to our homes.
Safety: we must behave in ways that protect us against the risks and threats that come with technology.

Who writes the attack tools?
- System administrators: some scripts are useful to protect networks.
- Cracker: a computer-savvy programmer who creates attack software.
- Script kiddies: unsophisticated computer users who know how to execute programs.
- Criminals: create and sell bots (spam); sell credit card numbers.

Hacker bulletin board (diagram): SQL injection, buffer overflow, password crackers, password dictionaries; "Successful attacks!": "Crazyman broke into", "CoolCat penetrated".

Underground prices shown on the slide:
- Malware package = $1K-2K
- 1 M email addresses = $8
- 10,000 PCs = $1000

Malware types: virus, worm, Trojan horse / logic bomb, social engineering, rootkits, botnets / zombies.

Virus
- A virus attaches itself to a program, file, or disk.
- When the program is executed, the virus activates and replicates itself.
- The virus may be benign or malignant, but it executes its payload at some point (often upon contact).
- Viruses result in crashing of computers and loss of data.
(Diagram: Program A, carrying extra code, infects Program B.)

To recover from or prevent virus attacks:
- Avoid potentially unreliable websites/emails
- System Restore
- Re-install the operating system
- Anti-virus (e.g. Avira, AVG, Norton)

Worm
- An independent program which replicates itself and sends copies from computer to computer across network connections.
- Upon arrival the worm may be activated to replicate.
(Diagram: the worm mails itself to every entry in an email list: "To Joe", "To Ann", "To Bob".)

Logic bomb
- Malware logic executes upon certain conditions. The host program is often used for legitimate reasons.
- Examples: software which malfunctions if a maintenance fee is not paid; an employee triggers a database erase when he is fired.

Trojan horse
- Masquerades as a beneficial program while quietly destroying data or damaging your system.
- Example: you download a game. It might be fun, but it has a hidden part that emails your password file without you knowing.

Social engineering
- Manipulates people into performing actions or divulging confidential information. Similar to a confidence trick or simple fraud, the term applies to the use of deception to gain information, commit fraud, or access computer systems.
- Phone call: "This is John, the System Admin. What is your password?"
- Email: "ABC Bank has noticed a problem with your account..."
- In person: "What ethnicity are you? Your mother's maiden name?"; "...and I have some software patches."

- In person: "I have come to repair your machine."

Phishing
- A seemingly trustworthy entity asks via e-mail for sensitive information such as SSN, credit card numbers, login IDs or passwords.
- The link provided in the e-mail leads to a fake web page which collects the information and submits it to the attacker.
- The fake web page looks like the real thing and extracts account information.

Botnets / zombies
- A botnet is a large number of compromised computers that are used to create and send spam or viruses, or to flood a network with messages as a denial of service attack.
- The compromised computers are called zombies.

Man in the middle
- An attacker pretends to be your final destination on the network. If a person tries to connect to a specific WLAN access point or web server, the attacker can mislead him to the attacker's computer, which pretends to be that access point or server.

Rootkits
- Upon penetrating a computer, a hacker installs a collection of programs, called a rootkit.
- May enable: easy access for the hacker (and others); a keystroke logger; elimination of evidence of the break-in.

- Modifies the operating system.
(Diagram: rootkit components: backdoor entry, keystroke logger, hidden user.)

Password cracking: how long does a guess take?
Time to guess assumes 2.6×10^18 guesses per month; the first three rows are manual attacks.

Pattern                                Calculation   Result     Time to guess
Personal info (interests, relatives)   -             20         Manual, 5 minutes
Social engineering                     -             1          Manual, 2 minutes
American dictionary                    -             80,000     < 1 second
4 chars: lower case alpha              26^4          5×10^5
8 chars: lower case alpha              26^8          2×10^11
8 chars: alpha                         52^8          5×10^13
8 chars: alphanumeric                  62^8          2×10^14    3.4 min.
8 chars: alphanumeric + 10 symbols     72^8          7×10^14    12 min.
8 chars: all keyboard                  95^8          7×10^15    2 hours
12 chars: alphanumeric                 62^12         3×10^21    96 years
12 chars: alphanumeric + 10 symbols    72^12         2×10^22    500 years
12 chars: all keyboard                 95^12         5×10^23
16 chars: alphanumeric                 62^16         5×10^28

Restricted data includes:
- Social Security Number
- Driver's license # or state ID #
- Financial account number (credit/debit) and

  access code/password
- DNA profile (Statute 939.74)
- Biometric data
In the US, HIPAA protects: health status, treatment, or payment.

Symptoms of an infected computer:
- Antivirus software detects a problem
- Pop-ups suddenly appear (may sell security software)
- Disk space disappears
- Files or transactions appear that should not be there
- System slows down to a crawl
- Unusual messages, sounds, or displays on your monitor
- Stolen laptop (1 in 10 laptops is stolen during its lifetime)
- Your mouse moves by itself
- Your computer shuts down and powers off by itself
- Often not recognized at all

Spyware symptoms:
- Change to your browser homepage/start page
- Ending up on a strange site when conducting a search
- System-based firewall is turned off automatically
- Lots of network activity while you are not particularly active
- Excessive pop-up windows
- New icons, programs, favorites which you did not add
- Frequent firewall alerts about unknown programs trying to access the Internet
- Bad/slow system performance

Defense in depth uses multiple layers of defense to address technical, personnel and operational issues.

Anti-virus
- Anti-virus software detects malware and can destroy it before any damage is done.
- Install and maintain anti-virus and anti-spyware software.
- Be sure to keep anti-virus software updated.
- Many free and paid options exist.

Firewall
- A firewall acts as a wall between your computer/private network and the internet.
- Hackers may use the internet to find, use, and install applications on your computer. A firewall blocks unsolicited inbound connections to your computer.
- Filters packets that enter or leave your computer.

Patches
- Microsoft regularly issues patches or updates to solve security problems in its software. If these are not applied, your computer is left vulnerable to hackers.
- The Windows Update feature built into Windows can be set up to automatically download and install updates.
- Avoid logging in as administrator for day-to-day work.

Building a good password from a bad one

Bad password: Merry Christmas

Techniques, with the slide's examples:
- Lengthen: MerryChrisToYou
- Abbreviate: Merry Xmas, MerryJul, MerChr2You
- Synonym: MaryJul, Glad*Jes*Birth, Mary*Jul
- Intertwine letters: MXemrays
- Convert vowels to numeric: M5rryXm1s
- Keypad shift (right: ,stuzc,sd; up: Jq46Sjqw)
- Vary the case: mErcHr2yOu

Good passwords shown: MXemrays, MerChr2You, mErcHr2yOu, Glad*Jes*Birth, M5rryXm1s, ,stuzc,sd, Jq46Sjqw, Mary*Jul

More ways to build one:
- Combine 2 unrelated words: Mail + phone
- Abbreviate a phrase: "My favorite color is blue" = Mfciblue
- Music lyric: "Happy birthday to you, happy birthday to you, happy birthday dear John, happy birthday to you." = hb2uhb2uhbdJhb2u

Caveat: vowel-to-digit substitution, case changes and keypad shifts are standard mangling rules in password-cracking tools, so a transformed dictionary word is weaker than its mix of character classes suggests. Length and unrelated words add the most strength.

Never use admin, root or administrator as the login name for the admin account.
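The following checker is an added example and is not part of the original slides. It applies the rules this training states (at least 8 characters, 3 of 4 character classes, no dictionary words, not guessable in under a week) and estimates brute-force time at the 2.6×10^18 guesses/month rate the cracking table above assumes, then runs the slide's own bad and good examples through it. The toy word list, the leet-undo table and the candidate passwords are constructed for illustration; a real checker would load a full dictionary and a breached-password list.

```python
"""Check a candidate password against the rules given in this training
and estimate the brute-force time at the rate the slide table assumes.

Added example, not from the original slides. The word list and the
candidate passwords below are constructed for illustration.
"""
import re
import string

GUESSES_PER_MONTH = 2.6e18               # rate assumed by the slide's table
MINUTES_PER_MONTH = 30.44 * 24 * 60      # average month, in minutes

# Toy dictionary (constructed). The slide refers to an ~80,000-word
# American dictionary; load one from a file for real use.
DICTIONARY = {"merry", "christmas", "xmas", "happy", "birthday", "password",
              "mary", "blue", "color", "mail", "phone", "admin", "root"}

# Character classes and their sizes: 26 + 26 + 10 + 33 = 95, the slide's
# "all keyboard" alphabet (printable ASCII including space).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation) | {" "},
}
ASCII_PRINTABLE = set().union(*CLASSES.values())

# Undo "convert vowels to numeric" and similar leet substitutions before
# looking for dictionary words (cracking tools apply the same rules).
LEET = str.maketrans("013457@$!", "oieastasi")


def classes_used(pw):
    """Names of the character classes that appear in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def alphabet_size(pw):
    """Size of the smallest standard alphabet covering pw (26, 52, 62, 95...).
    This is the base of the 'Calculation' column in the slide's table."""
    size = sum(len(CLASSES[name]) for name in classes_used(pw))
    if any(c not in ASCII_PRINTABLE for c in pw):
        size = max(size, 95)   # non-ASCII: assume at least the full keyboard set
    return size


def keyspace(alphabet, length):
    """Number of strings of the given length over an alphabet of that size."""
    return alphabet ** length


def time_to_guess_minutes(space, rate_per_month=GUESSES_PER_MONTH):
    """Worst-case time to exhaust a keyspace, in minutes."""
    return space / rate_per_month * MINUTES_PER_MONTH


def time_to_guess_years(space, rate_per_month=GUESSES_PER_MONTH):
    """Worst-case time to exhaust a keyspace, in years."""
    return time_to_guess_minutes(space, rate_per_month) / (MINUTES_PER_MONTH * 12)


def dictionary_words(pw):
    """Dictionary words found in pw after undoing leet substitutions."""
    tokens = re.findall(r"[a-z]+", pw.lower().translate(LEET))
    found = set()
    for tok in tokens:
        if tok in DICTIONARY:
            found.add(tok)
        # also catch words of 4+ letters glued to other text, e.g. "merryxmas"
        found.update(w for w in DICTIONARY if len(w) >= 4 and w in tok)
    return found


def evaluate(pw, min_length=8, min_classes=3, max_crack_days=7):
    """Apply the training's rules. Returns (ok, list of reasons for rejection)."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    used = classes_used(pw)
    if len(used) < min_classes:
        reasons.append(f"uses {len(used)} character class(es); need {min_classes}")
    words = dictionary_words(pw)
    if words:
        reasons.append("contains dictionary word(s): " + ", ".join(sorted(words)))
    minutes = time_to_guess_minutes(keyspace(alphabet_size(pw), len(pw)))
    if minutes < max_crack_days * 24 * 60:
        reasons.append(f"brute-forceable in about {minutes:.0f} minutes at the assumed rate")
    return (not reasons, reasons)


if __name__ == "__main__":
    # The slide's own bad and good examples.
    for candidate in ["Merry Christmas", "Merry Xmas", "M5rryXm1s", "MerChr2You",
                      "Glad*Jes*Birth", "hb2uhb2uhbdJhb2u"]:
        ok, why = evaluate(candidate)
        print(f"{candidate!r}: {'OK' if ok else 'REJECT'} {'; '.join(why)}")
```

Run stand-alone it prints a verdict per candidate. Two things it shows that the slides do not: at the table's rate every 8- or 9-character alphanumeric password, including the slide's M5rryXm1s, is exhausted in minutes, so only the 12-character and longer rows satisfy the "not guessable in less than one week" rule that follows; and because the leet-undo step mirrors what cracking tools do, "Merry Xmas" with digits swapped in is still caught as dictionary words, while MerChr2You and the birthday lyric pass.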

A good password is:
- private: used and known by one person only
- secret: does not appear in clear text in any file or program, or on a piece of paper pinned to the terminal
- easily remembered: so there is no need to write it down
- at least 8 characters and complex: a mixture of at least 3 of the following: upper case letters, lower case letters, digits and punctuation
- not guessable by any program in a reasonable time, for instance less than one week
- changed regularly: the slide's policy is every 3 months (current NIST guidance, SP 800-63B, instead recommends changing a password when compromise is suspected rather than on a fixed schedule)

Beware that someone may see you typing it. If you accidentally type your password instead of your login name, it may appear in system log files.

Email and downloads
- Do not open email attachments unless you are expecting the email with the attachment and you trust the sender.
- Do not click on links in emails unless you are absolutely sure of their validity.
- Only visit and/or download software from web pages you trust.

- Always use a secure, up-to-date browser for online activities.
- Frequently delete temp files, cookies, history, saved passwords etc.
- https:// in the address bar means the connection to the site named in the certificate is encrypted; it does not mean the site itself is trustworthy, since phishing sites use https too.
- No security measure is 100%.

Backups: what information is important to you? Is your backup:
- Recent?
- Off-site and secure?
- Process documented?
- Tested?
- Encrypted?

Internal fraud
- Organizations lose 5-6% of revenue annually to internal fraud = $652 billion in the U.S. (2006).
- The average scheme lasts 18 months and costs $159,000.
- 25% of schemes cost more than $1M.

- Smaller companies suffer greater average dollar losses than large companies.
(Chart: Internal fraud recovery; categories: $0 recovered, recovery <= 25%, substantial recovery.)
Source: Essentials of Corporate Fraud, T. L. Coenen, 2008, John Wiley & Sons.

(Chart: How fraud is discovered, %; categories: tip, by accident, internal audit, internal controls, external audit, notified by police.)
- Tips are the most common way fraud is discovered.
- Tips come from: employees/coworkers 64%, anonymous 18%, customers 11%, vendors 7%.
Source: Essentials of Corporate Fraud, T. L. Coenen, 2008, John Wiley & Sons.

If you notice possible fraud, CONTACT: ??????????

Additional slides to insert (speaker notes):

- How is information security confidentiality to be handled? Show a table of how information confidentiality is categorized and treated.
- Are there specific legal actions all employees should be concerned with?
- Physical security: how are the rooms laid out and how is security handled?
- Handling information at home on a home computer: any special restrictions?
- On the fraud slide, specify the contact if fraud is suspected.

These are best practices involving information security. Most of these practices are from the National Institute of Standards and Technology.

Use these practices at home and at work to keep safe and secure. Employers have policies and procedures regarding secure practices. Be sure to understand them and adhere to them. It will protect you, your employer and your customers.
