Information Security in Todays WorldCasey W. OBrienAssociate Professor & Network Technology Program CoordinatorCommunity College of Baltimore County

Protecting Your PC, Privacy and SelfThe minute you dial in to your Internet service provider or connect to a DSL or cable modem, you are casting your computer adrift in a sea of millions of other computers all of which are sharing the world's largest computer network, the Internet. Most of those computers are cooperative and well behaved, but some are downright nasty. Only you can make sure your computer is ready for the experience. Daniel Appleman, Always Use Protection, A Teen's Guide to Safe Computing, (2004 Apress)

Purpose of This DiscussionProvide an overview of:What information security isThe challenges to InfoSecThe latest trendsBest practices to help protect your digital assetsThe need for Information Security professionalsCyberWATCH

What Is Information Security?Process by which digital information assets are protectedTopic areas: Policies and procedures, authentication, attacks, remote access, E-mail, Web, wireless, devices, media/medium, secure architectures, IDSes/IPSes, operating systems, secure code, Cryptography, physical security, digital media analysis

Understanding the Importance of Information SecurityPrevents data theftAvoids legal consequences of not securing informationMaintains productivityFoils cyberterrorismThwarts identity theft

ChallengesA number of trends illustrate why security is becoming increasingly difficult:Speed of attacksSophistication of attacksFaster detection of weaknessesDistributed attacksDifficulties of patching

Latest TrendsIdentity theftMalwarePatch Management failuresDistributed Denial of Service

Latest Trends - Identity TheftCrime of the 21st centuryInvolves using someones personal information, such as social security numbers, to establish bank or credit card accounts that are then left unpaid, leaving the victim with the debts and ruining their credit ratingNational, state, and local legislation continues to be enacted to deal with this growing problem:The Fair and Accurate Credit Transactions Act of 2003 is a federal law that addresses identity theft

Latest Trends - Identity Theft - continuedPhishing is a method used by identity thieves to obtain financial information from a computer userThe word phishing was made up by hackers as a cute word to use for the concept of fishing for informationOne of the most lucrative forms of spammingOften used in conjunction with spoofed Web sites

Latest Trends - Identity Theft - continuedAccording to the Identity Theft Resource Center, a victim of identity theft spends an average of more than 600 hours and $1,400 of out-of-pocket expenses restoring their credit by contacting credit bureaus, canceling credit cards, and negotiating with creditors

Latest Trends - Malicious Software (Malware)Designed to operate without the computer users permissionMay change or destroy dataMay operate hardware without authorizationCan hijack your Web browserMight steal information or otherwise aggravate a computer user or organization

Malware: 2006 at a Glance1 in 91 E-mails is viral (2006); down from 1 in 44 (2005)New Trojans outweigh Windows viruses & worms 4:1

Top 10 Malware Threats in 2006 January-June*W32/Sober-Z: 22.4% (at its peak accounted for 1 in every 13 emails)W32/Netsky-P: 12.2% (hardest hitting virus in 2004)W32/Zafi-B: 8.9%*W32/Nyxem-D: 5.9%W32/Mytob-FO: 3.3%W32/Netsky-D: 2.4%W32/Mytob-BE: 2.3%W32/Mytob-EX: 2.2%W32/Mytob-AS: 2.2%W32/Bagle-Zip: 1.9%Others: 36.3%*Worms

Malware TrendsSpywareKeyloggersRootkitsMobile malwareCombined attack mechanisms

Malware Trends - SpywareAdvertisement-focused applications that, much like computer worms, install themselves on systems with little or no user interactionWhile such an application may be legal, it is usually installed without the users knowledge or informed consentA user in an organization could download and install a useful (often free) application from the Internet and in doing so, unwittingly install a spyware component

Malware Trends Spyware - continuedApart from privacy concerns, the greatest issue presented by spyware is its use of your computers resources and bandwidthThis translates into lost work as you wait for your computer to finish a task, lost time as you slowly browse the Internet, and can even necessitate a call for service by a technicianThe time and money lost while eradicating spyware often exceeds all other forms of malware and spam combined

Malware Trends - KeyloggersUsed to capture users keystrokes:AKA Keystoke LoggingHardware and software-basedUseful purposes:Help determine sources of errors on systemMeasure employee productivity on certain clerical tasks

Malware Trends - RootkitsIs a set of software tools intended to conceal running processes, files or system data, thereby helping an intruder to maintain access to a system while avoiding detectionOften modify parts of the operating system or install themselves as drivers or kernel modulesAre known to exist for a variety of operating systemsAre difficult to detect

Malware Trends - Mobile MalwareIncrease in the number of mobile phone viruses being writtenInsignificant compared to the much larger number of viruses being written which target Windows desktop computers

Malware Trends - Combined Attack MechanismsSpeed at which malware can spread combined w/a lethal payloadSPAM with spoofed Web sitesTrojans installing bot softwareTrojans installing backdoors

Latest Trends - Patch Management FailuresShift towards patching versus testingIn the next few years, it is estimated that 90% of cyber attacks will continue to exploit known security flaws for which a fix is available or a preventive measure known

Latest Trends - Patch Management Failures - continuedWhy? Doesnt scale well and isnt cost-effective:A survey by the Yankee Group found that the average annual cost of patching ranges from $189-$254 per patch for each computerThe cost is primarily a result of lost productivity while the patch is applied and for technician installation costs. Patching costs in large organizations can exceed $50 million per year

Latest Trends - SPAMJanuary 24, 2004 - Bill Gates predicted that spam would be a thing of the past within two years the threat remains aliveNo end in sight:According to Ferris Research, by 2007, the percentage of spam E-mails will increase to 70% of the total E-mail messages sent

Latest Trends - Vulnerability ExploitationOperating system attacks still in vogue:VistaMac OS XIncrease in attacks taking advantage of security holes in other products:Desktop toolsAlternative Web browsersMedia applicationsMicrosoft Office applications

Latest Trends - RansomwareType of malware that encrypts the victims data, demanding ransom for its restorationCryptovirology predates ransomware

Latest Trends - Distributed Denial of Service (DDoS)Use hundreds of infected hosts on the Internet to attack the victim by flooding its link to the Internet or depriving it of resourcesA PC becomes a zombie when a bot, or automated program, is installed on it, giving the attacker access and control and making the PC part of a zombie network, or botnet

Latest Trends - DDoS - continuedOne of the most high profile botnets of 2005 was created by the Zotob worm which achieved worldwide notoriety in August when leading media organizations including ABC, The Financial Times, and The New York Times fell prey to it

Best Practices to Help Protect Your Digital AssetsAnti-virus softwareAnti-spyware softwareWindows and applications updatesSecurity bundlesPersonal firewallsWirelessOther best practices

Anti-Virus SoftwareInstall and maintain anti-virus software. Use the software regularly Microsoft claims that fewer than 30% of all users have up-to-date anti-virus software installedMost AV manufacturers have information and alert pages where you can find "primers" on malware, as well as alerts to the most current threats

Anti-Virus Software VendorsMcAfee: Virus ScanSymantec: Norton Anti-VirusComputer Associates: eTrust EZ AntiVirusTrend Micro: PC-cillianGrisoft: AVG Anti-Virus (freeware)Alwil Software: Avast! AntiVirus (freeware)eset: NOD32 (freeware)

Anti-Spyware SoftwareInstall and maintain anti-spyware softwareUse the software regularly Sunbelt Software: CounterSpyWebroot Software: Spy SweeperTrend Micro: Anti-SpywareHijackThis (freeware)Lavasoft: Ad-Aware SE Personal (freeware)Spybot: Search & Destroy (freeware)Microsoft: Windows Defender (freeware)

Updating Windows and Other ApplicationsMicrosoft Update: Web site where users can download updates for various Windows-related productsFor the most part, its automatedCheck to see its working properlyInstall vendor-specific patches for applications (e.g., iTunes, Google Desktop)

Security BundlesCan include: Anti-virus software, personal firewall software, anti-spyware software, content filtering/parental control, pop-up blockers, anti-spam capabilitiesCan be difficult for the average user to setup:Leads to incorrect configurations providing a false sense of security

Security Bundles - continuedMcAfee: Internet Security SuiteSymantec: Norton Internet SecurityComputer Associates: eTrust EZ ArmorTrend Micro: PC-cillian Internet SecurityZoneAlarm: Internet Security SuiteF-Secure: Internet SecurityMicroWorld: eScan Internet Security SuitePanda Software: Panda Internet SecuritySoftwin BitDefender Professional EditioneXtendia Security Suite

Personal FirewallsSoftware installed on an end-user's PC which controls communications to and from the user's PCPermits or denies communications based on a security policy the user setsUse for handheld devices as well (Airscanner, Bluefire)

Personal Firewall ProgramsZone LabsSymantecs Norton Personal FirewallSunbelts Kerio Personal FirewallTiny Softwares Tiny Personal FirewallMac OS XWindows XP (with Service Pack 2)

Living in a Wireless WorldBy 2007, >98% of all notebooks will be wireless-enabledSerious security vulnerabilities have been created by wireless data technology:Unauthorized users can access the wireless signal from outside a building and connect to the networkAttackers can capture and view transmitted data (including encrypted data) Employees in the office can install personal wireless equipment and defeat perimeter security measures

Wireless Security Best PracticesImplement MAC-address filteringTurn off unnecessary services (telnet, HTTP)Change default SSID/Disable SSID broadcastsChange default channelDisable DHCP on access pointUse encryption (usually not enabled by default on most access pointsChange default admin username and passwordSpecify the number of clients that can connect to the access point

Other Best PracticesWhen not using your PC, turn it offView your E-mail as text only; disable the function that automatically views E-mail as HTMLDo not automatically open attachmentsDo not run software programs of unknown originDelete chain E-mails and junk mail. Do not forward or reply to any of them

Other Best Practices - continuedNever reply back to an E-mail to "unsubscribe" or to remove yourself from an unknown list. This lets the spammers know that they have reached a live E-mail address and your spam mail will increase Back up your critical data and documents regularly thumb drives and CDs are cheap

The Need for Information Security ProfessionalsNo matter how hard we try to do the aforementioned, there will still be the need for information security professionalsInformation security personnel are in short supply; those in the field are being rewarded well

The Need for Information Security Professionals continuedSecurity budgets have been spared the drastic cost-cutting that has plagued IT since 2001Companies recognize the high costs associated with weak security and have decided that prevention outweighs cleanupRegulatory compliance is also driving the need for more qualified professionals

CyberWATCHCybersecurity: Washington Area Technician and Consortium HeadquartersNSF ATE-funded 4 year project that includes community colleges, four-year schools, high schools, local, state, and federal government agencies, and businesses in the Baltimore, Washington D.C., and Northern Virginia regions

CyberWATCH - continuedAddressing the challenges and concerns in education and the business industry:The shortage of security professionalsA perceived lack of business and team-work skills among IT professionalsThe lack of a cybersecurity curriculum at many higher education institutions

CyberWATCH - continuedProfessional development for faculty, high school teachers, students, and staff will benefit populations that are traditionally least likely to major in fields requiring a cybersecurity/information security component

CyberWATCH Getting InvolvedContact Casey OBrien at (410) 780-6139

-Source: http://www.sophos.com/security/top-10/200606summary.html-Source: http://www.sophos.com/security/top-10/200606summary.html-Sober-Z: masqueraded as an email from the FBI or CIA claiming that the recipient is believed to have accessed illegal Websites.-Nyxem-D: (AKA Kama Sutra); spread via email posing as obscene pictures and sex movies.Source: Sophos Security Threat Management Report, 2005Source: Sophos Security Threat Management Report, 2005