CYBER SECURITY 101
Originally presented by Steve Andrews
Systems Administrator
Southwest Kansas Library System
Janelle Mercer
Technology Trainer
Southwest Kansas Library System
NECESSARY KNOWLEDGE 2017
NORTH CENTRAL KANSAS LIBRARY SYSTEM
• Data Privacy Day is January 28th
https://staysafeonline.org/data-privacy-day/about
• October is National Cyber Security Awareness Month
https://www.dhs.gov/national-cyber-security-awareness-month
BRUCE SCHNEIER – SCHNEIER ON SECURITY
• I am regularly asked what average Internet users can do to ensure their safety. My first answer is usually, “Nothing – you’re screwed.”
• But that's not true, and the reality is more complicated. You're screwed if you do nothing to protect yourself, but there are many things you can do to increase your security on the Internet.
• Bruce Schneier CNET News.com December 9, 2004 -
https://www.schneier.com/essays/archives/2004/12/who_says_safe_comput.html
DATA BREACHES
• http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
• https://www.privacyrights.org/data-breaches
• https://haveibeenpwned.com/PwnedWebsites
KNOW YOUR ANTIVIRUS
TEST FILE: HTTP://WWW.EICAR.ORG/85-0-DOWNLOAD.HTML
AV ALERT - VIPRE
ANTIVIRUS PROGRAMS ARE NOT BULLET-PROOF
• User actions can circumvent antivirus programs
• Bad Actors (virus creators) are constantly working to circumvent AV products
• Too many attack vectors to cover
• The end of the Anti-Virus era?
• http://www.computerworld.com/article/3146996/malware-vulnerabilities/is-antivirus-software-dead-at-last.html
ZERO-DAY VULNERABILITY
• A zero-day attack happens once that flaw, or software/hardware vulnerability, is exploited and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability—hence “zero-day.”
UPDATING YOUR DEVICES
COMPUTERS, PHONES, TABLETS, LAPTOPS, ROUTERS, IOT (INTERNET OF THINGS) STUFF
INTERNET OF THINGS (IOT)
http://www.businessinsider.com/what-is-the-internet-of-things-definition-2016-8?IR=T
https://www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-understand/#274c71f1d091
Fitbit, Amazon Echo
THE IMPORTANCE OF UPDATES
• Operating System (Windows, OS-X, Android, etc.)
• Applications (Adobe Reader, Office, WordPress, etc.)
• Web Browsers (Chrome, Firefox, etc.)
• Platforms, Plugins, Programming Languages
• Java
• Flash
• Antivirus Programs
Java
FLASH
ELECTRONIC MAIL
EMAIL PIVOT ATTACKS
SENSITIVE DATA IN EMAILS
• Account Login credentials (username & password)
• SSN
• Birthday
• Address
• Phone numbers
GENERAL EMAIL TIPS
• Email clients (local i.e. Outlook) vs web-based email
• Deleting old e-mails
• Message retention - someone with ten years' worth of data to dig through is naturally going to reveal more about themselves than someone who only has six months of messages.
• Password hints could be scraped (high school reunion, mother’s maiden name, etc.)
• Beware of unsolicited email
• Never click on links from unknown senders
• Never open attachments from unknown senders
• Be cautious of password reset emails
• URL shorteners
• http://getlinkinfo.com/
CHECK THE EMAIL HEADER
PHISHING
PHISHING PART DEUX
NETFLIX PHISH
• Email telling you your Netflix account has been suspended due to a problem with your billing information.
• Link in email takes you to landing page that looks like Netflix.
• Asks you to enter in username, password. Takes you to page to enter credit card information. Some versions have asked for other personal information.
• https://www.wired.com/story/netflix-phishing-scam/
SUBJECT: FEDEX TRACKING NUMBER N4815347
• From: "Fedex Manager, Willis Grabinger"
• Dear. Unfortunately we failed to deliver the postal package you have sent on the 27th of July in time because the recipient's address is erroneous. Please print out the invoice copy attached and collect the package at our office. * This site is protected by copyright and trademark laws under US and International law.
• ATTACHMENT: FEDEXInvoiceEE057100OP.zip
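A small checker for the red flags the "Check the email header" slide and the FedEx lure above point at: a From domain that differs from the Return-Path envelope domain, link text that names one site while the href points at another, and a .zip attachment. This is an added example, not material from the presentation; the sample message and every address, host name and link target in it are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the FedEx lure in the slides; every
# address, host name and the link target below is made up (example.* names).
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer.example.net>
From: "Fedex Manager, Willis Grabinger" <support@fedex-notice.example.com>
Subject: FEDEX TRACKING NUMBER N4815347
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<p>Please print out the <a href="http://tracker.example.net/inv">www.fedex.com/invoice</a> copy attached.</p>
--B
Content-Type: application/zip; name="FEDEXInvoiceEE057100OP.zip"
Content-Disposition: attachment; filename="FEDEXInvoiceEE057100OP.zip"

(zip bytes omitted in this constructed sample)
--B--
"""

RISKY_EXT = (".zip", ".exe", ".js", ".scr", ".jar")   # common lure attachment types
HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(addr_or_url):
    # Reduce a mailbox, URL or bare host to its last two labels (e.g. example.net)
    host = addr_or_url.rsplit("@", 1)[-1]
    host = re.sub(r"^https?://", "", host).split("/")[0].lower()
    return ".".join(host.split(".")[-2:])

def analyze(raw):
    # Return a list of red flags: envelope/From mismatch, deceptive links, risky attachments
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_addr = parseaddr(msg["From"])[1]
    ret_addr = parseaddr(msg.get("Return-Path", from_addr))[1]
    if domain_of(from_addr) != domain_of(ret_addr):
        findings.append(f"From domain {domain_of(from_addr)} differs from Return-Path domain {domain_of(ret_addr)}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            findings.append(f"risky attachment: {name}")
        if part.get_content_type() == "text/html":
            for href, inner in HREF_RE.findall(part.get_content()):
                shown = re.sub(r"<[^>]+>", "", inner).strip()   # visible link text
                if "." in shown and domain_of(shown) != domain_of(href):
                    findings.append(f"link text {shown!r} points to {domain_of(href)}")
    return findings
```

Run `analyze(SAMPLE_EMAIL)` to get the three flags for the constructed lure; a message whose From, Return-Path and links agree returns an empty list.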
CRYPTO VIRUS
PHISHING TEST CAMPAIGNS
• Sophos Phish Test - https://www.sophos.com/en-us/products/phish-threat.aspx
• Duo Insight - https://duo.com/resources/duo-insight
BROWSING THE WEB
WEBSITE SECURITY - HTTPS
• Demonstration of https webpage - https://www.bankofamerica.com
• Never enter credentials (login username / password) in unsecured (http) web pages
• Getting a security warning? Check your clock!
• Hover on links before clicking to see where they go
WEBSITE MALWARE
FAKE ANTIVIRUS MESSAGES IN WEB BROWSERS (SCARE-WARE)
EXAMPLES (GOOGLE IMAGE SEARCH)
• Can look very legitimate
• Can contain information such as your ISP or geographic location
• Don’t click on anything!
• Restart computer or Ctl-Alt-Del and end browser process
• Tech Support Scam
• Unsolicited phone calls for tech support
MALVERTISING
• Malicious advertising that spreads malware
• https://blog.malwarebytes.com/threat-analysis/2016/03/large-angler-malvertising-campaign-hits-top-publishers/
• According to Heimdal Security, 90% of web attacks are delivered through advertising
• Consider using an ad-blocker (added bonus: use less bandwidth)
• uBlock Origin
• Adblock Plus
• Ghostery
UNTRUSTED NETWORKS
PUBLIC WI-FI VS. SECURED WI-FI
WIRELESS
• Public Wifi & Default SSIDs
• Cellphones have a bad habit of connecting to WiFi on their own
• Use free / public wifi with extreme caution
• Does your home wifi require a password?
PASSWORDS
GENERAL PASSWORD TIPS
• Don’t use simple passwords
• https://howsecureismypassword.net
• Don’t re-use passwords
• Check for breached credentials
• https://haveibeenpwned.com
• Don’t enter credentials on unsecured web pages (http vs. https)
• Consider using two-factor authentication
GENERAL PASSWORD TIPS
• Password managers (as opposed to sticky notes on your monitor)
• Keepass
• LastPass
• Don’t save critical login info in your browser
• Password hints
DEFAULT PASSWORDS ON EQUIPMENT
• Wireless Routers
• Security / Video Cameras
• Internet of Things (IoT) Devices
• Printers
• IoT botnets have transformed the threat landscape, resulting in a big increase in the size of DDoS attacks from 500Gbps in 2015 up to 800Gbps last year. (DDoS = Distributed Denial of Service)
• Hackers have been able to "weaponise" digital video recorders, webcams and other IoT devices due to inherent security vulnerabilities.
@ YOUR LIBRARY
• Importance of library staff computers (especially circulation) in regards to securing patron data.
• Make sure staff understand that they are handling sensitive information in regards to patron information
• Never let patrons or non-staff persons access secured WiFi
• Ask to see identification from anyone wanting access to staff areas for maintenance or inspection work
• Educate all your staff.
• Including part-time staff, volunteers, and/or subs
BACKUPS
• Be sure your data is being backed up on a regular basis
• Consider air-gapping (isolating) your backup device when not in use
• Test your backups !!!
REVIEW
• Know your Antivirus
• Keep your devices up to date
• Practice safe emailing
• Be careful when browsing the web
• Be mindful of open wifi
• Practice good password use
• Practice good backup techniques
RESOURCES
INFORMATION RESOURCES
• FTC Info - https://www.consumer.ftc.gov/topics/online-security
• KeePass - http://keepass.info/
• Have I Been Pwned - https://haveibeenpwned.com/
• Heimdal Cybersecurity Course - https://cybersecuritycourse.co/
• DHS Toolkit - https://www.dhs.gov/stopthinkconnect-toolkit
• Cybrary - https://www.cybrary.it/
• Tech Support Scams - https://www.consumer.ftc.gov/articles/0346-tech-support-scams
• Sophos Phish Test - https://www.sophos.com/en-us/products/phish-threat.aspx
• Duo Insight - https://duo.com/resources/duo-insight