Cyber Security for Everybody simple steps for defensive surfing.

Transcript of Cyber Security for Everybody simple steps for defensive surfing.

Page 1: Cyber Security for Everybody simple steps for defensive surfing.

Cyber Security for Everybody

simple steps for defensive surfing

Page 2: Cyber Security for Everybody simple steps for defensive surfing.

Plans for today

• Introduction
• Internet ‘101’
• Steps to prevent cyber crime
  • Keep your PC clean (OS, Browser, security updates)
  • Know about Browser security
  • Never Trust Emails
  • Manage your Passwords Wisely
  • Defensive Online Shopping
  • Mind Open Access Points
• Resources

Page 3: Cyber Security for Everybody simple steps for defensive surfing.

Introduction

• Cyber security is much like real life security, the same rules apply, e.g.:
  • Lock the doors
  • Don’t give away your keys
  • Stay away from dangerous places
  • Don’t talk to strangers
  • Don’t give your contact information to random acquaintances

Page 4: Cyber Security for Everybody simple steps for defensive surfing.

Internet “plumbing” – quick 101

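[Diagram: the browser looks up www.google.com at a DNS Server and receives 174.125.19.103, then exchanges HTTP request(s) and HTTP response(s) with the Web Server; browser plugins are also shown. Steps are numbered 2 to 5.]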

Page 5: Cyber Security for Everybody simple steps for defensive surfing.

What is HTTPS?

[Diagram: HTTP request(s) and HTTP response(s) to and from the Web Server, with SSL.]

Page 6: Cyber Security for Everybody simple steps for defensive surfing.

Protect your PC!

Data source: McAfee; NCSA

• Regularly check OS and S/W patches
• Install anti-virus/spyware/phishing/spam S/W
• Enable Firewalls
• Change H/W default passwords
• Download software only from trusted sources

Update software on a regular basis!

Page 7: Cyber Security for Everybody simple steps for defensive surfing.

Be aware of Browser (in)security

! Browser is on the ‘frontline’ of our Internet adventure

! The HTML pages are not static documents anymore

! Browser scripting is very powerful but also poses a serious security threat

It is possible to stay secure and get maximum features via:

• tuning your browser’s security settings
• regularly clearing your browser’s file caches and cookies
• explicitly logging off your (bank, retail etc.) account as soon as you are done
• using a different browser for ‘adventurous surfing’

Page 8: Cyber Security for Everybody simple steps for defensive surfing.

Don’t trust Emails (and phone calls, too)

! Emails are another ‘door’ to your computer – just like web sites – with the exception that you don’t even have to initiate the action

! Emails are easily faked – including the sender’s name and the reply-to address

! Most emails are easily ‘sniffed’

! Malicious emails are widely used to:
  ! make you give away sensitive information (passwords, bank account numbers, SSN etc.)
  ! infect your computer with viruses
  ! SPAM you

Page 9: Cyber Security for Everybody simple steps for defensive surfing.

‘Phishing’ – the most popular way to steal your valuable data

Page 10: Cyber Security for Everybody simple steps for defensive surfing.

Some ‘Phishing’ examples

Page 11: Cyber Security for Everybody simple steps for defensive surfing.

Fighting phishing…

Page 12: Cyber Security for Everybody simple steps for defensive surfing.

Email: reducing the threat

• Never send sensitive information (e.g.: passwords, SSN, credit card number) via email
• Never open an email attachment if you are not sure about the email’s origin
• Never click on links directly from emails
• (if you clicked) Always pay attention to the address bar to see the real address of the site you are redirected to
• Use anti-phishing tools – toolbars or IE7
• Use different account name and password for your email address
• Keep low profile – use your email address judiciously; use ‘lightweight’ email providers as a substitute

Page 13: Cyber Security for Everybody simple steps for defensive surfing.

Manage your Passwords wisely

! Passwords are often the only way of identifying us
! Passwords can be ‘phished’, stolen, guessed…
! By taking over your password the fraudsters take over your cyber-identity

Minimize the risk by following:

• Avoid simple passwords (never a single word from dictionary!), use special signs, digits, both upper and lower cases
• Use at least 6-10 characters long passwords
• Don’t use password as a super/sub-string of your login name
• Come up with your own password policy
• Don’t use the same password on multiple accounts
• Change your passwords regularly (at least once in 3 months)
• Whenever possible use two-factor authentication
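The checkable rules on this slide can be turned into a small validator. This is an added example, not part of the original slides: `password_problems`, the tiny word list and the substitution table are constructed for illustration, and the default minimum of 10 characters is an assumption that takes the upper end of the slide's 6-10 range.

```python
import re

# Constructed mini word list; a real check would load a full dictionary file.
WORDLIST = {"password", "dragon", "sunshine", "welcome", "monkey"}
# Common look-alike substitutions, undone before the dictionary lookup.
LEET = str.maketrans("013457@$!", "oieastasi")

CLASSES = {
    "lower case": r"[a-z]",
    "upper case": r"[A-Z]",
    "digit": r"[0-9]",
    "special sign": r"[^A-Za-z0-9]",
}

def password_problems(password, login, min_length=10):
    """Return the slide's rules that `password` breaks (empty list = passes)."""
    problems = []
    if len(password) < min_length:  # assumption: upper end of the 6-10 range
        problems.append("too short")
    for name, pattern in CLASSES.items():
        if not re.search(pattern, password):
            problems.append("no " + name)
    pw, user = password.lower(), login.lower()
    # Rule: the password must not contain, or be contained in, the login name.
    if user and (user in pw or pw in user):
        problems.append("super/sub-string of login name")
    # Rule: never a single dictionary word. Strip decoration such as a
    # trailing "1!" and undo look-alike characters before the lookup.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw).translate(LEET)
    if core in WORDLIST:
        problems.append("single dictionary word")
    return problems
```

`Password1!` satisfies every character-class rule and the length rule, yet is still reported as a single dictionary word, which is why the slide lists that rule separately from the others.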

Page 14: Cyber Security for Everybody simple steps for defensive surfing.

Two-factor authentication

There are three universally recognized factors for authenticating individuals:

• ‘Something you know’ (e.g.: password, PIN)
• ‘Something you have’ (e.g.: physical credit card, mobile phone, security token)
• ‘Something you are’ (e.g.: fingerprint, a retinal scan)

A system is said to leverage Two-factor authentication when it requires at least two of the authentication form factors

Two-factor authentication is virtually bullet-proof

Page 15: Cyber Security for Everybody simple steps for defensive surfing.

Defensive Online Shopping

Poorly secured online stores may lose your credit card/financial data!

• Know your online merchant
• Check if the URL you post the sensitive data into uses secure connection
• Don’t provide more information than needed for a transaction
• Keep good records
• Use one-time generated credit card numbers whenever possible

Some online stores may be fake – temporary sites set up to collect your valuable data

Page 16: Cyber Security for Everybody simple steps for defensive surfing.

Defensive Online Shopping on

• Check the feedback - any feedback lower than 98% is a risk
• Carefully read the item's description
• Contact the seller if you have any doubts
• Prefer items under eBay/PayPal cash back protection
• Always prefer paying by PayPal - avoid Instant Cash Transfer Services
• If received Second Chance Offer in the mailbox - always check its validity by logging into your eBay account's inbox
• Be careful with 'unusual' requests coming from other users - most probably it's a fraud

Completely avoid off-eBay transactions

Page 17: Cyber Security for Everybody simple steps for defensive surfing.

Mind Open Access Points

! Web traffic going via non-secure connection is easily readable by anybody else who shares the connection

When setting up your own wireless network at home be sure to turn on the encryption (WPA, not WEP)

When using public access points use VPN (Virtual Private Network) services to encrypt all the traffic –

Page 18: Cyber Security for Everybody simple steps for defensive surfing.

Resources

• Cyber Security Glossary: http://www.staysafeonline.org/basics/glossary.html
• Browsers:
  • IE7 http://microsoft.com/windows/downloads/ie/getitnow.mspx
  • Firefox http://www.mozilla.com/en-US/
  • Safari http://www.apple.com/safari/download/
  • Opera http://www.opera.com/
• Tuning security zones on IE: http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm#security
• Trusted software download site: http://www.download.com/
• Lightweight e-mailbox provider: http://mailinator.com/
• PayPal/eBay security key: http://ebay.com/securitykey or http://paypal.com/securitykey
• PayPal plugin: https://www.paypal.com/us/cgi-bin/webscr?cmd=_vdc-hub
• eBay security tips: http://pages.ebay.com/securitycenter/mrkt_safety.html
• VPN solutions: http://anonymizer.com/, http://hotspotvpn.com, http://publicvpn.com/

Page 19: Cyber Security for Everybody simple steps for defensive surfing.

Final words…

Internet is a cyber-jungle! You are responsible for your own protection!

You can achieve reasonable security by following simple rules!

Any questions?