Fermilab Computer Security Awareness Day November 2012 Basic Computer Security.


Fermilab Computer Security Awareness Day November 2012

Basic Computer Security


Why Computer Security?


Fermilab is an attractive target

It is constantly being scanned for weak or vulnerable systems; new unpatched systems will be exploited within minutes.

High network bandwidth is useful for attackers who take over lab computers

Publicity value of compromising a .gov site

Attackers may not realize we have no information useful to them


Why Computer Security?

To establish good computing habits

Attacks on users (rather than systems) becoming more frequent

It is easier to trick a user than to break into a system


Why Computer Security?

Security depends on everyone, from management, to system administrators, to developers, to users, etc.

As mentioned, phishing attacks are more prevalent

Three DOE labs taken offline in 2011 due to phishing attacks

A chain is only as strong as its weakest link

Integrated Security Management

Part and parcel of everything you do with computers
○ Like safety, security is part of everyone’s responsibility

Not “one-size-fits-all” but appropriate for the needs and vulnerabilities of each system - in most cases, it is simply common sense + a little information and care


Spam Spam Spam

Everyone gets spam all the time

In 2007, it was estimated that 85% of incoming email was “abusive email”

A 2010 survey of US and European email users showed that 46% of recipients opened spam messages and 11% clicked on a link


From Spam to Scams

Nothing new – attempts by criminals to defraud you

Direct monetary gain is primary motive

Never reply to them!

Classic examples:
○ Winning the lottery (which you never entered)
○ Dignitary wanting to give you millions of dollars from his/her country.
○ Parcel mule scams


The Hitman Bribe Scam


From Scams to Phishing

One of the most common email attacks

Fools user into giving up information

Eventual monetary gain is a large motive but there are others

Primary types of phishing:
○ Harvesting information
○ Controlling your computer via malicious links
○ Controlling your computer via malicious attachments

Let’s take a look at some examples


Email: Phishing

Do any red flags jump out?

How about sender’s email address or what they are requesting?

Sometimes things are trickier than they seem – let’s look at another example.


Link goes to:


Email: Phishing

Phishing may be sophisticated and appear genuine:
○ It may be addressed to specific individuals only
○ It may be on topic with what the individuals work with
○ The sender may be forged to appear from a coworker of those individuals

“Spear phishing”


What to do?

The purpose of sending spam or phishing generally comes down to money (now or eventually):
○ Obtaining bank account information
○ Obtaining login credentials
○ Your machine becomes compromised and becomes a member of a botnet
○ Your email account compromised to send more spam.

Be careful about what you click on and what you reply to!


What to do?

If after reading an e-mail you think it is a phishing attack or scam, simply delete the message. Here are some indications that an e-mail is an attack.

Be suspicious of any e-mail that requires immediate action or creates a sense of urgency.

Be suspicious of e-mails addressed to “Dear Customer” or some other generic salutation.

Be suspicious of grammar or spelling mistakes; most businesses proofread their messages very carefully.


What to do?

If a link in an e-mail seems suspicious, hover your mouse over the link. This (usually) will show you the true destination where you would go if you actually clicked it. The link that is written in the e-mail may be very different than where it will actually send you.

Do not click on links. Instead copy the URL from the email and paste it into your browser. Even better is to simply type the destination name into your browser. For example, if you get an email from UPS telling you your package is ready for delivery, do not click on the link. Instead, go to the UPS website and then copy and paste the tracking number.


What to do?

Be suspicious of attachments; only open attachments that you were expecting.

Just because you got an e-mail from your friend or coworker does not mean they sent it. Her/his computer may have been infected or their account may have been compromised, and malware is sending the e-mail to all of your friend’s contacts. If you get a suspicious email from a trusted friend or colleague, call them to confirm that they sent it.


What to do?

Ultimately, using e-mail safely is all about common sense.

If something seems suspicious or too good to be true, it is most likely an attack. Simply delete the e-mail.


What to do?

Fermilab personnel will NEVER ask you for your password.

Most outside companies/services should NOT either.


Social Engineering

Not every method of getting you to give up electronic data is electronic.

Phone calls

In person

Or physical media


One more thing about personal info

Protecting Personal Information at Fermilab course

If you handle Personally Identifiable Information, you may need to take the Advanced PII course

Be cognizant of how personal, sensitive, or financial information is being transmitted (e.g., general email, etc.)


Browsing the web

We know that clicking a link in an email can be bad – this applies to general web browsing as well.

The primary difference is how an attacker might target you.


Browsing the web

Use a modern browser on a current operating system

Since many use a web browser to read email, the same rules apply (e.g., be suspicious of attachments, etc.)!

Don’t click on pop-up advertisements

Be careful of web sessions involving personal or financial data.


Browsing the web

Use common sense …

Watch where you browse (note the “web environment”).

Be extra careful if you have administrative privileges.


Browsing the web

What happens if you see the following screen when browsing the web at Fermi?


Browsing the web

Please do not click on Accept!

Contact the Service Desk if you feel this is in error.

If you see a similar message pop up on your machine by itself without having clicked on anything, please contact the Service Desk.


Incidental Computer Usage

Fermilab permits some non-business use of lab computers

Guidelines are at http://security.fnal.gov/ProperUse.htm

This is pretty much common sense


The top 10 worst Internet passwords:

Source: Splashdata


Passwords

When you are typing a password for some reason (e.g., logging in to a service) – ask yourself what does this have access to?

2012 was a year for major password breaches:
○ LinkedIn
○ eHarmony
○ LastFM
○ Formspring

What if you used the same passwords everywhere?


Passwords

Always choose a complex password

The lab has a password policy that’s enforced, so it’s difficult to choose a weak Fermi password, however:

Differentiate your passwords – don’t use the same passwords for Fermi services as personal services.

Fermi’s Kerberos, Windows, and Services passwords should all be different as well.

Change them periodically (yes, even passwords to personal accounts).


Fermilab and Central Authentication

All use of lab computing services requires central authentication

Avoid disclosure of passwords on the network

No network services (logon or read/write ftp) visible on the general internet can be offered without requiring the strongest authentication, currently Kerberos (unless a formal exemption is applied for and granted)

Kerberos provides a single sign in, minimizing use of multiple passwords for different systems

Lab systems are constantly scanned for violations of this policy


Remember:

Fermilab personnel will NEVER ask you for your password.

Most outside companies/services should NOT either.


What happens if you notice a Computer Security incident?

Mandatory incident reporting

Report all suspicious activity:
○ If urgent to the Service Desk, x2345, 24x7
○ Or to system manager (if immediately available)
○ Non-urgent to [email protected]

Incidents investigated by Fermi Incident Response

Not to be discussed!


Fermi Incident Response

Investigate (“triage”) initial reports

Coordinate investigation overall

Work with local system managers

Call in technical experts

May take control of affected systems - for an undetermined amount of time

Maintain confidentiality


Perimeter Controls

Certain protocols are blocked at the site border (email to anything other than lab mail servers; web to any but registered web servers; other frequently exploited services)

Temporary (automatic) blocks are imposed on incoming or outgoing traffic that appears similar to hacking activity; these blocks are released when the activity ceases (things like MySpace and Skype will trigger autoblocker unless properly configured)


Patching and Configuration Management

Baseline configurations exist for each major operating system (Windows, Linux, Mac)

All systems must meet the baseline requirements and be regularly patched (in particular running an up-to-date supported version of the operating system) UNLESS:
○ A documented case is made as to why the older OS version cannot be upgraded
○ Documentation exists to demonstrate that the system is patched and managed as securely as baseline systems
○ All non-essential services (such as web servers) are turned off

All systems with Windows file systems must run anti virus

Your system administrator should take care of this for your desktop


Critical Vulnerabilities and Vulnerability Scanning

Certain security vulnerabilities are declared critical when they are (or are about to be) actively exploited and represent a clear and present danger

Upon notification of a critical vulnerability, systems must be patched by a given date or they will be blocked from network access

This network block remains until remediation of the vulnerability is reported to the TISSUE security issue tracking system (as are blocks imposed for other security policy violations)


Prohibited Activities

“Blatant disregard” of computer security

Unauthorized or malicious actions
○ Damage of data, unauthorized use of accounts, denial of service, etc., are forbidden

Unethical behavior
○ Same standards as for non-computer activities

Restricted central services
○ May only be provided by approved service owners

Security & cracker tools
○ Possession (& use) must be authorized

See http://security.fnal.gov/policies/cpolicy.html


Activities to Avoid

Large grey area, but certain activities are “over the line” –
○ Illegal
○ Prohibited by Lab or DOE policy
○ Embarrassment to the Laboratory
○ Interfere w/ performance of job
○ Consume excessive resources

Example: P2P (peer to peer) software like Skype and BitTorrent: not explicitly forbidden but very easy to misuse!


Questions?

[email protected] for questions about security policy

[email protected] for reporting a security incident

http://security.fnal.gov/