Information Security Awareness
description
Transcript of Information Security Awareness
Information Security Awareness
The Need for Information Security In Small Businesses
• In United States, small businesses make up 95% of all businesses.
• These small businesses produce 50% of all the Gross National Products (GNP) and provide 50% of all new jobs in the country.
• All the large scale businesses employ people, technology and resources to make all activities secure. This leads cyber criminals to attack less secure small businesses.
• The average cost of informing a customer about a security breach that happened in your organization is well over $130. This means that if you have a client base of 1000 and a security breach takes place, you would end up in spending more than $1,30,000.
2008 CSI/FBI Computer Crime and Security Survey
• The most expensive computer security incidents are those involving financial fraud, with an average loss of $500,000.
• Frequency of occurrence :– Viruses 49%– Insider abuse of the network 44%– Theft of laptops and mobile devices 42%
The Problem of Network Security• The Internet allows an attacker to attack from anywhere in the
world from their home desk.• They just need to find one vulnerability: a security analyst need
to close every vulnerability.• According to www.SANS.org , the top vulnerabilities available for
a cyber criminal are – Web Browser– IM Clients– Web Applications– Excessive User Rights
Computer Virus• A virus attaches itself to a program,
file, or disk• When the program is executed, the
virus too is executed• When the program is given away
(floppy/email) the virus spreads• The virus may be benign or malignant
but executes its load pay at some point (often upon contact)
• Viruses result in crashing of computers and loss of data.
• In order to recover/prevent virus attacks:
– Security Firewalls i.e. Comodo– Re-install operating system– Virus Protection.
• Freeware i.e. Avast Antivirus, AVG
Cough Cough!Don’t come
close!
ProgramA
Extra Code
ProgramA
infects
WormIndependent program which replicates itself and sends copies from computer to computer across network connections. Upon arrival the worm may be activated to replicate.
Logic BombTrojan Horse
Logic Bomb: Malware logic will execute upon certain conditions. It is used for more legitimate reasons but could be used for nefarious purposes.
• Software which will malfunction if maintenance fee is not paid• Employee triggering a database erase when he is fired.Trojan Horse: Malware has malicious purpose in addition to functional
purpose• Social Engineering: “Try this game…it is so cool”
– Game also emails password file.– The word Trojan war has a piece of history attached to it. (In Greek mythology, the Trojan
War was waged against the city of Troy by the Achaeans (Greeks) after Paris of Troy stole Helen from her husband Menelaus, the king of Sparta. )
– More importantly, a large horse was given as a gift/peace offering and allowed inside the gates of the fortress and once inside enemy soldiers exited and defeated them. The moral being that you should beware of gifts that look too good.
Phishing (Fake Email)
• Phishing is portraying yourself as a trustworthy entity by an e-mail and asking for sensitive information such as SSN, credit card numbers, login IDs and passwords.
• Recent example that was in news : 10,000 Hotmail passwords revealed by a user on PasteBin. Believe it not, the password that was used the most was “123456” (a total of 64 times).
Pharming (Fake web pages)
Pharming : An Example
The link provided in the e-mail leads to a fake webpage which collects all the important information and submits it to the owner.
CrackersCracker:Computer-savvy programmer createsattack software
Script Kiddies:Know how toexecute programs
Hacker Bulletin BoardSql Injection
Buffer overflowPassword Crackers
Password Dictionaries
Successful attacks!Crazyman broke into …CoolCat penetrated…
Criminals:Create & sell bots -> spamSell credit card numbers,…
System AdministratorsSome scripts are usefulto protect networks…
Malware package=$1K-2K1 M Email addresses = $810,000 PCs = $1000
Social Engineering
This is John, the System
Admin. What is your
password?
Email:
ABC Bank has
noticed a
problem with
your account…I have come
to repair your
machine…and have some
software patches
What ethnicity are you? Your
mother’s maiden name?
Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access.
How easy social engineering attacks are : An example
Hacking NetworksWar Driving: • Can I find a wireless network?War Dialing: • Can I find a modem to connect to?• What IP addresses exist, and what
ports are open on them?• What versions of software are
implemented on devices?
Man-In-The-Middle AttackMan in the middle attacks occur when an attacker pretends to be your final destination on the network. As in the figure, if a person is trying to connect to a specific web server, an attacker can mislead him to his computer, pretending to be that web server. MITM also result in spoofing.
Root Kit
Root Kit• Upon penetrating a computer,
a hacker installs a root kit• May enable:
– Easy entrance for the hacker (and others)
– Keystroke logger• Eliminates evidence of break-
in• Modifies the operating system• Example : Sony BMG CD
Protection scandal.
Backdoor entry Keystroke Logger Hidden user
Password Cracking:Dictionary Attack & Brute Force
Pattern Calculation
Result Time to Guess(2.6x1018/month)
Personal Info: interests, relatives 20 Manual 5 minutesSocial Engineering 1 Manual 2 minutes American Dictionary 80,000 < 1 second4 chars: lower case alpha 264 5x105
8 chars: lower case alpha 268 2x1011
8 chars: alpha 528 5x1013
8 chars: alphanumeric 628 2x1014 3.4 min.
8 chars alphanumeric +10 728 7x1014 12 min.
8 chars: all keyboard 958 7x1015 2 hours
12 chars: alphanumeric 6212 3x1021 96 years
12 chars: alphanumeric + 10 7212 2x1022 500 years
12 chars: all keyboard 9512 5x1023
16 chars: alphanumeric 6216 5x1028
Dictionary Attack & Brute Force : How easy it is!
Creating a Good PasswordMerry ChristmasBad
Password
Good Password
Merry Xmas
mErcHr2yOu
MerryChrisToYou
MerChr2You
MerryJul
MaryJul
Mary*Jul,stuzc,sd Jq46Sjqw
(Keypad shiftRight …. Up)
(Abbreviate)
(Lengthen)
(convert vowelsto numeric)
M5rryXm1s
MXemrays
(IntertwineLetters)
GladJesBirth
(Synonym)
Creating A Good Password
Combine 2 unrelated words
Mail + phone = m@!lf0n3
Abbreviate a phrase My favorite color is blue=Mfciblue
Music lyric He was a scrawny calf, who looked rather woozyNo one suspected he was packing an UziCows with guns=Hwascwlrwnoshwpaucwg
Good Practicesto Prevent Attacks
Security: Defense in Depth• Defense in depth is a strategy to place multiple layers of defense on a system
to address all the technical, personnel and operational issues.
• It is an approach conceived by NSA in order to ensure information and electronic security.
Protected Computer is…
Computer fortified against attackers
• Applications turned off• Operating system patched• Security configuration
tightened– Authorization– Authentication– Physical Access
• Using appropriate measures to stop malware, viruses, worms.
A Firewall is a Filter
A firewall, as the name suggests acts as a wall between your computer/private network and the internet. There are all sorts of things on the internet that include malicious content. A firewall only lets “good” content to pass through and blocks the malicious code.
Attacking the Network
The Internet
Web Pages
Private Network
Border Router/Firewall
Router/FirewallWLAN
How could access control be improved?
Protecting the Network
The Internet
De-MilitarizedZone
Private Network
Border Router: Packet Filter
Bastion Hosts
Proxy server firewallWLAN
Password Recommendations• Change the default passwords on firewalls• Never use ‘admin’ or ‘root’ or ‘administrator’ as a login for the admin
– Use a software firewall on each computer system, with antivirus & antispyware.• A good password is:
– private: it is used and known by one person only – secret: it does not appear in clear text in any file or program or on a piece of paper pinned
to the terminal – easily remembered: so there is no need to write it down – at least 8 characters– a mixture of at least 3 of the following: upper case letters, lower case letters, digits
and punctuation– not guessable by any program in a reasonable time, for instance less than one week.
Why you must change passwords• Even if you choose a good password, it can still be discovered: someone may see
you typing it or capture it by snooping on the computer or network. If you accidentally type your password in place your login name, it may appear in system log files
Patching/Updates• Microsoft regularly issues patches or updates to solve security problems in
their software. If these are not applied, it leaves your computer vulnerable to hackers.
• The Windows Update feature built into Windows 98, Me, NT, 2000, XP, Vista and Windows 7 can check your PC against a common database of patches
• More recent versions of windows have an Automatic Update feature
Combat Viruses• Maintain Operating System Updates• Install anti-virus, anti-spyware software
There are many freeware and paid options available in the market.• Beware of opening unknown attachments• Do not open email on your main server• In case you are infected with a virus there are various options
available : system restore, virus removal tool, re-install OS.
Wisconsin 134.98Data Breach Notification Law
Restricted data includes:• Social Security Number• Driver’s license # or state ID #• Financial account number (credit/debit) and
access code/password• DNA profile (Statute 939.74)• Biometric dataNational HIPAA protects:• Health status, treatment, or payment
Combat Information Theft• What information is valuable to you?• Who has access to that information? • Is your back-up:
Recent?Off-site & Secure?
Not with your System Administrator?Process Documented?
Tested?Encrypted?
Recognizing a Break-in or Compromise
Symptoms:• Antivirus software detects a
problem• Pop-ups suddenly appear
(may sell security software)• Disk space disappears• Files or transactions appear
that should not be there• System slows down to a
crawl• Stolen laptop (1 in 10 stolen
in laptop lifetime)• Often not recognized
Problem:• Many computer affected
at once; all must be reloaded
• Law: Personally Identifiable Information disclosed: Must notify individual
• Accepted figures: – $200/record tangible cost– $6.3M per Breach
(Ponemon Institute)
Security Audit
Our Network Security Class will:• Audit your server or network for security holes• Talk to you about secure computer network
policies
• Train your System Administrator
Class expected to run Fall ’10