November 2005Hal Stepp/Melbourne HS. November 2005Hal Stepp/Melbourne HS NETS-T Standards Addressed...

November 2005 Hal Stepp/Melbourne HS


NETS-T Standards AddressedI. Teachers demonstrate a sound understanding of technology operations

and concepts. Teachers: (A) demonstrate introductory knowledge, skills, and understanding of concepts related to technology (as described in the ISTE National Educational Technology Standards for Students); (B) demonstrate continual growth in technology knowledge and skills to stay abreast of current and emerging technologies.

V. Teachers use technology to enhance their productivity and professional practice. Teachers: (A) use technology resources to engage in ongoing professional development and lifelong learning; (B) continually evaluate and reflect on professional practice to make informed decisions regarding the use of technology in support of student learning; (C) apply technology to increase productivity;

VI. Teachers understand the social, ethical, legal, and human issues surrounding the use of technology in PK–12 schools and apply that understanding in practice. Teachers: (A) model and teach legal and ethical practice related to technology use; (D) promote safe and healthy use of technology resources; (E) facilitate equitable access to technology resources for all students.


Objectives• You will understand that computer security

is important, especially for teachers!

• You will learn how to create and safeguard effective passwords.

• You will learn how to detect and counter “social engineering” attacks.

• You will learn how to defend against malicious software attacks.


Overview• Is Security an Issue?• Physical Security

– Esp. Passwords!

• Behavioral Security– Social Engineering

• System Security– “Malware”

• Review• Resources


The Problem in a Nutshell

• Computers don’t LOOK like a threat, so people don’t associate them with danger.


An Idea to Ponder

• If your computer links you to the world…

• …then it also links the world to YOU!


A Sample of What’s in Computers “Out There”


And, the Holy Grail of Personal Info:


The Real Lesson from Katrina

• People are unwilling to spend money or worry about “possible” threats

• Most real protective actions are only taken AFTER a major catastrophe has occurred… …when it’s TOO

LATE!!! AP Photo


That’s where we are with computers…

• We are still in the early years of the Info Age

• The perceived threat is LOW

• The actual threat is VERY, VERY HIGH


Symptoms of a Serious Problem

http://www.informationweek.com/story/showArticle.jhtml?articleID=60402074



http://www.informationweek.com/showArticle.jhtml;jsessionid=QQXYNNLZFDL1IQSNDBCSKH0CJUMEKJVN?articleID=57702643



http://www.informationweek.com/story/showArticle.jhtml;jsessionid=1WJUEBQ0ZLCUWQSNDBCSKHSCJUMEKJVN?articleID=60402295


What’s Happened in 2005?

http://www.privacyrights.org/ar/ChronDataBreaches.htm


“There is no such thing as ‘paranoia’ in a combat zone, only a heightened state of awareness.”

- Murphy’s Laws of Combat


3 Levels of Security:

• In order of importance:PhysicalBehavioralSystem


PHYSICAL SECURITY


What’s on YOUR Desktop?

• Grades (GradeQuick)

• Access to Student Info (DSDS)

• Access to Student Records (AS400)

• Access to Employee Pay Info (AS400)

• Access to Your Email– And ability to send email in YOUR name!

• Access to ALL Brevard County Resources


What is Physical Security?• Denying an attacker

PHYSICAL ACCESS to your computer and/or network.

• This is the FIRST and MOST IMPORTANT line of defense!!!


Practicing Physical Security• Make your PC a “no

student zone”.• Arrange classroom so

that keyboard and screen aren’t visible to students.

• Get to know what’s “normal” on and around your computer.


A Physical Security Lapse…


How he did it…


“Worst Practice”• Logging in to your

computer and walking away from it.

• Like leaving your front door unlocked and open.– Not only is your computer at

risk, but you’ve allowed complete network access…

…in your name!


A “Best Practice”• Make a habit: lock the

computer when you’re away.– CTRL + ALT + DEL– “k”

• All programs will stay running.

• To use your computer, just log on the way you normally do.


Your Password• Part of physical

security• Only YOU are

authorized to know it!– Your “key” to the

school’s computer network.

– All transactions done using your username & password belong to YOU!


Password “Don’ts”• If you must write it down,

don’t keep it near, at, on, in, or around your desk.

• Don’t use “easy guess” items, such as:– Birthdays– Your name, or variations

on family names– English words


A VERY Easy Password• Your bank PIN =

4 digit number– 10X10X10X10 =

10,000 combinations– This can be

“cracked” almost instantaneously, if you have access to the right software!


Letters: A Little Harder• 4 letters yield:

– 26X26X26X26 = 456,976 combinations

– This is about 46 times more difficult, but still simple for today’s computers.


Letters: Making it Easier• Problem: Most people

use common English words – Much smaller subset:

20,000 commonly used*– Vulnerable to “Dictionary

Attack”– 23 times easier to crack!– Bottom line: using words

makes hacking easier!

*http://www.wordorigins.org/number.htm


Anatomy of a Good Password• At least 8 characters• Combination of

– Letters (upper AND lower case)

– Numbers– “Special Characters”

• NOT English words• Memorable

– So you won’t need to write it down!


Notice the Improvement• 26+26+10+33 = 95 possible

characters per position.• 95X95X95X95X95X95X95X95=

6,634,204,312,890,625

possible combinations! • Goal: Make it complicated

enough to send would-be hackers on to easier targets!


Make it Memorable!


• Every 90 days– New BCPS requirement!

• In case of possible compromise– Whenever someone

watched with interest as you logged in.

• At the end of each school year.

When to Change Your Password


BEHAVIORAL SECURITY


What is “Social Engineering”?

• The use of psychology to gain unauthorized access to information, a computer, or a computer network.


The Problem• Most people tend

to be:

– Honest

– Law-abiding

– Trusting

– Sympathetic

– Unsuspecting


In Other Words…


Common Features of SE• Refusal to give contact information.• Rushing (“hurry or miss the deal”)• Name-dropping or intimidation• In email: misspellings, grammatical

errors, odd questions.• Appealing to GREED. • Requesting forbidden information. “Look for things that don’t quite

add up.” http://www.securityfocus.com/infocus/1533http://www.securityfocus.com/infocus/1533

http://www.securityfocus.com/infocus/1533


Handling SE Attacks in Person…

“Just say no!”http://www.reaganranch.org/RR_denim.jpg


A Common “SE” Attack• Ever get one of

these?• This is called a

“phishing” attack…

• Legitimate businesses NEVER do this!


Variation on a “Classic”


http://www.secretservice.gov/alert419.shtml


Most Phishing is Foreign…


Shopping/Banking Online…NEVER transmit personal information by non-encrypted means!!!

-Look for https:// in the navigational window.

- There must also be a “lock” symbol in the bottom right hand corner of the screen.


IMPORTANT NOTE!

• An encrypted page does NOT guarantee a legitimate business on the other end, BUT

• …a legitimate business will always have an encrypted page when sensitive information is being handled!


System Security


System Security• Hardware / software

defenses.• You have little to do

with this at work, but it is VERY important at home!!!

• Includes firewalls, antivirus software, and system updates.


Biggest Threat: “Malware”• Malicious Code• Designed to perform

functions that are detrimental you, your computer, your network, or to someone else’s using your computer as the offensive agent.


Types of Malware

• Viruses

• Worms

• Trojan Horses

• Blended Threats

• Adware/Spyware

• Spam


Types of Malware

• Virus– A piece of code

that replicates itself by attaching to another object.

– Chief objective: self-replication on host computer.

Bott & Siechert, 295


Types of Malware

• Worm– Independent

program that copies itself to other computers.

– Often spread by bogus email attachments.



Types of Malware

• Trojan Horse– “Back door”

program that allows someone to remotely examine or control your computer.



Blended Threats• A “working

combination” of virus, worm and/or Trojan Horse code.

• Some of these can be VERY, VERY BAD!



Blended Threat: MyDoom WormMyDoom.as/au/bb has common characteristics with other

members of the family, including posing as an e-mail system error message, disguising the payload in a variety of file formats (including .zip), and most damaging, depositing a backdoor on the infected PC.

"The variant knocking at the front door is familiar, but it's leaving the backdoor open to something much more sinister," said CA's Curry. "It's creating a zombie network."

The backdoor Trojan, opens port 1034 and listens for commands from the controlling hacker.

"This is typical of worms and viruses," said Cluley. "Hackers try to download a backdoor component which they can then use to upload other programs to conduct spam or denial-of-service attacks."



Adware/Spyware• Technically not

“malware,” but can have the same effect.

• Generally loaded on your computer when you visit certain websites, or click on “pop-up” windows.

• MANY unresolved privacy issues!


“Spam”• Mass-distributed “junk” email• Appeared when Monty Python

“spam” skit was popular.• Malware is frequently

distributed by spam!• NEVER OPEN spam!• NEVER CLICK links in spam!• If possible, use rules or a

spam filter to auto-delete.Picture: http://media.hormel.com/images/refimages/museum%20press%20kit/spam%20hero%20web%20ready.jpg


Fighting Back!

USAF Photo


#1 – Keep Windows UPDATED

• Weaknesses are continually being discovered in Windows and Internet Explorer.

• Failure to download “patches” = invitation to exploitation.


#2 Make Updates AUTOMATIC

• Set your computer so that updates are automatically downloaded.

• Start-Control Panel-Automatic Update

• Your school computer does this at night.– Leave it running!


#3 Use an Antivirus Program• On campus, we use

McAfee Enterprise.• If you can see the two

“shield” icons in the lower right corner, it’s running.

• Updates are automatic, and slow your computer down a lot when running!


Antivirus Software – At Home• NEVER operate a

computer online without an antivirus (AV) program!

• Make sure that automatic update is enabled.

• AV software is useless without constant updates!


Why Do You Need a Firewall? • AV software only

watches what comes INTO the computer.– Firewalls also monitor

what goes OUT.– A firewall is the only

defense against Trojan Horse programs.

http://www.zonelabs.com/store/content/home.jsp


Handling Adware/Spyware• There are several free

anti-spyware programs available.

• Example: Spybot Search and Destroy– Free for download at home!– Updated frequently.– “Immunizes” your computer

against repeat infection.

• Whatever you choose, use it at least weekly!

http://www.spybot.info/en/index.html




Some General “Best Practices”• Be VERY careful

about visiting Internet sites.

• Never click “popup” windows, use the “ _ ” to close them.

• NEVER open attachments or hyperlinks in email from unknown senders.


One More Thing to Think About…

• Hackers seem to HATE Bill Gates and Microsoft products.

• Most attacks exploit weaknesses in Windows, Internet Explorer and Outlook/Outlook Express.

www.microsoft.com/billgates/bio.asp


Get Out of the Bulls-eye!• Alternative Internet

and email programs• Example:

www.mozilla.org• Firefox 1.0

– “Safer” web browser– Good pop-up blocking

• Thunderbird 1.0– Email program– Excellent spam filter

http://www.mozilla.org/


Review• Physical security

– The MOST IMPORTANT level of defense!– Make your computer a “no student” zone.– Arrange your screen and keyboard so that

they can’t be directly observed.– Lock your computer when it is unattended,

even for just a few minutes.– Get used to what’s “normal” in/around area.– Use good passwords:

• At least 8 mixed characters, not English words, memorable

• Change regularly or when compromise likely


Review• Behavioral Security:

– “Social Engineering” is a psychological attack on you!.

– Goal is to gain unauthorized access to:• Information and/or• A computer and/or • A computer network.

– Look for: • Requests for forbidden information• Things which “don’t quite add up”


Review• System Security:

Keep Windows current with automatic updates! ALWAYS use antivirus software and a firewall

Use the automatic update feature Yes, you need to renew the subscription!

Find an adware/spyware program you like These also requires regular updates Use frequently as part of your maintenance program

Consider non-Microsoft browser & email programs


Review

• “Best Practices” Be VERY careful about the

sites you visit on the Internet. NEVER open email

attachments from unknown senders.

DON’T click on links in email from unknown senders.


If You’d Like to Learn More…

http://melbourne.hs.brevard.k12.fl.us/SteppH/tutorials/security/index.htm

http://melbourne.hs.brevard.k12.fl.us/SteppH/tutorials/security/index.htm


Bibliography/ResourcesBott, Ed, and Siechert, Carl. Microsoft Windows Security for

Windows XP and Windows 2000 INSIDE OUT. Redmond: Microsoft Press, 2003.

Granger, Sarah. "Social Engineering Fundamentals, Part I: Hacker Tactics." Security Focus. http://www.securityfocus.com/infocus/1527: 18 Dec 2001.

Granger, Sarah. "Social Engineering Fundamentals, Part II: Combat Strategies." Security Focus. http://www.securityfocus.com/infocus/1533: 9 Jan 2002.

Identity Theft Resource Center. http://www.idtheftcenter.org/index.shtml

Privacy Rights Clearing House. http://www.privacyrights.org/Spring, Tom. "Spam Wars Rage." PC World (April 2004): 24-25.



http://www.idtheftcenter.org/index.shtml

http://www.idtheftcenter.org/index.shtml

http://www.privacyrights.org/



November 2005Hal Stepp/Melbourne HS. November 2005Hal Stepp/Melbourne HS NETS-T Standards Addressed...

Documents

Transcript of November 2005Hal Stepp/Melbourne HS. November 2005Hal Stepp/Melbourne HS NETS-T Standards Addressed...