Date: 30.10.2018 (document size 0.65 MB)


Information Security – Creating Awareness, Educating Staff, and Protecting Information


Topics Covered



Why Security?

  • Liability

  • Privacy Concerns

  • Copyright Violations

  • Identity Theft

  • Resource Violations

  • Reputation Protection

  • Meet Expectations

  • Laws & Regulations



Understanding Threats

  • What is valuable?

  • What is vulnerable?

  • What can we do to safeguard and mitigate threats?

  • What can we do to prepare ourselves?

  • Most believe they will win the lottery before getting hit by malicious code



Keep Sensitive Data Private

  • Protecting Information like:

  • Social Security Number

  • Driver's license number

  • Insurance numbers

  • Passwords and PINs

  • Banking information



Terminology

  • Hackers

    • white hat
    • grey hat
    • black hat
  • DoS & DDoS

  • 1337 (Leet) speak

  • Warez

  • Script kiddies



Spyware & Adware (Scumware)

  • Spyware: applications that monitor activity without express permission

  • Adware: applications that monitor activity with express permission

    • Read the EULA


SPAM & SPIM

  • SPAM: junk email

  • SPIM: SPAM that has come to Instant Messaging

    • Uncontrolled viewing (pop-up windows)
    • Bot generated


Phishing

  • Phishing is a computer scam that uses SPAM, SPIM & pop-up messages to trick us into disclosing private information (Social Security Number, credit cards, banking data, passwords, etc.)

    • Often appears to come from someone we “trust” or who is in some way associated with us
    • Appears to be a legitimate website
    • Embedded in links in emails & pop-up messages
    • Phishing emails often contain spyware designed to give remote control of our computer or to track our online activities


Passwords

  • Select a good one

    • At least 7 characters
    • Mixture of upper and lowercase characters
    • Mixture of alpha and numeric characters
    • Don’t use dictionary words
  • Keep passwords safe

  • Change them often

  • Don’t share or reuse passwords

  • Two-factor authentication
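The four "select a good one" rules above are the kind of thing a help desk or account-provisioning script checks automatically. The following is an added example, not code from the presentation: a Python checker that applies exactly those rules (minimum length, mixed case, letters plus digits, no dictionary words) and, before the dictionary check, undoes the common "1337 speak" substitutions mentioned in the terminology slide so that P@ssw0rd is judged as "password". The word list is a constructed stand-in; a real deployment would load a full dictionary or a breached-password list.

```python
import re

# Constructed stand-in for a real dictionary (assumption): a real deployment would
# load a large word list or consult a breached-password service.
DICTIONARY_WORDS = {"password", "welcome", "letmein", "summer", "dragon", "monkey"}

# Common leet-speak substitutions, undone before the dictionary check.
# Each character on the left maps to the letter in the same position on the right.
LEET_TO_PLAIN = str.maketrans("@$013457", "asoieast")


def normalize(candidate: str) -> str:
    """Lowercase, undo leet substitutions, and keep letters only."""
    return re.sub(r"[^a-z]", "", candidate.lower().translate(LEET_TO_PLAIN))


def check_password(candidate: str, min_length: int = 7) -> list:
    """Return the list of rules the candidate fails; an empty list means it passes."""
    failures = []
    if len(candidate) < min_length:
        failures.append(f"shorter than {min_length} characters")
    has_upper = any(c.isupper() for c in candidate)
    has_lower = any(c.islower() for c in candidate)
    if not (has_upper and has_lower):
        failures.append("needs both upper and lowercase letters")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_alpha and has_digit):
        failures.append("needs both letters and digits")
    # Substring match so that "Summer2018" is still caught as a dictionary word.
    core = normalize(candidate)
    if any(word in core for word in DICTIONARY_WORDS):
        failures.append("built on a dictionary word")
    return failures


if __name__ == "__main__":
    for sample in ("Tr0ub4dor&3", "P@ssw0rd1", "Summer2018", "abc"):
        verdict = check_password(sample)
        print(f"{sample!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

The thresholds are parameters, so a site that wants longer passphrases than the 7 characters quoted in the slide only changes `min_length`; the leet normalization is the part most checkers forget, and it is what stops users from satisfying the letter-of-the-rule with a dictionary word in disguise.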



Social Engineering

  • Social Engineering is the art of prying information out of someone else to obtain access or gain important details about a particular system through the use of deception



Email & Chat Services

  • Email and chat are sent in clear text over the Internet

  • Data can easily be captured and read by savvy computer users and systems administrators

  • Safeguards should be put into place prior to using these programs for sending/receiving sensitive information like Social Security Numbers



Enhance Our Work Area Security

  • Secure workstations

    • Lock our systems (Ctrl-Alt-Delete)
    • Shut down
    • Run up to date virus scanning software
    • Password protect files
    • Apply software patches
    • Install cable locks
    • Run a desktop firewall


Is Our Data Being Backed Up?

  • Test backups

  • Securely store backup media (offsite)

  • Restrict access to who can perform restoration



Equipment Disposal

  • What happens to old computers when they are replaced?

  • Do those systems contain sensitive information?

  • Several programs to securely remove data from computer systems are commercially available
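The commercial tools the slide refers to do, at bottom, what this added example shows: overwrite a file's blocks in place before unlinking it, so that the "Data Recovery" demo that follows has nothing to find. This is example code written for this page, not any of the listed products; the sample record it deletes is constructed.

```python
import os
import tempfile

CHUNK = 64 * 1024

# Constructed sample record (assumption): stands in for a file holding sensitive data.
SAMPLE = b"id=CONSTRUCTED-0000;name=Jane Doe;note=sample record\n"


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite the file's existing bytes with random data, `passes` times.

    Returns the total number of bytes written. fsync after each pass pushes the
    overwrite to the device instead of leaving it in the page cache.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                fh.write(os.urandom(n))
                remaining -= n
                written += n
            fh.flush()
            os.fsync(fh.fileno())
    return written


def overwrite_and_delete(path: str, passes: int = 3) -> bool:
    """Overwrite then unlink; returns True when the path no longer exists."""
    overwrite_file(path, passes)
    os.remove(path)
    return not os.path.exists(path)


def demo():
    """Write the constructed sample, scrub it, and report what happened.

    Returns (bytes_written, content_changed_before_unlink, removed).
    """
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE)
    written = overwrite_file(path)
    with open(path, "rb") as fh:
        changed = fh.read() != SAMPLE
    removed = overwrite_and_delete(path, passes=0) if False else (os.remove(path) or True)
    return written, changed, removed and not os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

The caveat that matters for equipment disposal: in-place overwriting only works where the filesystem rewrites the same blocks. SSDs with wear levelling, copy-on-write or journaling filesystems, and snapshots or backups can all keep the old blocks, so for a machine leaving the organisation, whole-device sanitization (or a drive that was full-disk encrypted from the start, whose key is then destroyed) is the reliable option, and file-level wiping is a complement, not a substitute.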



Data Recovery

  • DEMO



Dumpster Diving

  • We never know who is looking in our trash

  • Shred sensitive documents

  • Secure shred barrels, and make sure that proper handling procedures are in place



Access Rights

  • Only allow access that is absolutely required

  • Don’t grant accounts based on the fact that access “may” be required

  • Use least privilege access policies that state access will only be granted if required, not by default

  • Are accounts removed and passwords changed when someone changes jobs or is terminated?

  • Perform audits
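The questions on this slide (is access still required, were accounts removed on termination, are passwords changed) are the checks an access audit script runs. The following is an added example, not code from the presentation: it compares the system's account list against the current HR roster and flags enabled accounts whose owner has left, plus accounts whose password is older than a policy maximum. The roster, accounts and the 90-day threshold are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    username: str
    owner: str            # the person responsible for the account
    enabled: bool
    last_password_change: date


# Constructed sample data (assumption): HR's list of current staff and the
# account list exported from a system. Real audits pull both from their sources.
CURRENT_STAFF = {"alice", "bob"}
ACCOUNTS = [
    Account("alice", "alice", True, date(2018, 9, 1)),
    Account("bob", "bob", True, date(2017, 1, 15)),
    Account("carol", "carol", True, date(2018, 5, 3)),        # carol has left
    Account("svc_backup", "dave", True, date(2016, 6, 30)),   # owner dave was terminated
]


def audit_accounts(accounts, current_staff, today, max_password_age_days=90):
    """Return (username, reason) findings for least-privilege and hygiene violations."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue   # disabled accounts are what we want to see for leavers
        if acct.owner not in current_staff:
            findings.append((acct.username, "enabled account whose owner is no longer on staff"))
        age = (today - acct.last_password_change).days
        if age > max_password_age_days:
            findings.append((acct.username, f"password unchanged for {age} days"))
    return findings


def run_demo():
    """Run the audit on the constructed data as of a fixed date."""
    return audit_accounts(ACCOUNTS, CURRENT_STAFF, today=date(2018, 10, 30))


if __name__ == "__main__":
    for username, reason in run_demo():
        print(f"{username}: {reason}")
```

Service accounts are the usual blind spot: `svc_backup` survives its owner's departure because nobody thinks of it as "dave's account", which is why the audit keys on the owner field rather than on the username.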



Physical Security

  • Who has access?

  • Are sensitive documents secured?



Emerging Threats

  • Wireless Technology

  • Memory devices: iPod, USB keys, Coke cans, etc.

  • Camera phones

  • P2P File Sharing



Incident Response

  • Do you know what to do and who to contact if a security breach occurs?



Recent News



Creating Awareness

  • Educate staff

    • Train staff
    • Document processes and outline expectations
  • Research potential candidates

    • Perform background & credit checks
  • Track system changes

    • Audit system access
    • Audit system changes
  • Create & communicate policies:

    • Define document and system disposal processes
    • Define backup procedures
    • Define clean work area policies
    • Define computer usage policies


Be Aware

  • Report anything “strange”

  • Don’t give private information out

  • Properly dispose of sensitive information

  • Run up to date virus protection & software

  • Ask questions



Useful Links

  • National Cyber Security Alliance

  • http://www.staysafeonline.info/

  • National Institute of Standards and Technology:

  • http://csrc.nist.gov/sec-cert/

  • Recent News

    • High Profile Computer Compromise
  • Many schools have great security resource pages, for example the UC Davis and University of Iowa websites:

  • http://security.ucdavis.edu/security101.cfm

  • http://cio.uiowa.edu/itsecurity/



Example Software References

  • Various applications mentioned in the presentation*

  • Email Security

    • PGP http://www.pgp.com
  • Instant Messaging Security

    • Simp http://www.secway.fr/products/all.php?PARAM=us,text
  • Adware & Spyware Removal Applications

    • Ad-aware http://www.lavasoftusa.com/software/adaware/
    • Spybot http://www.safer-networking.org/en/download/
  • Secure File Deletion

    • Secure Delete http://www.sysinternals.com/ntw2k/source/sdelete.shtml
  • System Disposal

    • Secure Hard Drive cleaning http://www.accessdata.com/Product07_Overview.htm


Sample Policies

  • Developing Security Policy

    • http://www.sans.org/rr/papers/50/919.pdf
  • Acceptable Use

    • http://www.sans.org/resources/policies/Acceptable_Use_Policy.pdf


Questions?

  • Please fill out the session evaluations & thank you for attending this session


