information security awareness 1 university of arizona security awareness campaign kelley bogart...

Post on 14-Jan-2016


1

Information Security Awareness

University of Arizona Security Awareness Campaign

Kelley Bogart, University Information Security Coordinator

Gil Salazar, Network Administrator, University of Arizona

2

Agenda

• Why Awareness
• Challenges
• Solutions
• Benefits
• Costs
• Initiatives
• Demonstration

3

Why Awareness? Campus Policy, Standards & Guidelines

• Privacy Guidelines
• Acceptable Use Policy
• Security Policy – Draft
• Supporting Security Standards & Guidelines
• Business Continuity & Disaster Recovery
• Incident Reporting
• Management Responsibilities for Security
• Networked Device Security

4

Why Awareness? (cont.)

Heightened activity; regulatory drivers:

• FERPA
• HIPAA
• GLBA
• State Legislation (House Bills)
• Online Privacy Statement
• Misuse of State of Arizona Equipment
• Many more to come

5


Why Awareness? (cont.)

Relationship of Privacy & Security

Roles and Responsibilities

6

Where to start and how?

Step 1: Where are we now? Current Situation Assessment

Step 2: Where do we want to be? Strategic Direction

Step 3: How do we plan to get there? Implementation Planning

Step 4: How will we monitor progress? Monitoring

7

University of Arizona Characteristics

Level 1, COMPLACENCY: Security Policies & Standards are minimal and may or may not be documented. Security Incidents are viewed as someone else's problem. Existing programs and services are perceived as sufficient. Security is viewed as an enforcer.

Level 2, ACKNOWLEDGEMENT: Realization that existing Information Security processes are fragmented. Executive level support and involvement is visible. Some Security Awareness interventions are implemented and are ongoing.

Level 3, INTEGRATION: General acceptance of campus-wide standards based on Security Infrastructure and displayed through noticeable behavior change. Staff, faculty and students actively and visibly participate in the programs and services. Security incidents are reported immediately to the appropriate area.

Level 4, COMMON PRACTICE: The integration of Security programs and services in the campus departments is complete. Security is involved at the onset of projects. U of A is considered as a Security Awareness Best Practice campus.

Level 5, CONTINUOUS IMPROVEMENT: Threats are continually reevaluated based on changing threat population and security incidents. Additional or more cost effective alternatives are continually identified. The practice of Security is considered a component of the campus culture. Security Awareness is viewed as a business enabler.

Goal: Set the stage for all security efforts by bringing about a change in attitudes, which will change the campus culture.

8

Challenges

• Funding & Resources
• Diversity and Decentralization
• Varied Audiences: Administrators, Students, Staff, Faculty; Technical vs. Non-technical

9

Solutions

• The What, How & Why or Want to do
• Timeline / Opportunities
• Message vs. Delivery Method
• Surveys
• Include WIIFM - What’s in it for me?
• Include Knowledge, Skill and Attitude

10

The following three slides are a consistent message we communicate or incorporate in our awareness / education efforts to help reinforce the message that:

Security is Everyone's responsibility!

Technology alone cannot keep us secure. People are the last layer of defense.

11

SEC-U-R-I-T-Y

The key to security is embedded in the word security.

YOU ARE IT!

12


If not you, who?

If not now, when?

13

During your typical day, you may be exposed to situations where you become aware of an attempt to breach an area of security.

You need to be prepared to:

• Protect
• Detect
• React

14

Benefits

• Heightened Awareness
• Increased reporting & requests
• Key Partnerships formed
• Campus wide understanding, acknowledgement and support
• Recognition of Security Office

15

Costs

• Dedicated Staff
• Pamphlets
• Security Awareness Day
• Posters

16

Initiatives

• Monthly “Brown Bag” Presentations
• Customized group presentations
• Redesigned Security Page: security.arizona.edu
• Campus Security Awareness Day: security.arizona.edu/awarenessday.html
• New Employee Orientation Handout

17

Initiatives (cont.)

Pamphlets:

• Privacy Basics - Guide to Protecting Personal Information
• Risk Reduction - Computer Protection and Prevention
• Security Basics - Guide for Protecting Your Computer
• Computer Security and Privacy Information - What everyone needs to know

Security Awareness Posters: security.arizona.edu/posters.html

18 to 20

Security awareness posters, first set (poster images)

21 to 23

Security awareness posters, second set (poster images)

24

University of Arizona Characteristics (repeat of slide 7)

25


Questions

26

ISO | ECAT

Kelley Bogart, Information Security Coordinator

Gil Salazar, UA Network Administrator

27


28

Agenda

• State of the Internet today
• Viruses, Worms & Spies!
• How to Protect Yourself

29

State of the Internet Today

The Internet goes through your computer

30

Some Local Statistics

University of Arizona campus cyber attacks per day:

• Outside to inside attacks: 64,959
• Inside to outside attacks: 60,040
• Inside to inside attacks: 6,941
• Total of related victim machines: 593,734

31

Threat Follows Value

The 1950s American bank robber Willie Sutton was asked why he robbed banks. He said he robbed banks because “That’s where the money is.”

Today, the money is in Cyberspace!

The Internet provides for criminals the two capabilities most required for the conduct of criminal activities:

Anonymity & Mobility

32

Do The Math

• Spam mailed to over 100 million inboxes
• If 10% read the mail and clicked the link = 10 million people
• If 1% of the people who went to the site signed up for a 3-day free trial = (100,000 people) x ($0.50) = $50,000
• If 1% of free trials sign up for 1 year = (1,000 people) x ($144/yr) = $144,000/yr

33

Situation: It is getting scary!

Timeline (from the slide diagram): Product ship → Vulnerability discovered / potential attack → Software modified → Patch released → Patch deployed at home/office

Label on the diagram: Most attacks occur here

Why does this gap exist?

34

Exploit Timeline

• Days From Patch to Exploit – The average is now nine days for a system to be reverse-engineered

Why does this gap exist?

Chart (figure residue): days between patch and exploit code for Zotob, Blaster, Welchia/Nachi, Nimda and SQL Slammer; the values shown on the chart are 1, 25, 151, 180 and 331 days.

35

Exploit Survival Time

• The SANS Institute has studied what it calls the "survival time" of an unprotected computer hooked up to the Internet.
• A year ago, the average time before it was compromised was about 55 minutes.
• Today it's 20 minutes.
• On the UA campus it can be less than ONE MINUTE.

36

Questions?

State of the Internet

• Why do criminals use the Internet today?
• To be Anonymous & Mobile

37


Viruses, Worms & Spies

38

Virus:

• Old “traditional” viruses usually required human interaction
– You have to save it, run it, share floppy disks
– E-mailing a program / document without knowing it is infected
• Typically they just attach themselves to programs & documents, and then depend on humans to propagate
• This is changing…

39

How It Spreads

• E-mail
• Instant Messenger
• Networks
• P2P/Filesharing software
• Downloads
• Floppy disks, Flash Drives, CDs, etc.

40

Sample E-Mail (this has a virus attached!)

To: user@email.arizona.edu
Subject: Notify about your e-mail account utilization.
From: support@arizona.edu

Dear user of Arizona.edu gateway e-mail server,

Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information. For further details see the attach. For security reasons attached file is password protected. The password is "03406".

Best wishes, The Arizona.edu team http://www.arizona.edu

41

Questions?

Virus:

• What is the most common way viruses are spread today?
• E-Mail

42

Worms:

• Sub-class of Virus
• Replicate automatically without human help
• Example is the e-mail address book attack
• Bog down networks and the Internet
• Zotob, Blaster are examples

43


44


Worms:

• Scary part – you don’t have to do anything but turn your computer on!

• Or make a simple click.

45

Trojan Horse

• Program that appears to be a “good” program, but really isn’t
• Might do what it is supposed to, plus a whole lot more!
• Programs in this category use several methods to enter the computer: Web, e-mail, spyware

46

Botnets or “Zombies”

• Botnets are networks of captive computers (often called zombies) that are created by trojans or worms that have infected unprotected PCs.
• These networks are frequently used to send spam and initiate distributed denial of service (DDoS) attacks.

47

Questions?

Worms:

• What is it called when a program sneaks onto your computer?
• A Trojan

48

ISO | ECAT

49

Have you ever received an email that says something like this?

“We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.”

OR

“During our regular verification of accounts, we couldn’t verify your information. Please click here to update and verify your information.”

50


This is a typical “phishing” attempt

51

What is Phishing?

Phishing is a form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or legitimate business in an apparently official electronic communication, such as an email, pop-up window or an instant message.

http://en.wikipedia.org/wiki/Phishing#Phishing_technique

52

Social engineering preys on qualities of human nature:

• the desire to be helpful
• the tendency to trust people
• the fear of getting into trouble

Social engineering is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick people into revealing sensitive information or getting them to do something that is against typical policies. By this method, social engineers exploit the natural tendency of a person to trust his or her word, rather than exploiting computer security holes.

53 to 67

Phishing example screenshots: eBay (slides 53 to 56), PayPal (57 to 59), Visa (60 and 61), Microsoft (62); statistics from the Anti-Phishing Working Group (63 to 65); Arizona State Credit Union (66); DM Federal Credit Union (67)

68

Recognizing Phishing

• False Sense Of Urgency - Threatens to "close/suspend your account," or charge a fee.
• Indirect invitation - "Dear valued customer", "Dear reader", "In attention to [service name here] customers".
• Misspelled or Poorly Written - Helps fraudulent e-mails avoid spam filters.

69

Recognizing Phishing

• Suspicious-Looking Links & Pop-Ups - Links containing all or part of a real company's name, asking you to submit personal information.
• Hyperlink spoofing - You see the "http://www.yourbank/Login" link in the message, but if you hover the mouse cursor over the link, you will see that it points to "http://www.spoofedbanksite.com/Login".
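As an added example (not code from the original slides), the Python script below applies the two checks above to an HTML e-mail body: it flags anchors whose visible text looks like a URL but whose href points at a different host, and links whose host borrows a company's name without being under that company's domain. The sample message and the domain names in it are constructed placeholders.

```python
"""Hyperlink-spoofing checks for an HTML e-mail body. Added example, not
code from the original slides; the sample message and domains are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text counts as "URL-like" when it is a URL or a bare domain.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

def host_of(text):
    """Lowercase hostname of a URL-like string, or None if it is not one."""
    text = text.strip()
    if not URL_LIKE.match(text):
        return None
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host.lower() if host else None

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def anchors(html):
    """All (href, visible text) pairs in the body."""
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links

def find_spoofed_links(html):
    """(visible text, href) pairs whose shown host and real host differ: the
    slide's case, where the message shows one address and hovering reveals
    another. Anchors whose text is not URL-like ("Click here") are skipped."""
    findings = []
    for href, text in anchors(html):
        shown, real = host_of(text), (urlparse(href).hostname or "").lower()
        if shown and real and shown != real:
            findings.append((text, href))
    return findings

def lookalike_hosts(html, brand_domain):
    """hrefs whose host borrows the brand's name but is not under brand_domain,
    e.g. yourbank.com.secure-login.example when the brand is yourbank.com."""
    brand_domain = brand_domain.lower()
    label = brand_domain.split(".")[0]
    hits = []
    for href, _ in anchors(html):
        host = (urlparse(href).hostname or "").lower()
        under_brand = host == brand_domain or host.endswith("." + brand_domain)
        if host and not under_brand and label in host:
            hits.append(href)
    return hits

# Constructed sample body using the slide's placeholder domains.
SAMPLE = """
<p>Please <a href="http://www.spoofedbanksite.com/Login">http://www.yourbank/Login</a>
to confirm your identity.</p>
<p>Help desk: <a href="http://www.yourbank.com/help">www.yourbank.com/help</a></p>
<p><a href="http://yourbank.com.secure-login.example/">Click here</a> to verify.</p>
"""
```

Running `find_spoofed_links(SAMPLE)` reports only the first anchor; `lookalike_hosts(SAMPLE, "yourbank.com")` catches the "Click here" link, which the first check cannot judge because its visible text is not a URL.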

70

Discover Card Awareness (screenshot)

71

Citibank (screenshot)

72

Spyware or Phishing-based Trojans – Keyloggers?

73

Phishing-based Trojans – Keyloggers

Designed with the intent of collecting information on the end-user in order to steal those users' credentials.

Unlike most generic keyloggers, phishing-based keyloggers have tracking components which attempt to monitor specific actions (and specific organizations, most importantly financial institutions, online retailers and ecommerce merchants) in order to target specific information; the most common targets are access to financial websites, ecommerce sites, and web-based mail sites.

74

Phishing-based Trojans – Keyloggers, Unique Variants (chart)

75

Unique Websites Hosting Keyloggers (chart)

76

Yet Another Form of Phishing to worry about

Unlike a scam which tries to trick you into providing personal information, this:

• executes code
• changes your hosts file
• redirects a legitimate webpage to a spoofed site

…and all you did was open an email or view it in a preview pane in programs like Microsoft Outlook

77

Phishing-based Trojans – Redirectors

Designed with the intent of redirecting end-users' network traffic to a location where it was not intended to go. This includes crimeware that changes hosts files and other DNS-specific information, crimeware browser-helper objects that redirect users to fraudulent sites, and crimeware that may install a network-level driver or filter to redirect users to fraudulent locations.

This is particularly effective because the attackers can redirect any of the users' requests at any time, and the end-users have very little indication that this is happening, as they could be typing in the address on their own rather than following an email or Instant Messaging lure.
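A defender-side check for the hosts-file variant described above, as an added example that is not part of the original slides: it parses hosts-file text, reports every mapping that is not a stock loopback entry, and marks the ones that hit a watch-list of domains (the financial and web-mail sites the deck names as targets). The sample hosts text, the 203.0.113.7 address and the yourbank.com domain are constructed.

```python
"""Audit a hosts file for redirector-style entries. Added example, not code
from the original slides; the sample hosts text below is constructed."""
import ipaddress

# Names a stock hosts file legitimately carries (Windows, macOS, Debian defaults).
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost",
    "ip6-loopback", "ip6-localnet", "ip6-mcastprefix", "ip6-allnodes",
    "ip6-allrouters",
}

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()       # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # not an address: skip the line
        for name in parts[1:]:
            yield ip, name.lower(), line_no

def suspicious_entries(text, watch_list=()):
    """Report every mapping that is not a stock local-name entry.

    A workstation's hosts file normally holds only the loopback names, so any
    other mapping deserves a look. Entries whose name is on (or under) a
    watch-list domain are flagged 'watched' so they can be escalated first:
    the redirector the slide describes sends a bank's or web-mail domain to a
    spoofed site, and pointing an update site at 127.0.0.1 blocks updates."""
    watched = tuple(w.lower() for w in watch_list)
    findings = []
    for ip, name, line_no in parse_hosts(text):
        on_watch = any(name == w or name.endswith("." + w) for w in watched)
        if name in LOCAL_NAMES and not on_watch:
            continue
        findings.append({"line": line_no, "name": name, "ip": str(ip),
                         "loopback": ip.is_loopback, "watched": on_watch})
    return findings

def audit_hosts_file(path, watch_list=()):
    """Read a hosts file from disk and audit it (the usual paths are
    C:\\Windows\\System32\\drivers\\etc\\hosts on Windows and /etc/hosts on Unix)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read(), watch_list)

# Constructed sample; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             ip6-localhost ip6-loopback
# lines a redirector trojan might add:
203.0.113.7     www.yourbank.com yourbank.com
203.0.113.7     mail.yourbank.com
127.0.0.1       update.antivirus.example    # blocks the AV update site
"""
```

`suspicious_entries(SAMPLE_HOSTS, watch_list=["yourbank.com"])` returns four findings: the three yourbank.com names marked watched, plus the loopback entry for the update site, which is not watched but still reported because it is not a stock local name.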

78


79

FTC suggestions to help avoid getting hooked by a phishing scam:

• If you get an email or pop-up message that asks for personal or financial information, do not reply. And don’t click on the link in the message, either.
• Use anti-virus software and a firewall, and keep them up to date.
• Don’t email personal or financial information.

80

FTC suggestions (cont’d)

• Review credit card and bank account statements as soon as you receive them.
• Be cautious about opening any attachment or downloading any files from emails.
• Forward spam that is phishing for information to spam@uce.gov and to the company, bank, or organization impersonated in the phishing email.

81

Additional Protection Tips

• Treat all email with suspicion
• Never use a link in an email to get to any web page
• Ensure that all of your software is up to date
• Use anti-spyware detection software on a regular basis

82

Additional Protection Tips

• If you must use your financial information online, ensure that you have adequate insurance against fraud
• Be aware or beware.

83

Questions?

• What does the term “Phishing” refer to?
• Attempt to gather information for illicit use

84

Spyware

• Ever get pop-ups that constantly ask for you to click “OK” and won’t go away?
• This is most likely Spyware of some sort

85

Spyware: What it is

• Spyware is programming that is put on your computer to secretly gather information about you or your PC and relay it to advertisers or other interested parties
• Adware pushes ads, tracks Internet habits and performs other sneaky tricks

86

Spyware: How Do I know I have it?

• Computers slow down to a crawl
• Annoying Pop-ups appear
• Browser Start Page changes
• Unwanted toolbars, tray programs
• New programs are installed on your PC and show up on the desktop

87

Spyware: why is it bad?

• Corrupts/alters the current software
• Steals passwords, information etc.
• Tracks browsing habits, sites
• Interferes with system settings (registry, startup)
• Even after removal, it can leave crumbs which help the program re-install itself

88

Spyware: How did I get it?

• Email
• Instant Messaging
• Internet Browsing
• P2P Software (Kazaa, LimeWire, BearShare, AIM)
• Downloads and Installs – Potentially Unwanted Programs (PUPs)

89


90


91

Spyware: Why do they do it?

• 0x80 is a hacker… he says: "Most days, I just sit at home and chat online while I make money," 0x80 says. "I get one check like every 15 days in the mail for a few hundred bucks, and a buncha others I get from banks in Canada every 30 days." He says his work earns him an average of $6,800 per month, although he's made as much as $10,000. Not bad money for a high school dropout.

92

Questions?

Spyware:

• What are a couple things Spyware does?
• Create pop-ups, hijack web pages, collect info, slow the PC down.

93


How to Protect Yourself

94

Practice Good Surfing Sense

• You know there are bad parts of town that you don’t go to
• The Internet is the same way – be wary!

95

Download Rules

• Never download or open something if you don’t know what it is
• Even if you know the sender by name, check with them to see if they sent you something

96

Download Rules

• True company-based e-mails never send attachments
• Make sure the link actually goes to their site & not a spoofed one!
• Only download what you trust, and even then be wary!

97

Be Aware of Spoofing

• Have you ever received an e-mail telling you that you have a virus?
• It is possible that:
– Your address could’ve been spoofed and sent to someone else
– It could be a trick to get you to install some “anti-virus” or “patch” (which is really a virus itself!)

The Best Defense

99

The Best Defense

• Use Strong Passwords
– Passwords should contain 8 characters including upper and lowercase, special characters (*^#) and numbers
• Don’t take downloads from strangers
– Only install what you trust
– “free” music & file sharing programs are wide open doors for hackers

100

The Best Defense

• Check if your PC has any issues:
– Does your browser open to a new home page, or search page?
– Increase in advertisements & pop-ups?
– Computer seems sluggish?
– Know your system and what is installed

101

The Best Defense

• Get a detect & removal tool for spyware
• Ad-Aware: easiest to use, free for home use only
• SpyBot: Free for any use, more advanced, has automated protection features
• Microsoft Anti-spyware: Free for any use, has automated protection and updates.
• Use all three together for complete protection!

102

The Best Defense

• Install anti-virus software (Sophos, Norton, McAfee etc…)
• Install a Firewall (Windows built-in, Kerio, ZoneAlarm)
• Keep everything up-to-date! Windows Automatic Updates, Anti-virus, Spyware detection.

103


104

The Best Defense

• Limit access to your computer
• Keep doors locked if you're not around and the system is on
• Thumb drives can be used to steal data

105

The Best Defense

• At home, use multiple user accounts when sharing computers, and switch users / lock the workstation when you leave the system on and step away from the desktop

Windows Key – for XP

106


Quote from a victim…

"Overall, you've got to realize that, just like if you don't secure your home, you run the risk of getting burglarized; if you're crazy enough to leave the door on your computer open these days, like I did, someone's gonna walk right in and make themselves at home."

~Pastor Michael White

107

Questions?

The Best Defense

• What is the best way to keep passers-by from accessing your computer?
• Control-Alt-Delete or Windows Key + L

108

Other Reminders….

• Back up your computer data.
• Keep system patches updated.
• Keep firewalls, pop-up blocker and spyware apps updated.
• Know your systems.

109


Now for any Final Q&A…

110


Don’t let the computer control you!

Don’t ever give up!

If the situation seems hopeless:
