The University of Arizona Security Awareness Brown Bag Series Sponsored by Information Security Office Email Threats, Precautions and Etiquette

Upload: cameron-lloyd

Post on 23-Dec-2015


Page 1

The University of Arizona

Security Awareness Brown Bag Series

Sponsored by Information Security Office

Email Threats, Precautions and Etiquette

Page 2

Security Awareness Series

Page 3

The key to security awareness is embedded in the word security

SEC- -Y

Page 4

Question

How would your behavior change if your wallets, homes, and mail boxes could be accessed from around the world like our computers can?

Page 5

Opportunities for Abuse…

• To break into a safe, the safe cracker needs to know something about safes

• To break into your computer, the computer cracker only needs to know where to download a program written by someone else who knows something about computers

Page 6

What is Security Awareness?

Security awareness is recognizing what types of security issues and incidents may arise and knowing which actions to take in the event of a security breach.

Most security incidents can be avoided

Page 7

What is Expected of You?

During your typical day, you may be exposed to situations where you may become aware of an attempt to breach an area of security.

You need to be prepared to:

Protect

Detect

React

Page 8

Be aware or beware

Know how to identify a potential issue

Use sound judgment

Learn and practice good security habits

Incorporate secure practices into your everyday routine

Encourage others to do so as well

Report anything unusual

Notify the appropriate contacts if you become aware of a suspected security incident

So How Do We Start?

Page 9

Workshop Guidelines

It’s O.K. to:

• Participate actively

• Ask questions

• Have fun

• Learn and teach others

• Disagree

• Be open to others’ ideas

• Try, risk and make mistakes

• Think unconventionally, creatively

• Tell stories that support Security Awareness

Page 10

Agenda

• Email (Threats and Precautions)

• Email Etiquette

Page 11

Why Should I Care About Email Information Security?

You:

• may not consider your communications "top secret," but you probably do not want strangers

– reading your email

– sending out forged mail using your name

– or examining personal information stored on your computer (such as financial statements)

• may also want to stop malicious people from using your computer to attack other systems, potentially causing damage for which you could be held responsible

Page 12

The Email Threat

Some Things to Keep in Mind About Email

• The name on an email message:

– means nothing

– is about as useful as the return address on an envelope

– can easily be forged by a virus or individual
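The slide's point that the sender name is just a label can be made concrete with a small header check. The following Python is an added example, not material from the slides or from the University of Arizona; the sample message, the addresses in it and the function name are constructed for illustration. It uses only the standard library's email parser and surfaces the facts a recipient should compare: a display name that itself looks like an address but differs from the real one, a Reply-To pointing somewhere else, and the domain the message actually came from. None of these checks prove who sent the mail; they only show what the visible headers do and do not tell you.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the slides): the display name claims a
# university address, but the actual mailbox is somewhere else entirely.
SAMPLE_MESSAGE = """\
From: "barry@arizona.edu" <promo-desk@example.net>
Reply-To: collect@example.org
To: mary@arizona.edu
Subject: Urgent: account verification

Please open the attached form.
"""

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def sender_warnings(raw_message: str) -> list:
    """Return human-readable reasons the From line should not be taken at face value.

    Only the visible headers are examined; nothing here verifies the real
    origin of the message, which is exactly what the slide warns about.
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    warnings = []

    # 1. A display name that itself looks like an e-mail address, but differs
    #    from the real address, is a classic lookalike trick.
    for lookalike in ADDRESS_RE.findall(display_name):
        if lookalike.lower() != address.lower():
            warnings.append(
                f"display name shows '{lookalike}' but mail really comes from '{address}'"
            )

    # 2. Replies being redirected away from the sender deserve a second look.
    _, reply_address = parseaddr(msg.get("Reply-To", ""))
    if reply_address and reply_address.lower() != address.lower():
        warnings.append(f"replies are redirected to '{reply_address}'")

    # 3. The domain after the @ is the only part the mail system routed on;
    #    surface it so the reader compares it against who they expected.
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    if domain:
        warnings.append(f"sending domain is '{domain}'; confirm this is who you expected")
    return warnings


if __name__ == "__main__":
    for line in sender_warnings(SAMPLE_MESSAGE):
        print("-", line)
```

Run against the constructed message it reports all three observations; against a plain `From: Mary <mary@arizona.edu>` it reports only the domain, and against a message with no From line it reports nothing at all, which is itself worth noticing.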

Page 13

The Email Threat

Some Things to Keep in Mind About Email

• Be cautious about opening attachments, giving out personal information, or altering your computer based on information in the message

Page 14

The Email Threat

• A newly released email virus can travel around the world and infect thousands of computers before anyone knows what is happening

• One in every 300 e-mails circulating now contains a virus, up from one in every 700 in October last year, according to e-mail security company Message Labs

• Anti-virus and personal firewall software will not protect against new viruses and may even be disabled by them

Precaution

• Be cautious about opening email attachments

• Save attachment to disk and scan for virus

• Use good patch management practices

Page 15

The Email Threat

• No reputable organization will send you an unsolicited email message with a program like a patch attached to it

• They'll always reference an official web site where you can download it

Precaution

• Before doing so, make sure it is an official web site and not something that just looks like one

Page 16

Hidden file extensions

• Windows operating systems contain an option to "Hide file extensions for known file types"

– The option is enabled by default, but a user may choose to disable it in order to have file extensions displayed by Windows

– Malicious programs incorporate naming schemes for virus attachments that take advantage of this option

• The files attached to the email messages sent by viruses may appear to be harmless text (.txt), MPEG (.mpg), AVI (.avi) or other file types when in fact the file is a malicious script or executable (.vbs or .exe, for example)
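To show what the hidden-extension trick looks like from the recipient's side, here is an added Python example; it is not code from the slides. It approximates Explorer's "hide extensions for known file types" display by dropping the final extension, then reports the real extension and whether the name pairs a harmless-looking inner extension with an executable outer one. The extension lists are a constructed subset, not an authoritative catalogue, and the padding-spaces case (`report.txt      .vbs`) is included because it defeats a naive split on the last dot.

```python
import os

# Extensions Windows executes or interprets as code (constructed subset).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                         ".vbs", ".js", ".wsf", ".hta"}

# Document and media types that attackers like to imitate (constructed subset).
BENIGN_LOOKING_EXTENSIONS = {".txt", ".doc", ".pdf", ".jpg", ".gif",
                             ".mpg", ".avi", ".mp3"}


def displayed_name(filename: str) -> str:
    """Approximate what Explorer shows with 'Hide extensions for known file
    types' enabled: the final extension is dropped, so 'holiday.mpg.exe'
    is displayed as 'holiday.mpg'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename: str) -> dict:
    """Describe an attachment name from the recipient's point of view."""
    stem, true_ext = os.path.splitext(filename)
    true_ext = true_ext.lower()
    # The inner extension is what the name *looks* like; strip whitespace so
    # that 'report.txt      .vbs' is still recognised as imitating a .txt.
    _, inner_ext = os.path.splitext(stem)
    inner_ext = inner_ext.strip().lower()
    executable = true_ext in EXECUTABLE_EXTENSIONS
    return {
        "filename": filename,
        "displayed_as": displayed_name(filename),
        "true_extension": true_ext,
        "executable": executable,
        "disguised": executable and inner_ext in BENIGN_LOOKING_EXTENSIONS,
    }


def risky_attachments(filenames) -> list:
    """Names whose real extension is executable, whatever they look like."""
    return [f for f in filenames if classify_attachment(f)["executable"]]


if __name__ == "__main__":
    # Constructed sample attachment names.
    for name in ["holiday.mpg.exe", "notes.txt", "report.txt      .vbs", "README"]:
        print(classify_attachment(name))
```

The practical lesson matches the slide: the name Explorer shows is not the name the file runs under, so judge an attachment by its real extension (or, better, by saving it to disk and scanning it) rather than by its icon or displayed name.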

Page 17

e-Mail Security

e-Mail can be protected using the following “types” of controls

• Virus protection

• Encryption

• Firewalls

• Hardware

• Software

• Policies, Procedures and Guidelines

• Awareness

Page 18

Steps for sending and receiving e-Mail

Security Issues With e-Mail (Sender and Recipient)

• E-mail addresses

• CC or BCC recipients’ addresses

• Subject line

• Scan for viruses

• Read text for security requirements

• Encryption

• Filing

• Retention

• Deleting

Page 19

Addresses

• You need to be concerned with:

– Wrong addresses

– General addresses

– Obsolete addresses

• Consider sending a “verification” e-mail to new addresses before sending sensitive information for the first time

• Prior to opening an e-mail, review the sender’s address

Page 20

Addresses

• Do you know the person or organization?

– Even if you know the sender, be alert due to “spoofing” capabilities

• Does the address look suspicious?

When in doubt – check it out

Page 21

CC: Concerns

Very important when REPLYING to e-mails.

If the “reply to all” selection is made, and the sender has BCC’d the original message to others, you may be replying to recipients you are unaware of.

Page 22

Subject Line Concerns

• You need to be concerned with:

– Notification of security requirements,

– Agreed upon security definitions,

– Not using overly descriptive words.

• Include the person’s name and security level: “Sensitive, confidential, for your eyes only”

• Include security information in the body of the e-mail, including retention times and deletion requirements.

• Do not use overly descriptive words, e.g. “Board of Regents Plan, Student grades”.

Page 23

Subject Matter Concerns

• You need to be concerned with:

– Confidentiality of content,

– Legal issues,

– Information leaks

• Sending SPAM, unsolicited e-mail, harassment, offensive, and/or pornographic material needs to be controlled.

• It is possible that some classifications of information would be better sent through courier, snail mail, etc.

Page 24

Scan For Viruses

• Virus protection software needs to be kept up to date, as new viruses are discovered every week

• Never open any e-Mail or attachment without using your virus protection software

• Consideration also needs to be given to the types and versions of any “compression” software used, e.g. WINZIP

Page 25

Filing of e-Mail Concerns

• As with “paper documents”, e-Mail needs to be stored within a structured filing system

• Consideration needs to be given to storage locations for e-mail that is not to be backed up

• Consider setting up your e-Mail filing system to duplicate your “paper” filing methodology

Page 26

Retention e-Mail Concerns

University business documents created or received on e-mail must be saved for the same length of time as their hard copy equivalents. There are two ways to comply with this:

• Create a folder in your e-mail account in which you save these messages. Back up your files appropriately; do not delete these messages. Save the e-mail message to your PC's hard disk as a file; or

• Print out a paper copy and save it in an appropriate file. In this case you do not need to save an electronic copy

Page 27

Deleting e-Mail

Deleting Received e-Mails

Issues:

• Is deleted e-Mail really deleted?

• What needs to be done to actually delete e-mail?

• Who will delete archived copies?

Page 28

Encryption - What Is It?

Encryption is the process of scrambling data so that without a secret decryption key you cannot read it. It ensures privacy by keeping information concealed from anyone who is not authorized to see it.

The Basic Encryption Process

Page 29

The Basic Encryption Process

1. Mary wants to send an e-mail to Barry, but doesn't want anyone else to be able to read it.

2. Mary encrypts the plaintext message with an encryption key.

3. The encrypted message, called ciphertext, is then sent to Barry.

4. Barry decrypts the e-mail with the decryption key and is able to read the e-mail.

5. A hacker named Gerry wants to read the e-mail, but can't recover the plaintext without the decryption key.

Page 30

The Basic Encryption Process

[Figure: plaintext “This is plaintext” → encrypt algorithm (with key) → ciphertext “#$%)*&^<>” → decrypt algorithm (with key) → plaintext “This is plaintext”]
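The five steps on Page 29 and the diagram on Page 30 can be run end to end. The Python below is an added example, not code from the slides; Mary, Barry and Gerry are the slide's names, and the cipher is a teaching construction assembled from standard-library primitives (HMAC-SHA256 used as a keystream generator in counter mode, with a separate HMAC tag so a wrong key or an altered ciphertext is rejected rather than decrypted into garbage). It is chosen so the example runs anywhere Python does; a real mail system would use a vetted authenticated cipher such as AES-GCM from a maintained library.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # fresh random value per message so equal plaintexts differ
TAG_LEN = 32     # SHA-256 output length


def _subkey(key: bytes, purpose: bytes) -> bytes:
    """Derive separate keys for the keystream and for the integrity tag."""
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode built on HMAC-SHA256 as the pseudo-random function."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Step 2: Mary turns plaintext into ciphertext with the encryption key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"encrypt"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"tag"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag   # step 3: this is what travels to Barry


def decrypt(key: bytes, message: bytes) -> bytes:
    """Step 4: Barry recovers the plaintext. Step 5: without the right key the
    tag check fails and nothing is returned."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"tag"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or altered ciphertext")
    stream = _keystream(_subkey(key, b"encrypt"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def walk_through(plaintext: bytes = b"This is plaintext") -> dict:
    """Run the slide's scenario and report what each party ends up with."""
    shared_key = secrets.token_bytes(32)     # agreed between Mary and Barry out of band
    sent = encrypt(shared_key, plaintext)    # steps 2 and 3
    barry_reads = decrypt(shared_key, sent)  # step 4
    try:
        decrypt(secrets.token_bytes(32), sent)   # step 5: Gerry tries a key of his own
        gerry_blocked = False
    except ValueError:
        gerry_blocked = True
    return {
        "ciphertext_differs": sent[NONCE_LEN:-TAG_LEN] != plaintext,
        "barry_reads": barry_reads,
        "gerry_blocked": gerry_blocked,
    }


if __name__ == "__main__":
    print(walk_through())
```

The tag check is the part the slide's diagram leaves implicit: it is what turns "Gerry can't read it" into "Gerry can't read it and can't quietly change it either", which is the integrity property Page 32 refers to.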

Page 31

Encryption at the University of Arizona

Recommendations under review:

• "on the wire" encryption applications for data in transit and digital signature applications be used widely and without restriction

• the encryption of stored data be permitted at The University of Arizona at the discretion of the user

• users be advised to give careful consideration to the possible risks involved

• consult with legal counsel before implementing encryption systems

Page 32

• Modern encryption techniques provide a mechanism to assure both the confidentiality and the integrity of data and data communications.

• Encryption of stored data (e.g. computer files on disk or on a tape) is controversial

– Must be possible to retrieve public records in a timely manner in response to a legitimate public records request

– Encryption introduces the risk that they could become irrecoverable through loss of the encryption key.

– Measures can be taken to protect keys against accidental loss, but loss of public records is a violation of state law even if accidental.

Page 33

• Users must be aware that they are assuming a risk

• Arizona state law recognizes digital signatures as binding and as equivalent to traditional written signatures, at least in some cases

• A.R.S. 41-132 states: "Unless otherwise provided by law, an electronic signature that complies with this section may be used to sign a writing on a document that is filed with or by a state agency, board or commission and the electronic signature has the same force and effect as a written signature."

• The full text is available at: http://www.azleg.state.az.us/ars/41/00132.htm

Page 34

Viruses in e-Mail

Computer viruses are one of the most prevalent threats.

Viruses enter through four primary ways:

• Files shared between computers

• Files downloaded from the Internet

• Files attached to e-Mails

• Software programs

Page 35

Virus Protection

The keys to protection from malicious software include:

Software - The key to maximum protection from these software products is that they are kept current and updated.

Awareness - The best software will be completely ineffective unless used properly. Sound security practices and behavior (e.g. all attachments are scanned before opening, attachments from unknown sources are always initially saved to disk, etc.) are critical for maximum protection.

Page 36

General e-Mail Information

e-Mail that has been sent to you either by mistake, as part of a SPAM marketing campaign or as a hacker’s attack needs to be addressed differently.

Page 37

Receiving Misdirected e-Mail

SPAM - The best thing to do with it is to simply delete it prior to opening. The sender’s address and subject line usually give a hint to what type of e-Mail is being sent.

Attack - Unsolicited e-Mail may also be an attempt to verify your e-Mail address, using it as a “return receipt request” for future attacks or the gathering of information concerning you and your organization.

Scam - Recently a new email scam has been feeding on unsuspecting Internet users. The scam is a variation of the Nigerian scam that is hitting email accounts all over the world.

Page 38

UAPD Recommendations

• Do not reply to it

• If you receive the solicitation via email and have suffered no financial loss, then forward this email to the United States Secret Service at [email protected]

Page 39

UAPD Recommendations

• If you receive the solicitation via letter, you can notify the UAPD if the letter was received on campus, or the local law enforcement agency if received off campus

• If you have suffered a financial loss, the local United States Secret Service office needs to be contacted for their investigation

• Telephone number for the Secret Service office in Tucson is 670-4730

Page 40

Forwarding E-Mail

Attachments and Contents - review all contents and any attachments and the information contained in the email

Viruses - Scanning e-Mail and attachments needs to be a common practice when opening, sending and forwarding e-Mails

Correct addresses - ensure you are using a correct e-Mail address to forward e-Mail

Page 41

What You Need To Know

Overview of University of Arizona E-mail Policies

Page 42

General Use Cautions

The ability of a recipient to forward a message, or accidentally respond to a listserv rather than an individual, may broadcast an e-mail message widely.

Remember that there is no way to guarantee that the purported sender of an e-mail message was in fact the real sender of the message. It is relatively easy to disguise an electronic identity.

Page 43

General Use Cautions

Printed e-mail official records should follow the hard-copy record retention and disposition schedules: http://w3.arizona.edu/~records/retention.html

Public records are much more broadly defined than official records and may be considered to include, in certain circumstances, any information including all e-mail produced or received on university provided systems. Public records, including e-mail, may be subject to disclosure under state public records law, or other applicable law, including by subpoena.

Page 44

General Use Cautions

• Do comply with all state and federal laws

• Do follow the normal standards of professional courtesy and conduct

• Do follow the official records retention and disposition policies and schedules

• Do respect copyright, proprietary rights, privacy laws

Page 45

Email Etiquette (Netiquette Do’s and Don'ts)

Page 46

What to Do ...

Write carefully. Once you send an e-mail message, you cannot take it back or make it disappear. The reality is that your messages may be saved for a very long time. They may also be read inadvertently by others, or forwarded to others without your knowledge.

Page 47

What to Do ...

Use upper and lowercase text. Using all uppercase letters means SHOUTING and can be offensive.

Sign your messages with at least your name. It's nice to add your e-mail address, too, since some e-mail programs make it difficult to see who the sender of the message was.

Page 48

What to Do ...

Address your messages carefully. Some addresses may belong to a group, even though the address appears to belong to just one person.

Respect copyrights. E-mail messages and news posts are included in the types of works that can be copyrighted.

Indicate humor or jokes with a sideways smiley face. :-) (The basic smiley is a colon, dash, and right parenthesis. There are many variations.) You can also include something like "<grin>" or "<sarcasm on>" to show your state of mind.

Page 49

What to Do ...

Be diplomatic. Criticism is always harsher when written, and e-mail can be easily forwarded.

Be calm. You may have misunderstood what was meant. Don't reply while you're still angry (this is called "flaming").

Be brief. Don't include background images, pictures, animations, etc. unless they are critical to your message. When replying to a message, you don't have to include the entire text of the original message. Include just enough to give the context of your response.

Page 50

What to Do ...

Watch out for viruses in attached files. Attached files are a common way to spread computer viruses. In Eudora, just receiving an attachment cannot infect your computer. But opening or running an attachment can.

If you don't know why you got an attachment, contact the sender directly to verify that it is what it appears to be. Some viruses can attach themselves without the sender even knowing it. It is also a good idea to scan all attachments with up-to-date antivirus software before opening them.

Page 51

What Not to Do ...

Don't forward chain mail! These messages tell you to send or forward them to several other people. Don't -- starting or continuing chain mail violates university policy.

Don't get fooled by Internet hoaxes and computer virus myths. Before you forward a so-called virus alert to everyone you know, check with the CCIT Helpdesk or one of the web sites linked here to see if it's for real.

Don't send unwanted e-mail. It can be regarded as harassment, which is governed by university policies and codes. Sending e-mail that someone else perceives as abusive or threatening may constitute criminal harassment.

Page 52

What Not to Do ...

Don't send numerous unsolicited messages ("junk mail"). Most people hate getting junk mail. It also slows down the networks and is generally a waste of valuable, limited resources.

Don't forge messages. Altering electronic communications to hide your identity or impersonate another person is considered forgery and violates university policy. Forgeries intended as pranks or jokes are still considered violations.

Don't forward e-mails unless you have the permission of the author. What they wrote may not have been intended for wider distribution, so it's always better to ask.

Page 53

Usenet Newsgroups: "Netiquette"

"A Primer on How to Work With the Usenet Community," by Chuq Von Rospach

Never forget that the person on the other side is human

Don't blame system administrators for their users' behavior

Be careful what you say about others

Be brief

Your postings reflect upon you; be proud of them

Think about your audience

Page 54

Be careful with humor and sarcasm

Use e-mail if you want only the person you are responding to to view your message

Read all follow-ups and don't repeat what has already been said

Double-check follow-up newsgroups and distributions

Be careful about copyrights and licenses

Cite appropriate references

When summarizing, summarize

Page 55

Use descriptive subjects in headers so that readers can avoid information they don't want (e.g. how a movie ends.)

Don't overdo signatures

Page 56

Incident Response

When you think of the words protect, detect and react in the realm of security, which areas do you think are the most important to you and to the University of Arizona?

Page 57

University of Arizona Contacts

Report All Virus Incidents Immediately to

Network Control (security related emergency) - 621-7999

Information Security

[email protected] 621-4482 or 626-8232

Security Incident Response Team (SIRT)

[email protected] 626-0100

Additional Resources

http://security.arizona.edu/

Page 58

Final Thoughts

Security Awareness mindset:

“I understand that there is the potential for some people to deliberately or accidentally steal, damage or misuse the data that is stored within my computer systems and throughout our University. Therefore, it would be prudent of me to support the University by trying to stop that from happening.”

SEC- -Y

Page 59

If not you, who?

If not now, when?