Security News
– Computer spyware is newest weapon in Syrian conflict: A U.S.-based antivirus software maker, which analyzed one of the viruses at CNN's request, said that it was recently written for a specific cyberespionage campaign and that it passes information it steals from computers to a server at a government-owned telecommunications company in Syria.
– Virus infects computer at CCSU (Central CT State Univ.): The virus that caused the infection was a variant of the malicious software ZBot, said James Estrada, spokesman of the university. According to him, except for the Social Security Numbers, no other private detail was compromised. Ctpost.com reported this on February 16, 2012.
– Computer Infections to Rise During #Oscars?
– NORIS system shut down over virus: A critical computer network is down after falling victim to a sophisticated worm. Friday, that system is down for the third day, impacting about 200 different agencies, including police departments, jails and courts all over northwest Ohio.
– High School student blamed for uploading virus to school PC
– 4-8% of computers in China have viruses
The List
Latest 5 virus alerts (Source: Sophos Anti-Virus)
– 2/27/12 W32/Autorun-BUY
– 2/27/12 Troj/ZBot-BNF
– 2/27/12 Troj/ZBot-BNE
– 2/27/12 Troj/JavaSMS-L
– 2/27/12 Mal/ZboCheman-A
Top 5 viruses in October 2010 (Source: Sophos Anti-Virus)
1 Troj/Invo-Zip
2 W32/Netsky
3 Mal/EncPk-EI
4 Troj/Pushdo-Gen
5 Troj/Agent-HFU
Security Myths
– Why should I care? I have nothing to hide.
– There is nothing on my computer that anyone would want.
– I have the best security set-up. I have a firewall/virus program.
– Hackers usually go after big companies.
– I use a Mac!
Quick Check!
On your own (5 minutes) – on the cards
1. Your name
2. What is computer security?
3. List 2 ways in which users put themselves at risk
4. On a scale of 1-10 (1=never safe, 10=totally secure), how safe do you feel from computer threats (viruses, worms, hackers, etc.)?
5. On a scale of 1-10 (1=never, 10=always), how often do you protect your computer from viruses?
6. On a scale of 1-10 (1=never, 10=always), how often do you provide personal information on the web?
What is the goal of Computer Security?
To prevent and detect unauthorized actions by users of the system
How do you achieve Computer Security?
– Security principles/concepts: explore general principles/concepts that can be used as a guide to design secure information processing systems
– Security mechanisms: explore some of the security mechanisms that can be used to secure information processing systems
– Physical/Organizational security: consider physical & organizational security measures (policies)
Take a class in SECURITY
Get certified – CISSP
Security Defined
What is Computer Security (in reality)?
– Confidentiality: prevent unauthorized disclosure of information
– Integrity: prevent unauthorized modification of information
– Availability: prevent unauthorized withholding of information
CIA model is the basis of Information Assurance
Additional criteria:
• Authenticity, accountability, reliability, safety, dependability, survivability, currency, etc.
Security Defined (CIA)
Confidentiality: prevent unauthorized disclosure of information
• privacy: protection of private data
• secrecy: protection of organizational data
• https:// pgp ssh ipsec
Integrity: prevent unauthorized modification of information
• Preventing unauthorized writing or modifications
• Access control
Availability: prevent unauthorized withholding of information
• Services are accessible and usable (without undue delay) whenever needed by an authorized entity
• 24/7 – no DoS
Security Defined (CIA)
[Diagram: Confidentiality, Integrity and Availability around "Secure"]
Beyond CIA
Accountability
– Actions affecting security must be traceable to the responsible party (audits)
– Audit information must be kept and protected (compliance with SOX)
– Access control is needed
Reliability
– deals with accidental damage (do you get consistent performance)
Dependability
– reliance can be justifiably placed on the system (similar to integrity)
Survivability/Disaster Recovery/Business Continuity
– deals with the recovery of the system after massive failure (especially after 9/11)
Finding a Balance
• Security policies interfere with working patterns, and can be very inconvenient
• Require a focus on new workflows
• Security mechanisms need additional computational resources
• Security should be a forethought
• Managing security requires additional effort and costs
• ROI is hard to determine
• Ideally, there should be a trade-off
Finding a Balance
[Figure: The Dimensions of Computer Security. Vertical axis: Application Software to Hardware. Horizontal axis: User (subject) to Resource (object).]
Asking the Right Questions
– Should protection focus on data, operations, or users? (See the onion.)
– In which layer should we place security? Could we place it in all layers?
– Should security focus on simplicity (i.e., complexity, assurance, one password entry, lots of passwords)?
– Should security control tasks be given to a central entity, or left to individual components (i.e., people, departments, divisions, etc.)?
– Who controls the security policy?
[Diagram: the onion, with layers Hardware, OS, Services, Applications]
Hardware
– Hardware is more visible to criminals
– It is easier to add/remove/change hardware devices, intercept traffic, flood devices with traffic, and in general control hardware devices’ functionality
– Hardware is ignored in security training
– Hardware can also be removed – VA laptop, DOD laptop, hard drives lost, etc.
– Ex.: UNC. Since Jan. 1, the Chapel Hill Police Department has received reports of the theft of 45 laptops. Some were reportedly stolen in residential or business break-ins, others were taken during armed robberies or when their owners left them unattended.
Software
– Interruption (deletion): surprisingly easy!
– Modification:
• Logic bomb – failure occurs when certain conditions are met
• Buffer overflow – similar to logic or programming error
• Virus – a specific Trojan horse that can be used to spread its “infection”
• Worm – self-reproducing program (usually spreads through e-mails)
• Trapdoor – a program that has a specific entry point
– Interception (theft): unauthorized copying
Software Phishing Ex.: During the 12 months that ended in May 2005, 73 million American adults who use the Internet said that they "definitely" received or "thought they received" an average of more than 50 phishing e-mails. That number was 28 percent higher than the previous year. Where do they originate?
Data Data are readily accessible Attacks on data are more widespread Data are everywhere …. We give it away to everyone! Fill out a credit card application, get a free water bottle/coffee cup/t-shirt What’s your zip code, your phone number, etc?
Who is ptwhitelabel.com
Jonathan Harris, a UC Davis graduate who runs the Web site Pooltracker.com from his Placerville home
Attacks
The United States Department of Commerce has compiled a list of the general categories of computer attacks (Security Glossary):
• Remote or Local Penetration
• Remote or Local DoS
• Scanning (Ethereal)
• Password Crackers
• Sniffers
Protections
Basics
– Firewall (Zone Alarm, Norton, hardware solutions)
– Anti-virus (McAfee, Norton, Symantec)
– Patches (automatic updates)
– Strong passwords (> 20 characters)
– Where is your data? How is it protected? Do you have it backed up?
Looking for Security News Sans Pulse Shadow Cert
Risk Assessment
A process of ………
– Including a Business Impact Analysis
– Identifying assets and ranking them
– Identifying risks and ranking them
– Associating specific risks with critical assets
– Recommending actions to be taken
See http://security.fsu.edu
Risk Assessment Don’t assume physical security!!!! VA laptop, DOD laptop, Los Alamos HD issue Why steal just the data when you can steal the hardware? Faculty offices, student laptops in libraries
Risk Assessment
Use strong passwords on all accounts
– More than 20 characters
– Limited by keyboard
– Under 14 characters is “crackable”
Your password is a very important secret
Select one you can remember (new rules)
You can remember a long password (Peter Henry Thesis)
Risk Assessment
Passwords
– Change yours often!
– Don't leave yours lying around!
– The longer the better!
– Don't share yours with friends!
– FYI – in healthcare, people write down passwords all the time
– CHECK! (# passwords 1, 2, 3, 4, 5, 6, recycle)
Technology Approaches
Operating system software
– Keep it updated with necessary patches
Patching
– Make sure your computer has the latest operating system release
– Auto setting is the best!
– New security bugs are discovered all the time
– Remember the CERT website
Technology Approaches
Firewall (hardware or software)
– permits passage of data based on security policies
Virtual Private Network (VPN)
– private communications over public networks (secured through authentication, cryptography, tunneling protocols) using IPsec (IP Security), SSL (tunneling), and others …
Technology Approaches
• Hardware can be replaced
 - Keep serial numbers in a secure location
• Application software can be reloaded
 - Know what you have installed
• Data could be gone forever
• Data could be gone forever
• Data could be gone forever
• Data could be gone forever
• Ensure that adequate backups for your systems are done on a regular basis
REMINDER!
DATA COULD BE GONE FOREVER!
DON'T BE ME!
Web Sites
– Understand that e-mail is not secure.
– KaZaA, etc. turned your computer into a distributor so that people can download from your machine!
– NOTE: 45% of free files collected by KaZaA contained viruses, Trojan horse programs and backdoors.
– Sometimes you don't even know you are responsible for security violations – your computer gets hacked and is used to hack others (you have no idea it's being done).
E-mail & Social Engineering
E-mail:
– A day-to-day necessity in our educational environment
– We take it for granted
Social Engineering
– “Smooth-talking your way into a system”
– Common types of social engineering:
• Impersonation / Important user / Pre-texting
• You can find out information on Facebook / MySpace
• Surplus equipment, Tallahassee (Cash for Trash)
• War-driving & dumpster diving
Solutions
None! (Well, none that are completely secure.)
Assume you will be compromised. The task is to get back up and running.
http://security.fsu.edu/
– Reporting
– Setting up VPN at FSU
– Subscribe to CERT
– Subscribe to US-CERT
Getting a JOB
Computer Security (Network Security)
Information Assurance
– The technical and managerial measures designed to ensure the confidentiality, possession/control, integrity, authenticity, availability, and utility of information and information systems. This term originated with government usage and is sometimes synonymous with information security.
– Become a CISSP