Controls can be administrative, technical or physical
More on the goal of Information Security. Talk about the CIA Triad
Technology is only part of information security; people and policy are just as important (if not more so) than the technology itself. People at all levels are involved. This includes the IT people responsible for implementing, configuring, maintaining and monitoring the technology (do they have the required knowledge and understanding?), the people in charge of policy and compliance, and lastly the end user.

Personal computers comprise a large percentage of those 1.3 billion connected devices and have become an increasingly popular target for the bad guys. If you own, use or do business with someone that uses a computer, you are the last layer of defense against the rapidly growing computer security threats in cyberspace. The only way to ensure protection of your computer and/or sensitive, confidential or regulatory-protected data is to take responsibility by understanding the threats as well as the layers to defend against them. Technology alone cannot keep us secure. People are the last layer of defense. Security is everyone's responsibility! Sec-U-R-IT-y………You Are It!
Trojans – software downloads (Kazaa)
Viruses – emails
Zombies or botnets
Phishing (identity theft)
Spyware
Most incidents are unintentional and can be avoided.
Kelley: According to Internetworldstats.com, there are slightly over 1.3 billion internet users worldwide. Approx. 19% (18.9%), or 237 million, are from North America; that means the other 81% are from the rest of the world. Once connected to the internet, your computer is accessible to those users. Car analogy: private driveway or road versus main highway.

The 1950s American bank robber Willie Sutton was asked why he robbed banks. He said he robbed banks because, "That's where the money is." Today it's in cyberspace. Also talk about physical crime (stealing a car) being a one-to-one relationship. Cybercrime is one to a billion. Besides the one-to-a-billion ratio, the criminal can be anonymous and located anywhere.

It's not about you, it's about gaining access to your system to collect your personal information, to use your computer to launch attacks, or simply to use your hard drive to store pirated movies and music files. A compromised computer provides access to all accounts, keystrokes, and data. Account and keystroke information can be used to access other resources. Exposure includes:
Operational difficulties
Email and documents
Financial transactions
Identity theft
Criminal use of computer
Defense in Depth or Layers of Defense. Equate this to home security: my house (front wall with a gate, security iron on windows and doors, a large dog, 2 locks on the door) versus my neighbor (no wall or gates in front, no security iron, and oh yeah, let's not forget their Chihuahua). Which house would a thief be more likely to break into? If you have some (ideally all) of these measures in place (personal firewall, anti-virus, up-to-date software, strong passwords, as well as the education to know that you really can't trust everything you get via email) versus someone that does not have security practices, who is more likely to have their computer compromised? It's the same as my house analogy: it's not that they absolutely can't get in, it will just take more time and effort.

Anti-Virus: installed, running and updated regularly. Site-licensed anti-virus (Sophos) is free for faculty, staff and students. You can only have one anti-virus application installed; this applies if you already have an anti-virus, even if it is not up to date.

Anti-Spyware: spyware used to be used for tracking browsing habits; today spyware can be much more malicious in intent. Keyloggers are the latest type of spyware; a keylogger, when downloaded on your computer, captures everything you type. Several free versions are listed on the computer security resources handout. Unlike anti-virus, you can and should consider having at least two. The first time you run it, it is not uncommon to find 200 – 300 instances, many of which are cookies.

Physical Security
OS and Application Patches (Auto Updates)
Session Controls
Limited Use of Privileged Accounts
Encrypted Communications
Strong Passwords

I will talk in more detail on the next several slides about the last 4 elements, as I believe these are currently the areas of greatest exposure to end users. This is because even if you have the others in place (the AV, anti-spyware, current OS patches, etc.), the lack of these last 4 safeguards can and will circumvent those.
Also because ultimately the data is where the money is for cybercriminals.
Passwords…..if I could get you to think differently about one thing today, it would be to have a better understanding of the importance of creating (AND NOT SHARING) a strong password. A password is essentially the last layer of defense for your computer and personal information. You can have every other safeguard in place; if someone gets your password they are now able to access the information. The best example for students is sharing their NetID with a "friend" or "significant other"; sometime after that the relationship ends, and now that person can access anything of yours with your NetID and password. I have had multiple reports of students having their classes canceled by these "friends" that are no longer "friends".

Do not log on as administrator on a daily basis. That is only needed when you need or want to install or update software. If you log on with these privileges all the time, that means when you visit a website with malicious intent, the bad guy can just as easily install malicious software.

Lock your computer if you are going to be away from it, so that anyone that wanders by cannot gain access to your computer and information.
WPA2 – Wi-Fi Protected Access. PEAP – Protected Extensible Authentication Protocol, Protected EAP, or simply PEAP (pronounced "peep"). Guest requires UA sponsorship (not bandwidth or port limited; also not secure). Public (bandwidth and port limited; also not secure).
If you have a wireless router set up at home, you need to make sure that it is configured securely.

Airports, Hotels, Conferences: use of unsecured wireless "hot spots". Limit what you do when connected. Do not access anything sensitive unless it is secure (https instead of http). Use UA's site-licensed VPN client to connect to University systems and services.
ISL Awareness Training
Information Security Liaison Awareness Training
Kelley Bogart, CISSP
Senior Information Security Specialist
University Information Security Office
What is Information Security?
Program / Process (not a Project)
Never 100%
Risk Management
Improve Security Posture
Changing Security Landscape
Threats (motives)
Countermeasures
Goal of Information Security
To ensure the confidentiality, integrity and availability (CIA) of critical systems and confidential information.
(Diagram labels: Protected Confidential Information; Critical Systems)
CIA Triad
Confidentiality: to ensure protection against unauthorized access to or use of confidential information.
Integrity: to ensure the accuracy and completeness of information to protect university business processes.
Availability: to ensure that information and vital services are accessible for use when required.
(Diagram labels around the triangle: storage, transmission, disposal)
Information Security Domains
1. Access Control
2. Application Security
3. Business Continuity and Disaster Recovery Planning
4. Cryptography
5. Information Security and Risk Management
6. Legal, Regulations, Compliance and Investigations
7. Operations Security
8. Physical (Environmental) Security
9. Security Architecture and Design
10. Telecommunications and Network Security
What is Security Awareness?
Security awareness is the knowledge, skill and attitude an individual possesses regarding the protection of information assets. Being security aware means you understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse your account, computer or the data stored on your computer. Awareness of the risks and available safeguards is the first line of defense for the security of information, systems and networks.
Security Awareness
Includes information about how to: Protect, Detect, React
Knowledge, Skill and Attitude: The What, The How, The Why
Include WIIFM: What's in it for me?
Culture Change
Defense in Depth
Layers: Network, Host, Application
Safeguards: Anti-Virus; Anti-Spyware; Encrypted Communication; Session Controls; Limit Use of "Privileged" Accounts; Strong Passwords; OS and App Patches; Physical Security
Account Access Controls
Passwords: Strong, Not Shared, Storage
Accounts: Limit use of Privileged Accounts
Session Controls: Password-protected screensaver; Ctrl-Alt-Delete (Enter) or Windows-L
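The "strong, not shared" password point made in the speaker notes and on this slide can be turned into a concrete check. The following is an added example, not code from the training deck or from the University Information Security Office: a small policy checker that rejects short passwords, passwords with too few character classes, commonly used passwords, passwords containing the account name (NetID), keyboard sequences and runs of repeated characters. The 12-character minimum, the three-of-four character-class rule and the tiny common-password list are assumptions; the deck itself does not define "strong".

```python
"""Password policy check: added example, not from the awareness training deck.

Thresholds and the common-password list are assumptions; adapt them to the
organisation's own password standard and a real breached-password list.
"""
import re
from typing import List

MIN_LENGTH = 12  # assumption: the deck says "strong" without defining a length

# Constructed sample of commonly used passwords (a real check would use a
# large breached-password list, not six entries).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "wildcat"}

# Keyboard rows used to spot sequences such as "qwer" or "1234".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def _has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            chunk = row[i:i + run]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def _has_repeat(pw: str, n: int = 3) -> bool:
    """True if any character appears n or more times in a row (e.g. 'aaa')."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def check_password(password: str, netid: str = "") -> List[str]:
    """Return the policy rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
        re.search(r"\d", password), re.search(r"[^A-Za-z0-9]", password),
    ]
    if sum(1 for c in classes if c) < 3:
        failures.append("fewer than 3 of: lowercase, uppercase, digit, symbol")
    low = password.lower()
    # Reject the password if it is, or contains, a commonly used password.
    if low in COMMON_PASSWORDS or any(w in low for w in COMMON_PASSWORDS if len(w) >= 6):
        failures.append("contains a commonly used password")
    if netid and len(netid) >= 3 and netid.lower() in low:
        failures.append("contains the account name")
    if _has_keyboard_run(password):
        failures.append("contains a keyboard sequence (e.g. 'qwer', '1234')")
    if _has_repeat(password):
        failures.append("contains 3+ repeated characters")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs; the NetID "jsmith" is a placeholder.
    for candidate in ("password123", "Wildcat2024!", "Correct-Horse-Battery-9"):
        problems = check_password(candidate, netid="jsmith")
        print(candidate, "->", "OK" if not problems else "; ".join(problems))
```

The checker returns every rule the password fails rather than stopping at the first, which is what a user-facing form needs in order to explain the rejection. Note that no check of this kind addresses the sharing problem the notes describe; a strong password given to a "friend" is still a shared password.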
Wireless – On Campus
Use only UAWifi (not public)
Security (WPA2 & PEAP)
No Rate or Port limitation
http://uawifi.arizona.edu
Use of Other Wireless
Home:
Change default admin username and password
Configure to use encryption (avoid WEP, use WPA or WPA2)
Do not Broadcast SSID
Ask your computer-savvy friend to help you configure your home wireless to use encryption
Wireless Security Page (on Computer Security Resource handout)
Other: Airports, Hotels, Conferences, "Free" WiFi Hotspots
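The home-router items on this slide (and the "configure it securely" advice in the notes) can be checked against the access point's own configuration file. Below is an added example, not from the training deck or the university's wireless security page, that audits a hostapd-style configuration: the keys wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wpa_passphrase, wep_key0 and ignore_broadcast_ssid are real hostapd.conf options, while both configuration texts, the list of vendor-default SSIDs and the 12-character passphrase minimum are constructed assumptions. The "change the default admin username and password" item lives in the router's management interface rather than in this file, so it is not something this audit can see.

```python
"""Audit a hostapd-style access point configuration: added example, not from the deck.

Both configurations below are constructed; the option names are real hostapd.conf keys.
"""
from typing import Dict, List

# Constructed: a typical out-of-the-box home router (open network plus a WEP key).
WEAK_CONF = """
interface=wlan0
ssid=linksys
channel=6
wpa=0
wep_default_key=0
wep_key0=0123456789
ignore_broadcast_ssid=0
"""

# Constructed: the same router after following the slide's advice.
HARDENED_CONF = """
interface=wlan0
ssid=home-net-7f3a
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple
ignore_broadcast_ssid=1
"""

# Assumption: network names that reveal the vendor and ship as factory defaults.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}
MIN_PASSPHRASE = 12  # assumption; hostapd itself only requires 8


def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blanks and '#' comments (hostapd.conf syntax)."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_wireless(conf: Dict[str, str]) -> List[str]:
    """Return the findings for a parsed configuration; an empty list means no findings."""
    findings = []
    wpa = conf.get("wpa", "0")  # 0 = none, 1 = WPA, 2 = WPA2 (RSN), 3 = both
    if any(k.startswith("wep_key") for k in conf):
        findings.append("WEP keys configured: WEP is broken, use WPA2")
    if wpa == "0":
        findings.append("no WPA/WPA2 encryption enabled (wpa=0)")
    elif wpa == "1":
        findings.append("WPA (version 1) only: prefer WPA2 (wpa=2)")
    ciphers = set(conf.get("wpa_pairwise", "").split()) | set(conf.get("rsn_pairwise", "").split())
    if wpa != "0" and "TKIP" in ciphers:
        findings.append("TKIP cipher allowed: use CCMP (AES) only")
    if wpa != "0" and len(conf.get("wpa_passphrase", "")) < MIN_PASSPHRASE:
        findings.append(f"WPA passphrase shorter than {MIN_PASSPHRASE} characters")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID is broadcast (ignore_broadcast_ssid=0)")
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("SSID is a vendor default name")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit_wireless(parse_conf(text)) or "no findings")
```

The SSID-broadcast check is included because the slide asks for it, but hiding the network name is a minor measure next to WPA2 with CCMP and a long passphrase: the name is still visible in the traffic of any client that joins, so the encryption findings are the ones to fix first.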
Surf Safely
You know there are bad parts of town that you don't go to. The Internet is the same way – be wary!