Transcript of "IT Security in a Scientific Research Environment"

  1. Computer Security Awareness, Social Engineering and Physical Security in a Scientific Research Environment - Nicholas Davis, MBA, CISA, CISSP, DoIT Security, Nov 20, 2012. Free Powerpoint Templates Page 1
  2. Introduction
     • Background
     • Thank you for the invitation
     • Today's topic: Security Awareness, Computer Security, Physical Security
     • Importance to the scientific research field
     • Identification vs. Authentication
     • Social Engineering
     • Pretexting
     • Phishing
     • QR Code Danger
     • Social Networks
     • Passwords
     • Malware
     • Baiting
     • Identity Theft: How, Avoiding, Responding
     • Physical Security
     • Sharing of information with the public
  3. Technology Is Not The Answer
     Strong computer security has two components:
     The Technology: passwords, encryption, endpoint protection such as anti-virus.
     The People: you, your customers, your business partners.
     Today, we will talk about both components.
  4. Social Engineering
     The art of manipulating people into performing actions or divulging confidential information. It is typically trickery or deception for the purpose of information gathering, fraud, or computer system access.
  5. Most Popular Type of Social Engineering
     Pretexting: an individual lies to obtain privileged data. A pretext is a false motive. Pretexting is a fancy term for impersonation. A big problem for computer Help Desks in all organizations.
     Example: some steps the UW-Madison Help Desk takes to avoid pretexting.
  6. Identification Without Authentication
     Rapidly establishing a trust relationship, then trying to exploit it. "I am Bucky Badger, therefore you should let me in to see Barry Alvarez."
     Ask yourself: could this person have a motivation to be less than truthful? Ask for ID. Does it look legit?
  7. Identification by Impression
     Fake badges, uniforms, logos, confidence, dress, body language, tone of voice, knowledge of specific information.
     What could be learned by a stranger who observes your work environment? Examples from the audience!
  8. Getting Access By Any Means
     Steal, read, modify, deploy. Manipulate you to: reveal information, perform actions.
  9. How They Do It
     User interfaces, phone, email, letters and documents, instant messaging and phone texting, media (CDs, USB drives, etc.).
  10. Let's Think of an Electronic Pretexting Example
     "Dear Windows User, It has come to our attention that your Microsoft windows Installation records are out of date. Every Windows installation has to be tied to an email account for daily update. This requires you to verify the Email Account. Failure to verify your records will result in account suspension. Click on the Verify button below and enter your login information on the following page to Confirm your records. Thank you, Microsoft Windows Team."
  11. Phishing
     • Deception, but not just in person
     • Email
     • Websites
     • Facebook status updates
     • Tweets
     • Phishing, in the context of the scientific research working environment, is extremely dangerous
  12. Phishing History
     • Phreaking: the term for making phone calls for free, back in the 1970s
     • Fishing is the use of bait to lure a target
     • Phreaking + Fishing = Phishing
  13. Phishing 1995
     • Target: AOL users
     • Account passwords = free online time
     • Threat level: low
     • Techniques: similar names, such as www.ao1.com for www.aol.com
  14. Phishing 2001
     Target: eBay and major banks. Credit card numbers and account numbers = money. Threat level: medium. Techniques: the same as in 1995, as well as keyloggers.
  15. Keyloggers
     • Tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored
     • Software or hardware based
  16. Phishing 2007
     Targets are PayPal, banks, eBay. Purpose: to steal bank accounts. Threat level is high. Techniques: browser vulnerabilities, link obfuscation.
  17. Don't Touch That QR Code
     • Just as bad as clicking on an unknown link
     • Looks fancy and official, but is easy to create
  18. Phishing in 2013
     • Trends for the coming year
     • Identity information
     • Personal harm
     • Blackmail
  19. Looking In the Mirror
     • Which types of sensitive information do you have access to?
     • What about others who share the computer network with you?
     • Think about the implications of that data being stolen and exploited!
  20. What Phishing Looks Like
     • As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
     • They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
  21. Techniques For Phishing
     • Employ visual elements from the target site
     • DNS tricks: www.ebay.com.kr, www.ebay.com@192.168.0.5, www.gooogle.com
     • Unicode attacks
     • JavaScript attacks
     • Spoofed SSL lock certificates
     • Phishers can acquire certificates for domains they own
     • Certificate authorities make mistakes
  22. Social Engineering Techniques
     Often employed in phishing to lower your guard:
     1. Threats – Do this or else!
     2. Authority – I have the authority to ask this.
     3. Promises – If you do this, you will get money.
     4. Praise – You deserve this.
  23. How to Know if You Are Being Socially Engineered
     • You know that what you are doing is wrong
     • The situation feels weird or unusual to you
     • You are being rushed to do something
     • You are in a situation in which you can't contact a person of authority to make a decision
     • Lots of name dropping is going on
     • You feel like you might offend someone if you don't follow through
  24. Phishing Techniques
     • Socially aware attacks
     • Mine social relationships from public data
     • Phishing email appears to arrive from someone known to the victim
     • Use the spoofed identity of a trusted organization to gain trust
     • Urge victims to update or validate their account
     • Threaten to terminate the account if the victims do not reply
     • Use a gift or bonus as bait
     • Security promises
  25. Let's Talk About Facebook
     • So important, it gets its own slide!
     • Essentially unauthenticated – discussion
     • Three friends and you're out! – discussion
     • Privacy settings mean nothing – discussion
     • Treasure trove of identity information
     • Games as information harvesters
  26. Socially Aware
  27. Context Aware
     "Your bid on eBay has won!" "The books on your Amazon wishlist are on sale!"
  28. Seems Suspicious
  29. 419 Nigerian Email Scam
  30. Too Good to be True, Even When It Is Signed
  31. Detecting Fraudulent Email
     Information requested is inappropriate for the channel of communication: "Verify your account." Nobody should ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail.
     Urgency and potential penalty or loss are implied: "If you don't respond within 48 hours, your account will be closed."
  32. Detecting Fraudulent Email
     "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
  33. Detecting Fraudulent Email
     "Click the link below to gain access to your account." This is an example of URL masking (hiding the web address).
     URL alteration: www.micosoft.com, www.mircosoft.com, www.verify-microsoft.com
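The DNS tricks on slide 21 and the URL alterations on slide 33 can be checked mechanically before anyone clicks. The Python below is an added example, not material from the deck; the trusted-domain list, the look-alike thresholds and the two-label registrable-domain rule are assumptions made for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list of the brands the slides' examples impersonate
# (assumption: a real deployment would use the organisation's own list).
TRUSTED_DOMAINS = {"aol.com", "ebay.com", "google.com", "microsoft.com", "paypal.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumption: suffixes such as co.uk are not special-cased)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def analyse_url(url: str) -> list[str]:
    """Return the reasons a link looks deceptive; an empty list means nothing was found."""
    if "://" not in url:
        url = "http://" + url            # the slides quote bare hostnames
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.username is not None:
        # www.ebay.com@192.168.0.5: everything before '@' is a login name the
        # browser throws away; the real destination is what follows it.
        findings.append(f"user info '{parts.username}' hides the real host '{host}'")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append(f"destination is a bare IP address ({host})")
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return findings
    label = reg.split(".")[0]
    for brand in TRUSTED_DOMAINS:
        name = brand.split(".")[0]
        if name in host:
            # www.ebay.com.kr, www.verify-microsoft.com: the brand is only a
            # label inside a domain the brand does not own.
            findings.append(f"'{name}' appears inside the unrelated domain '{reg}'")
        elif edit_distance(label, name) <= (2 if len(name) >= 8 else 1):
            # www.ao1.com, www.gooogle.com, www.micosoft.com, www.mircosoft.com
            findings.append(f"'{reg}' is a look-alike of '{brand}'")
    return findings


def is_suspicious(url: str) -> bool:
    return bool(analyse_url(url))
```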
  34. How to Defend Against Phishing Attacks
     • Never respond to an email asking for personal information
     • Always check the site to see if it is secure (SSL lock)
     • Look for misspellings or errors in grammar
     • Never click on the link in the email; enter the web address manually
     • Keep your browser updated
     • Keep antivirus definitions updated
     • Use a firewall
     • When in doubt, ask your Network Administrator for their opinion
  35. A Note on Spear Phishing
     • Designed especially for you
     • Includes your name
     • May reference an environment or issue you are aware of and familiar with
     • Asks for special treatment, with justification for the request
  36. Other Techniques
     An ocean of phishing techniques:
     • Clone phishing – discussion
     • Whaling – discussion
     • Filter evasion – discussion
     • Phone phishing – discussion
     • Tabnabbing – discussion
     • Evil twins – discussion
  37. Passwords
     Your password is your electronic key to valuable resources; treat it like your house key!
     Sharing – discussion. Theft – discussion. Password rotation – discussion.
  38. Creating a Strong Password
     The following two rules are the bare minimum you should follow when creating a password.
     Rule 1 – Password length: stick with passwords that are at least 8 characters in length. The more characters in the password the better, as the time taken by an attacker to crack the password will be longer. 10 characters or longer is better.
     Rule 2 – Password complexity: at least 4 characters in your password should be one each of the following:
  39. Creating a Strong Password
     1. Lower case alphabets
     2. Upper case alphabets
     3. Numbers
     4. Special characters
     Use the "8 4 Rule": 8 = 8 characters minimum length; 4 = 1 lower case + 1 upper case + 1 number + 1 special character.
     Do not use a password strength checking website! Any ideas why this is a bad idea?
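The "8 4 Rule" on slides 38 and 39 can be checked locally, which also answers the closing question: a check you run yourself never hands the password to a third-party website. The Python below is an added example, not part of the deck; the brute-force guess rate is a constructed assumption used only to show how rule 1 (length) changes the result.

```python
import string

# The four character classes named on slide 39 (the "4" in the 8 4 Rule).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "number": set(string.digits),
    "special": set(string.punctuation),
}


def missing_classes(password: str) -> list[str]:
    """Names of the classes the password still lacks (empty list = rule 2 is met)."""
    present = set(password)
    return [name for name, chars in CLASSES.items() if not present & chars]


def check_8_4_rule(password: str) -> list[str]:
    """Every violation of the 8 4 Rule; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append(f"length {len(password)} is below the 8-character minimum")
    problems += [f"no {name} character" for name in missing_classes(password)]
    return problems


def brute_force_years(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to exhaust the keyspace implied by the classes actually used.

    The guess rate is an assumption, not a figure from the slides; what matters
    is that the result grows by a factor of the alphabet size per extra character
    (rule 1), which is why 10 characters are so much better than 8.
    """
    alphabet = sum(len(chars) for name, chars in CLASSES.items()
                   if name not in missing_classes(password))
    if alphabet == 0:
        return 0.0
    combinations = alphabet ** len(password)
    return combinations / guesses_per_second / (365 * 24 * 3600)
```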
  40. Adware, Malware, Spyware
     Adware – unwanted ad software which is noticed.
     Malware – unwanted software which is noticed and potentially causes harm.
     Spyware – unwanted software which goes un-noticed and harvests your personal information.
     Use endpoint protection!
  41. CIO.WISC.EDU/SECURITY
  42. Adware, Malware, Spyware
     How these get on your computer: email, web pages, downloaded software, CD, USB flash drive; sometimes, out of the box.
  43. Trojan Malware
  44. Baiting
     Hey, look! A free USB drive! I wonder what is on this confidential CD which I found in the bathroom? These are vectors for malware! They play on your curiosity or desire to get something for nothing. Don't be a piggy!
  45. Social Engineering Methods
     Using the Out of Office responder in a responsible manner.
  46. Synthetic Identity Theft
     A variation of identity theft which has recently become more common is synthetic identity theft, in which identities are completely or partially fabricated. The most common technique involves combining a real social security number with a name and birthdate other than the ones associated with the number.
  47. How Does Identity Theft Happen
     Let's talk through the attached paper handout, entitled "Techniques for obtaining and exploiting personal information for identity theft". Look through the list and think to yourself, "Could this apply to me?" If so, think about taking steps to avoid it.
  48. Tips To Avoid Identity Theft
     1. Only make purchases on trusted sites
     2. Order your credit report
     3. Know how to spot phishing
     4. Secure your network
     5. Can the spam
     6. Don't store sensitive information on non-secure web sites
     7. Set banking alerts
     8. Don't reuse passwords
     9. Use optional security questions
     10. Don't put private information on public computers
  49. If Your Identity Is Stolen (WORK)
     1. Contact your supervisor immediately
     2. Report the incident to the Office of Campus Information Security (OCIS): http://www.cio.wisc.edu/security-report.aspx
     3. Contact the DoIT Help Desk
     4. Contact UW Police, depending on the nature of the incident. Consider your personal safety! "Better safe than sorry"
  50. Physical Security
     • The UW is a fairly open and shared physical environment
     • Seeing strangers is normal; we won't know if they are here as friend or foe
     • Lock your office
     • Lock your desk
     • Lock your computer
     • Criminals are opportunistic
     • Even if you are just gone for a moment
     • Report suspicious activity to your administration and UW Police
     • If you have an IT related concern, contact the Office of Campus Information Security
  51. Forget About Being Polite
     Don't hold the security door for anyone, and beware of tailgaters. Be truthful, explain why... People will understand.
  52. Sharing Information With The Public
     • The University of Wisconsin is an open environment
     • However, on occasion, this open nature can be exploited by people with nefarious intent
     • Don't volunteer sensitive information
     • Only disclose what is necessary
     • Follow records retention policies
     • When in doubt, ask for proof; honest people will understand, dishonest people will become frustrated
  53. Publishing of Information
     Consider carefully before publishing and disseminating information, such as phone directories and business cards. Sadly, obituaries are a great place to learn the answer to the most annoying password recovery question: "What is your mother's maiden name?"
  54. We Have So Much More To Talk About
     • Security Awareness matters not just to you, but to the University of Wisconsin as a whole
     • Security Awareness is an important facet of everyone's work
     • My actions impact you
     • Your actions impact me
     • Security Awareness is an ever changing and evolving area, which requires constant attention
     • DoIT is here as a resource for you
     • Let us know how we can help
     • Let me know if I can help
     • Don't be afraid to ask questions
     • Better safe than sorry
  55. A Picture Is Worth 1000 Words
  56. Questions and Discussion
     Nicholas Davis, ndavis1@wisc.edu, 608-262-3837, facebook.com/nicholas.a.davis