Computer Security Awareness, Social Engineering and Physical Security in a Scientific Research Environment
Nicholas Davis
MBA, CISA, CISSP
DoIT Security
Nov 20, 2012
Free Powerpoint Templates
                              Page 1
Introduction
•   Background
•   Thank you for the invitation
•   Today’s Topic, Security Awareness,
    Computer Security, Physical Security
•   Importance to scientific research field
•   Identification vs. Authentication
•   Social Engineering
•   Pretexting
•   Phishing
•   QR Code Danger
•   Social Networks
•   Passwords
•   Malware
•   Baiting
•   Identity Theft: How, Avoiding,
    Responding
•   Physical Security
•   Sharing of information with the public

Technology Is Not The Answer
Strong computer security has two
components:

The Technology: passwords,
encryption, endpoint protection
such as anti-virus.

The People: You, your customers,
your business partners

Today, we will talk about both
components


Social Engineering

The art of manipulating
people into performing actions
or divulging confidential
information

It is typically trickery or
deception for the purpose of
information gathering, fraud,
or computer system access



Most Popular Type of Social Engineering
Pretexting: An individual lies to obtain
privileged data. A pretext is a false motive.

Pretexting is a fancy term for impersonation

A big problem for computer Help Desks, in all
organizations

Example:

Some steps the UW-Madison Help Desk takes
to avoid pretexting




Identification Without Authentication
Rapidly establishing a
trust relationship, then
trying to exploit it

“I am Bucky Badger,
therefore you should let
me in to see Barry
Alvarez”
Ask yourself: Could this
person have a motivation
to be less than truthful?

Ask for ID. Does it look
legit?



Identification by Impression
Fake Badges
Uniforms
Logos
Confidence
Dress
Body Language
Tone of Voice
Knowledge of Specific Information

What could be learned by a stranger, who observes your work environment?
Examples from the audience!

Getting Access By Any Means

Steal
Read
Modify
Deploy

Manipulate you to:
Reveal Information
Perform Actions

How They Do It
User Interfaces
Phone
Email
Letters and Documents
Instant Messaging and
Phone Texting
Media, CDs, USB drives,
etc.




Let’s Think of an Electronic Pretexting Example




   Dear Windows User,
   It has come to our attention that your Microsoft windows
   Installation records are out of date. Every Windows
   installation has to be tied to an email account for daily
   update.
   This requires you to verify the Email Account. Failure to
   verify your records will result in account suspension.
   Click on the Verify button below and enter your login
   information on the following page to Confirm your records.


   Thank you,

   Microsoft Windows Team.


Phishing

• Deception, but not just in
  person
• Email
• Websites
• Facebook status updates
• Tweets
• Phishing, in the context of
  the scientific research
  working environment is
  extremely dangerous


Phishing History

• Phreaking, a term for making
  phone calls for free back in the
  1970s
• Fishing is the use of bait to
  lure a target
• Phreaking + Fishing =
  Phishing




Phishing 1995

• Target AOL users
• Account passwords = free
  online time
• Threat level: low
• Techniques: Similar names,
  such as www.ao1.com for
  www.aol.com




Phishing 2001

Target: eBay and major banks
Credit card numbers and
account numbers = money
Threat level: medium
Techniques: Same as in 1995, as
well as keyloggers




Keyloggers
• Tracking (or logging) the keys
  struck on a keyboard, typically in
  a covert manner so that the
  person using the keyboard is
  unaware that their actions are
  being monitored
• Software or hardware based




Phishing 2007

Targets are PayPal, banks,
eBay
Purpose: to steal bank
accounts
Threat level is high
Techniques: browser
vulnerabilities, link
obfuscation




Don’t Touch That QR Code

• Just as bad as clicking on an
  unknown link
• Looks fancy and official, but
  is easy to create




Phishing in 2013

• Trends for the coming year

• Identity Information
• Personal Harm
• Blackmail




Looking In the Mirror
• Which types of sensitive
  information do you have access
  to?
• What about others who share the
  computer network with you?
• Think about the implications
  associated with that data being stolen
  and exploited!




What Phishing Looks Like
• As scam artists become more
  sophisticated, so do their phishing
  e-mail messages and pop-up
  windows.
• They often include official-looking
  logos from real organizations and
  other identifying information
  taken directly from legitimate
  Web sites.




Techniques For Phishing

•   Employ visual elements from target site
•   DNS Tricks:
    •   www.ebay.com.kr
    •   www.ebay.com@192.168.0.5
    •   www.gooogle.com
•   Unicode attacks
•   JavaScript Attacks
•   Spoofed SSL lock Certificates
•   Phishers can acquire certificates for
    domains they own
•   Certificate authorities make mistakes




Social Engineering Techniques
Often employed in Phishing, lower
your guard

1. Threats – Do this or else!
2. Authority – I have the authority
to ask this
3. Promises – If you do this, you
will get money
4. Praise – You deserve this




How to Know if You Are Being Socially Engineered
You know that what you are doing is wrong

The situation feels weird or unusual to you

You are in a situation in which you can’t contact a person of authority, to make a decision

You are being rushed to do something

Lots of name dropping is going on

You feel like you might offend someone if you don’t follow through

Phishing Techniques
•   Socially aware attacks
•   Mine social relationships from public
    data
•   Phishing email appears to arrive from
    someone known to the victim
•   Use spoofed identity of trusted
    organization to gain trust
•   Urge victims to update or validate their
    account
•   Threaten to terminate the account if the
    victims do not reply
•   Use gift or bonus as a bait
•   Security promises




Let’s Talk About Facebook
•   So important, it gets its own slide!
•   Essentially unauthenticated – discussion
•   Three friends and you’re out! - discussion
•   Privacy settings mean nothing – discussion
•   Treasure Trove of identity information
•   Games as information harvesters




Socially Aware




Context Aware

“Your bid on eBay has won!”
“The books on your Amazon wish
list are on sale!”




Seems Suspicious




419 Nigerian Email Scam




Too Good to be True,
Even When It Is Signed




Detecting Fraudulent Email
Information requested is inappropriate for
the channel of communication:

"Verify your account." Nobody should ask
you to send passwords, login names,
Social Security numbers, or other personal
information through e-mail.

Urgency and potential penalty or loss are
implied:

"If you don't respond within 48 hours,
your account will be closed."




Detecting Fraudulent Email
"Dear Valued Customer." Phishing e-mail
messages are usually sent out in bulk and
often do not contain your first or last
name.




Detecting Fraudulent Email
"Click the link below to gain access to
your account."

This is an example of URL Masking (hiding
the web address)

URL alteration


www.micosoft.com
www.mircosoft.com
www.verify-microsoft.com
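
The host-name tricks listed under "Techniques For Phishing" and the URL alterations above can be checked mechanically by parsing out the host a link really points to. The Python below is an added example, not part of the original slides; the allow-list `TRUSTED`, the function names and the finding labels are assumptions, and the registered domain is approximated as the last two labels rather than taken from a public-suffix list.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allow-list: domains the reader really does business with.
TRUSTED = ("aol.com", "ebay.com", "google.com", "microsoft.com")


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition, e.g. "mircosoft" for "microsoft".
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def inspect_link(url: str) -> list[str]:
    """Return the reasons a link's real host is not what it appears to be."""
    if "://" not in url:
        url = "http://" + url  # the slide examples omit the scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []

    # Everything before "@" is a user name, not the site being visited.
    if parts.username:
        findings.append(f"userinfo-before-@:{parts.username}")

    # A bare IP address hides who operates the server.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
        return findings
    except ValueError:
        pass

    labels = host.split(".")
    # Unicode look-alike characters or their punycode form.
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        findings.append("non-ascii-or-punycode-host")

    # Host is a trusted domain or a genuine subdomain of one.
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return findings
    if len(labels) < 2:
        return findings

    tail = ".".join(labels[-2:])  # approximation of the registered domain
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        if f".{trusted}." in f".{host}.":
            # Trusted name used as a prefix of someone else's domain.
            findings.append(f"trusted-name-as-subdomain:{trusted}")
        elif osa_distance(tail, trusted) <= 1:
            findings.append(f"lookalike:{trusted}")
        elif brand in labels[-2].split("-"):
            findings.append(f"brand-in-label:{trusted}")
    return findings


if __name__ == "__main__":
    # Host names taken from the slides, plus one genuine name for contrast.
    for sample in ("www.ebay.com.kr", "www.ebay.com@192.168.0.5",
                   "www.gooogle.com", "www.micosoft.com", "www.mircosoft.com",
                   "www.verify-microsoft.com", "www.microsoft.com"):
        print(f"{sample:28} {inspect_link(sample) or 'no findings'}")
```

An empty result only means none of these specific tricks was found; it does not show that a site is legitimate.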


How to Defend Against Phishing Attacks
• Never respond to an email asking
for personal information
• Always check the site to see if it is
secure (SSL lock)
• Look for misspellings or errors in
grammar
• Never click on the link in the
email. Enter the web address
manually
• Keep your browser updated
• Keep antivirus definitions updated
• Use a firewall
• When in doubt, ask your Network
Administrator for their opinion

A Note on Spear Phishing

• Designed especially for you
• Includes your name
• May reference an
  environment or issue you
  are aware of and familiar
  with
• Asks for special treatment,
  with justification for the
  request



Other Techniques
An ocean of Phishing techniques

• Clone Phishing - Discussion
• Whaling - Discussion
• Filter Evasion - Discussion
• Phone Phishing - Discussion
• Tabnabbing - Discussion
• Evil Twins - Discussion




Passwords

Your password is your electronic
key to valuable resources, treat it
like your house key!

Sharing – Discussion
Theft – Discussion
Password Rotation - Discussion




Creating a Strong Password
The following two rules are the bare minimum
that you should follow when creating a
password.

Rule 1 – Password Length: Stick with
passwords that are at least 8 characters in
length. The more characters in the
password the better, as the time taken by
an attacker to crack the password will be
longer. 10 characters or longer is better.

Rule 2 – Password Complexity: At least 4
characters in your password should be
one each of the following:



Creating a Strong Password
1. Lower case letters
2. Upper case letters
3. Numbers
4. Special characters

Use the “8 4 Rule”
8 = 8 characters minimum length
4 = 1 lower case + 1 upper case + 1
number + 1 special character.

Do not use a password
strength checking website!
Any ideas why this
is a bad idea?



Adware, Malware, Spyware
Adware – unwanted ad software which is
noticed
Malware – unwanted software which is
noticed and potentially causes harm
Spyware – unwanted software which goes
un-noticed and harvests your personal
information

Use endpoint protection!




CIO.WISC.EDU/SECURITY




Adware, Malware, Spyware
How these get on your computer:
Email
Web pages
Downloaded software
CD, USB flash drive
Sometimes, out of the box




Trojan Malware




Baiting

Hey, look! A free USB drive!
I wonder what is on this confidential CD
which I found in the bathroom?

These are vectors for malware!
They play on your curiosity or desire to get
something for nothing

Don’t be a piggy!




Social Engineering Methods

Using the Out of Office
responder in a responsible
manner




Synthetic Identity Theft

A variation of identity theft which has
recently become more common is
synthetic identity theft, in which identities
are completely or partially fabricated. The
most common technique involves
combining a real social security number
with a name and birthdate other than the
ones associated with the number.




How Does Identity Theft Happen
Let’s talk through the attached paper
handout, entitled:

“Techniques for obtaining and exploiting
personal information for identity theft”

Look through the list and think to yourself
“Could this apply to me?” If so, think
about taking steps to avoid it




Tips To Avoid Identity Theft
1.    Only Make Purchases On Trusted Sites
2.    Order Your Credit Report
3.    Know How To Spot Phishing
4.    Secure Your Network
5.    Can the Spam
6.    Don't Store Sensitive Information On Non-Secure Web Sites
7.    Set Banking Alerts
8.    Don't Reuse Passwords
9.    Use Optional Security Questions
10.   Don't Put Private Information On Public
      Computers




If Your Identity Is Stolen (WORK)
1. Contact your supervisor immediately
2. Report the incident to the Office of
   Campus Information Security (OCIS)
   http://www.cio.wisc.edu/security-report.aspx
3. Contact the DoIT Help Desk
4. Contact UW Police, depending on
   nature of incident. Consider your
   personal safety! “Better safe, than
   sorry”




Physical Security

•   The UW is a fairly open and shared
    physical environment
•   Seeing strangers is normal, we won’t
    know if they are here as friend or foe
•   Lock your office
•   Lock your desk
•   Lock your computer
•   Criminals are opportunistic
•   Even if you are just gone for a moment
•   Report suspicious activity to your
    administration and UW Police
•   If you have an IT related concern,
    contact the Office of Campus
    Information Security



Forget About Being Polite


Don’t hold the security door for anyone and beware of tailgaters

Be truthful, explain why… People will understand

Sharing Information With The Public
•   The University of Wisconsin is an open
    environment
•   However, on occasion, this open nature
    can be exploited by people with
    nefarious intent
•   Don’t volunteer sensitive information
•   Only disclose what is necessary
•   Follow records retention policies
•   When in doubt, ask for proof, honest
    people will understand, dishonest
    people will become frustrated




Publishing of Information
Consider carefully before publishing and disseminating information, such as phone directories and business cards

Sadly, obituaries are a great place to learn the answer to the most annoying password recovery question: “What is your mother’s maiden name?”

We Have So Much More To Talk About
•   Security Awareness matters not just to
    you, but to the University of Wisconsin
    as a whole
•   Security Awareness is an important
    facet of everyone’s work
•   My actions impact you
•   Your actions impact me
•   Security Awareness is an ever changing
    and evolving area, which requires
    constant attention
•   DoIT is here as a resource for you
•   Let us know how we can help
•   Let me know if I can help
•   Don’t be afraid to ask questions
•   Better safe than sorry

A Picture Is Worth 1000 Words




Questions and Discussion
Nicholas Davis
ndavis1@wisc.edu
608-262-3837
facebook.com/nicholas.a.davis





IT Security in a Scientific Research Environment
