The document provides information about IT security and the internet. It begins with the author's background and then covers topics such as how the internet works, domain name system address translation, what is needed to make the internet work, threats to security, and steps individuals can take to help improve security. It notes that hacking is common and attackers are financially motivated to steal personal and corporate data, which is then sold on black markets. The document emphasizes being aware of security risks and taking steps like using antivirus software and strong passwords.

1. Is anything
more boring??IT SECURITY

2.  Joel Cardella
 jscardella@pobox.com
 BS in English from Eastern Michigan University
 involved in IT since 1992
 Began in IT as a network administrator of 3 PCs in the
“Windows For Workgroups [3.11]” days
 In 1997, went to work for America Online (ANS), and started
to ride the dot-com boom
 Began IT career-track as a network operator – fixing low level
issues
ABOUT ME

3. THE INTERNET

4.  The internet is like a global neighborhood where everyone has
a house address
 Your data knocks on doors until it finds out the right address,
and then settles there
 It knows what doors to knock on, because the people who own
the networks (neighborhoods) that you need to look in have
agreed to let your data pass through, and give it direction
 Without these peering arrangements, the data would not get
to its destination
HOW DOES THE INTERNET WORK?

5.  Domain Name Services are used to render crazy Internet
addresses into real world words
 www.google.com is really
 Addresses: 2607:f8b0:400f:801::1010
 74.125.225.209
 74.125.225.208
 74.125.225.211
 74.125.225.212
 74.125.225.210
 So who knows this? Who do I ask?
DNS ADDRESS TRANSLATION

6.  The internet is a giant social network!
 However, instead of reply on humans to transmit the
messages, we use computers, routers, DNS, peer
arrangements, etc
SOCIALLY SPEAKING

7.  Power
 Copper cable
 Fiber optic cable
 Switches
 Routers
 Operating Systems
 Buildings
 DNS
 Agreements with neighbors
 SECURITY!
SO WHAT DO WE NEED TO MAKE THE
INTERNET WORK?

8. WHAT IS IT SECURITY?

9. WHAT IS EFFECTIVE SECURITY?
(Offense) (Defense)
Likelihood Impact
THREATS X VULNERABILITIES = RISK
Reduces Risk
Drives risk calculation
Threats increase risk
Dealing with vulnerabilities reduces risk
When a threat connects with a vulnerability, there is impact

10.  IT Security is about managing risk, very similar to an
insurance model
 Risk Strategies
 Accept – based on relative low value, low frequency of occurrence, or
low impact
 Mitigate – Implement controls to reduce risk
 Transfer – Transfer risk to other entity (outsource)
 Deny – Dispute the reality of the risk
 Denying risk is considered by some courts as not applying Due
Care
RISK MANAGEMENT

11.  IT Security has been a focus of law and review, and some
legal terms have migrated to IT Security
 These terms have precedent and have been used
successfully to both prosecute and defend in courts
 Due care – steps are taken to show the company has protections in
place
 Due diligence – continual activities – people are doing activities to
monitor and maintain protection, and these are ongoing
 Non-repudiation - one party of a transaction cannot deny having
received a transaction nor can the other party deny having sent a
transaction
CROSSOVERS WITH LAW

12.  Confidentiality - prevent the
disclosure of information to
unauthorized individuals or
systems
 Integrity – protect data from
modification
 Availability - systems used
to store and process the
information, the security
controls used to protect it,
and the communication
channels used to access it
must all be functioning
correctly
SECURITY PRINCIPLES

13.  Separation of duties – ensures that an individual cannot
complete a critical task by themselves
 Least privilege - an individual, program or system process is
not granted any more access privileges than are necessary to
perform the task
 Access based on need to know (Access Control) – information
is segregated and only available to individuals who have a
need to consume it
SECURITY BEST PRACTICES

14. SECURITY PITFALLS

15.  Failing to install anti-virus, keep its signatures up to date, and apply it
to all files.
 Opening unsolicited e-mail attachments without verifying their source
and checking their content first, or executing games or screen savers or
other programs from untrusted sources.
 Failing to install security patches-especially for Microsoft Office,
Microsoft Internet Explorer, Firefox, and Safari…Opera, Netscape, etc
 Not making and testing backups.
 Being connected to more than one network such as wireless and a
physical Ethernet or using a modem while connected through a local
area network.
 Reusing the same username and password across multiple websites
 Linking accounts across the internet to a single point of failure (one
email address)
SEVEN WORST SECURITY MISTAKES
END USERS MAKE

16. CLOUDY DAYS AND
RAINY NIGHTS

17.  What is the cloud?
 What can you do with it?
 Why is it useful?
CLOUDS OR FOG?

18. Apple is working hard to get all of its
customers to use iCloud.
Google’s entire operating system is cloud-
based.
Windows 8, the most cloud-centric operating
system yet, will hit desktops by the tens of
millions in the coming year or two.
WHO USES THE CLOUD?

19. Password-based security
mechanisms — which can be
cracked, reset, and socially
engineered — no longer suffice in the
era of cloud computing
CLOUD SECURITY IS STILL
A WORK IN PROGRESS

20. MAT HONAN’S RIDE THROUGH HELL

21. ABOUT.ME/MATHONAN

22.  “I realized something was wrong at about 5 p.m. on Friday. I
was playing with my daughter when my iPhone suddenly
powered down. I was expecting a call, so I went to plug it back
in.”
 “It then rebooted to the setup screen. This was irritating, but I
wasn’t concerned. I assumed it was a software glitch. And, my
phone automatically backs up every night. I just assumed it
would be a pain in the ass, and nothing more. I entered my
iCloud login to restore, and it wasn’t accepted. Again, I was
irritated, but not alarmed. ”
THE SYMPTOMS APPEAR

23.  “I went to connect the iPhone to my computer and restore from
that backup — which I had just happened to do the other day.
When I opened my laptop, an iCal message popped up telling me
that my Gmail account information was wrong. Then the screen
went gray, and asked for a four-digit PIN.”
 “I didn’t have a four-digit PIN.”
 “By now, I knew something was very, very wrong. For the first
time it occurred to me that I was being hacked. Unsure of exactly
what was happening, I unplugged my router and cable modem,
turned off the Mac Mini we use as an entertainment center,
grabbed my wife’s phone, and called AppleCare, the company’s
tech support service, and spoke with a rep for the next hour and
a half.”
FROM BAD TO WORSE

24.  His first call was to AppleCare – but according to them it was
not his first time calling!
 Someone had called at 4:33 claiming to be Mat, saying he
could not get to his Me.Com email
 In response, Apple issued a temporary password. It did this
despite the caller’s inability to answer security questions Mat
had set up. And it did this after the hacker supplied only two
pieces of information that anyone with an internet connection
and a phone can discover.
WHITHER GOES MAT?

25.  It turns out, a billing address and the last four digits of a
credit card number are the only two pieces of information
anyone needs to get into your iCloud account. Once supplied,
Apple will issue a temporary password, and that password
grants access to iCloud.
 Once someone has access to iCloud, they have access to your
AppleID
 A hacker, going by the name Phobia, was able to track down
this information easily
WHAT HAD HAPPENED

26.  “After coming across my account, the hackers did some
background research. My Twitter account linked to my personal
website, where they found my Gmail address. Guessing that this
was also the e-mail address I used for Twitter, Phobia went to
Google’s account recovery page. He didn’t even have to actually
attempt a recovery. This was just a recon mission.
 Phobia could view the alternate e-mail Mat had set up for
account recovery. Google partially obscures that information,
starring out many characters, but there were enough characters
available, m••••n@me.com. Jackpot.
 This was how the hack progressed. If I had some other account
aside from an Apple e-mail address, or had used two-factor
authentication for Gmail, everything would have stopped here.
 But using that Apple-run me.com e-mail account as a backup told
the hacker I had an AppleID account, which meant I was
vulnerable to being hacked.”
THE HACK

27.  All you need to access someone’s AppleID is
 the associated e-mail address,
 a credit card number,
 the billing address,
 and the last four digits of a credit card on file
 Phobia had gone to Google and requested a password
recovery
 Google had shown him that it was using a @me.com email
 Phobia knows Mat has an AppleID and now needs access
 So Phobia knew part of the email address – how did he get
the other pieces?
IT’S ALL YOU NEED!

28.  He got the billing address by doing a whois search on Mat’s
personal web domain. If someone doesn’t have a domain, you
can also look up his or her information on Spokeo,
WhitePages, and PeopleSmart.
 First you call Amazon and tell them you are the account
holder, and want to add a credit card number to the account.
 All you need is the
 name on the account,
 an associated e-mail address,
 and the billing address.
 Amazon then allows you to input a new credit card. (Wired
used a bogus credit card number from a website that
generates fake card numbers that conform with the industry’s
published self-check algorithm.) Then you hang up.
AMAZIN AMAZON

29.  Next you call back, and tell Amazon that you’ve lost access to
your account.
 Upon providing a name, billing address, and the new credit
card number you gave the company on the prior call, Amazon
will allow you to add a new e-mail address to the account.
 From here, you go to the Amazon website, and send a
password reset to the new e-mail account. This allows you to
see all the credit cards on file for the account — not the
complete numbers, just the last four digits.
 But, as we know, Apple only needs those last four digits!
MORE DATA THAN YOU CAN EAT

30.  Any waiter or waitress in a restaurant where you paid for your
meal
 Any cashier at any store who took your credit card as payment
 Any 16-year old kid working anywhere that accepts credit cards,
with enough sense to memorize 4 digits and a last name –
especially an easy one
 So Phobia calls AppleCare and gives them his name
 “Mat Honan”
 His billing address
 Found using internet search tools
 Last 4 of the credit card
 Found from the email from Amazon
 And now Apple resets Mat’s iCloud account, giving Phobia access
WHO ELSE HAS THE LAST 4 OF YOUR
CREDIT CARD?

31.  Phobia accesses Mat’s account, gets access to his @me.com
password- then a race ensues
 4:50 p.m., a password reset confirmation arrived in my @me.com
inbox. They then were able to follow the link in that e-mail to
permanently reset my AppleID password.
 4:52 p.m., a Gmail password recovery e-mail arrived in my me.com
mailbox. Two minutes later, another e-mail arrived notifying me that
my Google account password had changed.
 5:00 they used iCloud’s “Find My” tool to remotely wipe my iPhone.
 5:02 p.m., they reset my Twitter password.
 5:05 they remotely wiped my MacBook. Around this same time, they
deleted my Google account.
 5:10, I placed the call to AppleCare.
 5:12 the attackers posted a message to my account on Twitter taking
credit for the hack.
PWNED

32. DONE AND DONE

33.  Mat says:
 They could have used my e-mail accounts to gain access to my
online banking, or financial services.
 They could have used them to contact other people, and
socially engineer them as well.
 As Ed Bott pointed out on TWiT.tv, my years as a technology
journalist have put some very influential people in my address
book. They could have been victimized too.
COULDA BEEN WORSE!

34.  Why did it happen?
 What was the reason he got hacked, his personal info erased,
moments from his life gone forever?
 What was the reason?
 He had a 3 character Twitter user name, and they thought it
was cool and wanted it
WHY?

35.  Mat was able to get some data back
 He sent his machine to a firm called DriveSavers, who have
custom hardware and software which can recover data from
hard drives (even SSDs)
 They recovered about 75% of the data, including most of his
digital pictures
 The cost: $1,690
HE GOT SOME DATA BACK

36.  2 factor authentication means you need 2 things to prove who
you are
 Something you know [a password]
 Something you have [a cell phone]
 If Mat had enabled Google’s 2nd factor authentication, this
would not have happened
 Duo Security makes a product which can be used for free –
you can get SMS, iPhone push, phone call, software token
generation
2 FACTOR AUTHENTICATION

37. SECURITY AT HOME AND
AT WORK

38.  Security is a behavior, and it applies to you everywhere
 Your phone, cell- or smart-
 Your other mobile devices
 Your computer at work
 Your computer at home
 Your personal documents & assets
 Your company assets
 Everything about security has overlap in all the spaces you
live in and move through
 So security awareness applies to everything you do in life: at
work, at home, with family & friends
 We will show you good behaviors to use wherever you are
SECURITY APPLIES TO EVERYTHING IN YOUR
LIFE

39.  Hacking is happening all the time:
 Sony – over a dozen data breaches and 100,000,000 Playstation
Network (PSN) records stolen
 Zappos.com – 24,000,000 customer records stolen
 LinkedIn – 6,500,000 emails and records stolen
 Sutter Physicians Services – 3,300,000 patient records containing
medical details stolen from a physical desktop theft
 This one is concerning because it could have data about you and me that
could be used to steal identities
DATA BREACHES ARE MORE COMMON THAN
PEOPLE THINK
Source: privacyrights.org

40.  “Hacking” used to be about challenge and bragging rights.
Now, attackers have a monetary incentive to steal your data
 Black market data dealing operations worldwide buy and sell
names, social security numbers, credit card and debit card
numbers, email addresses and other information very cheaply
 Cybercrime now sits at $1 Trillion per year according to
McAfee – this is mostly profit!
 Whether it’s personal data or corporate data, everything
about you is for sale!
ATTACKERS WANT YOUR DATA
(1)Symantec.com “Ponemon Cost of a Data Breach” (2) Eurostat Feb 2011 (3) RSA

41.  Take necessary safeguards to ensure you are secure
 Be aware! Know that your data could be at risk
 Reboot your machine periodically – every day is encouraged – At
home and at work
 Make your password strong and easy to remember
 When on the phone with someone you don’t know, do not give any
personal or company details, even if they give details about the
company – much of this information could be easily found on public
websites
 On your home PCs, follow these steps
 Use antivirus software, and keep it updated all the time
 You can use multiple programs, and several frees ones
 If programs like Java, Firefox, Chrome, Abode, etc ask you if you want
the latest update say YES and accept it
WHAT CAN YOU DO TO HELP?

42.  NEVER USE THE WORD PASSWORD IN YOUR PASSWORD!
 Keep your password to yourself, and lock your PC when it is
unattended
 Never write your password down or store it on or near your
computer or laptop
 Use password management software, like KeePass
 Ensure that you change the initial passwords supplied to you
as soon as possible.
 Passwords must not be communicated to anybody. In
particular, ensure that you do not e-mail your password or use
the automatic password saver within an Internet browser.
PASSWORD RULES!

43.  Passwords are usually kept in a scrambled format,
so they can’t be read
 When passwords are stolen, hackers use password
cracking programs which guess your password
 The guesses are based on dictionaries of words,
found at universities everywhere – including almost
all languages
 Hackers feed the dictionaries into the password
crackers, and the crackers scramble the guess just
like the password
 They then look for matches, and when they find one
it is cracked
HOW ARE PASSWORDS CRACKED?

44.  From a list of 860,160 posted on the internet
ACTUAL CRACKED PASSWORDS
Patterns too easy to detect
They all use the word password in
them. NEVER use the word
password in your password
Keyboard patterns – too easy to
detect
Real words – never use real
words in any language! Password
which look like real words are
generally bad passwords

45.  The best passwords are pass phrases but not all applications
can support them
 “I was married on November 5th.”
 “And the cow jumped over the moon!”
 “I got friends in low places, says Garth Brooks.”
 If you can’t do a passphrase, use the first letter from each
word in the phrase – add a number and symbol if you need it
 IwmoN5th.
 Atcjotm!2
 Igfilp,sGB.7
 Use a song, movie quote, book quote, anything that is easy to
remember. Songs can yield several years worth of passwords!
BEST PASSWORDS ARE PASS PHRASES
I was married on November 5th.
And the cow jumped over the moon!2
I got friends in low places, says Garth Brooks .7

46.  Try for 14 characters – if you can get to 10 that is very good,
but more is always better
 They need 4 things: an uppercase letter, a lowercase letter, a
number and a symbol - anything on top keyboard row -
!@#$%^&*()_+
 avoid semi-colon (;) and apostrophe (‘) as these can break IT
systems
 At home, create one strong, special password for your online
banking – you only ever use this password for this, and never
use it anywhere else
 Use this technique to make as many distinct passwords as you
can – one for each website or program you use is your goal!
FOR ALL PASSWORDS, AT HOME AND AT
WORK

47.  Are these strong passwords? Why or why not?
 Cindy2012
 No! Too many patterns too easily guessed
 Fisherman
 NO! Real word in the dictionary
 GoTigers!4
 No, this password is too easily guessed
 Don’t use sports teams or players in your password!
 P@ssw0rd#1
 No. These substitution tricks are too common – looks too
much like a real world, easily guessed – has the word
password in it
 H,dyhtstmbgitw?1
 Yes! It doesn’t look like any words and it has enough
complexity
 It has special characters which break up the password
 It has 16 characters!
 Can you remember Hey, did you happen to see the most beautiful girl in the
world?
PASSWORD QUIZ!

48. OTHER GOOD PASSWORDS

49. LOCK YOUR PC WHEN IT IS UNATTENDED
Pressing the Windows Logo key + L
key at the same time, will lock the
computer instantly

50.  In the same way you should safeguard your password and its
value, you should also safeguard your PC and the data on it
 Train yourself into pressing Win + L each time you leave your
PC, even for a moment
 You will need to log back in each time, but remember this is
because you are safeguarding the value of your business
process – this is the key you are using to unlock your
valuables
 Just as you would lock the door to your house when you leave
it to protect your values, lock your PC
LOCKING YOUR PC SECURES THE DATA
ON IT

51.  Take all precautions to protect your IT devices and
data assets from damage or loss
 Treat your laptop and mobile device like cash.
 Be on guard in airports and hotels.
 Don’t leave your device unattended — even for just a
moment.
 Don’t leave your laptop visible in the car, put it in the trunk –
or cover valuables with a blanket, make them unseen
 Don’t keep passwords with your laptop or in its case.
 Backup your files on the network drives.
 Remember that the information contained in a laptop or
mobile device is more valuable than the hardware.
PROTECT YOUR IT DEVICES AND DATA

52.  Secure and hide your laptop & other valuables in your vehicles
– cover them with blankets or make them otherwise not
noticeable by passersby
 Do not leave your smartphone unattended, especially when
it’s powering up at a charging station
 Always have your bags in contact with your body
 If bags are on ground, step your foot through the loop of a carry bag,
or have contact with your wheeled bag
 Do not store your passwords with your laptop (do not write
them down!)
 Theft is a crime of opportunity – limit the opportunities
available and the odds are in your favor
TRAVELING SECURITY

53.  Beware of security risks when using e-mail or the
internet
 Do not reveal personal or financial information in emails,
and do not respond to email solicitations for this
information.
 If it sounds too good to be true, it is.
 Be wary of pop-up windows and advertisements for free
downloadable software—they may be disguising spyware
 Forwarded emails can contain viruses or other malicious
activity. Open attachments only from those you trust.
 Don’t click email web links, or copy-paste them - choose
from your favorites
 Pay attention to the address of a website.
 Your browser can help tell you what website you are on
BEWARE OF SECURITY RISKS

54.  PIN lock your smart phones (mobile devices) – this is a
tradeoff between convenience and security
 Remember this stops someone from snooping through your device
 Apps that access your data will be easily accessible by someone who
“finds” your device– many apps never log you out
 Your identity could be stolen, and you could be impersonated
by someone using your device with all of your apps available
to them
 Before you download that cool app – think, “Do I really want
this to have access to my personal data?”
SMART PHONE SECURITY

55. CURIOSITY PWNS THE LOSER
Operation Honey Stick
50 smartphones were
distributed in Silicon Valley,
Washington, D.C., New York,
Los Angeles, and Ottawa. The
devices, loaded with a buffet of
juicy, fake data, were left in
restaurants, elevators,
convenience stores, and
student unions. Symantec
equipped them with monitoring
software that let its security
gurus track where the devices
were taken once found, and
what type of information was
accessed by the finders.

56.  Don’t Assume that public Wi-Fi networks are secure – they
aren’t - EVER
 So what can you do to protect your information? Here are a
few tips:
 When using a Wi-Fi hotspot, only log in or send personal information
to websites that you know are fully encrypted (https or vpn). VPNs
encrypt traffic between your computer and the internet, even on
unsecured networks
 Don’t stay permanently signed in to accounts. When you finished
using an account, log out.
 If you use a smartphone to connect to a wifi hotspot, all your activity
will be on the network – so beware of what you browse, email or text!
PUBLIC WI-FI

57.  Applying real-world judgment can help minimize risks.
 The danger of social networks is the reason they are social in the
first place! Linked data gives bad guys easier ways to steal from
you
 One innocent post of Facebook saying “We are at a movie!” can
actually post all of the following:
 Where I am, with maps to the movie theatre
 How long I will be gone from my house, because of the show times listed
 Who I am with (We are at a movie!)
 This is an invitation to get robbed, or worse
 Tell your kids, your SOs, your friends, everyone…
 BE CAREFUL OF THE INFORMATION YOU GIVE AWAY
 BE AWARE YOU COULD BE GIVING AWAY MORE THAN YOU THINK
SOCIAL NETWORKS

58.  Security is not about technology
 Security is about YOU
 Your behaviors
 Your use of tools like computers and smart phones
 Your attitude toward how you value your data
 Be secure at home and at work
 Free tools are available to help you keep track of passwords
 Antivirus programs which are up-to-date are critical to maintaining a
secure PC, especially with older operating systems – and many of
these are free!
 Unfortunately, IT cannot assure 100% security – so we rely on
you to fill in the gaps
SECURITY IS NOT EQUAL TO TECHNOLOGY

59.  KeePass – a free way to help you manage and track all your
passwords - http://keepass.info/
 For those using Microsoft Windows, you can download and install
Microsoft Security Essentials, a free antivirus program – other free
antivirus programs are SpyBot, MalwareBytes, Avira, AVG, Avast!
and many more
 These should be downloaded *only* from their source sites, or
trusted sites like sourceforge.net – do not use Download.com or other
sites for antivirus downloads
 TrueCrypt is an encryption program to help secure data on your PC –
http://truecrypt.org/
 Fbackup is a program which can back your local files up to the
network, like your G: or H: drive - http://www.fbackup.com/
 There are many others available: if you ever have any questions,
please email jscardella@pobox.com for help or information with any
PC security question whether at work or at home
FREE TOOLS RESOURCES

60.  Microsoft Security Essentials –
 http:// windows.microsoft.com/mse
 Avira (free version)
 http://www.avira.com/en/for-home
 AVG
 http://free.avg.com/us-en/homepage
 Avast!
 http://www.avast.com/en-us/index
 Malware Bytes
 http://www.malwarebytes.org/products/malwarebytes_free
 SpyBot
 http://www.safer-networking.org/en/download/index.html
 Many more available
FREE PC ANTI-VIRUS PROGRAMS FOR
HOME USE

61. INTERESTED IN
SECURITY?

62.  Employers Will Be Looking for These Hot Tech Skills
 In 2012, skills in key computer technologies, especially in
software, will be in much demand. “At IT firms, virtualization,
business intelligence and mobile app developers are really
strong,” Reed says. “App developers are really hot right now,
then .Net, Java, PHP, Silverlight and SharePoint.”
 Bass adds to the list of in-demand technology jobs: sales
application engineers, CRM specialists, security experts, backup
and recovery technicians, field application support specialists
and service technicians.
 Source: http://career-advice.monster.com/job-search/company-
industry-research/it-jobs-outlook-2012/article.aspx
IT SKILLS NEEDED!

63.  The 20 Coolest Jobs in Information Security
 #1 Information Security Crime Investigator/Forensics Expert
 #2 System, Network, and/or Web Penetration Tester
 #3 Forensic Analyst
 #4 Incident Responder
 #5 Security Architect
 #6 Malware Analyst
 #7 Network Security Engineer
 #8 Security Analyst
 #9 Computer Crime Investigator
 #10 CISO/ISO or Director of Security
 #11 Application Penetration Tester
 #12 Security Operations Center Analyst
 #13 Prosecutor Specializing in Information Security Crime
 #14 Technical Director and Deputy CISO
 #15 Intrusion Analyst
 #16 Vulnerability Researcher/ Exploit Developer
 #17 Security Auditor
 #18 Security-savvy Software Developer
 #19 Security Maven in an Application Developer Organization
 #20 Disaster Recovery/Business Continuity Analyst/Manager
COOL SECURITY JOBS