Simple ways to make security easier
TOP TEN (10) Security Tips
Karen McDowell, Ph.D., GCIH
Information Security, Policy, and Records Office
Office Technology Conference 2010
Security Tip #1
• Don’t click on unsolicited email messages
• If in doubt, telephone the sender
• Use the 800 number on the back of your credit or debit card
• Check the UVa Security and Suspicious Alerts Page (updated hourly if necessary)
Old-Fashioned Trickery or Social Engineering
How shall I trick you? Let me count the ways!
• Phishing
• Spear-phishing
• Vishing
How Do I Identify a Phishing Message?
• Unsolicited – no reputable financial institution will ask for your personally identifiable information (PII); if someone asks, suspect trouble
• Timing is a clue, though not always
• Words or tone of urgency
• The web page or email message mimics a legitimate commercial or social networking site in almost every detail
Phishing with Masked Web Address
• If you clicked on this, you went to http://www.virginia.vbedu.net/info/v/ (not a virginia.edu address)
Spear Phishing: Most Dangerous
• Spear phishing is a highly targeted attack directed at specific groups
• Addresses members by first name
• Conveys a tone of intimacy
• Spear phishers also create fake social networking login pages to lure us into sites where we routinely enter PII (personally identifiable information)
• Spear phishers have lately been tricking Fortune 500 senior execs who play Farmville
Spear Phishing Message
Attached document contained malware!
Phishing with Masked Web Address
• If you clicked on the URL below, you went to xxx@bongfaschist.de
Why Spear Phishing Works
• Success relies upon the details used:
• Apparent source is a known, trusted individual, like HR or IT staff
• Message information supports its validity
• Request has a logical basis
• Any time you see anything you think is suspicious, go to the Alerts page at UVa and check whether it has been posted
• http://itc.virginia.edu/security/alerts
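The two "masked web address" slides above both rely on the same trick: the text a reader sees is not the host the browser connects to. The following Python script is an added example (not part of the original presentation) that shows how to recover the real destination of a link with the standard library. It treats virginia.edu as the only trusted domain, which is an assumption for this example; the hosts in the sample links are the ones named on the slides, and the full URLs around them are constructed.

```python
from urllib.parse import urlsplit

# Domains a legitimate link is expected to belong to (assumption for this example).
TRUSTED_DOMAINS = ("virginia.edu",)


def _normalize(url):
    # Links in mail are often shown without a scheme; a browser would add one.
    return url if "://" in url else "http://" + url


def effective_host(url):
    """Return the host a browser would actually connect to, lowercased, no trailing dot."""
    host = urlsplit(_normalize(url)).hostname or ""
    return host.lower().rstrip(".")


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host is exactly a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_link(url, trusted=TRUSTED_DOMAINS):
    """Explain where a link really goes and why its appearance may be deceptive."""
    parts = urlsplit(_normalize(url))
    host = effective_host(url)
    warnings = []
    if parts.username is not None:
        # Everything before '@' is user info, not the destination; it is a classic decoy.
        warnings.append(
            f"text before '@' ({parts.username!r}) is ignored; real host is {host!r}"
        )
    trusted_ok = host_is_trusted(host, trusted)
    if not trusted_ok:
        for d in trusted:
            # 'virginia' appearing inside 'www.virginia.vbedu.net' does not make it virginia.edu
            if d.split(".")[0] in host:
                warnings.append(f"host {host!r} only resembles {d!r}; it is a different domain")
    return {"host": host, "trusted": trusted_ok, "warnings": warnings}


if __name__ == "__main__":
    # Constructed samples built around the hosts shown on the slides.
    for link in (
        "http://www.virginia.vbedu.net/info/v/",
        "http://www.virginia.edu@bongfaschist.de/login",
        "http://itc.virginia.edu/security/alerts",
    ):
        print(link, "->", check_link(link))
```

The key point is that `urlsplit` reports the host the same way a browser resolves it: anything before `@` is user info and never reaches DNS, and a host is only trusted when it is the expected domain or a subdomain of it, not when it merely contains a familiar word.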
Security Tip #2
• Prepare for Rogue Antivirus, so you know what to do if it hits you
Fake (Rogue) Antivirus
Courtesy of Indiana University
RAV: Social Engineering Plague
• Rogue Antivirus popups appear to be authentic copies of legitimate Windows screens
• RAV tricks users into thinking their computer is infected with viruses
• Offers antivirus to help them clean it
• Aggressive use of spam, online ads, and schemes to manipulate search engine results to infect Web users searching for trends, like celebrity foibles, big breaking news, etc.
http://gadgetwise.blogs.nytimes.com/2010/04/15/threat-of-fake-anti-virus-software-grows/
What You Can Do
• Install and run Malwarebytes (legal on home computer only)
• Stop using the computer immediately
• Don’t click on any popups!
• Turn off wireless, or pull the high-speed line out of the back
• This is why we back up often
Security Tip #3
• Avoid wireless hotspots, or modify your computer use if you use them
• Don’t do anything that requires a password
• Don’t log in to your bank or email
The Evil Twin: Wireless Insecurity
• Home-made wireless access points masquerade as legitimate hot spots
• Fairly easy to create an evil twin with a laptop
Security Tip #4
• Use social networking sites like Facebook, LinkedIn, and Twitter very carefully
Facebook Security Issues
• Social network du jour
• Attackers go where we go
• Facebook has more members than the population of the USA
• Weak passwords or passphrases
• Don’t use third-party applications
• Check for mis-configured or unused privacy settings
Facebook Instant Personalization
Reports say that Facebook has once again compromised users’ privacy settings, not only by making the process more complex but by making it an opt-out process instead of opt-in. Don’t post any information on your blog or Facebook, like announcing you are going on vacation, that could be used by identity thieves to target you, your family or friends, or UVa.
ZDNet 25 May 2010
Rogue Antivirus and Twitter
• Twitter hit with rogue anti-virus scam
• Flurry of tweets directed users to a website promising "Best Video"
• Appeared to offer content from YouTube, but delivered a document infecting those using vulnerable versions of Adobe’s Reader program
• Victims then received an urgent warning that their systems were infected and needed fraudulent security software cleaning
<theregister.co.uk> 6/2009
Twitter Security Issues
• Link shorteners like TinyURL lead users to unknown destinations, though there’s a fix for this
• Vulnerable to phishing attacks
• Users unwittingly give their passwords to third-party applications
• Phishers used Twitter (May 2009)
• Bogus accounts of “hot” women
• Tiny URLs obfuscated the real sites
<gadgetwise.blogs.nytimes.com> 5/2009
Security Tip #5: Protect Smart Phones
• Passcode
• Enable at least 4 digits, but this also depends upon IT policies
• Exceeding the number of allowed password attempts deletes all data
• Auto-Lock
• Locks the screen after a pre-set period of non-use (consider 30 minutes or less)
• Passcode-lock enhances auto-lock
• By itself not exactly a security feature, but combined with passcode protection it’s essential security
Security Tip #6
• Use strong passwords, or
• Try a passphrase if it is easier for you to remember
Create Strong Passwords
• A 10-character password is not as hard to remember as you think
• Make up a unique sentence, and use the first letter of each word in the sentence
• Mix up the capitalization, and add a digit or punctuation mark somewhere
• A sentence unique to you might be: “My Chevy’s front muffler leaks too much” for the password “MCfml,t3m”
• But don’t accidentally create a word, as in “How older US educators sit” for the password “HoUSes”
Passphrases are just words
• Easy to remember
• “Mysonjusthitmefor1200dollars”
• “AvoidworkonMondaysifyoucan”
• Avoid famous sayings or quotes like “give me liberty or give me death”, “to be or not to be”, or “four score and seven years ago”, etc., because attackers make lists of these
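The two password slides above describe a manual method (first letter of each word, then mix case and add a digit or punctuation) and two pitfalls (the letters accidentally spelling a word, and a passphrase that is a famous quote). This Python script is an added example, not part of the presentation, that applies those rules to the slides’ own sentences. The dictionary and quotation lists are tiny constructed stand-ins for the real word lists a checker would use, and the length floors of 8 characters for a password and 16 for a passphrase are this example’s assumptions (the slides suggest 10 characters for a password).

```python
import re

# Constructed stand-ins for a real dictionary and a quotation list (assumption).
COMMON_WORDS = {"houses", "house", "password", "letmein", "welcome", "monday"}
FAMOUS_PHRASES = (
    "give me liberty or give me death",
    "to be or not to be",
    "four score and seven years ago",
)
MIN_PASSWORD_LENGTH = 8     # this example's floor; the slides suggest 10
MIN_PASSPHRASE_LENGTH = 16  # assumption: a passphrase should be clearly longer than a password


def first_letters(sentence):
    """Build a candidate password from the first letter of each word, keeping case.

    An all-caps word such as "US" is kept whole, which is how the slide gets "HoUSes".
    """
    words = re.findall(r"[A-Za-z0-9']+", sentence)
    return "".join(w if (w.isupper() and len(w) > 1) else w[0] for w in words)


def squash(text):
    """Lowercase and drop everything but letters and digits, for comparisons."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def password_problems(pw, words=COMMON_WORDS):
    """Return the reasons a first-letter password is weak (empty list = acceptable)."""
    problems = []
    if len(pw) < MIN_PASSWORD_LENGTH:
        problems.append("too short")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("no mix of upper and lower case")
    if not any(c.isdigit() or not c.isalnum() for c in pw):
        problems.append("no digit or punctuation")
    if pw.lower() in words:
        problems.append("spells a dictionary word")
    return problems


def passphrase_problems(phrase, quotes=FAMOUS_PHRASES):
    """Return the reasons a passphrase is weak (empty list = acceptable)."""
    problems = []
    flat = squash(phrase)
    if len(flat) < MIN_PASSPHRASE_LENGTH:
        problems.append("too short")
    # Spacing and punctuation are ignored so "ToBeOrNotToBe" still matches the quote.
    if any(squash(q) in flat for q in quotes):
        problems.append("contains a famous quote")
    return problems


if __name__ == "__main__":
    for sentence in ("My Chevy's front muffler leaks too much", "How older US educators sit"):
        candidate = first_letters(sentence)
        print(f"{sentence!r} -> {candidate!r}: {password_problems(candidate) or 'ok'}")
    print("MCfml,t3m ->", password_problems("MCfml,t3m") or "ok")
    for phrase in ("Mysonjusthitmefor1200dollars", "give me liberty or give me death"):
        print(f"{phrase!r}: {passphrase_problems(phrase) or 'ok'}")
```

The raw first letters of the Chevy sentence ("MCfmltm") fail the checks until the comma and digit are added, while "HoUSes" is rejected precisely because it spells a word; the passphrase check strips spacing and case before comparing, so reformatting a well-known quote does not get it past the list.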
Security Tip #7
• Update, update, update!
• Backup, backup, backup!
Update, Update, Update
• Secunia.com (home use only)
• Macintosh Security Update
• Microsoft Automatic Update
Backup, Backup, Backup
• Home Directory
• External hard drive
• These mechanical systems can fail!
• Memory stick
• Only for short-term storage
• Drag-and-drop action
Security Tip #8
• Check your free annual credit report: http://annualcreditreport.com
• Not freecreditreport.com
• Pull down your credit history, and see what accounts have been opened in your name
• Check personal data for accuracy
• You will not receive a credit score unless you pay for it
Security Tip #9
• Stay on Main Street when using the Internet
• Don’t go down any dark alleys
• What’s a dark alley on the Internet?
Security Tip #10
• Apply the same common sense rules you use in the real world to protect institutional and personal data
• Ask Ben Bernanke’s wife
• Regularly check your computer for sensitive data (back up or remove files)
• Use Secure Deletion Shredder
• Use Identity Finder at work