
Securing Home Computers: vulnerabilities, threats, and controls Harris County Library Presentation

Dr. Wayne Summers, TSYS School of Computer Science, Columbus State University. wsummers@ColumbusState.edu http://csc.ColumbusState.edu/summers


Presentation Transcript


  1. 1 Columbus State University

  2. Securing Home Computers: vulnerabilities, threats, and controls
     Harris County Library Presentation
     Dr. Wayne Summers
     TSYS School of Computer Science
     Columbus State University
     wsummers@ColumbusState.edu
     http://csc.ColumbusState.edu/summers

  3. OUTLINE
     • THE PROBLEM
     • Definitions
     • Vulnerabilities
     • Threats
     • Controls
     • Conclusions
     • Q&A

  4. WHY IS INFORMATION SECURITY IMPORTANT?

  5. SQL Slammer (Fall 2002)
     • “It only took 10 minutes for the SQL Slammer worm to race across the globe and wreak havoc on the Internet two weeks ago, making it the fastest-spreading computer infection ever seen.”
     • “The worm, which nearly cut off Web access in South Korea and shut down some U.S. bank teller machines, doubled the number of computers it infected every 8.5 seconds in the first minute of its appearance.”
     • It is estimated that 90% of all systems that fell victim to the SQL Slammer worm were infected within the first 10 minutes.

  6. DHS Fears a Modified Stuxnet Could Attack U.S. Infrastructure (Wired - July 26, 2011)
     • computer worm discovered in June 2010
     • initially spreads via Microsoft Windows
     • targets Siemens industrial software and equipment
     • first discovered malware that spies on and subverts industrial systems
     • first to include a programmable logic controller (PLC) rootkit

  7. FLAME
     A frightening computer virus called Flame is on the loose in Iran and other parts of the Middle East, infecting PCs and stealing sensitive data. Now, the United Nations' International Telecommunications Union warns that other nations face the risk of attack.
     http://www.pcworld.com/article/256508/the_flame_virus_your_faqs_answered.html (PCWorld, May 30, 2012)

  8. FLAME
     • backdoor Trojan with worm-like features
     • point of entry is unknown – spear-phishing or infected websites are possibilities
     • spread through USB sticks / local networks
     • can sniff out information from input boxes, including passwords hidden by asterisks
     • record audio from a connected microphone
     • take screenshots of applications, such as IM programs
     • collects information about nearby discoverable Bluetooth devices
     • uploads info to command and control servers

  9. Latest News
     • “2013 will see more Stuxnet and Flame-like malware attacks, says AVG-CTO” [Computing.co.uk – 2/6/13]
     • “Adobe releases emergency Flash security update to address malware attacks on OS X” [9To5Mac.com – 2/6/13]
     • “Facebook reveals attack by computer virus” [US News – 2/13/13]
     • “Apple Computers Hit by Sophisticated Cyberattack” [NY Times, Bits Blog – 2/19/13]
     • “After Facebook and Twitter announced that they were breached by sophisticated hackers in recent weeks, Apple said it had been attacked”

  10. What are the risks?
      • “MALWARE” erasing your entire system,
      • “HACKER” breaking into your system and altering files,
      • “HACKER” using your computer to attack others,
      • “HACKER” stealing your credit card information and making unauthorized purchases.

  11. Goals
      • confidentiality - limiting who can access assets of a computer system.
      • integrity - limiting who can modify assets of a computer system.
      • availability - allowing authorized users access to assets.

  12. Privacy (Confidentiality)
      Limiting who can access your information.

  13. Identity Theft
      Using another’s identity for one’s benefit (usually financial gain)
      • social security number (32%)
      • credit card account numbers
      • date of birth
      • driver’s license
      • passport
      • mother’s maiden name
      • addresses

  14. Definitions
      • vulnerability - weakness in the security system that might be exploited to cause a loss or harm (usually caused by programming errors in software).
      • threats - circumstances that have the potential to cause loss or harm. (Threats typically exploit vulnerabilities.)
      • control - protective measure that reduces a vulnerability or minimizes the threat.

  15. Definitions
      • Virus - computer program that attaches to other programs and replicates itself repeatedly, typically without user knowledge or permission.
      • Worm - parasitic computer program that replicates
      • Trojan Horse - claims to be one thing while in fact doing something different behind the scenes.
      • Zombie - PC that has been infected with a virus or Trojan horse that puts it under the remote control of an online hijacker.
      • Time bomb - malicious action triggered at a specific date or time
      • Spam - unsolicited or undesired bulk email
      • Phishing - using social engineering techniques to fraudulently acquire other people’s personal information
      • Keyloggers - malicious programs that record the keystrokes a user types.

  16. Vulnerabilities reported
      The number of attacks is now so large and their sophistication so great, that many organizations are having trouble determining which new threats and vulnerabilities pose the greatest risk and how resources should be allocated to ensure that the most probable and damaging attacks are dealt with first. Exacerbating the problem is that most organizations do not have an Internet-wide view of the attacks. [http://www.sans.org/top-cyber-security-risks/]

  17. Vulnerabilities
      • How many of you patch your software when requested?
      • How many of you access the Internet from home?
      • Wireless networks have become pervasive.
      • How many of you have wireless networks at home?
      • How many of you use wireless networks when you are “on the road”?
      • How many of you have web-enabled cell phones?
      • How many of you have networked PMPs?
      10/30/2019

  18. Vulnerabilities
      “Today’s complex Internet networks cannot be made watertight…. A system administrator has to get everything right all the time; a hacker only has to find one small hole. A sysadmin has to be lucky all of the time; a hacker only has to get lucky once. It is easier to destroy than to create.”
      Robert Graham, lead architect of Internet Security Systems

  19. Types of Threats
      • interception - some unauthorized party has gained access to an asset.
      • modification - some unauthorized party tampers with an asset.
      • fabrication - some unauthorized party might fabricate counterfeit objects for a computer system.
      • interruption - asset of system becomes lost or unavailable or unusable.

  20. Malware and other Threats
      Malware: 403 million new variants of malware were created in 2011, a 41% increase over 2010 [Symantec - http://www.symantec.com/security_response/]
      • 1987-1995: boot & program infectors
      • 1995-1999: Macro viruses (Concept)
      • 1999-2003: self/mass-mailing worms (Melissa-Klez)
      • 2001-???: Megaworms [blended attacks] (Code Red, Nimda, SQL Slammer, Slapper)
      • 2005-???: Organized Crime
      • 2010-???: Nation States

  21. Social Engineering
      • “we have met the enemy and they are us” - POGO
      • Social Engineering – “getting people to do things that they wouldn’t ordinarily do for a stranger” – The Art of Deception, Kevin Mitnick

  22. PayPal Phishing Site Arrives as Attachment

  23. IRS Phish

  24. E-mail from "Microsoft" security@microsoft.com
      {Virus?} Use this patch immediately !
      Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!
      • Vigilantes Go on the Offensive to Bait Net Crooks
      • http://www.npr.org/templates/story/story.php?storyId=4716843
      • Scambaiter - http://www.419eater.com/

  25. “Privacy is the future. Get used to it.” (Marc Rotenberg, Director, Electronic Privacy Information Centre - EPIC) (Fortune, 2001).

  26. Who is Wayne Summers?
      • Google.com
      • http://csc.columbusstate.edu/summers/ (resume)
      • Linked.com, Jigsaw, ZoomInfo, EduCause
      • Math genealogy
      • Naymz.com, classmates.com
      • Blogger.com
      • peoplefinders.com
      • Age, Cities, parents, spouse, and children’s names & ages

  27. peoplefinders.com
      Comprehensive Background Report
      Name: SUMMERS, WAYNE
      Everything you need to know, all in one report.
      • Aliases & Maiden Names
      • Birth Date
      • Address History
      • Phone Numbers
      • Marriages & Divorces
      • Relatives & neighbors
      • Property ownership
      • and much more...
      $39.95
      Click below to find out how to get this product for FREE.

  28. Who is Wayne Summers?
      • Whitepages.com
        • Home address
        • Map of neighborhood
        • Neighbors & home values (zillow.com)
      • http://www.123people.com
        • Photos
        • Phone #s
        • Email address
        • Blogs

  29. Other personal data websites
      • Addresses.com
      • AnyWho.com
      • Google
      • InfoSpace
      • Intelius
      • MySpace
      • PeopleFinders.com
      • PublicRecordsNow.com
      • USA People-Search
      • US Search
      • WhoWhere.com
      • Yahoo!
      • ZabaSearch
      • ZoomInfo
      • SPOKEO.com (Social Network Aggregator)

  30. Future ID Theft & Privacy Issues
      • Minority Report Mall Scene (36 sec)
      • Minority Report Scene Gap Store (16 sec)
      • April 9, 2008 (Computerworld) “RFID keeps tabs on Vegas bartenders -- and soon could track you too”
      • “The Smart Card Alliance isn't too keen on proposed enhanced driver licenses that the Department of Homeland Security is working on with several states bordering Canada and Mexico. The long range-reading RFID technology suggested by DHS raises privacy, security, and operational functionality issues, says the alliance.”

  31. Xanboo Online home watch

  32. “You have zero privacy anyway. Get over it.” (Scott McNealy, CEO, Sun Microsystems, 1999)

  33. Controls
      • Reduce and contain the risk of security breaches
      • “Security is not a product, it’s a process” – Bruce Schneier [Using any security product without understanding what it does, and does not, protect against is a recipe for disaster.]
      • Security is NOT JUST installing a firewall.
      • 80%-90% of any/all security issues are INTERNAL (not the outside world)
      • There always is someone out there that can get in ... if they wanted to ...

  34. Computer Protection (Defense in Depth)
      • Protect yourself
        • Install firewalls, antivirus, anti-spyware
        • Properly configure all devices
        • Monitor logs
        • Remove unneeded cookies
        • Disable or secure file shares
        • Use browser protection and search engines with URL safety rating
      • Know what you are doing
        • Do not enter personal information on a website over a non-encrypted connection
        • Do not run programs of unknown origin
        • Read EULAs
        • THINK before you click
      “Property has its duties as well as its rights.” — Thomas Drummond (1797-1840)

  35. Computer Protection (Defense in Depth)
      • Keep patches up to date
        • AV and security software
        • Operating System
        • Application software
        • Browsers
      • BACKUP - BACKUP - BACKUP

  36. USE STRONG PASSWORDS
      • Online passwords are so insecure that one per cent can be cracked within 10 guesses, according to the largest ever sample analysis. http://www.cam.ac.uk/research/news/online-insecurity/
      • POLICY
        • Minimum length of six-ten characters
        • At least three of the following: lowercase alpha, uppercase alpha, digit, and special character.
        • Alpha, number and special characters must be mixed up.
        • Do not use "dictionary" words.

  37. Home Network
      How many of you:
      • protect your wireless device with a password?
      • encrypt the data in your wireless device?
      • employ any type of security with your wireless device?
      • employ security with your wireless network?

  38. Safe Guards
      • E-mail should be considered like a postcard
        • Don’t transmit personal data unless it is encrypted
      • Social networks (Facebook, Myspace) are open to others
        • Don’t post personal data that could be used for identification
        • Don’t post anything you would be ashamed of

  39. What Else Can You Do?
      • Do not give your personal information out over the phone or Internet.
      • Take all outgoing mail to a U.S. Postal Service mail box.
      • Use a P.O. Box for all incoming mail.
      • Buy a document/credit card/CD crosscut shredder.

  40. Credit Security
      • Use one credit card exclusively for Internet purchases.
      • Monitor activity on all credit cards closely.
      • Check your credit history at least twice a year.
      • You can buy identity theft recovery insurance.

  41. 10 Tips to Prevent Identity Theft
      • Avoid spoofed websites where phishing is the gateway
      • If you aren’t familiar with the eTailer don’t even bother clicking the links
      • Make sure the address you end up at is in fact the actual domain of the eTailer
      • Always look for HttpS in the address bar signifying it’s a secure page
      • Beware of emails coming from eBay scammers
      • Look at the eBayer’s history
      • Pay close attention to your credit-card statements
      • Don’t use a debit-card online
      • Avoid paying by check
      • Do business with those you know, like and trust
      http://www.bloggernews.net/123204

  42. “The most potent tool in any security arsenal isn’t a powerful firewall or a sophisticated intrusion detection system. When it comes to security, knowledge is the most effective tool…” Douglas Schweizer – The State of Network Security, Processor.com, August 22, 2003.
      “Knowledge is power — Nam et ipsa scientia potestas est” Francis Bacon (1561-1626)

  43. Resources
      • http://www.sans.org
      • http://www.cert.org
      • http://www.cerias.purdue.edu/
      • http://www.linuxsecurity.com/
      • http://www.linux-sec.net/
      • http://www.microsoft.com/security/
      • Cuckoo’s Egg – Clifford Stoll
      • Takedown – Tsutomu Shimomura
      • The Art of Deception – Kevin Mitnick
      • 19 Deadly Sins of Software Security – Howard, Leblanc, Viega
      • http://www.us-cert.gov/reading_room/

  44. Conclusions
      “Security is, I would say, our top priority because for all the exciting things you will be able to do with computers.. organizing your lives, staying in touch with people, being creative.. if we don't solve these security problems, then people will hold back. Businesses will be afraid to put their critical information on it because it will be exposed.” Bill Gates

  45. COMPUTER SECURITY AWARENESS WEEK (http://infosec.columbusstate.edu/) October / November 2013
      ACCENTUATE THE POSITIVE

  46. Questions?
      Dr. Wayne Summers
      CSU Center for Information Assurance Education
      TSYS School of Computer Science
      Columbus State University
      wsummers@ColumbusState.edu
      http://csc.columbusstate.edu/summers/workshop.html
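
The password policy on slide 36, written out as a checker. This is an added example, not part of the original presentation. It assumes the lower bound of the "six-ten" minimum, reads "mixed up" as meaning letters, digits and symbols may not each sit in a single block, and uses a small constructed word list in place of a real dictionary file.

```python
import re

# Constructed sample list; a real check would load a full dictionary file.
SAMPLE_WORDS = {"password", "summer", "dragon", "monkey", "welcome"}
# Undo common letter substitutions before the dictionary check (assumption).
LEET = str.maketrans("0134$5@7", "oieassat")
MIN_LENGTH = 6  # slide 36 says "six-ten"; the lower bound is used here


def kind(ch):
    """Classify one character into the four classes named on slide 36."""
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    return "special"


def check_password(pw, words=SAMPLE_WORDS, min_length=MIN_LENGTH):
    """Return the list of policy rules the password breaks (empty = passes)."""
    problems = []
    if len(pw) < min_length:
        problems.append("too short")
    classes = [kind(c) for c in pw]
    if len(set(classes)) < 3:
        problems.append("fewer than three character classes")
    # "Mixed up" is read here (assumption) as: letters, digits and symbols
    # must not each sit in one contiguous block, as in "Summer2013!".
    groups = ["alpha" if c in ("lower", "upper") else c for c in classes]
    runs = sum(1 for i, g in enumerate(groups) if i == 0 or g != groups[i - 1])
    if len(set(groups)) > 1 and runs == len(set(groups)):
        problems.append("character types not mixed")
    # Dictionary rule: fold case and substitutions, drop non-letters, then
    # look for any listed word of four or more letters inside the result.
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    if any(len(w) >= 4 and w in letters for w in words):
        problems.append("contains dictionary word")
    return problems


if __name__ == "__main__":
    for sample in ("abc", "Summer2013!", "P@ssw0rd1!", "t7#Kq9!mZ"):
        print(sample, "->", check_password(sample) or "passes")
```

"P@ssw0rd1!" meets the length, class and mixing rules and is rejected only by the dictionary rule, which is why that rule folds substitutions before matching.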
