Dec 25, 2015
Information Assurance @ UNM
Anderson faculty members have developed a program that is unique in the country, if not the world, with the following characteristics and benefits to students:
• An AACSB accredited program with an emphasis in the management of information security, fraud and forensic accounting and an interdisciplinary focus on behavioral problems in protecting information.
• A designation from the National Security Agency (NSA) and the Department of Homeland Security (DHS) as a center of academic excellence in IA (CAEIA).
• A partnership with the FBI and its Regional Computer Forensics Lab (RCFL), housed at UNM, through training, and student internships and co-ops.
• A partnership with the Department of Energy's first satellite office for the Center for Cyber Defenders through Sandia National Laboratories.
• The Metro Law Enforcement Internship program designed for students to work with local white collar crime units.
http://ia.mgt.unm.edu/
What is IA?
The NSA defines Information Assurance (IA) as:
– The protection of information systems against unauthorized access to, or modification of, information, whether in storage, processing or transit, and protection against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.
10 Most Dangerous Things Users Do Online
1. Opening email attachments from unknown senders
2. Installing unauthorized applications
3. Turning off or disabling automated security tools
– Firewalls
– Virus updates / security updates
– Password change requests
4. Opening email (Hypertext Mark-up Language or plain text) messages from unknown senders
5. Surfing gambling, porn, or other legally-risky sites
6. Giving out passwords, tokens or smart cards
7. Random surfing of unknown, untrusted Websites
8. Attaching to an unknown WiFi Network
– Use WPA and not WEP
– Turn on personal firewall
– Disable wireless card when not “in use”
9. Filling out Web scripts, forms or registration pages
10. Participating in chat rooms or social networking sites
Leading Threats to PC Security
– Viruses/Worms: Software programs designed to invade your computer, and copy, damage or delete your data
– Trojan Horses: Viruses that pretend to be programs that help you while destroying your data and damaging your computer
– Spyware: Software that secretly watches and records your online activities or sends you endless pop-up ads
http://cnettv.cnet.com/deadliest-computer-viruses/9742-1_53-50005771.html
http://www.youtube.com/watch?v=HQU9WJKmsc4
Online Security Versus Online Safety
Security: We must secure our computers with technology in the same way that we secure the doors to our offices
Safety: We must act in ways that protect us against the risks and threats that come with Internet use
Four Steps To Protect Your Computer
Turn on an Internet firewall
Keep your operating system up to date
Install and maintain antivirus software
Install and maintain antispyware software
Keep Your Operating System Updated
Install all security updates as soon as they are available
Automatic updates provide the best protection
Install Antivirus Software
Antivirus software can detect and destroy computer viruses before they can cause damage
Just like flu shots, for antivirus software to be effective, you must keep it up to date
Install And Maintain Antispyware Software
Use antispyware software so unknown people cannot lurk on your computer and potentially steal your information
Top Antispyware Software:
Spy Sweeper, CounterSpy, STOPzilla, Malwarebytes Anti Malware
Other Ways to Protect Your PC
Back up your files regularly
Think before you click
Read website privacy statements
Close pop-ups using red “X”
Close Pop-ups Using Red “X”
Always use the red “X” in the corner of a pop-up screen
Never click “yes,” “accept” or even “cancel”, because it could be a trick that installs software on your PC
Rogue Security Software
• “Scareware” is a new type of malicious software that pretends to protect your computer
• Scareware has increased more than 600% in the last two years.
• Found on popular Websites, YouTube, Twitter
• Microsoft Malicious Software Removal Tool
http://news.cnet.com/8301-19518_3-10466253-238.html
USB Thumb Drives
- One of the highest security liabilities
- Easily used for information theft
- Infections brought into networks, i.e. Trojans and viruses
- Encryption
- Keep it in sight
- Sanitize / format
- A new type of social engineering
Mobile Phones & PDAs
Survey findings by Credant Technologies in UK
– Out of 600 commuters at London railway stations, 80% of phone users store information on their phone that could be used to steal their identities
– 16% store bank account information
– 24% store PINs and passwords
– 10% save credit card information
– 99% of mobile phone users use their phone for business tasks
– 40% of these users do not have any encryption or password protection
Home Network Wireless Security
5 Steps for Securing your wireless
Step 1: Change the Router’s Default Administrator Password
Step 2: Change the Default SSID and Disable SSID Broadcast
Step 3: Change the IP Address Setting
Step 4: Set Up Your Router to Use Encryption
Step 5: Use the MAC Address Filter
http://www.youtube.com/watch?v=vCy78oss4oE
Simple Email Security
- Never assume email is secure, or that it will always reach its intended recipient
- Never send confidential information via email
- Password protect any attachments containing sensitive information
- Beware of email phishing scams
- Do not open suspicious email or messages received from an unknown sender
Simple Email Security, cont.
- Scan all attachments before opening
- Do not open attachments in a message received from an unknown sender
- Do not click on links received in email messages; type the website address into your web browser
- Do not open .zip files or .exe files received via email unless you know the sender and are expecting the attachment.
Phishing Lures
Phishing is a type of deception designed to steal your personal information
Phishing scams appear in various places:
– Email (friend or foe)
– Social Networking Websites
– Fake Websites (charitable sites that accept donations)
– IM programs
– Websites that spoof familiar sites
– Cell phones & mobile devices
Spear Phishing
Do you think you are safe?
• Experiments show a success rate of over 70% for phishing attacks on social networks.
• In a June 2004 experiment with spear phishing, 80% of 500 West Point cadets who were sent a fake e-mail were tricked into revealing personal information.
http://online.wsj.com/public/article/SB112424042313615131z_8jLB2WkfcVtgdAWf6LRh733sg_20060817.html?mod=blogs
Good advice
• No company will ever try to verify your info from an email!
• If you are unsure, contact the company to make sure the email is legit.
How fast will you get hacked?
Password Length    All Characters    Only Lowercase
3                  0.86              0.02 seconds
4                  1.36              .046 seconds
5                  2.15 hours        11.9 seconds
6                  8.51 days         5.15 minutes
7                  2.21 years        2.23 hours
8                  2.10              2.42 days
9                  20 millennia      2.07 months
10                 1,899             4.48 years
11                 180,365           1.16 centuries
12                 17,184,705        3.03 millennia
13                 1,627,797,06      78.7 millennia
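The table above is driven by one formula: an exhaustive search must try up to (character set size)^(length) guesses, so each extra character multiplies the work by the alphabet size (26 for lowercase only, 95 for all printable ASCII). The following Python is an added worked example, not part of the original slides; the guess rate of 10 million per second is an assumed figure, so the numbers it prints illustrate the growth pattern rather than reproduce the slide's exact values.

```python
"""Brute-force search time versus password length and character set.
Added worked example for the crack-time table; the guess rate is assumed."""

LOWERCASE = 26       # a-z
ALL_PRINTABLE = 95   # printable ASCII: letters, digits, punctuation, space

# Largest-unit-first, in the same units the slide's table uses.
UNITS = [
    ("millennia", 1000 * 365.25 * 86400),
    ("centuries", 100 * 365.25 * 86400),
    ("years", 365.25 * 86400),
    ("months", 30.44 * 86400),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
    ("seconds", 1),
]


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return charset_size ** length


def seconds_to_crack(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at an assumed guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that is at least 1."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.2f} seconds"


def compare(length: int, rate: float) -> tuple[str, str]:
    """(all characters, lowercase only) crack times for one length."""
    return (humanize(seconds_to_crack(ALL_PRINTABLE, length, rate)),
            humanize(seconds_to_crack(LOWERCASE, length, rate)))


if __name__ == "__main__":
    RATE = 1e7  # assumed: 10 million guesses per second (constructed figure)
    print("len  all characters        lowercase only")
    for n in range(3, 14):
        all_chars, lower = compare(n, RATE)
        print(f"{n:>3}  {all_chars:<22}{lower}")
```

Doubling the alphabet from 26 to 95 buys far less than adding characters: at any rate, going from 8 to 13 lowercase characters multiplies the work by 26^5, which is why the slide insists on length first.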
Strong passwords are a must
Rockyou.com top 20
Here are some password tips:
• Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0′, or even better an ‘@’ or ‘*’. (i.e. – m0d3ltf0rd… like modelTford)
• Whenever possible, use at least 14 characters.
• Randomly throw in capital letters (i.e. – Mod3lTF0rd)
• Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
• Maybe your favorite vacation spot, or a specific car, an attraction from a vacation, or a favorite restaurant?
• You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
Hacker Croll
• Built a profile of Twitter by using info freely available on the Web.
• Exploited the password reset feature in Gmail.
• Exploited the Hotmail “feature” of deleting inactive email accounts.
• Exploited human security mistakes.
http://news.softpedia.com/news/Social-Engineering-Used-to-Compromise-Twitter-117172.shtml
Creating a password exercise
1. Think of a sentence that you can remember. This will be the basis of your strong password. Use a memorable sentence, such as “May the force be with you.”
2. Convert it to a password. Take the first letter of each word of the sentence that you've created to create a new word. Using the example above, you'd get: mtfbwy
3. Add complexity by mixing uppercase and lowercase letters and numbers. For example, from the above: MtFbWU
4. Finally, substitute some special characters. You can use symbols that look like letters, combine words (remove spaces) and other ways to make the password more complex. Using these tricks, turn the phrase “You talking to me?” into “Uta!k!ng2Me?”
Questions?