Information Assurance @ UNM Anderson faculty members have developed a program that is unique in the country, if not the world, with the following characteristics.

Dec 25, 2015

Erik Wood
Information Assurance @ UNM

Anderson faculty members have developed a program that is unique in the country, if not the world, with the following characteristics and benefits to students:

• An AACSB accredited program with an emphasis in the management of information security, fraud and forensic accounting and an interdisciplinary focus on behavioral problems in protecting information.

• A designation from the National Security Agency (NSA) and the Department of Homeland Security (DHS) as a center of academic excellence in IA (CAEIA).

• A partnership with the FBI and its Regional Computer Forensics Lab (RCFL), housed at UNM, through training, and student internships and co-ops.

• A partnership with the Department of Energy's first satellite office for the Center for Cyber Defenders through Sandia National Laboratories.

• The Metro Law Enforcement Internship program designed for students to work with local white collar crime units.

http://ia.mgt.unm.edu/

What is IA?

The NSA defines Information Assurance (IA) as:

– The protection of information systems against unauthorized access to, or modification of, information, whether in storage, processing or transit, and protection against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.

10 Most Dangerous Things Users Do Online

1. Opening email attachments from unknown senders.

2. Installing unauthorized applications

3. Turning off or disabling automated security tools

– Firewalls
– Virus updates / security updates
– Password change requests

4. Opening email (Hypertext Mark-up Language or plain text) messages from unknown senders

5. Surfing gambling, porn, or other legally-risky sites

6. Giving out passwords, tokens or smart cards

7. Random surfing of unknown, untrusted Websites

8. Attaching to an unknown WiFi Network
- Use WPA and not WAP
- Turn on personal firewall
- Disable wireless card when not “in use”

9. Filling out Web scripts, forms or registration pages

10. Participating in chat rooms or social networking sites

Viruses Worms Trojan Horses Spyware

Leading Threats to PC Security

Viruses/Worms: Software programs designed to invade your computer, and copy, damage or delete your data

Trojan Horses: Viruses that pretend to be programs that help you while destroying your data and damaging your computer

Spyware: Software that secretly watches and records your online activities or sends you endless pop-up ads

http://cnettv.cnet.com/deadliest-computer-viruses/9742-1_53-50005771.html

http://www.youtube.com/watch?v=HQU9WJKmsc4

Online Security Versus Online Safety

Security: We must secure our computers with technology in the same way that we secure the doors to our offices

Safety: We must act in ways that protect us against the risks and threats that come with Internet use

Four Steps To Protect Your Computer

Turn on an Internet firewall

Keep your operating system up to date

Install and maintain antivirus software

Install and maintain antispyware software

Keep Your Operating System Updated

Install all security updates as soon as they are available

Automatic updates provide the best protection

Install Antivirus Software

Antivirus software can detect and destroy computer viruses before they can cause damage

Just like flu shots, for antivirus software to be effective, you must keep it up to date

Install And Maintain Antispyware Software

Use antispyware software so unknown people cannot lurk on your computer and potentially steal your information

Top Antispyware Software:

Spy Sweeper, CounterSpy, STOPzilla, Malwarebytes Anti Malware

Other Ways to Protect Your PC

Back up your files regularly

Think before you click

Read website privacy statements

Close pop-ups using red “X”

Close Pop-ups Using Red “X”

Always use the red “X” in the corner of a pop-up screen

Never click “yes,” “accept” or even “cancel”, because it could be a trick that installs software on your PC

Rogue Security Software

• “Scareware” is a new type of malicious software that pretends to protect your computer

• Scareware has increased more than 600% in the last two years.

• Found on popular Websites, YouTube, Twitter

• Microsoft Malicious Software Removal Tool

http://news.cnet.com/8301-19518_3-10466253-238.html

USB Thumb Drives

- One of the highest security liabilities

- Easily used for information theft

- Infections brought into networks i.e. Trojans and viruses

- Encryption

- Keep it in sight

- Sanitize / format

- A new type of social engineering

Mobile Phones & PDAs

Survey findings by Credant Technologies in UK

– Out of 600 commuters at London railway stations

80% of phone users store information on their phone that could be used to steal their identities

– 16% store bank account information
– 24% store PINs and passwords
– 10% save credit card information
– 99% of mobile phone users use their phone for business tasks
– 40% of these users do not have any encryption or password protection

Home Network Wireless Security

5 Steps for Securing your wireless

Step 1: Change the Router’s Default Administrator Password

Step 2: Change the Default SSID and Disable SSID Broadcast

Step 3: Change the IP Address Setting

Step 4: Set Up Your Router to Use Encryption

Step 5: Use the MAC Address Filter

http://www.youtube.com/watch?v=vCy78oss4oE

Simple Email Security

- Never assume email is secure, or that it will always reach its intended recipient

- Never send confidential information via email

- Password protect any attachments containing sensitive information

- Beware of email phishing scams

- Do not open suspicious email or messages received from an unknown sender

Simple Email Security, cont.

- Scan all attachments before opening

- Do not open attachments in a message received from an unknown sender

- Do not click on links received in email messages; type the website address into your web browser

- Do not open .zip files or .exe files received via email unless you know the sender and are expecting the attachment.

Phishing Lures

Phishing is a type of deception designed to steal your personal information

Phishing scams in various places

- Email (friend or foe)
- Social Networking Websites
- Fake Websites (charitable sites that accept donations)
- IM program
- Websites that spoof familiar sites
- Cell phones & mobile devices

Spear Phishing

Do you think you are safe?

• Experiments show a success rate of over 70% for phishing attacks on social networks.

• In a June 2004 experiment with spear phishing, 80% of 500 West Point cadets who were sent a fake e-mail were tricked into revealing personal information.

http://online.wsj.com/public/article/SB112424042313615131z_8jLB2WkfcVtgdAWf6LRh733sg_20060817.html?mod=blogs

Good advice

• No company will ever try to verify your info from an email!

• If you are unsure, contact the company to make sure the email is legit.

How fast will you get hacked?

Password Length   All Characters   Only Lowercase
3                 0.86             0.02 seconds
4                 1.36             .046 seconds
5                 2.15 hours       11.9 seconds
6                 8.51 days        5.15 minutes
7                 2.21 years       2.23 hours
8                 2.10             2.42 days
9                 20 millennia     2.07 months
10                1,899            4.48 years
11                180,365          1.16 centuries
12                17,184,705       3.03 millennia
13                1,627,797,06     78.7 millennia

Strong passwords are a must
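
The figures in the table above line up with an exhaustive search at roughly one million guesses per second (for example 26^5 = 11,881,376 guesses for the 11.9 seconds shown). The sketch below is an added example, not part of the original slides; the guess rate, the 95-character "all characters" set and the 365-day year are assumptions.

```python
# Added example: worst-case time to exhaust every password of a given length.
import string

GUESSES_PER_SECOND = 1_000_000             # assumption: rate is not stated on the slide
LOWERCASE = len(string.ascii_lowercase)    # 26 symbols
ALL_PRINTABLE = 95                         # assumption: printable ASCII including space

YEAR = 365 * 86_400                        # assumption: 365-day year
UNITS = [                                  # (seconds per unit, name), largest first
    (YEAR * 1000, "millennia"),
    (YEAR * 100, "centuries"),
    (YEAR, "years"),
    (YEAR // 12, "months"),
    (86_400, "days"),
    (3_600, "hours"),
    (60, "minutes"),
]


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Seconds needed to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def humanize(seconds):
    """Express a duration in the largest unit that gives a value >= 1."""
    for size, name in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.2f} seconds"


def table(lengths=range(3, 14), rate=GUESSES_PER_SECOND):
    """Rows of (length, all-characters time, lowercase-only time)."""
    return [
        (n,
         humanize(worst_case_seconds(ALL_PRINTABLE, n, rate)),
         humanize(worst_case_seconds(LOWERCASE, n, rate)))
        for n in lengths
    ]


if __name__ == "__main__":
    for n, all_chars, lower in table():
        print(f"{n:>2}  {all_chars:>26}  {lower:>18}")
```

Passing a higher `rate` to `table()` shows how quickly the short-password rows collapse as guessing hardware gets faster, which is why length and character variety both matter.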

Rockyou.com top 20

Here are some password tips:

• Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0’, or even better an ‘@’ or ‘*’. (i.e. – m0d3ltf0rd… like modelTford)

• Whenever possible, use at least 14 characters or more.

• Randomly throw in capital letters (i.e. – Mod3lTF0rd)

• Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.

• Maybe your favorite vacation spot, or a specific car, an attraction from a vacation, or a favorite restaurant?

• You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.

Hacker Croll

• Built a profile of Twitter by using info freely available on the Web.

• Exploited the password reset feature in Gmail.

• Exploited the Hotmail “feature” of deleting inactive email accounts.

• Exploited human security mistakes.

http://news.softpedia.com/news/Social-Engineering-Used-to-Compromise-Twitter-117172.shtml

Creating a password exercise

• 1. Think of a sentence that you can remember. This will be the basis of your strong password. Use a memorable sentence, such as “May the force be with you.”

• 2. Convert it to a password. Take the first letter of each word of the sentence that you've created to create a new word. Using the example above, you'd get: mtfbwy

• 3. Add complexity by mixing uppercase and lowercase letters and numbers. For example from the above MtFbWU

• 4. Finally, substitute some special characters. You can use symbols that look like letters, combine words (remove spaces) and other ways to make the password more complex. Using these tricks, turn the phrase “You talking to me?” into “Uta!k!ng2Me?”

Questions?