R. Scott Studham Chief Information Officer Computer Security
Page 1: Security

R. Scott Studham
Chief Information Officer

Computer Security

Page 2: Security

Agenda

• Ethics
• CyberSecurity
• What do hackers want?
• Social Engineering
• Privacy: Reputation Management
• How can you protect yourself?

Page 3: Security

“A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila.”

— Mitch Ratliff

CyberSecurity

Page 4: Security

Before …

Page 5: Security

After

Page 6: Security

Who wants this Information?

http://securitylabs.websense.com/content/CrimewarePhishing.aspx

Updated 12/2/09

Page 7: Security

FBI: Infragard

Page 8: Security

Targets

Page 9: Security

Targets

Page 10: Security

Resources

Page 11: Security

Three Major Goals:

• Information
  • Username and password.
  • Bank Information
• Resources
  • Computing
  • Networking
• Money!

Page 12: Security

Stolen Credit Card Numbers

Page 13: Security

Credit Card Applications

• Name
• Address
• Social Security Number

Page 14: Security

Four components of security

Page 15: Security
Page 16: Security
Page 17: Security
Page 18: Security
Page 19: Security

November 2009 Phishing

Sent: Thursday, November 12, 2009 10:34 AM
Subject: Utk.edu Post Update

Dear subscriber,

Your e-mail account needs to be upgraded with our new F-Secure R HTK4S anti-virus/anti-spam 2009 version.

Fill the columns below and click reply and send back or your account will be Suspended from our services.

E-mail address:
Password:

* Please note that your password will be encrypted with 1024-bit RSA keys for increased security.

Thank you for your cooperation
Management


Page 20: Security
Page 21: Security
Page 22: Security

Hacked Site

Page 23: Security
Page 24: Security

Real Site

Page 25: Security

Spearphishing

To: John Doe <[email protected]>
From: Scott Studham <[email protected]>
Subject: CyberSecurity Presentation Slides
Attachment: CyberSecurity.pptx (7.5mb)

Hello John,

Your instructor asked me to send everyone a copy of the slides from my presentation. See attached.

Best regards,
Scott

Page 26: Security

Bob Hacker
1234 Pwned Lane
Silly Rabbit, HA

Page 27: Security

Phishing

• Don’t reveal personal or financial information
• Contact the sender before you respond or open any attached files.
• Never click links in an e-mail message.
• Report phishing campaigns to your company or ISP.
• Use tools with “Phishing Filters” (Philters?)

Page 28: Security

Spear Phishing

• Personalized phishing attack
• Social attack
• Appears genuine
• Someone you’ve had contact with
• Someone from HR, IT, etc.
• Users of a particular website
• Goal: compromise an organization

Page 29: Security

“It is better to keep your mouth closed and let people think you are a fool than to open it and remove all doubt.”

-- Mark Twain

Reputation Management

Page 30: Security

Social Networks

Page 31: Security

Facebook

• 42 coworkers
• Including:
• Direct reports
• Former boss
• School program?

Page 32: Security

Google Hacking

Page 33: Security

Drunken Pirate (May 2006)

• “Arrrrggghhh, I need a job!”
• Denied Degree and Teaching Certificate by Millersville University
• University Officials reported that the photo was “unprofessional.”
• She lost court battle (Dec 2008)

Page 34: Security

Cisco Fatty (March 2009)

Connor Riley on Twitter:

“Cisco just offered me a job! Now I have to weigh the utility of a fatty paycheck against the daily commute to San Jose and hating the work.”

“Who is the hiring manager? I’m sure they would love to know that you will hate the work. We here at Cisco are versed in the web.

http://www.theconnor.net/

Page 35: Security

Sick Day, Part 1

From: Kevin Colvin [mailto: REDACTED]
Sent: Wednesday, October 31, 2007 3:55PM
To: Jill Thompson (North America)
CC: Paul Davis (North America)
Subject:

Paul/Jill –

I just wanted to let you know that I will not be able to come into work tomorrow. Something came up at home and I had to go to New York this morning for the next couple of days. I apologize for the delayed notice.

Kind regards,

Kevin

Page 36: Security

Sick Day, Part 1

From: Paul Davis (North America)
Sent: Thursday, November 01, 2007 4:54 PM
To: Kevin Colvin; Jill Thompson (North America); Kevin Colvin (North America)
Subject: RE:

Kevin,

Thanks for letting us know—hope everything is ok in New York. (cool wand)

Cheers,
PCD

Page 37: Security

Sick Day, Part 2

From: Niresh Regmi
Sent: Wednesday, 27 August 2008 9:35 a.m.
To: Kyle Doyle
Subject: Absence on Thursday 21st 2008

Hi Kyle,

Please provide a medical certificate stating a valid reason for your sick leave on Thursday 21st 2008.

Thank You
NIRESH REGMI
Real Time Manager, Workforce Operations

Page 38: Security

Sick Day, Part 2

From: Kyle Doyle
Sent: Wednesday, 27 August 2008 9:38 a.m.
To: Niresh Regmi
Subject: RE: Absence on Thursday 21st 2008

Niresh,

1 day leave absences do not require a medical certificate as stated in my contract, provided I have stated that I am on leave for medical reasons.

Thanks

Regards,
Kyle Doyle
Resolutions Expert - Technical

Page 39: Security

Sick Day, Part 2

From: Niresh Regmi
Sent: Wednesday, 27 August 2008 9:39 a.m.
To: Kyle Doyle
Subject: RE: Absence on Thursday 21st 2008

Hi Kyle,

Usually that is the case, as per your contract. However please note that leave during these occasions is only granted for genuine medical reasons. Your line manager has determined that your leave was not due to medical reasons and as such we cannot grant leave on this occasion.

NIRESH REGMI

Page 40: Security

Sick Day, Part 2

From: Kyle Doyle
Sent: Wednesday, 27 August 2008 9:43 a.m.
To: Niresh Regmi
Subject: RE: Absence on Thursday 21st 2008

Hi Niresh,

My leave was due to medical reasons, so you cannot deny leave based on a line manager's discretion, with no proof, please process leave as requested.

Thanks

Regards,
Kyle Doyle

Page 41: Security

Sick Day, Part 2

From: Niresh Regmi
Sent: Wednesday, 27 August 2008 9:50 a.m.
To: Kyle Doyle
Subject: RE: Absence on Thursday 21st 2008

Hi Kyle, I believe the proof that you are after is below

Page 42: Security

Sick Day, Part 2 (Epilogue)

From: Kyle Doyle
Sent: Wednesday, 27 August 2008 9:55 a.m.
To: Niresh Regmi
Subject: RE: Absence on Thursday 21st 2008

HAHAHA LMAO epic fail

No worries man

Regards,
Kyle Doyle

http://www.theregister.co.uk/2008/10/23/sickie_woo/

Page 43: Security

James Karl Buck sent a single word:

“Arrested”

Page 44: Security

Witness Protection

“I talked to Jen today, she is having fun at the beach in West Palm, I hate her :)”

Page 45: Security

Can Happen to Anyone

Page 46: Security

1st Possible Response

Page 47: Security

2nd Possible Response

Page 48: Security

Contact Poster/Content Owner

Page 49: Security

Social Networks

Page 50: Security

Hosting Service or ISP

Page 51: Security

Online Reputation

?

Page 52: Security

Raise Your Stock

Page 53: Security

Online Reputation Management

Page 54: Security

Prevention

• Beware what you post

• Control access

Page 55: Security

Google Alerts

• Create query of choice
• Be specific
• site:utk.edu “Studham”
• site:utk.edu filetype:xls ssn
• site:tennessee.edu filetype:ppt OR filetype:pdf

Page 56: Security

“By trying we can easily endure adversity. Another man's, I mean.”

-- Mark Twain

Protecting Yourself

Page 57: Security

Five Good Practices

1. Don’t click email links.

2. Use strong passwords.

3. Use protection software.

4. Manage your online reputation

5. Keep your software updated.

Page 58: Security

Don’t Click Email Links

• Copy & paste
• Type it manually

Page 59: Security

BAD Passwords

• Dictionary words & combos (BadIdea)
• Family members or pets
• Sports teams (GoVols!)
• Nicknames (princess)
• Word or username reversals (terces)
• Sequential (aaaaaaaa or hijklmnop)
• Letter replacement (P@$$w0rd)
• Any password mentioned in this presentation!

Hackers guess easy passwords!

Page 60: Security

Strong Passwords

• Think passphrases
• Upper and lowercase letters
• Punctuation & numbers
• At least eight characters
• Should appear random
• Easy for you to remember
• Phrase acronyms: Y(t@Bbic!
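
The checks on the "BAD Passwords" and "Strong Passwords" slides, written out as an added example that is not part of the original presentation. The function and helper names are hypothetical and the word list is a small constructed sample; a real check would load a full dictionary plus names, pets and team names.

```python
import string

# Constructed sample word list (assumption); stands in for a real dictionary.
WORDLIST = {"bad", "idea", "password", "princess", "secret", "govols"}
# Undo common letter replacements before the dictionary lookup.
LEET = str.maketrans("@$0134!5", "asoleais")

def _letters(text):
    """Keep only letters, so 'govols!' is compared as 'govols'."""
    return "".join(ch for ch in text if ch.isalpha())

def _is_word_or_combo(cand):
    """True for a listed word or two listed words joined ('bad' + 'idea')."""
    if cand in WORDLIST:
        return True
    return any(cand[:i] in WORDLIST and cand[i:] in WORDLIST
               for i in range(1, len(cand)))

def _is_sequence(pw):
    """True for repeated ('aaaaaaaa') or consecutive ('hijklmnop') runs."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({0}, {1}, {-1})

def password_problems(pw, username=""):
    """Return the slide rules this password breaks (empty list if none)."""
    problems = []
    low = pw.lower()
    plain = _letters(low)                    # "govols!"  -> "govols"
    unleet = _letters(low.translate(LEET))   # "p@$$w0rd" -> "password"
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs upper and lowercase letters")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("needs punctuation or numbers")
    if _is_word_or_combo(plain):
        problems.append("dictionary word, name or combo")
    elif unleet != plain and _is_word_or_combo(unleet):
        problems.append("letter replacement of a dictionary word")
    if plain[::-1] in WORDLIST or (username and low == username.lower()[::-1]):
        problems.append("word or username reversal")
    if _is_sequence(low):
        problems.append("sequential or repeated characters")
    return problems
```

`P@$$w0rd` meets the length and character-class rules and is rejected only once the letter replacements are undone, which is why the slide lists it as bad.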

Page 61: Security

Use protection software

• Anti-Spyware
• Anti-Virus
• Microsoft Security Essentials (FREE!)
• Firewall (built in!)

Keep this software updated!

Page 62: Security

Be Careful what Info you Provide

• Join top Social Networks
• Minimal placeholder
• Setup privacy controls
• Monitor mentions
• Early warnings
• Watch out for mentions of yourself
• Don’t overreact: squeaky wheel, etc.
• Internet can be a good or bad advertisement … especially if it’s funny

Page 63: Security

Keep software updated!

• Software updates
• Microsoft Update
• OS & Applications
• Office (Outlook!), etc.
• Other software packages
• Acrobat and Flash
• Virus & Spyware definitions

Page 64: Security

If you do nothing else …

1. Don’t click email links
2. Use strong passwords
3. Use protection software
4. Be careful what you post.
5. Keep software updated!

… but remember that’s not all.

Page 65: Security

Review

• CyberSecurity
• What do hackers want?
• Social Engineering
• Privacy: Reputation Management
• How can you protect yourself?

Page 66: Security

Thank you!

Most slides were stolen from

Office of Information Technology
Information Security Office

Questions?