1. Security Awareness:�Asking the Right Questions�to Protect Information Keith A. Watson, CISSP
Research Engineer
Center for Education and Research and Information Assurance and Security
3. A Brief Intro to Information Security Information Security� is the Process of Protecting�Information and Information Resources
4. Information Security Intro Information assets are the most critical and most valuable
Applies to information in electronic and physical forms
Three primary goals
Confidentiality
Integrity
Availability
5. Information Security Examples (Confidentiality) What would happen if sample information were accidentally published to web site?
(Integrity) How reliable would sample information be if it could be modified by anyone on the network?
(Availability) How would you get any work done if all the mice disappeared?
6. Responsibility Who?
Why?
7. Who is Responsible? Are you responsible for the security of your system?
Is the system administrator responsible?
Do you have the administrator password for your system?
8. Answers You �Might Not Like You are at least partly responsible for the security of the information on the system.
The system administrator might be responsible for the security of the system.
If you have the administrator password, then you are probably responsible for everything.
9. But wait, Im not an admin
Find someone else to be in charge of the security of the system
Someone who will take an active part in managing the system
Give up your admin password and live the life of a lowly user
10. Why am I in charge? You have no system admin
No budget for one
Cant find one (industry pays better)
You have one, but he cant be trusted
Policy puts you in charge
You create it, you manage it (functional data owner policy)
Decentralized control
You manage the system. The admin answers your questions.
11. Knowledge What?
How?
12. The Bare Minimum Update that System!
Back it Up!
Worms, Viruses, Spyware, Oh My!
*#@^%$&!
Shields Up!
13. Update that System! Is your system up to date?
Windows (and Mac)
Run software update tools at least on the second Tuesday of the month (Windows patch release day)
Turn on auto updates (catch off-cycle patches)
Linux
Check for updates at least weekly (yum, RHN, etc)
If you dont manage updates, make sure your admin follows these guidelines
14. Back it Up! Back up strategy:
Critical/Important data daily
Systems at least weekly
Methods:
External drives (USB/Firewire)
Tapes
Servers
15. Worms, Viruses, Spyware, Oh My! You should have anti-virus/spyware software installed and updating daily
Scan every
Attachment
File downloaded
If you didnt install and configure the anti-virus/spyware software, find out who did
Make sure it is enabled and auto updating
16. *#@^%$&!�Strong Passwords We have too many passwords to remember
The Music Method:
Chose the words from a song:
Mary had a little lamb whose fleece was
Select the first letters of the words:
M h a l l w f w
Change some of the letters to numbers:
M4a1lwfw
Change some letters to upper case:
M4A1lWfw
17. *#@^%$&!�Stronger Passwords We have too many systems to use
The Variations on a Theme Method:
Using your MM password, modify the trailing characters for different systems:
M4A1lWnP ==> network password
M4A1lWw5 ==> web site password
M4A1lWSv ==> server password
18. Shields Up!�Screen Locks On Enable screensavers with passwords
Lock the screen when you step away
Use an idle timeout to auto lock it
10 minutes is probably good enough
19. Shields Up!�Firewalls Software On Desktop firewall software prevents some network-based inbound attacks
Some limit outbound connections as well
Modern operating systems have a firewall
Turn it on
Enable/Allow the net services that you use
20. Shields Up!�Unnecessary Stuff Off Remove unneeded software
Fewer vulnerabilities to worry about
Save some disk space too
Turn off unnecessary services
Fewer ways an attacker can get to you
Improve performance too
21. Some Extra Stuff Above the Bare Minimum Encrypt that Data!
Lock that Door, Desk, and Cabinet!
Glue that Computer Down!
22. Encrypt that Data! Disk encryption
Stolen hardware has interesting info on it
Windows XP EFS
Mac OS X FileVault
PGP Disk
Email encryption
Email is like a postcard, anyone can read it
PGP or GPG
S/MIME (most modern mail tools support it)
23. Lock that Door, �Desk, and Cabinet! Better Physical Security needed
Have rules about locking labs and offices
Move your sensitive paperwork into file cabinets before you go home
Lock up your expensive gizmos in a desk
24. Glue that�Computer Down! Computers are getting smaller and sprouting legs
Laptops
Get a cable lock
Use it at the office and when you travel
Desktops
Get a steel cage lock box or cable kit
Two-sided carpet tape works too!
25. Contacts Who?
Why?
26. Who do I contact? If a law has been broken, call the police
Ask for an officer responsible for computer crimes
They may refer you to other agencies (FBI, Secret Service, state police, etc.)
Be aware that they may take your system away for analysis
27. Who do I contact? If there is a problem with your system, unplug it from the network
Do NOT turn it off!
Call the admin and/or your local security person
28. Contact Pitfalls No one knows what to do
No one wants to do anything
Next steps (before you plug it into the network):
Reinstall system from original media (update)
Configure security options (FW, AV/S, etc)
Restore user/project data from backup
29. Summary Information is critical to the mission of the NPDN
Determine responsibility for security.
Improve the security of your systems.
Find out what to do when things go wrong.
