Information Security Best Practices John R. Burnette Tuesday, December 9, 2008 Introduction Today there are e-mail viruses, Trojans, Internet worms, keystroke loggers (i.e. malware) and hackers.
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Information Security Best Practices
John R. Burnette
Tuesday, December 9, 2008
Today there are e-mail viruses, Trojans, Internet worms, keystroke loggers (i.e. malware) and hackers.
Twenty years ago the first computer virus was written to protect floppy disk software from bootleggers.
1990s viruses were created for cyber vandalism
Michelangelo virus – 1990
SoBig-F virus – download programs from the web at a specific time
Delete a hard disk or corrupt a spreadsheet
2008 malware is created for securing financial assets
Keystroke logger – waits until a victim visits a banking website and then records the user’s account numbers and passwords and sends the information to a hacker.
Information Security Targets
All Businesses with monetary assets, Intellectual Property, and
personal identity information (i.e. identity theft)
All U.S. citizens and foreign nationals with monetary assets
Business and Personal BankAccounts
Checking and Savings Numbers
Business and Personal Checks
Business and Personal Computers
Business and Personal Data
Employee Addresses and TelephoneNumbers
Business and Personal Debit Cards
Business and Personal Credit Cards
Credit Card Receipts(i.e. carbon copy)
Credit Card Statements
Hackers, Phishing, E-Mail Scams, Trojans, Worms
Attacks originate from 106 countries – benefit of a prosperous global economy
China, People’s Republic of China
Eastern Block (i.e. Yugoslavia, Albania, Romania)
Korea, Democratic People’s Republic of (North Korea)
United States and Europe
Provide an air gap between your sensitive and non-sensitive data
Computer No. 1
Internet Usage – access web sites www.msn.com
Internet Explorer – search the world wide web
Computer No. 2
Vulnerable Business and Personal Information
Bank Account Numbers
Investment Account Numbers
Credit Card Numbers
Social Security Numbers and Personnel Information
Computers are standalones – no internet access or e-mail capability
Microsoft products are extremely vulnerable
Cost/Benefit Analysis – Second computer compared to compromised financial records.
Commercial CDs loaded with malware. Legitimate looking CDs that are freely available at trade shows, conventions, foreign travel.
Malware – uses e-mail and websites
Storm – 2007 “utilizes social engineering techniques to make its messages highly appealing to open and click through.”
2008 Internet Malware Trends, Cisco, IronPort.
The estimate is 50 million computers have been infected.
Use a strong password for your computer and password protect your documents. A strong password will have a variety of letters, numbers, and characters.
Use Encryption – PKI, PGP
Double Your Protection – use both a strong password and encryption for sending documents (both internal and external). The encryption provides both security and confidentiality for the sender and receiver.
Install antivirus/firewall software on your laptop computer
Use a physical lock for your laptop computer (i.e. business travel and college students)
Sanitize your laptop computer when returning from business or personal travel to a foreign country.
Never open e-mail from a party that you do not know.
Read the e-mail address carefully
Instead of firstname.lastname@example.org the address may read
E-mail client should be set to prevent attachments from being displayed or opened unless confirmed by the owner of the system
Attachments may contain executable and malicious software
Install a Spam blocker utility
Separate wireless from wired networks where practical
Separate security into two distinct problems: user (client) access security and wired network security. Breaking into the user network does not provide access to many information resources.
Business best practices
Make wireless access networks external to wired networks
Manage wireless network equipment out-of-band
Personal best practices
Use very strong (long) WPA/WPA2 personal passwords
Use secure (VPN/SSL) connections to email, websites
Maintain configuration of laptops (patches, anti-spyware, firewall)
Use a biometric fingerprint reader for your laptop computer.
Use good configuration management practices for all client devices (patches, anti-malware, host firewall, periodic vulnerability scans to verify)
Use “thin client” methods where possible (applications and data are on secure server not client computer)
Use removable USB thumb drives to store sensitive information in encrypted form (reduces exposure to threats)
OPSEC – Operations Security
Monitor and balance your monthly bank statements
Check for errors, overdraft charges, transfers
Balance your checkbook and savings accounts on a daily basis (i.e. Gesa Call 24)
Guard your passwords and account numbers – memorize instead of written on a Post-It Note hidden under the computer keyboard
Discrepancies – contact bank immediately
Shred all checkbook and savings account receipts (i.e. identity theft)
Mail all bills, birthday cards with checks at the post office instead of through your personal mailbox. Business and personal mailboxes are vulnerable to theft – ink on checks can be erased and rewritten.
E-Mail – Nigerian Scam – Please send me your bank account number, and I will deposit a large sum of money in your account.
Phishing – Gesa, Ebay – E-Mail, Telephone call
Many of the e-mail messages have the correct logo of the company and appear to be legitimate (i.e. U.S. DOE MSC announcement).
Check the e-mail address for accuracy.
Rule of Thumb – if the message is by e-mail or telephone immediately contact your bank/credit card company – do not use the telephone number provided in the message and do not provide any information to the caller.
Train your employees and family members in case of an attack.
Vulnerability – everyone
Easy targets – elderly, students
Trojans – Internet, E-Mail – infiltrate your computer and send your business and personal information to the sender – (i.e. Downloader)
Worms – Internet, E-Mail – Infiltrate your computer and send your business and personal information to the sender.
Guard your computer passwords – memorize
Do not give anyone your passwords
Lock your computer when leaving your desk –
Control Alt Delete Lock Computer
Screen saver has a ten minute lock
Keep your office door closed and locked when you are away from the building
Keep system patched
Use anti-virus and anti-spyware
Least permissions mode
Use due diligence (no magic bullet)
As the global economy continues to falter the number of cyber attacks will increase.