Information Security Best Practices
John R. Burnette
Tuesday, December 9, 2008
Introduction
- Today there are e-mail viruses, Trojans, Internet worms, keystroke loggers (i.e. malware) and hackers.
- Roughly twenty years ago the first PC virus (Brain, 1986) was written by its authors to deter bootlegging of their floppy-disk software.
- 1990s viruses were written for cyber vandalism: Michelangelo (discovered 1991); payloads that wiped a hard disk or corrupted a spreadsheet.
- SoBig.F (2003): at a specific time the worm downloaded programs from the web onto infected machines.
- 2008 malware is created to steal financial assets. Example: a keystroke logger waits until the victim visits a banking website, records the account numbers and passwords, and sends them to the hacker.
Information Security Targets
- All businesses with monetary assets, intellectual property, and personal identity information (i.e. identity theft)
- All U.S. citizens and foreign nationals with monetary assets
- Business and personal bank accounts: checking and savings account numbers, checks
- Business and personal computers and data: Social Security numbers, employee addresses and telephone numbers
- Business and personal debit and credit cards: card numbers, receipts (i.e. carbon copies), statements
Information Insecurity - Threat
- Hackers, phishing, e-mail scams, Trojans, worms
- Attacks originate from 106 countries, a side effect of a prosperous global economy:
  Algeria, Armenia, Azerbaijan, Belarus, China (People's Republic of China), Cuba, Eastern Bloc (i.e. Yugoslavia, Albania, Romania), Georgia, India, Iran, Iraq, Israel, Kazakhstan, Korea (Democratic People's Republic of, North Korea), Kyrgyzstan, Libya, Moldova, Nigeria, Pakistan, Russia, Sudan, Syria, Taiwan, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, the United States and Europe
Information Security – Business and Personal Computers
- Provide an air gap between your sensitive and non-sensitive data.
- Computer No. 1: Internet usage. Access web sites (www.msn.com), search the world wide web with Internet Explorer, e-mail.
- Computer No. 2: vulnerable business and personal information. Bank account numbers, investment account numbers, credit card numbers, tax returns, Social Security numbers and personnel information, financial spreadsheets.
- Computer No. 2 is a standalone: no Internet access or e-mail capability. The air gap is only as strong as the controls on what crosses it; a CD or USB drive carried from Computer No. 1 (or home from a trade show) to Computer No. 2 brings its malware with it.
- Widely deployed software such as Microsoft Windows, Office and Internet Explorer is the most heavily targeted, so Computer No. 1 still needs patching and antivirus.
- Cost/benefit analysis: the price of a second computer compared to compromised financial records.
Information Insecurity - Malware
- Commercial CDs loaded with malware: legitimate-looking CDs that are freely available at trade shows, conventions, and during foreign travel.
- Malware uses e-mail and websites.
- Storm (2007) "utilizes social engineering techniques to make its messages highly appealing to open and click through." (2008 Internet Malware Trends, Cisco IronPort.) One estimate puts the number of infected computers at 50 million.
Information Security – Best Practices
- Use a strong password for your computer and password-protect your documents. A strong password is long and varied: letters, numbers, and symbols. Length counts for more than variety; a short password that uses every character class is still quick to guess.
- Use encryption: PKI, PGP.
- Double your protection: use both a strong password and encryption for sending documents, internal and external. Encryption gives the sender and receiver confidentiality; signing the document (PGP and PKI both support it) lets the receiver verify who sent it. Send a document password through a different channel (telephone, in person), never in the same e-mail as the document.
- Install antivirus and firewall software on your laptop computer.
- Use a physical lock for your laptop computer (i.e. business travel and college students).
- Sanitize your laptop computer when returning from business or personal travel to a foreign country.
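As an added illustration (not part of the original slides), the Python below scores a password by the size of the search space an attacker has to cover, which is what the password advice above is really about: a short password with every character class scores lower than a long one with few. The COMMON_PASSWORDS set and the 50-bit threshold are assumptions for the example; a real check would draw on a large breached-password list and set the threshold according to whether the attacker can guess offline.

```python
import math
import string
from typing import Dict

# Constructed mini wordlist for illustration; a real check uses a large
# breached-password list (millions of entries).
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "123456", "welcome"}

# Digit/symbol substitutions that cracking tools try automatically ("P@ssw0rd").
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search, inferred from the classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c not in string.printable for c in pw):
        size += 100  # rough allowance for non-ASCII characters
    return size


def estimate_bits(pw: str) -> float:
    """Upper bound: bits of entropy if every character were chosen uniformly at random."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def passphrase_bits(words: int, dictionary_size: int = 7776) -> float:
    """Entropy of a passphrase built from random dictionary words (7776 = Diceware list)."""
    return words * math.log2(dictionary_size)


def assess(pw: str, min_bits: float = 50.0) -> Dict[str, object]:
    """Estimate guessing effort and give a verdict.

    The charset figure is an upper bound; multi-word passphrases are capped at the
    dictionary-based figure, and anything built on a common word is weak regardless
    of how many digits and symbols decorate it.
    """
    root = pw.lower().strip(string.digits + string.punctuation).translate(LEET)
    common = root in COMMON_PASSWORDS or pw.lower() in COMMON_PASSWORDS
    bits = estimate_bits(pw)
    words = pw.split()
    if len(words) >= 3:
        bits = min(bits, passphrase_bits(len(words)))
    verdict = "weak" if common or bits < min_bits else "ok"
    return {"bits": round(bits, 1), "common": common, "verdict": verdict}


if __name__ == "__main__":
    for candidate in ["P@ss1", "P@ssw0rd!", "correct horse battery staple",
                      "Tq7#vLm9!pXz2Rk"]:
        print(f"{candidate!r:32} -> {assess(candidate)}")
```

Note that "P@ssw0rd!" passes a naive "letters, numbers and symbols" rule yet is rejected, because stripping the decoration leaves a dictionary word; the four-word passphrase is rated at the honest dictionary figure (about 52 bits) rather than the 130 bits a character count would suggest.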
Information Security - Email
- Incoming e-mail: never open e-mail from a party that you do not know, and remember that the From: address can be forged, so a familiar name is not proof by itself.
- Read the e-mail address carefully. Instead of email@example.com the address may read firstname.lastname@example.org: a different domain behind a familiar name.
- The e-mail client should be set to prevent attachments from being displayed or opened unless confirmed by the owner of the system. Attachments may contain executable and malicious software.
- Install a spam blocker utility.
Information Security – Wireless Networking
- Separate wireless from wired networks where practical.
- Separate security into two distinct problems: user (client) access security and wired network security. Breaking into the user network then does not provide access to many information resources.
- Business best practices: make wireless access networks external to the wired network; manage wireless network equipment out-of-band.
- Personal best practices: use very strong (long) WPA/WPA2 Personal passphrases, preferring WPA2 (AES/CCMP) over WPA (TKIP). The passphrase and the network name are the only inputs to the network key, and anyone who records a client joining the network can test guesses offline at leisure, so length is what protects you. Use secure (VPN/SSL) connections to e-mail and websites. Maintain the configuration of laptops (patches, anti-spyware, firewall).
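Added example, not from the original slides: WPA2-Personal derives the network key (the PSK) from the passphrase and SSID with PBKDF2-HMAC-SHA1 at 4096 rounds, which is exactly why a short passphrase is dangerous. The Python below reproduces the derivation, checks it against the IEEE 802.11i test vector (passphrase "password", SSID "IEEE"), and runs a small offline dictionary attack against a constructed wordlist. A real attacker verifies each guess against the MIC in a captured 4-way handshake rather than against the PSK directly; that step is omitted here and does not change the cost, which is the PBKDF2 work per guess.

```python
import hashlib
import time
from typing import Iterable, Optional

# Known-answer vector from IEEE 802.11i (Annex H): passphrase "password", SSID "IEEE".
IEEE_TEST_PSK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal pre-shared key: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits.

    The passphrase and the SSID are the only inputs, so the PSK (and every
    session key derived from it) is fixed for the life of the passphrase.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def crack_psk(target: bytes, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: derive the PSK for each guess and compare.

    Simplification: a real attacker compares against the handshake MIC, not the
    PSK itself; that extra HMAC is cheap, so the PBKDF2 call here is the cost.
    """
    for guess in candidates:
        if wpa2_psk(guess, ssid) == target:
            return guess
    return None


def guesses_per_second(ssid: str = "IEEE", samples: int = 25) -> float:
    """Single-core throughput of this machine; GPU crackers run far faster."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_psk(f"candidate{i}", ssid)
    return samples / (time.perf_counter() - start)


def years_to_exhaust(space_size: float, rate: float) -> float:
    """Worst-case time to try every passphrase in a search space at `rate` guesses/s."""
    return space_size / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    assert wpa2_psk("password", "IEEE").hex() == IEEE_TEST_PSK
    # Constructed wordlist; real attacks use lists of millions of leaked passwords.
    wordlist = ["letmein", "welcome1", "password", "sunshine"]
    print("recovered passphrase:", crack_psk(wpa2_psk("password", "IEEE"), "IEEE", wordlist))
    rate = guesses_per_second()
    print(f"{rate:.0f} guesses/s on this CPU")
    for label, space in [("8 lowercase letters", 26 ** 8),
                         ("4 random Diceware words", 7776 ** 4),
                         ("20 random printable characters", 95 ** 20)]:
        print(f"{label:32} {years_to_exhaust(space, rate):.3g} years to exhaust")
```

The 4096-round PBKDF2 was chosen in 2004 to slow guessing, but it is a fixed cost that commodity GPUs now pay hundreds of thousands of times per second, so the only variable the network owner controls is the size of the search space, i.e. passphrase length.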
Information Security Best Practices
- Use a biometric fingerprint reader for your laptop computer.
- Use good configuration management practices for all client devices (patches, anti-malware, host firewall, periodic vulnerability scans to verify).
- Use "thin client" methods where possible (applications and data live on a secure server, not on the client computer).
- Use removable USB thumb drives to store sensitive information in encrypted form. This reduces exposure to threats on the computer, and the encryption protects the data if the drive itself is lost or stolen.
Information Security – Bank Accounts
- OPSEC (operations security): monitor and balance your monthly bank statements. Check for errors, overdraft charges, and transfers.
- Balance your checkbook and savings accounts on a daily basis (i.e. Gesa Call 24).
- Guard your passwords and account numbers: memorize them instead of writing them on a Post-It Note hidden under the computer keyboard.
- Discrepancies: contact the bank immediately.
- Shred all checkbook and savings account receipts (i.e. identity theft).
- Mail all bills and birthday cards containing checks at the post office instead of from your personal mailbox. Business and personal mailboxes are vulnerable to theft, and the ink on a stolen check can be erased and the check rewritten.
Information Insecurity - Attacks
- E-mail: the Nigerian scam. "Please send me your bank account number, and I will deposit a large sum of money in your account."
- Phishing (Gesa, eBay) by e-mail or telephone call. Many of the e-mail messages carry the correct company logo and appear legitimate (i.e. the U.S. DOE MSC announcement). Check the e-mail address for accuracy.
- Rule of thumb: if an e-mail or telephone message asks for account details, contact your bank or credit card company yourself using the number on your card or statement. Do not use the telephone number provided in the message, and do not provide any information to the caller.
- Train your employees and family members in case of an attack.
- Vulnerability: everyone. Easy targets: the elderly and students.
- Trojans (Internet, e-mail): infiltrate your computer and send your business and personal information to the sender (i.e. Downloader).
- Worms (Internet, e-mail): spread on their own from machine to machine without any action by the user and can carry the same data-stealing payload.
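An added Python example (not code from the original presentation) that applies the checks from the e-mail and phishing slides to a constructed message: compare the sender's domain with the domains you expect, flag look-alike domains such as example.org standing in for example.com or examp1e.com with a digit for a letter, flag a Reply-To that points somewhere else, and flag executable or double-extension attachments. TRUSTED_DOMAINS, the extension list and both sample messages are assumptions chosen for the example; the attachment body is a few bytes of an executable header, not a real program.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List, Optional

# Domains this organisation expects mail from (assumption for the example).
TRUSTED_DOMAINS = {"example.com"}

# Extensions Windows runs directly; "statement.pdf.exe" still ends in one of these.
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                        ".vbs", ".js", ".jar", ".hta", ".ps1", ".msi"}

# Digits that attackers substitute for look-alike letters in domain names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (plain dynamic-programming table)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, trusted: str) -> Optional[str]:
    """Explain why `domain` imitates `trusted`, or None if it is trusted or unrelated."""
    if domain == trusted or domain.endswith("." + trusted):
        return None
    d_label, _, d_tld = domain.rpartition(".")
    t_label, _, t_tld = trusted.rpartition(".")
    if d_label == t_label:
        return f"same name, different top-level domain (.{d_tld} vs .{t_tld})"
    d_norm = d_label.translate(HOMOGLYPHS).replace("rn", "m")
    t_norm = t_label.translate(HOMOGLYPHS).replace("rn", "m")
    if levenshtein(d_norm, t_norm) <= 1:
        return f"name {d_label!r} is a near-match for {t_label!r}"
    return None


def check_message(raw: str, trusted=TRUSTED_DOMAINS) -> List[str]:
    """Return human-readable findings for a raw RFC 822 message; empty means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    for t in trusted:
        reason = lookalike(domain, t)
        if reason:
            findings.append(f"sender {addr}: {reason}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To {reply} goes to a different domain than From")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        suffix = ("." + name.rpartition(".")[2]) if "." in name else ""
        if suffix in DANGEROUS_EXTENSIONS:
            findings.append(f"attachment {name!r} is executable")
        elif name.count(".") > 1:
            findings.append(f"attachment {name!r} has a double extension")
    return findings


# Constructed sample messages, not real mail.
PHISH = """\
From: "Example Bank Alerts" <alerts@example.org>
Reply-To: <verify@mailbox-relay.net>
To: customer@example.com
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary42"

--boundary42
Content-Type: text/plain; charset="us-ascii"

Please open the attached statement and confirm your account number today.
--boundary42
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--boundary42--
"""

CLEAN = """\
From: "Example Bank Alerts" <alerts@example.com>
To: customer@example.com
Subject: Your monthly statement is ready
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Log in at the address printed on your statement to view it.
"""

if __name__ == "__main__":
    for label, raw in [("phish", PHISH), ("clean", CLEAN)]:
        print(label, check_message(raw) or ["no findings"])
```

The display name ("Example Bank Alerts") is deliberately ignored: it is free text the sender chooses, which is why the slides tell you to read the address itself.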
Information Security - Computers
- Guard your computer passwords: memorize them. Do not give anyone your passwords.
- Lock your computer when leaving your desk: Ctrl+Alt+Del, then Lock Computer (or Windows key + L).
- The screen saver locks the computer after ten minutes of inactivity.
- Keep your office door closed and locked when you are away from the building.
Best Practices
- Keep the system patched.
- Use anti-virus and anti-spyware.
- Run with least privilege: use a non-administrator account for daily work.
- Use due diligence (there is no magic bullet).
- As the global economy continues to falter, the number of cyber attacks will increase.