
The key to security awareness is embedded in the word security.


Presentation Transcript


  1. The key to security awareness is embedded in the word security. U - R - IT SEC--Y

  2. Welcome! The University of Arizona Security Awareness Series

  3. Workshop Guidelines It’s O.K. to: • Participate actively • Ask questions • Have fun • Learn and teach others • Disagree • Be open to others’ ideas • Try, risk and make mistakes • Think unconventionally, creatively • Tell stories that support Security Awareness

  4. Agenda • Password construction and maintenance • Social engineering • Incident Response - what and how to report a breach

  5. Current Situations How would your behavior change if your wallets, homes, and mailboxes could be accessed from around the world, the way our computers can?

  6. Universal Access… • There are an estimated 304 million people with internet access • All 304 million of them can communicate with your U of A connected computer • Any of the 304 million can rattle the door to your computer to see if it's locked

  7. Opportunities for Abuse… • To break into a safe, the safe cracker needs to know something about safes. • To break into a computer, the computer cracker only needs to know where to download a program written by someone else who knows something about computers. • Such programs are freely available all over the net.

  8. How Can the Situation Affect You?… • A compromised computer gives the attacker access to all accounts, keystrokes, and data on it; captured account and keystroke information can then be used to access other resources • Operational difficulties • Email and documents • Financial transactions • Identity theft • Criminal use of your computer

  9. …Available Options… Eliminate access • If the bad guys can't get to the computers, they can't break in • Networks were created to communicate • Freedom to communicate is paramount in an academic community • Nothing short of "no access" will provide 100% security

  10. Why AWARENESS? • We can't protect ourselves from a threat very well if we're not aware of it • Nobody can do it for us • Our security depends upon our behavior, unless we're willing to give up some of that freedom

  11. What is Security Awareness? Security awareness is recognizing what types of security issues and incidents may arise and knowing which actions to take in the event of a security breach. Most security incidents can be prevented.

  12. What is Expected of You? During your typical day, you may be exposed to situations where you become aware of an attempt to breach an area of security. You need to be prepared to: Protect, Detect, React

  13. So How Do We Start? Be aware or beware • Know how to identify a potential issue • Use sound judgment • Learn and practice good security habits • Incorporate secure practices into your everyday routine • Encourage others to do so as well • Report anything unusual • Notify the appropriate contacts if you become aware of a suspected security incident

  14. Security Topics Password Construction and Management Social engineering Incident Reporting

  15. Password Construction and Management

  16. Real Life Example The former President of the United States, Bill Clinton, signed into law a bill which authorized and acknowledged electronic signatures on legal documents. As an example, the President also signed the bill electronically, using a smart card and his password. People world-wide watched as he entered the name of his dog “Buddy” as his password.

  17. Password Construction It can't be obvious. That is, it can't exist in a dictionary: every word in an English language dictionary can be tried in minutes. • Using a dictionary word for a password is like using a locker number for its combination. • Attack dictionaries also include names, common misspellings, words with numbers appended, and other commonly used passwords. • The password should have no personal significance to you. • This applies to any dictionary in any language.

  18. On systems that support them, passwords should contain at least one of each of the following characters: • Uppercase letters ( A-Z ) • Lowercase letters ( a-z ) • Numbers ( 0-9 ) • Punctuation  marks ( !@#$%^&*()_+=- )

  19. How, you may ask, am I ever going to remember such a complicated password? Pick a sentence, or a verse in a song, and build the password from it: • Now is the time for all good men = Nitt4agm • I can either eat or buy this $70.00 textbook = Iceeobt$7t • Summertime and the living is easy, Fish are jumping and the cotton is high = S&tlie,Faj&tcih

  20. Password Construction The Vanity Plate • Too late again = 2L8again • Music is for me = MsikS4me • Day after today = dayFter2day

  21. Password Construction Compound Words Words used every day are easy to remember. Spice them up with numbers and special characters. Also, misspell one or both of the words and you'll get a great password. • Deadbolt = Ded&bowlt8 • Blackboard = blaK4borD • Seashore = Seee@SHorr
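As an added example (this code is not from the slides or from the University of Arizona), the script below models the attack slide 17 describes: a small, constructed word list is expanded with the mangling rules real cracking tools apply (case changes, letter-for-symbol substitutions, appended digits and years, trailing punctuation, and the two-word compounds of slide 21), and each example password from slides 16 through 21 is checked for membership in that candidate space. The word list, the rule set, and the test passwords are assumptions chosen for illustration; real attack dictionaries hold millions of entries and far more rules, so anything caught here falls even faster in practice.

```python
import itertools

# Constructed stand-in for a cracking dictionary (real ones hold millions of
# words, names, pet names and previously leaked passwords).
WORDLIST = [
    "password", "buddy", "summer", "arizona", "wildcat",
    "deadbolt", "blackboard", "seashore", "letmein", "football",
]

# Letter-for-symbol substitutions that every rule-based cracker tries.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def case_variants(word):
    """lowercase, Capitalized and UPPERCASE forms of a word."""
    yield word.lower()
    yield word.capitalize()
    yield word.upper()


def leet_variants(word):
    """Full substitution plus each single-letter substitution."""
    yield "".join(LEET.get(c, c) for c in word)
    for letter, symbol in LEET.items():
        if letter in word:
            yield word.replace(letter, symbol)


def mangle(word):
    """Yield the candidates one dictionary word expands into under common rules."""
    bases = set(case_variants(word))
    bases |= {lv for b in list(bases) for lv in leet_variants(b)}
    for b in sorted(bases):
        yield b
        for n in range(100):            # "buddy1", "7buddy", "Summer42"
            yield f"{b}{n}"
            yield f"{n}{b}"
        for year in range(1950, 2010):  # birth years, graduation years
            yield f"{b}{year}"
        for mark in "!?.":              # "Buddy!", "Buddy1!"
            yield f"{b}{mark}"
            yield f"{b}1{mark}"


def candidates():
    """The whole candidate space, each string once, in the order tried."""
    seen = set()
    for word in WORDLIST:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand
    # Compound words (slide 21) are covered too: every ordered pair of words.
    for w1, w2 in itertools.permutations(WORDLIST, 2):
        for cand in case_variants(w1 + w2):
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(password):
    """Return (found, guesses_tried). A real cracker compares hashes rather
    than plaintext; the question here is only whether the password lies
    inside the candidate space at all."""
    tried = 0
    for tried, cand in enumerate(candidates(), start=1):
        if cand == password:
            return True, tried
    return False, tried


if __name__ == "__main__":
    # Constructed test passwords: the President's "Buddy", weak variants of
    # dictionary words, and the mnemonic and misspelled-compound forms.
    for pw in ["Buddy", "buddy1", "Summer2004", "deadboltseashore",
               "Nitt4agm", "Iceeobt$7t", "Ded&bowlt8", "Seee@SHorr"]:
        found, tried = crack(pw)
        verdict = f"cracked after {tried} guesses" if found else "not in candidate space"
        print(f"{pw:18} {verdict}")
```

The point of the run is the split it produces: "Buddy", "buddy1", "Summer2004" and the plain compound "deadboltseashore" are all generated from the ten-word list within a few thousand guesses, while the mnemonic and misspelled-compound passwords from slides 19 to 21 are never generated because no rule derives them from a word. Misspelling, not the added symbols, is what takes a compound word outside the rule set; a capitalized word plus a year or a "1!" suffix is still a dictionary password.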

  22. Password Management We share offices, equipment and ideas. Do not share your password with anyone, anytime! If you ever receive a telephone call from someone claiming to need your password, report it immediately. When you receive technical assistance, enter your password yourself. Do not reveal it.

  23. It's probably safer to store a strong password in a place where someone would have to physically break in than to expose a weak password to 300,000,000 people on the internet. If you absolutely have to, record it in a secure location.

  24. Safeguard Your Strong Password Be careful about typing your password into a strange computer. • Does the computer have anti-virus protection enabled? • Is the owner trustworthy or are they perhaps running a keyboard logger recording your keystrokes? (It has happened). • Who was the last person to use it and what did they run on it?

  25. Be careful about typing your password into a strange program, web site, or server. • Why do they need it? • Are they authorized to ask for it? • A web site on the other side of the country should definitely not be asking for your U of A password. Avoid sending your password over the network whenever possible.

  26. Do not use the same password on an unofficial, entertainment, off-campus, or non-critical service that you use for more critical services. • Pay attention to warnings from your browser or SSH client about problems with certificates or host keys: they mean the server you reached may not be the one you think it is.

  27. Replace Your Strong Password When It Wears Out • If our ATM card gets stolen, we know it. • If our keys get stolen, we'll probably miss them before someone manages to copy and return them.

  28. Unlike keys or ATM cards, passwords don't have to be physically taken to be copied or used, and it is unlikely we'll know they've been compromised. Once they're compromised, they can be transferred all over the world in the blink of an eye. Until someone uses the password, we won't know it. Most of us won't know even when it is used, unless some fairly drastic action is taken with our account(s).

  29. How Often? • Any password can be guessed if given enough time. • It is important to change your password within the amount of time it would take an attacker to guess it. • Change your password before the 60-day window comes to an end.
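As a second added example (not from the slides), the script below works through slide 29's rule with numbers: it sizes the search space an attacker must cover for a given password, assuming the attacker knows only which of slide 18's character classes the password draws on, and checks whether exhausting that space takes longer than the 60-day change window at two constructed guess rates. Both rates are assumptions for illustration, not measurements: roughly 10 guesses per second against a rate-limited login form, and roughly 10 billion per second against a stolen file of fast, unsalted hashes on commodity GPUs.

```python
import string

# Character classes from slide 18; an attacker who knows the policy knows these.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

ROTATION_DAYS = 60          # the change window slide 29 refers to

# Assumed guess rates (orders of magnitude chosen for illustration).
RATES = {
    "online, rate-limited login form": 10.0,
    "offline, stolen fast-hash file":  1e10,
}


def charset_size(password):
    """Alphabet size the attacker must cover: the union of the classes that
    actually appear in the password. Raises on an empty password or on a
    character outside the allowed classes, since the estimate would be wrong."""
    if not password:
        raise ValueError("empty password")
    size = 0
    for cls in CLASSES:
        if any(ch in cls for ch in password):
            size += len(cls)
    if any(not any(ch in cls for cls in CLASSES) for ch in password):
        raise ValueError("password contains characters outside the allowed classes")
    return size


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time to try every string of this length over this alphabet."""
    return charset_size(password) ** len(password) / guesses_per_second


def outlives_rotation(password, guesses_per_second, days=ROTATION_DAYS):
    """True if the attacker cannot exhaust the space before the window ends."""
    return seconds_to_exhaust(password, guesses_per_second) > days * 86400


def report(password):
    """Per-rate (days to exhaust, outlives window) verdicts for one password."""
    return {
        label: (seconds_to_exhaust(password, rate) / 86400,
                outlives_rotation(password, rate))
        for label, rate in RATES.items()
    }


if __name__ == "__main__":
    # Constructed inputs: slide 16's "Buddy", slide 19's mnemonic, slide 21's compound.
    for pw in ["Buddy", "Nitt4agm", "Ded&bowlt8"]:
        print(f"{pw}: alphabet {charset_size(pw)}, length {len(pw)}")
        for label, (days, ok) in report(pw).items():
            print(f"  {label:32} {days:>14.2f} days  "
                  f"{'outlives' if ok else 'falls within'} the {ROTATION_DAYS}-day window")
```

Two things fall out of the run. Against a rate-limited login form, even "Buddy" takes over a year to exhaust, so the 60-day rule is really aimed at passwords that have already leaked. Against a stolen hash file, an eight-character mixed-class password such as Nitt4agm is exhausted in well under a day, so no calendar window helps; only length does, which is why "Ded&bowlt8" (ten characters over all four classes) holds out for decades at the same rate. This is the reasoning behind current guidance (NIST SP 800-63B), which favors long passwords, screening against breached-password lists and changing a password when compromise is suspected over forced periodic rotation.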

  30. Most people share passwords to accomplish a business objective or streamline a process. However, all the customary purposes for password sharing can be achieved through other means. Let’s look at a common situation. A PC is shared by multiple employees, sometimes concurrently (job share, shift work, a work process that requires multiple user involvement). With the intention of improving efficiency, co-workers share the same password.

  31. An alternative that provides a balance between production and protection is to: a) use individual passwords, b) toggle between different sessions for each user, and c) invoke your password-protected screensaver before turning your PC over to a co-worker. If you need help in determining options that strike a balance between production and protection, contact bcis@u.arizona.edu, 621-4482 or 626-8232

  32. Social Engineering Can you spot a “Social Engineer” in this group?

  33. Social Engineering To most people this is a new term: A social engineer is a person who will deceive or con others into divulging information that they wouldn’t normally share.

  34. Social Engineering Social engineering is the acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of an inappropriate trust relationship with insiders. The goal of social engineering is to trick someone into providing valuable information or access to that information.

  35. Introduction Social engineering preys on qualities of human nature: • the desire to be helpful • the tendency to trust people • the fear of getting into trouble A truly successful social engineer receives information without raising any suspicion as to what they are doing.

  36. Human-based • Impersonation - case studies indicate that help desks are the most frequent targets of social engineering attacks • Important user - a common ploy is to pretend to be not only an employee, but a vice president

  37. Human-based • Third-party authorization - the social engineer may have obtained the name of someone in the organization who has the authority to grant access to information • Tech support - the social engineer pretends to be someone from the infrastructure-support groups: the system is having a problem, and they need you to log on to test the connection

  38. Human-based • In person - the social engineer may enter the building and pretend to be an employee, guest or service personnel: may be dressed in a uniform, allowed to roam, or become part of the cleaning crew • Dumpster diving • Shoulder surfing

  39. Computer-based • Popup windows - a window appears on the screen telling the user he has lost his network connection and needs to re-enter his user name and password; a program then e-mails the intruder with the information

  40. Computer-based • Mail attachments - programs can be hidden in e-mail attachments: viruses, worms, "I love you"

  41. Computer-based • Spam, chain letters and hoaxes - these all rely on social engineering to be spread, e.g. the sulfnbk.exe or jdbgmgr.exe hoax (a self-inflicted "virus": the message talks the user into deleting a legitimate system file). While they do not usually cause damage, they do cause a loss of productivity and use valuable network resources. • Websites - a common ploy is to offer something free or a chance to win a sweepstakes on a website; to win requires an e-mail address and password. Also used with a 401K come-on.

  42. Recognize the Signs • Refusal to give contact information • Rushing • Name-dropping • Intimidation • Small mistakes • Requesting forbidden information

  43. Recognize the Signs • "I cannot be contacted" • "I'm on my cell phone and the battery is about to die" • The number they give you is a "call out only" number

  44. What can you do? • If someone telephones and asks you for sensitive company, client, or personal data, don't be afraid to ask them a few questions. • Ask for the correct spelling of their name. • Ask for a number where you can return their call. • Ask them why they need this information. • Ask them who has authorized the request and let them know that you will verify the authorization. • Be prepared for the caller to use the name of a person of high authority to achieve their goal.

  45. Remember that passwords are sensitive. The password for your personal account should be known ONLY to you. Systems administrators or maintenance technicians who need to do something to your account will not require your password.

  46. If you feel you have thwarted or perhaps been victimized by an attempt at social engineering, report the incident to your manager and to security personnel immediately

  47. Incident Response When you think of the words protect, detect and react in the realm of security, which areas do you think are the most important to you and to University of Arizona ?

  48. University of Arizona Contacts Report all virus incidents immediately to: • Network Control (security related emergency) - 621-7999 • Information Security - bcis@u.arizona.edu, 621-4482 or 626-8232 • Security Incident Response Team (SIRT) - sirt@arizona.edu, 626-0100 • Additional Resources - http://w3.arizona.edu/~policy

  49. Final Thoughts The best defense against threats and vulnerabilities? • raising the bar of awareness • a sense of personal responsibility to protect yourself and university assets

  50. Final Thoughts Security Awareness mindset : “I understand that there is the potential for some people to deliberately or accidentally steal, damage or misuse the data that is stored within my computer systems and throughout our University. Therefore, it would be prudent of me to support the University by trying to stop that from happening.” SEC--Y U - R - IT
