Information Security Orientation

    1. Information Security Orientation. Luke Chretien, Operations Analysis.

    2. Purpose: to provide UNL business users with security information to help protect individuals, UNL information & assets, and third-party information.

    3. Topics to cover: What is information security? Why practice information security? Physical & logical security safeguards. Where to get more information. What to do next. Summary.

    4. What is Information Security? Management, operational, & technical safeguards designed to satisfy the following business requirements:

    5. Why Practice Information Security? Information security involves a combination of the following to manage security risks: people, processes, technology, and organization. Information security is everyone's job; we cannot rely on technology alone to safeguard our information & systems.
       Notes: People incorrectly believe information security is an IT issue. An organization only achieves adequate information security when people work with technology, processes, & management.

    6. Why Practice Information Security? (continued) Help protect UNL information, computer hardware & software from unauthorized access and from unauthorized modification, damage, or destruction. Help minimize the adverse impact of these incidents on UNL functions, credibility, & revenue, and on UNL-associated third parties.
       Notes: People also incorrectly believe that when they are just checking their email or working on their project they are affecting only themselves. In reality, we are part of the UNL network, so our actions affect not just ourselves and the information we are working on, but also others. Our actions do have consequences for others.

    7. Why Practice Information Security? -- Possible Consequences (table on slide)
       Notes: The Data Types column contains common types of organizational data. Risk/Incident Types are common incidents that could occur to the Data Types in the left column. Possible Consequences are the common consequences when an incident occurs (e.g., legal liability, reputational damage, loss of business, disruption of business).

    8. Why Practice Information Security? -- Possible Consequences (continued)
       Notes: If medical records are modified without authorization (e.g., medication list or condition altered), the safety of the patient could be jeopardized.

    9. Why Practice Information Security? -- Possible Consequences (continued)

    10. Why Practice Information Security? -- Possible Consequences (continued)

    11. Why Practice Information Security? -- Costs of Breaches. 2009 US organizational costs, per Ponemon Institute:
       Notes: Average cost of $204 = $8 (detection & escalation) + $15 (notification) + $46 (ex-post response/legal defense) + $135 (lost business). Legal defense costs have seen the greatest growth in the past five years. Data breaches involving lost or stolen laptops are more expensive than other incidents: $225 compared to $192. Education institutions reported three percent turnover of customers resulting directly from data breaches. Lost business could also be lost research contracts.

    12. Physical Security Safeguards: equipment access; environmental; media & output; portable devices.
       Notes: These safeguards are all interconnected; they support each other.

    13. Physical Security: Equipment Access Safeguards
       Do not: lend your building keys or access cards to others.
       Do: keep your work area secure (e.g., lock the door when away); protect your keys & access cards; identify & escort non-resident individuals when they are around sensitive equipment or data.
       Notes: The goal is to manage physical access: keep unauthorized individuals from accessing the computer and information.

    14. Physical Security: Equipment Access Safeguards (continued)
       Do (continued): lock your computer when you are away for a short period (e.g., break, meeting, lunch). Windows: Ctrl + Alt + Delete, or Windows Key + L. Macs: Name → Login Window. Log off or shut down computers when gone for an extended period (e.g., overnight, weekend, vacation).
       Notes: An unlocked computer lets anyone access it to do unauthorized things. To configure the Mac locking feature, go to System Preferences | Accounts | Login Options | Turn on Fast User Switching, with a password enabled.

    15. Physical Security: Environmental Safeguards
       Do not: smoke, eat, or drink around computers.
       Do: keep computers clean & dust-free; use a surge protector with your computer to manage power surges/spikes; use an uninterruptible power supply (UPS) with your computer to facilitate a graceful shutdown after power loss.
       Notes: Individuals can do the following to reduce the amount of dust: limit the amount of paper around a computer; wipe the computer; buy a keyboard cover & shell for laptops.

    16. Physical Security: Media & Output Safeguards
       Do: lock the following away when not in use: printed reports, work papers, or logs that contain confidential or sensitive information; media (e.g., USB storage devices, CDs, DVDs) containing sensitive information. Position your computer monitor so information is not easily viewed by individuals passing by.
       Notes: Some organizations have a clean desk policy, which requires individuals to lock materials away at the end of the work day.

    17. Physical Security: Media & Output Safeguards (continued)
       Do (continued): remotely access sensitive information via a secure network connection (e.g., VPN) instead of carrying it or placing it on a public service (e.g., Google Docs); keep media away from environmental hazards (e.g., magnetic fields, heat, direct sunlight); destroy unneeded media & output in a secure manner (e.g., shred documents, CDs, DVDs; hammer USB storage devices).

    18. Physical Security: Portable Device Safeguards. Examples: laptops, tablets, smart phones, portable storage devices. Secure these devices when not in use, whether at the office, at home, or on the road; when storing them in a car, lock them in the trunk; on an airplane, never check them in luggage. Use password authentication, encryption, & remote tracking software whenever possible.
       Notes: Ponemon Institute estimates 800K data-sensitive devices are lost or stolen each year. Two examples of remote tracking software are the Find My iPhone/iPad app and Absolute Software's LoJack for Laptops.

    19. Physical Security: Portable Device Safeguards (continued). USB flash drives were the vehicle for recent high-profile international security incidents (e.g., Stuxnet, Conficker, agent.btz, WikiLeaks).
       Do not: pick up & use a discovered USB device; insert an unknown USB flash drive in your computer; trade USB flash drives.
       Do: run an antivirus scan on each USB flash drive you use; use an encrypted flash drive whenever possible.
       Notes: Stuxnet: computer worm targeted at industrial equipment (e.g., Siemens control systems) (2010). Conficker: computer worm targeting MS operating systems; UK Ministry of Defence and Manchester City Council infected (2009). agent.btz: malware breach that affected the US Central Command network, headquarters & combat zones (2008). WikiLeaks: 400 thousand documents on military operations in Iraq & Afghanistan (2010).

    20. Logical Security Safeguards: user IDs & passwords; information & systems access; backups; malware (i.e., computer viruses & spyware) management; email; Web browsing; incident response.
       Notes: The next group of slides will cover these seven security safeguards.

    21. Logical Security: User IDs & Passwords. Next-to-last line of defense. Passwords should be easy to remember but hard to guess: long & complex (i.e., a mixture of letters, numbers, & symbols). Short, non-complex passwords can be quickly compromised via a brute force attack (an attempt to crack every combination of letters, numbers, & characters) or a dictionary attack (a focused attack using lists of the most common passwords, names, & words).
       Notes: The user is the last line of defense.

    22. Logical Security: User IDs & Passwords (continued). How long & complex? (table on slide)
       Notes: Literature recommends passwords longer than the traditional 6–8 characters, due to the greater processing power available in computers.

    23. Logical Security: User IDs & Passwords (continued). Avoid passwords that are easy to guess, for example: dictionary words; easy-to-guess sequences; words spelled backwards, common misspellings, & abbreviations; personal information; your user name.

    24. Logical Security: User IDs & Passwords (continued). Good practices: use a 12+ character, complex passphrase; or use a 6–7 character, complex mnemonic and repeat it 2–3 times. Example: PrN2Ll0dPRNTL!od (16 characters). University of Nebraska Password Generator at https://csn.nebraska.edu/password-generator.html. Other suggestions at http://is.unl.edu/protectyourself/password.shtml. Microsoft password strength checker at https://www.microsoft.com/protect/fraud/passwords/checker.aspx?WT.mc_id=Site_Link
       Notes: A mnemonic is a word, sentence, or song that helps people remember something.
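The "avoid" list on slide 23 and the length and complexity advice on slides 21 to 24 can be turned into a simple self-check. The following is an added example written for this transcript; it is not code from the presentation, UNL, or any of the linked password tools. The word list, the keyboard runs, and the sample user name `jdoe` are constructed stand-ins; a real deployment would use a full common-password list. It flags dictionary words (forwards and backwards), ascending or descending sequences, keyboard runs, personal information such as the user name, short length, and too few character classes. The slide 24 example passphrase passes all checks.

```python
# Added example: a weak-password self-check modelled on the slide 23 "avoid" list.
# COMMON_WORDS is a constructed mini list standing in for a real dictionary/common-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "husker", "nebraska",
                "monkey", "dragon", "football", "summer"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "qwertz", "azerty")
MIN_LENGTH = 12          # slide 24: 12+ character passphrase
MIN_CLASSES = 3          # letters (upper and lower), digits, symbols


def character_classes(pw):
    """Count how many of lower, upper, digit, symbol appear in pw."""
    classes = 0
    classes += any(c.islower() for c in pw)
    classes += any(c.isupper() for c in pw)
    classes += any(c.isdigit() for c in pw)
    classes += any(not c.isalnum() for c in pw)
    return classes


def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive characters stepping by +1 or -1
    in code-point order, e.g. '1234', 'abcd' or 'dcba'."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def assess_password(pw, personal_info=()):
    """Return a list of findings; an empty list means none of the slide's
    'easy to guess' patterns were detected."""
    findings = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        findings.append("fewer than three character classes")
    for word in sorted(COMMON_WORDS):
        if word in low:
            findings.append(f"contains dictionary word '{word}'")
        if word[::-1] in low:                     # words spelled backwards
            findings.append(f"contains reversed dictionary word '{word}'")
    if has_sequence(pw):
        findings.append("contains an easy-to-guess sequence")
    if any(run in low for run in KEYBOARD_RUNS):
        findings.append("contains a keyboard run")
    for item in personal_info:                    # user name, birth year, ...
        if item and len(item) >= 3 and item.lower() in low:
            findings.append(f"contains personal information '{item}'")
    return findings


if __name__ == "__main__":
    # 'jdoe' is a constructed sample user name.
    for candidate in ("Husker1234!", "drowssap2024", "PrN2Ll0dPRNTL!od"):
        result = assess_password(candidate, personal_info=["jdoe"])
        print(candidate, "->", result or "no findings")
```

The check is deliberately conservative: a passphrase that repeats a complex mnemonic, as slide 24 recommends, is not penalised for the repetition, because the repeated block itself is already outside the dictionary and sequence patterns.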

    25. Logical Security: User IDs & Passwords (continued). Have different sets of passwords for personal & work accounts; this reduces the risk of all accounts being compromised. Never share your user ID & password; you may be liable for the actions of impostors. Avoid typing your user ID & password on public computers (e.g., kiosks); a compromised computer could steal your user ID & password.

    26. Logical Security: User IDs & Passwords (continued). Regularly change passwords. Immediately change your password if you suspect others have learned it. Secure your passwords.
       Notes: Examples of password wallets: KeePass, Roboform, 1Password Pro, eWallet, Safe, mSecure. This table states the traditional view that an individual should never write down a password. However, as individuals accumulate longer and more complex passwords, they may be forced to use password wallets.

    27. Logical Security: Information & Systems Access
       Do not: share sensitive information with any individual unless that individual is authorized & has a need for the information.
       Do: lock your computer when away for a short period (e.g., break, meeting, lunch). Windows: Ctrl + Alt + Delete, or Windows Key + L. Macs: Name → Login Window.

    28. Logical Security: Information & Systems Access (continued)
       Do (continued): log off or shut down computers when gone for an extended period (e.g., overnight, weekend, vacation); use a secure remote access connection (e.g., VPN) to access sensitive information; talk to your IT desktop manager about the feasibility of encrypting sensitive information on your computer.

    29. Logical Security: Backups. Back up critical files to manage the risk of system failure, theft, & loss.
       Notes: Windows machines have the Windows Backup Utility. Macintosh machines have Time Machine backup software.

    30. Logical Security Practices: Malware Management. Malware is a continuous threat.
       Do: have antivirus software installed, functioning, & configured to automatically receive updates; run a full scan with the latest virus definitions.
       Notes: The periodicity of a full scan is related to the risk that a computer experiences. The greater the risk to a computer, the more often it should be scanned.

    31. Logical Security Practices: Malware Management (continued)
       Do (continued): scan the following, using approved UNL antivirus software, before using: all computer media & portable devices; all files downloaded from the Internet & file transfer sites; all files attached to email. Keep operating system & application software updated with the latest version, service pack, & patches. Good practice: configure for automatic update.
       Notes: You should scan files downloaded from the Internet because they may contain malware.

    32. Logical Security Practices: Malware Management (continued)
       Do (continued): use a firewall to manage inbound & outbound traffic; talk with your IT desktop manager about disabling Autorun to stop virus transmission.
       Do not: download any software without knowing what it is & without approval.
       Notes: Autorun is a Windows utility that enables media & devices to launch programs by use of commands listed in an autorun.inf file. Be careful when downloading software, since you may be downloading vulnerable software or malware.

    33. Logical Security: Email. Email is a source of spam & phishing.
       Do not: open email, email attachments, or download files if you do not know the sender or if the To & Cc fields are empty (it is safer to delete; disable the Preview pane to prevent automatic opening); reply to email or pop-ups that request personal or financial information.
       Notes: To disable the Preview pane in Lotus Notes, click View → Preview Pane → uncheck Show Preview.

    34. Logical Security: Email (continued)
       Do not (continued): call the phone number on emails that ask you to update an account (do call the number on your financial statement or Web site); email personal or financial information; click on a link in an email (type the full address in the Web browser instead); reply to spam or try to opt out from spam.

    35. Logical Security: Email (continued)
       Do: run anti-virus software with current virus definitions. Beware of spoofing: if you know the sender but are not expecting the email, be careful. Inspect the contents of the domain name, subject, & message. If it is too good to be true, it probably is. If in doubt, call the person who sent you the email before taking action.
       Notes: To view source code in Lotus Notes, open the email → click View → Show → Page Source.

    36. Logical Security: Email (continued)
       Do (continued): try to send & receive email in plain text instead of HTML. Use your UNL email address for business purposes; use a Web-based email address for personal emails (e.g., newsletters, coupons).
       Notes: Use of the UNL email address for business is consistent with the Acceptable Use policy and reduces the cost of mail stores & filtering. To send plain text emails via Lotus Notes, click File → Preferences → User Preferences → Mail → Internet → select Plain Text only. Per Microsoft (2010): "If you are concerned that a virus or some other type of malicious script could execute through HTML or through Microsoft Outlook Rich Text Format (RTF), you can use the Read all standard mail in plain text option to display all standard e-mail messages in plain text format. The Read all standard mail in plain text option is for display purposes only. The original e-mail message is not converted to plain text format." Per About.com: "Sure, using fancy formatting in emails is nice, and all these stationery (for Outlook Express) and letter (for IncrediMail) creations are fascinating. But not everybody can or wants to receive rich text messages. Some email programs are not capable of rendering the HTML used for rich formatting in email messages. Others try, but fail miserably (or crash), rendering your message inaccessible to the recipient. Other recipients have email clients that can properly render HTML messages, but despise rich formatting in email for various reasons (purity of the medium, bandwidth issues, security and privacy among others). When in Doubt, Send Plain Text Email, Not Fancy HTML. So, whenever you are not sure a recipient appreciates email communication using rich and fancy HTML formatting, send plain text emails by default, especially if you have not previously talked to the recipient."
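Slides 33 to 36 give several warning signs of a phishing message: empty To & Cc fields, a sender you do not know, a request for personal or financial information, and a link whose visible address does not match where it actually points (which is why the slides say to type the address yourself). As an added example, not code from the presentation or from UNL, the following Python reads one raw message with the standard library and reports which of those signs it finds. The two sample messages, the sender addresses, and the `.test`/`example.edu` domains are constructed for the demonstration; the list of sensitive phrases is a small illustrative set.

```python
# Added example: report the slide 33-36 phishing indicators found in a raw email message.
import email
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases a legitimate sender should not be asking for by email (illustrative set).
SENSITIVE_REQUESTS = ("password", "account number", "social security",
                      "credit card", "verify your account")

# Constructed address book of people you actually correspond with.
KNOWN_SENDERS = {"colleague@example.edu", "helpdesk@example.edu"}


class _LinkAndTextParser(HTMLParser):
    """Collects (href, visible text) pairs and all visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []          # list of [href, visible text]
        self.text_parts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._current is not None:
            self._current[1] += data


def _host(url_or_text):
    """Lower-cased hostname of a URL or of bare text that looks like a domain."""
    candidate = url_or_text.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", candidate, re.I):
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def phishing_indicators(raw_message, known_senders):
    """Return a list of human-readable warning signs found in one RFC 822 message."""
    msg = email.message_from_string(raw_message)
    indicators = []

    # Slide 33: empty To & Cc fields (the recipient was hidden in Bcc or is absent).
    if not msg.get("To", "").strip() and not msg.get("Cc", "").strip():
        indicators.append("To and Cc fields are empty")

    # Slide 33: sender is not someone you know.
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    if sender not in {s.lower() for s in known_senders}:
        indicators.append(f"sender not in known contacts: {sender}")

    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    parser = _LinkAndTextParser()
    parser.feed(body)                      # plain text passes through as visible text
    visible = " ".join(parser.text_parts).lower()

    # Slides 33-34: requests for personal or financial information.
    asked = [p for p in SENSITIVE_REQUESTS if p in visible]
    if asked:
        indicators.append("requests personal or financial information: " + ", ".join(asked))

    # Slide 34: visible link text names one site while the href goes elsewhere.
    for href, text in parser.links:
        shown = _host(text) if re.search(r"[\w-]+\.[a-z]{2,}", text, re.I) else ""
        actual = _host(href)
        if shown and actual and shown != actual:
            indicators.append(f"link text shows '{shown}' but points to '{actual}'")
    return indicators


# Constructed sample messages (not real mail).
SAMPLE_MESSAGE = """From: "Account Services" <alerts@example-bank-security.test>
To:
Cc:
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account has been suspended. Please verify your password and account number within 24 hours.</p>
<p><a href="http://login.example-bank-security.test/verify">https://www.examplebank.test/login</a></p>
</body></html>
"""

BENIGN_MESSAGE = """From: colleague@example.edu
To: me@example.edu
Subject: Agenda
Content-Type: text/plain

The meeting moved to 3pm; the agenda is on the intranet.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(name, "->", phishing_indicators(raw, KNOWN_SENDERS) or "no indicators")
```

None of these checks proves a message is phishing on its own; the slides' advice still applies, which is to call the sender on a number you already have before acting.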

    37. Logical Security: Email (continued). Many phishing examples are at phishing@listserv.unl.edu & http://is.unl.edu/phishing/

    38. Logical Security: Web Browsing
       Do not: cache passwords or save form information; click links in pop-up windows (close pop-up windows by clicking the X icon).
       Do: type the Web site address yourself if you are going to enter personal information; click No on untrusted ActiveX components, or block them completely; consider using one browser (e.g., IE, Firefox) for financial transactions & another browser for general Web surfing.
       Notes: Using two browsers reduces exposure if one browser is exploited.

    39. Logical Security: Web Browsing (continued)
       Do (continued): talk with your IT desktop administrator about browser security; configure your browser to keep updated with the latest patches; configure browser security (e.g., set it to detect unauthorized downloads, turn on the Phishing Filter); use a non-Administrator account when browsing the Web, and only use the Administrator account when installing software.

    40. Logical Security: Incident Response. You may be the victim of a security incident if you experience the following: your computer has applications your administrator or you did not install; you see pop-up ads when you are not browsing the Web; your email Sent folder has strange emails you did not send; extreme computer slowness; odd computer behavior; unexpected changes to your desktop; event logs or alerts showing an incident; information you are working on appears on an unauthorized Web site.
       Notes: Even if you practice good security, things happen, so you should be aware of the symptoms of infections.

    41. Logical Security: If an Incident Occurs. Disconnect your computer from the network or Internet. Notify your IT desktop administrator & supervisor immediately (good practice: notify them even if the malware was quarantined or deleted by antivirus software). Provide them summary information: day & time of the incident; what you were doing; what information you were working on. Sensitive information could be at risk of compromise.
       Notes: Leave the computer turned on, but disconnect it from the network or Internet.

    42. Logical Security: If an Incident Occurs (continued). If your machine was compromised & you believe: change passwords on all online accounts from a trusted computer.

    43. Where to Get More Information. UNL Information Services Security Web sites: http://security.unl.edu/ & http://is.unl.edu/protectyourself/ (security good practices; links to resources). UNL computer use policies: http://www.unl.edu/ucomm/compuse/. UNL listserv: http://listserv.unl.edu/ (has several security lists to subscribe to). Your IT desktop manager. Your supervisor.

    44. Where to Get More Information (continued). If you want to learn more: iTunes U > University of Nebraska - Lincoln > UNL Extension eTech Tips (specific free podcasts); UNL Virtual Training Company (VTC), Fundamentals of Computer Security free course.

    45. What to Do Next. Bookmark & read the UNL computer use policies and the UNL Security Web site practices & resources. Discuss department security practices with your department IT desktop manager & supervisor. Sign up for security alerts at the UNL listserv or RSS feeds. Follow the security safeguards.

    46. Summary. Information security is everyone's job: it increases protection of information, computer hardware & software, and minimizes the adverse impact of security incidents. There are a number of physical & logical security safeguards you can follow to ensure confidentiality, integrity, and availability. If you have any questions, please ask.

    47. Supplemental Slides

    48. Types of Malware (table on slide)

    49. Why Practice Information Security? -- Costs of Breaches. Other costs: potential for increased oversight; damage to reputation; permanent inclusion in Web-based privacy breach databases (Privacy Rights Clearinghouse, DataLossDB).

    50. Logical Security: User IDs & Passwords (continued). Examples of time to compromise via brute force attack (table on slide).
       Notes: This slide shows the results of a 2010 brute force attack. Note that it takes longer to compromise longer passwords. Due to increases in processing power, literature recommends individuals use a password that can withstand 1–2 years of brute force attacks. Sophos and Microsoft are now recommending a password length of at least 14 characters.

    51. Logical Security: User IDs & Passwords (continued)
       Notes: This is another example of the results of a 2010 brute force attack. Note that it takes a longer time to compromise longer, complex passwords. Due to increases in processing power, literature recommends individuals use a password that can withstand 1–2 years of brute force attacks. Sophos & Microsoft are now recommending a password length of at least 14 characters.
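The brute-force tables on slides 22, 50 and 51 are not reproduced in the transcript, but the arithmetic behind them is simple: an attacker who tries every combination has to cover alphabet_size ** length guesses, so each extra character multiplies the work by the alphabet size, and the "withstand 1–2 years" recommendation translates into a minimum length for a given guess rate. The following is an added example, not code from the presentation or its sources; the guess rate of 10**9 per second is an assumed round figure for illustration, not a number from the slides, and the alphabet sizes are the standard ASCII class counts.

```python
# Added example: brute-force keyspace and time-to-exhaust estimates behind the
# "longer passwords take longer to compromise" point on slides 22, 50 and 51.
SECONDS_PER_YEAR = 365.25 * 24 * 3600          # 31,557,600

# Alphabet sizes for common character-class mixes (ASCII).
ALPHABETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "upper + lower": 52,
    "upper + lower + digits": 62,
    "all printable ASCII": 95,
}

ASSUMED_GUESSES_PER_SECOND = 10**9   # assumption for illustration, not from the slides


def keyspace(length, alphabet_size):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time to try every password of this length and alphabet."""
    return keyspace(length, alphabet_size) / guesses_per_second


def minimum_length_to_survive(years, alphabet_size, guesses_per_second):
    """Smallest length whose full keyspace cannot be exhausted within `years`
    at the given guess rate (the slides' 'withstand 1-2 years' criterion)."""
    budget = years * SECONDS_PER_YEAR * guesses_per_second
    length = 1
    while keyspace(length, alphabet_size) < budget:
        length += 1
    return length


def describe(seconds):
    """Human-readable duration for a table."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    rate = ASSUMED_GUESSES_PER_SECOND
    print(f"Worst-case time to exhaust the keyspace at {rate:,} guesses/second (assumed):")
    for name, size in ALPHABETS.items():
        row = "  ".join(f"{describe(seconds_to_exhaust(n, size, rate)):>14}"
                        for n in (6, 8, 10, 12, 14))
        print(f"{name:>24}: {row}")
    print()
    for name, size in ALPHABETS.items():
        need = minimum_length_to_survive(2, size, rate)
        print(f"{name:>24}: at least {need} characters to withstand 2 years")
```

The table makes the slides' two points visible at once: adding characters helps far more than adding character classes (each extra character multiplies the work by the whole alphabet size), and the length that survives two years of guessing depends directly on the guess rate you assume, which is why the recommended minimum has grown over time.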

    52. Logical Security: User IDs & Passwords (continued). Examples of common compromised passwords (table on slide).
       Notes: This slide shows the five most commonly used passwords that were disclosed during five data breaches.

    53. Logical Security: User IDs & Passwords (continued). Example of time to compromise passwords via dictionary attack. Analysis of the 2009 RockYou compromise of 32 million passwords revealed: (table on slide). This equates to 1,000 accounts compromised in 17 minutes.
       Notes: This example shows it does not take long to compromise passwords.