1. Information Security Orientation
Luke Chretien, Operations Analysis
2. Purpose
To provide UNL business users with security information to help protect:
Individuals
UNL information & assets
Third-party information
3. Topics to Cover What is information security?
Why practice information security?
Physical & logical security safeguards
Where to get more information
What to do next
Summary
4. What is Information Security?
Management, operational, & technical safeguards designed to satisfy the following business requirements:
5. Why Practice Information Security?
Information security involves a combination of the following to manage security risks:
People
Processes
Technology
Organization
Information security is everyone's job
We cannot rely on technology alone to safeguard our information & systems.
1. Why should you practice information security?
People incorrectly believe information security is an IT issue
An organization only achieves adequate information security when people work with technology, processes, & management
6. Why Practice Information Security? (continued)
Help protect UNL information, computer hardware & software from
Unauthorized access
Unauthorized modification, damage, or destruction
Help minimize the adverse impact of these incidents on
UNL functions, credibility, & revenue
UNL-associated third parties
1. People also incorrectly believe that when they are just checking their email or working on their project they are affecting only themselves.
In reality, we are part of the UNL network. Thus, our actions affect not just ourselves and the information we are working on, but also others.
Our actions do have consequences for others.
7. Why Practice Information Security? -- Possible Consequences
Data Types: common types of organizational data
Risk/Incident Types: common incidents that could occur to the Data Types in the left column
Possible Consequences: common consequences when an incident occurs (e.g., legal liability, reputational damage, loss of business, disruption of business)
8. Why Practice Information Security? -- Possible Consequences (continued)
1. If medical records are modified without authorization (e.g., medication list or condition altered), the safety of the patient could be jeopardized
9. Why Practice Information Security? -- Possible Consequences (continued)
10. Why Practice Information Security? -- Possible Consequences (continued)
11. Why Practice Information Security? -- Costs of Breaches
2009 US organizational costs, per Ponemon Institute:
Average cost of $204 = $8 (detection & escalation) + $15 (notification) + $46 (ex-post response/legal defense) + $135 (lost business)
Legal defense costs have seen the greatest growth in the past five years
Data breaches involving lost or stolen laptops are more expensive than other incidents: $225 compared to $192.
Education institutions reported three percent turnover of customers resulting directly from data breaches. Lost business could also be lost research contracts.
12. Physical Security Safeguards
Equipment access
Environmental
Media & output
Portable devices
1. These safeguards are all interconnected. They support each other.
13. Physical Security Equipment Access Safeguards
Do not
Lend your building keys or access cards to others
Do
Keep work area secure (e.g., lock door when away)
Protect your keys & access cards
Identify & escort non-resident individuals when they are around sensitive equipment or data
1. Goal is to manage physical access: keep unauthorized individuals from accessing the computer and information
14. Physical Security Equipment Access Safeguards (continued)
Do (continued)
Lock computer when you are away for a short period (e.g., break, meeting, lunch)
Windows: Ctrl + Alt + Delete, or Windows Key + L
Macs: Name > Login Window
Log Off or Shut Down computers when gone for an extended period (e.g., overnight, weekend, vacation)
An unlocked computer lets anyone access it to do unauthorized things
To configure the Mac locking feature, go to System Preferences | Accounts | Login Options | Turn on Fast User Switching with password enabled
15. Physical Security Environmental Safeguards
Do not
Smoke, eat, or drink around computers
Do
Keep computers clean & dust-free
Use a surge protector with your computer to manage power surges/spikes
Use an uninterruptible power supply (UPS) with your computer to facilitate graceful shutdown after power loss
1. Individuals can do the following to reduce the amount of dust: limit the amount of paper around a computer; wipe the computer; buy a keyboard cover & shell for laptops
16. Physical Security Media & Output Safeguards
Do
Lock the following away when not in use:
Printed reports, work papers, or logs that contain confidential or sensitive information
Media (e.g., USB storage devices, CDs, DVDs) containing sensitive information
Position your computer monitor so information is not easily viewed by individuals passing by
1. Some organizations have a clean desk policy, which requires individuals to lock materials away at the end of the work day.
17. Physical Security Media & Output Safeguards (continued)
Do (continued)
Remotely access sensitive information via a secure network connection (e.g., VPN) rather than carrying it or placing it on a public service (e.g., Google Docs)
Keep media away from environmental hazards (e.g., magnetic fields, heat, direct sunlight)
Destroy unneeded media & output in a secure manner (e.g., shred documents, CDs, DVDs; hammer USB storage devices)
18. Physical Security Portable Device Safeguards
Examples: laptops, tablets, smart phones, portable storage devices
Secure these devices:
When not in use
At office, home, or on the road
When storing in a car, lock them in the trunk
On an airplane, never check them in luggage
Use password authentication, encryption, & remote tracking software whenever possible
Ponemon Institute estimates 800K data-sensitive devices are lost or stolen each year.
Two examples of remote tracking software are the Find My iPhone/iPad app and Absolute Software's LoJack for Laptops
19. Physical Security Portable Device Safeguards (continued)
USB flash drives
Vehicle for recent high-profile international security incidents (e.g., Stuxnet, Conficker, agent.btz, WikiLeaks)
Do not
Pick up & use a discovered USB device
Insert an unknown USB flash drive in your computer
Trade USB flash drives
Do
Run an antivirus scan on any USB flash drive you use
Use an encrypted flash drive whenever possible
Stuxnet: computer worm targeted at industrial equipment (e.g., Siemens control systems) (2010)
Conficker: computer worm targeting the MS operating system; UK Ministry of Defence & Manchester City Council infected (2009)
agent.btz: malware breach that affected the US Central Command network, headquarters & combat zones (2008)
WikiLeaks: 400 thousand documents on military operations in Iraq & Afghanistan (2010)
20. Logical Security Safeguards
User IDs & passwords
Information & systems access
Backups
Malware (i.e., computer viruses & spyware) management
Email
Web browsing
Incident response
1. The next group of slides will cover these seven security safeguards
21. Logical Security User IDs & Passwords
Next-to-last line of defense
Passwords should be easy to remember but hard to guess
Should be long & complex (i.e., a mixture of letters, numbers, & symbols)
Short, non-complex passwords can be quickly compromised via
Brute force attack: attempts every combination of letters, numbers, & characters
Dictionary attack: focused attack using lists of the most common passwords, names, & words
1. User is the last line of defense
22. Logical Security User IDs & Passwords (continued)
How long & complex?
Literature recommends passwords longer than the traditional 6 to 8 characters. This is due to the greater processing power available in computers
23. Logical Security User IDs & Passwords (continued)
Avoid passwords that are easy to guess. For example:
Dictionary words
Easy-to-guess sequences
Words spelled backwards, common misspellings, & abbreviations
Personal information
Your user name
24. Logical Security User IDs & Passwords (continued)
Good practices:
Use a 12+ character, complex passphrase
Use a 6- to 7-character, complex mnemonic; repeat it 2 to 3 times
Example: PrN2Ll0dPRNTL!od (16 characters)
University of Nebraska Password Generator at https://csn.nebraska.edu/password-generator.html
Other suggestions at http://is.unl.edu/protectyourself/password.shtml
Microsoft password strength checker at https://www.microsoft.com/protect/fraud/passwords/checker.aspx?WT.mc_id=Site_Link
1. A mnemonic is a word, sentence, or song that helps people remember something
25. Logical Security User IDs & Passwords (continued)
Have different sets of passwords for personal & work accounts
Reduces risk of all accounts being compromised
Never share your user ID & password
You may be liable for the actions of imposters
Avoid typing your user ID & password on public computers (e.g., kiosks)
A compromised computer could steal your user ID & password
26. Logical Security User IDs & Passwords (continued)
Regularly change passwords
Immediately change your password if you suspect others have learned it
Secure your passwords
Examples of password wallets: KeePass, Roboform, 1Password Pro, eWallet, Safe, mSecure
This table states the traditional view that an individual should never write down a password. However, as individuals accumulate longer and more complex passwords, they may be forced to use password wallets.
27. Logical Security Information & Systems Access
Do not
Share sensitive information with any individual unless that individual is authorized & has a need for the information
Do
Lock computer when away for a short period (e.g., break, meeting, lunch)
Windows: Ctrl + Alt + Delete, or Windows Key + L
Macs: Name > Login Window
28. Logical Security Information & Systems Access (continued)
Do (continued)
Log Off or Shut Down computers when gone for an extended period (e.g., overnight, weekend, vacation)
Use a secure remote access connection (e.g., VPN) to access sensitive information
Talk to your IT desktop manager about the feasibility of encrypting sensitive information on your computer
29. Logical Security Backups
Back up critical files to manage the risk of system failure, theft, & loss
1. Windows machines have the Windows Backup Utility
2. Macintosh machines have Time Machine backup software
30. Logical Security Practices Malware Management
Malware is a continuous threat
Do
Have antivirus software installed, functioning, & configured to automatically receive updates
Run a full scan with the latest virus definitions
1. The periodicity of a full scan is related to the risk that a computer experiences. The greater the risk to a computer, the more often it should be scanned.
31. Logical Security Practices Malware Management (continued)
Do (continued)
Scan the following, using approved UNL antivirus software, before using:
All computer media & portable devices
All files downloaded from the Internet & file transfer sites
All files attached to email
Keep operating system & application software updated with the latest version, service pack, & patches
Good practice: Configure for automatic update
1. You should scan files downloaded from the Internet because they may contain malware.
32. Logical Security Practices Malware Management (continued)
Do (continued)
Use a firewall to manage inbound & outbound traffic
Talk with your IT desktop manager about disabling Autorun to stop virus transmission
Do not
Download any software without knowing what it is & without approval
Autorun: Windows utility that enables media & devices to launch programs by use of commands listed in an autorun.inf file
Be careful when downloading software, since you may be downloading vulnerable software or malware.
33. Logical Security Email
Source of spam & phishing
Do not
Open email, email attachments, or download files if you do not know the sender or if the To & Cc fields are empty
Safer to delete
Disable the Preview pane to prevent automatic opening
Reply to email or pop-ups that request personal or financial information
1. To disable the Preview pane in Lotus Notes, click View > Preview Pane > uncheck Show Preview
34. Logical Security Email (continued)
Do not (continued)
Call the phone number on emails that ask you to update an account
Do call the number on your financial statement or Web site
Email personal or financial information
Click on links in email
Type the full address in your Web browser instead
Reply to spam or try to opt out from spam
35. Logical Security Email (continued)
Do
Run anti-virus software with current virus definitions
Beware of spoofing. If you know the sender but are not expecting the email, be careful
Inspect the contents of the domain name, subject, & message
If it's too good to be true, it probably is
If in doubt, call the person who sent you the email before taking action
1. To view source code in Lotus Notes, open the email > click View > Show > Page Source
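Two of the slide's checks made mechanical, as an added example (not from the UNL deck): does the From display name claim a domain the real address does not have (spoofing), and does a link's visible text show one domain while its href goes to another. The two sample messages are constructed; `.example` is a reserved TLD and `unl-edu-login.example` is an invented look-alike.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Host part of a URL or bare domain, lower-cased and without a leading 'www.'."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def looks_like_domain(text):
    """True when the link text itself reads as a domain or URL (what the reader thinks they click)."""
    text = re.sub(r"^https?://", "", text.strip().lower())
    return re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?", text) is not None


def audit_email(raw_message):
    """Return a list of findings; an empty list means nothing on the slide's checklist tripped."""
    msg = message_from_string(raw_message)
    findings = []

    # Spoofing check: a display name that names a domain the real address does not use.
    name, addr = parseaddr(msg.get("From", ""))
    addr_domain = addr.rsplit("@", 1)[-1].lower()
    for claimed in re.findall(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", name):
        if host_of(claimed) != addr_domain:
            findings.append(f"From name mentions {claimed} but address is @{addr_domain}")

    # Link check: visible text shows one domain while the href goes somewhere else.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
        collector = _LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            if looks_like_domain(text) and host_of(text) != host_of(href):
                findings.append(f"link text {text} actually points to {host_of(href)}")
    return findings


# Constructed sample messages (not real mail).
PHISH = """\
From: "UNL Help Desk (unl.edu)" <support@unl-edu-login.example>
To: user@unl.edu
Subject: Urgent: verify your account
Content-Type: text/html

<p>Your mailbox is full. Visit <a href="http://unl-edu-login.example/verify">https://my.unl.edu/account</a>
within 24 hours to keep access.</p>
"""

CLEAN = """\
From: "UNL Information Services" <security@unl.edu>
To: user@unl.edu
Subject: Phishing examples
Content-Type: text/html

<p>Examples are at <a href="http://is.unl.edu/phishing/">is.unl.edu/phishing</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(label, audit_email(sample) or ["no findings"])
```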
36. Logical Security Email (continued)
Do (continued)
Try to send & receive email in plain text rather than HTML
Use your UNL email address for business purposes. Use a Web-based email address for personal emails (e.g., newsletters, coupons)
1. Use of the UNL email address for business is consistent with the Acceptable Use policy. Reduces the cost of mail stores & filtering
To send plain text emails via Lotus Notes, click File > Preferences > User Preferences > Mail > Internet > select Plain Text only
Per Microsoft (2010): "If you are concerned that a virus or some other type of malicious script could execute through HTML or through Microsoft Outlook Rich Text Format (RTF), you can use the Read all standard mail in plain text option to display all standard e-mail messages in plain text format. The Read all standard mail in plain text option is for display purposes only. The original e-mail message is not converted to plain text format."
Per About.com: "Sure, using fancy formatting in emails is nice, and all these stationery (for Outlook Express) and letter (for IncrediMail) creations are fascinating. But not everybody can or wants to receive rich text messages. Some email programs are not capable of rendering the HTML used for rich formatting in email messages. Others try, but fail miserably (or crash), rendering your message inaccessible to the recipient. Other recipients have email clients that can properly render HTML messages, but despise rich formatting in email for various reasons (purity of the medium, bandwidth issues, security and privacy among others). When in Doubt, Send Plain Text Email, Not Fancy HTML. So, whenever you are not sure a recipient appreciates email communication using rich and fancy HTML formatting, send plain text emails by default, especially if you have not previously talked to the recipient."
37. Logical Security Email (continued)
Many phishing examples are at phishing@listserv.unl.edu & http://is.unl.edu/phishing/
38. Logical Security Web Browsing
Do not
Cache passwords or save form information
Click links in pop-up windows. Close pop-up windows by clicking the X icon
Do
Type the Web site address yourself if you are going to enter personal information
Click No on untrusted ActiveX components, or block them completely
Consider using one browser (e.g., IE, Firefox) for financial transactions & another browser for general Web surfing
1. Using two browsers reduces exposure if one browser is exploited
39. Logical Security Web Browsing (continued)
Do (continued)
Talk with your IT desktop administrator about browser security
Configure browser to keep updated with the latest patches
Configure browser security (e.g., set to detect unauthorized downloads, turn on Phishing Filter)
Use a non-Administrator account when browsing the Web
Only use the Administrator account when installing software
40. Logical Security Incident Response
You may be the victim of a security incident if you experience the following:
Computer has applications your administrator or you did not install
See pop-up ads when you are not browsing the Web
Email Sent folder has strange emails you did not send
Extreme computer slowness
Odd computer behavior
Unexpected changes to your desktop
Event logs or alerts showing an incident
Information you are working on appears on an unauthorized Web site
1. Even if you practice good security, things happen. So you should be aware of the symptoms of infection.
41. Logical Security If Incident Occurs
Disconnect your computer from the network or Internet
Notify your IT desktop administrator & supervisor immediately
Good practice: Notify them even if malware was quarantined or deleted by antivirus software
Provide them summary information:
Day & time of incident
What you were doing
What information you were working on
Sensitive information could be at risk of compromise
1. Leave the computer turned on, but disconnect it from the network or Internet.
42. Logical Security If Incident Occurs (continued)
If your machine was compromised & you believe
Change passwords on all online accounts from a trusted computer
43. Where to Get More Information
UNL Information Services Security Websites: http://security.unl.edu/ & http://is.unl.edu/protectyourself/
Security good practices
Links to resources
UNL computer use policies: http://www.unl.edu/ucomm/compuse/
UNL listserv: http://listserv.unl.edu/
Has several security lists to subscribe to
Your IT desktop manager
Your supervisor
44. Where to Get More Information (continued)
If you want to learn more:
iTunes U > University of Nebraska - Lincoln > UNL Extension eTech Tips
Specific free podcasts
UNL Virtual Training Company (VTC)
Fundamentals of Computer Security free course
45. What to Do Next
Bookmark & read
UNL computer use policies
UNL Security Web site practices & resources
Discuss department security practices with your department IT desktop manager & supervisor
Sign up for security alerts at the UNL listserv or RSS feeds
Follow security safeguards
46. Summary
Information security is everyone's job
Increases protection of information, computer hardware & software
Minimizes adverse impact of security incidents
There are a number of physical & logical security safeguards you can follow to ensure
Confidentiality
Integrity
Availability
If you have any questions, please ask
47. Supplemental Slides
48. Types of Malware
49. Why Practice Information Security? -- Costs of Breaches
Other costs
Potential for increased oversight
Damage to reputation
Permanent inclusion in Web-based privacy breach databases
Privacy Rights Clearinghouse
DataLossdb
Average cost of $204 = $8 (detection & escalation) + $15 (notification) + $46 (ex-post response/legal defense) + $135 (lost business)
Legal defense costs have seen the greatest growth in the past five years
Data breaches involving lost or stolen laptops are more expensive than other incidents: $225 compared to $192.
Education institutions reported three percent turnover of customers resulting directly from data breaches.
50. Logical Security User IDs & Passwords (continued)
Examples of time to compromise via brute force attack
This slide shows the results of a 2010 brute force attack. Note that it takes a longer time to compromise longer passwords.
Due to increases in processing power, literature recommends individuals use a password that can withstand 1-2 years of brute force attacks.
Sophos and Microsoft are now recommending a password length of at least 14 characters
51. Logical Security User IDs & Passwords (continued)
This is another example of the results of a 2010 brute force attack. Note that it takes a longer time to compromise longer, complex passwords.
Due to increases in processing power, literature recommends individuals use a password that can withstand 1-2 years of brute force attacks.
Sophos & Microsoft are now recommending a password length of at least 14 characters
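The password advice of slides 21-24 and the brute-force arithmetic behind slides 50-51, put into one check as an added example (not from the UNL deck): the avoid list (dictionary word, reversed word, sequence, user name, personal information), the 14-character and 3-class recommendations, and the size of the keyspace a brute-force attack must cover. The common-word list and the rate of 10^9 guesses per second are assumptions, not figures from the deck's tables.

```python
import re
import string

# Constructed stand-in for the "lists of most common passwords, names, & words" a
# dictionary attack uses; a real list would be far longer.
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome", "nebraska", "husker"}

# Character classes the slides call complexity: letters (upper/lower), numbers, symbols.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def char_classes(password):
    """Names of the character classes actually used in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def is_sequence(password):
    """Runs such as 'abcdef' or '654321' (either direction) count as easy-to-guess sequences."""
    s = password.lower()
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def weak_password_reasons(password, username="", personal=()):
    """Reasons from the slide-23 'avoid' list; an empty list means none applied."""
    low = password.lower()
    letters_only = re.sub(r"[^a-z]", "", low)   # a '0' or '!' bolted on does not hide a word
    reasons = []
    if low in COMMON_WORDS or letters_only in COMMON_WORDS or letters_only[::-1] in COMMON_WORDS:
        reasons.append("dictionary word or common password (possibly reversed)")
    if is_sequence(password):
        reasons.append("easy-to-guess sequence")
    if username and username.lower() in low:
        reasons.append("contains user name")
    for item in personal:
        if item.lower() in low:
            reasons.append(f"contains personal information ({item})")
    return reasons


def brute_force_years(password, guesses_per_second=1e9):
    """Years to try every combination over the classes the password uses (the full keyspace a
    brute-force attack must cover). The guess rate is an assumption, not a figure from the deck."""
    alphabet = sum(len(CLASSES[name]) for name in char_classes(password))
    keyspace = alphabet ** len(password)
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def assess(password, username="", personal=(), min_length=14, survive_years=2):
    """Combine the checks: 14+ characters (slides 50-51), 3+ classes, the avoid list, and whether
    the keyspace withstands `survive_years` of guessing at the assumed rate."""
    problems = weak_password_reasons(password, username, personal)
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(char_classes(password)) < 3:
        problems.append("not complex: fewer than 3 character classes")
    years = brute_force_years(password)
    if years < survive_years:
        problems.append(f"full keyspace searchable in {years:.3g} years at 1e9 guesses/s")
    return {"length": len(password), "classes": sorted(char_classes(password)),
            "brute_force_years": years, "problems": problems}


if __name__ == "__main__":
    # The deck's own mnemonic example beside two weak choices (user name and hobby are constructed).
    for pw in ("PrN2Ll0dPRNTL!od", "Password1", "Husker2010"):
        print(pw, assess(pw, username="jdoe", personal=("husker",)))
```

Note that Husker2010 survives years of pure brute force yet still fails, which is the point of slide 53: a dictionary attack does not need the full keyspace.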
52. Logical Security User IDs & Passwords (continued)
Examples of common compromised passwords
1. This slide shows the five most commonly used passwords that were disclosed during five data breaches.
53. Logical Security User IDs & Passwords (continued)
Example of time to compromise passwords via dictionary attack
Analysis of the 2009 RockYou compromise of 32 million passwords revealed:
This equates to 1,000 accounts compromised in 17 minutes
1. This example shows it does not take long to compromise passwords.