Cyber SecurityValerie MercerSummer 2012

What is Cyber Security?Cyber security involves protecting information by

preventing, detecting, and responding to attacks.

http://www.us-cert.gov/cas/tips/ST04-001.html

True or False?The first virus was created in 1986. Its origin is in Pakistan, and its creators are still around today.

True or False?Phishing was a fad of the 1990s. With the rise of Google, the fad has faded.

True or False?Geotagging is a way to geographically locate a picture’s origin through the code in that picture.

True or False?Keylogger is a game played through xBOX Kinect.

True or False?The password “badhairday” is an outstanding password example. It’s so exemplary that you should share it with friends so that they can use it, too.

What can you do?

Recognize RisksEducate Yourself and Your Students

Stay Protected

Remember, YOUR information IS on the Internet….

• www.browsys.com/finder/index.php

• www.peekyou.com • www.pipl.com• www.spokeo.com• www.tineye.com• www.123people.com• http://www.melissadata.com/lo

okups/index.html

WayBackMachine• Visit www.archive.org. You will see

“waybackmachine” and a text box with “http://” near the center of the page. Type ‘www.yahoo.com’ (or another website of your choice) in the textbox and click on the button that says “Take Me Back”.

• Remember: What got put on the internet in the 1990s? It is still out there…

Why is it important to remember that the internet is public?

• Never anonymous!• Easy to forget that there are ways to find out

about others.• We’re comfortable, so we adopt practices that

make us vulnerable.• Once it is online, it can be accessed by a world

of strangers, and you have no idea what they might do with that information.

TED Presentation Yesterday’s Viruses and Tomorrow’s Viruseshttp://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net.html

Also consider: TED Presentation Three Types of Online Attacks http://www.ted.com/talks/mikko_hypponen_three_types_of_online_attack.html

Publishing Info on the Internet• View the internet as a magazine, not a diary - Make sure you

are comfortable with anyone seeing the information you put online.

• Be careful what you advertise – Personal information is available online, especially because people are creating personal web pages with information about themselves.

• Realize that you can't take it back - Once you publish something online, it is available to other people and to search engines. You can change or remove information after something has been published, but it is possible that someone has already seen the original.

Spam, Spam Everywhere• Don't give your email address out arbitrarily !• Check privacy policies - Before submitting your email address online, look

for a privacy policy. • Be aware of options selected by default - When you sign up for some

online accounts or services, there may be a section that provides you with the option to receive email about other products and services.

• Use filters - Many email programs offer filtering capabilities that allow you to block certain addresses or to only allow email from addresses on your contact list. Some ISPs offer spam "tagging" or filtering services, but legitimate messages misclassified as spam might be dropped before reaching your inbox.

• Report messages as spam - Most email clients offer an option to report a message as spam or junk. If your has that option, take advantage of it. Reporting messages as spam or junk helps to train the mail filter so that the messages aren't delivered to your inbox.

Spam, Spam Everywhere• Don't follow links in spam messages - If you click a link within an

email message or reply to a certain address, you are just confirming that your email address is valid.

• Disable the automatic downloading of graphics in HTML mail - Many spammers send HTML mail with a linked graphic file that is then used to track who opens the mail message—when your mail client downloads the graphic from their web server, they know you've opened the message.

• Consider opening an additional email account – Use a gmail or hotmail or other “free” account for online purchasing or correspondence with those you don’t know.

• Don't spam other people - Some people consider email forwards a type of spam, so be selective with the messages you redistribute.

What is a phishing attack?• Phishing attacks use email or malicious websites to solicit

personal information by posing as a trustworthy organization.

• Phishing attacks may appear to come from organizations such as charities. Attackers often take advantage of current events and certain times of the year, such as…– natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)– epidemics and health scares (e.g., H1N1)– economic concerns (e.g., IRS scams)– major political elections– holidays

How do you avoid being a victim?• Be suspicious of unsolicited phone calls, visits, or email messages from

individuals asking about employees or other internal information. • Don't send sensitive information over the Internet before checking a

website's security. Look for a lock and/or “https” at the front of the web address.

• Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

• If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly.

• Take advantage of any anti-phishing features offered by your email client and web browser.

• Popup blocker – never surf without one!

What do you do if you think you are a phishing attack victim?

• If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators.

• If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.

• Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.

• Watch for other signs of identity theft including bills for products you have never used.

• Consider reporting the attack to the police, and file a report with the Federal Trade Commission (http://www.ftc.gov/).

Proactive CyberSecurity Measures• Do business with reputable companies - Before providing any personal or financial

information, make sure that you are interacting with a reputable, established company. Some attackers may try to trick you by creating malicious web sites that appear to be legitimate, so you should verify the legitimacy before supplying any information .

• Take advantage of security features - Passwords and other security features add layers of protection if used appropriately .

• Check privacy policies - Take precautions when providing information, and make sure to check published privacy policies to see how a company will use or distribute your information.

• Be careful what information you publicize - Attackers may be able to piece together information from a variety of sources. Avoid posting personal data in public forums. Going on vacation? Don’t publish that on Facebook!

• Use and maintain anti-virus software and a firewall - Protect yourself against viruses and Trojan horses that may steal or modify the data on your own computer and leave you vulnerable by using anti-virus software and a firewall .

• Be aware of your account activity - Pay attention to your statements, and check your credit report yearly. You are entitled to a free copy of your credit report from each of the main credit reporting companies once every twelve months.

Virus Protection

• Apple versus Microsoft?– It’s a myth that MacIntosh computers don’t

get viruses!• Too much virus protection might not be a

good thing– Yes, you need antivirus software, but you

don’t need three different kinds running simultaneously.

• Got Malware?– You may need a separate program to

protect your device from malware• Don’t forget about all of your devices!

– Cell Phone– Tablet– MP3 Player– Gaming Device

Tools to Know• http://www.howsecureismypassword.net• http://www.grc.com – Click on “shields up” and then run the shields test

and port probe test.– Make sure antivirus is up-to-date first!

• http://privacy.net/analyze– Tests your machine and tells you how much

information you are providing to others

How safe are we?• Cloud computing brings a whole new

dimension to cybersecurity.• Mobile devices bring new possibilities for

hackers.• Google (in data published on June 19 via

http://www.cioinsight.com) indicates that the company is finding approximately 9500 malicious or compromised sites per day.

Geotagging • Lots of names: Location, Places, Check-in-GPS,

GeoNotification, GeoLocation• Way to find your exact location within the code behind a

picture or image.• Social media accounts should be set to the highest “private”

settings available• Disable GPS settings in cameras• Also, remember to check settings of GPS on individual apps.• You can upload photos to http://regex.info/exif.cgi to view

the GPS information.

Social Networking Cyber Security• http://www.fbparents.org This is a great

resource for parents and teachers to use to acclimate to the features of Facebook

• Be cautious about messages you receive on social networking sites that contain links.Links from friends can sometimes contain malware or be part of a phishing attack!

• Use privacy settings on social networking sites - Social networking sites allow you to choose who has access your email address.

Cybersecurity maxims to incorporate into lessons…

• Have sound passwords• Be careful when forwarding email!• Virus Protection – it’s a must!• Malware Protection – you might need a separate

program for that in addition to virus protection.• If you wouldn’t give it to a stranger, then don’t

tell it online• Remember, you create an online activity “tattoo”

that follows you throughout your life.