November 2005 Hal Stepp/Melbourne HS
NETS-T Standards Addressed
I. Teachers demonstrate a sound understanding of technology operations and concepts. Teachers: (A) demonstrate introductory knowledge, skills, and understanding of concepts related to technology (as described in the ISTE National Educational Technology Standards for Students); (B) demonstrate continual growth in technology knowledge and skills to stay abreast of current and emerging technologies.
V. Teachers use technology to enhance their productivity and professional practice. Teachers: (A) use technology resources to engage in ongoing professional development and lifelong learning; (B) continually evaluate and reflect on professional practice to make informed decisions regarding the use of technology in support of student learning; (C) apply technology to increase productivity.
VI. Teachers understand the social, ethical, legal, and human issues surrounding the use of technology in PK–12 schools and apply that understanding in practice. Teachers: (A) model and teach legal and ethical practice related to technology use; (D) promote safe and healthy use of technology resources; (E) facilitate equitable access to technology resources for all students.
Objectives
• You will understand that computer security is important, especially for teachers!
• You will learn how to create and safeguard effective passwords.
• You will learn how to detect and counter “social engineering” attacks.
• You will learn how to defend against malicious software attacks.
Overview
• Is Security an Issue?
• Physical Security
  – Esp. Passwords!
• Behavioral Security
  – Social Engineering
• System Security
  – “Malware”
• Review
• Resources
The Problem in a Nutshell
• Computers don’t LOOK like a threat, so people don’t associate them with danger.
An Idea to Ponder
• If your computer links you to the world…
• …then it also links the world to YOU!
A Sample of What’s in Computers “Out There”
And, the Holy Grail of Personal Info:
The Real Lesson from Katrina
• People are unwilling to spend money or worry about “possible” threats.
• Most real protective actions are only taken AFTER a major catastrophe has occurred… …when it’s TOO LATE!!!
That’s where we are with computers…
• We are still in the early years of the Info Age
• The perceived threat is LOW
• The actual threat is VERY, VERY HIGH
Symptoms of a Serious Problem
http://www.informationweek.com/story/showArticle.jhtml?articleID=60402074
Symptoms of a Serious Problem
http://www.informationweek.com/showArticle.jhtml;jsessionid=QQXYNNLZFDL1IQSNDBCSKH0CJUMEKJVN?articleID=57702643
Symptoms of a Serious Problem
http://www.informationweek.com/story/showArticle.jhtml?articleID=60401873
Symptoms of a Serious Problem
http://www.informationweek.com/story/showArticle.jhtml;jsessionid=1WJUEBQ0ZLCUWQSNDBCSKHSCJUMEKJVN?articleID=60402295
What’s Happened in 2005?
http://www.privacyrights.org/ar/ChronDataBreaches.htm
“There is no such thing as ‘paranoia’ in a combat zone, only a heightened state of awareness.”
- Murphy’s Laws of Combat
3 Levels of Security:
• In order of importance:
  – Physical
  – Behavioral
  – System
PHYSICAL SECURITY
What’s on YOUR Desktop?
• Grades (GradeQuick)
• Access to Student Info (DSDS)
• Access to Student Records (AS400)
• Access to Employee Pay Info (AS400)
• Access to Your Email
  – And the ability to send email in YOUR name!
• Access to ALL Brevard County Resources
What is Physical Security?
• Denying an attacker PHYSICAL ACCESS to your computer and/or network.
• This is the FIRST and MOST IMPORTANT line of defense!!!
Practicing Physical Security
• Make your PC a “no student zone”.
• Arrange the classroom so that keyboard and screen aren’t visible to students.
• Get to know what’s “normal” on and around your computer.
A Physical Security Lapse…
How he did it…
“Worst Practice”
• Logging in to your computer and walking away from it.
• Like leaving your front door unlocked and open.
  – Not only is your computer at risk, but you’ve allowed complete network access… …in your name!
A “Best Practice”
• Make a habit: lock the computer when you’re away.
  – CTRL + ALT + DEL, then “k” (Lock Computer). Holding the Windows key and pressing L does the same thing.
• All programs will stay running.
• To use your computer again, just log on the way you normally do.
Your Password
• Part of physical security.
• Only YOU are authorized to know it!
  – Your “key” to the school’s computer network.
  – All transactions done using your username & password belong to YOU!
Password “Don’ts”
• If you must write it down, don’t keep it near, at, on, in, or around your desk.
• Don’t use “easy guess” items, such as:
  – Birthdays
  – Your name, or variations on family names
  – English words
A VERY Easy Password
• Your bank PIN = 4 digit number
  – 10 X 10 X 10 X 10 = 10,000 combinations
  – This can be “cracked” almost instantaneously, if you have access to the right software!
Letters: A Little Harder
• 4 letters yield:
  – 26 X 26 X 26 X 26 = 456,976 combinations
  – This is about 46 times more difficult, but still simple for today’s computers.
Letters: Making it Easier
• Problem: Most people use common English words
  – Much smaller subset: 20,000 commonly used*
  – Vulnerable to “Dictionary Attack”
  – 23 times easier to crack than 4 random letters (and only twice as hard as a 4-digit PIN)!
  – Bottom line: using words makes hacking easier!
*http://www.wordorigins.org/number.htm
Anatomy of a Good Password
• At least 8 characters
• Combination of:
  – Letters (upper AND lower case)
  – Numbers
  – “Special Characters”
• NOT English words
• Memorable
  – So you won’t need to write it down!
Notice the Improvement
• 26 + 26 + 10 + 33 = 95 possible characters per position.
• 95 X 95 X 95 X 95 X 95 X 95 X 95 X 95 = 6,634,204,312,890,625 possible combinations!
• Goal: Make it complicated enough to send would-be hackers on to easier targets!
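The arithmetic on the password slides, carried through in code. This is an added example, not part of the original presentation: it computes the keyspaces quoted above (10,000; 456,976; 20,000 words; 95^8), the “46 times” and “23 times” ratios, and then checks a candidate password against the “Anatomy of a Good Password” rules, including the trick of bolting digits and symbols onto a dictionary word. The guess rate, the stand-in word list and the sample passwords are assumptions made up for the example.

```python
"""Keyspace arithmetic from the password slides, plus a checker for the
'Anatomy of a Good Password' rules. Added example; the guess rate, the
stand-in dictionary and the sample passwords are assumptions."""
import string

DIGITS = 10                    # bank PIN: 0-9
LETTERS = 26                   # single-case letters
PRINTABLE = 26 + 26 + 10 + 33  # upper + lower + digits + punctuation = 95
COMMON_WORDS = 20_000          # dictionary size quoted on the slides
GUESSES_PER_SECOND = 10**9     # assumed offline cracking rate, for illustration


def keyspace(alphabet_size, length):
    """Number of distinct strings of `length` symbols from an alphabet."""
    return alphabet_size ** length


def crack_seconds(space, rate=GUESSES_PER_SECOND):
    """Worst case for an attacker who has to try every string in `space`."""
    return space / rate


def strength_ratio(space_a, space_b):
    """How many times larger space_a is than space_b (the slides' 46x and 23x)."""
    return round(space_a / space_b)


def crack_time_table(rate=GUESSES_PER_SECOND):
    """Seconds to exhaust each keyspace discussed on the slides."""
    return {
        "4-digit PIN": crack_seconds(keyspace(DIGITS, 4), rate),
        "4 random letters": crack_seconds(keyspace(LETTERS, 4), rate),
        "one of 20,000 words": crack_seconds(COMMON_WORDS, rate),
        "8 printable characters": crack_seconds(keyspace(PRINTABLE, 8), rate),
    }


# Constructed stand-in for a cracking dictionary; real ones hold millions.
COMMON_DICTIONARY = frozenset({
    "password", "school", "teacher", "welcome", "letmein", "summer", "football",
})
# Undo the substitutions crackers already try: 0->o, 1->i, 4->a, 3->e, $->s, @->a, !->i
LEET = str.maketrans("0143$@!", "oiaesai")


def password_issues(pw, dictionary=COMMON_DICTIONARY, personal=()):
    """Return the 'good password' rules that `pw` breaks (empty list = passes).
    `personal` holds strings an attacker could look up about you: names, dates."""
    issues = []
    if len(pw) < 8:
        issues.append("shorter than 8 characters")
    if not any(c.islower() for c in pw):
        issues.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        issues.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        issues.append("no digit")
    if not any(c in string.punctuation for c in pw):
        issues.append("no special character")
    # Strip bolted-on digits/symbols and undo leet-speak before the word check,
    # so "Welcome1!" and "P@ssw0rd" are still caught as dictionary words.
    core = pw.lower().strip(string.punctuation + string.digits).translate(LEET)
    if pw.lower() in dictionary or core in dictionary:
        issues.append("is a dictionary word, even with digits/symbols bolted on")
    for item in personal:
        if item.lower() in pw.lower():
            issues.append(f"contains personal information: {item!r}")
    return issues


if __name__ == "__main__":
    for name, secs in crack_time_table().items():
        print(f"{name:24s} {secs:>16.6f} s")
    for pw in ("1234", "Welcome1!", "P@ssw0rd", "Tr0ub@dor8&"):
        print(pw, "->", password_issues(pw) or "passes every rule")
```

At the assumed rate the PIN falls in microseconds, the four-letter string in under a millisecond, and the full 95-character, 8-position space takes about 77 days, which is the “send them on to easier targets” effect the slide describes. The checker deliberately undoes leet-speak before the dictionary lookup; “P@ssw0rd” satisfies every character-class rule and is still one of the first guesses a cracking tool makes.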
Make it Memorable!
When to Change Your Password
• Every 90 days
  – New BCPS requirement!
• In case of possible compromise
  – Whenever someone watched with interest as you logged in.
• At the end of each school year.
BEHAVIORAL SECURITY
What is “Social Engineering”?
• The use of psychology to gain unauthorized access to information, a computer, or a computer network.
The Problem
• Most people tend to be:
– Honest
– Law-abiding
– Trusting
– Sympathetic
– Unsuspecting
In Other Words…
Common Features of SE
• Refusal to give contact information.
• Rushing (“hurry or miss the deal”).
• Name-dropping or intimidation.
• In email: misspellings, grammatical errors, odd questions.
• Appealing to GREED.
• Requesting forbidden information.
“Look for things that don’t quite add up.” http://www.securityfocus.com/infocus/1533
Handling SE Attacks in Person…
“Just say no!”
A Common “SE” Attack
• Ever get one of these?
• This is called a “phishing” attack…
• Legitimate businesses NEVER ask for your password or account details by email!
Variation on a “Classic”
http://www.informationweek.com/story/showArticle.jhtml?articleID=60402243
Most Phishing is Foreign…
Shopping/Banking Online…
• NEVER transmit personal information by non-encrypted means!!!
  – Look for https:// in the browser’s address bar.
  – There must also be a “lock” symbol in the bottom right hand corner of the browser window.
IMPORTANT NOTE!
• An encrypted page does NOT guarantee a legitimate business on the other end, BUT…
• …a legitimate business will always have an encrypted page when sensitive information is being handled!
• Click the lock: the certificate should be issued to the business you think you are dealing with, not to some other name.
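The “things that don’t quite add up” checklist and the https:// rule above can be partly automated against an actual message. The following is an added example, not code from the original presentation; the two sample e-mails, the bank name and the list of pressure phrases are constructed for illustration, and 192.0.2.10 is a documentation address. It pulls every link out of an HTML e-mail and flags the classic phishing tells: a link that is not https://, link text that names one site while the href goes to another, a raw IP address or an “@” in the URL, and “hurry or miss the deal” language in the body.

```python
"""Scan an HTML e-mail for the phishing tells listed in the slides.
Added example, not part of the original presentation: the two sample
messages, the bank domain and the phrase list are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure language ("hurry or miss the deal"); assumed list for the example.
URGENCY_PHRASES = (
    "immediately", "within 24 hours", "will be suspended",
    "verify your account", "urgent", "act now",
)
# Visible link text that itself looks like a web address.
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)*\.[a-z]{2,}(/\S*)?")


class MailParser(HTMLParser):
    """Collects the visible text and every <a href> with the text shown for it."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.links = []        # (href, visible text)
        self._href = None
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._href = href
            self._link_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL, '' if there is none."""
    return (urlparse(url).hostname or "").lower()


def link_warnings(href, text):
    """Tells for a single link: its href against the text the reader sees."""
    warnings = []
    target = urlparse(href)
    if target.scheme != "https":
        warnings.append(f"link {href!r} is not encrypted (no https://)")
    if "@" in target.netloc:
        warnings.append(f"link {href!r} hides its real host behind an '@'")
    if target.hostname and target.hostname.replace(".", "").isdigit():
        warnings.append(f"link {href!r} points at a raw IP address")
    shown = text.lower()
    if LOOKS_LIKE_URL.fullmatch(shown):
        if "://" not in shown:
            shown = "http://" + shown
        if host_of(shown) != host_of(href):
            warnings.append(
                f"link text says {host_of(shown)} but goes to {host_of(href)}")
    return warnings


def message_warnings(html_body):
    """All tells found in one message: pressure phrases, then per-link checks."""
    parser = MailParser()
    parser.feed(html_body)
    body = " ".join("".join(parser.text).split()).lower()
    warnings = [f"pressure language: {p!r}" for p in URGENCY_PHRASES if p in body]
    for href, text in parser.links:
        warnings.extend(link_warnings(href, text))
    return warnings


# Constructed samples. 192.0.2.10 is a documentation address, not a real host.
SAMPLE_PHISH = """<p>Dear Customer, your account will be suspended within 24 hours
unless you verify your account at
<a href="http://192.0.2.10/update">www.examplebank.com</a>.</p>"""
SAMPLE_OK = ('<p>Sign in at <a href="https://www.examplebank.com/login">'
             'www.examplebank.com</a>.</p>')

if __name__ == "__main__":
    for label, msg in (("phish", SAMPLE_PHISH), ("legitimate", SAMPLE_OK)):
        print(label, message_warnings(msg) or ["no tells found"])
```

The host comparison is deliberately strict (text “examplebank.com” against an href to “www.examplebank.com” is reported), which errs on the side of a warning. An empty result does not prove a message is genuine; it only means the crude tells are absent, and the certificate behind the lock is still the only thing that says who actually runs the site.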
System Security
System Security
• Hardware / software defenses.
• You have little to do with this at work, but it is VERY important at home!!!
• Includes firewalls, antivirus software, and system updates.
Biggest Threat: “Malware”
• Malicious Code
• Designed to perform functions that are detrimental to you, your computer, your network, or to someone else, using your computer as the offensive agent.
Types of Malware
• Viruses
• Worms
• Trojan Horses
• Blended Threats
• Adware/Spyware
• Spam
Types of Malware
• Virus
  – A piece of code that replicates itself by attaching to another object.
  – Chief objective: self-replication on the host computer.
Bott & Siechert, 295
Types of Malware
• Worm
  – Independent program that copies itself to other computers.
  – Often spread by bogus email attachments.
Bott & Siechert, 295
Types of Malware
• Trojan Horse
  – A program disguised as something harmless that installs a “back door”, allowing someone to remotely examine or control your computer.
Bott & Siechert, 296
Blended Threats
• A “working combination” of virus, worm and/or Trojan Horse code.
• Some of these can be VERY, VERY BAD!
Bott & Siechert, 296
Blended Threat: MyDoom Worm
MyDoom.as/au/bb has common characteristics with other members of the family, including posing as an e-mail system error message, disguising the payload in a variety of file formats (including .zip), and most damaging, depositing a backdoor on the infected PC.
"The variant knocking at the front door is familiar, but it's leaving the backdoor open to something much more sinister," said CA's Curry. "It's creating a zombie network."
The backdoor Trojan opens port 1034 and listens for commands from the controlling hacker.
"This is typical of worms and viruses," said Cluley. "Hackers try to download a backdoor component which they can then use to upload other programs to conduct spam or denial-of-service attacks."
http://www.informationweek.com/story/showArticle.jhtml?articleID=60401800
Adware/Spyware
• Technically not “malware,” but can have the same effect.
• Generally loaded on your computer when you visit certain websites, or click on “pop-up” windows.
• MANY unresolved privacy issues!
“Spam”
• Mass-distributed “junk” email.
• Named after the Monty Python “Spam” skit.
• Malware is frequently distributed by spam!
• NEVER OPEN spam!
• NEVER CLICK links in spam!
• If possible, use rules or a spam filter to auto-delete.
Fighting Back!
#1 – Keep Windows UPDATED
• Weaknesses are continually being discovered in Windows and Internet Explorer.
• Failure to download “patches” = invitation to exploitation.
#2 Make Updates AUTOMATIC
• Set your computer so that updates are automatically downloaded.
• Start > Control Panel > Automatic Updates
• Your school computer does this at night.
  – Leave it running!
#3 Use an Antivirus Program
• On campus, we use McAfee Enterprise.
• If you can see the two “shield” icons in the lower right corner, it’s running.
• Updates are automatic, and slow your computer down a lot while they run!
Antivirus Software – At Home
• NEVER operate a computer online without an antivirus (AV) program!
• Make sure that automatic update is enabled.
• AV software is useless without constant updates!
Why Do You Need a Firewall?
• AV software only watches what comes INTO the computer.
  – Firewalls also monitor what goes OUT.
  – A firewall is your main defense against a Trojan Horse “back door” that the AV missed: it can block the outbound connection the program tries to make to its controller.
Handling Adware/Spyware
• There are several free anti-spyware programs available.
• Example: Spybot Search and Destroy
  – Free for download at home!
  – Updated frequently.
  – “Immunizes” your computer against repeat infection.
• Whatever you choose, use it at least weekly!
http://www.spybot.info/en/index.html
Some General “Best Practices”
• Be VERY careful about visiting Internet sites.
• Never click inside “pop-up” windows; close them from the title bar (or with Alt+F4), not with any button the pop-up itself draws.
• NEVER open attachments or hyperlinks in email from unknown senders.
One More Thing to Think About…
• Hackers seem to HATE Bill Gates and Microsoft products, and in any case they aim at what most people run.
• Most attacks exploit weaknesses in Windows, Internet Explorer and Outlook/Outlook Express.
Get Out of the Bulls-eye!
• Alternative Internet and email programs
• Example: www.mozilla.org
  – Firefox 1.0: “safer” web browser, good pop-up blocking
  – Thunderbird 1.0: email program, excellent spam filter
Review
• Physical security
  – The MOST IMPORTANT level of defense!
  – Make your computer a “no student” zone.
  – Arrange your screen and keyboard so that they can’t be directly observed.
  – Lock your computer when it is unattended, even for just a few minutes.
  – Get used to what’s “normal” in/around your area.
  – Use good passwords:
    • At least 8 mixed characters, not English words, memorable
    • Change regularly or when compromise is likely
Review
• Behavioral Security:
  – “Social Engineering” is a psychological attack on you!
  – Goal is to gain unauthorized access to:
    • Information and/or
    • A computer and/or
    • A computer network.
  – Look for:
    • Requests for forbidden information
    • Things which “don’t quite add up”
Review
• System Security:
  – Keep Windows current with automatic updates!
  – ALWAYS use antivirus software and a firewall
    • Use the automatic update feature
    • Yes, you need to renew the subscription!
  – Find an adware/spyware program you like
    • These also require regular updates
    • Use it frequently as part of your maintenance program
  – Consider non-Microsoft browser & email programs
Review
• “Best Practices”
  – Be VERY careful about the sites you visit on the Internet.
  – NEVER open email attachments from unknown senders.
  – DON’T click on links in email from unknown senders.
If You’d Like to Learn More…
http://melbourne.hs.brevard.k12.fl.us/SteppH/tutorials/security/index.htm
Bibliography/Resources
Bott, Ed, and Carl Siechert. Microsoft Windows Security for Windows XP and Windows 2000 Inside Out. Redmond: Microsoft Press, 2003.
Granger, Sarah. "Social Engineering Fundamentals, Part I: Hacker Tactics." SecurityFocus, 18 Dec 2001. http://www.securityfocus.com/infocus/1527
Granger, Sarah. "Social Engineering Fundamentals, Part II: Combat Strategies." SecurityFocus, 9 Jan 2002. http://www.securityfocus.com/infocus/1533
Identity Theft Resource Center. http://www.idtheftcenter.org/index.shtml
Privacy Rights Clearinghouse. http://www.privacyrights.org/
Spring, Tom. "Spam Wars Rage." PC World (April 2004): 24-25.