TOP TEN (10) SECURITY TIPS
Simple ways to make security easier
Karen McDowell, Ph.D., GCIH
Information Security, Policy, and Records Office
Office Technology Conference 2010
Security Tip #1: Don’t click on unsolicited email messages
If in doubt, telephone the sender
Use the 800 number on the back of your credit or debit card
Check the UVa Security and Suspicious Alerts Page (updated hourly if necessary)
(Image courtesy of Yale University)
Old-Fashioned Trickery or Social Engineering
How shall I trick you? Let me count the ways!
1. Phishing
2. Spear-phishing
3. Vishing
How Do I Identify a Phishing Message?
1. Unsolicited – no reputable financial institution will ask for your personally identifiable information (PII); if someone asks, suspect trouble
2. Timing is a clue, though not always
3. Words or tone of urgency
4. Web page or email message mimics a legitimate commercial or social networking site in almost every detail
Phishing with Masked Web Address
If you clicked on this, you went to the following address:
http://www.virginia.vbedu.net/info/v/
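A small checker for the masked-address trick above, added here as an illustration and not part of the original slides: it parses a URL the way a browser does and compares the real host against an assumed allow-list of trusted domains, so that a look-alike such as www.virginia.vbedu.net is not mistaken for virginia.edu. The allow-list and sample URLs are assumptions for the example.

```python
from urllib.parse import urlsplit

# Domains the reader actually trusts (assumed allow-list for this example).
TRUSTED_DOMAINS = ("virginia.edu",)


def registrable_host(url: str) -> str:
    """Return the hostname a browser would connect to for this URL:
    lowercased, without any 'user@' prefix, port, or trailing dot.
    Returns '' when no host can be found."""
    # Treat a bare 'www.example.edu/path' as an http URL, as browsers do.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""          # drops userinfo and port
    return host.rstrip(".").lower()


def is_trusted(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the host IS a trusted domain or a subdomain of one.
    Matching on a dot boundary means 'virginia.edu.example.net' and
    'notvirginia.edu' fail, and 'www.virginia.edu@evil.example' fails
    because the real host is evil.example, not what the link text shows."""
    host = registrable_host(url)
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


def explain(url: str) -> str:
    """One-line verdict for a link, suitable for a quick manual review."""
    verdict = "trusted" if is_trusted(url) else "NOT trusted"
    return f"{url} -> host {registrable_host(url)!r}: {verdict}"


if __name__ == "__main__":
    # Constructed sample links; the first is the address from the slide.
    for link in (
        "http://www.virginia.vbedu.net/info/v/",
        "http://itc.virginia.edu/security/alerts",
        "http://www.virginia.edu@evil.example/",
        "http://virginia.edu.example.net/",
    ):
        print(explain(link))
```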
(Image courtesy of Yale University)
Spear Phishing: Most Dangerous
Spear phishing is a highly targeted attack directed at specific groups
Addresses members by first name
Conveys a tone of intimacy
Spear phishers also create fake social networking login pages to lure us into sites where we routinely enter PII (personally identifiable information)
Spear phishers have lately been tricking Fortune 500 senior execs who play FarmVille
Spear Phishing Message
(Example message shown in slides)
Attached document contained malware!
http://fret.bio.virginia.edu/icons/ii.html
Why Spear Phishing Works
Success relies upon the details used:
Apparent source is a known, trusted individual, like HR or IT staff
Message information supports its validity
Request has a logical basis
Any time you see anything you think is suspicious, go to the Alerts page at UVa and check whether it has been posted:
http://itc.virginia.edu/security/alerts
(Image courtesy of Yale University)
Security Tip #2: Prepare for Rogue Antivirus, so you know what to do if it hits you
Fake (Rogue) Antivirus (Image courtesy of Indiana University)
RAV: Social Engineering Plague
Rogue Antivirus popups appear to be authentic copies of legitimate Windows screens
RAV tricks users into thinking their computer is infected with viruses, then offers antivirus software to help them clean it
Aggressive use of spam, online ads, and schemes to manipulate search engine results to infect Web users searching for trends, like celebrity foibles, big breaking news, etc.
http://gadgetwise.blogs.nytimes.com/2010/04/15/threat-of-fake-anti-virus-software-grows/
(Example screenshots shown in slides)
What You Can Do
Install and run Malwarebytes (legal on home computer only)
Stop using the computer immediately
Don’t click on any popups!
Turn off wireless, or pull the high-speed line out of the back
This is why we back up often
Security Tip #3: Avoid wireless hotspots, or modify your computer use if you use them
Don’t do anything that requires a password
Don’t log in to your bank or email
The Evil Twin: Wireless Insecurity
Home-made wireless access points masquerade as legitimate hotspots
Fairly easy to create an evil twin with a laptop
Security Tip #4: Use social networking sites like Facebook, LinkedIn, and Twitter very carefully
Facebook Security Issues
• Social network du jour
• Attackers go where we go
• Facebook members greater than population of USA
• Weak passwords or passphrases
• Don’t use third-party applications
• Check for mis-configured or unused privacy settings
Facebook Instant Personalization
Reports that Facebook has once again compromised users’ privacy settings, not only by making the process more complex but by making it an opt-out process instead of opt-in.
Don’t post any information, like announcing you are going on vacation, on your blog or Facebook that could be used by identity thieves to target you, your family or friends, or UVa.
ZDNet, 25 May 2010
Rogue Antivirus and Twitter
Twitter hit with rogue anti-virus scam
A flurry of tweets directed users to a website promising "Best Video"
Appeared to offer content from YouTube, but delivered a document infecting those using vulnerable versions of Adobe's Reader program
Victims then received an urgent warning that their systems were infected and needed cleaning by fraudulent security software
theregister.co.uk, 6/2009
Twitter Security Issues
Link shorteners like TinyURL lead users to unknown destinations, though there’s a fix for this
Vulnerable to phishing attacks: users unwittingly give their passwords to third-party applications
Phishers used Twitter in May 2009: bogus accounts of “hot” women; tiny URLs obfuscated the real sites
gadgetwise.blogs.nytimes.com, 5/2009
Security Tip #5: Protect Smart Phones
Passcode
Enable at least 4 digits, but this also depends upon IT policies
Exceeding the number of allowed password attempts deletes all data
Auto-Lock
Locks the screen after a pre-set period of non-use (consider 30 minutes or less)
Passcode lock enhances auto-lock: by itself auto-lock is not exactly a security feature, but combined with passcode protection it’s essential security
Security Tip #6: Use strong passwords, or try a passphrase if it is easier for you to remember
Create Strong Passwords
A 10-character password is not as hard to remember as you think
Make up a unique sentence, and use the first letter of each word in the sentence
Mix up the capitalization, and add a digit or punctuation mark somewhere
A sentence unique to you might be: “My Chevy’s front muffler leaks too much” for the password “MCfml,t3m”
But don’t accidentally create a word, as in “How older US educators sit” for the password “HoUSes”
Courtesy of Indiana University
Passphrases are just words
Easy to remember: “Mysonjusthitmefor1200dollars”, “AvoidworkonMondaysifyoucan”
Avoid famous sayings or quotes like “give me liberty or give me death”, “to be or not to be”, or “four score and seven years ago”, etc., because attackers make lists of these
Courtesy of Indiana University
Security Tip #7: Update, update, update! Backup, backup, backup!
Update, Update, Update
Secunia.com (home use only)
Macintosh Security Update
Microsoft Automatic Update
Backup, Backup, Backup
Home Directory
External hard drive (these mechanical systems can fail!)
Memory stick (only for short-term storage; drag and drop action)
Security Tip #8: Check your free annual credit report
http://annualcreditreport.com (not freecreditreport.com)
Pull down your credit history, and see what accounts have been opened in your name
Check personal data for accuracy
You will not receive a credit score unless you pay for it
Security Tip #9: Stay on Main Street when using the Internet
Don’t go down any dark alleys
What’s a dark alley on the Internet?
Security Tip #10: Apply the same common sense rules you use in the real world to protect institutional and personal data – ask Ben Bernanke’s wife
Regularly check your computer for sensitive data (back up or remove files)
Use a secure deletion shredder
Use Identity Finder at work