Transcript Slide 1

Computer Security
What is Information Security?
• The protection of the information assets
stored within your computer, against
unauthorized access.
Personal Computer Security
• Theft
– The illegal taking of someone’s property.
• Physical – laptop, desktop
Remedies - LoJack, LaptopCop, and STOP.
• Electronic (hard to trace)
– Password protection, anti-virus, spyware, firewall
• Intellectual – “social engineering”
– Never disclose information to an unknown party
Electronic Theft
• Unauthorized Access - when a person who does not have
permission to connect to or use a computer, gains entry in a manner
unintended by the computer owner.
Responsibility of Users
“Security holes are discovered daily in operating systems and programs. A
secure system today may not be a secure system tomorrow.”
Maintain Operating System
– Stay current on security updates and patches
Check your system for viruses
– Scan your system everyday, and stay current on updates
Block Spyware and Identity Theft
– Keep your information private!
Responsibility of Users (cont.)
Use a correctly configured firewall
– A poorly configured firewall is almost worst than having nothing.
Practice safe computing
– Make sure that if you’re sending sensitive personal information that
your connection is secure (SSL); a closed padlock item appears on
the status bar and the address will start with https:// rather than
http://
– Use passwords to protect access to your PC and do change them
regularly.
– Make frequent back-up copies of your data and store in a safe place.
– DON’T open e-mail attachments if you don't know what's in the
attachment.
Stay involved in protecting your system!!!
Identity Theft
• Failure to be responsible about protecting your PC could
result in horrible loss.
• One online transaction using a debit card is all an attacker
needs.
– Use only credit cards to purchase online.
– ShopSafe® is a free service that allows you to create a
temporary card number each time you make an online
purchase. (Bank of America)
• Always sign-out of any online account after use and always
delete the “cookies” before exiting the web browser.
Wi-Fi SideJacking
SideJacking - the process of sniffing session cookies (which
stores user credentials), then replaying them to clone another
user's web session.
• This technique proves that attackers can not only sniff, but grab, a victim's
online account. i.e.
• The attacker can exploit the victim's previously-established site having the
access to change passwords, post mail messages, download files, or take
any other action offered by that website.
Protection - HotSpotVPN
SideJacking (cont.)
• SideJacking works only if the site catches a non-SSL (nonsecure) cookie, so any Web site that uses SSL exclusively
would be safe from SideJackers…or so we think.
is still vulnerable to SideJacking despite
SSL (being a secure site with a lock in the
bottom corner of the page and begins with https://)
Best Protection
Despite the possibility of still being SideJacked, Enabling the HTTPS
setting in Gmail is your best option. Directions are provided in Handout
Malicious Code
• Deliberate software attacks that occur
when an individual or group designs
software to attack a system
• They are designed to damage, destroy, or
deny service to the systems.
Email Hazards
• Email and attachments have become a
popular way of entrance into one’s
network/computer.
• There are many different methods to
obtaining this access.
Spyware
• Any technology that aids in gather information
about a person or organization without their
knowledge
• It is placed on a computer, gathers the
information, and transfers it back to the offender
• Examples include a tracking cookie which is
placed on the user’s computer to track the
activity on different Web Sites and creates a
detailed profile on them
Viruses
• A computer virus attaches itself to a program or
file enabling it to spread from one computer to
another, leaving infections as it travels
• Like a human virus, a computer virus can range in
severity: Can damage software or files
• Almost all viruses are attached to an executable
file, which means the virus may exist on your
computer but it actually cannot infect your
computer unless you run or open the malicious
program.
Viruses through Attachments
• The most common method of virus
transmission
• Opening e-mail attachment files
• Once opened it can replicate itself and
damage the entire operating system
Worms
• Similar to a virus by design and is considered to
be a sub-class of a virus
• Worms spread from computer to computer, but
unlike a virus, it has the capability to travel
without any human action
• The biggest danger with a worm is its capability
to replicate itself on your system. So it could send
thousands of copies of itself throughout your
system.
Spam
• Unsolicited commercial email.
• More of a nuisance than an attack
• The worst consequences are waste of the
computer and human resources.
Trojan Horse
• The Trojan Horse, at first glance will appear to be
useful software but will actually do damage once
installed or run on your computer
• The results can vary
• known to create a backdoor on your computer
that gives someone access to your system. Can
allow access to personal information.
Back doors
• Use a known or previously unknown and newly
discovered access mechanism to gain access to
a system or network resource.
• Very difficult to detect
• It can be a program installed on a computer .
• It can be entrance obtained by a previous attack
such as a worm.
Sniffers
• A program or device that can monitor data
traveling over a network.
• Can be used to steal information such as
passwords, the data inside files, and
screens full of sensitive data from
applications such as bank information.
Information Extortion
• Occurs when an attacker or trusted insider
steals information from a computer system
and demands something in return for it so
they do not disclose the information.
• Common with Credit Card theft
Password Attacks
• Attempting to reverse-calculate a password is
often called cracking.
• Completed when a copy of the Security Account
manager data file can be obtained
• Brute force attack is the application of computing
and network resources to try every possible
combination of options of a password.
Password Power
Password Power (cont.)
Do you recognize this picture?
You Should
Going Phishing…
Phishing - The attempt to fraudulently acquire sensitive
information by masquerading as a trustworthy person in a
seemingly official communication.
• Each one of these people accepted “Jimmy” as their friend and yet had
no idea who Jimmy was. Nor did they ask questions.
Incriminating Photos/Info
“Dad not going to lie to you. Some of
us are drunk today.”
“DAWSON: To be the best at every
possible thing. Including sex.”
“You know, get a couple of cocktails in me,
start a fire in someone's kitchen. Maybe go
to SeaWorld, take my pants off.”
While this photo looks innocent enough it
tells a lot about the individual. A predator
now knows that Emily is a cheerleader
for Eldorado and has better insight on
how to find her.
Information Gathering
We now know that Emily and Whitney are best friends, and that they
both like to sing in Geissler’s… Lets hear it!
Public Information
Watch Yourself
• Providing personal information to the public (Internet),
any person can maliciously use that content against you
whether for personal gain (identity theft), or intent to act
upon (sexual predator).
• MySpace revealed that 90,000 registered sex offenders
have been kicked off its site in the past two years.
Evidence suggests that a portion of them are now on
Facebook.
• Nearly 10 million Americans a year are victims of identity
theft.
http://www.techcrunch.com/2009/02/03/thousands-of-myspace-sex-offender-refugees-found-on-facebook/
Keep Watching Yourself
• Employers look at Myspace and Facebook
profiles for potential employees.
1) Identifying potential job candidates. Employers may use these
social electronic databases to search for individuals with a
certain level of education, work experience, personal
interests, and/or anything else that might be a company asset.
2) Background checking, where "disqualifying information" may
be available, such as proof of illegal drug use or behavior the
company would consider undesirable in an employee.
http://hubpages.com/hub/How_employers_look_at_Myspace_and_Facebook_pages
Final Thought
• THINK before you ACT.
– Information that is posted about you on the
Internet becomes public, even if this
information is stored on a private profile.
– Become aware of your activity on the Internet
and check for suspicious activity within your
accounts. i.e. Jimmy Smith
– Become a RESPONSIBLE USER!
Resources
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Whitman, Michael E., and Herbert J. Mattord. Principles of Information Security 3rd
Edtion. Printed in Canada, 2009.
http://profile.myspace.com/index.cfm?fuseaction=user.viewProfile&friendID=430629858
http://profile.myspace.com/index.cfm?fuseaction=user.viewProfile&friendID=81714953
http://www.helium.com/items/948377-basic-principles-of-computer-security?page=3
http://www.sysmod.com/free-home-computer-security.htm
http://news.cnet.com/8301-1009_3-10019710-83.html
http://www.washingtonpost.com/wp-dyn/content/article/2007/08/03/AR2007080301956.html
http://www.derkeiler.com/Mailing-Lists/securityfocus/pen-test/2009-02/msg00086.html
http://itmanagement.earthweb.com/secu/article.php/3694671
http://www.techcrunch.com/2009/02/03/thousands-of-myspace-sex-offender-refugees-foundon-facebook/
http://www.spamlaws.com/id-theft-statistics.html
http://hubpages.com/hub/How_employers_look_at_Myspace_and_Facebook_pages
http://arstechnica.com/business/news/2008/02/report-google-mail-vulnerable-to-sidejackingdespite-ssl.ars
http://itmanagement.earthweb.com/secu/article.php/3694671
Resources (cont.)
•
•
•
•
•
•
•
•
•
•
http://www.anchorfree.com/downloads/hotspot-shield/
http://www.hotspotvpn.com/
http://uk.trendmicro-europe.com/consumer/products/housecall_launch.php
http://free.grisoft.com/freeweb.php
http://www.avast.com/eng/free_virus_protectio.html
http://www.lavasoftusa.com/software/adaware/
http://www.stoptheft.com/site/index.php
http://www.laptopcopsoftware.com/
http://www.lojackforlaptops.com/
http://us.trendmicro.com/us/home/