Staying Safe Online - Bucks County Community College
TRANSCRIPT
Staying Safe Online
What’s The Problem?
Global cost of cyber crime in 2016: $445 billion
The typical 10,000 employee company spends $3.7 million per year dealing with phishing attacks
$5.3 Billion (USD) in actual and attempted losses from phishing emails
131 countries have been impacted by phishing scams
91% of compromises start with a phishing email (DHS)
30% of the answers to security questions (Gmail, Yahoo, AOL, Facebook, etc.) are available online (Thompson, 2015)
Most common password is: password123
1/10/2019 2
What’s my Password?
Why Me?
Herbert H. Thompson formulated something he calls “Hackernomics”
Used to describe why people get hacked, and who does it.
A social science concerned with description and analysis of attacker motivations, economics and business risk.
Characterized by five fundamental laws, and eight corollaries.
Hackernomics
Law 1:
◦ Most attackers aren’t evil or insane; they just want something.
◦ Corollary 1.a: We don’t have the budget to protect against evil people, but we can protect against people that will look for weaker targets.
Law 2:
◦ Attackers may attack you; auditors will show up.
◦ Corollary 2.a: Security isn’t about protecting something completely; it’s about reducing a risk at some cost.
◦ Corollary 2.b: In the absence of metrics, we tend to focus on risks that are either familiar or recent.
Hackernomics
Law 3:
◦ Most costly breaches come from simple failures, not from attacker ingenuity.
◦ Corollary 3.a: Bad guys, however, can be very creative if given incentive.
Law 4:
◦ In the absence of security education or experience, people (developers, users, testers, designers) make poor security decisions with technology.
◦ Corollary 4.a: Software needs to be easy to use securely and difficult to use insecurely.
◦ Corollary 4.b: Developers are smart people who want to do the right thing.
Hackernomics
Law 5:
◦ Attackers usually don’t get in by breaching a security mechanism; they leverage functionality in some unexpected way.
◦ Corollary 5.a: Security is as much about making functional code secure as it is about adding security controls.
How?
91% of compromises start with a phishing email (DHS)
What is spear phishing?
◦ Targeted emails
◦ Common cause of data breaches
◦ Sent to small groups or specific individuals
◦ Uses social engineering
What is social engineering?
◦ Hacking the human being
◦ Taking advantage of a person’s (or a group’s) nature to gain something
Spear Phishing
Common methods include:
◦ File attachments that contain malware
◦ Links to web sites (click-bait)
◦ Links to websites that install malicious software
◦ Threats demanding money
◦ Tricking you into logging onto what appears to be a legitimate web site
Several types:
◦ Highly Personalized
◦ Conversation
Types – Highly Personalized
Includes:
◦ Your full name
◦ Mailing address
◦ Bank account number
◦ Name of your employer
◦ Part of your password
Body of email:
◦ Looks legitimate
◦ May appear to come from someone you know
Sample
Type: Conversation
Usually starts with a simple email:
◦ “Do you have time now to chat?”
◦ “Need to talk to you – hit me up when you can”
◦ “Are you available now”
Designed to build trust
◦ Usually made to look like it came from someone you know
◦ Usually a person in authority
Type: Conversation
Second email:
◦ Contains a malicious file
◦ Contains bad links
◦ Requests actions (like a bank transfer)
Sample
How to Identify
Look for errors:
◦ Grammar
◦ Spelling
◦ Punctuation
◦ Syntax
Look for contextual clues:
◦ Device
◦ Tone
◦ Signature
How To Identify
1. Impersonation
2. Appeals to emotions:
◦ Greed
◦ Fear
3. Includes download or link
How To Identify
1. Impersonation of known brands
2. Domains don’t match
◦ Look for one or two letters off
◦ Bnk instead of Bank
3. Dangerous file types:
◦ .EXE or .COM files
◦ Scripts or DLLs
◦ Java
How To Identify
Look for suspicious URLs:
◦ www.citi-bank.com
◦ www.mygmail.com
◦ yahooo.com
◦ wwwchase.com
◦ http://chase.com.cc
◦ online.wellsfargo.wfosec.net
◦ http://www.chase.com-sweepstakes-2011a.info
◦ http://66.160.154.156/catalog/paypal
◦ http://bit.ly/2q3xxKU
How to Identify
Attachments are convenient.
Virtually any files can be attached.
Exercise caution before opening attachments.
Recognize imposters:
◦ Check the sender’s name and email address.
◦ Check the subject.
◦ Verify that message is in character for the sender.
◦ Call the sender to verify if uncertain.
Be careful of dangerous attachment types like .zip, .exe, .js, or .docm.
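An attachment screening routine, added here as an example and not part of the original slides, covering the dangerous file types called out above and in the earlier list (.EXE/.COM, scripts, DLLs, Java, .zip, .js, .docm). It is case-insensitive, ignores a trailing dot, and treats a double extension such as invoice.pdf.exe as a disguised executable; the three type lists are constructed assumptions for the example.

```python
import os

# Constructed lists for this example: the types the slides name plus close relatives.
EXECUTABLE = {".exe", ".com", ".scr", ".bat", ".cmd", ".dll", ".js", ".jse",
              ".vbs", ".ps1", ".jar", ".hta"}
MACRO_ENABLED = {".docm", ".xlsm", ".pptm"}
ARCHIVE = {".zip", ".rar", ".7z", ".iso"}


def classify_attachment(filename):
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    name = filename.strip().lower().rstrip(".")   # 'setup.EXE.' still ends in .exe
    root, ext = os.path.splitext(name)
    inner = os.path.splitext(root)[1]              # 'invoice.pdf.exe' -> '.pdf'
    if not ext:
        return "review", "no file extension; type cannot be judged from the name"
    if ext in EXECUTABLE:
        if inner:
            return "block", f"double extension {inner}{ext} disguises an executable"
        return "block", f"executable or script type {ext}"
    if ext in MACRO_ENABLED:
        return "review", f"{ext} can carry macros; open only with macros disabled"
    if ext in ARCHIVE:
        return "review", f"{ext} archive may hide an executable; inspect contents first"
    return "allow", f"{ext} is not a type this policy flags"


def screen_attachments(filenames):
    """Map each attachment name to its verdict for a whole message at once."""
    return {f: classify_attachment(f) for f in filenames}


if __name__ == "__main__":
    # constructed sample attachment names
    for f, (verdict, why) in screen_attachments(
            ["agenda.pdf", "Invoice.PDF.exe", "setup.EXE.", "Q3 report.docm",
             "photos.zip", "readme"]).items():
        print(f"{f:18} {verdict:7} {why}")
```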
What to do?
What to Do
Verify:
◦ Verify a link before clicking it.
◦ Verify the sender and recipient.
Enable a spam filter.
Keep cybersecurity software updated.
Disable macros.
Delete unsolicited emails and attachments.
Be cautious with your email password.
What to Do
Educate yourself about the latest scams.
Be wary of subject lines that try to draw you in.
Watch for inconsistencies in the sender’s domain.
Watch for unusual or atypical requests.
Do not allow yourself to be pressured into breaching protocol.
Example
Example
Why Me?
It’s not personal
◦ Most cyber crime is automated
If you
◦ Have a job (work email address)
◦ Have a home (home/personal email address)
◦ You have data (you, your spouse, your kids),
Then you are a target!
Why Me?
Nothing is free
◦ Nothing is private
◦ Once it’s online, it’s always ONLINE
Online sites – YOU are the product
◦ Google: $32.5 Billion (2017)
◦ Facebook: $40.6 Million (2017)
◦ Instagram: $6.84 Billion (2017)
◦ Snapchat: $825 Million (2017)
◦ Twitter: $731 Million (2017)
◦ VSCO: $234.6 Million (2017)
Once It’s Online
What Can I Do
The following tips should help you stay safe online:
◦ Some are things you should know
◦ Some are things you should do
◦ They are in no particular order
◦ You can decide which ones are important
◦ They are not all inclusive
◦ Some may make sense to you, others may not work
This list is not complete…
◦ As technology changes, so will these
◦ You need to be smart and conscious of every action
Online Shopping
Use a separate credit card with a fixed limit for online shopping
◦ Prepaid cards are great for this
Check your bank accounts daily!
Be selective with the web sites you use
Never, ever, ever let the web site save your credit card information
Never use your credit card from a device you don't own, or a network you didn't build
Passwords
Never use a password – always use a passphrase
Use a passphrase:
◦ “I love my dog!”
◦ “Work is done at 3:15!”
Never enter your passphrase when someone is looking over your shoulder
Never write your passphrase down where others can see it
Never share your passphrase with anyone
Protect Your Devices
USE anti-virus/anti-malware
◦ Windows 10 Defender is AWESOME – don’t disable it! And it’s free
◦ You can also use Forticlient – it’s also free and awesome
◦ https://forticlient.com/downloads
If your device contains information that is important to you, PAY for anti-virus software
◦ Make sure it uses heuristics and behavioral monitoring (like Webroot)
If you use your phone for anything other than making phone calls and playing solitaire, make sure it’s protected also
Lock it up
If you aren’t actively using your device
◦ LOCK IT!
For desktops and phones, enable the auto lock function
◦ Screensavers also
If you are traveling with a computer, out of sight = out of mind
◦ That’s what the trunk is for, not your front seat
If you went on vacation, would you leave the doors and windows of your house unlocked?
Lists
Make a list of all the online accounts you have
◦ Rank them by importance – importance to you
◦ Rank them by the effect it would have if they were compromised
Now, take your list
◦ And jot down your passwords
◦ Do they look secure enough to you, based on importance?
Think – what if someone had access to this account – how would it change my life?
Fuggetaboutit
If you haven’t been on a website in six months, shut down/close your account
If you haven’t used an app or program in six months (ok, tax programs are the exception), remove it – phones too!
If you don’t remember setting up an account, delete it!
Don’t Take Candy from Strangers
If you find a USB drive or other device, let your brother-in-law check it out first
Never, ever, plug a device into your computer if you don’t know where it came from, or who touched it
Google Yourself
Make a list (and maintain it) of online accounts
Don’t accept a friend request if you don’t know who they are
Don’t be the first to accept a request from someone you don’t know
Keep your professional online presence separate from your personal online presence
Being Paranoid Is Ok
If everyone is out to get you!
◦ And everyone IS out to get you!
If it sounds or looks too good to be true, it’s probably not true
If the person was standing in front of you right now, saying the same things, would you believe them?
If it’s not something you would like printed on the front page of the newspaper, or displayed on the 6:00 news then don’t share it
WIIFT (pronounced wift)
What’s In It For Them (WIIFT)
Criminals are EXCELLENT at creating fake online personas
◦ Why does that person want to be your friend?
◦ Why do they want to share that document/video/link with you?
You can fool some of the people all of the time; you can fool all of the people some of the time, but you can never fool all of the people all of the time. - P.T. Barnum
No Time Like The Present
According to US CERT – 85% of attacks can be prevented by running updates
If you have an app that is no longer supported (no updates in 6 months) – STOP USING IT!
Ask yourself this simple question – which is more important:
◦ The time it takes to update the system
◦ The time it takes to recover from a stolen identity
Duplication is BAD
Never, ever, ever use the same password for two different sites
Yes, each site gets its own passphrase
Yes, it’s a pain
Yes, it will keep you safe
Did I mention you should use a different password for every site/system?
You Have My Permission To Lie
Ever see these questions?
◦ Where did you meet your spouse?
◦ What is your mother’s maiden name?
◦ What was the name of your first pet?
Don’t ever give them a true answer – pick something you will remember
◦ Where did you meet your spouse? Blue
◦ What is your mother’s maiden name? Circle
◦ What was the name of your first pet? Umbrella
Remember Sarah Palin?
Remember to Listen
If your bank “calls” or emails you asking for account information
◦ Shouldn’t they already have this?
If your health care provider calls you – ok, this is just unrealistic
It’s ok to say “not right now, I’ll call you right back”
◦ Then look up the number for yourself and ask why they called
This is social engineering = someone trying to trick you for your loss and their gain
Insurance
You probably have homeowners insurance.
You probably have auto insurance.
Why aren’t you backing important files up?
◦ Use a REMOVABLE USB drive
◦ And remove it when you are done backing things up
Assume the Worst
It’s not if you will be hacked, it’s when you will be hacked
Backup your data frequently – to a separate drive you disconnect when it is not being used
◦ Use thumb drives for vital information – store them in a home safe
Keep your system patched (run updates)
Scan your machine regularly
◦ Once every six months is not regularly
◦ Quick scan daily, full scan weekly
Practice Abstinence
Never trust attachments you were not expecting
If you just have to look at it:
◦ Download it first
◦ Upload it to http://virustotal.com
◦ If they say it’s ok, then open it
If it’s an executable – ask someone before you run it
◦ That’s how ransomware spreads
TMI
There is NO SUCH THING AS PRIVACY on the Internet
Once it’s online, it’s ALWAYS online
Never post personally identifiable information (PII) online
Always ask, when someone wants something:
◦ Who is it for? Why do they need that?
◦ Exceptions are online applications – but these are limited in terms of access, right?
Be Sybil
Create multiple email addresses
◦ You probably already have one for work
◦ You probably have one for family
◦ Create one for shopping
◦ Create one for newsletters and associations
◦ Create a spare just because you can
This will reduce spam to your legitimate (family, work) accounts
Unsub
Unsubscribe from any unnecessary newsletters
Use filters and mark emails as spam to help your email provider block it more effectively
NEVER click on links in spam emails
NEVER download and open attachments in spam emails
Disable the automatic downloading of HTML graphics in your mails
When using social media, enhance your privacy settings so no one can see your email account
Protect Your Phone
Turn on your screen lock and use it at all times.
Use encryption to protect confidential information stored on your phone.
Turn your Wi-Fi and Bluetooth off when you don’t use them.
Install an antivirus for smartphones (if your phone allows it – Android phones do).
Check permissions before installing an app.
Don’t install rogue apps.
Back up your data.
Fortify Your Browser
Use an adblocker
◦ https://adblockplus.org/
Use a privacy blocker
◦ https://www.eff.org/privacybadger
ALWAYS check your browsing history
◦ Clear your cache
NEVER let your browser save your passwords
Be A User
When you set up your machine at home, you most likely created a default user account
◦ And that account most likely has administrative privileges
◦ If you have administrative rights, so do the hackers
Most attacks are automated
◦ Code scans for vulnerabilities, and usually exploits them as the current, logged-in user
Create additional accounts
◦ Standard user – log in as them and use that account for everyday use
Your Finger Is NOT Attached to Your Mouse
It’s ok to stop, read the screen, put your hands in your lap, and think before you click
Hackers know if you are overwhelmed or frustrated, you will tend to click, click, click
◦ They will embed bad links mixed with good
Never click on
◦ Any short links, when you have no idea where they lead
◦ Any emails or attachments that you never requested
It’s 9:00 PM – Where Are You?
Turn off geotagging (location data embedded in your photos)
Turn off location services on your phone if you aren’t using it to navigate
Adam Savage didn’t and put his truck online for sale – with a picture – and wondered why people were showing up at his house
Be Private
Turn ON privacy settings
◦ Every app
◦ Every computer
Test them
Try to get to them while not logged on
◦ See if your kids can get to them
◦ See if you can get to your kids
Be Defensive
Use a multi-layered approach to security
◦ Use a firewall
◦ Use anti-virus/anti-malware
◦ Use encryption – on your files and/or your hard drive
◦ Use SSL/TLS when you browse
◦ Only use WPA2 wireless
Track your web activity
Know what’s connected to your PC/phone
Questions?