1

Computer Security Awareness and Training (CSAT) Seminar

TTU QEPService Learning Project

By Blue Team Students – Computer Science Department

CSC 4575/5575Information Assurance and Security

Spring 2011

Cost of Security Incidents in USA In 2009, dollar loss reported for Internet crime reached

all time high ~$560 million Internet Crime (IC3) Annual Report – March 2010

60 percent of financial losses were due to non-malicious actions by insiders Computer Crime and Security Survey, 2009

Perpetrator Map65.4% perpetrators in United States

Internet Crime (IC3) Annual Report – March 2010

What’s up for sale in the Cyber Black Market?

http://www.symantec.com/content/en/us/enterprise/white_papers/b-symc_intelligence_qtrly_july_to_sept_WP_21157366.en-us.pdf

Who is hit hardest?

http://www.symantec.com/content/en/us/enterprise/white_papers/b-symc_intelligence_qtrly_july_to_sept_WP_21157366.en-us.pdf

6

Goal of the CSAT Seminar

To inform on issues most closely related to the handling of sensitive/non-sensitive data with emphasis on TTU policies and general proper practicesSensitive Data: Social Security numbers, Credit

Cards, Birthdates, Medical information, Passwords, etc.

7

Topics To CoverSpywareAnti-VirusEmail Spam

Top 10 ScamsPhishing

Social EngineeringPasswordsHTTPSWireless Fidelity (Wi-Fi)

8

SpywareType of malware that collects user data from

their computer without them knowingCommon Spyware:

Fake Anti-VirusKeyloggers

9

SpywareScareware/

Ransomware: Fake Anti-VirusUses convincing

names: “Antivirus 2010”, “PC Antispy”, “Spyware Protect”, “Win Defender”

Constant pop-ups saying you are not protected

Will disable common programs

KeyloggersRecords keystrokes

and reports them to a program or person

Can be obtained through many bad practices

10

Features of SpywareSpyware has many common features

Requires system resourcesChanges computer settings to lock commonly

used featuresAttempts to disable Anti-VirusRedirects web browser

11

Anti-VirusWhat is Anti-Virus Software?

“Antivirus software is a computer program that detects, prevents, and takes action to disarm or remove malicious software programs, such as viruses and worms” – Microsoft

Who provides it?Symantec – The software used by TTU CampusMcAfeeAVGMicrosoft

12

Anti-VirusHow do you know if

it’s working?Check your task-bar

at the bottom-right of your desktop

Windows Security Center

Be sure to note:Make sure you have

the option to real-time scan

Keep the software up to date

TTU Policy1: Updates are automatic, but users are responsible for notifying ITS if there are complications with the update

1 http://www.tntech.edu/itspolicies/viruspolicy/

13

Free Anti-VirusSome things to consider about free Anti-

Virus:Be sure to download from reputable

distributers such as AVG, AntiVir, AVASTDon’t download these from a 3rd party site

Easy questions to ask before downloadingDo I want to pay or get free protection?What am I protecting?Is the software going to slow my system down?

Some distributer’s sites provide statistics

14

Email SpamJunk email or unsolicited bulk e-mailExamples we all know

Free giftsWeight lossDebt help

“36 Million Americans report purchasing drugs from unlicensed online sellers” – Sophos Security Threat Report 2011

15

16

Stay protected!Tips to avoiding scams:

Protect your personal informationKnow who you’re dealing withTake your time – Stop.Think.ConnectAlways read the fine printNever pay for “free gift”

IF IT SEEMS TOO GOOD TO BE TRUE, IT PROBABLY IS!

17

Top 10 Email Scams1. “Nigerian” Email Scam

- Message claiming to need a large amount of money to be transferred out of their country. Usually offering you a percentage.

2. Email or popup claiming to be a business you may deal with

3. Work-At-Home Scams- Get rich quick by stuffing envelopes, assembling products, data entry, etc.

4. Weight Loss Claims

5. Foreign Lotteries

6. Cure-All Products

7. Check Overpayment - Receive a check overpaying

what was owed and asked to wire back what was overpaid. The check then bounces.

8. Pay-in-Advance Credit Offers

9. Debt Relief

10. Investment Scamshttp://www.onguardonline.gov/topics/email-scams.aspx

18

Dealing With Email SpamReporting the spam!Forward the spam to

Microsupport@tntech.eduIf the email appears to be impersonating a

bank or company forward the message to the actual organization

19

PhishingAttempting to acquire sensitive information

such as passwords, credit cards, social security numbers through legitimate sounding offers and warnings

Phishing reports have risen over 100% in last two years - Sophos Security Threat Report 2011

20

Phishing – January 2011 # Brand Name % Deviation

from December in %

1 Paypal 36.84 52.68

2 Ebay 27.12 92.65

3 Others 19.18 100.00

4 Facebook 4.68 63.05

5 Yahoo 3.46 97.28

6 Chase Bank 2.43 38.76

7 Visa 1.82 4.12

8 Commonwealth Bank 1.67 62.92

9 Banco Santander 1.43 69.74

10 World of Warcraft 1.35 11.11Source: http://techblog.avira.com/2011/02/22/phishing-spam-and-malware-statistics-for-january-2011/en/

21

Dealing With PhishingTips to avoid Phishing scams:

Don’t email personal or financial informationBe cautious with opening or downloading

attachments received in email, especially on university computers

Report the emails to Microsupport@tntech.eduUse proper Anti-VirusCheck links inside emails before clicking themNever enter personal information into a pop-up

22

Checking links on web pages

23

Social Engineering“You could spend a fortune purchasing

technology and services… and your network infrastructure could still remain vulnerable to old-fashioned manipulation”

- Kevin Mitnick

24

Social EngineeringDumpster Diving

Pretexting

Gimmies

Quid pro Quo

Carelessly disposing of sensitive information

Using pre-mediated scenario to persuade a target

Exploiting curiosity/carlessness to deliver malware

Trading for information

25

Social EngineeringShoulder Surfing

Smoking Area

Phishing

Someone you would not suspect looking over your shoulder

Socializing at a company’s designated break area

26

Poll:My password is ab1234 or abcdef or abc123. (True/False)

I have not yet changed the default password given to me. (True/False)

I use the same password for multiple sites. (True/False)

I never change my password. (True/False)

I have written down the password “somewhere”. (True/False)

I have given my password to “X”. (True/False)

27

PasswordsThings to consider:

Usernames and passwords are designed for personal use

Try not to use the same password for multiple logins

Do not write down passwords in easy to find locations

Have a strong password

28

PasswordsMaking a strong password

Include letters, numbers, special characters, capitalization

Should be 8 to 12 characters longTry not to include wordsDo not reuse passwords

29

PasswordsLength of Password

Number of Possible Combinations Average Computer

Multiple Pc's Working Together Super computer What the password Contains

8 100 Million 10 Seconds Instant Instant Numerals123456789

8 53 Trillion 62 Days 6 Days 15 Hours Mixed Alpha

AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz

8 218 Trillion 253 Days 25¼ Days 60½ HoursMixed Alpha and

Numerals

0123456789AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz

8 7.2 Quadrillion 23 Years 2¼ Years 83½ DaysMixed Alpha,

Numerals & Symbols

0123456789AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz <SP>!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

www.lockdown.co.uk

30

ITS Password PolicyUser Type Login To Password/PIN

Change Frequency

Faculty/StaffINB (Internet Native Banner) (Regular Access)

Every 90 days

Faculty/Staff INB (Privileged Access) Every 30 days

Faculty/Staff/Student SSB (Self Service Banner) Every 180 days

Faculty/Staff Oracle (Regular Access) Every 90 days

Faculty/Staff Oracle (Privileged Access) Every 30 days

Faculty/Staff/Student TTU Domain/PC Lab Domain/Email Every 90 days

Special Logins Every 90 days

http://www.tntech.edu/itspolicies/password-policy/

31

HTTPSHypertext Transfer Protocol SecureA protocol that creates a secure connection

between your computer and the web site you are connecting to

32

HTTPSITS Policy1

Encryption is recommended when sending non-public or internal data.

Encryption is required if any data is confidential or restricted

How do I know it’s in use?Internet Explorer

Firefox

Chrome

1 http://www.tntech.edu/itspolicies/datasecuritypolicy/

33

Wireless FidelityNote1: “Confidential University business

should not be conducted via the wireless network due to data security issues.”

FiresheepPacket snifferSimplified stealing information

1 www.tntech.edu/its/wirelessaccess

34

Wireless FidelityWay to protect yourself on an open network

Use HTTPSWays to protect your network at home

Use WPA2 with a pre-shared key to secure your router

35

Additional Resources

Can be found athttp://users.csc.tntech.edu/~jlnorris21/csat

36

CreditsAlan ObergShaun TiptonBret HumanMichael Altom Jay PatelNicolas Castellani Jeffrey NorrisHassan AlslameKenison VrabcakPatrick BirdwellRyan Flood

Team Leader / Content DeliveryContent Delivery / Post AssessmentContent Delivery / Content ManagementTeam Leader / Needs AssessmentPost Assessment / Event CoordinationNeeds Assessment / WebsiteWebsite / Content DevelopmentContent Development / Content

ManagementEvent Coordination / Content

ManagementContent Management / WebsiteAdvertisement

37

Acknowledgement

QEP CommitteeComputer Science DepartmentValerie Nash

38

Thank you for your time

Please remember to take our Post Survey at:http://users.csc.tntech.edu/~jlnorris21/csatCertificate - needs to be done by April 29th!