Information Security Session October 23, 2006

1
Information Security Session October 23, 2006
  • Bill Eaheart
  • Network Security Coordinator
  • DePaul University

2
Information Security at DePaul
  • Who we are
    • Information Services - Business Continuity and Security Group (BCS)
  • Web Site
    • http://is.depaul.edu/security/information_security/
  • Email Addresses for BCS team
    • Bill Eaheart - weaheart@depaul.edu
    • Arlene Yetnikoff - ayetniko@depaul.edu
  • Reporting security incidents
    • security@depaul.edu
    • abuse@depaul.edu

3
Today
  • Provide practical information
  • General guidelines for secure computing
  • Question and Answer
  • Presentation available on this web page
    • http://is.depaul.edu/security/information_security/presentations.asp

4
Truths about computers
  • Computers (all operating systems) are vulnerable to attacks
  • Connecting a computer to the Internet allows the Internet to connect to your computer
  • Good news: real-time access to news, collaboration, information, videos, applications
  • Bad news: vulnerable to attacks from viruses, worms and individuals

5
Survival Time
  • http://isc.sans.org/survivalhistory.php

6
Types of Attacks
  • Coordinated
    • Your computer is specifically targeted
  • Opportunistic
    • Software available to conduct
      • Random scans looking for Windows open file and printer shares
      • Searches for known vulnerabilities and unsecured services
    • Allows individuals to
      • Exploit vulnerabilities
      • Crack passwords
  • Most attacks for home users are opportunistic
  • Easy steps to avoid opportunistic attacks
  • Coordinated attacks are difficult to stop

7
Typical Day at DePaul
  • Timestamp -- 2006-10-x
  • Possible External Hosts unauthorized scans

    Count   Src Addr          Port
    ------------------------------
    38600   81.115.44.75      5900
    41160   81.244.148.101    135
    38599   218.247.185.218   22
    2393    59.112.85.220     139
    2094    59.112.85.220     445
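
A per-source scan summary like the one on this slide can be derived from firewall deny logs. The following is an added example, not part of the original presentation: the log format, the addresses (RFC 5737 documentation ranges) and the `min_targets` threshold are constructed assumptions, not DePaul's tooling.

```python
import re
from collections import Counter

# Constructed log format (an assumption): one denied inbound connection per
# line, "<timestamp> DENY <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>".
LINE_RE = re.compile(
    r"^\S+ DENY (?:TCP|UDP) (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)

def summarize_scans(lines, min_targets=3):
    """Return [(count, src, port)] for sources that probed the same port on
    at least `min_targets` distinct internal hosts, busiest first."""
    hits = Counter()   # (src, port) -> number of denied connections
    targets = {}       # (src, port) -> set of distinct destination hosts
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # skip malformed or unrelated lines
        key = (m["src"], int(m["port"]))
        hits[key] += 1
        targets.setdefault(key, set()).add(m["dst"])
    rows = [(n, src, port) for (src, port), n in hits.items()
            if len(targets[(src, port)]) >= min_targets]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

def format_report(rows):
    """Render rows in the Count / Src Addr / Port layout used on the slide."""
    out = ["Count   Src Addr          Port", "-" * 30]
    out += [f"{n:<7} {src:<17} {port}" for n, src, port in rows]
    return "\n".join(out)

def sample_log():
    """Constructed sample: two sweeping sources and one ordinary blocked hit."""
    lines = []
    for host in range(1, 6):   # one source sweeps port 5900 across 5 hosts
        lines.append(f"2006-10-01T03:00:{host:02d} DENY TCP "
                     f"203.0.113.9:40000 -> 192.0.2.{host}:5900")
    for host in range(1, 4):   # another sweeps port 445 across 3 hosts
        lines.append(f"2006-10-01T03:01:{host:02d} DENY TCP "
                     f"198.51.100.7:40001 -> 192.0.2.{host}:445")
    lines.append("2006-10-01T03:02:00 DENY TCP 198.51.100.20:40002 -> 192.0.2.1:80")
    lines.append("line that does not match the expected format")
    return lines

if __name__ == "__main__":
    print(format_report(summarize_scans(sample_log())))
```

Requiring several distinct destinations per source and port keeps a single blocked connection from being reported as a scan.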

8
What can we do?
  • Protecting your Computer
  • Windows Update
  • Virus and Spyware Protection
  • Use a Host Based Firewall
  • Account and Password Security
  • Microsoft Baseline Security Analyzer
  • Using Public Computers
  • Social Engineering
  • Email
  • Downloads
  • Peer to Peer Sharing

9
Windows Update
  • Microsoft provides security patches and updates
  • Check for updates at least once per month
  • Security fixes released on the second Tuesday of each month
  • Manual Update
    • Open Internet Explorer → http://windowsupdate.microsoft.com
  • Windows Automatic Updates makes this easy
    • Start → Control Panel → Automatic Updates
  • DePaul makes it even easier
    • Software Update Services (SUS) server

10
Virus and Spyware Protection
  • Malware (MALicious softWARE) designed to make life unhappy (virus, trojan horse)
  • Install Anti-virus software
  • Regularly update anti-virus signatures
  • Available products
    • Commercial
      • McAfee Antivirus - http://www.mcafee.com/us/
      • Norton Antivirus - http://www.symantec.com/
    • Commercial/Freeware
      • Avast! - http://www.avast.com/
      • AVG - http://www.grisoft.com/us/us_index.php
  • DePaul makes it even easier
    • McAfee Anti-virus and McAfee ePolicy Orchestrator (ePO)
    • Student download - http://netauth.depaul.edu/virusscan/
  • Spyware
    • Gathers information without your knowledge
    • Available products
      • Ad-aware - http://www.lavasoftusa.com/

11
Host Based Firewall
  • Best PC firewalls
    • Track incoming and outgoing traffic
    • Allow you to set up rules
  • Windows XP
    • Internet Connection Firewall (ICF)
    • Inspects incoming traffic only
    • Start → Control Panel → Network Connections → Change Windows Firewall settings
  • Commercial Products
    • Sygate Personal Firewall
    • ZoneAlarm
    • Tiny Personal Firewall
    • Norton Personal Firewall
    • BlackIce PC Protection

12
Account and Password Security
  • All accounts must have strong passwords
    • http://www.microsoft.com/athome/security/privacy/password.mspx
  • Weak or no password accounts are an open invitation to hackers
  • If possible do not run your computer as administrator
  • Disable any unused accounts
  • Strong passwords
    • Special characters (!) mixed with letters and numbers
    • Mixed upper- and lower-case letters and punctuation characters
    • Nonsense words that are easy to pronounce but aren't in any dictionary
    • Eight or more characters
  • Use a password sentence or passphrase
    • I need to visit the Kmart at 400 → In2vtK@4
    • My 1 Password!
    • Do not use either of these passwords

13
Microsoft Security Analyzer
  • Microsoft Baseline Security Analyzer
    • http://www.microsoft.com/technet/security/tools/mbsahome.mspx
    • Free, vulnerability assessment tool for the Microsoft platform
  • Download Software
  • Installation Wizard
  • Scan your computer

14
Using Public computers Security
  • Public Computers
    • Use caution when using public computers - cannot trust
    • Do not save your logon information
    • Do not leave the computer unattended
    • Erase your tracks
    • Watch for over-the-shoulder snoops
    • Do not enter sensitive information
    • http://www.microsoft.com/athome/security/privacy/publiccomputer.mspx
  • Wireless Networks
    • Wireless traffic can be captured
    • Man in the middle attacks
    • Should not transmit sensitive data
    • http://www.microsoft.com/athome/security/privacy/wirelessnetwork.mspx

15
Social Engineering
  • What is Social Engineering
    • Collection of techniques used to manipulate people into performing actions or divulging confidential information
  • Social Engineering Attacks
    • By phone, office visits, email, web sites, instant messaging, IRC
  • Do not be a victim
    • Be suspicious of unsolicited phone calls, visits or email messages
    • Do not provide personal information or organizational information
    • Do not reveal personal or financial information in an email and do not respond to email solicitations
    • Don't send sensitive information over the Internet before checking a web site's security
    • Pay attention to web sites: malicious sites look legit
    • If you have any doubts contact the company directly
  • Web Sites
    • http://www.snopes.com/
    • http://www.antiphishing.org/
    • http://hoaxbusters.ciac.org/

16
References
  • Home Computer Security and Privacy by Patrick Crispen

17
The End!
  • Thank you
  • Any questions?
  • weaheart@depaul.edu