Security Awareness - PowerPoint PPT Presentation

1
Security Awareness
  • Virginia Community College System
  • System Office

2
Why Security Awareness?
  • Security Awareness is one of the thirteen
    security components required in the COV ITRM
    Standard SEC2001-01.1 with which all State
    agencies must comply.

3
Why Security Awareness?
  • The Virginia Information Technologies Agency
    (VITA) maintains directives for all Commonwealth
    of Virginia (COV) agencies to establish
    Information Technology Security Awareness and
    Training Programs via the Information Technology
    Security ITRM Policy 90-1.
  • Section I of this policy states:
  • The Commonwealth relies heavily on the
    application of information technology for the
    effective management of governmental programs.
    Rapid and continuing technical advances have
    increased the dependence of State agencies on
    information systems. The value of State
    information, software, hardware,
    telecommunications, and facilities must be
    recognized by agencies as an important State
    resource, and be protected through agency
    security programs.

4
What are Your Responsibilities?
  • All employees, including owners, custodians, and
    users, are responsible for the adequate
    protection of VCCS information technology
    resources (desktop computers, notebook computers,
    PDA, software, etc.) within their control or
    possession.
  • Each employee must receive Security Awareness
    Training annually at a minimum.
  • All employees must sign and return a System
    Office (SO) Information Technology Security
    Awareness and Training Receipt and Acceptance
    Form.

5
What is Security Awareness?
  • Security awareness refers to those practices,
    technologies and/or services used to promote user
    awareness, user training, and user responsibility
    with regard to security risks, vulnerabilities,
    methods, and procedures related to information
    technology resources.

6
Goals of Security Awareness Training
  • To provide information on security requirements
    and procedures that will enable employees to
    perform their job responsibilities in a manner
    that safeguards the VCCS and System Office IT
    resources and information.
  • To promote information technology (IT) security
    so that each employee will be responsible for the
    adequate protection of information technology
    resources within their control or possession.

7

Why Should You Worry About Security?
  • Today many users have the misconception that
    technology alone can solve all the security
    problems.
  • All users need to understand and be aware of the
    existence of internal and external threats.
  • Many users lack understanding about the risks of
    using technology resources.
  • IT security is often treated as an afterthought.

8
Why Should You Worry About Security?
  • Personal Privacy
  • Professional Privacy
  • Legal Liability
  • Loss of Data and Equipment

9
Why Should Your Computer Be Protected?
  • Does your computer have sensitive or confidential
    information sitting in your email boxes, files,
    etc?
  • Does your computer have sensitive or confidential
    information that contains personnel data, or
    credit information that could be used in identity
    theft or credit card fraud?
  • Is there someone (maybe a Hacker) who would
    prefer to have access to your physical computer
    system and not necessarily the information that
    it contains?

10
What Does a Possible Hacker Look Like?
11
Why Would a Hacker Want Your Computer?
  • What illegal purposes might the hacker want to
    use your computer for?
  • Does the hacker want to use your computer to
    store pirated software, music, movies, etc?
  • Does the hacker need a zombie computer to hide
    his identity and use your computer as a platform
    to crack stolen passwords or to distribute denial
    of service attacks?

12
What Problems Could a Hacker Cause?
  • Could a hacker intrusion to your computer create
    a legal liability or public embarrassment for the
    VCCS or System Office?
  • Could you be held liable for what a hacker does
    with your computer?
  • If your computer is used in the commission of a
    crime, it could be confiscated as evidence by the
    investigating authority. How long would it take
    you to restore your computer data to its previous
    state if your computer was seized?

13
What Tools Can Hackers Use to Compromise Your
Computer?
  • Viruses/Worms/Trojans/Bots
  • Denial of Service and Distributed Denial of
    Service Attacks (DOS, DDOS)
  • Network Scanners and Probes
  • Password Crackers
  • Remote Administrator Tools

14
Viruses
  • Virus - A virus is software that gets
    installed on your computer usually without your
    knowledge. Usually you get infected by accessing
    something that is already infected with a
    particular virus. Some examples of sources of
    infection are infected file(s), a floppy disk, a
    website, an email message, etc.

15
Worms
  • Worm - A worm is software that actively
    tries to spread itself to infect other computers.
    The worm software could actively scan networks
    to infect others. Worms can also be spread by
    email applications that use the infected
    computer's address book or outbox to obtain
    additional email addresses to further spread the
    worm.

16
Trojans
  • Trojan - A Trojan is damaging software that
    hides its identity by posing as something else
    such as a screen saver or a greeting card. The
    Trojan, once installed, gives the attacker a back
    door into your system that can be used by the
    hacker as needed.

17
Bots
  • Bot - A bot is remote access software that
    allows the hacker to remotely access your
    computer to do whatever he wants. Bots are a
    favorite tool that hackers use for DoS (Denial of
    Service) attacks. The computers compromised by
    this bot software are sometimes referred to as
    zombies. Viruses, worms, and trojans are the
    usual means by which bots are installed. It is
    often the case that a trojan is installed on your
    computer for months or years before it is used by
    hackers.

18
Denial of Service Attacks (DOS)
  • A Denial of Service (DoS) is an attack which
    attempts to disable a computer; the computer is
    not actually broken into. The hacker then uses
    this computer to send a specially constructed URL
    to a web site server on the world wide web. This
    URL, when received by the web server, causes the
    web server software to consume its memory,
    causing it to stop responding to future requests
    from legitimate web site users.

19
Distributed Denial of Service Attacks (DDOS)
  • A Distributed Denial of Service (DDoS) attack
    is when the hacker has installed bots on hundreds
    or thousands of computers and has taken ownership
    of these computers. The hacker then has all of
    these pirated computers hit the web server or
    other servers with hundreds of legitimate
    requests every second. These hits cause the web
    server or other servers to stop responding to
    future requests from legitimate web site users.

20
Network Scanners and Probes
  • A Network Scanner browses the Internet or a
    particular LAN looking for a particular
    vulnerability. Once detected by the scanner,
    these vulnerabilities can be exploited to suit
    the hacker's purpose.
  • A Probe scans a single computer looking for known
    vulnerabilities.

21
Remote Administrator Tools
  • The hacker can use a Remote Administrator Tool to
    allow the hacker to observe a user's desktop and
    take over control of their mouse and keyboard.
  • PCAnywhere and VNC are legitimate examples of
    remote administrator software.
  • Hackers can use a dangerous tool called Back
    Orifice which allows the hacker to capture your
    keystrokes as you type, download files, and turn
    on your web cam. If a hacker can gain this type
    of access to your computer, he can see you on
    your web cam, see your computer desktop, steal
    your passwords, and obtain your information
    (credit card, SSN, etc.).

22
Minimizing Your Exposure - Passwords
  • The primary purpose of a password is to
    authenticate a user granting access to a secured
    resource.
  • A password is also used to secure information or
    a resource.
  • A password is the first layer of protection
    between your computer and the rest of the world.

23
Weak Passwords
  • Weak passwords are passwords that are easy to
    guess, simple to derive, or likely to be found in
    a dictionary attack. Some examples are as
    follows
  • Anybody's name (human, pet, fantasy character,
    etc.)
  • Name of operating system, hostname of your
    computer, user name
  • Any number (phone, social security, license
    plate, birth date, etc.)
  • Name (person, place, noun, or thing)
  • Any information that is easily obtained about you
  • Blank Password

24
More Examples of Weak Passwords
  • A word in English or foreign dictionaries
  • Words such as god, wizard, guru, gandalf, and so
    on.
  • Slang or jargon
  • Passwords of all the same letter
  • Simple patterns on the keyboard, like qwerty
  • Any of the above spelled backwards
  • Any of the above preceded or followed by one or
    two digits

25
Are you Guilty?
  • Writing down a password on a sticky note placed
    on or near your computer.
  • Using a word found in a dictionary. That's right,
    a dictionary. Any dictionary!
  • Using a word from a dictionary followed by 2
    numbers.
  • Using the names of people, places, pets, or other
    common items.
  • Sharing your password with someone else.
  • Using the same password for more than one
    account, and for an extended period of time.
  • Using the default password provided by the vendor.

26
Don't Become An Easy Target
  • Chances are, if you are anything like the
    majority of computer users, you answered yes to
    one or more of the questions. The problem is,
    hackers are aware of these user weaknesses and will
    target those who don't take appropriate
    precautions.

Don't Be a Target
27
Why Is There a Problem?
  • Users find it hard to remember difficult
    passwords consisting of numbers and weird
    characters.
  • The number of passwords required by a single
    individual is growing constantly. How many do
    you have?
  • Software is available to hackers that contains
    complete dictionaries from several different
    languages, as well as popular words from today's
    culture, movies, and books.

28
Why Is There a Problem?
  • Hackers like to attack people's weaknesses.
  • Hackers know that once a long, difficult password
    is chosen, most users will often use that same
    password for several accounts.
  • There is also a problem with keeping the same
    password too long. This allows the attacker that
    much more time to gain access to a system.
  • If a hacker compromises your computer, remember
    he now has the same privileges as the currently
    logged on user.

29
What You Can Do?
  • Use stronger passwords that are longer and more
    complex, making them more difficult to crack.

Strong Passwords
  • Choose passwords that are difficult or impossible
    to guess.
  • Assign a unique password to each account.

30
How Can You Set a Strong Password?
  • There are some basic techniques that users can
    employ to set a password.
  • Set your password to a phrase that you will
    remember.
  • Example phrase: "The cat in the hat."
  • Choose a date that you will remember.
  • Example date: 3/4/04.
  • Take the first letter of the phrase and interlace
    it with the chosen date to make something similar
    to t3c4i0t4h.
  • This technique creates a password that will not
    be found in any dictionary and is unique to the
    user who created it.
  • t c i t h  +  3 4 0 4  =  t3c4i0t4h (each date
    digit is slotted in after the corresponding first
    letter of the phrase)

The Cat in the Hat's Birthday.
31
What Additional Techniques Can You Use?
  • If your system will allow, below are some
    additional techniques that users can employ to
    set even stronger passwords.
  • Make passwords six to ten characters in length.
  • You should include one or more capital letters
    (A-Z).
  • You should include one or more lower case letters
    (a-z).
  • You should include one or more numbers (0-9).
  • You should include one or more special characters
    (for example ! or @).

32
What Else Can You Do? Best Practices
  • Any password can be guessed if given enough time,
    so a user must change their password within a
    reasonable amount of time.
  • Passwords should not be easy. If you have a
    password that is easy to remember, it is probably
    easy for hackers to guess.
  • Passwords should not be spoken, written,
    e-mailed, hinted at, shared, or in any way known
    to anyone other than the user involved.
  • Passwords should not be your name, address,
    date of birth, username, nickname, or any term
    that could be guessed easily by someone who is
    familiar with you.

33
What Else Can You Do? Best Practices
  • Never display or conceal passwords in your work
    area, no matter how well-hidden you think they
    are.
  • If you feel that your password has been
    compromised in any way, change it immediately.
  • Do not let others see you key in your password.
  • Do not use the same password more than once.

34
A Good Way to Think About Treating Your Password!
  • Change yours often!
  • Don't leave yours lying around!
  • The longer the better!
  • Don't share yours with friends!
  • Be mysterious!

35
How Your Computer Can Be Compromised
  • Email
  • Network intrusion
  • Unsecured location
  • Social engineering

36
  • Email is a huge concern and probably the most
    common method of delivering a virus, bot, trojan,
    or other means to compromise your computer.
    Hacker tools can be disguised in many ways as
    email clients offer more robust scripting and
    features.
  • Do not open e-mail attachments from anyone who is
    a stranger; the subject line or attachment name
    is often meant to be enticing.
  • Do not open e-mail attachments that arrive
    unexpectedly. It is possible that the e-mail was
    sent without the sender's knowledge from the
    address book of an infected computer.
  • Do not open executable attachments with an
    extension of exe, vbs, bat, scr, com, pif, etc.

37
  • There are some things that you can do to
    practice safe email sending.
  • If sending email attachments notify the recipient
    of the impending email attachments, so they will
    be expecting the attachments.
  • If at all possible do not send executable
    attachments with extensions ending in .exe, .vbs,
    .bat, .scr, .com, .pif, etc.
  • Take a moment and scan the attachment before
    emailing it to an email recipient.

38
  • Be aware of other exposures and dangers with
    email.
  • Unwanted email (Spam) or abusive email.
  • Email that is a request for confidential
    information.
  • Email used for forgery purposes.
  • The sender of an email can easily falsify the
    sender address, hiding his identity.
  • Email and instant messages sent across the
    Internet can be easily intercepted and read by
    hackers. (Do not send passwords, credit card
    numbers, or other access information via e-mail
    or instant messaging.)

39

Best Practices
  • Do not hesitate to call the help desk
    (804-819-4799) anytime you feel unsure about a
    suspicious email.
  • It is a good practice to disable HTML
    viewing/sending on your email client, because
    malicious scripting can occur by just viewing
    the e-mail (no attachment needed) if the email is
    in HTML format. Consult your email client
    documentation.
  • Disable macros for all documents (you can
    re-enable them if you need to run a macro).

40
Network Intrusion
  • Today, most computers are connected to some sort
    of network providing access to the world. The
    following are ways to protect your computer from
    being compromised:
  • Do not keep computers online when not in use. The
    best way to do this is either power them down or
    physically disconnect them from the Internet.
  • Always logout of your computer whenever possible
    if you anticipate extended periods of non-use.

41
Network Intrusion
  • Lock your desktop to prevent access to your
    computer. This still allows programs to continue
    running.
  • Use virus protection software that is constantly
    updated with latest virus signatures.
  • Regularly download security patches.

42
Unsecured Location
  • If your computer is located in an unsecured
    physical location, such as an unlocked office
    with an unlocked computer, the result could be
    data theft. If you have an office with a door,
    shutting or locking it while you are out may help
    prevent unauthorized access.
  • An unattended, unsecured computer left alone even
    for a few minutes can give the hacker enough time
    to copy a hacker tool from a floppy disk that
    provides access to your computer. Use a password
    protected screensaver.
  • Any unsecured computer is a potential target for
    having the hard drive removed. It only takes a
    matter of minutes with the new thumb screws
    used to secure computer covers.

43
Social Engineering
  • Social engineering is when an intruder attempts
    to pose as someone else to gain unauthorized
    access to your computer.
  • The intruder is often a smooth-talker that tries
    to gain your confidence by possibly posing as
    someone from the IT department to get you to
    reveal your passwords or personal information.
  • The intruder may be attempting to gain
    unauthorized access, unauthorized use, or
    unauthorized disclosure of an information system,
    network or data.
  • The intruder may be trying to modify the system
    configuration.

44
Social Engineering
  • The intruder may do this in person, by email, or
    over the phone.
  • Beware of what you throw in the trash; intruders
    often participate in dumpster-diving by digging
    or scavenging in the trash area for useful
    information. Shred important information.
  • The intruder may try to prey on unsuspecting help
    desks or support areas, or receptionist/administrative
    areas, by pretending to be a user needing
    assistance to gain unauthorized access.
  • The hacker uses the information gathered from
    social engineering to launch his attack.

45
REVIEW - What Can You Do to Practice Safe
Security?
  • Keep Passwords Secure.
  • Change Passwords Regularly.
  • Use Strong Passwords.
  • Use Unique Passwords for Each System.
  • Log Out/Lock Desktop When Appropriate.
  • Use a Password Protected Screen Saver.
  • Use Power On Passwords to Secure Your Computer at
    Boot Up.

46
REVIEW - What Can You Do to Practice Safe
Security?
  • Secure Your Office Area As Much As Possible.
  • Use and Update Antivirus Software.
  • Use Safe Email Practices.
  • Beware of Intruder Social Engineering.
  • Backup Your Important Data.
  • Keep System and Applications Updated with Latest
    Patches.

47
Truths of Security
  • Absolute security is unattainable, but let's
    reach for the sky!
  • A disaster could take place at any time
    regardless of the precautions taken.
  • Recovering from any type of attack is most likely
    going to be time-consuming and expensive!
  • Backup your important, critical data on a regular
    basis.
  • Backup your data but more importantly implement
    and test your backup procedure.

48
Facts of Security
  • Each and every one of us has to share in the
    responsibility for security!
  • As users we all must be proactive!
  • No one has all the answers!
  • We need your help!

49
Conclusion
As our Internet usage continues to grow at a
rapid rate, so does the need to protect our
systems and information from unauthorized access.
  • We as users must practice safe security measures;
    collectively we can play a large role in keeping
    our organization secure.
  • There is no one security practice that is enough
    to keep us secure.
  • Layers of security must be built to make our
    computer/network unappealing to hackers.

50
Conclusion
  • Security awareness for our organization must
    change as the needs within the organization
    change. Changes in new technology must be
    examined for security impacts to the organization
    and the people who work for it.
  • Do not hesitate to call the help desk
    (804-819-4799) at anytime if you have a security
    concern or problem. Please report all computer
    security issues (many discussed previously) and
    viruses to the help desk.

51
  • Any Questions?