Title: Security Awareness
Security Awareness
- Virginia Community College System
- System Office
Why Security Awareness?
- Security Awareness is one of the thirteen security components required in the COV ITRM Standard SEC2001-01.1 with which all State agencies must comply.
Why Security Awareness?
- The Virginia Information Technologies Agency (VITA) maintains directives for all Commonwealth of Virginia (COV) agencies to establish Information Technology Security Awareness and Training Programs via the Information Technology Security ITRM Policy 90-1.
- Section I of this policy states:
  - "The Commonwealth relies heavily on the application of information technology for the effective management of governmental programs. Rapid and continuing technical advances have increased the dependence of State agencies on information systems. The value of State information, software, hardware, telecommunications, and facilities must be recognized by agencies as an important State resource, and be protected through agency security programs."
What Are Your Responsibilities?
- All employees, including owners, custodians, and users, are responsible for the adequate protection of VCCS information technology resources (desktop computers, notebook computers, PDAs, software, etc.) within their control or possession.
- Each employee must receive Security Awareness Training annually at a minimum.
- All employees must sign and return a System Office (SO) Information Technology Security Awareness and Training Receipt and Acceptance Form.
What Is Security Awareness?
- Security awareness refers to those practices, technologies and/or services used to promote user awareness, user training, and user responsibility with regard to security risks, vulnerabilities, methods, and procedures related to information technology resources.
Goals of Security Awareness Training
- To provide information on security requirements and procedures that will enable employees to perform their job responsibilities in a manner that safeguards the VCCS and System Office IT resources and information.
- To promote information technology (IT) security so that each employee will be responsible for the adequate protection of information technology resources within their control or possession.
Why Should You Worry About Security?
- Today many users have the misconception that technology alone can solve all security problems.
- All users need to understand and be aware of the existence of internal and external threats.
- Many users lack understanding about the risks of using technology resources.
- IT security is often more of an afterthought.
Why Should You Worry About Security?
- Personal privacy
- Professional privacy
- Legal liability
- Loss of data and equipment
Why Should Your Computer Be Protected?
- Does your computer have sensitive or confidential information sitting in your email boxes, files, etc.?
- Does your computer have sensitive or confidential information that contains personnel data, or credit information that could be used in identity theft or credit card fraud?
- Is there someone (maybe a hacker) who would prefer to have access to your physical computer system and not necessarily the information that it contains?
What Does a Possible Hacker Look Like?
Why Would a Hacker Want Your Computer?
- What illegal purposes might the hacker want to use your computer for?
- Does the hacker want to use your computer to store pirated software, music, movies, etc.?
- Does the hacker need a zombie computer to hide his identity and use your computer as a platform to crack stolen passwords or to distribute denial of service attacks?
What Problems Could a Hacker Cause?
- Could a hacker intrusion into your computer create a legal liability or public embarrassment for the VCCS or System Office?
- Could you be held liable for what a hacker does with your computer?
- If your computer is used in the commission of a crime, it could be confiscated as evidence by the investigating authority. How long would it take you to restore your computer data to its previous state if your computer was seized?
What Tools Can Hackers Use to Compromise Your Computer?
- Viruses/Worms/Trojans/Bots
- Denial of Service and Distributed Denial of Service Attacks (DoS, DDoS)
- Network Scanners and Probes
- Password Crackers
- Remote Administrator Tools
Viruses
- Virus - A virus is software that gets installed on your computer, usually without your knowledge. Usually you get infected by accessing something that is already infected with a particular virus. Some examples of sources of infection are infected file(s), a floppy disk, a website, an email message, etc.
Worms
- Worm - A worm is software that actively tries to spread itself to infect other computers. The worm software could actively scan networks to infect others. Worms can also be spread by email applications that use the infected computer's address book or outbox to obtain additional email addresses to further spread the worm.
Trojans
- Trojan - A Trojan is damaging software that hides its identity by posing as something else, such as a screen saver or a greeting card. The Trojan, once installed, gives the attacker a back door into your system that can be used by the hacker as needed.
Bots
- Bot - A bot is remote access software that allows the hacker to remotely access your computer to do whatever he wants. Bots are a favorite tool that hackers use for DoS (Denial of Service) attacks. The computers compromised by this bot software are sometimes referred to as zombies. Viruses, worms, and trojans are the usual means by which bots are installed. It is often the case that a trojan is installed on your computer for months or years before it is used by hackers.
Denial of Service Attacks (DoS)
- A Denial of Service (DoS) attack attempts to disable a computer; the computer is not actually broken into. The hacker then uses this computer to send a specially constructed URL to a web site server on the world wide web. When received by the web server, this URL causes the web server software to consume its memory, causing it to stop responding to future requests from legitimate web site users.
Distributed Denial of Service Attacks (DDoS)
- A Distributed Denial of Service (DDoS) attack is when the hacker has installed bots on hundreds or thousands of computers and has taken ownership of these computers. The hacker then has all of these pirated computers hit the web server or other servers with hundreds of legitimate requests every second. These hits cause the web server or other servers to stop responding to future requests from legitimate web site users.
Network Scanners and Probes
- A Network Scanner browses the Internet or a particular LAN looking for a particular vulnerability. Once detected by the scanner, these vulnerabilities can be exploited to suit the hacker's purpose.
- A Probe scans a single computer looking for known vulnerabilities.
Remote Administrator Tools
- The hacker can use a Remote Administrator Tool to observe a user's desktop and take over control of their mouse and keyboard.
- pcAnywhere and VNC are legitimate examples of remote administrator software.
- Hackers can use a dangerous tool called Back Orifice which allows the hacker to capture your keystrokes as you type, download files, and turn on your web cam. If a hacker can gain this type of access to your computer, he can see you on your web cam, see your computer desktop, steal your passwords, and obtain your information (credit card, SSN, etc.).
Minimizing Your Exposure - Passwords
- The primary purpose of a password is to authenticate a user, granting access to a secured resource.
- A password is also used to secure information or a resource.
- A password is the first layer of protection between your computer and the rest of the world.
Weak Passwords
- Weak passwords are passwords that are easy to guess, simple to derive, or likely to be found in a dictionary attack. Some examples are as follows:
- Anybody's name (human, pet, fantasy character, etc.)
- Name of operating system, hostname of your computer, user name
- Any number (phone, social security, license plate, birth date, etc.)
- Name (person, place, noun, or thing)
- Any information that is easily obtained about you
- Blank password
More Examples of Weak Passwords
- A word in English or foreign dictionaries
- Words such as god, wizard, guru, gandalf, and so on
- Slang or jargon
- Passwords of all the same letter
- Simple patterns on the keyboard, like qwerty
- Any of the above spelled backwards
- Any of the above preceded or followed by one or two digits
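As an added illustration of the weak-password rules on the two slides above (this is not part of the original presentation), the following Python script encodes those rules as checks and runs them over a few constructed sample passwords. The word list and the personal terms are small constructed stand-ins; a real check would load the complete dictionaries that the presentation says are available to attackers.

```python
import re

# Constructed stand-in for a dictionary; a real checker would load full word lists.
DICTIONARY = {
    "god", "wizard", "guru", "gandalf", "password", "secret",
    "welcome", "summer", "dragon", "monkey", "letmein",
}

# Constructed stand-in for "information that is easily obtained about you":
# names of people, pets, places, the user name, the hostname, the OS.
PERSONAL_TERMS = {"fluffy", "jsmith", "richmond", "windows", "vccspc"}

# Simple keyboard rows used to spot patterns like "qwerty" or "12345".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def strip_digit_affix(word: str) -> str:
    """Remove one or two leading/trailing digits ("gandalf12" -> "gandalf")."""
    return re.sub(r"^\d{1,2}|\d{1,2}$", "", word)


def weak_password_reasons(password: str, personal_terms=PERSONAL_TERMS) -> list:
    """Return the slide rules that a candidate password violates.

    An empty list means none of the listed weaknesses matched; it does not
    prove the password is strong, only that it is not weak in these ways.
    """
    if password == "":
        return ["blank password"]

    reasons = []
    lower = password.lower()

    if lower.isdigit():
        reasons.append("only digits (phone, SSN, licence plate, birth date)")
        core = lower
    else:
        core = strip_digit_affix(lower)

    # "Any of the above spelled backwards" and "preceded or followed by one
    # or two digits": compare the stripped word and its reverse.
    candidates = {core, core[::-1]}

    if candidates & DICTIONARY:
        reasons.append("dictionary word, possibly reversed or padded with digits")
    if candidates & personal_terms:
        reasons.append("name or other easily obtained personal information")
    if len(set(lower)) == 1:
        reasons.append("all the same character")
    if any(c in row or c in row[::-1]
           for row in KEYBOARD_ROWS for c in candidates if len(c) >= 3):
        reasons.append("simple keyboard pattern")

    return reasons


def audit(passwords):
    """Map each sample password to the reasons it is weak (empty if none matched)."""
    return {p: weak_password_reasons(p) for p in passwords}


if __name__ == "__main__":
    # Constructed samples, one per slide rule plus the deck's own strong example.
    samples = ["", "Gandalf12", "drowssap", "Fluffy1", "qwerty", "zzzzzz",
               "5551234567", "t3c4i0t4h"]
    for pw, why in audit(samples).items():
        print(f"{pw!r:>14}: {', '.join(why) or 'no listed weakness matched'}")
```

Each check mirrors one bullet from the slides; `drowssap` is caught because its reverse is a dictionary word, and `Gandalf12` because the word survives once the trailing digits are stripped. The deck's own example, t3c4i0t4h, passes every check.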
Are You Guilty?
- Writing down a password on a sticky note placed on or near your computer.
- Using a word found in a dictionary. That's right, a dictionary. Any dictionary!
- Using a word from a dictionary followed by 2 numbers.
- Using the names of people, places, pets, or other common items.
- Sharing your password with someone else.
- Using the same password for more than one account, and for an extended period of time.
- Using the default password provided by the vendor.
Don't Become an Easy Target
- Chances are, if you are anything like the majority of computer users, you answered yes to one or more of the questions. The problem is, hackers are aware of these user weaknesses and will target those who don't take appropriate precautions.
Don't Be a Target
Why Is There a Problem?
- Users find it hard to remember difficult passwords consisting of numbers and weird characters.
- The number of passwords required by a single individual is growing constantly. How many do you have?
- Software is available to hackers that contains complete dictionaries from several different languages, as well as popular words from today's culture, movies, and books.
Why Is There a Problem?
- Hackers like to attack people's weaknesses.
- Hackers know that once a long, difficult password is chosen, most users will often use that same password for several accounts.
- There is also a problem with keeping the same password too long. This allows the attacker that much more time to gain access to a system.
- If a hacker compromises your computer, remember he now has the same privileges as the currently logged on user.
What Can You Do?
- Use stronger passwords that are longer and more complex, making them more difficult to crack.
Strong Passwords
- Choose passwords that are difficult or impossible to guess.
- Assign a unique password to each account.
How Can You Set a Strong Password?
- There are some basic techniques that users can employ to set a password.
- Set your password to a phrase that you will remember.
  - Example phrase: "The cat in the hat."
- Choose a date that you will remember.
  - Example date: 3/4/04.
- Take the first letter of each word of the phrase and interlace it with the digits of the chosen date to make something similar to t3c4i0t4h.
- This technique creates a password that will not be found in any dictionary and is unique to the user who created it.
(Diagram: the letters t c i t h interlaced with the digits 3 4 0 4 give t3c4i0t4h. Caption: "The Cat in the Hat's Birthday.")
What Additional Techniques Can You Use?
- If your system will allow, below are some additional techniques that users can employ to set even stronger passwords.
- Make passwords six to ten characters in length.
- Include one or more capital letters (A-Z).
- Include one or more lower case letters (a-z).
- Include one or more numbers (0-9).
- Include one or more special characters (such as ! and @).
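The interlacing technique from the previous slide and the composition rules on this one, worked through in Python as an added example (not code from the presentation). `interlace` reproduces the slide's t3c4i0t4h from "The cat in the hat." and 3/4/04, and `composition_report` checks the result against each rule on this slide, which shows that the interlaced password by itself has no capital letter and no special character. The `keep_case` option, the handling of dates with more digits than the phrase has words, and the `SPECIAL_CHARS` set are assumptions added here, since the slide's own list of special characters did not survive intact.

```python
import re

# Assumption: the slide's list of special characters is only partly legible,
# so a common set is used here.
SPECIAL_CHARS = set("!@#$%^&*_-")


def interlace(phrase: str, date: str, keep_case: bool = False) -> str:
    """Slide technique: first letter of each word, interlaced with the date's digits.

    "The cat in the hat." + "3/4/04" -> "t3c4i0t4h".
    keep_case=True (an addition, not from the slide) keeps the original
    capitalisation of each initial so the result can meet the capital-letter rule.
    """
    initials = [w[0] if keep_case else w[0].lower()
                for w in re.findall(r"[A-Za-z]+", phrase)]
    digits = re.sub(r"\D", "", date)  # "3/4/04" -> "3404"

    out = []
    for i, letter in enumerate(initials):
        out.append(letter)
        if i < len(digits):
            out.append(digits[i])
    # Assumption: digits beyond the number of words are appended at the end.
    out.extend(digits[len(initials):])
    return "".join(out)


def composition_report(password: str) -> dict:
    """Check a password against each rule on the slide; True means the rule is met."""
    return {
        "6-10 characters": 6 <= len(password) <= 10,
        "capital letter": any(c.isupper() for c in password),
        "lower case letter": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "special character": any(c in SPECIAL_CHARS for c in password),
    }


def meets_all_rules(password: str) -> bool:
    """True only when every composition rule on the slide is satisfied."""
    return all(composition_report(password).values())


if __name__ == "__main__":
    base = interlace("The cat in the hat.", "3/4/04")
    print(base, composition_report(base))
    # Keeping the capital T and appending one special character satisfies all rules.
    stronger = interlace("The cat in the hat.", "3/4/04", keep_case=True) + "!"
    print(stronger, meets_all_rules(stronger))
```

Run stand-alone, the script shows that t3c4i0t4h meets the length, lower-case and number rules but not the other two, and that T3c4i0t4h! meets all five.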
What Else Can You Do? Best Practices
- Any password can be guessed if given enough time, so a user must change their password within a reasonable amount of time.
- Passwords should not be easy. If you have a password that is easy to remember, it is probably easy for hackers to guess.
- Passwords should not be spoken, written, e-mailed, hinted at, shared, or in any way known to anyone other than the user involved.
- Passwords should not be your name, address, date of birth, username, nickname, or any term that could be guessed easily by someone who is familiar with you.
What Else Can You Do? Best Practices
- Never display or conceal passwords in your work area, no matter how well-hidden you think they are.
- If you feel that your password has been compromised in any way, change it immediately.
- Do not let others see you key in your password.
- Do not use the same password more than once.
A Good Way to Think About Treating Your Password!
- Change yours often!
- Don't leave yours lying around!
- The longer the better!
- Don't share yours with friends!
- Be mysterious!
How Your Computer Can Be Compromised
- Email
- Network intrusion
- Unsecured location
- Social engineering
Email
- Email is a huge concern and probably the most common method of delivering a virus, bot, trojan, or other means to compromise your computer. Hacker tools can be disguised in many ways as email clients offer more robust scripting and features.
- Do not open e-mail attachments from anyone who is a stranger; the subject line or attachment name is often meant to be enticing.
- Do not open e-mail attachments that arrive unexpectedly. It is possible that the e-mail was sent without the sender's knowledge from the address book of an infected computer.
- Do not open executable attachments with an extension of exe, vbs, bat, scr, com, pif, etc.
- There are some things that you can do to practice safe email sending.
- If sending email attachments, notify the recipient of the impending attachments, so they will be expecting them.
- If at all possible, do not send executable attachments with extensions ending in .exe, .vbs, .bat, .scr, .com, .pif, etc.
- Take a moment and scan the attachment before emailing it to a recipient.
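A small Python check for the attachment rules on the two email slides above, added here as an illustration (it is not part of the presentation). It applies the slides' list of executable extensions to constructed attachment names and also handles two cases the slides do not spell out: a document-looking extension placed in front of the executable one (`Invoice.PDF.exe`) and trailing spaces or dots that can hide the real extension. The `DOCUMENT_LIKE` set is a constructed list used only to label the reason.

```python
# Extensions the slides say not to open or send.
BLOCKED_EXTENSIONS = {"exe", "vbs", "bat", "scr", "com", "pif"}

# Extensions that a file name may borrow to look harmless
# (constructed list used only to label the reason).
DOCUMENT_LIKE = {"pdf", "doc", "xls", "txt", "jpg", "jpeg", "gif"}


def attachment_verdict(filename: str) -> tuple:
    """Return (blocked, reason) for one attachment name.

    Normalises case and trailing dots/spaces, then judges by the final
    extension, which is the one the operating system will act on.
    """
    name = filename.strip().rstrip(". ")
    parts = [p.strip() for p in name.lower().split(".")]
    if len(parts) < 2 or parts[-1] == "":
        return False, "no extension"
    ext = parts[-1]
    if ext in BLOCKED_EXTENSIONS:
        if len(parts) > 2 and parts[-2] in DOCUMENT_LIKE:
            return True, f"executable .{ext} disguised as .{parts[-2]}"
        return True, f"executable attachment (.{ext})"
    return False, f".{ext} is not on the block list"


def blocked_attachments(filenames):
    """Names from the list that should not be opened or sent, per the slides."""
    return [f for f in filenames if attachment_verdict(f)[0]]


if __name__ == "__main__":
    # Constructed sample attachment names.
    samples = ["budget.xls", "Invoice.PDF.exe", "greeting.SCR ", "setup.exe.",
               "README", "photo.jpg"]
    for f in samples:
        print(f"{f!r:>18}: {attachment_verdict(f)[1]}")
    print("blocked:", blocked_attachments(samples))
```

The same list can be applied on the sending side, before an attachment goes out, which is the check the second slide asks for.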
- Be aware of other exposures and dangers with email:
- Unwanted email (spam) or abusive email.
- Email that is a request for confidential information.
- Email used for forgery purposes.
- The sender of an email can easily fake the sender address, hiding his identity.
- Email and instant messages sent across the Internet can be easily intercepted and read by hackers. (Do not send passwords, credit card numbers, or other access information via e-mail or instant messaging.)
Best Practices
- Do not hesitate to call the help desk (804-819-4799) anytime you feel unsure about a suspicious email.
- It is a good practice to disable HTML viewing/sending on your email client, because malicious scripting can occur by just viewing the e-mail (no attachment needed) if the email is in HTML format. Consult your email client documentation.
- Disable macros for all documents (you can re-enable them if you need to run a macro).
Network Intrusion
- Today, most computers are connected to some sort of network providing access to the world. The following are ways to protect your computer from being compromised:
- Do not keep computers online when not in use. The best way to do this is either to power them down or to physically disconnect them from the Internet.
- Always log out of your computer whenever possible if you anticipate extended periods of non-use.
Network Intrusion
- Lock your desktop to prevent access to your computer. This will allow programs to continue running.
- Use virus protection software that is constantly updated with the latest virus signatures.
- Regularly download security patches.
Unsecured Location
- If your computer is located in an unsecured physical location, such as an unlocked office with an unlocked computer, the resulting damage could be data theft. If you have an office with a door, shutting or locking it while you are out may help prevent unauthorized access.
- An unattended, unsecured computer left alone even for a few minutes can give a hacker the seconds needed to copy a hacker tool from a floppy disk and gain access to your computer. Use a password protected screensaver.
- Any unsecured computer is a potential target for having the hard drive removed. It only takes a matter of minutes with the new thumb screws used to secure computer covers.
Social Engineering
- Social engineering is when an intruder attempts to pose as someone else to gain unauthorized access to your computer.
- The intruder is often a smooth-talker who tries to gain your confidence, possibly by posing as someone from the IT department, to get you to reveal your passwords or personal information.
- The intruder may be attempting to gain unauthorized access, unauthorized use, or unauthorized disclosure of an information system, network or data.
- The intruder may be trying to modify the system configuration.
Social Engineering
- The intruder may do this in person, by email, or over the phone.
- Beware of what you throw in the trash; intruders often participate in dumpster-diving by digging or scavenging in the trash area for useful information. Shred important information.
- The intruder may try to prey on unsuspecting help desks or support areas, or receptionist/administrative areas, by pretending to be a user needing assistance in order to gain unauthorized access.
- The hacker uses the information gathered from social engineering to launch his attack.
REVIEW - What Can You Do to Practice Safe Security?
- Keep passwords secure.
- Change passwords regularly.
- Use strong passwords.
- Use unique passwords for each system.
- Log out/lock desktop when appropriate.
- Use a password protected screen saver.
- Use power-on passwords to secure your computer at boot up.
REVIEW - What Can You Do to Practice Safe Security?
- Secure your office area as much as possible.
- Use and update antivirus software.
- Use safe email practices.
- Beware of intruder social engineering.
- Back up your important data.
- Keep system and applications updated with the latest patches.
Truths of Security
- Absolute security is unattainable, but let's reach for the sky!
- A disaster could take place at any time regardless of the precautions taken.
- Recovering from any type of attack is most likely going to be time-consuming and expensive!
- Back up your important critical data on a regular basis.
- Back up your data, but more importantly implement and test your backup procedure.
Facts of Security
- Each and every one of us has to share in the responsibility for security!
- As users we all must be proactive!
- No one has all the answers!
- We need your help!
Conclusion
As our Internet usage continues to grow at a rapid rate, so does the need to protect our systems and information from unauthorized access.
- We as users must practice safe security measures; collectively we can play a large role in keeping our organization secure.
- There is no one security practice that is enough to keep us secure.
- Layers of security must be built to make our computer/network unappealing to hackers.
Conclusion
- Security awareness for our organization must change as the needs within the organization change. Changes in new technology must be examined for security impacts to the organization and the people who work for it.
- Do not hesitate to call the help desk (804-819-4799) at any time if you have a security concern or problem. Please report all computer security issues (many discussed previously) and viruses to the help desk.