Intermediate Users - PowerPoint PPT Presentation

Slides: 46
Provided by: davidh132

Title: Intermediate Users


1
Welcome
Presented by David Husnian CIO/CTO Web inSights
  • Intermediate Users
  • Special Interest Group
  • October 21, 2002

2
Overview
  • What is it?
  • Why is it important?
  • What am I securing? Why?
  • What steps can be taken?

3
What is it?
  • Preventing Unauthorized Use
  • Detecting Unauthorized Use

Help stop intruders from accessing your computer.
Determine whether someone has attempted to
break into your computer and, if they have, what
they have done.
4
Why is it important?
  • Many types of attacks
  • Viruses, etc.
  • Hackers/Crackers
  • More than just one computer
  • Home Networks
  • Family and Friends
  • Accessing Company Computers

A virus is a program that infects files on a
computer and attaches copies of itself to other
files and e-mails.
Hacker: an expert programmer who enjoys playing
with computers and sharing knowledge, sometimes
circumventing security measures. Cracker: a
hacker with malicious intent.
A virus or other intrusion will open
vulnerabilities on all the other computers in your
home.
A virus or attacker may be able to use e-mail to
gain access to your family, friends and business
associates.
Your company's computers are also at risk if you
send e-mail to co-workers or access company
computers from home.
5
What am I securing and why?
  • A lot to lose
  • Privacy
  • Software
  • Information
  • Innocence
  • Illegal usage

Personal information, Web site visits, online
purchases, identity.
Software you rely on could be stolen and/or
vandalized, leaving you unable to use it.
Tax records, business proposal, your novel,
passwords, photos.
What types of things do you want your young child
to be exposed to? Do you want your teenager
becoming a hacker? Some prey on the uninformed
and innocent.
Store stolen information. Launch attacks on other
computers. Library of stolen software for
download. A blind for illegal activities.
6
What steps can be taken?
  • Microsoft defines 7 steps
  • Assessment
  • Use anti-virus software
  • Keep software up-to-date
  • Software settings
  • Use a firewall
  • Use strong passwords
  • Periodic Maintenance

Assess your risk of intrusion.
Install, update and USE anti-virus software.
Keep your operating system, Web browser, mail
client and productivity software up-to-date with
the latest patches.
Make sure your software settings are protecting
you as best as they can.
Put a technological barrier between you and
intruders.
Your passwords are the keys to your personal and
private information.
Schedule periodic maintenance for your computer
to keep it secure.

7
Step 1 Assessment - Who
  • Who uses your computer?
  • You
  • Spouse
  • Children and their friends
  • Your friends and family

Do you know what to do and not do?
Is your spouse educated on protecting your
computer?
Children are very curious but not very wise.
Even if you know how to protect your computer, do
your friends and family who use it?

8
Step 1 Assessment - How
  • How do you connect?
  • Always on: broadband
  • As needed: dial-up

Always-on connections are primarily broadband
connections. Broadband is a high-speed network
connection, most frequently using DSL or a cable
modem.
As-needed connections are primarily dial-up
connections. Dial-up is a low-speed network
connection using a modem; speeds are up to 53kps,
although usually slower.

9
Step 1 Assessment - What
  • What do you do?
  • Shop and finance
  • E-mail
  • Chat and Instant Messaging
  • Entertainment
  • Research

Look for
  • Valid and current authenticating icon.
  • Uses secure connections.
  • Good privacy policy.
  • Call them if desired.
  • Periodically check financial records.

Make sure you
  • Keep software updated.
  • Use security settings.
  • Use anti-virus software.
  • Don't open unexpected attachments.
  • Encrypt sensitive e-mail.

Remember
  • Chat rooms are NOT private.
  • IM software is a hole into your system.

Vulnerabilities
  • ActiveX control games.
  • Java applet games.
  • Receiving files from fellow gamers.

Beware of
  • Downloaded files.
  • Incorrect information.
  • Web bugs and other advertising.

10
Step 2 Use Anti-Virus Software
  • What can viruses do?
  • Copy themselves
  • Attach to files and e-mail
  • Send themselves via e-mail
  • Steal run-time resources
  • Phone home
  • Destroy files
  • Increase instability
  • Use up disk space and bandwidth
  • Launch attacks

Viruses by definition make copies of themselves.
Viruses attach themselves to something: files,
boot sectors, e-mail, etc.
Viruses' primary mode of infection is now via
e-mail.
Viruses can use computer time and memory, slowing
down everything you're doing.
Viruses can connect back to their creator
and send things. These things can be files,
your system information or even every keystroke
you type!
Viruses can destroy some or all of your files,
even to the point that your system is not usable.
By their actions, like using memory and destroying
files, viruses can make your computer system very
unstable.
In addition to using run-time resources, viruses
can use your hard disk and connection bandwidth.
Viruses can install programs that can be used to
launch attacks from your computer.

11
Step 2 Use Anti-Virus Software
  • What can you do?
  • Install anti-virus software
  • Keep it updated!
  • Run in the background
  • Schedule periodic scans
  • Notify others if infected
  • Software Vendors

Number 1 thing to do is have anti-virus software
installed on EVERY computer.
Number 2 thing to do is KEEP IT UPDATED!!!!
Set your anti-virus software to always be running
in the background so it scans files as they are
accessed and e-mail as it is sent or received.
Run periodic scans of your computer with your
anti-virus software to make sure nothing has
breached your defenses.
If you do get infected by a virus you should
notify everyone to whom you've given files or who
is in your computer address book.

Software vendors
  • Norton Anti-Virus
  • VirusScan
  • Sophos Anti-Virus
  • PC-cillin 2002
  • eTrust Antivirus

12
Step 3 Keep Up-to-Date
  • Most successful attacks could be thwarted!
  • What to update
  • Anti-virus software
  • Operating system
  • Web browser
  • E-mail client
  • Productivity software

Most successful intrusions are due to software
that has not been updated.
As mentioned, keep your anti-virus software
updated; every day is NOT too much.
Use the Windows Update feature if you use
Windows. Make sure you watch for and use
operating system updates if you use a different
operating system.
Whether you use Internet Explorer, Netscape
Navigator, Opera, AOL or another Web browser,
keep it updated.
Since so many attacks use e-mail, it is
critical to keep your e-mail client updated.
As software becomes more connected it is important
to keep your productivity software (Microsoft
Office, Quicken, etc.) updated.

13
Step 4 Software Settings
  • Critical software has important security
    settings.
  • Web browser and e-mail client.

Your critical software (Web browser and e-mail
client) is also vulnerable. Setting security
values properly is important.
14
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Open Dialog Box Tools->Options and go to the
    Security tab.

Open the Internet Options dialog box and go to
the Security section.
15
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Open the Security Settings dialog box: click on
    Custom Level.

Click on the Custom Level button to display the
Security Settings dialog box.
16
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Download signed ActiveX controls
  • What's an ActiveX control?
  • What is signed?
  • Who is it from?
  • Was it changed?
  • Do I want to allow this?

Can IE download an ActiveX control that has been
signed? Choices are disable, enable and prompt.
An ActiveX control is a Windows software part
and is the primary software architecture
component for Windows systems.
"Signed" is just one of the two parts of what is
necessary, but it is used as shorthand for both.
To guarantee an ActiveX control is from whom it
purports to be, a digital certificate from a
Certification Authority is attached to the
control. This is the signing part and is like
using a notary public.
Just because you know who it came from does NOT
mean it wasn't changed along the way. To
guarantee this the digital certificate is
encrypted.
  • Choose Disable to never allow this.
  • Choose Enable to always allow this.
  • Choose Prompt to decide on a case-by-case basis.
    This provides a good balance between convenience
    and security.

17
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Download unsigned ActiveX controls

Can IE download an ActiveX control that has not
been signed? Choices are disable, enable and
prompt.
18
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Initialize and script ActiveX controls not marked
    as safe
  • What is safe?
  • What is Initialize and script?
  • Do I want this?

Can IE initialize and allow scripting of an
ActiveX control that has not been marked as
safe? Choices are disable, enable and prompt.
Safe: the developer has said the ActiveX control
won't do specific things, like modify the registry
or write to the disk. Key point: the developer has
said.
Initialize is when the control first starts up
upon page load. Script is when a Web page
talks to the ActiveX control.
  • Disable: never allow. This provides the most
    safety, and most trusted sources mark their
    controls as safe.
  • Enable: always allow.
  • Prompt: decide on a case-by-case basis.

19
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Run ActiveX controls and plug-ins

Can IE run ActiveX controls and other
plug-ins? Choices are Administrator approved,
disable, enable and prompt.
20
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Script ActiveX controls marked safe for scripting
  • What is scripting?

Can IE allow scripting of an ActiveX control that
has been marked as safe? Choices are disable,
enable and prompt.
Scripting is instructions to the browser from the
programmer. Most interactivity in Web pages is
due to scripting. Scripting ActiveX controls can
be dangerous since they can do anything.

21
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • File download

Should IE allow the downloading of
files? Choices are disable and enable.
22
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Java permissions

How should IE handle Java applets? Choices are
custom, disable, high safety, low safety and
medium safety.
23
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Access data sources across domains

Should IE allow accessing data sources to/from
locations that aren't the Web site being looked
at? Choices are disable, enable and prompt.
24
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Allow META REFRESH

Should IE allow the page to automatically refresh
after a page-specified period of time? Choices
are disable and enable.
25
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Display mixed content

Should IE allow secure and non-secure information
to be displayed on the same Web page? Choices
are disable, enable and prompt.
26
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Don't prompt for client certificate selection
    when no certificate or only one certificate exists

Should IE prompt you for a certificate selection
when one or no certificates are installed on your
computer? Choices are disable and enable.
27
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Drag and drop or copy and paste files

Should IE allow files to be copied via drag and
drop or copy and paste? Choices are disable,
enable and prompt.
28
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Installation of desktop items

I am not really sure what this is; I think it is
related to Microsoft's Active Desktop. Choices
are disable, enable and prompt.
29
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Launching programs and files in an IFRAME

Allow IE to launch programs in an IFRAME? Choices
are disable, enable and prompt.
30
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Navigates sub-frames across different domains

Allow IE to let one frame change the contents of
another frame if both are from different
domains? Choices are disable, enable and prompt.
31
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Software channel permissions

Software channels provide the ability to install
software updates. What security do you want to
use for this? Choices are high, low and medium.
32
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Submit unencrypted form data

Allow IE to send unencrypted form data
(information you've entered into a Web
page)? Choices are disable, enable and prompt.
33
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Userdata persistence

Allow IE to persist userdata (sort of a super
cookie)? Choices are disable and enable.
34
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Active scripting

Allow IE to let programming scripts run? Choices
are disable, enable and prompt.
35
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Allow paste operations via script

Allow IE to let programming scripts paste
information from your Windows Clipboard? Choices
are disable, enable and prompt.
36
Step 4 Software Settings - Browser
  • Settings for Internet Explorer 6
  • Logon

How do you want IE to respond when a Web page
requests authentication? Choices are Anonymous
login, automatic logon only for Intranet zone,
automatic logon with current username and
password, and prompt for user name and password.
37
Step 4 Software Settings - E-mail
  • Settings for Outlook 2002
  • Open Dialog Box Tools->Options and go to the
    Security tab.

Open the Outlook Options dialog box and go to the
Security section. Set the Secure Content Zone to
Restricted.
38
Step 4 Software Settings - Word
  • Settings for Word 2002
  • Open Dialog Box Tools->Options and go to the
    Security tab.

Open the Word Options dialog box and go to the
Security section.
39
Step 4 Software Settings - Word
  • Settings for Word 2002
  • Password Advanced Encryption Type

Click the Advanced button next to the "Password
to open" text box.
40
Step 4 Software Settings - Word
  • Settings for Word 2002
  • Macro Security

Click the Macro Security Button.
41
Step 5 Use a firewall
  • What is a firewall?
  • Types of firewalls
  • Personal
  • Routers
  • Hardware
  • Firewall vendors

A firewall is like a security fence to help keep
out intruders.
A personal firewall is meant to guard a single
computer. It is like the lock on a bedroom door.
A router helps make computers attached to it
invisible to the outside. It is like the
doorman in a secure apartment building.
A hardware firewall is a dedicated device designed
to detect and repel intruders and attacks. It is
like a security fence around a gated
community.

Firewall vendors
  • Windows XP
  • Norton Personal Firewall
  • ZoneAlarm
  • Black Ice Defender
  • Sygate Personal Firewall
  • McAfee Personal Firewall
42
Step 6 Create Strong Passwords
  • Why do I need one?
  • What is a strong password?
  • Longer is more secure
  • Varied is more secure
  • What isn't a strong password?

Hackers use automated tools that let them try a
large number of common words, abbreviations and
acronyms in a short period of time.
A strong password is one that follows a few
rules: long, varied, random and unusual.
The longer the password is the more secure it is
likely to be. Make it at least 7 or 8 characters
long.
The more variety in the password the more secure
it will be. Use letters, numbers and symbols. Use
lower and upper case. Don't repeat a
character. Change your password frequently.
A password is less strong if it uses a common
word or acronym. It is less strong if it has
repeating or consecutive characters. It is less
strong if it uses numbers instead of similar
letters.

j8sH@0Ql.1Wa
Jennifer, aaabbb123, R0b3r7,
supercalifragilisticexpialidocious
43
Step 6 Create Strong Passwords
  • What do I do?
  • At least 7 or 8 characters long
  • One of each type
  • Don't repeat anything
  • Do NOT write it down
  • Have several passwords
  • Change password periodically
  • Example

Create a password that is at least 7-8 characters
long.
Create a password that has at least one UPPER
case and one lower case letter, one number and one
symbol.
Create a password that does not repeat any
letter, number or symbol.
Do not write down your password. If you do it is
not a strong password any longer.
Create several passwords, each for a different
purpose. Create one for casual uses. Create one
for less casual uses. Create one for secure uses.
Make sure you change your password every 3 to 6
months.
Example: First date was with Mary in 1970 at the
Goshen Pizza Hut.

M70@gph
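
The rules from slides 42 and 43, written as a checker and run over the slides' own sample passwords. This is an added example, not part of the original presentation; the minimum length of 7, the look-alike table and the small word list are assumptions made for the illustration.

```python
import string

# Assumption: the lower bound of the slides' "at least 7 or 8 characters".
MIN_LENGTH = 7

# Constructed stand-in for the word lists that automated guessing tools use.
COMMON_WORDS = {"jennifer", "robert", "password",
                "supercalifragilisticexpialidocious"}

# "Numbers instead of similar letters": this particular table is an assumption.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})


def _has_run(pw, length=3):
    """True if pw contains `length` consecutive characters, e.g. 123 or abc."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if ord(cur) - ord(prev) == 1 else 1
        if run >= length:
            return True
    return False


def _is_common_word(pw):
    """Undo look-alike substitutions, drop non-letters, then look the word up."""
    undone = pw.lower().translate(LOOKALIKES)
    letters = "".join(c for c in undone if c.isalpha())
    return letters in COMMON_WORDS


def check_password(pw):
    """Return the slide rules that pw breaks; an empty list means it passes."""
    checks = [
        ("too short", len(pw) < MIN_LENGTH),
        ("no upper-case letter", not any(c.isupper() for c in pw)),
        ("no lower-case letter", not any(c.islower() for c in pw)),
        ("no number", not any(c.isdigit() for c in pw)),
        ("no symbol", not any(c in string.punctuation for c in pw)),
        # Case-insensitive, so "R" and "r" count as the same letter.
        ("repeated character", len(set(pw.lower())) < len(pw)),
        ("consecutive characters", _has_run(pw)),
        ("common word", _is_common_word(pw)),
    ]
    return [name for name, broken in checks if broken]


if __name__ == "__main__":
    samples = [
        "M70@gph",  # slide 43's mnemonic example ('@' stands for "at")
        "Jennifer", "aaabbb123", "R0b3r7",
        "supercalifragilisticexpialidocious",
    ]
    for pw in samples:
        problems = check_password(pw)
        print(f"{pw!r}: {', '.join(problems) if problems else 'OK'}")
```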
44
Step 7 Do Security Maintenance
  • Continually maintain
  • Automatic
  • Virus Definitions
  • Windows Updates
  • Periodic
  • Weekly: Virus scan then backup
  • Monthly: Check your disk
  • Semi-Annually: Change passwords and reassess your
    situation.

Periodic maintenance of your system is required
to keep it secure.
Do automatic updates of your virus definitions.
Do automatic updates of Windows.
Every week run a complete virus scan of your
system. Then back up your important files just in
case!
Every month run a complete scan of your hard
disk. This will make sure your data is okay on
the disk.
Twice a year change your password and re-assess
your current situation in regards to security.

45
Step 7 Q&A
  • Questions
  • and
  • (hopefully) Answers