Title: Enhancing Customer Security
1 University of Arizona Security Awareness Campaign
Kelley Bogart, University Information Security Coordinator
Gil Salazar, Network Administrator, University of Arizona
2 Agenda
- Why Awareness
- Challenges
- Solutions
- Benefits
- Costs
- Initiatives
- Demonstration
3 Why Awareness? Campus Policy, Standards & Guidelines
- Privacy Guidelines
- Acceptable Use Policy
- Security Policy Draft
- Supporting Security Standards & Guidelines
- Business Continuity & Disaster Recovery
- Incident Reporting
- Management Responsibilities for Security
- Networked Device Security
4 Why Awareness? (cont.)
- FERPA
- HIPAA
- GLBA
- State Legislation (House Bills)
- Online Privacy Statement
- Misuse of State of Arizona Equipment
- Many more to come
5 Why Awareness? (cont.)
- Relationship of Privacy & Security
- Roles and Responsibilities
6 Where to start and how?
- Step 1 - Where are we now?
- Current Situation Assessment
- Step 2 - Where do we want to be?
- Strategic Direction
- Step 3 - How do we plan to get there?
- Implementation Planning
- Step 4 - How will we monitor progress?
- Monitoring
7 Goal: Set the stage for all security efforts by bringing about a change in attitudes, which will change the campus culture.
University of Arizona Characteristics
- Level 5 CONTINUOUS IMPROVEMENT: Threats are continually reevaluated based on changing threat population and security incidents. Additional or more cost effective alternatives are continually identified. The practice of Security is considered a component of the campus culture. Security Awareness is viewed as a business enabler.
- Level 4 COMMON PRACTICE: The integration of Security programs and services in the campus departments is complete. Security is involved at the onset of projects. U of A is considered as a Security Awareness Best Practice campus.
- Level 3 INTEGRATION: General acceptance of campus-wide standards based on Security Infrastructure and displayed through noticeable behavior change. Staff, faculty and students actively and visibly participate in the programs and services. Security incidents are reported immediately to the appropriate area.
- Level 2 ACKNOWLEDGEMENT: Realization that existing Information Security processes are fragmented. Executive level support and involvement is visible. Some Security Awareness interventions are implemented and are ongoing.
- Level 1 COMPLACENCY: Security Policies & Standards are minimal and may or may not be documented. Security Incidents are viewed as someone else's problem. Existing programs and services are perceived as sufficient. Security is viewed as an enforcer.
8 Challenges
- Diversity and Decentralization
- Administrators
- Students
- Staff
- Faculty
- Technical vs. Non-technical
9 Solutions
- Message vs. Delivery Method
- Include WIIFM - What's in it for me?
- Include Knowledge, Skill and Attitude
- The What, How & Why or Want to do
10 The following three slides are a consistent message we communicate or incorporate in our awareness / education efforts to help reinforce the message that Security is Everyone's responsibility, and that technology alone cannot keep us secure. People are the last layer of defense.
11 The key to security is embedded in the word security.
SEC - U - R - IT - Y
YOU ARE IT!
12 If not you, who?
If not now, when?
13 During your typical day, you may be exposed to situations where you become aware of an attempt to breach an area of security. You need to be prepared to:
- Protect
- Detect
- React
14 Benefits
- Campus wide understanding, acknowledgement and
support
- Recognition of Security Office
- Increased reporting requests
15 Costs
16 Initiatives
- Monthly Brown Bag Presentations
- Customized group presentations
- Redesigned Security Page
- security.arizona.edu
- Campus Security Awareness Day
- security.arizona.edu/awarenessday.html
- New Employee Orientation Handout
17 Initiatives (cont.)
- Pamphlets
- Privacy Basics - Guide to Protecting Personal Information
- Risk Reduction - Computer Protection and Prevention
- Security Basics - Guide for Protecting Your Computer
- Computer Security and Privacy Information - What everyone needs to know
- Security Awareness Posters
- security.arizona.edu/posters.html
18-20 First Set
21-23 Second Set
25 Questions
26 Gil Salazar, UA Network Administrator
Kelley Bogart, Information Security Coordinator
28 Agenda
- State of the Internet today
- Viruses, Worms & Spies!
- How to Protect Yourself
29 State of the Internet Today
Internet goes through your computer
30 Some Local Statistics: University of Arizona Campus Cyber attacks per day
- # of outside to inside attacks: 64,959
- # of inside to outside attacks: 60,040
- # of inside to inside attacks: 6,941
- Total # of related victim machines: 593,734
31 Threat Follows Value
The 1950s American bank robber Willie Sutton was asked why he robbed banks. He said he robbed banks because, "That's where the money is."
Today, the money is in Cyberspace!
The Internet provides for criminals the two capabilities most required for the conduct of criminal activities:
- Anonymity
- Mobility
32 Do The Math
- Spam mailed to over 100 million inboxes
- If 10% read the mail and clicked the link
- = 10 million people
- If 1% of people who went to site signed up for 3-days free trial
- (100,000 people) x ($0.50) = $50,000
- If 1% of free trials sign up for 1 year
- (1,000 people) x ($144/yr) = $144,000/yr
33 Situation: It is getting scary!
Timeline figure, in order:
- Product ship
- Vulnerability discovered / potential attack
- Software modified
- Patch released
- Patch deployed at home/office
Figure labels: "Most attacks occur here" and "Why does this gap exist?"
34 Exploit Timeline
Why does this gap exist?
Days between patch and exploit
- Days From Patch to Exploit
- The average is now nine days for a system to be reverse-engineered
35 Exploit Survival Time
- The SANS Institute has studied what it calls the "survival time" of an unprotected computer hooked up to the Internet.
- A year ago, the average time before it was compromised was about 55 minutes.
- Today it's 20 minutes.
- On the UA campus it can be less than ONE MINUTE.
36 Questions?
State of the Internet
- Why do criminals use the internet today?
- To be Anonymous & Mobile
37 Viruses, Worms & Spies
38 Virus
- Old traditional viruses usually required human interaction
- You have to save it, run it, share floppy disks
- E-mailing a program / document, without knowing it is infected
- Typically just attach themselves to programs & documents, and then depend on humans to propagate
- This is changing
39 How It Spreads
- E-mail
- Instant Messenger
- Networks
- P2P/Filesharing software
- Downloads
- Floppy disks, Flash Drives, CDs, etc.
40 Sample E-Mail ... This has a virus attached!
To: user@email.arizona.edu
Subject: Notify about your e-mail account utilization.
From: support@arizona.edu
Dear user of Arizona.edu gateway e-mail server,
Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information. For further details see the attach. For security reasons attached file is password protected. The password is "03406".
Best wishes,
The Arizona.edu team
http://www.arizona.edu
41 Questions?
Virus
- What is the most common way viruses are spread today?
- E-Mail
42 Worms
- Sub-class of Virus
- Replicates automatically without human help
- Example is e-mail address book attack
- Bogs down networks and Internet
- Zotob, Blaster are examples
44 Worms
- Scary part: you don't have to do anything but turn your computer on!
- Or make a simple click.
45 Trojan Horse
- Program that appears to be a good program, but really isn't
- Might do what it is supposed to, plus a whole lot more!
- Programs installed in this category use several methods to enter the computer
- Web, e-mail, spyware
46 Botnets or Zombies
- Botnets are networks of captive computers (often called zombies) that are created by trojans or worms that have infected unprotected PCs.
- These networks are frequently used to send spam and initiate distributed denial of service (DDoS) attacks.
47 Questions?
Worms
- What is it called when a program sneaks onto your computer?
- A Trojan
48 Phishing
49 Have you ever received an email that says something like this?
- We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.
- OR
- During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information.
50 This is a typical phishing attempt
51 What is Phishing?
- Phishing is a form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or legitimate business in an apparently official electronic communication, such as an email, pop-up window or an instant message.
- http://en.wikipedia.org/wiki/Phishing#Phishing_technique
52 Social engineering is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick people into revealing sensitive information or getting them to do something that is against typical policies. By this method, social engineers exploit the natural tendency of a person to trust his or her word, rather than exploiting computer security holes.
- Social engineering preys on qualities of human nature:
- the desire to be helpful
- the tendency to trust people
- the fear of getting into trouble
53-56 EBAY
57-59 PayPal
60-61 Visa
62 Microsoft
63-65 Stats from Anti-Phishing Working Group
66 Arizona State Credit Union
67 DM Federal Credit Union
68 Recognizing Phishing
- False Sense Of Urgency - Threatens to "close/suspend your account," or charge a fee.
- Indirect invitation - "Dear valued customer", "Dear reader", "In attention to service name here customers".
- Misspelled or Poorly Written - Helps fraudulent e-mails avoid spam filters.
69 Recognizing Phishing
- Suspicious-Looking Links & Pop-Ups - Links containing all or part of a real company's name asking you to submit personal information.
- Hyperlinks spoofing - You see the "http://www.yourbank/Login" link in the message, but if you hover the mouse cursor over the link, you will see that it points to "http://www.spoofedbanksite.com/Login"
70 Discover Card Awareness
71 Citibank
72 Spyware or Phishing-based Trojans - Keyloggers?
73 Phishing-based Trojans - Keyloggers
Designed with the intent of collecting information on the end-user in order to steal those users' credentials. Unlike most generic keyloggers, phishing-based keyloggers have tracking components which attempt to monitor specific actions (and specific organizations, most importantly financial institutions and online retailers and ecommerce merchants) in order to target specific information, the most common are access to financial based websites, ecommerce sites, and web-based mail sites.
74 Phishing-based Trojans - Keyloggers, Unique Variants
75 Unique Websites Hosting Keyloggers
76 Yet Another Form of Phishing to worry about
- Unlike a scam which tries to trick you into providing personal information, this:
- Executes code
- Changes your hosts file
- Redirects legitimate webpage to spoofed site
- ...and all you did was open an email or view it in a preview pane in programs like Microsoft Outlook
77 Phishing-based Trojans - Redirectors
Designed with the intent of redirecting end-users' network traffic to a location where it was not intended to go to. This includes crimeware that changes hosts files and other DNS specific information, crimeware browser-helper objects that redirect users to fraudulent sites, and crimeware that may install a network level driver or filter to redirect users to fraudulent locations.
This is particularly effective because the attackers can redirect any of the users' requests at any time and the end-users have very little indication that this is happening as they could be typing in the address on their own and not following an email or Instant Messaging lure.
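Because a changed hosts file gives the user no visible sign, it has to be inspected directly. The following is an added example, not part of the original slides: it audits hosts-file text and reports every entry that pins a host name to a non-local address. The function name, the watched-domain list and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

def audit_hosts(text, watched=()):
    """Return hosts-file entries that pin a name to a non-local address.

    Each finding is (line_no, address, hostname, is_watched), where is_watched
    marks names equal to or under a domain the caller cares about.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(entry) < 2:
            continue  # blank line, comment, or address with no name
        try:
            addr = ipaddress.ip_address(entry[0])
        except ValueError:
            continue  # not a valid address, so not a usable mapping
        if addr.is_loopback or addr.is_unspecified:
            continue  # localhost entries and 0.0.0.0 sinkholes do not redirect
        for name in entry[1:]:
            name = name.lower().rstrip(".")
            hit = any(name == w or name.endswith("." + w) for w in watched)
            findings.append((line_no, str(addr), name, hit))
    return findings

# Constructed sample; addresses come from documentation ranges, names are placeholders.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example   # sinkholed by the user
203.0.113.7     www.yourbank.example yourbank.example
192.0.2.10      fileserver.lan
"""

if __name__ == "__main__":
    for line_no, addr, name, hit in audit_hosts(SAMPLE_HOSTS, watched=("yourbank.example",)):
        label = "WATCHED DOMAIN REDIRECTED" if hit else "review"
        print(f"line {line_no}: {name} -> {addr} [{label}]")
```

On a real machine the text would be read from /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts. Entries marked only for review can be legitimate local overrides.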
79 FTC suggestions to help avoid getting hooked by a phishing scam
- If you get an email or pop-up message that asks for personal or financial information, do not reply. And don't click on the link in the message, either.
- Use anti-virus software and a firewall, and keep them up to date.
- Don't email personal or financial information.
80 FTC suggestions (cont'd)
- Review credit card and bank account statements as soon as you receive them
- Be cautious about opening any attachment or downloading any files from emails
- Forward spam that is phishing for information to spam@uce.gov and to the company, bank, or organization impersonated in the phishing email.
81 Additional Protection Tips
- Treat all email with suspicion
- Never use a link in an email to get to any web page
- Ensure that all of your software is up to date
- Use anti-spyware detection software on a regular basis
82 Additional Protection Tips
- If you must use your financial information online, ensure that you have adequate insurance against fraud
- Be aware or beware.
83 Questions?
- What does the term Phishing refer to?
- Attempt to gather information for illicit use
84 Spyware
- Ever get pop-ups that constantly ask for you to click OK and won't go away?
- This is most likely Spyware of some sort
85 Spyware: What it is
- Spyware is programming that is put in your computer to secretly gather information about you or your PC and relay it to advertisers or other interested parties
- Adware pushes ads, tracks Internet habits and performs other sneaky tricks
86 Spyware: How Do I know I have it?
- Computers slow down to a crawl
- Annoying Pop-ups appear
- Browser Start Page changes
- Unwanted toolbars, tray programs
- New programs are installed on your PC and show up on the desktop
87 Spyware: why is it bad?
- Corrupt/alter the current software
- Steal passwords, information etc.
- Track browsing habits, sites
- Interferes with system settings (registry, startup)
- Even after removal, it can leave crumbs which help the program re-install itself
88 Spyware: How did I get it?
- Email
- Instant Messaging
- Internet Browsing
- P2P Software (kazaa, limewire, bearshare, AIM)
- Downloads and Installs
- Potentially Unwanted Programs (PUPs)
91 Spyware: Why do they do it?
- 0x80 is a hacker. He says: "Most days, I just sit at home and chat online while I make money," 0x80 says. "I get one check like every 15 days in the mail for a few hundred bucks, and a buncha others I get from banks in Canada every 30 days." He says his work earns him an average of $6,800 per month, although he's made as much as $10,000. Not bad money for a high school dropout.
92 Questions?
Spyware
- What are a couple things Spyware does?
- Create pop-ups, hijacks web pages, collect info, slow PC down.
93 How to Protect Yourself
94 Practice Good Surfing Sense
- You know there are bad parts of town that you don't go to
- The Internet is the same way: be wary!
95 Download Rules
- Never download or open something, if you don't know what it is
- Even if you know the sender by name, check with them to see if they sent you something
96 Download Rules
- True company-based e-mails never send attachments
- Make sure the link actually goes to their site, not a spoofed one!
- Only download what you trust, and even then be wary!
97 Be Aware of Spoofing
- Have you ever received an e-mail telling you that you have a virus?
- It is possible that:
- Your address could've been spoofed and sent to someone else
- It could be a trick to get you to install some anti-virus or patch (which is really a virus itself!)
98 The Best Defense
99 The Best Defense
- Use Strong Passwords
- Passwords should contain 8 characters including upper and lowercase, special characters () and numbers
- Don't take downloads from strangers
- Only install what you trust
- Free music file sharing programs are wide open doors for hackers
100 The Best Defense
- Check if your PC has any issues
- Does your browser open to a new home page, or search page?
- Increase in advertisements & pop-ups?
- Computer seems sluggish?
- Know your system and what is installed
101 The Best Defense
- Get a detect & removal tool for spyware
- Ad-Aware: easiest to use, free for home use only
- SpyBot: Free for any use, more advanced, has automated protection features
- Microsoft Anti-spyware: Free for any use, has automated protection and updates.
- Use all three together for complete protection!
102 The Best Defense
- Install anti-virus software
- (Sophos, Norton, McAfee etc)
- Install a Firewall
- (Windows built-in, Kerio, ZoneAlarm)
- Keep everything up-to-date!
- Windows Automatic Updates, Anti-virus, Spyware detection.
104 The Best Defense
- Limit access to your computer
- Keep doors locked if you're not around and system is on
- Thumb drives can be used to steal data
105 The Best Defense
- At home use multiple user accounts when sharing computers and switch users/lock workstation when leaving system on when you are away from the desktop
- Control + Alt + Delete
- Windows Key + L for XP
106 Quote from a victim
"Overall, you've got to realize that, just like if you don't secure your home, you run the risk of getting burglarized if you're crazy enough to leave the door on your computer open these days, like I did, someone's gonna walk right in and make themselves at home." - Pastor Michael White
107 Questions?
The Best Defense
- What is the best way to keep passersby from accessing your computer?
- Control-alt-delete or Windows-Key L
108 Other Reminders
- Back up your computer data.
- Keeping system patches updated
- Firewalls, pop-up blocker, spyware apps updated.
- Know your systems
109 Now for any Final Q&A
110 If the situation seems hopeless