Advanced Security Training for Staff Presented by Matt Langford

Upload: isabella-palmer

Post on 13-Dec-2015

TRANSCRIPT

Page 1: Advanced Security Training for Staff Presented by Matt Langford

Advanced Security Training for Staff

Presented by Matt Langford

Page 2

About me

• Matt Langford, [email protected]
• University of Northern Colorado CISO
• Specialties: security auditing, malware analysis and infrastructure, forensics, cyber crime investigations, security incident response, penetration testing, chemistry…?

Page 4

Topics for today’s presentation

• Who wants your information and why
• Common techniques to steal your information
• Defending your information on social media
• Defending yourself from social engineering
• Protecting your personal data
• Securing your environment

The Bear Bones

Page 5

Who wants your information?

• Organized Crime
• Criminals
• Intelligence Organizations
• Marketers
• People with a grudge
• Local Law Enforcement

Page 6

WHY!?

• To redirect illegal activity from their assets to yours
• To sell your data
• To bulk-collect your data for future purposes
• To steal your identity
• To steal your credit card information
• Because they are curious about you
• Because you are being investigated

Page 7

How they get you!

• Typically they just ask you
  – A phone survey
  – They pretend to be someone or something they are not
    • Fake authority figures
    • Fake emergencies
    • Fake technical support
  – An email survey
  – A trick email
  – In-person contact
  – They just look it up online

Page 8

More complex tricks

• Links to malicious sites
• Links to legitimate-appearing websites where you would think you are safe to give secure information
• They listen to your electronic communications
• Malicious code
• Dumpster diving
• Theft
• Hacking

Page 9

Social Media

• The majority of us use social media of one kind or another.

• Twitter, Facebook, Snapchat, LinkedIn, Pinterest, Google+, Tumblr, Instagram, Vine, etc.

• These applications are fun and keep us connected with our friends and family and help us meet new people.

Page 10

Social Media Risks

• Posting personal data: address, phone number
• Posting sensitive work data: what software you just had trouble with
• Informing people about your activities and patterns: what you do on a Friday night
• Informing people about your hobbies and interests: they know that you love to swim and listen to Kenny G

Page 11

Social Media Risks, Cont.

• Posting social relationships: that you are married
• Posting strong views: that you strongly support a political party or ideal
• Posting your responsibilities: that you are in charge of processing financial data
• Posting possible password hints: your pet’s name, your children’s birthdays, etc.

Page 12

Exercise

Facebook

Page 13

Do you want to know more?

https://www.facebook.com/about/basics/

Page 14

I’m a social engineer

How to defend yourself from social engineering attacks.

Page 15

Trust… but verify!

• If someone calls you, it is OK to ask for identifying information.
  – Ask them for their name, manager’s name, department.
  – Ask them something specific to the institution they represent.
  – Ask them for a call-back number, then check it against a directory or website you look up yourself before you dial it; a number supplied by the caller proves nothing on its own.

Page 16

Beware of escalation

• A person calling you to help should never escalate tension with you.
  – Is the caller becoming hostile because you haven’t immediately cooperated?
  – Have they threatened to go to your manager for no reason?
  – Have they told you that you are violating some law?

Page 17

Protect sensitive information

• You can often uncover a bad actor by the information they want or the action they want you to take.
  – If someone calls you, they don’t need to connect to your computer.
  – If someone calls you, they don’t need sensitive computer data, like your IP address or OS.
  – Do they want you to do something you don’t understand, but insist you just follow their instructions?

Page 18

Don’t fall for tricks

• There are only a tiny handful of legitimate reasons you would be redirected ANYWHERE to enter your credentials.
  – Did you click on a link that is asking for your credentials?
  – Did you get an email asking you to verify sensitive information or log-on information?
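The checks above can be applied mechanically to the links in a suspicious message: does the visible text match where the link really goes, and is the destination actually the institution's site or just something that contains its name? The following is an added example, not code from the presentation; the trusted-domain list, the host names and the sample message are constructed for illustration.

```python
"""Inspect the links in an e-mail body for the warning signs the slide lists.
Added example, not part of the original deck; TRUSTED_DOMAINS and the sample
message below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: the only domain we treat as "ours".
TRUSTED_DOMAINS = {"unco.edu"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name (crude, but enough for .edu/.com/.net hosts)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_trusted(host):
    return registrable_domain(host) in TRUSTED_DOMAINS


def assess_link(href, text):
    """Return the warning signs for one link; an empty list means nothing looked odd."""
    warnings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme == "http":
        warnings.append("not HTTPS")
    elif parts.scheme != "https":
        warnings.append(f"unusual scheme {parts.scheme!r}")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        warnings.append("raw IP address instead of a name")
    if parts.username is not None:
        # https://unco.edu@evil.example/ : the part before '@' is a username, not the host
        warnings.append("user@ in URL hides the real host")
    # If the visible text itself looks like a URL, it must point where it says.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        warnings.append(f"text says {shown.group(1)} but link goes to {host}")
    # Our name appearing inside someone else's domain (unco.edu.account-verify.net).
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in host and not is_trusted(host):
            warnings.append(f"{host} imitates {trusted}")
            break
    return warnings


def scan_message(html):
    """Return [(href, visible text, warnings)] for every link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in collector.links]


# Constructed sample: one legitimate link and two typical phishing patterns.
SAMPLE_MESSAGE = """
<p>Your mailbox is over quota. <a href="https://portal.unco.edu/reset">Reset here</a>.</p>
<p>Or verify at <a href="http://unco.edu.account-verify.net/login">https://www.unco.edu/login</a></p>
<p>Mirror: <a href="https://unco.edu@203.0.113.7/auth">secure portal</a></p>
"""

if __name__ == "__main__":
    for href, text, warns in scan_message(SAMPLE_MESSAGE):
        print(f"{href}\n    shown as: {text!r}\n    {'; '.join(warns) or 'looks consistent'}")
```

The second sample link shows the most common trick on the slide: the text reads like a university address, the real destination is a domain that merely begins with it. The third shows a user@ prefix, which browsers treat as a login name, not as the host.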

Page 19

Personal data

• Your personal information is often used to protect your sensitive data.
  – Why does this person want to know your mother’s maiden name?
  – Why does this person care about what school I went to in 7th grade?
• These could be your security questions on your banking website.

Page 20

Think about it

• Does the request meet your expectations?
  – You just got a pop-up asking for your password. Is that normal?
  – You got a pretty official-looking email from IT about resetting your password. Have you ever seen that before?
  – An IT person called you, but you didn’t put in any tickets. He wants to remote into your machine to “check stuff out”.

Page 21

Phishing Examples

Pages 22 to 24: Phishing Example (no text in the transcript)

Page 25

Resources

• SPAM / Phishing
  – http://en.wikipedia.org/wiki/Phishing
• UNC Policies, Best Practices
  – http://www.unco.edu/cybersecurity/index.asp
• Government
  – http://www.dhs.gov/topic/cybersecurity

Page 26

Protecting your information

• Obfuscation

• Encryption

• File Rights

Page 27

Passwords

• Your first line of defense.
• No longer think of passwords; think of passphrases.
• #$46rD@! can be “cracked” in hours: eight characters, even drawn from the whole keyboard, is a search space that an offline attacker with a GPU rig can exhaust in well under a day against a fast hash.
• “I like to take long walks in the park.......” would take many times the age of the universe to exhaust by guessing, because the search space grows with every word added.
• The caveat: a passphrase is only as strong as it is unpredictable. A famous quotation, a song lyric, or a phrase printed on a training slide is among the first guesses an attacker tries, so make yours personal and not something published.
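To put numbers behind the two secrets on the slide, the added example below estimates the guesses an attacker needs under stated assumptions (a guess rate, a dictionary size, and a short list of well-known phrases, all of which are assumptions, not figures from the presentation). It models the attacker choosing the cheaper strategy: character-by-character brute force for a random string, word-by-word guessing for a phrase, and a lookup in a list of famous phrases first of all.

```python
"""Estimate how many guesses an attacker needs for the two secrets on the slide.
Added illustration, not part of the original deck; the guess rate, dictionary
size and the list of well-known phrases are assumptions."""
import math
import re
import string

GUESSES_PER_SECOND = 1e11      # assumption: offline attack on a fast, unsalted hash with GPUs
WORDS_IN_DICTIONARY = 20_000   # assumption: size of the attacker's word list
SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 1.38e10

# Constructed: phrases an attacker would try before any brute force.
COMMON_PHRASES = {
    "to be or not to be",
    "may the force be with you",
    "the quick brown fox jumps over the lazy dog",
}


def charset_size(secret):
    """Size of the alphabet a brute-force attacker must assume, from the classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in secret):
        size += 26
    if any(c in string.ascii_uppercase for c in secret):
        size += 26
    if any(c in string.digits for c in secret):
        size += 10
    if any(c in string.punctuation or c == " " for c in secret):
        size += 33  # 32 punctuation marks plus space
    return size


def brute_force_guesses(secret):
    """Worst case for an attacker trying every string of this length over this alphabet."""
    return charset_size(secret) ** len(secret)


def looks_like_phrase(secret):
    """Words separated by single spaces, optionally with trailing punctuation."""
    return re.fullmatch(r"[a-z]+(?: [a-z]+)*[.!?]*", secret.strip().lower()) is not None


def dictionary_guesses(words):
    """An attacker who knows it is a phrase guesses word combinations, not characters."""
    return WORDS_IN_DICTIONARY ** len(words)


def guesses_to_crack(secret):
    """Worst-case guesses: the attacker picks whichever strategy is cheaper."""
    words = re.findall(r"[a-z]+", secret.lower())
    if " ".join(words) in COMMON_PHRASES:
        return len(COMMON_PHRASES)          # found in the first short list tried
    estimate = brute_force_guesses(secret)
    if looks_like_phrase(secret):
        estimate = min(estimate, dictionary_guesses(words))
    return estimate


def years_to_crack(secret):
    return guesses_to_crack(secret) / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def report(secret):
    bits = math.log2(guesses_to_crack(secret))
    years = years_to_crack(secret)
    if years < 1:
        return f"{secret!r}: {bits:.0f} bits, about {years * SECONDS_PER_YEAR / 3600:.0f} hours"
    return (f"{secret!r}: {bits:.0f} bits, about {years:.2g} years "
            f"({years / AGE_OF_UNIVERSE_YEARS:.2g} times the age of the universe)")


if __name__ == "__main__":
    for s in ("#$46rD@!", "I like to take long walks in the park.......", "May the force be with you"):
        print(report(s))
```

With these assumptions the eight-character password falls in under a day, the nine-word passphrase needs on the order of 10^20 years even when the attacker knows to guess words rather than characters, and a famous quotation falls on one of the first few guesses regardless of its length.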

Page 28

Passwords

• What’s the big deal with passwords?

A strong, unique password that you keep protected (and change if you ever suspect it has been exposed) will prevent the majority of people from accessing your physical computer and would prevent the majority of cloud account compromises.

Page 29

Password Management

• SplashId by SplashData
  – Windows, Mac
  – iOS, Android

Page 30

Password Management

• Comcast Customers
  – Norton Security Suite Free

Page 31

Lastpass Demo

Page 32

I did everything I was supposed to

• But they still got into my computer.

The second line of defense is your file permissions. We don’t typically deal with that except at the network level, but…
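What "file rights" means in practice on a Mac or Linux machine is the permission bits on each file: a document readable by everyone on the system is exposed to anyone else who logs in, or to any process that gets in. The added example below (not from the presentation) walks a directory, reports files that grant group or world access, and tightens them to owner-only; the two sample files it creates are constructed, and Windows uses ACLs rather than these bits, so it does not apply there.

```python
"""Find files under a directory that anyone else on the machine can read or
write, and tighten them to owner-only.  Added example for the 'file rights'
point; POSIX permission bits only (macOS/Linux).  Sample files are constructed."""
import os
import shutil
import stat
import tempfile

OTHERS_MASK = stat.S_IRWXG | stat.S_IRWXO   # any group or world bit set


def exposed_files(root):
    """Return sorted [(path, octal mode)] for regular files with group/world access."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                      # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_mode & OTHERS_MASK:
                found.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(found)


def tighten(path):
    """Owner read/write only (0600); returns the mode actually set."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo():
    """Build a throwaway tree with one sloppy and one tight file; returns (before, after)."""
    root = tempfile.mkdtemp(prefix="perm-demo-")
    try:
        sloppy = os.path.join(root, "tax-return-2015.pdf")   # constructed name
        tight = os.path.join(root, "notes.txt")
        for p in (sloppy, tight):
            with open(p, "wb") as f:
                f.write(b"constructed sample content\n")
        os.chmod(sloppy, 0o644)    # readable by every account on the machine
        os.chmod(tight, 0o600)
        before = exposed_files(root)
        for path, _mode in before:
            tighten(path)
        after = exposed_files(root)
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    before, after = demo()
    print("exposed before:", before)
    print("exposed after:", after)
```

Run it against a real folder by calling exposed_files() on that path instead of the temporary tree; review the list before tightening, since some files (shared scripts, web content) are meant to be readable by others.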

Page 33

Obfuscation

• Aka. hiding things. Here I just want to emphasize that you shouldn’t name confidential, personal, private, or secure information as such.
• Don’t have a folder on your computer called private, secure, etc.
• Don’t have a file on your computer called passwords.
• Naming is only a speed bump: it slows a casual snoop but not malware that searches file contents, so pair it with encryption and file rights rather than relying on it.

Page 34

Encryption

• Encrypting your mail traffic

• Encrypting your files in transit

• Encrypting your connections

Page 35

Encrypting Mail

• Mail encryption is probably most easily done by using public/private key encryption.

This is not in wide use at this time within the institution. The benefit is that the mail message cannot be read unless the interceptor has the recipient’s private key; the public key only lets people encrypt messages to you (and verify your signatures), so it can be published freely.

Page 36

Protecting your files in transit

• This option allows an individual to protect files they send with a key or password.

For example, if I am sending a file over the internet and it contains something sensitive like my name, address, phone number, and social security number, I will encrypt the file before I send it. Send the password by a different channel (tell the recipient by phone, not in the same email as the file).
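The 7-zip demo that follows does this with AES-256 and that is what to use for real files. The added example below (not from the presentation, and not 7-zip's format) shows the three pieces any password-protected file needs to get right: stretching the password with a salt so guessing is slow, using a fresh random nonce so the same file encrypted twice looks different, and attaching an integrity tag that is checked before anything is decrypted, so a wrong password or a modified file is refused outright. It uses only the Python standard library, which has no AES, so the cipher is a textbook PRF-in-counter-mode construction built from HMAC-SHA256; the file marker and the sample record are constructed.

```python
"""Password-based, authenticated encryption of a file you are about to send.
Added example, standard library only; the keystream is HMAC-SHA256 run in
counter mode (an illustration, not 7-zip's AES-256 format).  For real files
use 7-zip as the slide shows."""
import hashlib
import hmac
import os
import struct

MAGIC = b"PF01"           # format marker (assumption, made up for this example)
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
KDF_ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; raise it for real use


def _derive_keys(password, salt):
    """Stretch the password into separate encryption and authentication keys."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256(key, nonce || counter) blocks, concatenated: a PRF run in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt(password, plaintext):
    """Return MAGIC || salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, "sha256").digest()   # encrypt-then-MAC
    return header + ciphertext + tag


def decrypt(password, blob):
    """Raises ValueError on a wrong password or any modification of the blob."""
    hdr_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < hdr_len + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a file produced by encrypt()")
    header, body, tag = blob[:hdr_len], blob[hdr_len:-TAG_LEN], blob[-TAG_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, header + body, "sha256").digest()
    if not hmac.compare_digest(expected, tag):      # constant-time; checked BEFORE decrypting
        raise ValueError("wrong password or file has been tampered with")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def rejects(password, blob):
    """True when decrypt() refuses the blob (wrong password or tampering)."""
    try:
        decrypt(password, blob)
    except ValueError:
        return True
    return False


def flip_one_bit(blob):
    """Simulate corruption or tampering of the first ciphertext byte."""
    idx = len(MAGIC) + SALT_LEN + NONCE_LEN
    return blob[:idx] + bytes([blob[idx] ^ 0x01]) + blob[idx + 1:]


if __name__ == "__main__":
    # Constructed sample record of the kind the slide mentions (fake data).
    record = b"Name: Jane Doe; Phone: 970-555-0100; SSN: 000-00-0000\n"
    pw = "correct horse battery staple"
    blob = encrypt(pw, record)
    print(len(record), "bytes in,", len(blob), "bytes out")
    print("round trip ok:", decrypt(pw, blob) == record)
    print("wrong password rejected:", rejects("guess", blob))
    print("tampering rejected:", rejects(pw, flip_one_bit(blob)))
```

The order in decrypt() matters: the tag is verified over the header and ciphertext first, with a constant-time comparison, and only then is the keystream applied. Decrypting before checking would hand an attacker a way to probe the content by submitting modified files.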

Page 37

Demonstration

7-zip demo

Page 38

Encrypting your connection

Another excellent way to make sure you are protecting yourself is to encrypt your connection.

• You can use an encrypting proxy (a VPN, for example).
• Many sites have learned to use HTTPS.
• Make sure any site where you are entering passwords or sensitive or financial data uses encryption: look for https:// and the padlock in the address bar, and check that the name shown is the site you meant to visit, since a phishing site can have its own valid HTTPS certificate.

Page 39

Securing your environment

• Close and lock your door
• Be aware of those around you
• Be aware of the time of year
• Do not leave sensitive data unsecured
• Do not leave your password out unsecured
• Do not leave your portable electronics unsecured

Page 40

Securing your environment II

• Share security-related information
• Engage your coworkers about security
• Report suspicious activity or incidents
• Report losses
• Do not share your credentials
• Stay current with security concerns specific to your work or work environment.

Page 41

Q&A

• What questions do you have?
• Are there topics you want to discuss?
• Can I demo something for you?
• Do you want additional training on any of the subjects covered?
• Do you want training on some other security-related topic?

Page 42

Useful Links

• http://www.7-zip.org/
• https://lastpass.com/
• http://pwsafe.org/
• https://blog.protonmail.ch/
• https://www.youtube.com/watch?v=NeJky05BZaY

Page 43

Thank you

Matt Langford – [email protected]

www.unco.edu/cybersecurity/