computer security basics


Upload: blake-may

Post on 01-Jan-2016


EASTERN WASHINGTON UNIVERSITY

Computer Security Basics

Presented by Skye Hagen

Asst Dir – Enterprise Systems

QSI Presentation.


Who Am I?

• Assistant Director – Enterprise Systems
  – Work for Linda Matthias, Director
• Computer Security
  – Prepare IT Security Plan for EWU
    • DIS requirement
  – Server Registration / Authorization
  – Network Security
  – Server Security


About This Presentation

• Talk about procedures and processes that will help with computer security
  – Password schemes
  – Running anti-virus software
• Not going to talk about products and how to use them
  – Not going to talk about how to configure a firewall
  – But will talk about them in general terms
• Ask questions at any time


Applicability

• Most items covered in the presentation are applicable to any computer system
  – Work
  – Home
  – Telephone (yes, it is a computer system)
  – PDA


Cast of Characters

• WA State Department of Information Services
  – DIS – Mandates that each Agency have an IT Security Plan
• Chief Information Officer
  – Pat Kelley
• Information Technology Policy Committee
  – CIO is chair
  – Made up of CIO, ACC representative and Vice Presidents


You are a Target

• Why would anyone want to break into my computer?

• Use as a launch pad and/or for disguise

• For the data on the system

• For the access that the system may have to other systems


The University is a Target

• Universities are seen as ‘open’, and easy to break into

• Universities, especially libraries, may be anonymous

• Universities have fast Internet connections

• Universities have lots of confidential data, and store it for long periods of time


Current Computer Security Issues

• Denial of Service attacks

• Computer Viruses

• Phishing / Phreaking

• Spyware / Malware

• Script kiddies

• Insider theft


Denial of Service

• Flooding a computer to prevent access
  – eBay, Microsoft and Yahoo have all been brought down for several hours by denial of service attacks
  – Domain Name System (DNS) is a major concern
• Creating a fault that halts the system
  – Create a Blue Screen of Death
  – Stops system
  – Harder to trap or isolate


Denial of Service (cont’d)

• What are we doing about this at EWU?
  – Limiting bandwidth in some locations
    • Open ports in JFK
    • Cyber Café (coming soon)
  – Limiting bandwidth to the Internet
    • Slowing down some traffic
  – Limiting bandwidth from the Internet
    • Limiting certain applications to prevent a server from being flooded


Denial of Service (cont’d)

• What can I do to safeguard my computer?
  – Directly, not much
  – Practice safe computing
    • (I know, you came to this presentation to learn how, not to hear me state the obvious)
  – More will come


Computer Viruses

• Computer viruses have been around for a long time

• Lots of kinds of viruses
  – Worms
  – Trojan Horse
  – Lots of other technical names

• Designed to replicate and move from system to system


Famous Computer Viruses

• Morris worm
  – Exploited a known vulnerability
  – Mistake in programming caused it to spread faster than intended
  – Effect was a denial of service, affecting a large portion of the Internet
• Michelangelo virus
  – First computer virus to make national news
  – First to really make the general public aware of viruses
  – Because it had little effect, the public did not take computer viruses seriously


Computer Viruses (cont’d)

• What are we doing about this at EWU?
  – Anti-virus software is available to faculty and staff
    • Call the Service Desk (x2247) if you need a copy
  – Students may purchase anti-virus software for a very low cost at the Bookstore
  – E-mail is scanned for viruses before delivery to your Inbox


Computer Virus (cont’d)

• What can I do to safeguard my computer?
  – Do not remove or disable your anti-virus software
  – Do not prevent your anti-virus software from automatically updating itself
  – Scan unknown attachments after making sure your anti-virus software is up-to-date
  – Scan any files received via Instant Messaging before opening
  – Turn auto-preview features off in e-mail


Phishing / Phreaking

• Phishing is the term for the latest identity theft racket. From the AntiPhishing.org web site, “Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them.”


Phishing (cont’d)

• What are we doing about this at EWU?
  – Fortunately, most phishing e-mails are quarantined as SPAM by our anti-spam filter PreciseMail


Phishing (cont’d)

• What can I do to protect myself?
  – Never reply with personal information in an e-mail, it is insecure
  – Do not use the link provided in the e-mail
  – Call the bank or retailer, using a phone number obtained from a phone book or the operator
  – Know how your bank operates
    • Bank of America sends passwords via the postal system
  – Use unique passwords for each account


Passwords, A Digression

• Currently, passwords are the most common method of authentication

• They are also the easiest to obtain and use falsely

• What is the easiest way to break into a password protected account?


How to Break a Password

• Brute force
  – Try every possible combination of characters
  – Takes a long time
• Dictionary method
  – Try dictionary words (includes common words, common misspellings, foreign dictionaries, words from films or books, and l33t sp34k)
  – Try date formats


How to Make a Good Password

• Use lots of non-repeating characters, at least 8

• Use special characters and digits

• Vary the case of letters

• Use the first letter of each word in a phrase only you would know
  – Tanstaafl – (Actually, This is a bad password!)
• Use different passwords for different systems
  – Categorize systems by criticality
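
An added example, not part of the original presentation: a small Python checker that applies the rules on this slide together with the guessing methods from the previous one (dictionary words, l33t sp34k, date formats). The word list, the substitution table, the date patterns and the reading of "non-repeating" as "distinct" are assumptions made for illustration.

```python
import re

# Constructed sample word list. "tanstaafl" is included on the assumption
# that a well-known acronym like this appears in guessing dictionaries.
WORDLIST = {"password", "dragon", "letmein", "welcome", "tanstaafl"}

# Common l33t sp34k substitutions mapped back to plain letters (assumed set).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Date-like shapes such as 01/01/2016, 2016-01-01, 01012016, Jan2016.
DATE_PATTERNS = [
    re.compile(r"^\d{1,4}[-/.]\d{1,2}[-/.]\d{1,4}$"),
    re.compile(r"^(\d{6}|\d{8})$"),
    re.compile(r"^(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\d{2,4}$",
               re.IGNORECASE),
]


def candidates(pw):
    """Forms of pw a dictionary guesser would try: lower-cased, l33t undone,
    with and without digits/symbols tacked onto either end."""
    low = pw.lower()
    trimmed = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", low)
    return {low.translate(LEET), trimmed.translate(LEET)}


def weaknesses(pw):
    """Return the slide rules that pw breaks (empty list = none found)."""
    found = []
    if len(set(pw)) < 8:  # "non-repeating" read here as "distinct"
        found.append("fewer than 8 distinct characters")
    if not re.search(r"\d", pw):
        found.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        found.append("no special character")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        found.append("no mixed case")
    if candidates(pw) & WORDLIST:
        found.append("dictionary word")
    if any(p.match(pw) for p in DATE_PATTERNS):
        found.append("date format")
    return found


if __name__ == "__main__":
    # Constructed sample passwords; the last is a phrase acronym with extras.
    for pw in ["Tanstaafl", "P@ssw0rd1", "01/01/2016", "Wm1fc,wB&hnR!"]:
        print(f"{pw!r}: {weaknesses(pw) or 'no weakness found'}")
```

A password such as the constructed `P@ssw0rd1` passes every character rule and is still reported as a dictionary word once the substitutions are undone.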


The (Perfect) Don’ts of Passwords

• Do not write your passwords down

• Do not give your passwords to anyone

• Do not store your passwords in a password manager

• Do not use the same password for multiple accounts


The Reality of Passwords

• Use unique passwords for critical systems

• If you do give your password to someone, make sure they are who they claim to be, and change it immediately afterwards

• Use the password manager for non-critical accounts

• Change your passwords often


Phishing (cont’d)

• Technology may be able to help
• Stanford University has two products that may help
  – A plug-in that will analyze a web site to see if it fits the pattern of a phishing site
  – Another plug-in that creates and encrypts a unique password for every web site, even if you enter the same word
• Still a few bugs in the system


Spyware / Malware

• General category of obnoxious applications

• Usually installed without your knowledge

• Sometimes rides along with another application, very common with music sharing software

• Watches what you do, and may report it back to someone

• Sometimes difficult to detect and remove


Spyware / Malware (cont’d)

• Can capture keystrokes
  – Including passwords!

• Sometimes poorly written, making the system unstable

• May create pop-ups

• May be delivered via virus or spam

• Primarily a Microsoft Windows problem


Spyware / Malware (cont’d)

• What are we doing about this at EWU?
  – Microsoft critical updates include an anti-spyware search
  – Enterprise Systems recommends using the full Microsoft Giant Anti-Spyware product
    • It’s free!
  – Some trapped by anti-virus software, or quarantined by PreciseMail


Spyware / Malware (cont’d)

• What can I do to protect my computer?
  – Use an anti-spyware product routinely
  – Keep it up-to-date with the latest signatures
  – Review the license agreement of any software you download
  – You would be amazed at some of the things in there!


Script Kiddies

• Derogatory term for wannabe computer crackers with limited knowledge

• Use attack applications, without the underlying knowledge of how the exploit works

• Exploits known vulnerabilities, does not look for new vulnerabilities


Script Kiddies (cont’d)

• What are we doing about them at EWU?
  – Using firewalls
  – Server registration
  – Intrusion detection and prevention systems
• What about the future?
  – Researching requiring current patches and anti-virus software before allowing computers on the network
    • Patch management is a new DIS requirement


Script Kiddies (cont’d)

• What can I do to protect my computer?
  – Use a personal firewall
  – Use complex and difficult to guess passwords
  – Disable file sharing
  – Keep current on critical updates


Insiders

• Most security incidents are caused by insiders

• People with trusted access abuse the system

• System administrators give too much access to people

• Bank of America incident
  – Insiders selling personal financial information

• Very difficult to control


Insiders (cont’d)

• What are we doing about this at EWU?
  – Putting controls in place on sensitive data
  – Informing people of consequences
  – Auditing
  – Dividing duties
  – What, no specifics?
    • You must be kidding


Insiders (cont’d)

• What can I do to help?
  – Do not give your password to anyone
  – Do not write your password down and tape it to your monitor (or anywhere else for that matter)
  – Use a complex, difficult to guess password
  – Change your password often
  – Do not allow anyone to ‘shoulder surf’
  – Use screen saver passwords
    • This may be an administrative requirement for you


What other steps can you take?

• Back up your data
  – Viruses and script kiddies may erase files
  – A departmental server may make this easier

• Remove unused software from your system

• Do not reply to spam

• Set your time


Trends in Computer Security

• Financial institutions are heading to more complex authentication schemes
  – Multiple passwords
  – One time passwords (tokens)

• Payment card industry requiring audits and assessments of all merchants, banks, providers in order to continue taking credit cards


What are we doing at EWU?

• Education
  – QSI Presentations
  – Server and Computer Maintenance Support Group
  – Brochures (coming soon… No, really!)
  – Articles
    • Now & Next
  – Web pages (www.ewu.edu/securityawareness)

• Server registration


More EWU

• Requiring encrypted access to applications

• Looking at patch management
  – Push on a routine basis
  – Audit whenever connected to network

• More intrusion detection and prevention

• Possibly replacing dial-up access to the university with virtual private network (VPN) connections for remote access


The End?

• Questions, comments, etc.