computer security basics
DESCRIPTION
EASTERN WASHINGTON UNIVERSITY. Computer Security Basics. Presented by Skye Hagen Asst Dir – Enterprise Systems QSI Presentation. Assistant Director – Enterprise Systems Work for Linda Matthias, Director Computer Security Prepare IT Security Plan for EWU DIS requirement - PowerPoint PPT PresentationTRANSCRIPT
EASTERN WASHINGTON UNIVERSITY
Computer Security BasicsComputer Security BasicsEASTERN WASHINGTON UNIVERSITY
Presented by Skye Hagen
Asst Dir – Enterprise Systems
QSI Presentation.
EASTERN WASHINGTON UNIVERSITY
Who Am I?
• Assistant Director – Enterprise Systems– Work for Linda Matthias, Director
• Computer Security– Prepare IT Security Plan for EWU
• DIS requirement
– Server Registration / Authorization– Network Security– Server Security
EASTERN WASHINGTON UNIVERSITY
About This Presentation
• Talk about procedures and processes that will help with computer security– Password schemes– Running anti-virus software
• Not going to talk about products and how to use them– Not going to talk about how to configure a firewall– But will talk about them in general terms
• Ask question at any time
EASTERN WASHINGTON UNIVERSITY
Applicability
• Most items covered in the presentation are applicable to any computer system– Work– Home– Telephone (yes, it is a computer system)– PDA
EASTERN WASHINGTON UNIVERSITY
Cast of Characters
• WA State Department of Information Services– DIS – Mandates that each Agency have an IT
Security Plan
• Chief Information Officer– Pat Kelley
• Information Technology Policy Committee– CIO is chair– Made up of CIO, ACC representative and Vice
Presidents
EASTERN WASHINGTON UNIVERSITY
You are a Target
• Why would anyone want to break into my computer
• Use as a launch pad and/or for disguise
• For the data on the system
• For the access that the system may have to other systems
EASTERN WASHINGTON UNIVERSITY
The University is a Target
• Universities are seen as ‘open’, and easy to break into
• Universities, especially libraries, may be anonymous
• Universities have fast Internet connections
• Universities have lots of confidential data, and store it for long periods of time
EASTERN WASHINGTON UNIVERSITY
Current Computer Security Issues
• Denial of Service attacks
• Computer Viruses
• Phishing / Phreaking
• Spyware / Malware
• Script kiddies
• Insider theft
EASTERN WASHINGTON UNIVERSITY
Denial of Service
• Flooding a computer to prevent access– eBay, Microsoft and Yahoo have all been brought
down for several hours by denial of service attacks– Domain Name System (DNS) is a major concern
• Creating a fault that halts the system– Create a Blue Screen of Death– Stops system– Harder to trap or isolate
EASTERN WASHINGTON UNIVERSITY
Denial of Service (cont’d)
• What are we doing about this at EWU?– Limiting bandwidth in some locations
• Open ports in JFK
• Cyber Café (coming soon)
– Limiting bandwidth to the Internet• Slowing down some traffic
– Limiting bandwidth from the Internet• Limiting certain applications to prevent a server from
being flooded
EASTERN WASHINGTON UNIVERSITY
Denial of Service (cont’d)
• What can I do to safeguard my computer– Directly, not much– Practice safe computing
• (I know, you came to this presentation to learn how, not to hear me state the obvious)
– More will come
EASTERN WASHINGTON UNIVERSITY
Computer Viruses
• Computer viruses have been around for a long time
• Lots of kinds of viruses– Worms– Trojan Horse– Lots of other technical names
• Designed to replicate and move from system to system
EASTERN WASHINGTON UNIVERSITY
Famous Computer Viruses
• Morris worm– Exploited a known vulnerability– Mistake in programming caused it to spread faster than
intended– Effect was a denial of service, affecting a large portion of
the Internet
• Michelangelo virus– First computer virus to make national news– First to really make the general public aware of viruses– Because it had little effect, the public did not take computer
viruses seriously
EASTERN WASHINGTON UNIVERSITY
Computer Viruses (cont’d)
• What are we doing about this at EWU?– Anti-virus software is available to faculty and staff
• Call the Service Desk (x2247) if you need a copy
– Students may purchase anti-virus software for a very low cost at the Bookstore
– E-mail is scanned for viruses before delivery to your Inbox
EASTERN WASHINGTON UNIVERSITY
Computer Virus (cont’d)
• What can I do to safeguard my computer– Do not remove or disable your anti-virus software– Do not prevent your anti-virus software from
automatically updating itself– Scan unknown attachments after making sure your
anti-virus software is up-to-date– Scan any files received via Instant Messaging
before opening– Turn auto-preview features off in e-mail
EASTERN WASHINGTON UNIVERSITY
Phishing / Phreaking
• Phishing is the term for the latest identity theft racket. From the AntiPhishing.org web site, “Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them.”
EASTERN WASHINGTON UNIVERSITY
Phishing (cont’d)
• What are we doing about this at EWU?– Fortunately, most phishing e-mails are quarantined
as SPAM by our anti-spam filter PreciseMail
EASTERN WASHINGTON UNIVERSITY
Phishing (cont’d)
• What can I do to protect myself?– Never reply with personal information in an e-
mail, it is insecure– Do not use the link provided in the e-mail– Call the bank or retailer, using a phone number
obtained from a phone book or the operator– Know how your bank operates
• Bank of America sends passwords via the postal system
– Use unique passwords for each account
EASTERN WASHINGTON UNIVERSITY
Passwords, A Digression
• Currently, passwords are the most common method of authentication
• They are also the easiest to obtain and use falsely
• What is the easiest way to break into a password protected account?
EASTERN WASHINGTON UNIVERSITY
How to Break a Password
• Brute force– Try every possible combination of characters– Takes a long time
• Dictionary method– Try dictionary words (includes common words,
common misspellings, foreign dictionaries, words from films or books, and l33t sp34k)
– Try date formats
EASTERN WASHINGTON UNIVERSITY
How to Make a Good Password
• Use lots of non-repeating characters, at least 8
• Use special characters and digits
• Vary the case of letters
• Use the first letter of each word in a phrase only you would know– Tanstaafl – (Actually, This is a bad password!)
• Use different passwords for different systems– Categorize systems by criticality
EASTERN WASHINGTON UNIVERSITY
The (Perfect) Don’ts of Passwords
• Do not write your passwords down
• Do not give your passwords to anyone
• Do not store your passwords in a password manager
• Do not use the same password for multiple accounts
EASTERN WASHINGTON UNIVERSITY
The Reality of Passwords
• Use unique passwords for critical systems
• If you do give your password to someone, make sure they are who they claim to be, and change it immediately afterwards
• Use the password manager for non-critical accounts
• Change your passwords often
EASTERN WASHINGTON UNIVERSITY
Phishing (cont’d)
• Technology may be able to help• Stanford University has two products that may
help– A plug-in that will analyze a web site to see if it
fits the pattern of a phishing site– Another plug-in that creates and encrypts a unique
password for every web site, even if you enter the same word
• Still a few bugs in the system
EASTERN WASHINGTON UNIVERSITY
Spyware / Malware
• General category of obnoxious applications
• Usually installed without your knowledge
• Sometimes rides along with another application, very common with music sharing software
• Watches what you do, and may report it back to someone
• Sometimes difficult to detect and remove
EASTERN WASHINGTON UNIVERSITY
Spyware / Malware (cont’d)
• Can capture keystrokes– Including passwords!
• Sometimes poorly written, making the system unstable
• May create pop-ups
• May be delivered via virus or spam
• Primarily a Microsoft Windows problem
EASTERN WASHINGTON UNIVERSITY
Spyware / Malware (cont’d)
• What are we doing about this at EWU?– Microsoft critical updates include an anti-spyware
search– Enterprise Systems recommends using the full
Microsoft Giant Anti-Spyware product• It’s free!
– Some trapped by anti-virus software, or quarantined by PreciseMail
EASTERN WASHINGTON UNIVERSITY
Spyware / Malware (cont’d)
• What can I do to protect my computer?– Use an anti-spyware product routinely– Keep it up-to-date with the latest signatures– Review the license agreement of any software you
download – You would be amazed at some of the things in there!
EASTERN WASHINGTON UNIVERSITY
Script Kiddies
• Derogatory term for wannabe computer crackers with limited knowledge
• Use attack applications, without the underlying knowledge of how the exploit works
• Exploits known vulnerabilities, does not look for new vulnerabilities
EASTERN WASHINGTON UNIVERSITY
Script Kiddies (cont’d)
• What are we doing about them at EWU?– Using firewalls– Server registration– Intrusion detection and prevention systems
• What about the future?– Researching requiring current patches and anti-
virus software before allowing computers on the network
• Patch management is a new DIS requirement
EASTERN WASHINGTON UNIVERSITY
Script Kiddies (cont’d)
• What can I do to protect my computer?– Use a personal firewall– Use complex and difficult to guess passwords– Disable file sharing– Keep current on critical updates
EASTERN WASHINGTON UNIVERSITY
Insiders
• Most security incidents are caused by insiders
• People with trusted access abuse the system
• System administrators give too much access to people
• Bank of America incident– Insiders selling personal financial information
• Very difficult to control
EASTERN WASHINGTON UNIVERSITY
Insiders (cont’d)
• What are we doing about this at EWU?– Putting controls in place on sensitive data– Informing people of consequences– Auditing– Dividing duties– What, no specifics?
• You must be kidding
EASTERN WASHINGTON UNIVERSITY
Insiders (cont’d)
• What can I do to help?– Do not give your password to anyone– Do not write your password down and tape it to
your monitor (or anywhere else for that matter)– Use a complex, difficult to guess password– Change your password often– Do not allow anyone to ‘shoulder surf’– Use screen saver passwords
• This may be an administrative requirement for you
EASTERN WASHINGTON UNIVERSITY
What other steps can you take?
• Backup your data– Viruses and script kiddies may erase files– A departmental server may make this easier
• Remove unused software from your system
• Do not reply to spam
• Set your time
EASTERN WASHINGTON UNIVERSITY
Trends in Computer Security
• Financial institutions are heading to more complex authentication schemes– Multiple passwords– One time passwords (tokens)
• Payment card industry requiring audits and assessments of all merchants, banks, providers in order to continue taking credit cards
EASTERN WASHINGTON UNIVERSITY
What are we doing at EWU?
• Education– QSI Presentations– Server and Computer Maintenance Support Group– Brochures (coming soon… No, really!)– Articles
• Now & Next
– Web pages (www.ewu.edu/securityawareness)
• Server registration
EASTERN WASHINGTON UNIVERSITY
More EWU
• Requiring encrypted access to applications
• Looking at patch management– Push on a routine basis– Audit whenever connected to network
• More intrusion detection and prevention
• Possibly replacing dial-up access to the university with virtual private network (VPN) connections for remote access