
Security For Everyone


Presentation Transcript


  1. Security For Everyone
  “A guide to what everyone needs to know about security.”
  Source: Kentucky Information Technology Center www.kitcenter.org

  2. Security Threats
  • Viruses and worms cost billions of dollars each year.
  • Industrial/business espionage has always been a big business and now has new avenues of attack.
  • Thousands of people have their personal information (their identity) stolen each year. This information is used to obtain online loans and credit cards.

  3. Security Threats (continued)
  • Online businesses are attacked in such a way that prospective customers can’t access their web site (a “Denial of Service” attack). This costs businesses millions in lost revenue and reputation.
  • Thousands of people fall victim to various scams that are communicated electronically and lose millions of dollars (and often their personal information).

  4. Hackers vs. Crackers
  • Hacker - (Originally, someone who makes furniture with an axe) 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. 2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming. 3. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations. 4. One who
  • Cracker - An individual who attempts to gain unauthorized access to a computer system. These individuals are often malicious and have many means at their disposal for breaking into a system. The term was coined ca. 1985 by hackers in defense against journalistic misuse of "hacker".

  5. Contrary to widespread myth, cracking does not usually involve some mysterious leap of hackerly brilliance, but rather persistence and the dogged repetition of a handful of fairly well-known tricks that exploit common weaknesses in the security of target systems. Accordingly, most crackers are only mediocre hackers.

  6. A Potential Scenario
  • You go on vacation and use the “auto-reply” in Outlook. You are telling anyone who emails you that you are out of town, possibly for several days. This includes spammers.
  If I’m a bad guy, I could spam a large company every few days in July. What could I do with the information in the auto-replies?

  7. What could a bad guy do?
  • A bad guy could call the help desk, say “I’m so-and-so, I’ve been on vacation and I’ve forgotten my password ….”
  • A bad guy could also determine where you live, drop by some night, and help himself to your “toys” (remember, you are on vacation).

  8. How Easy Is It?
  • Go to Google.com in your browser.
  • Type in your phone number.
  • Click Google Search.

  9. Why would a cracker want access to your computer?

  10. A cracker could:
  • The cracker wants to “own” as many computers as possible. It’s a status thing.
  • The cracker might trade your computer to another cracker in exchange for something else (a more valuable computer, social security numbers, etc.).

  11. Why MY computer?
  • The cracker might be looking for credit card numbers, social security numbers, banking information, etc. The cracker might install a key logger to record the details of your transactions.

  12. Why MY computer?
  • The cracker might want to use your computer to attack your company’s network over a dial-up or other type of connection.
  • The cracker might want to use your computer as a repository for mp3s, porn, etc.
  • The cracker might want as many computers as possible to use to attack another computer or web site.

  13. My computer used in an attack?
  • Your computer could be one of many sending traffic to a specific computer or web site in a denial-of-service (DoS) attack. This happened to Amazon.com and eBay.com. It takes about 200 computers to completely DoS a web server. DoS attacks also consume network bandwidth.

  14. My computer used in an attack?
  • Your computer could be used as a relay in an attack, to hide the true identity of the attacker in case someone tries to trace the attack back to its source. Crackers usually relay their attacks through 8 to 10 computers to hide their tracks. Anyone investigating would have to go to all those ISPs to check their log files.

  15. My computer used in an attack?
  • If your computer is compromised and you use it to connect to your company’s network, your computer could then be used to attack your company’s network.

  16. How is this possible?
  • Users choose easy-to-guess passwords.
  • Poorly written software contains vulnerabilities that the cracker can exploit.
  • Users install software from unknown sources (viruses, spyware, malware).
  • Users are easily fooled (social engineering, hoaxes, scams).

  17. How good are the crackers?
  • Crackers have tools (programs, utilities) that will scan a network looking for computers.
  • Crackers have tools that can identify what operating system a computer is running (from across the network – the hacker could be in Japan).

  18. How good are the crackers?
  • Crackers have tools that will probe a computer for specific vulnerabilities.
  • Crackers have tools that will perform the exploit against these vulnerabilities.
  • There are scripts that can do these things automatically – allowing crackers with few skills to attack computers (script kiddies).

  19. The “good” news
  • A cracker will often patch your computer for you.
  • After the cracker “owns” your box, he/she doesn’t want someone else to be able to successfully attack it.

  20. The “bad” news
  • Current operating systems and applications are riddled with vulnerabilities.
  • Crackers have really good tools.
  • The public is not very aware of the problem, and that helps the crackers.

  21. What can we do?
  • Change your attitude about security:
  • Educate yourself.
  • Pay attention (don’t click on just anything).
  • Assume the worst at all times.
  • Change your bad habits.
  • Think like a cracker.
  • Assume responsibility – we all have a stake in effective security.
  NEED TO BE MORE PARANOID!

  22. Security is a Way of Thinking
  • Security is not just something you do (especially something you only have to do once and then forget). Security is an on-going process.
  • Security is also a state of mind, or an attitude. We have to start thinking of everything in the context of security.
  STOP. Think how much of your personal information is already out there!!

  23. Convenience vs. Security
  • Computer and software companies have gone to great lengths to make things easy.
  • Problem is, we’ve made things easy for the bad guys, too.
  • In general, anything that improves security does so at the expense of convenience.
  • As users, we have to realize that the loss of convenience is necessary to improve security.

  24. Remember!
  • Don’t unnecessarily give out information in any form.
  • Don’t assume that everybody has honorable intentions.
  • Don’t assume that something secure today will be secure tomorrow.
  • Don’t assume you have nothing of interest to anyone else.

  25. Areas you have to be concerned with
  • Physical security
  • Authentication/Passwords
  • Social Engineering
  • Software issues
  • Viruses, Worms, Trojan Horses
  • Identity Theft and Scams
  • Email issues

  26. Physical Security
  • All bets are off if the bad guy is able to sit down at your computer, so physical security is absolutely vital.
  • All computers with sensitive information should be behind locked doors.
  • Problem: any computer in the company may be connected to these physically secured computers.

  27. Physical Security: What can you do?
  • Require a username and password to log in to your computer.
  • Lock your workstation when you leave your desk.
  • Use a screensaver with a password. Set it to come on in a short period of time.
  • If you travel with a laptop, never let it leave your sight.

  28. Physical Security: What can you do?
  • Don’t let your kids use the company computer.
  • Don’t let outside service people wander un-escorted inside your company.
  • Check the ID of anyone you let inside.
  • Don’t throw away things that a Dumpster Diver can use!

  29. Dumpster Diving
  • Dumpster diving – the bad guys go through your trash.
  • What are they looking for?
  • Written passwords
  • Company phone directories
  • Network diagrams
  • Personal information
  • Any information that can be used against you or your company

  30. Areas you have to be concerned with
  • Physical security
  • Authentication/Passwords
  • Social Engineering
  • Software issues
  • Viruses, Worms, Trojan Horses
  • Identity Theft and Scams
  • Email issues

  31. Authentication
  • A central concept of security is that data should be kept from the wrong people, but those that legitimately need access should be given access after their identity is verified.
  • This process of verification is called authentication.
  • The most popular method of authentication is currently a username and a password.

  32. Authentication
  • Authentication is making sure you are who you say you are.
  • Methods are:
  • Something you know (password)
  • Something you have (smart card or token, used with a PIN)
  • Something you are (some biometric measure, such as fingerprint, retinal scan, voiceprint)

  33. Authentication (cont.)
  • Passwords are cheap, but have serious problems.
  • Smart cards/tokens have a cost (configuration is labor-intensive), require readers, and can be lost (and the user cannot authenticate until replaced).
  • Biometrics require readers, take time to authenticate, and give both false positives and false negatives (very expensive).

  34. False Positives/Negatives
  • A false positive is when something is found to be true, but isn’t really. In biometrics this means someone is authenticated who shouldn’t be (a security breach).
  • A false negative is when something is found to be false, but isn’t really. In biometrics this means that someone is not authenticated, but should have been (a hassle).

  35. The Problems with Passwords
  • People use short passwords.
  • People use common words as passwords.
  • People use their name, or the name of their spouse, or children, or pet.
  • People write their password down and place it near their keyboard.
  • People use the same password on multiple systems.

  36. Password “Crackers”
  • Programs exist that can eventually “crack” any password.
  • One way they do this is by trying each word in a list (a dictionary attack).
  • Another way is to try each possible combination of letters, numbers, etc. (a brute-force attack).

  37. Short Passwords
  • A short password is not a good password because there are not many combinations that need to be tried before the password is cracked.
  • A short password will be cracked by a brute-force attack in a shorter time than a longer password.
  • Although any password can eventually be cracked, the goal is to make it take so long as to be pointless (you will change the password before someone cracks it).

  38. The Problem with Common Words
  • People like to choose common words for passwords, because these are easy to remember. These are vulnerable to a “dictionary” attack.
  • In a dictionary attack the cracker uses a password cracker and a file of common words (dictionary words) to try to match your password.

  39. The Problem With Using a Name
  • Another way to remember your password is to use your name (or some variation), your spouse’s name, your child’s name, etc.
  • Sometimes this information is readily available to the bad guy (maybe it’s in the phone book – Thomas & Amanda Smith, or it’s on the picture frame on your desk – “Fluffy the Cat”).

  40. Writing Your Password Down
  • Believe it or not, the bad guy knows to look under the keyboard for your password.
  • It’s also pretty obvious when you stick it to your monitor.
  • Most know to look under your mouse or mouse pad.

  41. Using the Same Password Over and Over
  • Most of us have to log in to more than one system, so we use the same password over and over.
  • If a cracker cracks your password for any of these systems, he/she will certainly try the same password on other systems.
  • This technique is often used: crack an unimportant machine, then use the same password on an important machine.

  42. How to Make a Better Password
  • Upper-case alpha, lower-case alpha, numbers, and punctuation add to the “complexity”; this tends to nullify the dictionary attack and makes the brute-force attack take much longer. (Microsoft’s definition of complexity is 3 of 4 of these.)
  • Using a passphrase or a password based on a phrase is better, both from the standpoint of being harder to “guess” and being easier for you to remember.

  43. Pass-phrase Example
  • “I’m Fixing a Hole” (from the Beatles Sgt. Pepper’s Lonely Hearts Club album) becomes !’mFxng@H0l&
  • “I’m a Believer” becomes 1m@B3l13v3r
  • You get the idea ….

  44. Password Policies
  • The company you work for probably has a password policy. Some of the things covered in this policy could be:
  • Length – longer passwords are harder to crack
  • Complexity – passwords using a combination of uppercase, lowercase, numbers, and/or punctuation are harder to crack
  • Maximum age – how long a user is allowed to use a particular password

  45. Password Policies
  • Minimum age – length of time a user must use a particular password before they can change it. This (along with “history”) prevents a user from changing a password when required, then changing it back to a favorite.
  • History – the number of passwords the operating system remembers. A user can’t use a password that the OS remembers.
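The password rules in slides 36 through 45 (dictionary and brute-force attacks, short passwords, 3-of-4 complexity, the passphrase examples, and the length/complexity/history policy items) can be turned into a small policy checker. The following is an added example, not code from the deck or from the Kentucky Information Technology Center; the word list, the 8-character minimum, the guess rate and the use of SHA-256 for the history file are all assumptions made for the demo (the age-based rules are omitted).

```python
import hashlib
import math
import string

# Constructed stand-in for the word list a dictionary attack would use.
COMMON_WORDS = {"password", "welcome", "summer", "fluffy", "thomas", "amanda"}

# Characters an attacker must try per position for each class the password uses.
CLASS_SIZES = (
    (str.isupper, 26),                          # upper-case alpha
    (str.islower, 26),                          # lower-case alpha
    (str.isdigit, 10),                          # numbers
    (lambda c: c in string.punctuation, 32),    # punctuation
)

def classes_used(pw):
    """Count the character classes present; 'complexity' here means 3 of 4."""
    return sum(1 for test, _ in CLASS_SIZES if any(test(c) for c in pw))

def keyspace(pw):
    """Brute-force search space (alphabet size to the power of the length),
    assuming the attacker already knows which classes and what length are in use."""
    alphabet = sum(size for test, size in CLASS_SIZES if any(test(c) for c in pw))
    return alphabet ** len(pw)

def crack_time_seconds(pw, guesses_per_second=1e9):
    """Worst-case time to exhaust the keyspace at an assumed guess rate."""
    return keyspace(pw) / guesses_per_second

def remember(history, pw):
    """Store a digest, not the password, so the history file is not itself a prize.
    (A real system would use a slow, salted password hash; SHA-256 keeps the demo short.)"""
    history.add(hashlib.sha256(pw.encode()).hexdigest())

def check_password(pw, history, min_length=8):
    """Apply the slide-deck policy: length, 3-of-4 complexity,
    not a dictionary word, not a remembered (historical) password."""
    problems = []
    if len(pw) < min_length:
        problems.append("too short")
    if classes_used(pw) < 3:
        problems.append("fails 3-of-4 complexity")
    if pw.lower() in COMMON_WORDS:
        problems.append("dictionary word")
    if hashlib.sha256(pw.encode()).hexdigest() in history:
        problems.append("reused (in password history)")
    return problems

if __name__ == "__main__":
    seen = set()
    remember(seen, "Summer2024!")   # constructed "previous" password
    for candidate in ("fluffy", "Summer2024!", "1m@B3l13v3r"):
        print(candidate, check_password(candidate, seen) or "OK",
              f"{math.log2(keyspace(candidate)):.0f} bits",
              f"{crack_time_seconds(candidate):.2g} s")
```

The output shows why the deck's point holds: the pet name "fluffy" has a 26^6 search space (well under a second at the assumed rate) and fails three rules, while the slide's passphrase-derived 1m@B3l13v3r passes and has a 94^11 search space.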

  46. Why are you telling me this?
  • So you will understand the importance of using long and complex passwords, of not writing your password down, of changing your password regularly, etc.
  • We are not asking you to do all this to annoy you. There are valid, important reasons you should do these things.

  47. Areas you have to be concerned with
  • Physical security
  • Authentication/Passwords
  • Social Engineering
  • Software issues
  • Viruses, Worms, Trojan Horses
  • Identity Theft and Scams
  • Email issues

  48. Social Engineering
  • Humans are acknowledged as the weakest link in any security design/implementation.
  • Since most of the technical ways of hacking a system are hard, numerous ways of exploiting this human factor have been developed by the bad guys.
  • These are called “social engineering.”

  49. Social Engineering
  • Social engineering uses weaknesses in people instead of in software.
  • Classic social engineering – a cracker calls up the help desk and says “I’m so-and-so and I’ve just been hired as a consultant to do so-and-so and the IT guy said call you and have an account set up, and I’m in a hurry ….” The help desk person gives the password over the phone.

  50. Social Engineering
  • Social engineering relies on the desire to be “helpful” or the desire to “stay out of trouble.”
  • Social engineering is so effective it is usually the first thing a serious cracker will try.
