
TOP TEN (10) Security Tips

Simple ways to make security easier. TOP TEN (10) Security Tips. Karen McDowell, Ph.D., GCIH, Information Security, Policy, and Records Office. Office Technology Conference 2010.


Presentation Transcript


  1. Simple ways to make security easier: TOP TEN (10) Security Tips
  Karen McDowell, Ph.D., GCIH
  Information Security, Policy, and Records Office
  Office Technology Conference 2010

  2. Security Tip #1
  • Don’t click on unsolicited email messages
  • If in doubt, telephone the sender
  • Use the 800 number on the back of your credit or debit card
  • Check the UVa Security and Suspicious Alerts Page (updated hourly if necessary)

  3. Courtesy of Yale University

  4. Old-Fashioned Trickery or Social Engineering
  How shall I trick you? Let me count the ways!
  • Phishing
  • Spear-phishing
  • Vishing

  5. How Do I Identify a Phishing Message?
  • Unsolicited – no reputable financial institution will ask for your personally identifiable information (PII); if someone asks, suspect trouble
  • Timing is a clue, though not always
  • Words or tone of urgency
  • The web page or email message mimics a legitimate commercial or social networking site in almost every detail

  6. Phishing with Masked Web Address
  • If you clicked on this link, you went to http://www.virginia.vbedu.net/info/v/

  7. Courtesy of Yale University

  8. Spear Phishing Most Dangerous
  • Spear phishing is a highly targeted attack directed at specific groups
  • Addresses members by first name
  • Conveys a tone of intimacy
  • Spear phishers also create fake social networking login pages to lure us into sites where we routinely enter PII (personally identifiable information)
  • Spear phishers have lately been tricking Fortune 500 senior execs who play Farmville

  9. Spear Phishing Message
  Attached document contained malware!

  10. Phishing with Masked Web Address
  • If you clicked on the URL below, you went to xxx@bongfaschist.de

  11. http://fret.bio.virginia.edu/icons/ii.html

  12. Why Spear Phishing Works
  • Success relies upon the details used:
  • Apparent source is a known, trusted individual, like HR or IT staff
  • Message information supports its validity
  • Request has a logical basis
  • Any time you see anything you think is suspicious, go to the Alerts page at UVa and check whether it has been posted: http://itc.virginia.edu/security/alerts
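The masked-address slides (6, 10 and 11) turn on one fact about how browsers read a link: in `http://www.virginia.edu@bongfaschist.de/`, everything before the `@` is "userinfo" and is ignored for routing, so the request goes to bongfaschist.de; likewise `www.virginia.vbedu.net` is registered under vbedu.net, not virginia.edu. The following Python is an added example, not material from the presentation, showing how a help desk or mail filter can unmask a link's real destination and apply the phishing cues from slides 5 and 12 (urgency wording, requests for PII, link text that differs from the link target). The trusted-domain list, the wordlists and the sample message are constructed for illustration; the sample's `@`-style link is my reconstruction of what "xxx@bongfaschist.de" refers to, not the slide's actual link.

```python
"""Unmask where a link really goes and score a message for phishing cues.

Added example; not from the presentation. All sample data is constructed.
"""
import re
from urllib.parse import urlsplit

# Domains the reader's institution actually uses (constructed assumption).
TRUSTED_DOMAINS = {"virginia.edu"}

# Wording the slides associate with phishing: urgency and requests for PII.
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "suspended", "verify your account")
PII_WORDS = ("password", "social security number", "account number")

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Last two labels of a hostname ('www.virginia.vbedu.net' -> 'vbedu.net').

    Adequate for .edu/.com/.net/.de; hosts like 'example.co.uk' would need the
    public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def reveal_destination(url):
    """Return (real_host, reasons) for a URL.

    The request is sent to the host after the last '@' in the authority part;
    text before it is userinfo and plays no part in routing (RFC 3986 section 3.2).
    A trusted name placed before '@', or used as a subdomain of an unrelated
    domain, is reported as a masking cue.
    """
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()
    real_domain = registrable_domain(real_host)
    reasons = []
    if parts.username is not None:
        reasons.append(f"text before '@' ('{parts.username}') is ignored; request goes to {real_host}")
    if real_domain not in TRUSTED_DOMAINS:
        authority = url.lower().split("://", 1)[-1].split("/", 1)[0]
        for trusted in TRUSTED_DOMAINS:
            label = trusted.split(".")[0]
            if label in authority:
                reasons.append(f"'{label}' appears in the link but the real domain is {real_domain}")
    return real_host, reasons


def extract_links(body):
    """Return (href, shown_text) pairs; bare URLs have shown_text == href."""
    links = [(m.group(1), m.group(2).strip()) for m in ANCHOR_RE.finditer(body)]
    stripped = ANCHOR_RE.sub(" ", body)  # avoid matching anchor contents twice
    links += [(m.group(0), m.group(0)) for m in URL_RE.finditer(stripped)]
    return links


def triage_message(body):
    """Return human-readable findings for one message body."""
    findings = []
    lowered = body.lower()
    findings += [f"urgency wording: '{w}'" for w in URGENCY_WORDS if w in lowered]
    findings += [f"asks for PII: '{w}'" for w in PII_WORDS if w in lowered]
    for href, shown in extract_links(body):
        host, reasons = reveal_destination(href)
        if shown != href and URL_RE.fullmatch(shown):
            shown_host = (urlsplit(shown).hostname or "").lower()
            if shown_host != host:
                reasons.append(f"link text shows {shown_host} but goes to {host}")
        findings += reasons
    return findings


# Constructed sample message combining the cues from the slides.
SAMPLE_MESSAGE = """\
From: UVa Help Desk <helpdesk@virginia.edu>
Subject: Action required: account suspended

Your mailbox will be suspended within 24 hours unless you verify your account.
Log in here with your password:
<a href="http://www.virginia.edu@bongfaschist.de/login">http://fret.bio.virginia.edu/icons/ii.html</a>
Or use our mirror: http://www.virginia.vbedu.net/info/v/
Official help: http://itc.virginia.edu/security/alerts
"""

if __name__ == "__main__":
    for finding in triage_message(SAMPLE_MESSAGE):
        print("-", finding)
```

Run stand-alone, the script lists the urgency phrases, the password request, both masked links with their true hosts, and the text/target mismatch, while the genuine itc.virginia.edu link produces no finding.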

  13. Courtesy of Yale University

  14. Security Tip #2
  • Prepare for Rogue Antivirus, so you know what to do if it hits you

  15. Fake (Rogue) Antivirus Courtesy of Indiana University

  16. RAV: Social Engineering Plague
  • Rogue Antivirus popups appear to be authentic copies of legitimate Windows screens
  • RAV tricks users into thinking their computer is infected with viruses
  • Offers antivirus to help them clean it
  • Aggressive use of spam, online ads, and schemes to manipulate search engine results to infect Web users searching for trends, like celebrity foibles, big breaking news, etc.
  http://gadgetwise.blogs.nytimes.com/2010/04/15/threat-of-fake-anti-virus-software-grows/

  17. What You Can Do
  • Install and run Malwarebytes (licensed for home computers only)
  • Stop using the computer immediately
  • Don’t click on any popups!
  • Turn off wireless, or pull the high-speed line out of the back
  • This is why we back up often

  18. Security Tip #3
  • Avoid wireless hotspots, or modify your computer use if you use them
  • Don’t do anything that requires a password
  • Don’t log in to your bank or email

  19. The Evil Twin: Wireless Insecurity
  • Home-made wireless access points masquerade as legitimate hot spots
  • Fairly easy to create an evil twin with a laptop

  20. Security Tip #4
  • Use social networking sites like Facebook, LinkedIn, and Twitter very carefully

  21. Facebook Security Issues
  • Social network du jour
  • Attackers go where we go
  • Facebook has more members than the population of the USA
  • Weak passwords or passphrases
  • Don’t use third-party applications
  • Check for mis-configured or unused privacy settings

  22. Facebook Instant Personalization
  Reports that Facebook has once again compromised users’ privacy settings, not only by making the process more complex but by making it an opt-out process instead of opt-in. Don’t post any information on your blog or Facebook, like announcing you are going on vacation, that could be used by identity thieves to target you, your family or friends, or UVa.
  ZDNet, 25 May 2010

  23. Rogue Antivirus and Twitter
  • Twitter hit with rogue anti-virus scam
  • Flurry of tweets directed users to a website promising "Best Video"
  • Appeared to offer content from YouTube, but delivered a document infecting those using vulnerable versions of Adobe’s Reader program
  • Victims then received an urgent warning that their systems were infected and needed fraudulent security software cleaning
  theregister.co.uk, 6/2009

  24. Twitter Security Issues
  • Link shorteners like TinyURL lead users to unknown destinations, though there’s a fix for this
  • Vulnerable to phishing attacks
  • Users unwittingly give their passwords to third-party applications
  • Phishers use Twitter (May 2009)
  • Bogus accounts of “hot” women
  • Tiny URLs obfuscated real sites
  gadgetwise.blogs.nytimes.com, 5/2009

  25. Security Tip #5: Protect Smart Phones
  • Passcode
    • Enable at least 4 digits, but this also depends upon IT policies
    • Exceeding the number of allowed password attempts deletes all data
  • Auto-Lock
    • Locks the screen after a pre-set period of non-use (consider 30 minutes or less)
    • Passcode-lock enhances auto-lock
    • By itself not exactly a security feature, but combined with passcode protection it’s essential security

  26. Security Tip #6
  • Use strong passwords, or
  • Try a passphrase if it is easier for you to remember

  27. Create Strong Passwords
  • A 10-character password is not as hard to remember as you think
  • Make up a unique sentence, and use the first letter of each word in the sentence
  • Mix up the capitalization, and add a digit or punctuation mark somewhere
  • A sentence unique to you might be “My Chevy’s front muffler leaks too much”, giving the password “MCfml,t3m”
  • But don’t accidentally create a word, as in “How older US educators sit” for the password “HoUSes”

  28. Courtesy of Indiana University

  29. Passphrases are just words
  • Easy to remember
  • “Mysonjusthitmefor1200dollars”
  • “AvoidworkonMondaysifyoucan”
  • Avoid famous sayings or quotes like “give me liberty or give me death", “to be or not to be", or "four score and seven years ago", etc., because attackers make lists of these
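Slides 27 and 29 describe a recipe (first letter of each word, mixed case, a digit or punctuation mark added) and two pitfalls (the initials accidentally spelling a word, and a passphrase that is a famous quote). The Python below is an added example, not from the presentation, that carries the slide's own sentences through the recipe and runs both checks. Note that the slide's "HoUSes" keeps both letters of the acronym "US", so the helper keeps all-caps words whole; the word list and quote list are tiny constructed stand-ins for the dictionaries and quote collections a real checker would load.

```python
"""Derive a password from a sentence as the slide describes, then check it.

Added example; not from the presentation. Word and quote lists are constructed.
"""
import re
import string

# Constructed stand-in for a dictionary word list.
COMMON_WORDS = {"houses", "house", "mouse", "liberty", "password"}

# Constructed stand-in for the quote lists the slide says attackers compile.
FAMOUS_QUOTES = [
    "give me liberty or give me death",
    "to be or not to be",
    "four score and seven years ago",
]


def initials_password(sentence):
    """First letter of each word, keeping the writer's capitalisation.

    All-caps words of two or more letters (acronyms such as 'US') are kept whole,
    which is how the slide gets 'HoUSes' from 'How older US educators sit'.
    """
    words = re.findall(r"[A-Za-z0-9']+", sentence)
    return "".join(w if (w.isupper() and len(w) > 1) else w[0] for w in words)


def decorate(initials, insertions):
    """Insert (position, character) pairs into the initials, e.g. a digit and a comma.

    Positions refer to the original string; insertions are applied from the end so
    earlier positions are not shifted.
    """
    result = initials
    for pos, ch in sorted(insertions, reverse=True):
        result = result[:pos] + ch + result[pos:]
    return result


def _normalise(text):
    """Lower-case and drop everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def spells_a_word(password):
    """True when the letters of the password, case-folded, form a dictionary word."""
    return re.sub(r"[^a-z]", "", password.lower()) in COMMON_WORDS


def check_password(password):
    """Return a list of problems with a password built by the slide's recipe."""
    issues = []
    if spells_a_word(password):
        issues.append(f"spells the word '{re.sub(r'[^a-z]', '', password.lower())}'")
    has_digit = any(c.isdigit() for c in password)
    has_punct = any(c in string.punctuation for c in password)
    if not (has_digit or has_punct):
        issues.append("add a digit or punctuation mark")
    if password.lower() == password or password.upper() == password:
        issues.append("mix upper and lower case")
    return issues


def passphrase_is_famous(passphrase):
    """True when the passphrase contains a well-known quote (spacing/case ignored)."""
    norm = _normalise(passphrase)
    return any(_normalise(q) in norm for q in FAMOUS_QUOTES)


if __name__ == "__main__":
    base = initials_password("My Chevy's front muffler leaks too much")  # MCfmltm
    pw = decorate(base, [(5, ","), (6, "3")])                            # MCfml,t3m
    print(pw, check_password(pw))
    bad = initials_password("How older US educators sit")                # HoUSes
    print(bad, check_password(bad))
    for phrase in ("Mysonjusthitmefor1200dollars", "GiveMeLibertyOrGiveMeDeath"):
        print(phrase, "famous quote" if passphrase_is_famous(phrase) else "ok")
```

The quote check normalises away spaces, case and punctuation before comparing, because that is exactly how a passphrase like "AvoidworkonMondaysifyoucan" is written; comparing raw strings would let "GiveMeLibertyOrGiveMeDeath" slip past.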

  30. Courtesy of Indiana University

  31. Security Tip #7
  • Update, update, update!
  • Backup, backup, backup!

  32. Update, Update, Update
  • Secunia.com (home use only)
  • Macintosh Security Update
  • Microsoft Automatic Update

  33. Backup, Backup, Backup
  • Home Directory
  • External hard drive
    • These mechanical systems can fail!
  • Memory stick
    • Only for short-term storage
  • Drag and drop action

  34. Security Tip #8
  • Check your free annual credit report at http://annualcreditreport.com
  • Not freecreditreport.com
  • Pull down your credit history, and see what accounts have been opened in your name
  • Check personal data for accuracy
  • You will not receive a credit score unless you pay for it

  35. Security Tip #9
  • Stay on Main Street when using the Internet
  • Don’t go down any dark alleys
  • What’s a dark alley on the Internet?

  36. Security Tip #10
  • Apply the same common sense rules you use in the real world to protect institutional and personal data
  • Ask Ben Bernanke’s wife
  • Regularly check your computer for sensitive data (back up or remove files)
  • Use Secure Deletion Shredder
  • Use Identity Finder at work
