EASTERN WASHINGTON UNIVERSITY. Computer Security Basics. Presented by Skye Hagen Asst Dir – Enterprise Systems QSI Presentation. Assistant Director – Enterprise Systems Work for Linda Matthias, Director Computer Security Prepare IT Security Plan for EWU DIS requirement
EASTERN WASHINGTON UNIVERSITY
Computer Security Basics
Presented by Skye Hagen, Asst Dir – Enterprise Systems
QSI Presentation

Who Am I?
- Assistant Director – Enterprise Systems
- Work for Linda Matthias, Director
- Computer Security
  - Prepare IT Security Plan for EWU
  - DIS requirement
  - Server Registration / Authorization
  - Network Security
  - Server Security

About This Presentation
- Talk about procedures and processes that will help with computer security
  - Password schemes
  - Running anti-virus software
- Not going to talk about products and how to use them
  - Not going to talk about how to configure a firewall
  - But will talk about them in general terms
- Ask questions at any time

Applicability
- Most items covered in the presentation are applicable to any computer system
  - Work
  - Home
  - Telephone (yes, it is a computer system)
  - PDA

Cast of Characters
- WA State Department of Information Services
  - DIS – Mandates that each Agency have an IT Security Plan
- Chief Information Officer
  - Pat Kelley
- Information Technology Policy Committee
  - CIO is chair
  - Made up of CIO, ACC representative and Vice Presidents

You are a Target
- Why would anyone want to break into my computer?
  - Use as a launch pad and/or for disguise
  - For the data on the system
  - For the access that the system may have to other systems

The University is a Target
- Universities are seen as ‘open’, and easy to break into
- Universities, especially libraries, may be anonymous
- Universities have fast Internet connections
- Universities have lots of confidential data, and store it for long periods of time

Current Computer Security Issues
- Denial of Service attacks
- Computer Viruses
- Phishing / Phreaking
- Spyware / Malware
- Script kiddies
- Insider theft

Denial of Service
- Flooding a computer to prevent access
  - eBay, Microsoft and Yahoo have all been brought down for several hours by denial of service attacks
  - Domain Name System (DNS) is a major concern
- Creating a fault that halts the system
  - Create a Blue Screen of Death
  - Stops system
  - Harder to trap or isolate

Denial of Service (cont’d)
- What are we doing about this at EWU?
  - Limiting bandwidth in some locations
  - Open ports in JFK Cyber Café (coming soon)
  - Limiting bandwidth to the Internet
  - Slowing down some traffic
  - Limiting bandwidth from the Internet
  - Limiting certain applications to prevent a server from being flooded

Denial of Service (cont’d)
- What can I do to safeguard my computer?
  - Directly, not much
  - Practice safe computing (I know, you came to this presentation to learn how, not to hear me state the obvious)
  - More will come

Computer Viruses
- Computer viruses have been around for a long time
- Lots of kinds of viruses
  - Worms
  - Trojan Horse
  - Lots of other technical names
- Designed to replicate and move from system to system

Famous Computer Viruses
- Morris worm
  - Exploited a known vulnerability
  - Mistake in programming caused it to spread faster than intended
  - Effect was a denial of service, affecting a large portion of the Internet
- Michelangelo virus
  - First computer virus to make national news
  - First to really make the general public aware of viruses
  - Because it had little effect, the public did not take computer viruses seriously

Computer Viruses (cont’d)
- What are we doing about this at EWU?
  - Anti-virus software is available to faculty and staff
    - Call the Service Desk (x2247) if you need a copy
  - Students may purchase anti-virus software for a very low cost at the Bookstore
  - E-mail is scanned for viruses before delivery to your Inbox

Computer Virus (cont’d)
- What can I do to safeguard my computer?
  - Do not remove or disable your anti-virus software
  - Do not prevent your anti-virus software from automatically updating itself
  - Scan unknown attachments after making sure your anti-virus software is up-to-date
  - Scan any files received via Instant Messaging before opening
  - Turn auto-preview features off in e-mail

Phishing / Phreaking
- Phishing is the term for the latest identity theft racket.
- From the AntiPhishing.org web site, “Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them.”

Phishing (cont’d)
- What are we doing about this at EWU?
  - Fortunately, most phishing e-mails are quarantined as SPAM by our anti-spam filter
  - PreciseMail

Phishing (cont’d)
- What can I do to protect myself?
  - Never reply with personal information in an e-mail, it is insecure
  - Do not use the link provided in the e-mail
  - Call the bank or retailer, using a phone number obtained from a phone book or the operator
  - Know how your bank operates
    - Bank of America sends passwords via the postal system
  - Use unique passwords for each account

Passwords, A Digression
- Currently, passwords are the most common method of authentication
- They are also the easiest to obtain and use falsely
- What is the easiest way to break into a password protected account?

How to Break a Password
- Brute force
  - Try every possible combination of characters
  - Takes a long time
- Dictionary method
  - Try dictionary words (includes common words, common misspellings, foreign dictionaries, words from films or books, and l33t sp34k)
  - Try date formats

How to Make a Good Password
- Use lots of non-repeating characters, at least 8
- Use special characters and digits
- Vary the case of letters
- Use the first letter of each word in a phrase only you would know
  - Tanstaafl – (Actually, This is a bad password!)
- Use different passwords for different systems
  - Categorize systems by criticality

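The two preceding slides, turned into a check a help desk could run against a proposed password. This is an added example, not part of the original presentation; the word list is a constructed sample, and reading "non-repeating characters, at least 8" as "at least 8 distinct characters" is an assumption.

```python
import re
import string

# Constructed sample word list; a real audit would load a large dictionary
# (common words, misspellings, foreign words, film and book terms).
WORDLIST = {"password", "dragon", "letmein", "eastern", "tanstaafl", "elite"}

# Undo common "l33t sp34k" substitutions before the dictionary lookup.
LEET = str.maketrans("013457@$", "oieastas")

# Date shapes a dictionary attack tries: 07/04/1976, 7-4-76, 19760704.
DATE_RE = re.compile(r"^(\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}|(19|20)\d{6})$")

EDGE = string.digits + string.punctuation


def audit_password(pw):
    """Return the reasons a password is weak; an empty list means it passes."""
    problems = []
    # Assumed reading of the slide: at least 8 different characters.
    if len(set(pw)) < 8:
        problems.append("fewer than 8 distinct characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("no mixed case")
    if DATE_RE.match(pw):
        problems.append("date format")
    # Dictionary method: ignore case, undo leet, and drop digits or symbols
    # tacked onto either end. Both orders are tried so that "3l1t3" and
    # "p@ssw0rd1!" are each reduced to their base word.
    low = pw.lower()
    candidates = {low.translate(LEET).strip(EDGE), low.strip(EDGE).translate(LEET)}
    if candidates & WORDLIST:
        problems.append("dictionary word")
    return problems
```

`audit_password("Tanstaafl")` reports four problems, including the dictionary match that makes a well-known acronym a poor choice even though it looks like a phrase-derived password.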
The (Perfect) Don’ts of Passwords
- Do not write your passwords down
- Do not give your passwords to anyone
- Do not store your passwords in a password manager
- Do not use the same password for multiple accounts

The Reality of Passwords
- Use unique passwords for critical systems
- If you do give your password to someone, make sure they are who they claim to be, and change it immediately afterwards
- Use the password manager for non-critical accounts
- Change your passwords often

Phishing (cont’d)
- Technology may be able to help
- Stanford University has two products that may help
  - A plug-in that will analyze a web site to see if it fits the pattern of a phishing site
  - Another plug-in that creates and encrypts a unique password for every web site, even if you enter the same word
- Still a few bugs in the system

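The idea behind the second plug-in, as an added sketch that is not the Stanford plug-in's code or algorithm: the password actually sent to a site is derived from the word you type plus the site's host name, so a look-alike host receives a different, useless value. PBKDF2-HMAC-SHA256, the iteration count, the output encoding and the sample hosts are all assumptions made for illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit


def site_password(master, url, length=16, iterations=200_000):
    """Derive a per-site password from one memorised word and the site's host."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        raise ValueError("URL has no host name")
    # The host name is the salt: the same word entered on a different host
    # produces an unrelated result. The slow key-derivation function makes it
    # expensive for a site that captured one derived password to guess the
    # word that produced it.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), host.encode(), iterations)
    return base64.urlsafe_b64encode(raw).decode()[:length]


def leaked_to_lookalike(master, real_url, fake_url):
    """True if typing the word on the fake site would reveal the real site's password."""
    return site_password(master, real_url) == site_password(master, fake_url)
```

Only the host name is used, so the derived password is the same on every page of the real site and changes as soon as the host differs by a single character.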
Spyware / Malware
- General category of obnoxious applications
- Usually installed without your knowledge
- Sometimes rides along with another application, very common with music sharing software
- Watches what you do, and may report it back to someone
- Sometimes difficult to detect and remove

Spyware / Malware (cont’d)
- Can capture keystrokes
  - Including passwords!
- Sometimes poorly written, making the system unstable
- May create pop-ups
- May be delivered via virus or spam
- Primarily a Microsoft Windows problem

Spyware / Malware (cont’d)
- What are we doing about this at EWU?
  - Microsoft critical updates include an anti-spyware search
  - Enterprise Systems recommends using the full Microsoft Giant Anti-Spyware product
    - It’s free!
  - Some trapped by anti-virus software, or quarantined by PreciseMail

Spyware / Malware (cont’d)
- What can I do to protect my computer?
  - Use an anti-spyware product routinely
  - Keep it up-to-date with the latest signatures
  - Review the license agreement of any software you download – You would be amazed at some of the things in there!

Script Kiddies
- Derogatory term for wannabe computer crackers with limited knowledge
- Use attack applications, without the underlying knowledge of how the exploit works
- Exploits known vulnerabilities, does not look for new vulnerabilities

Script Kiddies (cont’d)
- What are we doing about them at EWU?
  - Using firewalls
  - Server registration
  - Intrusion detection and prevention systems
- What about the future?
  - Researching requiring current patches and anti-virus software before allowing computers on the network
  - Patch management is a new DIS requirement

Script Kiddies (cont’d)
- What can I do to protect my computer?
  - Use a personal firewall
  - Use complex and difficult to guess passwords
  - Disable file sharing
  - Keep current on critical updates

Insiders
- Most security incidents are caused by insiders
  - People with trusted access abuse the system
  - System administrators give too much access to people
- Bank of America incident
  - Insiders selling personal financial information
- Very difficult to control

Insiders (cont’d)
- What are we doing about this at EWU?
  - Putting controls in place on sensitive data
  - Informing people of consequences
  - Auditing
  - Dividing duties
- What, no specifics? You must be kidding

Insiders (cont’d)
- What can I do to help?
  - Do not give your password to anyone
  - Do not write your password down and tape it to your monitor (or anywhere else for that matter)
  - Use a complex, difficult to guess password
  - Change your password often
  - Do not allow anyone to ‘shoulder surf’
  - Use screen saver passwords
    - This may be an administrative requirement for you

What other steps can you take?
- Back up your data
  - Viruses and script kiddies may erase files
  - A departmental server may make this easier
- Remove unused software from your system
- Do not reply to spam
- Set your time

Trends in Computer Security
- Financial institutions are heading to more complex authentication schemes
  - Multiple passwords
  - One time passwords (tokens)
- Payment card industry requiring audits and assessments of all merchants, banks, providers in order to continue taking credit cards

What are we doing at EWU?
- Education
  - QSI Presentations
  - Server and Computer Maintenance Support Group
  - Brochures (coming soon… No, really!)
  - Articles
    - Now & Next
  - Web pages (www.ewu.edu/securityawareness)
- Server registration

More EWU
- Requiring encrypted access to applications
- Looking at patch management
  - Push on a routine basis
  - Audit whenever connected to network
- More intrusion detection and prevention
- Possibly replacing dial-up access to the university with virtual private network (VPN) connections for remote access

The End?
- Questions, comments, etc.