Advanced Security Training for Staff Presented by Matt Langford

About me
• Matt Langford matthew.langford@unco.edu
• University of Northern Colorado CISO
• Specialties: security auditing, malware analysis and infrastructure, forensics, cyber crime investigations, security incident response, penetration testing, chemistry…?
Intro Video
Internet Safety Video
The Bear Bones
Topics for today’s presentation
• Who wants your information and why
• Common techniques to steal your information
• Defending your information on social media
• Defending yourself from social engineering
• Protecting your personal data
• Securing your environment
Who wants your information?
• Organized Crime
• Criminals
• Intelligence Organizations
• Marketers
• People with a grudge
• Local Law Enforcement
WHY!?
• Redirect illegal activity from their assets to yours.
• To sell your data
• To bulk collect your data for future purposes
• To steal your identity
• To steal your credit card information
• Because they are curious about you
• Because you are being investigated
How they get you!
• Typically they just ask you
– A phone survey
– They pretend to be someone or something they are not
• Fake authority figures
• Fake emergencies
• Fake technical support
– An email survey
– A trick email
– In person contact
– They just look it up online
More complex tricks.
• Links to malicious sites
• Links to legitimate appearing websites where you would think you are safe to give secure information.
• They listen to your electronic communications
• Malicious code
• Dumpster diving
• Theft
• Hacking
Social Media
• The majority of us use social media of one kind or another.
• Twitter, Facebook, Snapchat, LinkedIn, Pinterest, Google+, Tumblr, Instagram, Vine, etc.
• These applications are fun and keep us connected with our friends and family and help us meet new people.
Social Media Risks
• Posting personal data: Address, Phone Number
• Posting sensitive work data: What software you just had trouble with.
• Informing people about your activities and patterns: What you do on a Friday night.
• Informing people about your hobbies and interests: They know that you love to swim and listen to Kenny G.
Social Media Risks, Cont.
• Posting social relationships: That you are married
• Posting strong views: That you strongly support a political party or ideal
• Posting your responsibilities: That you are in charge of processing financial data
• Posting possible password hints: Your pet's name, your children’s birthdays, etc.
Exercise
Facebook
Do you want to know more?
https://www.facebook.com/about/basics/
I’m a social engineer
How to defend yourself from social engineering attacks.
Trust… but verify!
• If someone calls you it is OK to ask for identifying information.
– Ask them for their name, manager's name, department.
– Ask them something specific to the institution they represent.
– Ask them for a call back number.
Beware of escalation
• A person calling you to help should never escalate tension with you.
– Is the caller becoming hostile because you haven’t immediately cooperated?
– Have they threatened to go to your manager for no reason?
– Have they told you that you are violating some law?
Protect sensitive information
• You can often uncover a bad actor by the information or action they want you to take.
– If someone calls you they don’t need to connect to your computer.
– If someone calls you they don’t need sensitive computer data, like your IP address or OS.
– Do they want you to do something you don’t understand, but insist you just follow their instructions?
Don’t fall for tricks
• There are a tiny handful of times you would be redirected to ANYWHERE to enter your credentials.
– Did you click on a link that is asking for your credentials?
– Did you get an email asking to verify sensitive information or log on information?
Personal data
• Your personal information is often used to protect your sensitive data.
– Why does this person want to know your mother’s maiden name?
– Why does this person care about what school I went to in 7th grade?
• These could be your security questions on your banking website.
Think about it
• Does the request meet your expectations?
– You just got a pop up asking for your password. Is that normal?
– You got a pretty official looking email from IT about resetting your password; have you even seen that before?
– An IT person called you, but you didn’t put in any tickets. He wants to remote into your machine to “check stuff out”.
Phishing Examples
Resources
• SPAM / Phishing
– http://en.wikipedia.org/wiki/Phishing
• UNC Policies, Best Practices
– http://www.unco.edu/cybersecurity/index.asp
• Government
– http://www.dhs.gov/topic/cybersecurity
Protecting your information
• Obfuscation
• Encryption
• File Rights
Passwords
• Your first line of defense.
• No longer think of passwords; think of passphrases.
• #$46rD@! can be “cracked” in hours
• “I like to take long walks in the park.......” would take many times the duration of the existence of the universe to solve.
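The comparison above carried through as a worked estimate. This is an added example, not material from the presentation; the guessing rate (one trillion guesses per second, an offline GPU-class attacker), the 10,000-word vocabulary for the word-based model and the age of the universe are constructed assumptions for illustration.

```python
import string

# Constructed assumptions for this example (not figures from the presentation):
GUESSES_PER_SECOND = 1e12    # offline, GPU-class guessing rate
VOCABULARY_SIZE = 10_000     # words an attacker tries for each slot of a phrase
AGE_OF_UNIVERSE_S = 4.35e17  # about 13.8 billion years, in seconds

PASSWORD = "#$46rD@!"
PASSPHRASE = "I like to take long walks in the park......."


def charset_size(secret: str) -> int:
    """Alphabet a brute-forcer must cover, from the character classes actually used."""
    size = 0
    if any(c in string.ascii_lowercase for c in secret):
        size += 26
    if any(c in string.ascii_uppercase for c in secret):
        size += 26
    if any(c in string.digits for c in secret):
        size += 10
    if any(c in string.punctuation or c == " " for c in secret):
        size += 33  # 32 punctuation marks plus the space
    return size


def brute_force_guesses(secret: str) -> int:
    """Worst case for a character-by-character search: alphabet ** length."""
    return charset_size(secret) ** len(secret)


def word_model_guesses(secret: str, vocabulary: int = VOCABULARY_SIZE) -> int:
    """Fairer model for a phrase of common words: the attacker guesses whole words."""
    words = [w.strip(string.punctuation) for w in secret.split()]
    return vocabulary ** len([w for w in words if w])


def seconds_to_crack(guesses: int, rate: float = GUESSES_PER_SECOND) -> float:
    return guesses / rate


def universe_ages(seconds: float) -> float:
    return seconds / AGE_OF_UNIVERSE_S


if __name__ == "__main__":
    pw_hours = seconds_to_crack(brute_force_guesses(PASSWORD)) / 3600
    print(f"{PASSWORD!r}: {charset_size(PASSWORD)}^{len(PASSWORD)} guesses, about {pw_hours:.1f} hours")
    for name, guesses in (("character model", brute_force_guesses(PASSPHRASE)),
                          ("word model", word_model_guesses(PASSPHRASE))):
        print(f"passphrase, {name}: {universe_ages(seconds_to_crack(guesses)):.2e} universe ages")
```

The word-based model is the honest one for a phrase built from everyday words, since attackers try dictionaries rather than single letters; at this rate it still comes out millions of universe ages, while the eight-character password falls in under two hours.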
Passwords
• What’s the big deal with passwords?
A protected, rotated and good password will prevent the majority of people from accessing your physical computer and would prevent the majority of cloud hacks.
Password Management
• SplashId by SplashData
– Windows, Mac
– iOS, Android
Password Management
• Comcast Customers
– Norton Security Suite Free
Lastpass Demo
I did everything I was supposed to
• But they still got into my computer.
The second line of defense is your file permissions. We don’t typically deal with that except at the network level, but…
Obfuscation
• Aka. hiding things
Here I just want to emphasize that you shouldn’t name confidential, personal, private, or secure information as such.
• Don’t have a folder on your computer called private, secure, etc.
• Don’t have a file on your computer called passwords.
Encryption
• Encrypting your mail traffic
• Encrypting your files in transit
• Encrypting your connections
Encrypting Mail
• Mail encryption is probably most easily done by using public/private key encryption.
This is not in wide use at this time within the institution. The benefit is that the mail message cannot be read unless the interceptor has the public key.
Protecting your files in transit
• This option allows for an individual to protect files they send with a key or password.
For example, if I am sending a file over the internet but it contains something sensitive like my name, address, phone #, and social security #, I will encrypt the file before I send it.
Demonstration
7-zip demo
Encrypting your connection
Another excellent way to make sure you are protecting yourself is to encrypt your connection.
You can use an encrypting proxy.
Many sites have learned to use HTTPS.
Make sure any site where you are entering passwords or sensitive or financial data uses encryption.
Securing your environment
• Close and lock your door
• Be aware of those around you
• Be aware of the time of year
• Do not leave sensitive data unsecured
• Do not leave your password out unsecured
• Do not leave your portable electronics unsecured
Securing your environment II
• Share security related information
• Engage your coworkers about security
• Report suspicious activity or incidents
• Report losses
• Do not share your credentials
• Stay current with security concerns specific to your work or work environment.
Q&A
• What questions do you have?
• Are there topics you want to discuss?
• Can I demo something for you?
• Do you want additional training on any of the subjects covered?
• Do you want training on some other security related topic?
Useful Links
• http://www.7-zip.org/
• https://lastpass.com/
• http://pwsafe.org/
• https://blog.protonmail.ch/
• https://www.youtube.com/watch?v=NeJky05BZaY
Thank you
Matt Langford – matthew.Langford@unco.edu
www.unco.edu/cybersecurity/