Advanced Security Training for Staff
Presented by Matt Langford

About me
• Matt Langford, matthew.langford@unco.edu
• University of Northern Colorado CISO
• Specialties: security auditing, malware analysis and infrastructure, forensics, cyber crime investigations, security incident response, penetration testing, chemistry…?

Intro Video
Internet Safety Video

The Bear Bones
Topics for today's presentation
• Who wants your information and why
• Common techniques to steal your information
• Defending your information on social media
• Defending yourself from social engineering
• Protecting your personal data
• Securing your environment

Who wants your information?
• Organized Crime
• Criminals
• Intelligence Organizations
• Marketers
• People with a grudge
• Local Law Enforcement

WHY!?
• To redirect illegal activity from their assets to yours
• To sell your data
• To bulk collect your data for future purposes
• To steal your identity
• To steal your credit card information
• Because they are curious about you
• Because you are being investigated

How they get you!
• Typically they just ask you
  – A phone survey
  – They pretend to be someone or something they are not
    • Fake authority figures
    • Fake emergencies
    • Fake technical support
  – An email survey
  – A trick email
  – In-person contact
  – They just look it up online

More complex tricks
• Links to malicious sites
• Links to legitimate-looking websites where you would think you are safe to give secure information
• They listen to your electronic communications
• Malicious code
• Dumpster diving
• Theft
• Hacking

Social Media
• The majority of us use social media of one kind or another.
• Twitter, Facebook, Snapchat, LinkedIn, Pinterest, Google+, Tumblr, Instagram, Vine, etc.
• These applications are fun, keep us connected with our friends and family, and help us meet new people.

Social Media Risks
• Posting personal data: address, phone number
• Posting sensitive work data: what software you just had trouble with
• Informing people about your activities and patterns: what you do on a Friday night
• Informing people about your hobbies and interests: they know that you love to swim and listen to Kenny G

Social Media Risks, Cont.
• Posting social relationships: that you are married
• Posting strong views: that you strongly support a political party or ideal
• Posting your responsibilities: that you are in charge of processing financial data
• Posting possible password hints: your pet's name, your children's birthdays, etc.

Exercise: Facebook
Do you want to know more? https://www.facebook.com/about/basics/

I'm a social engineer
How to defend yourself from social engineering attacks.

Trust… but verify!
• If someone calls you, it is OK to ask for identifying information.
  – Ask them for their name, manager's name, and department.
  – Ask them something specific to the institution they represent.
  – Ask them for a call-back number.

Beware of escalation
• A person calling to help you should never escalate tension with you.
  – Is the caller becoming hostile because you haven't immediately cooperated?
  – Have they threatened to go to your manager for no reason?
  – Have they told you that you are violating some law?

Protect sensitive information
• You can often uncover a bad actor by the information they want or the action they want you to take.
  – If someone calls you, they don't need to connect to your computer.
  – If someone calls you, they don't need sensitive computer data like your IP address or OS.
  – Do they want you to do something you don't understand, but insist you just follow their instructions?

Don't fall for tricks
• There are only a tiny handful of times you would be redirected ANYWHERE to enter your credentials.
  – Did you click on a link that is asking for your credentials?
  – Did you get an email asking you to verify sensitive information or log-on information?

Personal data
• Your personal information is often used to protect your sensitive data.
  – Why does this person want to know your mother's maiden name?
  – Why does this person care about what school you went to in 7th grade?
• These could be your security questions on your banking website.

Think about it
• Does the request meet your expectations?
  – You just got a pop-up asking for your password. Is that normal?
  – You got a pretty official-looking email from IT about resetting your password. Have you ever seen that before?
  – An IT person called you, but you didn't put in any tickets. He wants to remote into your machine to "check stuff out".

Phishing Examples
Phishing Example
Phishing Example
Phishing Example

Resources
• SPAM / Phishing
  – http://en.wikipedia.org/wiki/Phishing
• UNC Policies, Best Practices
  – http://www.unco.edu/cybersecurity/index.asp
• Government
  – http://www.dhs.gov/topic/cybersecurity

Protecting your information
• Obfuscation
• Encryption
• File Rights

Passwords
• Your first line of defense.
• No longer think of passwords; think of passphrases.
• #$46rD@! can be "cracked" in hours.
• "I like to take long walks in the park......." would take many times the age of the universe to solve.

Passwords
• What's the big deal with passwords? A protected, rotated and good password will prevent the majority of people from accessing your physical computer and would prevent the majority of cloud hacks.

Password Management
• SplashID by SplashData
  – Windows, Mac
  – iOS, Android

Password Management
• Comcast customers: Norton Security Suite (free)

LastPass Demo
LastPass

I did everything I was supposed to
• But they still got into my computer. The second line of defense is your file permissions. We don't typically deal with that except at the network level, but…

Obfuscation
• a.k.a. hiding things. Here I just want to emphasize that you shouldn't name confidential, personal, private, or secure information as such.
• Don't have a folder on your computer called private, secure, etc.
• Don't have a file on your computer called passwords.
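The hours-versus-age-of-the-universe comparison on the Passwords slide comes from the size of the search space a brute-force attacker has to cover. As an added example (not part of the original deck), the Python below estimates that for both passwords from the slide; the two guess rates are assumed figures for illustration, not measurements.

```python
import string

# Assumed guess rates for illustration only: a rate-limited online login
# form versus an offline attack on a leaked, fast, unsalted hash.
GUESS_RATES = {"online form": 1e3, "offline fast hash": 1e10}

SHORT = "#$46rD@!"                                             # from the slide
PASSPHRASE = "I like to take long walks in the park......."    # from the slide

# Character classes a brute-force search must include once the password
# uses any character from them (space is counted with the symbols).
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
)


def charset_size(password: str) -> int:
    """Alphabet size: the sum of every class the password draws from."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Candidates an exhaustive search must try in the worst case."""
    return charset_size(password) ** len(password)


def crack_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace (expected time is half of it)."""
    return keyspace(password) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render seconds in the largest convenient unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Caveat: this models character-by-character guessing. A wordlist attack
    # treats whole words as symbols, so a passphrase should not be a famous quote.
    for pw in (SHORT, PASSPHRASE):
        print(f"{pw!r}: {len(pw)} chars, alphabet {charset_size(pw)}")
        for label, rate in GUESS_RATES.items():
            print(f"  {label:>18}: {humanize(crack_seconds(pw, rate))}")
```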
Encryption
• Encrypting your mail traffic
• Encrypting your files in transit
• Encrypting your connections

Encrypting Mail
• Mail encryption is probably most easily done by using public/private key encryption. This is not in wide use at this time within the institution. The benefit is that the mail message cannot be read unless the interceptor has the public key.

Protecting your files in transit
• This option allows an individual to protect files they send with a key or password. For example, if I am sending a file over the internet and it contains something sensitive like my name, address, phone #, and social security #, I will encrypt the file before I send it.

Demonstration
7-Zip demo

Encrypting your connection
• Another excellent way to make sure you are protecting yourself is to encrypt your connection.
• You can use an encrypting proxy.
• Many sites have learned to use HTTPS.
• Make sure the site where you are entering passwords or sensitive or financial data uses encryption.

Securing your environment
• Close and lock your door
• Be aware of those around you
• Be aware of the time of year
• Do not leave sensitive data unsecured
• Do not leave your password out unsecured
• Do not leave your portable electronics unsecured

Securing your environment II
• Share security-related information
• Engage your coworkers about security
• Report suspicious activity or incidents
• Report losses
• Do not share your credentials
• Stay current with security concerns specific to your work or work environment

Q&A
• What questions do you have?
• Are there topics you want to discuss?
• Can I demo something for you?
• Do you want additional training on any of the subjects covered?
• Do you want training on some other security-related topic?

Useful Links
• http://www.7-zip.org/
• https://lastpass.com/
• http://pwsafe.org/
• https://blog.protonmail.ch/
• https://www.youtube.com/watch?v=NeJky05BZaY

Thank you
Matt Langford – matthew.langford@unco.edu
www.unco.edu/cybersecurity/
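The "Encrypting your connection" slide asks you to make sure a site uses encryption before entering passwords or financial data. As an added example (not part of the original deck), the Python below applies that rule to a URL and, for a real host, completes a TLS handshake with the system trust store, which fails when the certificate is untrusted or does not match the host name, the same condition behind a browser's padlock warning. `bank.example` is a constructed sample host; `www.unco.edu` is taken from the deck's closing slide.

```python
import socket
import ssl
from urllib.parse import urlsplit


def ok_to_submit(url: str) -> tuple[bool, str]:
    """Policy check before typing credentials or financial data into a page."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, (f"scheme is {parts.scheme or 'missing'!r}, not https: "
                       "anything you type would travel in the clear")
    if not parts.hostname:
        return False, "no host name in URL"
    return True, "https: traffic is encrypted if the certificate validates"


def tls_summary(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Real handshake; raises ssl.SSLCertVerificationError on an untrusted,
    expired or mismatched certificate instead of silently continuing."""
    ctx = ssl.create_default_context()  # verifies chain and host name by default
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    # Constructed sample URLs: one plain-http login page, one https page.
    for url in ("http://bank.example/login", "https://www.unco.edu/"):
        ok, why = ok_to_submit(url)
        print(url, "->", "OK" if ok else "STOP", "|", why)
    # Live handshake (needs network access).
    try:
        print(tls_summary("www.unco.edu"))
    except OSError as exc:  # ssl errors are OSError subclasses
        print("handshake failed:", exc)
```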