Information Assurance @ UNM

Anderson faculty members have developed a program that is unique in the country, if not the world, with the following characteristics and benefits to students:
• An AACSB accredited program with an emphasis in the management of information security, fraud and forensic accounting, and an interdisciplinary focus on behavioral problems in protecting information.
• A designation from the National Security Agency (NSA) and the Department of Homeland Security (DHS) as a Center of Academic Excellence in IA (CAEIA).
• A partnership with the FBI and its Regional Computer Forensics Lab (RCFL), housed at UNM, through training, student internships and co-ops.
• A partnership with the Department of Energy's first satellite office for the Center for Cyber Defenders through Sandia National Laboratories.
• The Metro Law Enforcement Internship program, designed for students to work with local white collar crime units.
http://ia.mgt.unm.edu/

What is IA?
The NSA defines Information Assurance (IA) as:
– The protection of information systems against unauthorized access to, or modification of, information, whether in storage, processing or transit, and protection against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.

10 Most Dangerous Things Users Do Online
1. Opening email attachments from unknown senders.
2. Installing unauthorized applications.
3. Turning off or disabling automated security tools:
– Firewalls
– Virus updates / security updates
– Password change requests
4. Opening email (HTML or plain text) messages from unknown senders.
5. Surfing gambling, porn, or other legally risky sites.
6. Giving out passwords, tokens or smart cards.
7. Random surfing of unknown, untrusted websites.
8. Attaching to an unknown WiFi network. If you must:
– Use WPA, not WEP (WEP's encryption is broken and is cracked in minutes)
– Turn on your personal firewall
– Disable the wireless card when not in use
9. Filling out web scripts, forms or registration pages.
10. Participating in chat rooms or social networking sites.

Leading Threats to PC Security
Viruses, Worms, Trojan Horses, Spyware

Viruses/Worms: Software programs designed to invade your computer and copy, damage or delete your data. A virus attaches itself to other programs or files; a worm spreads on its own across the network.
Trojan Horses: Malware that pretends to be a program that helps you while it destroys your data and damages your computer. Unlike a virus, a Trojan does not copy itself; it relies on you to install it.
http://cnettv.cnet.com/deadliest-computer-viruses/9742-1_53-50005771.html
http://www.youtube.com/watch?v=HQU9WJKmsc4
Spyware: Software that secretly watches and records your online activities or sends you endless pop-up ads.

Online Security Versus Online Safety
Security: We must secure our computers with technology, in the same way that we secure the doors to our offices.
Safety: We must act in ways that protect us against the risks and threats that come with Internet use.

Four Steps To Protect Your Computer
1. Turn on an Internet firewall
2. Keep your operating system up to date
3. Install and maintain antivirus software
4. Install and maintain antispyware software

Keep Your Operating System Updated
• Install all security updates as soon as they are available.
• Automatic updates provide the best protection.

Install Antivirus Software
• Antivirus software can detect and destroy computer viruses before they can cause damage.
• Just like flu shots, antivirus software is only effective if you keep it up to date: it can only recognize the malware whose signatures it already has.

Install And Maintain Antispyware Software
• Use antispyware software so unknown people cannot lurk on your computer and potentially steal your information.
• Top antispyware software: Spy Sweeper, CounterSpy, STOPzilla, Malwarebytes Anti-Malware

Other Ways to Protect Your PC
• Back up your files regularly
• Read website privacy statements
• Think before you click
• Close pop-ups using the red "X"

Close Pop-ups Using the Red "X"
• Always use the red "X" in the corner of a pop-up window.
• Never click "yes," "accept" or even "cancel", because any of those buttons could be a trick that installs software on your PC.
• Be aware that a pop-up can also draw a fake "X" inside the page itself; if in doubt, close the whole browser window or tab instead.

Rogue Security Software
• "Scareware" is a new type of malicious software that pretends to protect your computer.
• Scareware has increased more than 600% in the last two years.
• Found on popular websites, YouTube, Twitter.
• Microsoft Malicious Software Removal Tool
http://news.cnet.com/8301-19518_3-10466253-238.html

USB Thumb Drives
• One of the highest security liabilities:
– Easily used for information theft
– Infections brought into networks, e.g. Trojans and viruses
– A new type of social engineering (a "lost" drive left where a curious employee will plug it in)
• Countermeasures: encryption; keep it in sight; sanitize / format before reuse

Mobile Phones & PDAs
Survey findings by Credant Technologies in the UK, from 600 commuters at London railway stations:
– 80% of phone users store information on their phone that could be used to steal their identities
– 16% store bank account information
– 24% store PINs and passwords
– 10% save credit card information
– 99% of mobile phone users use their phone for business tasks
– 40% of these users do not have any encryption or password protection

Home Network Wireless Security
5 Steps for Securing Your Wireless
Step 1: Change the router's default administrator password
Step 2: Change the default SSID and disable SSID broadcast
Step 3: Change the router's default LAN IP address setting
Step 4: Set up your router to use encryption (WPA2 where the router supports it, otherwise WPA; never WEP)
Step 5: Use the MAC address filter
Caveat: steps 2, 3 and 5 only deter casual neighbors. A hidden SSID still appears in the clear in association frames, permitted MAC addresses are visible to anyone sniffing the network and are trivially spoofed, and the LAN address is learned the moment a client connects. Step 4, with a long passphrase, is the control that actually keeps an attacker out.
http://www.youtube.com/watch?v=vCy78oss4oE

Simple Email Security
- Never assume email is secure, or that it will always reach its intended recipient
- Never send confidential information via email
- Password-protect any attachments containing sensitive information, and send the password by a different channel (for example by phone), never in the same email
- Beware of email phishing scams
- Do not open suspicious email or messages received from an unknown sender
- Scan all attachments before opening
- Do not open attachments in a message received from an unknown sender
- Do not click on links received in email messages; type the website address into your web browser
- Do not open .zip or .exe files received via email unless you know the sender and are expecting the attachment

Phishing Lures
Phishing is a type of deception designed to steal your personal information. Phishing scams turn up in various places:
• Email (friend or foe)
• Social networking websites
• Fake websites (e.g. charitable sites that accept donations)
• IM programs
• Websites that spoof familiar sites
• Cell phones & mobile devices

Spear Phishing: Do you think you are safe?
• Experiments show a success rate of over 70% for phishing attacks on social networks.
• In a June 2004 experiment with spear phishing, 80% of 500 West Point cadets who were sent a fake e-mail were tricked into revealing personal information.
http://online.wsj.com/public/article/SB112424042313615131z_8jLB2WkfcVtgdAWf6LRh733sg_20060817.html?mod=blogs

Good advice
• No company will ever try to verify your info from an email!
• If you are unsure, contact the company to make sure the email is legit, using a phone number or address you already have rather than one taken from the email.

How fast will you get hacked? Strong passwords are a must
Worst-case time to try every possible password of a given length. The figures correspond to an attacker making about one million guesses per second, with "All Characters" meaning the 95 printable ASCII characters and "Only Lowercase" meaning a-z:

Password Length   All Characters            Only Lowercase
3                 0.86 seconds              0.02 seconds
4                 1.36 minutes              0.46 seconds
5                 2.15 hours                11.9 seconds
6                 8.51 days                 5.15 minutes
7                 2.21 years                2.23 hours
8                 2.10 centuries            2.42 days
9                 20 millennia              2.07 months
10                1,899 millennia           4.48 years
11                180,365 millennia         1.16 centuries
12                17,184,705 millennia      3.03 millennia
13                1,627,797,06 millennia    78.7 millennia

Rockyou.com top 20

Here are some password tips:
• Randomly substitute numbers or symbols for letters that look similar. The letter 'o' becomes the number '0', or even better an '@' or '*' (e.g. m0d3ltf0rd for "modelTford"). Keep in mind that the usual substitutions (0 for o, 3 for e, @ for a) are built into password-cracking rule sets, so they add far less than extra length does.
• Whenever possible, use at least 14 characters.
• Randomly throw in capital letters (e.g. Mod3lTF0rd).
• Think of something you were attached to when you were younger, but DON'T CHOOSE A PERSON'S NAME! Every name, plus every word in the dictionary, will fall to a simple dictionary attack.
• Maybe your favorite vacation spot, a specific car, an attraction from a vacation, or a favorite restaurant?
• You really need different username / password combinations for everything. Remember, the attacker's technique is to break into anything you access just to learn your standard password, then compromise everything else. This doesn't work if you don't reuse the same password everywhere.

Hacker Croll
• Built a profile of Twitter by using info freely available on the Web.
• Exploited the password reset feature in Gmail.
• Exploited the Hotmail "feature" of deleting inactive email accounts.
• Exploited human security mistakes.
http://news.softpedia.com/news/Social-Engineering-Used-to-Compromise-Twitter-117172.shtml

Creating a password exercise
1. Think of a sentence that you can remember. This will be the basis of your strong password. Use a memorable sentence, such as "May the force be with you."
2. Convert it to a password. Take the first letter of each word of the sentence you've created to make a new word. Using the example above, you'd get: mtfbwy
3. Add complexity by mixing uppercase and lowercase letters and numbers. For example, from the above: MtFbWU
4. Finally, substitute some special characters. You can use symbols that look like letters, combine words (remove spaces) and other tricks to make the password more complex. Using these tricks, turn the phrase "You talking to me?" into "Uta!k!ng2Me?"

Questions?
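The crack-time table and the sentence-to-password exercise above, carried through in code. This is an added example and not part of the original slides: it assumes, as the table's figures imply, an attacker making one million guesses per second, 95 printable ASCII characters for "All Characters" and 26 for "Only Lowercase"; it implements the exercise's four steps with a fixed look-alike substitution set (a, e, i, o, s to @, 3, !, 0, $) chosen here for illustration, and the function names are likewise this example's own.

```python
"""Added example: reproduce the slide's crack-time table and the
sentence-to-password exercise, then compare a short mnemonic password
against the long sentence it was made from.

Assumptions not stated on the slide: "All Characters" means the 95
printable ASCII characters, "Only Lowercase" means a-z, and the attacker
tries 1,000,000 guesses per second. These reproduce every table cell.
"""
import math
from typing import Dict, Tuple

LOWERCASE = 26
PRINTABLE_ASCII = 95          # assumption, see module docstring
GUESSES_PER_SECOND = 1e6      # assumption, see module docstring

# Unit sizes in seconds, smallest to largest; a month is 365/12 days.
UNITS = [
    ("seconds", 1.0),
    ("minutes", 60.0),
    ("hours", 3600.0),
    ("days", 86400.0),
    ("months", 86400.0 * 365 / 12),
    ("years", 86400.0 * 365),
    ("centuries", 86400.0 * 365 * 100),
    ("millennia", 86400.0 * 365 * 1000),
]


def crack_seconds(alphabet_size: int, length: int,
                  guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string of `length` symbols."""
    return alphabet_size ** length / guesses_per_second


def human_time(seconds: float) -> str:
    """Express a duration in the largest unit that leaves a value >= 1."""
    name, size = UNITS[0]
    for unit_name, unit_size in UNITS:
        if seconds >= unit_size:
            name, size = unit_name, unit_size
    return f"{seconds / size:.3g} {name}"


def crack_time_table(lengths=range(3, 14)) -> Dict[int, Tuple[str, str]]:
    """Length -> (all characters, only lowercase), as on the slide."""
    return {n: (human_time(crack_seconds(PRINTABLE_ASCII, n)),
                human_time(crack_seconds(LOWERCASE, n))) for n in lengths}


# Look-alike substitutions chosen for this example (applied to lowercase
# letters only, so the alternating capitals from step 3 survive).
LOOKALIKES = {"a": "@", "e": "3", "i": "!", "o": "0", "s": "$"}


def mnemonic_password(sentence: str) -> str:
    """Steps 1-4 of the exercise: first letter of each word, alternate
    upper/lower case, swap lowercase letters for look-alike symbols, and
    keep a closing '?' or '!' as one more character."""
    words = [w.strip(".,;:'\"?!") for w in sentence.split()]
    initials = [w[0] for w in words if w]
    cased = [c.upper() if i % 2 == 0 else c.lower()
             for i, c in enumerate(initials)]
    swapped = "".join(LOOKALIKES.get(c, c) for c in cased)
    tail = sentence[-1] if sentence.endswith(("?", "!")) else ""
    return swapped + tail


def estimate(password: str,
             alphabet_size: int = PRINTABLE_ASCII) -> Tuple[float, str]:
    """(bits of keyspace, worst-case crack time) for a password of this
    length drawn from `alphabet_size` symbols."""
    bits = len(password) * math.log2(alphabet_size)
    return bits, human_time(crack_seconds(alphabet_size, len(password)))


if __name__ == "__main__":
    print("len  all characters          only lowercase")
    for n, (everything, lowercase) in crack_time_table().items():
        print(f"{n:3d}  {everything:<22}  {lowercase:<18}")
    sentence = "May the force be with you"
    for candidate in (mnemonic_password(sentence), sentence):
        bits, when = estimate(candidate)
        print(f"{candidate!r}: {len(candidate)} chars, {bits:.0f} bits, {when}")
```

Running the script prints the table and then shows that the six-character mnemonic "MtFbWy" falls in about eight days at one million guesses per second, while the 25-character sentence it came from is out of reach at any rate; that gap is the reason behind the "at least 14 characters" tip.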