License

1
License to Steal
Cheri Darling Senior Support Systems Analyst Risk
Management Safety
Kelley Bogart, CISSP Sr. Information Security
Specialist University Information Security Office
2
Agenda

• Threats and Statistics
• Whats Wrong With This Picture?
• Use of Personal / Confidential Data
• Physical Security
• Technology
• Limiting Access to your computer and data
• Download Rules

3
Information Security
90
10
4
Employees _at_ Risk

• The Security Softie
• The Gadget Geek
• The Squatter
• The Saboteur

5
Insider Threat Statistics

• One in five workers (21) let family and friends
  use company laptops and PCs to access the
  Internet.
• More than half (51) connect their own devices or
  gadgets to their work PC.
• A quarter of these do so every day.
• Around 60 admit to storing personal content on
  their work PC.

6
MORE Insider Threat Statistics

• One in ten confessed to downloading content at
  work they shouldn't.
• Two thirds (62) admitted they have a very
  limited knowledge of IT Security.
• More than half (51) had no idea how to update
  the anti-virus protection on their company PC.
• Five percent say they have accessed areas of
  their IT system they shouldn't have.

7
Social Engineering
The practice of obtaining confidential
information by manipulation of legitimate users.
A social engineer will commonly use the telephone
or Internet to trick people into revealing
sensitive information or getting them to do
something that is against typical policies.

• Social engineering preys on qualities of human
  nature
• the desire to be helpful
• the tendency to trust people
• the fear of getting into trouble

8
Latest Phishing Attempts
9
Latest Phishing Attempts
10
Whats Wrong With This Picture?
11
Whats Wrong with This Picture?
12
Items Left on the Desk
13
Exposure beyond the Desk
14
Computer Exposure
15
Around the Office Spatial Misconfigurations
16
Personal / Confidential Information

• Electronic and Paper Data
• Know where you use it
• Access
• Store
• Securely dispose of
• Hard copies
• Deleting files
• CDs and Floppies
• Securely transmit it
• Network you are on
• Instant Messaging (IM)
• Emails

17
Physical Security

• Lock
• Office Doors
• Filing Cabinets
• Location
• Printers
• Fax Machines
• Building Access
• Tailgating
• Piggy backing

18
Technology

• Operating System Patches
• Updates
• Required Restart
• Anti-Virus
• Installed
• Configured
• Running

19
Limit Access

• Limit access to your computer
• Lock or logoff of your workstation
• µ enter
• Windows Key l key
• Password Protected Screensaver
• Limit Use of Privileged Account

20
Passwords

• Passwords are the keys to many things your bank
  account, your computer, your email, a server on a
  network.
• Your password gives others the power to
• access your account (financial, email, etc)
• modify or destroy your files
• send malicious e-mail such as spam or threats in
  your name
• commit fraud while masquerading as you
• use your computer to distribute illegally files
  such as movies, songs or worse (child
  pornography)

21
Password Dos

• Use Strong Passwords
• Change default passwords
• Change passwords that you suspect may have been
  compromised
• If the service provides a Logout feature, use it.
• Use only secure programs that protect both your
  password and your data such as SSH Secure Shell
  (Windows) or Fugu (Macintosh) when connecting to
  the UA computing environment.

22
Password Donts

• Do not store them in obvious places
• Do not let anyone observe you entering it
• Do not share your password
• Do not reveal a password
• on questionnaires or security forms
• to anyone over the phone, e-mail, or IM
• Do not use the Remember Password" feature of
  applications
• Do not use same password for different
  servers/services
• Do not use written examples of passwords

23
Password Construction

• Strong Passwords
• Have at least 8 characters long (more is better)
• Are not a single word found in any dictionary
• Include both upper lowercase, at least 1
  special character a number

24
Password Construction

• Ways to create them
• Vanity Plate
• Title of movie, song or book
• Compound words with special char number
• Type a sentence of use

W!ldKatz
passwordsareapain
25
Wireless _at_ Home Home Computers used to access
University Computers and Data

• Change default admin username and password
• Configure to use encryption (avoid WEP, use WPA
  or WPA2)
• Do not Broadcast SSID
• Use UA site licensed VPN client to connect to
  University Systems and Services
• Ask your computer savvy friend to help you
  configure your home wireless to use encryption

26
Use of Open Access Wireless

• Other
• Airports
• Hotels
• Conferences
• Free WiFi Hotspots
• Coffee Shops
• Bookstores

27
Wireless - Other

• Limit what you do when connected
• Do not access anything sensitive unless the
  website is secure

28
Download Rules

• Only download what you trust, and even then be
  wary!
• Know with whom you are doing business
• Dont take downloads from strangers
• What else are you getting with the free stuff
• free music file sharing programs are wide
  open doors for hackers
• Limit what you download to your computer

29
SURF SAFER w/SITEADVISOR
http//www.siteadvisor.com/
30
www.siteadvisor.com
31
A Closer Look _at_ EULAs

• Read Carefully
• Understand what you are agreeing to
• Do not agree to questionable activities

Spyware Guide EULA Analyzer by FaceTime Security
Labs http//www.spywareguide.com/analyze/index.php
EULAlyzer by Javacool Software http//www.javaco
olsoftware.com/eulalyzer.html
32
EULA Examples
33
General Awareness Sessions

• ANTIVIRUS IS NOT ENOUGH  Securing Home Computers
  
• LICENSE TO STEAL  What Your IT Staff CAN'T Do
  For You  
• FROM RUSSIA WITHOUT LOVE  Identity Theft
  Phishing  
• SPY ANOTHER DAY  Botnets and Spyware  
• NOT FOR YOUR EYES ONLY  Securing Wireless and
  Mobile Devices  
• PROFILES ARE FOREVER  Safe Surfing Social
  Networking

will be available online at security.arizona.edu/
SAFE08
34
Questions?