Dynamic Net, Inc. - PowerPoint PPT Presentation

Provided by: jakewin

Transcript and Presenter's Notes

1
Dynamic Net, Inc.
  • Dynamic Hosting.
  • Precision Thinking.

2
Email Security
  • Email based threats, how to identify them, and
    how to avoid them.

3
The SPAM Epidemic
  • Every day, over 31 billion email messages are
    sent across the internet. On average, 70-80%
    of these emails are considered spam (unsolicited
    email). But what does spam have to do with
    security?
  • Data destruction and theft are the number one
    issues affecting both individuals and businesses
    on the Internet. The single easiest way to get
    the data these criminals crave is to waltz right
    into a computer or network on this wave of spam
    email.

4
What Are the Dangers Associated with Malicious
Email?
  • Identity theft and associated Data Loss.
  • One of the key ways spammers infiltrate the
    business community is through identity theft, and
    the FTC estimates that identity theft will cost
    businesses in the United States more than $8
    billion in 2006.
  • Identity theft affects businesses and isn't just
    limited to personal credit cards and cell
    phones. Corporate data can be stolen just as
    easily, which can lead to financial losses, lost
    clients, lost productivity, and massive fees
    associated with cleanup and stabilization of
    internal data.

5
What Are the Dangers Associated with Malicious
Email? (continued)
  • Destruction/Loss of Data
  • If theft of sensitive client data is the biggest
    fear of a small business, destruction of that
    data can't be far behind. Most have backups of
    critical data, but what happens if the backup
    fails, or worse, is corrupted by the malicious
    code of a virus, for example?
  • It's difficult to measure cleanup costs because
    companies are loath to report incidents, but the
    FBI polled 269 private respondents and they
    admitted spending a staggering $141 million in
    cleanup fees last year (2004).

6
What Can My Business Do?
  • The following will deal with some common email
    security risks as well as how to protect yourself
    and your business from stepping on one of the many
    landmines planted by hackers and criminals before
    they cost you or your company more than you ever
    want to risk.

7
Email Viruses
  • Viruses have been the most commonly known and
    most often addressed issue related to internet,
    data, and email security. Still, many fail to
    properly address these threats and protect
    themselves from catastrophe. In 2004, despite
    the common use of antivirus software, over 37
    MILLION computers were infected by a virus.
  • Despite often being preventable, viruses continue
    to destroy valuable data and cripple computers
    every day.
  • These outbreaks tend to hit small or medium
    businesses the hardest because of limited budgets
    and a small or non-existent IT staff. Protecting
    your business from a virus isn't all that
    difficult, but the issue lies predominantly in
    effort (or lack thereof), diligence, and
    education.

8
How to Prevent a Virus
  • Make sure every computer in your office is
    equipped with antivirus software. Perhaps more
    importantly, make sure it is properly configured
    and up to date (the number one shortfall among
    victims of a virus or worm).
  • Make sure Antivirus applications are properly
    configured to check incoming AND outgoing
    messages. Not only is it important to know when
    a virus is coming in, but scanning outgoing
    messages will stop you from potentially spreading
    anything your computer has contracted. This also
    allows you to snuff the problem out before it
    causes damage to others.

9
How to Prevent a Virus (continued)
  • Never open attachments from unknown parties.
  • Never open unexpected attachments from known
    parties. Just because you recognize the email
    address doesn't mean the attachment is valid.
  • Always use an email host that filters for
    viruses. Why deal with a virus on your own
    computer if you can have it taken care of without
    ever seeing it?
  • Make sure Operating System (usually Windows)
    patches are applied as soon as they are released.
    The timeframe between vulnerability discovery
    and virus release is getting shorter all the
    time.

10
How to Prevent a Virus (continued)
  • Many computers are set to automatically download
    patches, but these programs sometimes fail, so
    make sure you check for updates manually at least
    once every week.
  • Education and policies are key. If employees do
    not understand the risks and what they must do to
    prevent the inevitable, the entire office could
    be open to a catastrophic compromise of data
    integrity including client financial data.
  • This list probably sounds like a broken record,
    but sometimes the basics are the best place to
    start. You may be surprised by how many simple
    preventative steps AREN'T being taken in your
    very own office.

11
Keyloggers, Spyware, and Trojans.
  • Another fairly common set of risks is
    Keyloggers, Spyware, and Trojans. All of these
    threats are designed to take control of your
    system in one way or another and can be very
    dangerous.

12
Trojans
  • A Trojan is often distributed as part of a virus,
    but its calling card is its ability to fly under
    the radar by disguising itself as a valid file or
    program. Oftentimes, Trojans work in tandem with
    other malicious software.
  • The Trojan Horse is primarily designed to get in
    the door, and the malware does the dirty work of
    securing the data it is designed to steal or
    destroy.

13
Spyware
  • The malicious running mate of the Trojan is
    normally some form of Spyware. Spyware is often
    installed without the knowledge of the user
    and can infiltrate a network through downloads, a
    virus, an email attachment, a click of a pop-up
    window, or even by simply receiving an email.
  • Spyware is designed to "spy" on a victim.
    Sometimes this data is used for something as
    innocent as market research, but even in that
    context, it violates privacy, slows computers,
    and compromises data integrity. At its
    worst, Spyware is far more dangerous.

14
Spyware- Did You Know??
  • If your email program (such as Outlook) accepts
    HTML email, there are pieces of software that can
    be installed through the preview pane of the
    email box. By default, clicking on an email in
    Outlook opens it in a preview pane where
    messages can be read. What many don't understand
    is that simply viewing email in the HTML-enabled
    preview pane can execute some malicious code on
    your computer and lead to a loss of data
    integrity on your network!
  • A recent poll revealed that the average computer
    has 29 pieces of spyware running on it!

15
Key Stroke Loggers
  • Software Keyloggers are perhaps the most
    frightening of all threats that can attack via
    email. The primary goal of keyloggers is
    recording keystrokes in specific ways with the
    goal of storing and sending that information to
    the hacker or hackers that created the tool.
  • The most common and damaging way keyloggers are
    used involves silently recording passwords,
    credit card data, and other sensitive information
    that is then transmitted from your computer to a
    remote user. At that point, they can do whatever
    they wish with that data.

16
Protecting yourself from Trojans, Spyware, and
Keyloggers
  • First and foremost: the best security and related
    policy is always built on layers. The best way
    to protect a system and network from these
    intrusions always starts with the same methods
    one would use to prevent the spread of a virus,
    but additional measures must be taken for these
    new risks BEYOND those measures.

17
Protecting yourself from Trojans, Spyware, and
Keyloggers (continued)
  • Make sure your Internet browser (often
    Explorer on Windows) and mail program are both
    completely up to date with the latest patches and
    check for new releases frequently. These threats
    can reach your system in more ways than one.
  • Keyloggers and Trojans often aren't detected by
    Antivirus systems, so make sure you have a good
    spyware detection and removal tool OR verify your
    Antivirus program handles these spyware threats
    as well. Make sure this software is updated and
    run regularly, as new threats can burrow in at any
    time.

18
Protecting yourself from Trojans, Spyware, and
Keyloggers (continued)
  • Consider disabling HTML in your email box to
    protect against threats that can execute
    themselves through a preview pane.
  • Make sure any sensitive data that must be stored
    on a computer is centralized, password protected,
    and encrypted.
  • Consider installing a personal firewall on each
    computer or at least enabling a firewall built
    into the operating system of the computer.
    Firewalls can't save the world by themselves, but
    a good personal firewall monitoring incoming AND
    outgoing traffic from an individual computer will
    be a good way to find out if anyone is attempting
    to break in. It will also give you an idea as to
    whether or not anyone or anything is attempting to
    have your computer send data out.

19
Phishing
  • Phishing attacks use both social engineering and
    technical subterfuge to steal personal identity
    data, financial account credentials, passwords,
    and more. In plain English, these emails are
    designed to fool the recipient into providing
    data the Phisher (criminal) wants to obtain.
    They normally attack via email and get the
    information they need by installing keyloggers,
    coercing the victim, or fooling the victim into
    providing data in a form or on a web site.
  • Generally, what separates Phishing from other
    malicious activity is the intent. Phishing is a
    profit-driven attack, plain and simple. While
    many threats are designed to destroy or corrupt
    data for the sake of chaos or notoriety in the
    hacker community, Phishing has the intention of
    stealing data for personal financial gain.

20
Phishing (continued)
  • Phishing normally has one of two objectives-
    stealing an identity for profit or stealing
    information for small ransom fees.
  • Many individuals in the U.S. have their
    identities stolen every year, but the real
    corporate risk involves company data phishers can
    get their hands on.
  • Just imagine how much a company stands to lose if
    a phishing scam coupled with a keylogger reveals
    login credentials for an accounting program, a
    corporate credit card, or private client
    information?

21
Phishing (continued)
  • The main goal of a Phishing email is to provoke a
    reaction from the recipient. They normally
    achieve this by spoofing (faking) email addresses
    from large companies and sending very
    professional and accurate corporate emails. In
    that email, they will normally ask the victim to
    click on a link to the site in order to verify
    some personal data (normally a username,
    password, or credit card). These emails normally
    convey urgency, such as "before your account
    is suspended," and often are bold enough to warn
    of Phishing scams in that very Phishing email!

22
Phishing (continued)
  • Some of the most popular companies these
    criminals fake are the biggest ones in the world
    like eBay, Citibank, Paypal, etc. They use these
    large companies as cover because their phishing
    spam is more likely to reach a match- someone who
    has an account with that company.

23
Phishing (continued)
  • Once you click on the link, they use one of many
    technologies to direct you where they want you to
    go: their trap. These sites almost always match
    the real corporate sites exactly and it's
    difficult for even professionals to tell the
    difference between real and fake.
  • When you complete the task they request, nothing
    horrible happens right away that would set off an
    alarm in the victim's mind, but the phisher now
    has enough data to start using your identity for
    whatever purpose they have.
  • It's very difficult to track these scam sites
    because they never stay in one place for more
    than a couple of days, so the primary objective is
    educating potential victims on tips to avoid
    these criminals so both employees and clients
    remain safe from these attacks.

24
Phishing (continued)
  • Legal experts worry that compromised companies
    could be open to legal action from clients for
    failing to protect private data.
  • Phishing could have the largest impact on
    businesses when these criminals target the
    identity of an employee in order to gain access
    to the real honey pot: your clients.

25
Phishing- Did You Know??
  • Phishing is one of the main reasons identity
    theft has been the fastest growing crime in the
    U.S. for the past 5 years running.
  • 9.9 million people in the U.S. had their
    identities stolen last year alone.
  • Companies reported losses of over $8 billion due
    to identity theft in 2004, with actual numbers
    estimated much higher.

26
Phishing- Did You Know?? (continued)
  • The term "Phishing" originates from a combination
    of hacking phrases.
  • "Fish" is a common term when using social
    engineering to steal passwords or information.
  • The "PH" in place of "F" is a common hacker way
    of spelling. This originated with John Draper,
    who developed one of the first methods of hacking
    called "Phone Phreaking" in 1971. He achieved
    this task by inventing a "blue box" and using a
    toy whistle found in boxes of Cap'n Crunch that
    blew a frequency of exactly 2600 Hz. The tone
    from the whistle gave him full access to the
    entire phone system.

27
How to Avoid Phishing Scams
  • As stated earlier in this presentation, all
    security is built in layers, so all steps to
    avoid a virus, keylogger, trojans, phishing
    scams, etc. are built on the critical bases of
    protection already established.
  • Each layer and helpful hint from the previous
    sections provides crossover protection to help
    thwart phishing scams.

28
How to Avoid Phishing Scams (continued)
  • While Phishing has become more sophisticated over
    the years, the first clues that something is out
    of the ordinary are spelling and grammatical
    errors. Most of the scams are smarter than this,
    but these types of errors are a huge red flag.
  • Never reply with sensitive data in an email or
    form requesting it; a reputable company will
    NEVER ask you to.

29
How to Avoid Phishing Scams (continued)
  • Beware of any links embedded in email. They
    often transpose a few letters for their fake site
    or add additional characters before or after the
    main web address for an easy way to direct you to
    their trap (ex. www.123AOLConfirm.com).
  • Never click on any of the links in an email if
    you are unsure whether the request is legitimate
    or not. Always open up a separate browser and
    type the main web address in yourself. If there
    is an urgent alert to clients of a major company
    being sent out via email, there will be an
    announcement on their web site.
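
The link tricks described on this slide (extra characters around a known name, a few transposed letters) and link text that shows one address while pointing at another can be checked mechanically before a message reaches a user. This is an added example, not part of the original presentation; the trusted-domain list, the function names, the 0.8 similarity threshold and the sample message are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains your office really does business with.
TRUSTED = {"aol.com", "paypal.com", "ebay.com"}

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(url):
    # Simplification: last two host labels; production code should use the Public Suffix List.
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return ".".join(host.split(".")[-2:])

def classify(href, text=""):
    """Return the reasons a link looks deceptive (empty list = nothing found)."""
    dom, reasons = base_domain(href), []
    if dom not in TRUSTED:
        name = dom.split(".")[0]
        for brand in (t.split(".")[0] for t in sorted(TRUSTED)):
            if brand in name:
                reasons.append(f"extra characters around '{brand}'")
            elif SequenceMatcher(None, name, brand).ratio() >= 0.8:
                reasons.append(f"near-miss spelling of '{brand}'")
    # Visible text that is itself a web address should match where the link really goes.
    if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) and base_domain(text) != dom:
        reasons.append(f"text shows {base_domain(text)}, link goes to {dom}")
    return reasons

def scan_email(html):
    parser = LinkCollector()
    parser.feed(html)
    return {href: r for href, text in parser.links if (r := classify(href, text))}

# Constructed sample message body, not taken from a real campaign.
SAMPLE = """<p>Your account will be suspended!</p>
<a href="http://www.123AOLConfirm.com/verify">Confirm now</a>
<a href="http://www.paypla.com/">PayPal</a>
<a href="http://login.example.net/ebay">www.ebay.com</a>
<a href="https://www.paypal.com/signin">www.paypal.com</a>"""
```

Calling `scan_email(SAMPLE)` returns the three deceptive links with their reasons and leaves the genuine one out. The substring and similarity checks are heuristics and will occasionally flag an innocent domain, so treat a hit as a prompt to verify, not as proof.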

30
How to Avoid Phishing Scams (continued)
  • For a quick reference on the latest Phishing
    scams (and past scams as well), check
    http://www.antiphishing.org/. When you become
    aware of a new scam, there's a decent chance
    someone else in the office was also contacted, so
    communicate with one another to help avoid these
    pitfalls.
  • If all else fails, call the company directly, but
    never be intimidated by the urgency of the email.
    The more urgent the email is, the more likely
    it's a fake.

31
Make Sure These Threats Never Reach your Inbox
  • The best defense is making sure threats never
    reach your network. Make sure the company
    handling your email is scrubbing it for viruses,
    spam, content, etc.
  • While this layer doesn't guarantee success,
    prevent all attacks, or remove the need for all
    other measures included in this presentation,
    it's a critical first step in keeping your
    computer and network safe.

32
Make Sure Every Computer is Patched and Up to
Date.
  • Make sure you stay up to date on all of your
    internal countermeasures (operating system
    patches, firewall updates, antivirus updates,
    etc.).
  • Many threats can be avoided by simply keeping up
    to date, and the rest can be managed by utilizing
    sound policies built on information and tips
    like the ones we've included. A clearly
    understood policy will help eliminate potential
    human error.
  • This has been mentioned throughout the
    presentation, but it can't be overemphasized!

33
Change Those Passwords!
  • Make sure your policy includes passwords.
  • Strong passwords (uppercase and lowercase letters,
    numbers, etc.) that would be impossible to guess
    are optimal.
  • If this isn't practical, make sure your policy
    includes stipulations on how long a password
    should be used before it's changed and make sure
    employees do not use the same password for entry
    into many different places. This will help limit
    the damage that can be done even if your
    information is taken.

34
When in Doubt, Pull it Out!
  • If you believe a computer on your network has
    been infected or compromised, remove it from the
    network and/or Internet immediately.
  • It's much safer to troubleshoot a computer and
    scour for compromises if that computer can't do
    damage while you're looking.

35
Dynamic Net, Inc.
  • Dynamicnet.net is a privately held Pennsylvania
    corporation, and we have been providing Secure Web
    Hosting, Email Hosting, and Web Server Management
    services from right here in Berks County since
    1995.