Enhancing Customer Security - PowerPoint PPT Presentation

Title: Enhancing Customer Security. Subject: Creating Awareness on Information Security. Author: Microsoft Corporation. Last modified by: Gil.
Learn more at: https://www.educause.edu

Transcript and Presenter's Notes
1

University of Arizona Security Awareness Campaign
Kelley Bogart University Information Security
Coordinator
Gil Salazar Network Administrator University of
Arizona
2
Agenda
  • Why Awareness
  • Challenges
  • Solutions
  • Benefits
  • Costs
  • Initiatives
  • Demonstration

3
Why Awareness? Campus Policy, Standards &
Guidelines
  • Privacy Guidelines
  • Acceptable Use Policy
  • Security Policy Draft
  • Supporting Security Standards & Guidelines
  • Business Continuity & Disaster Recovery
  • Incident Reporting
  • Management Responsibilities for Security
  • Networked Device Security

4
Why Awareness? (cont.)
  • Heightened Activity
  • Regulatory Drivers
  • FERPA
  • HIPAA
  • GLBA
  • State Legislation (House Bills)
  • Online Privacy Statement
  • Misuse of State of Arizona Equipment
  • Many more to come

5
Why Awareness? (cont.)
  • Relationship of Privacy & Security
  • Roles and Responsibilities

6
Where to start and how?
  • Step 1 - Where are we now?
    Current Situation Assessment
  • Step 2 - Where do we want to be?
    Strategic Direction
  • Step 3 - How do we plan to get there?
    Implementation Planning
  • Step 4 - How will we monitor progress?
    Monitoring

7
Goal: Set the stage for all security efforts by
bringing about a change in attitudes, which will
change the campus culture.
University of Arizona Characteristics
  • Level 1 COMPLACENCY: Security Policies & Standards are
    minimal and may or may not be documented. Security
    Incidents are viewed as someone else's problem. Existing
    programs and services are perceived as sufficient.
    Security is viewed as an enforcer.
  • Level 2 ACKNOWLEDGEMENT: Realization that existing
    Information Security processes are fragmented. Executive
    level support and involvement is visible. Some Security
    Awareness interventions are implemented and are ongoing.
  • Level 3 INTEGRATION: General acceptance of campus-wide
    standards based on Security Infrastructure and displayed
    through noticeable behavior change. Staff, faculty and
    students actively and visibly participate in the programs
    and services. Security incidents are reported immediately
    to the appropriate area.
  • Level 4 COMMON PRACTICE: The integration of Security
    programs and services in the campus departments is
    complete. Security is involved at the onset of projects.
    U of A is considered a Security Awareness Best Practice
    campus.
  • Level 5 CONTINUOUS IMPROVEMENT: Threats are continually
    reevaluated based on the changing threat population and
    security incidents. Additional or more cost-effective
    alternatives are continually identified. The practice of
    Security is considered a component of the campus culture.
    Security Awareness is viewed as a business enabler.
8
Challenges
  • Funding Resources
  • Diversity and Decentralization
  • Varied Audiences
  • Administrators
  • Students
  • Staff
  • Faculty
  • Technical vs. Non-technical

9
Solutions
  • Message vs. Delivery Method
  • Timeline / Opportunities
  • Surveys
  • Include WIIFM - What's in it for me?
  • Include Knowledge, Skill and Attitude:
    the What, the How, and the Why (or Want to do)

10
The following three slides are a consistent
message we communicate or incorporate in our
awareness / education efforts to help reinforce
the message that Security is Everyone's
responsibility, and that technology alone cannot keep
us secure. People are the last layer of defense.
11
The key to security is embedded in the word
security:
SEC-U-R-IT-Y
U - R - IT
YOU ARE IT!
12
If not you, who?
If not now, when?
13
During your typical day, you may be exposed to
situations where you become aware of an attempt
to breach an area of security. You need to be
prepared to:
  • Protect
  • Detect
  • React
14
Benefits
  • Heightened Awareness
  • Key Partnerships formed
  • Campus-wide understanding, acknowledgement and
    support
  • Recognition of the Security Office
  • Increased reporting and requests

15
Costs
  • Pamphlets
  • Security Awareness Day
  • Dedicated Staff
  • Posters

16
Initiatives
  • Monthly Brown Bag Presentations
  • Customized group presentations
  • Redesigned Security Page
  • security.arizona.edu
  • Campus Security Awareness Day
  • security.arizona.edu/awarenessday.html
  • New Employee Orientation Handout

17
Initiatives (cont.)
  • Pamphlets
  • Privacy Basics - Guide to Protecting Personal
    Information
  • Risk Reduction - Computer Protection and
    Prevention
  • Security Basics - Guide for Protecting Your
    Computer
  • Computer Security and Privacy Information - What
    everyone needs to know
  • Security Awareness Posters
  • security.arizona.edu/posters.html

18
First Set
19
First Set
20
First Set
21
Second Set
22
Second Set
23
Second Set
24
Goal: Set the stage for all security efforts by
bringing about a change in attitudes, which will
change the campus culture.
University of Arizona Characteristics
  • Level 1 COMPLACENCY: Security Policies & Standards are
    minimal and may or may not be documented. Security
    Incidents are viewed as someone else's problem. Existing
    programs and services are perceived as sufficient.
    Security is viewed as an enforcer.
  • Level 2 ACKNOWLEDGEMENT: Realization that existing
    Information Security processes are fragmented. Executive
    level support and involvement is visible. Some Security
    Awareness interventions are implemented and are ongoing.
  • Level 3 INTEGRATION: General acceptance of campus-wide
    standards based on Security Infrastructure and displayed
    through noticeable behavior change. Staff, faculty and
    students actively and visibly participate in the programs
    and services. Security incidents are reported immediately
    to the appropriate area.
  • Level 4 COMMON PRACTICE: The integration of Security
    programs and services in the campus departments is
    complete. Security is involved at the onset of projects.
    U of A is considered a Security Awareness Best Practice
    campus.
  • Level 5 CONTINUOUS IMPROVEMENT: Threats are continually
    reevaluated based on the changing threat population and
    security incidents. Additional or more cost-effective
    alternatives are continually identified. The practice of
    Security is considered a component of the campus culture.
    Security Awareness is viewed as a business enabler.
25
Questions
26
Gil Salazar, UA Network Administrator
Kelley Bogart, Information Security Coordinator
27
(No Transcript)
28
Agenda
  • State of the Internet today
  • Viruses, Worms & Spies!
  • How to Protect
  • Yourself

29
State of the Internet Today
The Internet goes through your computer
30
Some Local Statistics: University of Arizona
Campus Cyber attacks per day
  • # of outside to inside attacks: 64,959
  • # of Inside to outside attacks: 60,040
  • # of Inside to Inside attacks: 6,941
  • Total # of related victim machines: 593,734
31
Threat Follows Value
The 1950s American bank robber Willie Sutton was
asked why he robbed banks. He said he robbed
banks because "That's where the money is."
Today, the money is in Cyberspace!
The Internet provides criminals with the two
capabilities most required for the conduct of
criminal activities: Anonymity and Mobility
32
Do The Math
  • Spam mailed to over 100 million
    inboxes
  • If 10% read the mail and clicked the link:
    10 million people
  • If 1% of people who went to the site signed up for
    the 3-day free trial:
    (100,000 people) x ($0.50) = $50,000
  • If 1% of free trials sign up for 1 year:
    (1,000 people) x ($144/yr) = $144,000/yr

33
Situation: It is getting scary!
(Diagram annotations: "Most attacks occur here"; "Why does this gap exist?")
  • Product ships
  • Vulnerability discovered
  • Potential attack
  • Software modified
  • Patch released
  • Patch deployed at home/office
34
Exploit Timeline
Why does this gap exist?
Days between patch and exploit
  • Days From Patch to Exploit
  • The average is now nine days for a system to be
    reverse-engineered

35
Exploit Survival Time
  • The SANS Institute has studied what it calls the
    "survival time" of an unprotected computer hooked
    up to the Internet.
  • A year ago, the average time before it was
    compromised was about 55 minutes.
  • Today it's 20 minutes.
  • On the UA campus it can be less than ONE
    MINUTE.

36
Questions?
State of the Internet
  • Why do criminals use the internet today?
  • To be Anonymous & Mobile

37
Viruses, Worms & Spies
38
Virus
  • Old traditional viruses usually required human
    interaction
  • You had to save it, run it, or share floppy disks
  • E-mailing a program / document without knowing
    it is infected
  • They typically just attach themselves to programs and
    documents, and then depend on humans to propagate
  • This is changing

39
How It Spreads
  • E-mail
  • Instant Messenger
  • Networks
  • P2P/Filesharing software
  • Downloads
  • Floppy disks, Flash Drives, CDs, etc.

40
Sample E-Mail ... This has a virus attached!
To: user@email.arizona.edu
Subject: Notify about your e-mail account utilization.
From: support@arizona.edu
Dear user of Arizona.edu gateway e-mail server,
Your e-mail account will be disabled because of improper using in
next three days, if you are still wishing to use it, please, resign
your account information. For further details see the attach. For
security reasons attached file is password protected. The password
is "03406".
Best wishes, The Arizona.edu team http://www.arizona.edu
41
Questions?
Virus
  • What is the most common way viruses are spread
    today?
  • E-Mail

42
Worms
  • Sub-class of Virus
  • Replicates automatically without human help
  • Example is e-mail address book attack
  • Bogs down networks and Internet
  • Zotob, Blaster are examples

43
(No Transcript)
44
Worms
  • Scary part: you don't have to do anything but
    turn your computer on!
  • Or make a simple click.

45
Trojan Horse
  • A program that appears to be a good program, but
    really isn't
  • Might do what it is supposed to, plus a whole lot
    more!
  • Programs in this category use several
    methods to enter the computer:
  • Web, e-mail, spyware

46
Botnets or Zombies
  • Botnets are networks of captive computers (often
    called zombies) that are created by trojans or
    worms that have infected unprotected PCs.
  • These networks are frequently used to send spam
    and initiate distributed denial of service (DDoS)
    attacks.

47
Questions?
Worms
  • What is it called when a program sneaks onto
    your computer?
  • A Trojan

48
Phishing
49
Have you ever received an email that says
something like this?
  • We suspect an unauthorized transaction on your
    account. To ensure that your account is not
    compromised, please click the link below and
    confirm your identity.
  • OR
  • During our regular verification of accounts, we
    couldn't verify your information. Please click
    here to update and verify your information.

50
This is a typical phishing attempt
51
What is Phishing?
  • Phishing is a form of social engineering,
    characterized by attempts to fraudulently acquire
    sensitive information, such as passwords and
    credit card details, by masquerading as a
    trustworthy person or legitimate business in an
    apparently official electronic communication,
    such as an email, pop-up window or an instant
    message.
  • http://en.wikipedia.org/wiki/Phishing#Phishing_technique

52
Social engineering is the practice of obtaining
confidential information by manipulation of
legitimate users. A social engineer will commonly
use the telephone or Internet to trick people
into revealing sensitive information or to get
them to do something that is against typical
policies. By this method, social engineers
exploit the natural tendency of a person to trust
his or her word, rather than exploiting computer
security holes.
  • Social engineering preys on qualities of human
    nature:
  • the desire to be helpful
  • the tendency to trust people
  • the fear of getting into trouble

53
EBAY
54
EBAY
55
EBAY
56
EBAY
57
PayPal
58
PayPal
59
PayPal
60
Visa
61
Visa
62
Microsoft
63
Stats from Anti-Phishing Working Group
64
Stats from Anti-Phishing Working Group
65
Stats from Anti-Phishing Working Group
66
Arizona State Credit Union
67
DM Federal Credit Union
68
Recognizing Phishing
  • False Sense Of Urgency - Threatens to
    "close/suspend your account," or charge a fee.
  • Indirect invitation - "Dear valued customer",
    "Dear reader", "In attention to [service name
    here] customers."
  • Misspelled or Poorly Written - Helps fraudulent
    e-mails avoid spam filters.

69
Recognizing Phishing
  • Suspicious-Looking Links & Pop-Ups - Links
    containing all or part of a real company's name
    asking you to submit personal information.
  • Hyperlink spoofing - You see the
    "http://www.yourbank/Login" link in the message,
    but if you hover the mouse cursor over the link,
    you will see that it points to
    "http://www.spoofedbanksite.com/Login"

70
Discover Card Awareness
71
Citibank
72
Spyware or Phishing-based Trojans & Keyloggers?
73
Phishing-based Trojans Keyloggers
Designed with the intent of collecting
information on the end-user in order to steal
those users' credentials. Unlike most generic
keyloggers, phishing-based keyloggers have
tracking components which attempt to monitor
specific actions (and specific organizations,
most importantly financial institutions,
online retailers and ecommerce merchants) in
order to target specific information. The most
common targets are access to financial websites,
ecommerce sites, and web-based mail sites.
74
Phishing-based Trojans & Keyloggers, Unique
Variants
75
Unique Websites Hosting Keyloggers
76
Yet Another Form of Phishing to worry about
  • Unlike a scam which tries to trick you into
    providing personal information,
  • this one:
  • executes code
  • changes your hosts file
  • redirects a legitimate webpage to a spoofed site
  • ...and all you did was open an email or view it in
    a preview pane in programs like Microsoft Outlook

77
Phishing-based Trojans Redirectors
Designed with the intent of redirecting end-users'
network traffic to a location where it was not
intended to go. This includes crimeware that
changes hosts files and other DNS-specific
information, crimeware browser-helper
objects that redirect users to fraudulent sites,
and crimeware that may install a network-level
driver or filter to redirect users to fraudulent
locations.
This is particularly effective because the
attackers can redirect any of the user's requests
at any time, and the end-users have very little
indication that this is happening, as they could
be typing in the address on their own and not
following an email or Instant Messaging lure.
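Because a redirector that edits the hosts file leaves a visible artifact on disk, a defender can audit that file for entries that map a hostname to a non-loopback address, which is exactly what "redirect to a fraudulent location" looks like there. The following is an added example written for this page, not code from the presentation or from any vendor; the sample hosts content, the baseline of expected entries and the addresses (203.0.113.45 is a documentation-range address) are constructed.

```python
import ipaddress

# Constructed sample hosts file: the first lines are the usual defaults,
# the last two are the kind of entries a redirector Trojan would add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.examplebank.com
203.0.113.45    update.example-av.com   # constructed redirect
"""

# Constructed baseline: (address, hostname) pairs a clean hosts file is expected to hold.
BASELINE = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text, ignoring comments and blank lines.
    One line may list several hostnames for one address; each becomes its own pair."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:
            entries.append((address, name.lower()))
    return entries


def find_redirects(text, baseline=BASELINE):
    """Return (address, hostname, reason) for every entry not in the baseline.
    Entries pointing at a routable address are the redirector signature; loopback or
    0.0.0.0 entries only sinkhole a name (common for ad blockers) and are reported separately."""
    findings = []
    for address, name in parse_hosts(text):
        if (address, name) in baseline:
            continue
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((address, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((address, name, "sinkhole (not in baseline)"))
        else:
            findings.append((address, name, "redirect to non-loopback address"))
    return findings


if __name__ == "__main__":
    # On a real Windows host the file is %SystemRoot%\System32\drivers\etc\hosts.
    for address, name, reason in find_redirects(SAMPLE_HOSTS):
        print(f"{name:30} -> {address:15} {reason}")
```

The check covers only the hosts-file variant the slide names; browser-helper objects and network-level filters do not show up here and need their own inventory (installed BHOs, LSP/driver lists).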
78
(No Transcript)
79
FTC suggestions to help avoid getting hooked by a
phishing scam
  • If you get an email or pop-up message that asks
    for personal or financial information, do not
    reply. And don't click on the link in the
    message, either.
  • Use anti-virus software and a firewall, and keep
    them up to date.
  • Don't email personal or financial information.

80
FTC suggestions (contd)
  • Review credit card and bank account statements as
    soon as you receive them.
  • Be cautious about opening any attachment or
    downloading any files from emails.
  • Forward spam that is phishing for information to
    spam@uce.gov and to the company, bank, or
    organization impersonated in the phishing email.

81
Additional Protection Tips
  • Treat all email with suspicion
  • Never use a link in an email to get to any web
    page
  • Ensure that all of your software is up to date
  • Use anti-spyware detection software on a regular
    basis

82
Additional Protection Tips
  • If you must use your financial information
    online, ensure that you have adequate insurance
    against fraud
  • Be aware or beware.

83
Questions?
  • What does the term Phishing refer to?
  • Attempt to gather information for illicit use

84
Spyware
  • Ever get pop-ups that constantly ask you to
    click OK and won't go away?
  • This is most likely Spyware of some sort

85
Spyware What it is
  • Spyware is programming that is put on your
    computer to secretly gather information about you
    or your PC and relay it to advertisers or other
    interested parties
  • Adware pushes ads, tracks Internet habits and
    performs other sneaky tricks

86
Spyware How Do I know I have it?
  • Computers slow down to a crawl
  • Annoying Pop-ups appear
  • Browser Start Page changes
  • Unwanted toolbars, tray programs
  • New programs are installed on your PC and show up
    on the desktop

87
Spyware why is it bad?
  • Corrupts/alters the current software
  • Steals passwords, information, etc.
  • Tracks browsing habits and sites
  • Interferes with system settings
    (registry, startup)
  • Even after removal, it can leave crumbs
    which help the program re-install itself

88
Spyware How did I get it?
  • Email
  • Instant Messaging
  • Internet Browsing
  • P2P Software (Kazaa, LimeWire, BearShare, AIM)
  • Downloads and Installs
  • Potentially Unwanted Programs (PUPs)

89
(No Transcript)
90
(No Transcript)
91
Spyware Why do they do it?
  • 0x80 is a hacker. He says: "Most days, I just sit
    at home and chat online while I make money," 0x80
    says. "I get one check like every 15 days in the
    mail for a few hundred bucks, and a buncha others
    I get from banks in Canada every 30 days." He
    says his work earns him an average of $6,800 per
    month, although he's made as much as $10,000. Not
    bad money for a high school dropout.

92
Questions?
Spyware
  • What are a couple things Spyware does?
  • Create pop-ups, hijacks web pages, collect info,
    slow pc down.

93
How to Protect Yourself
94
Practice Good Surfing Sense
  • You know there are bad parts of town that you
    don't go to
  • The Internet is the same way: be wary!

95
Download Rules
  • Never download or open something if you don't
    know what it is
  • Even if you know the sender by name, check with
    them to see if they sent you something

96
Download Rules
  • True company-based e-mails never send attachments
  • Make sure the link actually goes to their site
    not a spoofed one!
  • Only download what you trust, and even then be
    wary!

97
Be Aware of Spoofing
  • Have you ever received an e-mail telling you that
    you have a virus?
  • It is possible that:
  • Your address could've been spoofed and sent to
    someone else
  • It could be a trick to get you to install some
    anti-virus or patch (which is really a virus
    itself!)

98
The Best Defense
99
The Best Defense
  • Use Strong Passwords
  • Passwords should contain 8 characters including
    upper and lowercase letters, special characters and
    numbers
  • Don't take downloads from strangers
  • Only install what you trust
  • Free music and file-sharing programs are wide
    open doors for hackers

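The password rule on the slide above (8 characters, with upper and lowercase letters, special characters and numbers) can be written down as a check that reports exactly which rule a candidate breaks. This is an added example for this page, not code from the presentation; the sample passwords and the function names are constructed.

```python
import string

# Constructed sample passwords used only to exercise the checker.
SAMPLE_PASSWORDS = ["password", "Passw0rd", "Tr0ub4dor&3", "Sh0rt!"]


def check_password_policy(password, min_length=8):
    """Return the list of slide rules the password violates; an empty list means it passes.
    Rules: at least min_length characters, and at least one uppercase letter,
    one lowercase letter, one digit and one special (punctuation) character."""
    failures = []
    if len(password) < min_length:
        failures.append(f"fewer than {min_length} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def passes_policy(password):
    """True when the password meets every rule on the slide."""
    return not check_password_policy(password)


if __name__ == "__main__":
    for candidate in SAMPLE_PASSWORDS:
        problems = check_password_policy(candidate)
        print(f"{candidate!r}: {'OK' if not problems else ', '.join(problems)}")
```

Composition rules like these are a floor, not a ceiling: "Passw0rd" is one character short of passing yet is a well-known dictionary variant, so a real deployment pairs such a check with a blocklist of common passwords.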
100
The Best Defense
  • Check if your PC has any issues
  • Does your browser open to a new home page, or
    search page?
  • Increase in advertisements pop-ups?
  • Computer seems sluggish?
  • Know your system and what is installed

101
The Best Defense
  • Get a detect removal tool for spyware
  • Ad-Aware: easiest to use, free for home use only
  • SpyBot: free for any use, more advanced, has
    automated protection features
  • Microsoft Anti-spyware: free for any use, has
    automated protection and updates.
  • Use all three together for complete protection!

102
The Best Defense
  • Install anti-virus software
  • (Sophos, Norton, McAfee, etc.)
  • Install a Firewall
  • (Windows built-in, Kerio, ZoneAlarm)
  • Keep everything up-to-date!
  • Windows Automatic Updates, anti-virus, spyware
    detection.

103
(No Transcript)
104
The Best Defense
  • Limit access to your computer
  • Keep doors locked if you're not around and the system
    is on
  • Thumb drives can be used to steal data

105
The Best Defense
  • At home use multiple user accounts when sharing
    computers and switch users/lock workstation when
    leaving system on when you are away from the
    desktop
  • Control+Alt+Delete
  • Windows Key + L for XP

106
Quote from a victim
"Overall, you've got to realize that, just like
if you don't secure your home, you run the risk
of getting burglarized; if you're crazy enough to
leave the door on your computer open these days,
like I did, someone's gonna walk right in and
make themselves at home." (Pastor Michael
White)
107
Questions?
The Best Defense
  • What is the best way to keep passers-by from
    accessing your computer?
  • Control+Alt+Delete or Windows Key + L

108
Other Reminders
  • Back up your computer data.
  • Keeping system patches updated
  • Firewalls, pop-up blocker, spyware apps updated.
  • Know your systems

109
Now for any Final Q&A
110
If the situation seems hopeless