This presentation was given on April 1st, 2011 as part of Wharton Computing's Techfast series. More information about Techfast can be found: http://technology.wharton.upenn.edu/techfast

1. 4/1/11 Barry Wilson/Scott McNulty – Wharton Computing 4/1/11 Techfast: Security – Not just for banks

2. Who Are We?And what do we do? 2 Wharton Computing

3. Two quotes from experts 3 As head of security it is my duty to be... concerned. - Worf, USS Enterprise By failing to prepare, you are preparing to fail. - B. Franklin, local celebrity Wharton Computing 4/1/11

4. The Internet is out to get you (only a little) 4 Wharton Computing 4/1/11

5. Password Rules of Thumb WHARTON COMPUTING 5

6. No sharing passwords between accounts 4/1/11 WHARTON COMPUTING 6

7. One password to spoil them all 7 Wharton Computing 4/1/11

8. No short passwords 4/1/11 Wharton Computing 8

9. No Dictionary Words 4/1/11 WHARTON COMPUTING 9

10. No personal information 4/1/11 WHARTON COMPUTING 10

11. Passphrases: exception to the rules 11 Wharton Computing 4/1/11 Very long Easy to remember Hard to crack

12. Example passphrase My, aren’t members of Wharton Computing good looking? 4/1/11 WHARTON COMPUTING 12

13. How Secure is your password? 4/1/11 13 http://howsecureismypassword.net Wharton Computing

14. How long will it take to crack these passwords: 14 Wharton Computing 4/1/11

15. password 15 Wharton Computing

16. Instantly 4/1/11 16 Wharton Computing

17. Other common passwords 4/1/11 Wharton Computing 17

18. Password Cracking 101 WHARTON COMPUTING 18

19. Dictionary Attacks 4/1/11 Wharton Computing 19 http://mtyourmind.10001mb.com/2009/0127/

20. Rainbow Table 4/1/11 WHARTON COMPUTING 20 http://www.elsingadesign.com/

21. Brute Force attacks 4/1/11 Wharton Computing 21 http://ryan.skow.org/siege/Fields2002/SaturdayBattleReport.html

22. Social engineering 4/1/11 WHARTON COMPUTING 22 http://news.bbc.co.uk/2/hi/technology/3639679.stm

23. Password Tip 1 o = 0 4/1/11 Wharton Computing 23

24. Password Tip 2 cAmelCaSe 4/1/11 Wharton Computing 24

25. passW0rd 25 Wharton Computing

26. 10 Days 4/1/11 26 Wharton Computing

27. Password Tip 3 $pec!@l Ch@r@cter$ 4/1/11 WHARTON coMPUTING 27

28. p055W0rD! 28 Wharton Computing

29. 9 Years 4/1/11 29 Wharton Computing

30. My, aren’t members of Wharton Computing good looking? 30 Wharton Computing

31. 560 tresvigintillion years 4/1/11 31 Wharton Computing

32. Managing your passwords the old way 32 Wharton Computing 4/1/11

33. 169 days 4/1/11 33 Wharton Computing

34. Managing your passwords the old way 34 Wharton Computing 4/1/11

35. Managing your passwords the secure way 35 Password Safe http://passwordsafe.sourceforge.net/ 1Password http://agilewebsolutions.com/onepassword/ Wharton Computing 4/1/11

36. Phishing 36 Wharton Computing

37. As defined by the OED 4/1/11 WHARTON COMPUTING 37

38. Tips for identifying a phishing email 38 Wharton Computing 4/1/11

39. Phishing - browser address bar 39 Wharton Computing 4/1/11

40. Phishing - browser address bar 40 Wharton Computing 4/1/11

41. Phishing - browser address bar - SSL 41 Wharton Computing 4/1/11

42. Phishing - browser address bar - SSL 42 Wharton Computing 4/1/11

43. Phishing – Poor wording 43 Wharton Computing 4/1/11

44. Phishing – Check the sender 44 From: Usman Bagudu <Usman.Bagudu@pet.hw.ac.uk> Wharton Computing 4/1/11

45. Phishing – asks for your password 4/1/11 WHARTON COMPUTING 45

46. Phishing email or not? 4/1/11 WHARTON COMPUTING 46

47. Phishing email or not? 4/1/11 WHARTON COMPUTING 47 Undisclosed recipients PHISHING! Not a Penn Web site. Not a real group @ Penn

48. When in doubt: ask 4/1/11 WHARTON COMPUTING 48

49. Defending against Phishing 4/1/11 WHARTON COMPUTING 49

50. Defending against Phishing 4/1/11 WHARTON COMPUTING 50

51. Defending against Phishing 4/1/11 WHARTON COMPUTING 51

52. What to do if you respond to a phishing email 52 http://mantia.me/wallpaper/dont-panic/ Wharton Computing 4/1/11

53. Tell Someone 53 Wharton Computing 4/1/11

54. Change your passwords 54 Wharton Computing 4/1/11

55. Review Statements 55 Wharton Computing 4/1/11

56. Contact the authorities Wharton: security@wharton.upenn.edu FTC: 1-877-ID-THEFT or https://www.ftccomplaintassistant.gov/ Police Credit Card issuers: Setup a fraud alert 56 Wharton Computing 4/1/11

57. Home Computers 57 Wharton Computing

58. Avoid: no-name anti-virus 58 Image credit: Complete Computer Repair of CT (http://tinyurl.com/272uvla) Wharton Computing 4/1/11

59. Avoid: downloading © material 59 Wharton Computing 4/1/11

60. Forewarned is Forearmed. 60 Wharton Computing

61. Automatic Software Updates 61 Wharton Computing 4/1/11

62. Software Updates – 3rd Party Software 62 Wharton Computing 4/1/11

63. Install Antivirus software 63 http://www.upenn.edu/computing/virus/ Wharton Computing 4/1/11

64. Install Antivirus software 64 Wharton Computing 4/1/11

65. Firewall 65 Credit: Stuck in Customs http://www.flickr.com/photos/stuckincustoms/1194563275/in/photostream/ Wharton Computing 4/1/11

66. Firewall – Windows 7 4/1/11 WHARTON COMPUTING 66

67. Firewall – Windows 7 4/1/11 WHARTON COMPUTING 67

68. Firewall – Windows 7 4/1/11 WHARTON COMPUTING 68

69. Firewall – OS X 4/1/11 WHARTON COMPUTING 69

70. Firewall – OS X 4/1/11 WHARTON COMPUTING 70

71. Firewall – OS X 4/1/11 WHARTON COMPUTING 71

72. Home computers: Ideal vs. Reality 72 Wharton Computing 4/1/11

73. Home computers: Ideal Dedicated computer: Only you use your computer. Password protected. 73 Wharton Computing 4/1/11

74. Home computers: Practical Multiple accounts: Each user has their own individual account. VPN. Don’t store work files on home computer. 74 Wharton Computing 4/1/11

75. Mobile devices 75 Wharton Computing 4/1/11

76. Mobile devices: set a password 76 Wharton Computing 4/1/11

77. Mobile devices: remote wipe 77 Wharton Computing 4/1/11

78. Mobile devices: encryption 78 Wharton Computing 4/1/11

79. IPAD DEMO Wharton Computing 79

80. Confidential Data WHARTON COMPUTING 80

81. Nobody wants this 81 Wharton Computing 4/1/11

82. Or this… 82 Wharton Computing 4/1/11

83. Or this! 4/1/11 WHARTON COMPUTING 83

84. Confidential Data – What is it? 84 Wharton Computing 4/1/11

85. Legally Protected As defined by the government. SSNs Credit Card Data Bank Account information Medical data Student enrollment data (anything defined in FERPA) 85 Wharton Computing 4/1/11

87. University Policy “This policy establishes expectations around the use of SSNs - sensitive data whose misuse poses privacy risks to individuals, and compliance and reputational risks to the University. It calls on staff, faculty, contractors, and agents of the above to inventory their online and offline SSNs and reduce the above risks by, in priority order: (1) eliminating this data altogether, (2) converting it to PennID, (3) truncating the data to capture and display only the last four digits, (4) when the complete SSN is clearly necessary, ensuring strict security controls to protect the full data.” 87 Wharton Computing 4/1/11

88. University Policy - Summary Four easy things to do: Eliminate Convert (to PennID) Truncate Secure 88 Wharton Computing 4/1/11

89. Identity Finder 4/1/11 WHARTON COMPUTING 89

90. Why Identity Finder? Cross platform Centrally managed Best in class software 4/1/11 WHARTON COMPUTING 90

91. Identity Finder 91 Wharton Computing 4/1/11

92. Shredding files 4/1/11 WHARTON COMPUTING 92

93. Identity Finder Management Console 4/1/11 WHARTON COMPUTING 93

94. Identity Finder Management Console 4/1/11 WHARTON COMPUTING 94

95. IMPORTANT None of your data is transmitted/stored on the Identity Finder Management server Only location/general type of found data is transmitted (securely) No data will be deleted from your computer by Wharton Computing without your consent 4/1/11 WHARTON COMPUTING 95

96. How “dangerous” is your confidential data? 3 questions to help gauge your risk How much do you have? Who does it include? What else is stored with it? 96 Wharton Computing 4/1/11

97. How do youmanageit? Know what you have Keep it separated Make sure it is secure 97 Wharton Computing 4/1/11

98. Securingyourconfidential data Store it on a central server Back it up Encrypt it 98 Wharton Computing 4/1/11

99. Securingyourconfidential data Never let anyone log in as you. Don’t allow workstudies to use a computer that contains confidential data 99 Wharton Computing 4/1/11

100. Hacking happens WHARTON COMPUTING 100

101. The Process 101 Wharton Computing 4/1/11

102. Questions? 102 Wharton Computing

103. http://beacon.wharton.upenn.edu/security/techfast WHARTON COMPUTING 103 4/1/11

104. Contact us 104 Barry Wilson Chief Security Officer wilsonbf@wharton.upenn.edu Scott McNulty Sr. IT Project Leader smcnulty@wharton.upenn.edu security@wharton.upenn.edu http://beacon.wharton.upenn.edu/security Wharton Computing 4/1/11

105. Tell us what you think! Tech-fast@wharton.upenn.edu 4/1/11 WHARTON COMPUTING 105