Why My Electronic Identity
Needs to be Protected!
Copyright Erwin L. Carrow This work is the intellectual property of the author. Permission is granted for this material to be shared for
non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is
given that the copying is by permission of the author and other identified entities. To disseminate otherwise or to republish requires
written permission from the author. Videos and specific graphics presented are not for public distribution.
Session Guide
 Erwin “Chris” Louis Carrow
IT Audit Director; M.Div., MSIS, BM, CISSP, INFOSEC, CCAI, CCNP, CCSP, CQS, CCNA,
LCP, LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc. (Alphabet soup – who cares?!)
Board of Regents, University System of Georgia; Office of Internal Audit and Compliance
270 Washington Street S.W., Ste. 7087 Atlanta, GA 30334
(404)657-9890 Office, (678)644-3526 Cell, (404)463-0699 Fax
Email: erwin.carrow@usg.edu http://www.linkedin.com/in/thebishop
http://twitter.com/ecarrow
 What do I do? Just a “Glorified Geek”
 High level – IT evaluations, University System wide
 General focus – lacks the granularity of detail of day-to-day
operations
 Validate Assurance or Identify Vulnerabilities / Exploitation
 Bottom line: Challenging Others to Apprehend IT Security
and Operational Efficiency
Session Agenda
Key Takeaways and Introductions
Basic Terminology, Context, &
Methodology
Strategic Protection of YOUR and
OTHERS Personal Information
What to Do to Be Safe / Limit Risk
Q&A
Key Takeaways
At the end of this session you should be able to:
Understand the RISK with YOUR and OTHERS’
Electronic Identity;
Understand the Motivation for Exploitation of
YOUR or OTHERS’ PERSONAL INFORMATION;
Identify Practical Considerations and Resources
to mitigate associated RISK;
Apply Basic Precautions to mitigate potential
LOSSES.
Terminology, Context, & Who are
the Key Players
 People – Good (solution oriented), Bad (problem producers),
and Indifferent (folks who don’t care /understand the problem)
 Technology – Good (well managed), Bad (poorly managed),
and Indifferent (don’t care or understand the problem)
 Services – The Internet (Home, Work, or Public environment),
and associated resources, e.g., ISP, FaceBook, Games, email, etc.
 YOU – “Part of the Solution” or “Part of the Problem,” e.g., a
Recipient (“Poor Slob” that GOT HIT), Participant
(inadvertently contributed either “for” or “against”), or Initiator
(Johnny or Jill Hacker)?
 Specific or Potential Risks – Governments, Commerce, Health
Organizations, Organized Crime Syndicates, Negligence,
Hacker Exploits - Phishing attempts, Social Network
vulnerabilities, etc.
What is E-Identity and
Identity Theft?
 E-Identity: an online informational profile about
YOU and OTHERS!
 Identity theft: the criminal act of stealing your
personal information to clone your identity with
the intent to use it without your knowledge or
permission to commit fraud or other crimes.
You are Identified by…
What You Do Online or Otherwise!
 Commodities
 Banking / Income Tax Filing
 Gaming
 Purchases
 Services: Hospitals, Gas Stations, etc.
 Voyeur Site Participation (Porn)
 Communication
 Voice
 Email
 Chat
 Video Conferencing
Who Am I?
I AM how the world SEES me!
Threats and the Facts
(Commercial - part 1)
 October 19, Help Net Security - (International) Kaspersky download site hacked, redirecting users to fake AV. On October 17, Kaspersky’s
USA download site provided download links that redirected users to a malicious Web page where pop-up windows told users their computer was
infected and encouraged them to buy a fake AV solution. Source: www.net-security.org
 October 19, V3.co.uk - (International) RealPlayer receives critical security update. Real Networks has issued a security update for RealPlayer,
addressing flaws in versions …. vulnerabilities ranging from buffer overflow and injection flaws to issues that could allow an attacker to
remotely execute code on a targeted system. Source: www.v3.co.uk/v3/news
 October 18, Computerworld - (International) ‘Unprecedented wave’ of Java exploits hits users, says Microsoft. Microsoft said October 18 that
an “unprecedented wave” of attacks are exploiting vulnerabilities …. attempts to exploit Java bugs …. “IDS/IPS vendors ... have challenges with
parsing Java code,” … the performance impact on a network IPS could be crippling. [So] the people that we expect to notice increases in
exploitation might have a hard time seeing this. Call it Java-blindness.” Source: www.computerworld.com
 July 19, SCADA System’s Hard-Coded Password Circulated Online for Years - malware that targets command-and-control software installed
in critical infrastructures uses a known default password that the software maker hard-coded into its system.…. SCADA, short for “supervisory
control and data acquisition,” systems are programs installed in utilities and manufacturing facilities to manage the operations. SCADA
…potentially vulnerable to remote attack by malicious outsiders who might want to seize control of utilities for purposes of sabotage,
espionage or extortion. “Default passwords are and have been a major vulnerability for many years,” said Steve Bellovin, …“It’s irresponsible to
put them in, in the first place…. If that’s the way the Siemens systems works, they were negligent.” Siemens did not respond to a request for
comment. Source: www.wired.com
 October 20, Softpedia - (International) Fake Firefox and Chrome warning pages distribute malware. Security researchers warn a new
malware distribution campaign uses fake versions of the malicious site warnings commonly displayed by Firefox and Google Chrome. Security
researchers from F-Secure now warn malware pushers are increasingly abusing the trust users associate with these warnings to infect them.
Malicious Web sites that mimic both Firefox’s “Reported Attack Page” alert, as well as Chrome’s “this site may harm your computer” warning,
have been spotted. The pages look exactly the same as the real thing, except for a button that reads “Download Updates,” suggesting that
security patches are available for the browsers. The executable files served when these buttons are pressed install rogue antivirus programs …
the users who land on these latest sites discovered by F-Secure are also exposed to drive-by downloads via a hidden IFrame, which loads the
Phoenix exploit kit. Source: news.softpedia.com
 October 20, Trusteer - (International) Trusteer reports hackers improve Zeus Trojan to retain leadership in crimeware race. Trusteer reported October
20 it has captured and analyzed a new version (2.1) of the Zeus financial malware. New capabilities include: URL matching based on a full
implementation of the Perl Compatible Regular Expressions (PCRE) library. This allows much more flexibility for Zeus’s configuration to define targets.
Source: www.trusteer.com
Threats and the Facts
(Personal - part 2)
 Personal Experience of Identity Theft (3 official separate times) – and
recently hacked this month at a military installation!
 64x -8 process, 16 gigs RAM, 2x ½ Terabyte HD, dual-booted – Windows 7
Pro and SUSE Linux, and multiple other system bells and whistles (bleeding
edge laptop technology – do not recommend)
 Attacked and hacked while operating in the Windows 7 environment through the
Chrome browser – used a Java / RealPlayer buffer memory overflow exploit
and then attempted to migrate and embed in the OSes
 Gained currently loaded browser credentials and passwords – Google Email
account compromised (Google notified me and stated someone in Greece had
accessed my account) at the same time of identified problem
 Locked up the system, scrambled system settings (date changed to year 2076),
locally used IDS/IPS rendered partially ineffective, polluted other partitions –
both Linux and Windows
 Uncertainty of future protection due to complexity and immaturity of
hardware and malware software protection
More of the Same “Threats and the
Facts” – But, What are the Results?
 Privacy Rights Clearinghouse
 Chronology of Data Breaches: 13,678,437 records (460 events,
2010) and 510,619,382 records reported since January 2005
[www.privacyrights.org/ar/ChronDataBreaches.htm]
 Ponemon – HRH 2008 Privacy Breach Index Survey (Sept 2008)
 Self-evaluation of the organization’s overall performance: 9%
gave an “A”, 31% gave a “B”, 26% gave a “C”, 29% gave a “D”,
5% gave an “F” [www.HRH.com/privacy]
 80% believed their organizations experienced information
system data breaches and loss of customer and personal
information
 Cause of breach: 50% negligence, 29% third party, 3% hacker, 1% other
criminal activity
 36% had 1 to 4 breaches involving 100 or more records; 32% had 5 to 8;
31% had 9 or more
The Various Ways whereby YOUR
Information is … LOST (Data Leakage)
 Physical loss (PHYS) - Lost, discarded or stolen non-electronic records, such
as paper documents
 Portable device (PORT) - Lost, discarded or stolen laptop, PDA, smart-
phone, portable memory device, CD, hard drive, data tape, etc
 Stationary device (STAT) - Lost, discarded or stolen stationary electronic
device such as a computer or server not designed for mobility.
 Hacking or malware (HACK) - Electronic entry by an outside party, malware
and spyware.
 Payment Card Fraud (CARD) - Fraud involving debit and credit cards that is
not accomplished via hacking. For example, skimming devices at point-of-
service terminals.
 Unintended disclosure (DISC) - Sensitive information posted publicly on a
website, mishandled or sent to the wrong party via email, fax or mail.
 Insider ( INSD) - Someone with legitimate access intentionally breaches
information - such as an employee or contractor.
 Unknown or other (UNKN)
The Basic Method to Exploit ...
YOUR E-Identity
 Identify Social / Cultural “Normalcy” and the associated “Common Denominators” where
potential gain or benefit may exist on the Internet or in the real world
 Voice / Chat / Email / Tweet has become the primary “Means of Communication”
 Browser Based Culture and Community, e.g., On-line Gaming (Entertainment), Banking
(financial), Social Networks (Socialization), pornography sites (22% of all Internet based
revenue), etc.
 Marketing from Data Warehouses – Services (medical), Google, Microsoft, Government
Entities (regardless of intentions, you are a customer, beneficiary, or potential threat)
 Non-electronic communication or storage methods, e.g., stealing stuff with your name and
other information on it
 Exploit “Common Denominators” by …
 Identify and Predict potential Outcomes from Your INFORMATION [ANY FRINGE
FANS?]
 Making it look like normal expected activity
 Browser based exploits – Social networks, social engineering, harvesting information, or capitalizing on browser
technology vulnerabilities
 Email based exploits – Phishing
 Browser, Email, and Web Site exploitation are all used in conjunction
 Obscure and confuse the real with the Counterfeit!
 Their Objective …, is to recreate a Counterfeit “Normalcy” that attracts and is utilized
by YOU!!!!
 FOR ORGANIZATIONAL (Terrorist) or PERSONAL (Theft, Malice, or Vendetta) GAIN
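Two of the counterfeit-normalcy tricks the talk describes can be caught by scanning page source: the fake browser-warning pages above (a hidden IFrame silently loading an exploit kit from a third-party host) and the phishing pattern here (a link whose visible text names one site while its href points at a lookalike). The Python below is an added example written for this page, not code from the talk or from any product it cites; the HTML it scans is constructed, and every hostname in it is a placeholder.

```python
"""Flag hidden third-party IFrames (drive-by download) and links whose visible
text names a different host than the href (phishing lure).  Added example; the
sample HTML and all hostnames are constructed placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a fake "Reported Attack Page" (hostnames are placeholders).
SAMPLE_HTML = """
<html><body>
<h1>Reported Attack Page!</h1>
<p>Security patches are available.
   <a href="http://update-mirror.example.net/patch.exe">Download Updates</a></p>
<p>Or sign in at
   <a href="http://login.exarnple-bank.test/">http://login.example-bank.test/</a></p>
<a href="http://www.example-bank.test/help">Help</a>
<iframe src="http://kit.example.org/in.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<iframe src="/embed/video" width="640" height="360"></iframe>
</body></html>
"""

# Something that looks like a hostname (optionally with scheme) inside link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def _px(value):
    """'0', '0px', ' 12 ' -> int; None when the attribute is absent or non-numeric."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def _is_hidden(attrs):
    """True for IFrames sized 1x1 or smaller, CSS-hidden, or pushed off-screen."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    dims = [_px(attrs.get(k)) for k in ("width", "height")]
    tiny = all(d is not None and d <= 1 for d in dims)
    return (tiny or "display:none" in style or "visibility:hidden" in style
            or re.search(r"(?:left|top):-\d", style) is not None)


class PageScanner(HTMLParser):
    """Collects (kind, detail) findings while the page is parsed."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []     # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src_host = (urlparse(a.get("src") or "").hostname or "").lower()
            # a hidden frame is only suspicious when it loads another origin
            if _is_hidden(a) and src_host and src_host != self.page_host:
                self.findings.append(("hidden_iframe", a.get("src")))
        elif tag == "a":
            self._href = a.get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = HOST_RE.search("".join(self._text))
            actual = (urlparse(self._href).hostname or "").lower()
            # text that looks like a URL must agree with where the link really goes
            if shown and actual and shown.group(1).lower() != actual:
                self.findings.append(("link_mismatch",
                                      f"{shown.group(1).lower()} -> {actual}"))
            self._href = None


def scan(html, page_host):
    """Return the list of (kind, detail) findings for one page served by page_host."""
    scanner = PageScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_HTML, "warning-page.example.com"):
        print(f"{kind}: {detail}")
```

Run against the sample, the scanner reports the 0x0 IFrame pulling from kit.example.org and the sign-in link whose text reads example-bank while the href goes to exarnple-bank (rn for m); the visible 640x360 IFrame and the plain "Help" link are not flagged. Link text that is not itself a URL ("Download Updates") is deliberately left alone, since only a visible URL gives the reader a false expectation to compare against.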
Legal Implications?
I am not a lawyer – this is strictly opinion (disclaimer)!
 Privacy Laws – Still very immature in the practical
governance and implementation of standards
 Case Law – Ongoing implications in who is to be held
responsible for breaches (the Internet is complex)
 Victim – The individual has to initiate action that may
prove too costly or ineffective to pursue
 The government and big corporate entities very
seldom will be held legally liable – Spin City
 Bottom-line – Who really cares for YOUR interests and
is YOUR advocate (cynical reality)?
Why Pick on Little Old ME?
 How do thieves steal identities?
 Common methods thieves use to steal identities: Dumpster Diving, Phishing, Address Change,
Old Fashioned Stealing, hacking, & False Pretext
 What do thieves do with stolen identities?
 Thieves use stolen identities to:
-Open new credit card accounts, change your billing address, run excessive charges on your accounts, pay the minimum
amounts due, and drain your accounts.
-Open new phone or wireless accounts, set up utility services, open new bank accounts and write bad checks, take out
loans, clone your ATM or debit cards to make electronic withdrawals.
-Get driver's licenses, government benefits, file fraudulent tax returns, receive medical services
-Give your personal information to police during an arrest, or maintain dual identities to hide their real identity from the
Homeland Security Department.
 What are the signs of identity theft?
 Look for signs or evidence to determine whether your identity has been compromised:
-Evidence of bank or credit card accounts being opened in your name without your knowledge or approval.
-Evidence of charges deducted from your accounts that you did not initiate.
-Evidence of inaccurate information (e.g. wrong personal information, SSN, address, name, initials, or employers, etc) on
your credit reports.
-Not receiving your credit card bills, bank statements, or other personal mail for no apparent reason; or receiving credit
cards that you did not apply for.
-Receiving calls or letters from collection agencies or businesses asking you to pay for goods or services that you
did not buy, or being denied credit or offered less favorable terms (e.g., a high interest rate) for no apparent reason.
How Do I Respond? - Apathy, Acceptance, Anger,
or … an Attitude of Rebellion and Resolve!
 What should I do if my personal information has been compromised in a data breach?
 For tips on what to do if your personal information has been exposed due to a security breach, read the Privacy Rights
Clearinghouse guide at http://www.privacyrights.org/fs/fs17b-SecurityBreach.htm.
 Are there resources for businesses and other organizations on how to avoid having sensitive data breached?
 Learn about security and privacy protection practices for your workplace.
 "Guide to Protecting the Confidentiality of Personally Identifiable Information," National Institute of Standards and
Technology. Special Publication 800-122. (April 2010) http://ssrn.com/abstract=1671082.
 "How Global Organizations Approach the Challenge of Protecting Personal Data," from Accenture (released April 27, 2010)
https://microsite.accenture.com/dataprivacyreport/Pages/default.aspx and
https://microsite.accenture.com/dataprivacyreport/Documents/Accenture_Data_Privacy_Report.pdf
 Forrester Consulting Study, “The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk,”
(April 2010) sponsored by RSA and Microsoft, available at www.rsa.com/CorporateSecrets. For the press release,
see http://www.microsoft.com/Presspass/press/2010/apr10/04-05MSRSAPR.mspx?rss_fdn=Press%20Releases.
 "Data Breach and Incident Readiness Planning Guide" from the Online Trust Alliance (January 2010).
https://www.otalliance.org/resources/Incident.html
 "Security & Privacy -- Made Simpler," from the Better Business
Bureau www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf
 “Protecting Personal Information: A Guide for Business,” from the Federal Trade
Commission. www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf
 “Information Security Handbook,” from the National Institute of Standards and Technology
http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
 “Prevent Identity Theft with Responsible Information-Handling Practices in the Workplace,” from the Privacy Rights Clearinghouse
www.privacyrights.org/ar/PreventITWorkplace.htm
 The California Office of Privacy Protection has developed a series of Recommended Practices. Several of the guides may be helpful in
protecting your business whether or not you are located in California.
www.privacyprotection.ca.gov/res/docs/pdf/infosharingdisclos.pdf
www.privacyprotection.ca.gov/res/docs/pdf/ssnrecommendations.pdf
A Response with Rebellion and Resolve!
Know Yourself – Know Your Enemy!
The Art of War (Chinese: 孫子兵法; pinyin: Sūn Zǐ Bīng Fǎ) is a Chinese military treatise
that was written during the 6th century BC by Sun Tzu.
 Two possible but not recommended responses to the challenge
 Freak Out: Embrace Hopelessness, Hide, Ignore, Deny, and Play
Computer Games until the Inevitable Occurs
 Idealistic and Unrealistic: Do the “Don Quixote (To Dream the
Impossible Dream and Fight the Impossible Fight)” - Wear yourself
out Fighting Windmills by shooting at whatever pops its head out!
 Third Approach “How do you Eat the Elephant standing in the corner,
Instead of Avoiding it?” Take ONE BITE at a time by…
 Assess the level of risk you are willing to incur
 Strategize a response
 Be deliberate and not apathetic or indifferent
 Be practical / understand it is not just about you (or ME)
 Be an advocate or part of a culture that supports secure practices
 Test and monitor the process with identifiable outcomes
Example: My E-Identity
Maltego App paterva.com
That’s
Me?!
Your Risk Profile, Probability, & Impact
Risk “reality” is just a
“Click” or
“Communiqué” away!
 Am I important, and if so
why?
 Why would someone want
my information?”
 If I commit (“C”) to
providing my information
what could be the outcome?
 Is the “C” cost too high?
 How will the “C” possibly
impact OTHERS?
The “Life Cycle” of Security,
the Process, Provisioning & Potential
Exploitation – the Weakest Link? People!
What to Do to Be Safe…?
 Protect Yourself and Others?
 Hardware – Stay off of the Bleeding Edge (very costly), OS updates;
Latest version of Browser / Email Clients and ensure they are patched
(from the right vendors); Dedicated systems per functional risk
 Software – Anti-virus / Anti-Malware, Host level IDS / IPS, security
browser apps, plug-in filters, etc. (buy from a reputable vendor)
 Head-ware, e.g., “Common Sense” that is not too common
 Don’t “Bank Online” (personal opinion and choice), limit on-line purchases, etc.
– every transaction has an associated risk!
 Don’t share personal identifiable information of any type or form online without
assessing the risk!
 Have fun, be cautious, and educate yourself regarding the risk
 Remember, once it is on the Internet “it belongs to everyone.” Is it something you
really wanted to share?
 Assess non-Internet exchanges and communications, e.g., bill paying and US
Postal Service
 For everything you do, information is being collected. Ask the various
organizations you do business with about their Privacy Policies and how they are
protecting your information!
Thank You for Your Participation -
Any Questions?
 Understand EVERYONE is collecting
Information about YOU – Their
OBJECTIVE is PREDICTABILITY
 YOUR and OTHERS E-Identity is a
marketable commodity!
 Take the necessary Precautions,
Preventive measures, and Practice safe
exchange of information
 Hold Everyone Accountable for what
they have been entrusted with!
 Expect CONFLICT regardless of the
approach you take.
Oops, Forgot
– One Possible Solution!
Current practical challenges are virtualization and distribution
Sources & Considerations
 Infected Web Sites -
http://www.computerworld.com/s/article/342457/Visitors_Under_Attack?taxonomyId=16
 Mozilla & Microsoft - http://news.cnet.com/8301-30685_3-10377445-264.html
http://www.infoworld.com/d/security-central/mozilla-plug-in-checker-boostssecurity
 Anti Malware Tactic -
http://www.scmagazineuk.com/Aggressive-tactics-used-in-new-distribution-and-installation-of-fake-anti-virus-software/article/154886/
 Outlook - http://www.networkworld.com/news/2009/101509-phishing-zeus-outlook.html
 Twitter -
http://www.mxlogic.com/securitynews/web-security/security-experts-warn-of-possible-id-theft-scam-on-twitter835.cfm
 P2P Software -
http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=220600367
 Email - http://news.bbc.co.uk/2/hi/technology/8294714.stm
http://crave.cnet.co.uk/software/0,39029471,49303832,00.htm
 Browsers -
http://www.theregister.co.uk/2009/10/05/fraudulent_paypay_certificate_published/
 Google -
http://www.theregister.co.uk/2009/10/13/google_webmaster_malware_notification/
 Terrorism - http://www.theregister.co.uk/2009/10/13/poland_cyberattacks/
http://www.internetnews.com/government/article.php/3843136/Cyber+Terrorism+Demands+New+Tactics+Study.htm
 Click Fraud - http://www.theregister.co.uk/2009/10/23/botnet_generated_click_fraud/
Helpful Resources
 USGBOR Information Security Reporting Process
http://www.usg.edu/infosec/incident_management/ Twitter:
http://twitter.com/usginfosec/
 Internet Alert Dashboard To report cyber infrastructure incidents or to request
information, please contact US-CERT at sos@us-cert.gov or visit their Website:
http://www.us-cert.gov. Information on IT information sharing and analysis can
be found at the IT ISAC (Information Sharing and Analysis Center) Website:
https://www.it-isac.org/
 US-CERT: us-cert.gov/cas/tips/st06-003.html
 StaySafeOnline: staysafeonline.info/practices/index.html
 CyberSmart.org: www.ccybersmart.org/downloads/pdf/SocialNetworkGuide.pdf
 GetNetWise: www.getnetwise.org
 OnGuard Online: onguardonline.gov/socialnetworking_youth.html
 TechMission, Inc. Safe Families: www.safefamilies.org/socialnetworking.php
 Join my FaceBook “Mafia War” Family (beware it is a social networking
experiment) http://www.facebook.com/TheBishopOfOZ
 Data Leakage http://ilpubs.stanford.edu:8090/968/1/leakage_tkde_final.pdf

Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 

Kürzlich hochgeladen (20)

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 

Why My E Identity Needs Protection

• 1. Why My Electronic Identity Needs to be Protected!
  Copyright Erwin L. Carrow. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author and other identified entities. To disseminate otherwise or to republish requires written permission from the author. Videos and specific graphics presented are not for public distribution.
• 2. Session Guide
  - Erwin “Chris” Louis Carrow, IT Audit Director; M.Div., MSIS, BM, CISSP, INFOSEC, CCAI, CCNP, CCSP, CQS, CCNA, LCP, LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc. (Alphabet soup – who cares?!)
    Board of Regents, University System of Georgia; Office of Internal Audit and Compliance
    270 Washington Street S.W., Ste. 7087, Atlanta, GA 30334
    (404)657-9890 Office, (678)644-3526 Cell, (404)463-0699 Fax
    Email: erwin.carrow@usg.edu
    http://www.linkedin.com/in/thebishop
    http://twitter.com/ecarrow
  - What I Do? Just a “Glorified Geek”
    - High level – IT Evaluations University System Wide
    - General focus – Lack granularity of detail regarding day to day operations
    - Validate Assurance or Identify Vulnerabilities / Exploitation
    - Bottom line: Challenging Others to Apprehend IT Security and Operational Efficiency
• 3. Session Agenda
  - Key Takeaways and Introductions
  - Basic Terminology, Context, & Methodology
  - Strategic Protection of YOUR and OTHERS Personal Information
  - What to Do to Be Safe / Limit Risk
  - Q&A
• 4. Key Takeaways
  At the end of this session you should be able to:
  - Understand the RISK with YOUR and OTHERS Electronic Identity;
  - Understand the Motivation for Exploitation of YOUR or OTHERS PERSONAL INFORMATION;
  - Identify Practical Considerations and Resources to mitigate associated RISK;
  - Apply Basic Precautions to mitigate potential LOSSES.
• 5. Terminology, Context, & Who are the Key Players
  - People – Good (solution oriented), Bad (problem producers), and Indifferent (folks who don’t care / understand the problem)
  - Technology – Good (well managed), Bad (poorly managed), and Indifferent (don’t care or understand the problem)
  - Services – The Internet (Home, Work, or Public environment) and associated resources, e.g., ISP, FaceBook, Games, email, etc.
  - YOU – “Part of the Solution” or “Part of the Problem,” e.g., a Recipient (“Poor Slob” that GOT HIT), Participant (inadvertently contributed either “for” or “against”), or Initiator (Johnny or Jill Hacker)?
  - Specific or Potential Risks – Governments, Commerce, Health Organizations, Organized Crime Syndicates, Due Negligence, Hacker Exploits (Phishing attempts, Social Network vulnerabilities, etc.)
• 6. What is E-Identity and Identity Theft?
  - E-Identity: an online informational profile about YOU and OTHERS!
  - Identity theft: the criminal act of stealing your personal information to clone your identity with the intent to use it without your knowledge or permission to commit fraud or other crimes.
• 7. You are Identified by… What You Do Online or Otherwise!
  - Commodities
    - Banking / Income Tax Filing
    - Gaming
    - Purchases
    - Services: Hospitals, Gas Stations, etc.
    - Voyeur Site Participation (Porn)
  - Communication
    - Voice
    - Email
    - Chat
    - Video Conferencing
• 8. Who Am I? I AM how the world SEES me!
• 9. Threats and the Facts (Commercial - part 1)
  - October 19, Help Net Security - (International) Kaspersky download site hacked, redirecting users to fake AV. October 17, Kaspersky’s USA download site provided download links that redirected users to a malicious Web page where windows telling them their computer was infected were popping up and they were encouraged to buy a fake AV solution. Source: www.net-security.org
  - October 19, V3.co.uk - (International) RealPlayer receives critical security update. Real Networks has issued a security update for RealPlayer, addressing flaws in versions …. vulnerabilities ranging from buffer overflow and injection flaws to issues that could allow an attacker to remotely execute code on a targeted system. Source: www.v3.co.uk/v3/news
  - October 18, Computerworld - (International) ‘Unprecedented wave’ of Java exploits hits users, says Microsoft. Microsoft said October 18 that an “unprecedented wave” of attacks are exploiting vulnerabilities …. attempts to exploit Java bugs …. “IDS/IPS vendors ... have challenges with parsing Java code,” … the performance impact on a network IPS could be crippling. [So] the people that we expect to notice increases in exploitation might have a hard time seeing this. Call it Java-blindness.” Source: www.computerworld.com
  - July 19, SCADA System’s Hard-Coded Password Circulated Online for Years - malware that targets command-and-control software installed in critical infrastructures uses a known default password that the software maker hard-coded into its system. …. SCADA, short for “supervisory control and data acquisition,” systems are programs installed in utilities and manufacturing facilities to manage the operations. SCADA … potentially vulnerable to remote attack by malicious outsiders who might want to seize control of utilities for purposes of sabotage, espionage or extortion. “Default passwords are and have been a major vulnerability for many years,” said Steve Bellovin, … “It’s irresponsible to put them in, in the first place…. If that’s the way the Siemens systems works, they were negligent.” Siemens did not respond to a request for comment. Source: www.wired.com
  - October 20, Softpedia - (International) Fake Firefox and Chrome warning pages distribute malware. Security researchers warn a new malware distribution campaign uses fake versions of the malicious site warnings commonly displayed by Firefox and Google Chrome. Security researchers from F-Secure now warn malware pushers are increasingly abusing the trust users associate with these warnings to infect them. Malicious Web sites that mimic both Firefox’s “Reported Attack Page” alert, as well as Chrome’s “this site may harm your computer” warning, have been spotted. The pages look exactly the same as the real thing, except for a button that reads “Download Updates,” suggesting that security patches are available for the browsers. The executable files served when these buttons are pressed install rogue antivirus programs … the users who land on these latest sites discovered by F-Secure are also exposed to drive-by downloads via a hidden IFrame, which loads the Phoenix exploit kit. Source: news.softpedia.com
  - October 20, Trusteer - (International) Trusteer reports hackers improve Zeus Trojan to retain leadership in crimeware race. Trusteer reported October 20 it has captured and analyzed a new version (2.1) of the Zeus financial malware. New capabilities include: URL matching based on a full implementation of the Perl Compatible Regular Expressions (PCRE) library. This allows much more flexibility for Zeus’s configuration to define targets. Source: www.trusteer.com
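The fake browser-warning pages in the Softpedia item above combine two things a defender can check for in fetched page content: wording copied from the real Firefox/Chrome interstitials next to a download lure, and an IFrame hidden from the viewer. The scanner below is an added example, not code from the original slides or from any of the cited sources; the three HTML pages it inspects are constructed for illustration, and the frame source http://kit.example/in.php is a placeholder, not a real host.

```python
"""Flag pages that imitate a browser malware warning and carry a hidden IFrame.

Added example (not from the original slides). Sample pages are constructed;
http://kit.example/ is a placeholder, not a real exploit-kit host.
"""
import re
from html.parser import HTMLParser

# Wording copied from the real Firefox / Chrome interstitials ...
WARNING_PHRASES = ("reported attack page", "this site may harm your computer")
# ... and the lure that the real interstitials never show.
LURE_PHRASES = ("download updates",)


def _is_hidden(attrs):
    """True when an iframe is made invisible via attributes or inline style."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "hidden" in attrs:                                  # bare HTML5 attribute
        return True
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(width|height):0(px)?(;|$)", style):    # zero-sized via CSS
        return True
    if re.search(r"(left|top):-\d{3,}px", style):          # pushed off-screen
        return True
    for dim in ("width", "height"):                        # zero-sized via attrs
        if re.fullmatch(r"0(px)?", (attrs.get(dim) or "").strip()):
            return True
    return False


class PageScanner(HTMLParser):
    """Collects the visible text and the src of every hidden iframe."""

    def __init__(self):
        super().__init__()
        self.text_parts = []
        self.hidden_iframes = []
        self._skip = False  # True while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip = True
        elif tag == "iframe" and _is_hidden(a):
            self.hidden_iframes.append(a.get("src") or "")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.text_parts.append(data)


def scan_page(html):
    """Return the lure patterns one page matches plus any hidden iframe sources."""
    scanner = PageScanner()
    scanner.feed(html)
    text = re.sub(r"\s+", " ", " ".join(scanner.text_parts)).lower()
    findings = []
    # Only warning wording *combined with* a download lure is flagged, so an
    # article that merely quotes the browser warning is left alone.
    mimics_warning = any(p in text for p in WARNING_PHRASES)
    offers_download = any(p in text for p in LURE_PHRASES)
    if mimics_warning and offers_download:
        findings.append("fake-browser-warning")
    if scanner.hidden_iframes:
        findings.append("hidden-iframe")
    return {"findings": findings, "hidden_iframes": scanner.hidden_iframes}


# --- constructed sample pages (not captured from any real site) ---------------
FAKE_PAGE = """<html><head><title>Reported Attack Page!</title></head><body>
<h1>Reported Attack Page!</h1>
<p>This web page has been reported as an attack page. Security patches are available.</p>
<a href="update.exe">Download Updates</a>
<iframe src="http://kit.example/in.php" width="0" height="0" style="border:0"></iframe>
</body></html>"""

EMBED_PAGE = """<html><body><h1>Town hall recording</h1>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
</body></html>"""

ARTICLE_PAGE = """<html><body><p>Firefox shows a red 'Reported Attack Page'
screen when a site is on the blocklist; Chrome says 'this site may harm your computer'.</p>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("fake", FAKE_PAGE), ("embed", EMBED_PAGE), ("article", ARTICLE_PAGE)):
        print(name, scan_page(page))
```

Run it over page bodies captured by a proxy or a detonation sandbox rather than by browsing to suspect sites; a hit is a triage signal that the page deserves a closer look, and the phrase lists should be extended as lure wording changes.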
• 10. Threats and the Facts (Personal - part 2)
  - Personal Experience of Identity Theft (3 official separate times) – and recently hacked this month at a military installation!
  - 64x-8 processor, 16 gigs RAM, 2x ½ Terabyte HD, Dual Booted – Windows 7 Pro and SUSE Linux, and multiple other system bells and whistles (bleeding edge laptop technology – do not recommend)
  - Attacked and hacked while operating in Windows 7 environment through the Chrome Browser – used a java / real player / buffer memory overflow exploit and then attempted to migrate and embed in the OSs
  - Gained currently loaded browser credentials and passwords – Google Email account compromised (Google notified me and stated someone in Greece had accessed my account) at the same time of identified problem
  - Locked up the system, scrambled system settings (date changed to year 2076), locally used IDS/IPS rendered partially ineffective, polluted other partitions – both Linux and Windows
  - Uncertainty of future protection due to complexity and immaturity of hardware and malware software protection
• 11. More of the Same “Threats and the Facts” – But, What are the Results?
  - Privacy Rights Clearinghouse
    - Chronology of Data Record Breaches: 13,678,437 (460 events, 2010) and 510,619,382 since January 2005 that have been reported [www.privacyrights.org/ar/ChronDataBreaches.htm]
  - Ponemon – HRH 2008 Privacy Breach Index Survey (Sept 2008)
    - Self evaluation of overall performance of organization: 9% gave an “A”; 31% gave a “B”; 26% gave a “C”; 29% gave a “D”; 5% gave an “F” [www.HRH.com/privacy]
    - 80% believed their organizations experienced information system data breaches and loss of customer and personal information
    - 50% Negligence; 29% Third-Party; 3% Hacker; 1% other criminal activity
    - 36% 1 to 4 breaches involving 100 or more records; 32% 5 to 8; 31% 9 or more
• 12. The Various Ways whereby YOUR Information is … LOST (Data Leakage)
  - Physical loss (PHYS) - Lost, discarded or stolen non-electronic records, such as paper documents
  - Portable device (PORT) - Lost, discarded or stolen laptop, PDA, smart-phone, portable memory device, CD, hard drive, data tape, etc.
  - Stationary device (STAT) - Lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility.
  - Hacking or malware (HACK) - Electronic entry by an outside party, malware and spyware.
  - Payment Card Fraud (CARD) - Fraud involving debit and credit cards that is not accomplished via hacking. For example, skimming devices at point-of-service terminals.
  - Unintended disclosure (DISC) - Sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail.
  - Insider (INSD) - Someone with legitimate access intentionally breaches information - such as an employee or contractor.
  - Unknown or other (UNKN)
• 13. The Basic Method to Exploit ... YOUR E-Identity
  - Identify Social / Cultural “Normalcy” and associated “Common Denominators” where potential gain or benefit may exist on the Internet or in the real world
    - Voice / Chat / Email / Tweet has become the primary “Means of Communication”
    - Browser Based Culture and Community, e.g., On-line Gaming (Entertainment), Banking (financial), Social Networks (Socialization), pornography sites (22% of all Internet based revenue), etc.
    - Marketing from Data Warehouses – Services (medical, Google, Microsoft, Government Entities; regardless of intentions, you are a customer, beneficiary, or potential threat)
    - Non-electronic communication or storage methods, e.g., stealing stuff with your name and other information on it
  - Exploit “Common Denominators” by …
    - Identifying and Predicting potential Outcomes from Your INFORMATION [ANY FRINGE FANS?]
    - Making it look like normal expected activity
    - Browser based exploits – Social networks, social engineering, harvesting information, or capitalizing on browser technology vulnerabilities
    - Email based exploits – Phishing
    - Browser, Email, and Web Site exploitation are all used in conjunction
    - Obscuring and confusing the real with the Counterfeit!
  - Their Objective … is to recreate a Counterfeit “Normalcy” that attracts and is utilized by YOU!!!!
  - FOR ORGANIZATIONAL (Terrorist) or PERSONAL (Theft, Malice, or Vendetta) GAIN
• 14. Legal Implications? I am not a lawyer – this is strictly opinion (disclaimer)!
  - Privacy Laws – Still very immature in the practical governance and implementation of standards
  - Case Law – Ongoing implications in who is to be held responsible for breaches (the Internet is complexity)
  - Victim – The individual has to initiate action that may prove too costly or ineffective to pursue
  - The government and big corporate entities very seldom will be held legally liable – Spin City
  - Bottom-line – Who really cares for YOUR interests and is YOUR advocate (cynical reality)?
• 15. Why Pick on Little Old ME?
  - How do thieves steal identities?
    Common methods thieves use to steal identities: Dumpster Diving, Phishing, Address Change, Old Fashioned Stealing, Hacking, & False Pretext
  - What do thieves do with stolen identities?
    Thieves use stolen identities to:
    - Open new credit card accounts, change your billing address, run excessive charges on your accounts, pay the minimum amounts due, and drain your accounts.
    - Open new phone or wireless accounts, set up utility services, open new bank accounts and write bad checks, take out loans, clone your ATM or debit cards to make electronic withdrawals.
    - Get driver's licenses, government benefits, file fraudulent tax returns, receive medical services.
    - Give your personal information to police during an arrest; have dual identities to hide their real identity from the Homeland Security Department.
  - What are the signs of identity theft?
    Look for signs or evidence to determine whether your identity has been compromised:
    - Evidence of bank or credit card accounts being opened in your name without your knowledge or approval.
    - Evidence of charges deducted from your accounts that you did not initiate.
    - Evidence of inaccurate information (e.g., wrong personal information, SSN, address, name, initials, or employers, etc.) on your credit reports.
    - Not receiving your credit card bills, bank statements, or other personal mail for no apparent reason; or receiving credit cards that you did not apply for.
    - Receiving calls or letters from collection agencies or businesses asking you to pay the cost of goods or services that you did not buy, or being denied credit or offered less favorable terms for no apparent reason, e.g., a high interest rate.
• 16. How Do I Respond? - Apathy, Acceptance, Anger, or … an Attitude of Rebellion and Resolve!
  - What should I do if my personal information has been compromised in a data breach?
    For tips on what to do if your personal information has been exposed due to a security breach, read our guide at http://www.privacyrights.org/fs/fs17b-SecurityBreach.htm.
  - Are there resources for businesses and other organizations on how to avoid having sensitive data breached?
    Learn about security and privacy protection practices for your workplace.
    - "Guide to Protecting the Confidentiality of Personally Identifiable Information," National Institute of Standards and Technology. Special Publication 800-122. (April 2010) http://ssrn.com/abstract=1671082
    - "How Global Organizations Approach the Challenge of Protecting Personal Data," from Accenture (released April 27, 2010) https://microsite.accenture.com/dataprivacyreport/Pages/default.aspx and https://microsite.accenture.com/dataprivacyreport/Documents/Accenture_Data_Privacy_Report.pdf
    - Forrester Consulting Study, “The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk,” (April 2010) sponsored by RSA and Microsoft, available at www.rsa.com/CorporateSecrets. For press release, see http://www.microsoft.com/Presspass/press/2010/apr10/04-05MSRSAPR.mspx?rss_fdn=Press%20Releases
    - "Data Breach and Incident Readiness Planning Guide" from the Online Trust Alliance (January 2010). https://www.otalliance.org/resources/Incident.html
    - "Security & Privacy -- Made Simpler," from the Better Business Bureau www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf
    - “Protecting Personal Information: A Guide for Business,” from the Federal Trade Commission www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf
    - “Information Security Handbook,” from the National Institute of Standards and Technology http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
    - “Prevent Identity Theft with Responsible Information-Handling Practices in the Workplace,” from the Privacy Rights Clearinghouse www.privacyrights.org/ar/PreventITWorkplace.htm
    - The California Office of Privacy Protection has developed a series of Recommended Practices. Several of the guides may be helpful in protecting your business whether or not you are located in California. www.privacyprotection.ca.gov/res/docs/pdf/infosharingdisclos.pdf www.privacyprotection.ca.gov/res/docs/pdf/ssnrecommendations.pdf
• 17. A Response with Rebellion and Resolve! Know Yourself – Know Your Enemy!
  The Art of War (Chinese: 孫子兵法; pinyin: Sūn Zǐ Bīng Fǎ) is a Chinese military treatise that was written during the 6th century BC by Sun Tzu.
  - Two Possible, not Recommended, Responses to the Challenge
    - Freak Out: Embrace Hopelessness, Hide, Ignore, Deny, and Play Computer Games until the Inevitable Occurs
    - Idealistic and Unrealistic: Do the “Don Quixote (To Dream the Impossible Dream and Fight the Impossible Fight)” - Wear yourself out Fighting Windmills by shooting at whatever pops its head out!
  - Third Approach: “How do you Eat the Elephant standing in the corner, Instead of Avoiding it?” Take ONE BITE at a time by…
    - Assess the level of risk you are willing to incur
    - Strategize a response
    - Be deliberate and not apathetic or indifferent
    - Be practical / understand it is not just about you (or ME)
    - Be an advocate or part of a culture that supports secure practices
    - Test and monitor the process with identifiable outcomes
• 18. Example: My E-Identity – Maltego App (paterva.com). That’s Me?!
• 19. Your Risk Profile, Probability, & Impact
  Risk “reality” is just a “Click” or “Communiqué” away!
  - Am I important, and if so why?
  - Why would someone want my information?
  - If I commit (“C”) to providing my information, what could be the outcome?
  - Is the “C” cost too high?
  - How will the “C” possibly impact OTHERS?
• 20. The “Life Cycle” of Security, the Process, Provisioning & Potential Exploitation – the Weakest Link? People!
• 21. What to Do to Be Safe…? Protect Yourself and Others!
  - Hardware – Stay off of the Bleeding Edge (very costly); OS updates; latest version of Browser / Email Clients and ensure they are patched (from the right vendors); dedicated systems per functional risk
  - Software – Anti-virus / Anti-Malware, Host level IDS / IPS, Security Browser Apps, Plug-in filters, etc. (buy from a reputable vendor)
  - Head-ware, e.g., “Common Sense” that is not too common
    - Don’t “Bank Online” (personal opinion and choice), limit on-line purchases, etc. – every transaction has an associated risk!
    - Don’t share personally identifiable information of any type or form online without assessing the risk!
    - Have fun, be cautious, and educate yourself regarding the risk
    - Remember, once it is on the Internet “it belongs to everyone.” Is it something you really wanted to share?
    - Assess non-Internet exchanges and communications, e.g., bill paying and US Postal Service
    - For everything you do, information is being collected. Ask the various organizations you do business with about their Privacy Policies and how they are protecting your information!
• 22. Thank You for Your Participation - Any Questions?
  - Understand EVERYONE is collecting Information about YOU – Their OBJECTIVE is PREDICTABILITY
  - YOUR and OTHERS E-Identity is a marketable commodity!
  - Take the necessary Precautions, Preventive measures, and Practice safe exchange of information
  - Hold Everyone Accountable for what they have been entrusted with!
  - Expect CONFLICT regardless of the approach you take.
• 23. Oops, Forgot – One Possible Solution! Current practical challenges are virtualization and distribution.
• 24. Sources & Considerations
  - Infected Web Sites - http://www.computerworld.com/s/article/342457/Visitors_Under_Attack?taxonomyId=%2016
  - Mozilla & Microsoft - http://news.cnet.com/8301-30685_3-10377445-264.html http://www.infoworld.com/d/security-central/mozilla-plug-in-checker-boostssecurity
  - Anti Malware Tactic - http://www.scmagazineuk.com/Aggressive-tactics-used-in-new-distributionand-%20installation-of-fake-anti-virus-software/article/154886/
  - Outlook - http://www.networkworld.com/news/2009/101509-phishing-zeus-outlook.html
  - Twitter - http://www.mxlogic.com/securitynews/web-security/security-experts-warn-of-possible-id-theft-scam-on-twitter835.cfm
  - P2P Software - http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=220600367
  - Email - http://news.bbc.co.uk/2/hi/technology/8294714.stm http://crave.cnet.co.uk/software/0,39029471,49303832,00.htm
  - Browsers - http://www.theregister.co.uk/2009/10/05/fraudulent_paypay_certificate_published/
  - Google - http://www.theregister.co.uk/2009/10/13/google_webmaster_malware_notification/
  - Terrorism - http://www.theregister.co.uk/2009/10/13/poland_cyberattacks/ http://www.internetnews.com/government/article.php/3843136/Cyber+Terrorism+Dem%20ands+New+Tactics+Study.htm
  - Click Fraud - http://www.theregister.co.uk/2009/10/23/botnet_generated_click_fraud/
• 25. Helpful Resources
  - USGBOR Information Security Reporting Process http://www.usg.edu/infosec/incident_management/ Twitter: http://twitter.com/usginfosec/
  - Internet Alert Dashboard: To report cyber infrastructure incidents or to request information, please contact US-CERT at sos@us-cert.gov or visit their Website: http://www.us-cert.gov. Information on IT information sharing and analysis can be found at the IT ISAC (Information Sharing and Analysis Center) Website: https://www.it-isac.org/
  - US-CERT: us-cert.gov/cas/tips/st06-003.html
  - StaySafeOnline: staysafeonline.info/practices/index.html
  - CyberSmart.org: www.ccybersmart.org/downloads/pdf/SocialNetworkGuide.pdf
  - GetNetWise: www.getnetwise.org
  - OnGuard Online: onguardonline.gov/socialnetworking_youth.html
  - TechMission, Inc. Safe Families: www.safefamilies.org/socialnetworking.php
  - Join my FaceBook “Mafia War” Family (beware, it is a social networking experiment) http://www.facebook.com/TheBishopOfOZ
  - Data Leakage http://ilpubs.stanford.edu:8090/968/1/leakage_tkde_final.pdf