Keep it safe agm13

Keep IT safe!
AGM Maribor
workshop
Damian Bulira
IT Committee

Identify a sensitive data
• What do you want to protect
Identify applications that you store information
in
• Where do you want to store it
Identify parties that have access to the data
• Who do you want to share it with
Secure and constrain access
• How do you want to protect it
IT security in a nutshell
AGM Maribor - Security Workshop | Damian Bulira - ESN IT Committee | damian@bulira.pl

Identify a sensitive data
• Personal data
• Financial data
• Photos ;)
• Password file

Identify applications that you store information
in
• Local files
• Locally stored on your hard drive
• How not to loose them?
• Mobile devices
• Laptops, smartphones, USB drives
• What if you loose them?
• Cloud services
• Google docs, Facebook, e-mail

Identify parties that have access to the data
• Family
• Friends
• Co-workers
• Internet provider
• Service providers
• Public
Secure and constrain access
• Access only to people that needs it
• Protect your passwords, tokens, digital IDs

How would you store and share it?
ESN case

Protecting local files
Password protection
• Office / OpenOffice -> embdedd function
• Password archive protection
• TrueCrypt protection
Remote copy
• Dropbox folders
• Scheduled backups

Backups
Avoid single point of failure
• Store sensitive data in more than 1 place
• Archive data (you never know when you want to bring
back some of it)
Dropbox, Google Drive
• Store but remember about encryption
• Easy sharing

CORRECT!

Sharing is caring
Similar stuff with Google Drive (docs)
• Even better – more detailed control
Why?
• Control over the contributors
• Someone leaves the organization
• A „black sheep” problem
• Version control – change tracking
• You share with the people that you explicitly invite

Mobile devices problem
Common scenario – lost smartphone:
• Stored passwords to FB, Google etc.
• All accounts and data have been took over!
• Always lock your phone – pattern lock, password
Laptop
• Hard disk fully encrypted
USB drive
• Vault partition on flash drive with sensitive data

Password protection
How easy is to crack your password
• Strong password policy
Never don’t share your password
• No shared accounts!
Don’t repeat the password in different
applications
• Password system
• PIN codes

How to pick a good password
Bad ideas
• Dates
• Names
• Common words
• „Pallomeri” ;)
Good ideas
• First letters of a poem, song
• P4770.m3r1
• Don’t reuse the passwords
TOP 2012
1. password
2. 123456
3. 12345678
4. abc123
5. qwerty
6. monkey
7. letmein
8. dragon
9. 111111
10. baseball

How to share passwords
Password shall be a private and unique
Share passwords only when it is necessary
DON’Ts
• Send whole passwords by e-mail
• Never send website, login and password together
DOs
• Share wisely – you share the responsibility
• Store passwords encrypted!
• Share passwords on a regular basis

The biggest EVIL!

Plaintext passwords
Thank you for signing up to Our Webpage, we hope that you
will have a great time here! Please click the link below to
authorise your username and password for use on the Our
site.
http://www.site.com/register.php?action=auth&email=damian@b
ulira.pl&auth=dnyhxn
***IF THIS LINK DOES NOT WORK, LOGIN AS NORMAL AND ENTER
THE DETAILS BELOW***
Your username that you used to sign up with is: dbulira
Your password you used to sign up with is: password12#
The email that you signed up with is: damian@bulira.pl

PGP mail encryption

Single Site Login
Being able to log in to any website through
existing proxy account

The security question
Helps with the password recovery, mostly to e-
mail boxes
Extremely important thing!
Treat it as the second password
Cool story…
http://www.foxnews.com/entertainment/2012/12/17/hollywood-hacker-honed-his-
skills-for-years/

Identity dependency
ESN use case ;)
• A jealous geeky boyfriend wants to spy on her
girfriend, he captures a google password (how?)
• Later on he discovers some fishy e-mails so he goes
deeper
• He changes the Google password and using lost
password feature generates a new password to
Facebook (SSO!), Twitter, etc.
• He discovers even more… :>
• Imagine what happens later…

Other day-to-day ESN security
cases
PC in the ESN office
• Private user accounts
• Guest account
ESN Office key access
• A case similar to password handling
• Track usage
• Access list (checked regularly)

Internet privacy
When you upload something to the Internet, it
stays there forever
Think before you post!
Restrict you privacy in social media
• Application access
Respect others privacy and don’t let people to
desrespect yours

Exercise
Sending credit card credentials
• You’ve forgot a credit card from your apartment and
urgently need to book a flight, fortunately your trustful
roommate can send you all the necessary data, how do
you proceed?

Join the IT Committee!
We always look for:
• Programmers
• Designers
• Documentation Writers
• Tutorial Makers
• System Administrators
• Linux Experts
• Drupal Developers

Keep it safe agm13

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Andere mochten auch

Andere mochten auch (20)

Mehr von Salih Odabasi

Mehr von Salih Odabasi (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Keep it safe agm13