4. Security News
Computer spyware is newest weapon in Syrian conflict
A U.S.-based antivirus software maker, which analyzed one of the viruses at
CNN's request, said that it was recently written for a specific cyberespionage
campaign and that it passes information it steals from computers to a server at a
government-owned telecommunications company in Syria.
Virus infects computer at CCSU (Central CT State Univ.)
The virus that caused the infection was a variant of the malicious
software ZBot, said James Estrada, spokesman of the university. According to
him, except for the Social Security Numbers, no other private detail was
compromised. Ctpost.com reported this on February 16, 2012.
Computer Infections to Rise During #Oscars?
NORIS system shut down over virus
A critical computer network is down after falling victim to a sophisticated worm.
Friday, that system is down for the third day, impacting about 200 different
agencies, including police departments, jails and courts all over northwest Ohio.
High School student blamed for uploading virus to school PC
4-8% of computers in China have viruses
5. The List ….
Latest 5 virus alerts
2/27/12 W32/Autorun-BUY
2/27/12 Troj/ZBot-BNF
2/27/12 Troj/ZBot-BNE
2/27/12 Troj/JavaSMS-L
2/27/12 Mal/ZboCheman-A
Source: Sophos Anti-Virus
Top 5 viruses in October 2010
1 Troj/Invo-Zip
2 W32/Netsky
3 Mal/EncPk-EI
4 Troj/Pushdo-Gen
5 Troj/Agent-HFU
Source: Sophos Anti-Virus
6. Security Myths
Why should I care? I have nothing to hide.
There is nothing on my computer that
anyone would want.
I have the best security set-up.
I have a firewall/virus program.
Hackers usually go after big companies.
I use a Mac!
7. Quick Check!
On your own (5 minutes) – on the cards
1. Your name
2. What is computer security?
3. List 2 ways in which users put themselves at risk
4. On a scale of 1-10 (1=never safe, 10=totally secure), how safe do
you feel from computer threats (viruses, worms, hackers, etc.)?
5. On a scale of 1-10 (1=never, 10=always), how often do you
protect your computer from viruses?
6. On a scale of 1-10 (1=never, 10=always), how often do you
provide personal information on the web?
8. What is the goal of Computer Security?
To prevent and detect unauthorized actions by users of the
system
How do you achieve Computer Security?
– Security principles/concepts: explore general
principles/concepts that can be used as a guide to design
secure information processing systems
– Security mechanisms: explore some of the security
mechanisms that can be used to secure information
processing systems
– Physical/Organizational security: consider physical &
organizational security measures (policies)
Take a class in SECURITY
Get certified – CISSP
9. Security Defined
What is Computer Security (in reality)?
– Confidentiality: prevent unauthorized disclosure of information
– Integrity: prevent unauthorized modification of information
– Availability: prevent unauthorized withholding of information
The CIA model is the basis of Information
Assurance
Additional criteria:
• Authenticity, accountability, reliability, safety,
dependability, survivability, currency, etc.
10. Security Defined (CIA)
Confidentiality: prevent unauthorized disclosure of
information
• privacy: protection of private data
• secrecy: protection of organizational data
• HTTPS, PGP, SSH, IPsec
Integrity: prevent unauthorized modification of
information
• Preventing unauthorized writing or modifications
• Access control
Availability: prevent unauthorized withholding of
information
• Services are accessible and useable (without undue delay) whenever
needed by an authorized entity
• 24/7 – no DoS
12. Beyond CIA
Accountability
– Actions affecting security must be traceable to the responsible party (audits)
– Audit information must be kept and protected (compliance with SOX)
– Access control is needed
Reliability – deals with accidental damage (do you get consistent
performance)
Dependability – reliance can be justifiably placed on the system
(similar to integrity)
Survivability/Disaster Recovery/Business Continuity – deals with
the recovery of the system after massive failure (especially after
9/11)
13. Finding a Balance
• Security policies interfere with working patterns,
and can be very inconvenient
• Require a focus on new workflows
• Security mechanisms need additional computational
resources
• Security should be a forethought
• Managing security requires additional effort and
costs
• ROI is hard to determine
• Ideally, there should be a trade-off
14. Finding a Balance
Application Software
|
|
User ---------------------------|-------------------- Resource
(subject) | (object)
|
Hardware
The Dimensions of Computer Security
15. Asking the Right Questions
Should protection focus on data, operations, or users? (See the
onion.)
In which layer should we place security?
Could we place it in all layers?
Should security focus on simplicity (i.e., complexity, assurance, one
password entry, lots of passwords)?
Should security control tasks be given to a central entity, or left to
individual components (i.e., people, departments, divisions, etc. )?
Who controls the security policy?
[Figure: layers – Hardware, OS, Services, Applications]
17. Hardware
Hardware is more visible to criminals
It is easier to add/remove/change hardware devices,
intercept traffic, flood devices with traffic, and in
general control hardware devices’ functionality
Hardware is ignored in security training
Hardware can also be removed – VA laptop, DOD
laptop, hard drives lost, etc.
Ex. (UNC): Since Jan. 1, the Chapel Hill Police Department has received reports of the theft of 45
laptops. Some were reportedly stolen in residential or business break-ins, others were taken
during armed robberies or when their owners left them unattended.
18. Software
Interruption (deletion): surprisingly easy!
Modification:
– Logic bomb – failure occurs when certain conditions are
met
– Buffer overflow – similar to logic or programming error
– Virus – a specific Trojan horse that can be used to spread its
“infection”
– Worm – self-reproducing program (usually spreads through
e-mails)
– Trapdoor – a program that has a specific entry point
Interception (theft): unauthorized copying
19. Software
Phishing
Ex.: During the 12 months that ended in May 2005, 73 million American adults who use the
Internet said that they "definitely" received or "thought they received" an average of more
than 50 phishing e-mails. That number was 28 percent higher than the previous year.
Where do they originate?
20. Data
Data are readily accessible
Attacks on data are more widespread
Data are everywhere …. We give it away
to everyone!
Fill out a credit card application, get a
free water bottle/coffee cup/t-shirt
What’s your zip code, your phone
number, etc.?
23. Attacks
United States Department of Commerce has
compiled a list of the general categories of
computer attacks (Security Glossary):
• Remote or Local Penetration
• Remote or Local DoS
• Scanning (Ethereal)
• Password Crackers
• Sniffers
24. Protections
Basics
– Firewall (Zone Alarm, Norton, hardware solutions)
– Anti-virus (McAfee, Norton, Symantec)
– Patches (automatic updates)
– Strong passwords (> 20 characters)
– Where is your data? How is it protected? Do you
have it backed up?
26. Risk Assessment
A process of ………
– Including a Business Impact Analysis
– Identifying assets and ranking them
– Identifying risks and ranking them
– Associating specific risks with critical assets
– Recommending actions to be taken
See http://security.fsu.edu
27. Risk Assessment
Don’t assume physical security!!!!
VA laptop, DOD laptop, Los Alamos HD
issue
Why steal just the data when you can
steal the hardware?
Faculty offices, student laptops in
libraries
28. Risk Assessment
Use strong passwords on all accounts
– More than 20 characters
– Limited by keyboard
– Under 14 characters is “crackable”
Your password is a very important secret
Select one you can remember (new rules)
You can remember a long password (Peter
Henry Thesis)
29. Risk Assessment
Passwords
– Change yours often!
– Don't leave yours lying around!
– The longer the better!
– Don't share yours with friends!
– FYI – in healthcare, people write down passwords all
the time
– CHECK! (# passwords 1, 2, 3, 4, 5, 6, recycle)
30. Technology Approaches
Operating system software
– Keep it updated with necessary patches
Patching
– Make sure your computer has the latest
operating system release
– Auto setting is the best!
– New security bugs are discovered all the time
– Remember the CERT website
31. Technology Approaches
Firewall (hardware or software) – permits
passage of data based on security policies
Virtual Private Network (VPN) – private
communications over public networks
(secured through authentication,
cryptography, tunneling protocols) using
IPsec (IP Security), SSL (tunneling), and
others …
32. Technology Approaches
• Hardware can be replaced - Keep serial numbers in a secure location
• Application software can be reloaded - Know what you have installed
• Data could be gone forever
• Ensure that adequate backups for your systems are done on a regular basis
34. Web Sites
Understand that e-mail is not secure.
KaZaA, etc. turned your computer into a distributor so that
people can download from your machine!
– NOTE: 45% of free files collected by KaZaA contained viruses,
Trojan horse programs and backdoors.
Sometimes you don't even know you are responsible for
security violations
– your computer gets hacked and is used to hack others (you have
no idea it's being done).
35. E-mail & Social Engineering
E-mail:
– A day-to-day necessity in our educational
environment
– We take it for granted
Social Engineering
– “Smooth-talking your way into a system”
– Common types of social engineering:
• Impersonation / Important user / Pre-texting
• You can find out information on Facebook /
MySpace
• Surplus equipment, Tallahassee (Cash for Trash)
• War-driving & dumpster diving
37. Solutions
None! (Well, none that are completely secure.)
Assume you will be compromised.
The task is to get back up and running.
http://security.fsu.edu/
Reporting
Setting up VPN at FSU
Subscribe to CERT
Subscribe to US-CERT
38. CERT
http://www.cert.org/stats/cert_stats.html
http://www.us-cert.gov/
39. Getting a JOB
Computer Security (Network Security)
Information Assurance
– The technical and managerial measures
designed to ensure the confidentiality,
possession/control, integrity, authenticity,
availability, and utility of information and
information systems. This term originated with
government usage and is sometimes
synonymous with information security.
– Become a CISSP