A Security Perspective on “Phishing” and “Social Networks”



Copyright Erwin L. Carrow. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author and other identified entities. To disseminate otherwise or to republish requires written permission from the author. Videos and specific graphics presented are not for public distribution.
Session Guide
- Erwin “Chris” Louis Carrow
  IT Auditor, M.Div., MSIS, BM, CISSP, INFOSEC, CCAI, CCNP, CCSP, CQS, CCNA, LCP, LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc. (Alphabet soup – who cares?!)
  Board of Regents, University System of Georgia; Office of Internal Audit and Compliance
  270 Washington Street S.W., Ste. 7087, Atlanta, GA 30334
  (404)657-9890 Office, (678)644-3526 Cell, (404)463-0699 Fax
  Email: erwin.carrow@usg.edu
  http://www.linkedin.com/in/thebishop
  http://twitter.com/ecarrow
- What Do I Do? Just a “Glorified Geek”
  - High level – IT evaluations system wide
  - General focus – lacks granularity of detail regarding day-to-day operations
  - Bottom line: “It’s all about ME” (joke)!
Session Agenda
- Key Takeaways and Introductions
- Basic Terminology, Context, & Methodology
- Strategic Use of YOUR and Others’ Personal Information
- What to Do to Be Safe / Limit Risk
- Q&A
Key Takeaways
At the end of this session you should be able to:
- Understand the RISK with Phishing & Social Networks;
- Understand the Motivation for Exploitation of YOUR or OTHERS’ PERSONAL INFORMATION;
- Identify & Assess Resources to Mitigate Associated RISK;
- Apply Basic Precautions to Mitigate Potential LOSSES.
Gone Phishing and Not Just Wishing – Videos
- Safe-guarding the Process: http://www.youtube.com/watch?v=UNanKfY5T9A
- Types of Phishing: http://www.onguardonline.gov/videos/overview.aspx
Threats and the Facts
- Recent Email, Browser, & Web Site Exploits (this month!)
  - Yahoo, Hotmail, & Gmail – Oct 7, self-propagating phishing scam; Oct 6, account usernames / passwords illegally leaked
  - Google – Oct 13, webmasters of compromised sites warned, with detailed code samples of what was found
  - Microsoft – Oct 14, phishing attacks with the Zeus Trojan targeting Outlook Web Access
  - Mozilla – Oct 16, disabled a Microsoft plug-in for Firefox
  - Facebook, MySpace, etc. – Oct 16, Twitter phishing login scams
  - Browsers – Oct 1-5, IE, Chrome, and Safari duped by a bogus PayPal SSL certificate
  - Peer-to-peer downloads – Oct 12, pirated software embeds malware
  - Puppet nets / botnets: a trusted major brand’s web site – instead of stealing customer records, the attacker installs malware that infects the computers of thousands of visitors to the site
  - Cyber terrorism – Oct 9, research points to new cyber terror tactics; Oct 13, Polish Government attack blamed on Russia (duh)!
  - Click fraud – Oct 23, botnet click fraud at record high
More of the Same “Threats and the Facts” – But What Are the Results?
- Privacy Rights Clearinghouse
  - Chronology of Data Breaches: 2,500,000 reported since January 2005 [www.privacyrights.org/ar/ChronDataBreaches.htm]
- Ponemon – HRH 2008 Privacy Breach Index Survey (Sept 2008)
  - Self-evaluation of the organization’s overall performance: 9% gave an “A”, 31% gave a “B”, 26% gave a “C”, 29% gave a “D”, 5% gave an “F” [www.HRH.com/privacy]
  - 80% believed their organizations experienced information system data breaches and loss of customer and personal information
  - Cause: 50% negligence, 29% third party, 3% hacker, 1% other criminal activity
  - 36% had 1 to 4 breaches involving 100 or more records; 32% had 5 to 8; 31% had 9 or more
Terminology, Context, & Who Are the Key Players
- People – Good (solution oriented), Bad (problem producers), and Indifferent (folks who don’t care about / understand the problem)
- Technology – Good (well managed), Bad (poorly managed), and Indifferent (owners who don’t care about or understand the problem)
- Services – The Internet (Home, Work, or Public environment) and associated resources, e.g., ISP, FaceBook, games, email, etc.
- YOU – “Part of the Solution” or “Part of the Problem,” e.g., a Recipient (“Poor Slob” that GOT HIT), Participant (inadvertently contributed either “for” or “against”), or Initiator (Johnny or Jill Hacker)?
- Specific or Potential Risks – Phishing attempts, Social Network exploits, etc.
Basic Methodology for All – Terrorist or Criminal Exploitations
- Identify social / cultural “Normalcy” and associated “Common Denominators” where potential gain or benefit may exist on the Internet
  - Email has become the primary “Means of Communication”
  - Browser-based culture and community, e.g., online gaming (entertainment), banking (financial), social networks (socialization)
- Exploit “Common Denominators” by …
  - Making it look like normal, expected activity
    - Browser-based exploits – social networks, social engineering, harvesting information, or capitalizing on browser technology vulnerabilities
    - Email-based exploits – phishing
    - Browser, email, and web site exploitation are all used in conjunction
  - Obscuring and confusing the real with the counterfeit!
- Their objective … is to recreate a counterfeit “Normalcy” that attracts and is utilized by YOU!!!!
  - FOR ORGANIZATIONAL (Terrorist) or PERSONAL (Theft, Malice, or Vendetta) GAIN
Response? Know Yourself – Know Your Enemy!
The Art of War (Chinese: 孫子兵法; pinyin: Sūn Zǐ Bīng Fǎ) is a Chinese military treatise that was written during the 6th century BC by Sun Tzu.

- Two possible but not recommended responses to the challenge
  - Freak Out: embrace hopelessness, hide, ignore, deny, and play computer games until the inevitable occurs
  - Idealistic and Unrealistic: do the “Don Quixote” (to dream the impossible dream and fight the impossible fight) – wear yourself out fighting windmills by shooting at whatever pops its head out!
- Third approach: “How do you eat the elephant standing in the corner, instead of avoiding it?” Take ONE BITE at a time by …
  - Assessing the level of risk you are willing to incur
  - Strategizing a response
  - Being deliberate and not apathetic or indifferent
  - Being practical / understanding it is not just about you (or ME)
  - Being an advocate or part of a culture that supports secure practices
  - Testing and monitoring the process with identifiable outcomes
Know Yourself
- Profile – Who are YOU?
- Habits & preferences
- Vocation or avocation
- Social outlets, what you do, & who you know
- Financial resources
- Education & military duty
- Government affiliation
- YOUR PERSONAL IDENTITY is based on what you share in your “Click!”
Know Your Enemy
Profile – Who are they?
- Terrorists
- Foreign governments
- Organized crime
- Petty thieves
- People trying to have fun at your expense?
- People who don’t like you!
- All motivated by what you have or what you can provide them, e.g., a “Click”
The Internet Is Bigger than Any Person or Government!
- No boundaries, constantly changing, & high complexity
- Political alliances with limitations
- Government-sponsored terrorism and hacking
- Electronic relationships with no commitment
- Values vary with social and cultural norms
- Fallacy / pitfall – YOU will evaluate acceptability by your own standards!
Risk Profile, Probability, & Impact
Risk “reality” is just a “Click” away!
- Am I important, and if so, why?
- Why would someone want me to “Click”?
- If I commit to “Clicking,” what could be the outcome?
- Is the “Click” cost too high?
- How will the “Click” possibly impact others?
Campus “Life Cycle” of Security & Process Provisioning – Are YOU the Weakest Link?
What to Do to Be Safe…?
- Protect yourself and others
  - Hardware – OS updates; latest version of browser / email clients, and ensure they are patched; dedicated systems per functional risk
  - Software – anti-virus / anti-malware, host-level IDS/IPS, security browser apps, plug-in filters, etc. (buy from a reputable vendor)
  - Head-ware, e.g., “Common Sense” that is not too common
    - Don’t “bank online” (personal opinion and choice), limit online purchases, etc. – every transaction has an associated risk!
    - Don’t share personally identifiable information of any type or form online without assessing the risk!
    - Have fun, be cautious, and educate yourself regarding the risk
    - Remember, once it is on the Internet “it belongs to everyone.” Is it something you really wanted to share?
Thank You for Your Participation – Any Questions?
- Understand the “browser-based” risk and the potential phishing and social networking scams that dominate “normalcy!”
- Profile your and others’ risk per the “Click” you take!
- Take the necessary precautions and preventive measures, and practice safe browsing!
Sources & Considerations
- Infected Web Sites – http://www.computerworld.com/s/article/342457/Visitors_Under_Attack?taxonomyId=%2016
- Mozilla & Microsoft – http://news.cnet.com/8301-30685_3-10377445-264.html ; http://www.infoworld.com/d/security-central/mozilla-plug-in-checker-boostssecurity
- Anti-Malware Tactic – http://www.scmagazineuk.com/Aggressive-tactics-used-in-new-distributionand-%20installation-of-fake-anti-virus-software/article/154886/
- Outlook – http://www.networkworld.com/news/2009/101509-phishing-zeus-outlook.html
- Twitter – http://www.mxlogic.com/securitynews/web-security/security-experts-warn-of-possible-id-theft-scam-on-twitter835.cfm
- P2P Software – http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=220600367
- Email – http://news.bbc.co.uk/2/hi/technology/8294714.stm ; http://crave.cnet.co.uk/software/0,39029471,49303832,00.htm
- Browsers – http://www.theregister.co.uk/2009/10/05/fraudulent_paypay_certificate_published/
- Google – http://www.theregister.co.uk/2009/10/13/google_webmaster_malware_notification/
- Terrorism – http://www.theregister.co.uk/2009/10/13/poland_cyberattacks/ ; http://www.internetnews.com/government/article.php/3843136/Cyber+Terrorism+Dem%20ands+New+Tactics+Study.htm
- Click Fraud – http://www.theregister.co.uk/2009/10/23/botnet_generated_click_fraud/
Helpful Resources
- USGBOR Information Security Reporting Process: http://www.usg.edu/infosec/incident_management/ ; Twitter: http://twitter.com/usginfosec/
- Internet Alert Dashboard: To report cyber infrastructure incidents or to request information, please contact US-CERT at sos@us-cert.gov or visit their web site: http://www.us-cert.gov. Information on IT information sharing and analysis can be found at the IT ISAC (Information Sharing and Analysis Center) web site: https://www.it-isac.org/
- US-CERT: us-cert.gov/cas/tips/st06-003.html
- StaySafeOnline: staysafeonline.info/practices/index.html
- CyberSmart.org: www.ccybersmart.org/downloads/pdf/SocialNetworkGuide.pdf
- GetNetWise: www.getnetwise.org
- OnGuard Online: onguardonline.gov/socialnetworking_youth.html
- TechMission, Inc. Safe Families: www.safefamilies.org/socialnetworking.php
- Join my FaceBook “Mafia War” Family (beware, it is a social networking experiment): http://www.facebook.com/TheBishopOfOZ

Weitere ähnliche Inhalte

Was ist angesagt?

Facebook white paper2011
Facebook white paper2011Facebook white paper2011
Facebook white paper2011CPPGroup Plc
 
Social Media Privacy
Social Media PrivacySocial Media Privacy
Social Media PrivacyLisa Turner
 
3Rs of Internet Safety: Rights, Responsibilities and Risk Management
3Rs of Internet Safety: Rights, Responsibilities and Risk Management3Rs of Internet Safety: Rights, Responsibilities and Risk Management
3Rs of Internet Safety: Rights, Responsibilities and Risk ManagementConnectSafely
 
Learn internet governance initiative child online safety by shreedeep rayamaj...
Learn internet governance initiative child online safety by shreedeep rayamaj...Learn internet governance initiative child online safety by shreedeep rayamaj...
Learn internet governance initiative child online safety by shreedeep rayamaj...Shreedeep Rayamajhi
 
E safety-course_2010
E safety-course_2010E safety-course_2010
E safety-course_2010kevinbrace
 
Brandon + Eddie users guide phi 235
Brandon + Eddie users guide phi 235Brandon + Eddie users guide phi 235
Brandon + Eddie users guide phi 235brendaylo
 
parent_teacher_tutorial
parent_teacher_tutorialparent_teacher_tutorial
parent_teacher_tutorialtutorialsruby
 
Do fear and exaggeration increase risk?
Do fear and exaggeration increase risk?Do fear and exaggeration increase risk?
Do fear and exaggeration increase risk?Larry Magid
 
Keep your Kids Safe Online
Keep your Kids Safe OnlineKeep your Kids Safe Online
Keep your Kids Safe Online_chimes_
 
Filters and monitoring: Panacea or band-aid
Filters and monitoring: Panacea or band-aidFilters and monitoring: Panacea or band-aid
Filters and monitoring: Panacea or band-aidConnectSafely
 
Internet Safety for Parents
Internet Safety for ParentsInternet Safety for Parents
Internet Safety for Parentswstagnaro
 
Tech Boot Camp October 2012
Tech Boot Camp October 2012Tech Boot Camp October 2012
Tech Boot Camp October 2012Marsha Harris
 
Internet safety presentation 2014
Internet safety presentation 2014Internet safety presentation 2014
Internet safety presentation 2014KanelandSvihlik
 
Tech Boot Camp 10.3.11
Tech Boot Camp 10.3.11Tech Boot Camp 10.3.11
Tech Boot Camp 10.3.11MMHoward
 
Pr cyberbullying campaign powerpoint
Pr cyberbullying campaign powerpointPr cyberbullying campaign powerpoint
Pr cyberbullying campaign powerpointhmorrell1
 
Ethical and safe internet use
Ethical and safe internet useEthical and safe internet use
Ethical and safe internet useBurkeV
 

Was ist angesagt? (20)

Facebook white paper2011
Facebook white paper2011Facebook white paper2011
Facebook white paper2011
 
Social Media Privacy
Social Media PrivacySocial Media Privacy
Social Media Privacy
 
Safe Social Networking Handout
Safe Social Networking HandoutSafe Social Networking Handout
Safe Social Networking Handout
 
3Rs of Internet Safety: Rights, Responsibilities and Risk Management
3Rs of Internet Safety: Rights, Responsibilities and Risk Management3Rs of Internet Safety: Rights, Responsibilities and Risk Management
3Rs of Internet Safety: Rights, Responsibilities and Risk Management
 
Learn internet governance initiative child online safety by shreedeep rayamaj...
Learn internet governance initiative child online safety by shreedeep rayamaj...Learn internet governance initiative child online safety by shreedeep rayamaj...
Learn internet governance initiative child online safety by shreedeep rayamaj...
 
Social media-threats
Social media-threatsSocial media-threats
Social media-threats
 
E safety-course_2010
E safety-course_2010E safety-course_2010
E safety-course_2010
 
Brandon + Eddie users guide phi 235
Brandon + Eddie users guide phi 235Brandon + Eddie users guide phi 235
Brandon + Eddie users guide phi 235
 
Social media-threats
Social media-threatsSocial media-threats
Social media-threats
 
Digital Self
Digital SelfDigital Self
Digital Self
 
parent_teacher_tutorial
parent_teacher_tutorialparent_teacher_tutorial
parent_teacher_tutorial
 
Do fear and exaggeration increase risk?
Do fear and exaggeration increase risk?Do fear and exaggeration increase risk?
Do fear and exaggeration increase risk?
 
Keep your Kids Safe Online
Keep your Kids Safe OnlineKeep your Kids Safe Online
Keep your Kids Safe Online
 
Filters and monitoring: Panacea or band-aid
Filters and monitoring: Panacea or band-aidFilters and monitoring: Panacea or band-aid
Filters and monitoring: Panacea or band-aid
 
Internet Safety for Parents
Internet Safety for ParentsInternet Safety for Parents
Internet Safety for Parents
 
Tech Boot Camp October 2012
Tech Boot Camp October 2012Tech Boot Camp October 2012
Tech Boot Camp October 2012
 
Internet safety presentation 2014
Internet safety presentation 2014Internet safety presentation 2014
Internet safety presentation 2014
 
Tech Boot Camp 10.3.11
Tech Boot Camp 10.3.11Tech Boot Camp 10.3.11
Tech Boot Camp 10.3.11
 
Pr cyberbullying campaign powerpoint
Pr cyberbullying campaign powerpointPr cyberbullying campaign powerpoint
Pr cyberbullying campaign powerpoint
 
Ethical and safe internet use
Ethical and safe internet useEthical and safe internet use
Ethical and safe internet use
 

Andere mochten auch

Symantec (ISTR) Internet Security Threat Report Volume 22
Symantec (ISTR) Internet Security Threat Report Volume 22Symantec (ISTR) Internet Security Threat Report Volume 22
Symantec (ISTR) Internet Security Threat Report Volume 22CheapSSLsecurity
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsMen and Mice
 
DerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
DerbyCon 7.0 Legacy: Regular Expressions (Regex) OverviewDerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
DerbyCon 7.0 Legacy: Regular Expressions (Regex) OverviewCiNPA Security SIG
 
Comodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurity
Comodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurityComodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurity
Comodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurityCheapSSLsecurity
 
Cisco Connect Toronto 2017 - Accelerating Incident Response in Organizations...
Cisco Connect Toronto  2017 - Accelerating Incident Response in Organizations...Cisco Connect Toronto  2017 - Accelerating Incident Response in Organizations...
Cisco Connect Toronto 2017 - Accelerating Incident Response in Organizations...Cisco Canada
 
OISF: Regular Expressions (Regex) Overview
OISF: Regular Expressions (Regex) OverviewOISF: Regular Expressions (Regex) Overview
OISF: Regular Expressions (Regex) OverviewCiNPA Security SIG
 
Dns Hardening Linux Os
Dns Hardening   Linux OsDns Hardening   Linux Os
Dns Hardening Linux Osecarrow
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 WebinarMen and Mice
 
Umbrella Webcast: Redefining Security for the Nomadic Worker
Umbrella Webcast: Redefining Security for the Nomadic WorkerUmbrella Webcast: Redefining Security for the Nomadic Worker
Umbrella Webcast: Redefining Security for the Nomadic WorkerOpenDNS
 
Microsoft Cyber Security IT-Camp
Microsoft Cyber Security IT-CampMicrosoft Cyber Security IT-Camp
Microsoft Cyber Security IT-CampAlexander Benoit
 
Phishing Scams: 8 Helpful Tips to Keep You Safe
Phishing Scams: 8 Helpful Tips to Keep You SafePhishing Scams: 8 Helpful Tips to Keep You Safe
Phishing Scams: 8 Helpful Tips to Keep You SafeCheapSSLsecurity
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
 
Scripting and automation with the Men & Mice Suite
Scripting and automation with the Men & Mice SuiteScripting and automation with the Men & Mice Suite
Scripting and automation with the Men & Mice SuiteMen and Mice
 
Cyber crime & security
Cyber crime & securityCyber crime & security
Cyber crime & securityAvani Patel
 
Cisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attackCisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attackCisco Canada
 
Role of DNS in Botnet Command and Control
Role of DNS in Botnet Command and ControlRole of DNS in Botnet Command and Control
Role of DNS in Botnet Command and ControlOpenDNS
 
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...CiNPA Security SIG
 
Cisco umbrella overview
Cisco umbrella overviewCisco umbrella overview
Cisco umbrella overviewCisco Canada
 

Andere mochten auch (20)

Symantec (ISTR) Internet Security Threat Report Volume 22
Symantec (ISTR) Internet Security Threat Report Volume 22Symantec (ISTR) Internet Security Threat Report Volume 22
Symantec (ISTR) Internet Security Threat Report Volume 22
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
 
DerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
DerbyCon 7.0 Legacy: Regular Expressions (Regex) OverviewDerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
DerbyCon 7.0 Legacy: Regular Expressions (Regex) Overview
 
Comodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurity
Comodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurityComodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurity
Comodo Multi Domain SSL Certificate: Key Features by CheapSSLsecurity
 
Cisco Connect Toronto 2017 - Accelerating Incident Response in Organizations...
Cisco Connect Toronto  2017 - Accelerating Incident Response in Organizations...Cisco Connect Toronto  2017 - Accelerating Incident Response in Organizations...
Cisco Connect Toronto 2017 - Accelerating Incident Response in Organizations...
 
OISF: Regular Expressions (Regex) Overview
OISF: Regular Expressions (Regex) OverviewOISF: Regular Expressions (Regex) Overview
OISF: Regular Expressions (Regex) Overview
 
Dns Hardening Linux Os
Dns Hardening   Linux OsDns Hardening   Linux Os
Dns Hardening Linux Os
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
 
Umbrella Webcast: Redefining Security for the Nomadic Worker
Umbrella Webcast: Redefining Security for the Nomadic WorkerUmbrella Webcast: Redefining Security for the Nomadic Worker
Umbrella Webcast: Redefining Security for the Nomadic Worker
 
Microsoft Cyber Security IT-Camp
Microsoft Cyber Security IT-CampMicrosoft Cyber Security IT-Camp
Microsoft Cyber Security IT-Camp
 
Phishing Scams: 8 Helpful Tips to Keep You Safe
Phishing Scams: 8 Helpful Tips to Keep You SafePhishing Scams: 8 Helpful Tips to Keep You Safe
Phishing Scams: 8 Helpful Tips to Keep You Safe
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
 
Scripting and automation with the Men & Mice Suite
Scripting and automation with the Men & Mice SuiteScripting and automation with the Men & Mice Suite
Scripting and automation with the Men & Mice Suite
 
Cyber crime & security
Cyber crime & securityCyber crime & security
Cyber crime & security
 
Tcp udp
Tcp udpTcp udp
Tcp udp
 
Cyber Security # Lec 2
Cyber Security # Lec 2Cyber Security # Lec 2
Cyber Security # Lec 2
 
Cisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attackCisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attack
 
Role of DNS in Botnet Command and Control
Role of DNS in Botnet Command and ControlRole of DNS in Botnet Command and Control
Role of DNS in Botnet Command and Control
 
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
(ISC)2 Cincinnati Tri-State Chapter: Phishing Forensics - Is it just suspicio...
 
Cisco umbrella overview
Cisco umbrella overviewCisco umbrella overview
Cisco umbrella overview
 

Ähnlich wie Social Networks And Phishing

Cognitive security: all the other things
Cognitive security: all the other thingsCognitive security: all the other things
Cognitive security: all the other thingsSara-Jayne Terp
 
Digital Defense for Activists (and the rest of us)
Digital Defense for Activists (and the rest of us)Digital Defense for Activists (and the rest of us)
Digital Defense for Activists (and the rest of us)Michele Chubirka
 
Why My E Identity Needs Protection
Why My E Identity Needs ProtectionWhy My E Identity Needs Protection
Why My E Identity Needs Protectionecarrow
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyRussell Publishing
 
100812 internet security2.0
100812 internet security2.0100812 internet security2.0
100812 internet security2.0dkp205
 
The Dark Side Of The Web
The Dark Side Of The WebThe Dark Side Of The Web
The Dark Side Of The Webmshin
 
Social Networking and Cyberbullying
Social Networking and CyberbullyingSocial Networking and Cyberbullying
Social Networking and CyberbullyingLouise Jones
 
Data Security for Nonprofits
Data Security for NonprofitsData Security for Nonprofits
Data Security for NonprofitsNPowerCR
 
Issues with computers
Issues with computersIssues with computers
Issues with computersayerssaa
 
Social Networking Threats
Social Networking ThreatsSocial Networking Threats
Social Networking Threatsejhilbert
 
Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009
Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009
Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009Scott Wright
 
Email phishing and countermeasures
Email phishing and countermeasuresEmail phishing and countermeasures
Email phishing and countermeasuresJorge Sebastiao
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxDinesh582831
 
IMA Meeting 03222012
IMA Meeting 03222012IMA Meeting 03222012
IMA Meeting 03222012jerryjustice
 
Your digital identity - are you feeling lucky?
Your digital identity - are you feeling lucky?Your digital identity - are you feeling lucky?
Your digital identity - are you feeling lucky?Kirsten Thompson
 
Cyber Safety How Children Can Protect Themselves From Online Threats
Cyber Safety How Children Can Protect Themselves From Online ThreatsCyber Safety How Children Can Protect Themselves From Online Threats
Cyber Safety How Children Can Protect Themselves From Online Threatsmkinzie
 
Tech Topic Privacy
Tech Topic PrivacyTech Topic Privacy
Tech Topic Privacynetapprad
 

Ähnlich wie Social Networks And Phishing (20)

Cognitive security: all the other things
Cognitive security: all the other thingsCognitive security: all the other things
Cognitive security: all the other things
 
Digital Defense for Activists (and the rest of us)
Digital Defense for Activists (and the rest of us)Digital Defense for Activists (and the rest of us)
Digital Defense for Activists (and the rest of us)
 
Users guide
Users guideUsers guide
Users guide
 
Why My E Identity Needs Protection
Why My E Identity Needs ProtectionWhy My E Identity Needs Protection
Why My E Identity Needs Protection
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthy
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Cyber Threat Landscape
Cyber Threat LandscapeCyber Threat Landscape
Cyber Threat Landscape
 
100812 internet security2.0
100812 internet security2.0100812 internet security2.0
100812 internet security2.0
 
The Dark Side Of The Web
The Dark Side Of The WebThe Dark Side Of The Web
The Dark Side Of The Web
 
Social Networking and Cyberbullying
Social Networking and CyberbullyingSocial Networking and Cyberbullying
Social Networking and Cyberbullying
 
Data Security for Nonprofits
Data Security for NonprofitsData Security for Nonprofits
Data Security for Nonprofits
 
Issues with computers
Issues with computersIssues with computers
Issues with computers
 
Social Networking Threats
Social Networking ThreatsSocial Networking Threats
Social Networking Threats
 
Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009
Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009
Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009
 
Email phishing and countermeasures
Email phishing and countermeasuresEmail phishing and countermeasures
Email phishing and countermeasures
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptx
 
IMA Meeting 03222012
IMA Meeting 03222012IMA Meeting 03222012
IMA Meeting 03222012
 
Your digital identity - are you feeling lucky?
Your digital identity - are you feeling lucky?Your digital identity - are you feeling lucky?
Your digital identity - are you feeling lucky?
 
Cyber Safety How Children Can Protect Themselves From Online Threats
Cyber Safety How Children Can Protect Themselves From Online ThreatsCyber Safety How Children Can Protect Themselves From Online Threats
Cyber Safety How Children Can Protect Themselves From Online Threats
 
Tech Topic Privacy
Tech Topic PrivacyTech Topic Privacy
Tech Topic Privacy
 

Social Networks And Phishing

  • 1. A Security Perspective on “Phishing” and “Social Networks” Copyright Erwin L. Carrow This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author and other identified entities. To disseminate otherwise or to republish requires written permission from the author. Videos and specific graphics presented are not for public distribution.
  • 2. Session Guide  Erwin “Chris” Louis Carrow IT Auditor, M.Div., MSIS, BM, CISSP, INFOSEC, CCAI, CCNP, CCSP, CQS, CCNA, LCP, LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc. (Alphabet soup – who cares?!) Board of Regents, University System of Georgia; Office of Internal Audit and Compliance 270 Washington Street S.W., Ste. 7087 Atlanta, GA 30334 (404)657-9890 Office, (678)644-3526 Cell, (404)463-0699 Fax Email: erwin.carrow@usg.edu http://www.linkedin.com/in/thebishop http://twitter.com/ecarrow  What I Do? Just a “Glorified Geek”  High level – IT Evaluations System Wide  General focus – Lack granularity of detail regarding day to day operations  Bottom line “It’s all about ME” (joke)!
  • 3. Session Agenda  Key Takeaways and Introductions  Basic Terminology, Context, & Methodology  Strategic Use of YOUR and Others Personal Information  What to Do to Be Safe / Limit Risk  Q&A
  • 4. Key Takeaways At the end of this session you should be able to: Understand the RISK with Phishing & Social Networks; Understand the Motivation for Exploitation of YOUR or OTHERS PERSONAL INFORMATION Identify & Assess Resources to Mitigate Associated RISK; Apply Basic Precautions to Mitigate Potential LOSES;
  • 5. Gone Phishing and Not Just Wishing -Videos  Safe-guarding the Process http://www.youtube.com/watch?v=UNanKfY5T9A online.gov/videos/overview.aspx  Types of Phishing http://www.onguard
  • 6. Threats and the Facts - Recent Email, Browser, & Web Site Exploits (this month!)
    - Yahoo, Hotmail, & Gmail - Oct 7, self-propagating phishing scam; Oct 6, account usernames / passwords illegally leaked
    - Google - Oct 13, webmasters of compromised sites warned, with detailed samples of the malicious code found on their pages
    - Microsoft - Oct 14, phishing attacks carrying the Zeus Trojan, targeting Outlook webmail users
    - Mozilla - Oct 16, disabled a Microsoft plug-in for Firefox
    - Facebook, MySpace, etc. - Oct 16, Twitter phishing login scams
    - Browsers - Oct 1-5, IE, Chrome, and Safari duped by a bogus PayPal SSL certificate
    - Peer-to-Peer downloads - Oct 12, pirated software with embedded malware
    - Puppet Nets / Bot Nets - a trusted major brand's web site: instead of stealing customer records, the attacker installs malware that infects the computers of thousands of visitors to the site
    - Cyber Terrorism - Oct 9, research points to new cyber-terror tactics; Oct 13, Polish Government attack blamed on Russia (duh)!
    - Click fraud - Oct 23, botnet click fraud at record high
  • 7. More of the Same "Threats and the Facts" - But, What are the Results?
    - Privacy Rights Clearinghouse, Chronology of Data Breaches: 2,500,000 reported since January 2005 [www.privacyrights.org/ar/ChronDataBreaches.htm]
    - Ponemon - HRH 2008 Privacy Breach Index Survey (Sept 2008) [www.HRH.com/privacy]
      - Self-evaluation of the organization's overall performance: 9% gave an "A", 31% a "B", 26% a "C", 29% a "D", 5% an "F"
      - 80% believed their organizations had experienced information system data breaches and loss of customer and personal information
      - Cause: 50% negligence, 29% third party, 3% hacker, 1% other criminal activity
      - 36% had 1 to 4 breaches involving 100 or more records; 32% had 5 to 8; 31% had 9 or more
  • 8. Terminology, Context, & Who are the Key Players
    - People - Good (solution oriented), Bad (problem producers), and Indifferent (folks who don't care about or understand the problem)
    - Technology - Good (well managed), Bad (poorly managed), and Indifferent (nobody cares about or understands the problem)
    - Services - The Internet (home, work, or public environment) and associated resources, e.g., ISP, FaceBook, games, email, etc.
    - YOU - "Part of the Solution" or "Part of the Problem," e.g., a Recipient ("poor slob" that GOT HIT), Participant (inadvertently contributed either "for" or "against"), or Initiator (Johnny or Jill Hacker)?
    - Specific or Potential Risks - phishing attempts, social network exploits, etc.
  • 9. Basic Methodology for All Terrorist or Criminal Exploitations
    - Identify social / cultural "normalcy" and the associated "common denominators" on the Internet where potential gain or benefit may exist
      - Email has become the primary "means of communication"
      - Browser-based culture and community, e.g., on-line gaming (entertainment), banking (financial), social networks (socialization)
    - Exploit the "common denominators" by ...
      - Making it look like normal, expected activity
      - Browser-based exploits - social networks, social engineering, harvesting information, or capitalizing on browser technology vulnerabilities
      - Email-based exploits - phishing
      - Browser, email, and web site exploitation are all used in conjunction
      - Obscuring and confusing the real with the counterfeit!
    - Their objective ... is to recreate a counterfeit "normalcy" that attracts and is used by YOU!!!! FOR ORGANIZATIONAL (terrorist) or PERSONAL (theft, malice, or vendetta) GAIN
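Slide 9 describes the attacker's method as counterfeiting "normalcy": a message that looks like routine email from a brand you use, carrying links that look like the site you expect. The script below is an added example, not part of the presentation, of what "obscure and confuse the real with the counterfeit" looks like at the byte level and how a practitioner surfaces it. It parses a constructed sample phishing email (the addresses, hostnames and the `TRUSTED_DOMAINS` allow-list are made up for the demonstration) and reports the usual tells: a display name that does not match the sender's domain, a Reply-To pointing somewhere else, link text that shows one site while the href goes to another, a trusted brand name buried as a subdomain of an unrelated registered domain, and punycode (internationalised) hostnames. The two-label `registered_domain()` helper is a stated simplification; a real check would use the public-suffix list.

```python
"""Surface the 'counterfeit normalcy' tells in a phishing email (added example)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message for the demonstration; every address and host is made up.
SAMPLE_EMAIL = """\
From: "PayPal Security" <alerts@paypal-verification.example>
Reply-To: recovery@mail-drop.example
To: victim@campus.example
Subject: Your account has been limited
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please restore access at
<a href="http://www.paypal.com.secure-login.example/verify">https://www.paypal.com/</a></p>
<p>Or use <a href="http://xn--pypal-4ve.com/">paypal.com</a></p>
<p>Help centre: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
</body></html>
"""

# Brands the reader expects mail from; a hypothetical allow-list, not from the slides.
TRUSTED_DOMAINS = {"paypal.com"}


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption: a production check would use the
    public-suffix list instead of this two-label approximation."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(href: str, text: str) -> list:
    """Tells for one link: text/href host mismatch, punycode host, and a trusted
    brand used as a subdomain label of some other registered domain."""
    findings = []
    host = (urlsplit(href).hostname or "").lower()
    shown = text.lower()
    shown_host = urlsplit(shown).hostname if shown.startswith(("http://", "https://")) else shown
    if shown_host and "." in shown_host and registered_domain(shown_host) != registered_domain(host):
        findings.append(f"text shows {shown_host} but the link goes to {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"internationalised (punycode) host {host}")
    for brand in TRUSTED_DOMAINS:
        if brand in host and registered_domain(host) != brand:
            findings.append(f"{brand} appears inside unrelated domain {registered_domain(host)}")
    return findings


def header_findings(msg) -> list:
    """Tells in the envelope: brand in the display name but not in the sending
    domain, and a Reply-To that diverts answers to a different domain."""
    findings = []
    sender = msg["From"].addresses[0]
    for brand in TRUSTED_DOMAINS:
        if brand.split(".")[0] in sender.display_name.lower() and registered_domain(sender.domain) != brand:
            findings.append(f'display name "{sender.display_name}" but address domain {sender.domain}')
    reply_to = msg["Reply-To"]
    if reply_to is not None:
        reply = reply_to.addresses[0]
        if registered_domain(reply.domain) != registered_domain(sender.domain):
            findings.append(f"Reply-To {reply.addr_spec} goes to a different domain than From")
    return findings


def analyse(raw: str) -> dict:
    """Parse a raw RFC 5322 message and return {'headers': [...], 'links': {href: [...]}}."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"headers": header_findings(msg), "links": {}}
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            found = link_findings(href, text)
            if found:
                report["links"][href] = found
    return report


if __name__ == "__main__":
    for section, items in analyse(SAMPLE_EMAIL).items():
        print(section, items)
```

Run stand-alone, it lists each flagged link with its reasons; the help-centre link, which really does resolve to the brand's own domain, produces no finding. These are the same checks a mail gateway or browser toolbar applies, just with better domain lists and reputation data behind them.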
  • 10. Response? Know Yourself - Know Your Enemy! The Art of War (Chinese: 孫子兵法; pinyin: Sūn Zǐ Bīng Fǎ) is a Chinese military treatise written during the 6th century BC by Sun Tzu.
    - Two possible, but not recommended, responses to the challenge
      - Freak Out: embrace hopelessness, hide, ignore, deny, and play computer games until the inevitable occurs
      - Idealistic and Unrealistic: do the "Don Quixote" (to dream the impossible dream and fight the impossible fight) - wear yourself out fighting windmills by shooting at whatever pops its head out!
    - Third approach - "How do you eat the elephant standing in the corner, instead of avoiding it?" Take ONE BITE at a time by ...
      - Assessing the level of risk you are willing to incur
      - Strategizing a response
      - Being deliberate and not apathetic or indifferent
      - Being practical / understanding it is not just about you (or ME)
      - Being an advocate for, or part of, a culture that supports secure practices
      - Testing and monitoring the process with identifiable outcomes
  • 11. Know Yourself Profile - Who are YOU?
    - Habits & preferences
    - Vocation or avocation
    - Social outlets, what you do, & who you know
    - Financial resources
    - Education & military duty
    - Government affiliation
    - YOUR PERSONAL IDENTITY is based on what you share with your "Click!"
  • 12. Know Your Enemy Profile - Who are They?
    - Terrorists
    - Foreign governments
    - Organized crime
    - Petty thieves
    - People trying to have fun at your expense
    - People who don't like you!
    - All motivated by what you have or what you can provide them, e.g., a "Click"
  • 13. The Internet is Bigger than Any Person or Government!
    - No boundaries, constantly changing, & highly complex
    - Political alliances with limitations
    - Government-sponsored terrorism and hacking
    - Electronic relationships with no commitment
    - Values vary with social and cultural norms
    - Fallacy / pitfall - YOU will evaluate acceptability by your own standards!
  • 14. Risk Profile, Probability, & Impact - Risk "reality" is just a "Click" away!
    - Am I important, and if so, why?
    - Why would someone want me to "Click"?
    - If I commit to "Clicking," what could be the outcome?
    - Is the cost of the "Click" too high?
    - How will the "Click" possibly impact others?
  • 15. Campus “Life Cycle” of Security & Process Provisioning – Are YOU the Weakest Link?
  • 16. What to Do to Be Safe ...? Protect Yourself and Others
    - Hardware - OS updates; latest version of browser / email clients, and ensure they are patched; dedicated systems per functional risk
    - Software - anti-virus / anti-malware, host-level IDS / IPS, security browser apps, plug-in filters, etc. (buy from a reputable vendor)
    - Head-ware, e.g., "common sense" that is not too common
      - Don't "bank online" (personal opinion and choice), limit on-line purchases, etc. - every transaction has an associated risk!
      - Don't share personally identifiable information of any type or form online without assessing the risk!
      - Have fun, be cautious, and educate yourself regarding the risk
      - Remember, once it is on the Internet "it belongs to everyone." Is it something you really wanted to share?
  • 17. Thank You for Your Participation - Any Questions?
    - Understand the "browser-based" risk and the potential phishing and social networking scams that dominate "normalcy"!
    - Profile your and others' risk per the "Click" you take!
    - Take the necessary precautions and preventive measures, and practice safe browsing!
  • 18. Sources & Considerations
    - Infected Web Sites - http://www.computerworld.com/s/article/342457/Visitors_Under_Attack?taxonomyId=16
    - Mozilla & Microsoft - http://news.cnet.com/8301-30685_3-10377445-264.html ; http://www.infoworld.com/d/security-central/mozilla-plug-in-checker-boostssecurity
    - Anti-Malware Tactics - http://www.scmagazineuk.com/Aggressive-tactics-used-in-new-distribution-and-installation-of-fake-anti-virus-software/article/154886/
    - Outlook - http://www.networkworld.com/news/2009/101509-phishing-zeus-outlook.html
    - Twitter - http://www.mxlogic.com/securitynews/web-security/security-experts-warn-of-possible-id-theft-scam-on-twitter835.cfm
    - P2P Software - http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=220600367
    - Email - http://news.bbc.co.uk/2/hi/technology/8294714.stm ; http://crave.cnet.co.uk/software/0,39029471,49303832,00.htm
    - Browsers - http://www.theregister.co.uk/2009/10/05/fraudulent_paypay_certificate_published/
    - Google - http://www.theregister.co.uk/2009/10/13/google_webmaster_malware_notification/
    - Terrorism - http://www.theregister.co.uk/2009/10/13/poland_cyberattacks/ ; http://www.internetnews.com/government/article.php/3843136/Cyber+Terrorism+Demands+New+Tactics+Study.htm
    - Click Fraud - http://www.theregister.co.uk/2009/10/23/botnet_generated_click_fraud/
  • 19. Helpful Resources
    - USGBOR Information Security Reporting Process: http://www.usg.edu/infosec/incident_management/ ; Twitter: http://twitter.com/usginfosec/
    - Internet Alert Dashboard - To report cyber infrastructure incidents or to request information, contact US-CERT at sos@us-cert.gov or visit http://www.us-cert.gov. Information on IT information sharing and analysis can be found at the IT-ISAC (Information Sharing and Analysis Center) web site: https://www.it-isac.org/
    - US-CERT: us-cert.gov/cas/tips/st06-003.html
    - StaySafeOnline: staysafeonline.info/practices/index.html
    - CyberSmart.org: www.cybersmart.org/downloads/pdf/SocialNetworkGuide.pdf
    - GetNetWise: www.getnetwise.org
    - OnGuard Online: onguardonline.gov/socialnetworking_youth.html
    - TechMission, Inc. Safe Families: www.safefamilies.org/socialnetworking.php
    - Join my FaceBook "Mafia War" family (beware, it is a social networking experiment): http://www.facebook.com/TheBishopOfOZ