I apologize, upon further review I do not feel comfortable providing any personal information or clicking on links in this email, as it appears to be a phishing attempt. Some signs that make me suspicious include:
- Poor grammar and spelling errors
- Request for personal information without sufficient context
- Urgency implied without reasonable justification
- Link to an unknown website asking for credentials
In the future, it's best to be cautious of unsolicited emails requesting personal details or login credentials, and to directly contact the company in question to verify any account updates.
6. Information risks
Unauthorized access & disclosure of confidential information
Unauthorized addition, deletion, or modification of information
Operational risks
System not functional (Denial of Service ‐ DoS)
System wrongly operated
Personal risks
Identity thefts
Financial losses
Disclosure of information that may affect employment or other
personal aspects (e.g. health information)
Physical/psychological harms
Organizational risks
Financial losses
Damage to reputation & trust
Etc.
Consequences of Security Attacks
34. Identification
Identifying who you are
Usually done by user IDs or some other unique codes
Authentication
Confirming that you truly are who you identify
Usually done by keys, PIN, passwords or biometrics
Authorization
Specifying/verifying how much you have access
Determined based on system owner’s policy & system
configurations
“Principle of Least Privilege”
User Security
36. Multiple‐Factor Authentication
Two‐Factor Authentication
Use of multiple means (“factors”) for authentication
Types of Authentication Factors
Something you know
Password, PIN, etc.
Something you have
Keys, cards, tokens, devices (e.g. mobile phones)
Something you are
Biometrics
User Security
38. Recommended Password Policy
Length
8 characters or more (to slow down brute‐force attacks)
Complexity (to slow down brute‐force attacks)
Consists of 3 of 4 categories of characters
Uppercase letters
Lowercase letters
Numbers
Symbols (except symbols that have special uses by the
system or that can be used to hack system, e.g. SQL Injection)
No meaning (“Dictionary Attacks”)
Not simple patterns (12345678, 11111111) (to slow down brute‐
force attacks & prevent dictionary attacks)
Not easy to guess (birthday, family names, etc.) (to prevent
unknown & known persons from guessing)
Personal opinion. No legal responsibility assumed.
39. Recommended Password Policy
Expiration (to make brute‐force attacks not possible)
6‐8 months
Decreasing over time because of increasing computer’s
speed
But be careful! Too short duration will force users to write
passwords down
Secure password storage in database or system
(encrypted or store only password hashes)
Secure password confirmation
Secure “forget password” policy
Different password for each account. Create variations
to help remember. If not possible, have different sets of
accounts for differing security needs (e.g., bank
accounts vs. social media sites) Personal opinion. No legal responsibility assumed.
43. Poor grammar
Lots of typos
Trying very hard to convince you to open
attachment, click on link, or reply without
enough detail
May appear to be from known person (rely on
trust & innocence)
Signs of a Phishing Attack
44. Don’t be too trusting of people
Always be suspicious & alert
An e‐mail with your friend’s name & info doesn’t have
to come from him/her
Look for signs of phishing attacks
Don’t open attachments unless you expect them
Scan for viruses before opening attachments
Don’t click links in e‐mail. Directly type in browser
using known & trusted URLs
Especially cautioned if ask for passwords, bank
accounts, credit card numbers, social security numbers,
etc.
Ways to Protect against Phishing
49. Economy of Mechanism
Design should be small & simple
Fail‐safe default
Complete mediation
Check every access to every object
Open design
Separation of privilege / Least Privilege
Secure Software Design Principles
Saltzer & Schroeder (1975), Viega & McGraw (2000)
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
50. Least common mechanism
Minimize complexity of shared
components
Psychological acceptability
If users don’t buy in to security
mechanism or don’t understand how to
use it, system is insecure
Work factor
Cost of attack should exceed resources
attacker will spend
Secure Software Design Principles
Saltzer & Schroeder (1975), Viega & McGraw (2000)
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
51. Compromise recording
If too expensive to prevent a compromise,
record it
Tamper evident vs. tamperproof
Log files
Secure Software Design Principles
Saltzer & Schroeder (1975), Viega & McGraw (2000)
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Image source: http://www.flickr.com/photos/goobelyga/2340650133/
55. Goal: provide a secure channel between Alice & Bob
A secure channel
Leaks no information about its contents
Delivers only messages from Alice & Bob
Delivers messages in order or not at all
Cryptography
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Alice Bob
Eve
56. Use of keys to convert plaintext into
ciphertext
Secret keys only Alice & Bob know
History: Caesar’s cipher, substitution
cipher, polyalphabetic rotation
Use of keys and some generator function to
create random‐looking strings (e.g. stream
ciphers, block ciphers)
Cryptography
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
58. What if no shared secret exists?
Public‐key cryptography
Each publishes public key publicly
Each keep secret key secret
Use arithmetic to encrypt & decrypt
message
Cryptography
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
66. Installed & updated antivirus, antispyware, &
personal firewall
Check for known signatures
Check for improper file changes (integrity failures)
Check for generic patterns of malware (for unknown
malware): “Heuristics scan”
Firewall: Block certain network traffic in and out
Sandboxing
Network monitoring & containment
User education
Software patches, more secure protocols
Defense Against Malware
67. Social media spams/scams/clickjacking
Social media privacy issues
User privacy settings
Location services
Mobile device malware & other privacy risks
Stuxnet (advanced malware targeting certain
countries)
Advanced persistent threats (APT) by
governments & corporations against specific
targets
Newer Threats
69. • ISO/IEC 27000 — Information security management systems — Overview and
vocabulary
• ISO/IEC 27001 — Information security management systems — Requirements
• ISO/IEC 27002 — Code of practice for information security management
• ISO/IEC 27003 — Information security management system implementation guidance
• ISO/IEC 27004 — Information security management — Measurement
• ISO/IEC 27005 — Information security risk management
• ISO/IEC 27031 — Guidelines for information and communications technology readiness
for business continuity
• ISO/IEC 27032 — Guideline for cybersecurity (essentially, ʹbeing a good neighborʹ on
the Internet)
• ISO/IEC 27033‐1 — Network security overview and concepts
• ISO/IEC 27033‐2 — Guidelines for the design and implementation of network security
• ISO/IEC 27033‐3:2010 — Reference networking scenarios ‐ Threats, design techniques
and control issues
• ISO/IEC 27034 — Guideline for application security
• ISO/IEC 27035 — Security incident management
• ISO 27799 — Information security management in health using ISO/IEC 27002
Some Information Security Standards
70. US‐CERT
U.S. Computer Emergency Readiness Team
http://www.us‐cert.gov/
Subscribe to alerts & news
Microsoft Security Resources
http://technet.microsoft.com/en‐us/security
http://technet.microsoft.com/en‐
us/security/bulletin
Common Vulnerabilities & Exposures
http://cve.mitre.org/
More Information