
User Awareness and Practices Andy Wiener Director, Information Technology FAME.



Presentation transcript:

1 User Awareness and Practices Andy Wiener Director, Information Technology FAME

2
- Introduction
- Importance of Information Security
- Security Threat Landscape
- FAME Practices to Protect Your Data
- User Practices to Protect Your Data

3
- FAME IT Director since March 2011
- Over 30 years in the IT industry
- Former VP of IT for Florida Career College
- Hold the top 2 information security certifications in the industry:
  - CISSP (Certified Information Systems Security Professional)
  - CISM (Certified Information Security Manager)
- Passed many security audits, including the U.S. Department of Defense

4
- The Internet allows a hacker to attack from anywhere on the planet.
- Risks caused by poor security knowledge and practice:
  - Identity Theft
  - Monetary Theft
  - Legal Ramifications (for yourself and your company)
  - Termination if company policies are not followed
- According to www.SANS.org, the top vulnerabilities available to a cyber criminal are:
  - Web Browser
  - Instant Messaging Clients
  - Web Applications
  - Excessive User Rights

5
- Organizations lose 5-6% of revenue annually due to internal fraud = $652 Billion in U.S. (2006)
- Average scheme lasts 18 months, costs $159,000
- 25% of cases cost more than $1M
- Smaller companies suffer greater average $ losses than large companies
Source: Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons

6
- Federal law that protects the privacy of student education records
- Applies to all schools that receive funds from the U.S. Department of Education
- Protects Personally Identifiable Information (PII):
  - Social Security Number
  - Place & date of birth
  - Driver’s license #
  - Bank account #
  - Mother’s maiden name

7

8 (Diagram of the attacker ecosystem)
- Cracker: computer-savvy programmer who creates attack software
- Script Kiddies: unsophisticated computer users who know how to execute programs
- Hacker Bulletin Board: SQL Injection, Buffer overflow, Password Crackers, Password Dictionaries; boasts of successful attacks ("Crazyman broke into …", "CoolCat penetrated…")
- Criminals: create & sell bots -> spam; sell credit card numbers, …
- System Administrators: some scripts are useful to protect networks…
- Prices shown: Malware package = $1K-2K; 1 M Email addresses = $8; 10,000 PCs = $1000

9
- Virus
- Worm
- Trojan Horse / Logic Bomb
- Social Engineering
- Rootkits
- Botnets / Zombies

10
- A virus attaches itself to a program, file, disk, or USB drive
- When the program is executed, the virus is activated
- The virus executes its payload and wreaks havoc:
  - Steals data and sends it to a hacker
  - Deletes files
  - Crashes your computer
(Diagram: Program A, carrying the extra code, infects Program B)

11
- A program that replicates itself and sends copies from computer to computer. It can infect any vulnerable machine on the network.
(Diagram: the worm reads an email list (Joe@gmail.com, Ann@yahoo.com, Bob@school.edu) and sends copies to Joe, to Ann, and to Bob)

12
- Logic Bomb: a program that executes upon certain conditions.
  - Software that malfunctions if the maintenance fee is not paid
  - An employee triggers a data deletion when he is fired
- Trojan Horse: masquerades as a beneficial program while quietly destroying data or damaging your system.
  - Download a game: it might be fun, but it has a hidden part that emails your password file without your knowledge.

13
- Social engineering manipulates people into performing actions or divulging confidential information. Similar to a confidence trick or simple fraud, the term applies to the use of deception to gain information, commit fraud, or access computer systems.
  - Phone call: "This is John, in IT. I need your password..."
  - Email: "ABC Bank has noticed a problem with your account…"
  - In person: "Where were you born? Your mother’s maiden name?" / "I’ve come to repair your computer and have some software patches…"

14
- Phishing: a ‘trustworthy entity’ asks via email for sensitive information such as SSN, credit card numbers, user names, or passwords.

15
- A link provided in an email leads to a fake web page that collects important information and sends it to the hacker.
- The fake web page looks like the real thing.

16
- A botnet is a large number of compromised computers that are used to create and send spam or viruses, or to flood a web site with messages as a denial-of-service attack.
- The compromised computers are called zombies.

17
- An attacker pretends to be your final destination on the network. If a person tries to connect to a WiFi access point or web server, an attacker can masquerade as that device. He can then read your email, display fake web pages to get you to input data, etc.

18
- Upon penetrating a computer, a hacker installs a collection of programs called a rootkit.
- It may enable:
  - Easy access for the hacker
  - A keystroke logger
- It eliminates evidence of the break-in
- It modifies the operating system
(Diagram: backdoor entry, keystroke logger, hidden user)

19

| Pattern | Possibilities | Time to Guess (current tech.) |
|---|---|---|
| Personal info: interests, relatives | 20 | 5 minutes |
| Social engineering | 1 | 2 minutes |
| American dictionary | 80,000 | < 1 second |
| 4 lower case alpha | 26^4 (456,976) | < 3 seconds |
| 8 lower case alpha | 26^8 | < 10 seconds |
| 8 upper + lower case alpha | 52^8 | < 1 minute |
| 8 upper + lower case alpha + numbers | 62^8 | 3.4 minutes |
| 8 upper + lower case alpha + numbers + punc. | 72^8 | 12 minutes |
| 12 upper + lower case alpha + numbers | 62^12 | 96 years |
| 12 upper + lower case alpha + numbers + punc. | 72^12 | 500 years |

20
- Antivirus software detects a problem
- Firewall alerts for strange programs trying to access the Internet
- Pop-ups suddenly appear (may sell security software)
- Files or transactions appear that should not be there
- Your computer shuts down and powers off by itself
- Ending up on a strange site when conducting a search
- Lots of network activity while not particularly active
- New icons, programs, favorites suddenly appear
- System slows down to a crawl
- Your mouse moves by itself
- Change to your browser home page
- Disk space disappears
- Often no symptoms at all!

21

22

23
- Employees trained on security
- Complex passwords required (8 characters, using at least 3 of: upper case, lower case, numbers, punctuation)
- Screensaver timeout (20 minutes)
- Block outgoing email with SSNs
- Email transmission encrypted (Gmail w/ https)
- WiFi kept outside of our corporate network
- File & server access determined by user role
- Software updates installed within 1 week
- Windows firewall enabled on all laptops

24
- Vipre antivirus/anti-spyware on all company computers, scans USB drives
- Vipre home edition offered to employees
- VPN access limited to certain employees
- Server room locked, only IT Dept. has keys
- WatchGuard firewall blocks bad websites
- Corporate data not exposed to Internet

25
- Dedicated Cisco firewall
- Customer databases on dedicated servers
- Customer databases encrypted
- All web transmission encrypted (https)
- Only Cloud Administrators can log into production servers
- System passwords changed every 90 days

26

27 Multiple layers of defense provide the best security.
(Diagram: concentric layers, from the inside out: Data, Application, Computer, Network)
Controls across the layers:
- Anti-Virus
- Anti-Spyware
- Encrypted Communication
- Strong Passwords
- Session Controls
- Limit Use of Admin Accounts
- Physical Security
- Software Updates

28
- Anti-virus software detects malware and can destroy it before any damage is done
- Be sure to maintain the license to keep receiving updates – new viruses come out every day
- Many free and pay options exist
- Can be used on phones/tablets as well as PCs

29
- A firewall acts as a wall between your computer/private network and the Internet. A firewall prevents hacker connections from entering your computer.

30
- Microsoft, Adobe (Flash, Reader), and Oracle (Java) regularly issue updates to solve security problems in their software. These should be installed as soon as possible.
- Chrome & Firefox browsers automatically update in the background.
- The Windows Update feature should be set up to automatically download and install Microsoft updates.

31
- Never use ‘admin’ or ‘administrator’ as a user name
- A good password is:
  - private: it is used and known by one person only
  - secret: it does not appear in clear text in any file or program, or on a piece of paper stuck to the monitor
  - easily remembered: so there is no need to write it down
  - at least 8 characters and complex: a mixture of at least 3 of the following: upper case letters, lower case letters, numbers, and punctuation
  - not guessable by any program in a short time
  - changed regularly: a good change policy is every 90 days
- Beware that someone may see you typing.
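The guess-time table on slide 19 and the "8 characters, 3 of 4 classes" rule on slide 31 are two sides of the same arithmetic: the number of candidates an exhaustive search must try is (alphabet size) ^ (length), and the time is that count divided by the attacker's guess rate. The Python below is an added worked example, not part of the presentation, that reproduces the table's brute-force rows and checks a candidate password against the slide-31 rule. Two assumptions are made here because the slides do not state them: a guess rate of about 10^12 guesses per second (chosen because it reproduces the 62^8 "few minutes" and 62^12 "about a century" rows), and a punctuation class of 10 characters (the difference between the table's 62 and 72 alphabets). The function names and the sample inputs are constructed for this example.

```python
import string

# Character classes from the slide-31 rule ("at least 3 of the following").
# Membership uses Python's string constants; the alphabet SIZES follow the
# slide-19 table (26, 52, 62, 72 => punctuation counted as 10 characters).
# That size table is an assumption made to reproduce the slide, not a fact from it.
CLASS_CHARS = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digits": set(string.digits),
    "punct": set(string.punctuation),
}
CLASS_SIZES = {"upper": 26, "lower": 26, "digits": 10, "punct": 10}

# Assumed attacker guess rate. The slide gives none; 1e12 guesses/second
# reproduces its 62^8 (a few minutes) and 62^12 (about a century) rows.
GUESSES_PER_SECOND = 1.0e12


def classes_used(password):
    """Return the set of character classes that appear in the password."""
    return {name for name, chars in CLASS_CHARS.items()
            if any(c in chars for c in password)}


def meets_policy(password, min_length=8, min_classes=3):
    """Slide-31 rule: at least 8 characters and at least 3 of the 4 classes."""
    return len(password) >= min_length and len(classes_used(password)) >= min_classes


def keyspace_for(alphabet_size, length):
    """Number of candidates an exhaustive search must cover: alphabet ^ length."""
    return alphabet_size ** length


def keyspace(password):
    """Search space for this password if the attacker knows which classes it uses."""
    alphabet = sum(CLASS_SIZES[name] for name in classes_used(password))
    return keyspace_for(alphabet, len(password))


def time_to_guess(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to exhaust the keyspace at the assumed rate."""
    return keyspace_for(alphabet_size, length) / rate


def human_time(seconds):
    """Render seconds in the largest convenient unit, as the slide does."""
    if seconds < 1:
        return "< 1 second"
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def audit(password):
    """Policy verdict plus a brute-force estimate for one candidate password."""
    space = keyspace(password)
    return {
        "classes": sorted(classes_used(password)),
        "meets_policy": meets_policy(password),
        "keyspace": space,
        "estimate": human_time(space / GUESSES_PER_SECOND),
    }


if __name__ == "__main__":
    # Brute-force rows of the slide-19 table: (alphabet size, length)
    for alphabet, length in [(26, 4), (26, 8), (52, 8), (62, 8), (72, 8), (62, 12), (72, 12)]:
        print(f"{alphabet}^{length:<3} {keyspace_for(alphabet, length):>26,}  "
              f"{human_time(time_to_guess(alphabet, length))}")
    # The slide-32 sample passwords plus a weak one for contrast (constructed inputs)
    for pw in ["m@!lf0n3", "Mfc1blu3", "Hb2uhb2uhbdJhb2u", "password"]:
        print(pw, audit(pw))
```

The first three rows of the slide-19 table (personal information, social engineering, a dictionary word) are not brute-force searches, so this calculator does not model them; a dictionary word that happens to mix classes would pass `meets_policy` while still being quick to guess, which is exactly why slide 31 lists "not guessable by any program in a short time" as a separate requirement.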

32
- Combine unrelated words: mail + phone = m@!lf0n3
- Abbreviate a phrase: My favorite color is blue = Mfc1blu3
- Music lyric: "Happy birthday to you, happy birthday to you, happy birthday dear Jim, happy birthday to you." = Hb2uhb2uhbdJhb2u

33
- Do not open email attachments unless you are expecting the email with the attachment and you trust the sender.
- Do not click on links in emails unless you are absolutely sure of their validity.
- Only go to web pages or download software from web sites you trust.

34
- Be sure to have a good firewall or popup blocker installed
- Always close a popup using the ‘X’ in the upper corner.
- Never click “Yes,” “Accept,” or even “Cancel”
- Never insert a USB drive into your computer unless you know where it came from. Hackers often leave infected drives unattended in public places.

35
- Always make sure your browser is using encryption for sensitive online activities: look for https:// in the address and the browser symbol showing enhanced security.

36
- No security measure is 100%
- What information is important to you?
- Is your back-up: Recent? Off-site? Secure? Encrypted? Tested?

37

