
1 Personal Information Security and Malware Awareness Workshop
Bard College at Simon's Rock Information Technology Services (ITS), Summer 2012
(Please sign in on the attendance sheet so we know you've been here!)

2 What are we doing here?
Brief intro to (some of) the information protection laws that apply to Simon's Rock
–Especially the 2010 Mass. Privacy Law, which is the reason you have to attend this session.
Strategies for protecting the private data we work with.
–Needs to be a college-wide effort.
–Reduce the amount of private data we store, Restrict access to what we do store, and Encrypt any that leaves campus.
Defenses against individual attacks on our personal accounts and computers.
–Unique passwords, required to wake system
–Software updates
–Recognizing fraudulent emails and websites

3 Warm Up: If Nothing Else, Remember This:
Legitimate online service providers, including ITS staff and your bank, will never, ever ask you for your password by email. (Watch out for fake login links by email, too.)

4 What is Protected Personal Information?
Depends which law is defining it! (We have to comply with lots of 'em!) Assume financial, academic, and health data need to be protected.
FERPA: Family Education Right to Privacy Act
PCI: Payment Card Industry regulations
HIPAA: Health Insurance Portability and Accountability Act
MA CMR: Standards for the Protection of Personal Information of Residents of the Commonwealth (aka the Massachusetts Privacy Law). This is the big one…
IANAL (I Am Not A Lawyer): This is a very brief overview, and I don't really know what I'm talking about.

5 FERPA *
–FERPA covers living students and alumni, and protects their academic records.
–Also, each institution defines student directory information (ours is in our Student Handbook)
–Everything else is non-directory information
–Simon's Rock may release directory information
–We may not release non-directory information without prior consent of the student, except in specific circumstances (such as a subpoena)
–A student may request that even their directory information not be published
*(Ask Heidi and Moira if you desire more details.)

6 FERPA (more)
Directory information at Simon's Rock:
–student's name;
–addresses (home, campus, and email);
–telephone numbers (home and campus);
–major or field of study;
–date and place of birth;
–full- or part-time status;
–enrollment dates;
–date of graduation (past or anticipated);
–current grade level (first-year, sophomore, junior, or senior);
–graduation information as published in the commencement program.
In general, faculty and staff have access to personally identifiable, non-directory information about students as long as they have a legitimate educational interest in it, in other words a "need to know."
Releasing personally identifiable non-directory information to others without prior permission from the student or alumnus/a is illegal.

7 PCI*: Credit Card Transactions
Any entity which collects payments with credit cards is contractually bound to follow the Payment Card Industry (PCI) Standard to protect information related to credit-card transactions.
The PCI standard provides very specific guidelines on how to protect such information in both paper and electronic formats.
Failure to comply can result in withholding of credit card revenue to pay fines & penalties.
See https://www.pcisecuritystandards.org
*I'm not sure if we have a resident expert on PCI. (I'm not it.)

8 PCI (more): Credit Cards at Simon's Rock
–Kilpatrick Athletic Center
–Admissions
–Development and Alumni Relations (Phone-a-thons?)
–Business Office
–Chartwells and Bookstore
–Others?

9 HIPAA*
Protect Personal Health Information
–Personal Health Information (PHI) must be protected, including information about: Health Status; Provision of Health Care; Payment for Health Care
In general, any information about a patient's medical record or medical payment history is protected.
–HIPAA defines administrative, physical, and technical safeguards for protecting PHI
–HIPAA applies to faculty, staff, and student information
–(FERPA also covers student health information, since it is non-directory information)
*We pretty much depend on Health Services staff to deal with HIPAA.

10 MA CMR * (Mass Privacy Law)
Protects Personal Financial Information (PFI)
–Mass. definition: A person's name with their: Social Security Number (SSN); Driver's License or State-issued ID Number; Financial Account Number; Credit Card Number
Information in any format: paper or digital
Protection applies to all Mass. residents:
–Students, Alumni, Employees, Guest speakers, contractors,…and everybody else.
*Janice is probably our best resource on this, plus there is lots of data on-line, because it is a recent law and all MA businesses have been scrambling to comply.

11 MA CMR (more)
Mass. businesses must develop, implement and maintain a comprehensive Written Information Security Program (WISP) to…
–Designate one or more employees to design, implement and coordinate the program
–Put in place processes for inventorying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to identify those records containing personal information.
–Put in place administrative, technical, and physical safeguards to ensure the security and confidentiality of such records

12 MA CMR (still more)
WISP requirements continued…
–Verify that third-party service providers with access to personal information have the capacity to protect such personal information
–Provide education and training of employees on the proper use of the computer security system and the importance of personal information security
But having the WISP written down is one thing; making it work to actually protect data depends on all of us.

13 MA CMR (omg, more)
The law has regulations about Information Security Breaches, defined as unauthorized use or acquisition of personal information that creates a substantial risk of identity theft or fraud.
So, a breach means the release (or potential release) of either:
– Unencrypted personal financial information
– Unencrypted data capable of compromising personal financial information (e.g. usernames & passwords)

14 MA CMR (more, more, more!) Information Security Breach
If a breach or possible breach occurs in Massachusetts, businesses and other organizations in MA must notify:
– MA Office of Consumer Affairs and Business Regulation
– The Massachusetts Attorney General
– The individuals whose information is at risk
The notification to the State must include:
–The nature and circumstances of the breach
–The number of Mass residents involved
–Steps that have been taken to deal with the breach
The notification to involved individuals must include:
–Consumer's right to obtain a police report
–Instructions for requesting a credit report security freeze
–BUT, should not include the nature of the breach or number of MA residents involved.

15 Williams Breach: October, 2009
Data loss occurred when a college-owned laptop computer was stolen from the user's car. Steps necessary to respond to this breach:
Interviewed laptop owner about information on laptop
Scanned laptop backup files for protected financial information and health data
–Protected data was found (Names w/ SSNs), so laws in 39 states and many foreign countries probably apply, depending on residency of leaked individuals
Williams obtained legal assistance and contracted for breach counseling services

16 Where did the Williams SSNs come from?
Excel files of pre-2006 class rosters from the old Student System (SIS)
Email messages related to paying individuals such as guest speakers, performers, referees
Unsolicited email messages that contained protected personal data.

17 Williams Breach: Cleanup Process
Compiled list of residential and email addresses for approximately 750 potential victims
Notified potential victims by mail and by email, sent all-campus notice
Responded to phone calls and emails
Financial costs to handle this breach included staff time, legal assistance and breach counseling services. Costs exceeded $50,000.
Note: If the laptop had been encrypted, the only loss would have been the cost of the laptop. (Hint: Do not store Simon's Rock PPI on an unencrypted portable device!)

18 (Aside) Fun Fact: if your personal data is involved in a data breach, you get a Free Credit Report Security Freeze
Any consumer in Massachusetts, New York, or Vermont may place a security freeze on his or her credit report by sending a request in writing, by mail, to all 3 consumer reporting agencies (Equifax, Experian, TransUnion). There's no fee for victims or their spouses for placing or removing a security freeze on a credit report. You can prove you're a victim by sending a copy of a police report. All other consumers must pay a $5-$10 fee. See the Consumers Union web site for more information:

19 Discussion break (pop quiz?)
You are the advisor to a first-year student. Their parent emails you and is concerned that the student is not doing well in classes, and asks if you can check with the student's professors and let the parent know.
Can you do this? What regulations might apply?

20 Here's the FERPA form that all students fill out:

21 Part II: Okay, so what do we do?
How do we comply with all these laws?
We need to determine what Protected data we really need to have, and then figure out how to actually protect it.
(Disclaimer: This data protection is not something ITS can magically make happen!)

22 Data Security Guiding Principles
Reduce!
–Don't collect personal data you don't need
–Don't store data you won't need again
Restrict!
–Keep protected data in secure locations: Paper docs in locked drawers or closets; Electronic docs stay on central servers; Password required to see your screen!
Encrypt!
–Protected electronic data that leaves Simon's Rock must be encrypted. (Also: Why is it leaving? Is it going to someone with a legitimate need for it?)

23 Shared Responsibility for Data Security
Responsibility of Staff Departments: Each department head is responsible for ensuring the appropriate protection of information within his or her area. Every employee is responsible for protecting the data they use and store, both electronic and on paper.
Responsibility of Faculty: Every faculty member is responsible for ensuring the confidentiality of any information they collect or use, both electronic and on paper. The Dean of Academic Affairs and Division heads should be aware of protected information handled by their divisions.

24 What about your office?
Goal: Minimize the potential risks from information leaks
If you don't need it, get rid of it (use a shredder if it's paper)
Be skeptical of requests for information
–Don't disclose protected information to just anyone!

25 What about your office?
Does your office handle legally-protected or confidential information?
–Do you know what protected data you have?
Workgroups should audit their stored data to confirm that old confidential docs are still required.
If you're not sure what's protected, ask!
–Photocopies of checks?
–Credit card info on scrap paper until it is processed?
Does your office or department have policies and procedures for protecting confidential information?

26 What about your office?
Does your office send or receive confidential information via email?
–Encrypt them when you send (details later)
–Delete them from email when you receive them
Does your office use a shredder?
–Or the secure document disposal can at Business Office.
Do you lock up your files when the office is closed?
Does your computer need a password to wake from sleep?
Do you lock the screen when you are away from your desk?

27 Goal: Each department that handles PPI has an Information Usage Policy
An information usage policy explains
–What information is confidential
–How to protect confidential information
–How to handle requests for information, both internal and external
–When and how to dispose of confidential information
–What the consequences are if the policy isn't followed

28 ITS can help (somewhat)
Locate data with PPI (part of your office audit!)
–We have software called Identity Finder which will search documents (Word, Excel, PDFs) and email for things that look like PPI
–Often finds SS#s, Credit Card #s, Bank Account #s and passwords in clear text.
–Such data should be removed from your computer: Delete if not needed; Store only on the server if possible.
Install Full-Disk encryption on all college laptops
–TrueCrypt on Windows, FileVault on Macs
–Requires extra password to decrypt for boot
–Hard disk unreadable without decryption

29 Part III: Getting Personal: Securing PCs (including home PCs)
Some elements are software based, e.g. system updates, secure password storage.
Mostly human based: Learn to recognize fake emails and bogus websites
BUT: The bad guys are getting better and better. Malware and web-based attacks get more sophisticated and more effective.

30 How is data lost or stolen?
Via Physical Access:
Theft of computer, external drives, flash drives, CDs, smartphones
Carelessness with passwords: Written in obvious places, passwords or hints too simple, home wifi router passwords left at default value.
It just takes seconds to read saved Firefox passwords, or to install monitoring software.
Via the Network:
Email phishing scams – users reply with passwords
Server hacks: Password files stolen and decrypted via brute force, then any recovered usernames/passwords are tried on other services.
Viruses / spyware used to install key-loggers or other monitoring software remotely
–Includes "drive-by" web hacks: malware code hacked into a legit website infects your computer when you visit.
Wireless data sniffing

31 Install ALL updates to key software
Updates come out so frequently because new exploits of bugs & security flaws are discovered all the time.
–(Can you get the fixes installed before you get hacked by the new malware?)
Important Software to Update:
–Windows or Mac OS
–AntiVirus definitions
–Java
–Adobe Reader
–Adobe Flash player
–Firefox (and all browsers)
Or: http://ninite.com : Select, install, and update software

32 Simple computer security
Don't use post-its to manage your passwords
– Use a program with strong encryption to store passwords: https://lastpass.com
Don't store passwords in Firefox (no encryption)
If you must write passwords down, keep them in your wallet.
If you have your own office: keep the door locked when away
If you work in a public area, lock your screen when you leave
– Windows: Press Windows-key + L to lock without logging out.
– Macintosh: Apple Menu > Sleep. (Also, see next point!)
Require a password when your computer wakes from sleep
Laptop security cable: Cheap, prevents opportunistic theft.

33 Email and PPI
Email & files sent over the Internet containing PPI must be encrypted.
–Email may pass through many servers en route to its destination
–Our users often read email on small devices that are not encrypted and that can be easily lost.
–Most computer email clients keep local copies of emails that can be read by anyone with access to the system
For these reasons, any unencrypted PPI in an email counts as a potential data breach.

34 Received Email with PPI
Some bozo un-aware parent sends you an email with an unencrypted PDF of their tax return attached. What do you do?
–Get this document out of your email box!
–Download the document if you need it
–Delete the message, and empty your trash.
–If you need to forward it to another staff member, encrypt the file you downloaded, email the encrypted version, and delete the file.

35 Sending PPI (Encryption basics)
Encryption is scrambling a file using complex mathematics and a password.
–Without the password, the file is random gibberish.
–The password allows the file to be decrypted back to the original readable form, using similar complex math
–Some encryption schemes are weak and can't be used.
Choose a password, encrypt the file of PPI, and attach the encrypted version to an email
–Don't send the password via email! (Call or skype or something to get it to the recipient)
–Don't use your regular system password!
–If you send many files to this recipient, you can use the same password for all of them

36 Encrypting Microsoft Office files
MS Office (since 2007) has strong encryption. So, password protect Word and Excel files of PPI directly in Office.
–Must use the new .docx or .xlsx file formats: encryption of the older .DOC or .XLS versions is weak, and there are free websites that can decrypt these files without the password.
–(Recipient must have Office 2007 or later to read such files.)
–To encrypt: File menu > Info. Click Protect… button, then select Encrypt with password.

37 Encryption for other files (PDF, etc.)
Zip files have adequate encryption. So, put the file or files you need to send into a zip file, and then add a password.
–Use a long passphrase, as zip encryption is weaker with short passwords.
–Older Macs will not open password-protected zip files without additional (free) software.
The password scheme built in to PDF files is very weak. Use password-protected zip files instead.

38 Traveling with a computer
Before you leave, think about what it would mean if your laptop were stolen or lost – are you sure you need it on your trip?
Consider a loaner with no personal data.
If you just need to check email you can use a smart phone.
Do not EVER leave a laptop in a parked car in a city – this is by far the most common way that laptops are stolen
Don't check your laptop when flying – in general don't let your computer out of your sight.
If using a public wireless network, use https sites to prevent data sniffing
If your laptop is stolen, contact ITS immediately and change your Simon's Rock password (consider it compromised)

39 Web Security
We are often required to log into web sites. How can you tell if the site is legitimate?
First, any site with a login must be https://, not http://
Next, check the domain – which of these could be Simon's Rock sites:
https://www.simons-rockrewards.com/
https://simons-rock.edu.technical-support.com/
https://technical-support.simons-rock.edu/
The domain is the last two words between the http:// or https:// and the next /
Same format as email addresses: or
Any Simon's Rock site will be //xyz.simons-rock.edu/
Any American Express site will be //xyz.americanexpress.com/
https://www.simons-rock.edu/go/x is legitimate because the domain is correct
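The two checks on this slide (https, then the last two words of the host name) can be written down as code. This is an added example, not part of the original slides; it runs the rule over the URLs quoted in this workshop, plus one constructed URL using example.net. The "last two words" rule is only right for single-word suffixes such as .edu and .com, which is stated as an assumption in the code.

```python
from urllib.parse import urlsplit

# The domain the slide treats as genuine for Simon's Rock sites.
TRUSTED_DOMAIN = "simons-rock.edu"


def site_domain(url):
    """Return the last two labels of the URL's host name, or None if there is none.

    Assumption: the suffix is a single label (.edu, .com). Suffixes such as
    .co.uk need the Public Suffix List rather than this two-label rule.
    """
    # urlsplit lower-cases the host and strips any "user@" prefix and ":port",
    # so a URL like https://www.simons-rock.edu@example.net/ resolves to example.net.
    host = urlsplit(url).hostname
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def check_login_url(url, trusted=TRUSTED_DOMAIN):
    """Return the reasons a login URL fails the slide's checks (empty list = passes)."""
    problems = []
    if urlsplit(url).scheme != "https":
        problems.append("not https")
    domain = site_domain(url)
    if domain != trusted:
        problems.append(f"domain is {domain}, not {trusted}")
    return problems


# URLs quoted on the slides, plus one constructed "user@" lookalike.
PAGE_URLS = [
    "https://www.simons-rockrewards.com/",
    "https://simons-rock.edu.technical-support.com/",
    "https://technical-support.simons-rock.edu/",
    "https://www.simons-rock.edu/go/x",
    "https://www.simons-rock.edu@example.net/login",  # constructed
]

if __name__ == "__main__":
    for url in PAGE_URLS:
        problems = check_login_url(url)
        print(url, "->", "OK" if not problems else "; ".join(problems))
    # The fake Williams webmail URL from a later slide: the real name appears
    # only in the path, which plays no part in deciding the domain.
    fake = "http://www.jctaiwan.com/~jctaiwan/webmail.williams.edu/"
    print(fake, "->", "; ".join(check_login_url(fake, trusted="williams.edu")))
```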

40 Email Security + Phishing
Phishing is the fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
NEVER FORGET: It is easy to spoof the From: address in an email.
Does the From: address match the Reply-to: address (if not, beware)
Phishing emails often start out "your account has been used to send spam" or "we are doing maintenance on our webmail system" – then they ask that you reply with your username and password
There will never be a reason to give anyone your password by email – honestly. (Also, be careful of email links to login sites.)
Note: Email notifications to the community from Simon's Rock ITS will always be from an individual listed at ITS in the campus staff directory, not from a generic name like Help Desk. (But, the directory is on-line, so a smart spammer could use it to find a good from address.)

41 Find the phishing clues
From: Bard College at Simons Rock"
Date: February 13, :25:45 AM EST
Subject: Webmail Subscriber
Reply-To:
Attn. Webmail User, We regret to announce to you that we will be making some vital maintainance on our webmail. During this process you might have login problems in signing into your Online account, but to prevent this you have to confirm your account immediately after you receive this notification.
Your simons-rock.edu Account Confirmation
Name:
ID:
Password:
Date of birth:
Your account shall remain active after you have successfully confirmed your account details.
Thanks
Bard College at Simons Rock Webmail Support Team

42 Phishing clues shown in yellow
From: Bard College at Simons Rock"
Date: February 13, :25:45 AM EST
Subject: Webmail Subscriber (Missing list tag, e.g. [Faculty])
Reply-To:
Attn. Webmail User, We regret to announce to you that we will be making some vital maintainance on our webmail. During this process you might have login problems in signing into your Online account, but to prevent this you have to confirm your account immediately after you receive this notification.
Your simons-rock.edu Account Confirmation
Name:
ID:
Password:
Date of birth:
Your account shall remain active after you have successfully confirmed your account details.
Thanks
Bard College at Simons Rock Webmail Support Team

43 Phishing Detection: Check the links!
HTML format emails let the sender hide the target URL address of a link behind descriptive text, which can be set to look like a different URL.
Hold the cursor over the link text to see the actual link address. (Mac Mail shown.)
Note that it is simple to copy graphics from the web…

44 More Check the Links!
With Webmail (and Thunderbird), the actual link is shown in the Status Bar at the bottom of the window.
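Two of the clues from the slides above, a Reply-To: that differs from From: and link text that shows one address while the link goes to another, can be checked mechanically. This is an added example, not part of the original slides; the message, its addresses and the example.net hosts are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches link text that itself looks like a web address and captures the host.
URLISH = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_clues(raw_message):
    """Return human-readable clues found in one raw email message."""
    msg = message_from_string(raw_message)
    clues = []

    # Clue 1: replies go somewhere other than the apparent sender.
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_addr and reply_addr != from_addr:
        clues.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # Clue 2: the text of a link names one host, the href points at another.
    # The comparison is exact, so "www.x.edu" shown over "x.edu" is also reported.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        html = part.get_payload(decode=True).decode(charset, "replace")
        collector = LinkCollector()
        collector.feed(html)
        for href, text in collector.links:
            shown = URLISH.search(text)
            target = (urlsplit(href).hostname or "").rstrip(".")
            if shown and shown.group(1).lower() != target:
                clues.append(
                    f"link text shows {shown.group(1).lower()} but points to {target or 'no host'}"
                )
    return clues


# Constructed sample message (all addresses and hosts are made up).
SAMPLE_MESSAGE = """\
From: "Simon's Rock Webmail" <webmail@simons-rock.edu>
Reply-To: confirm@mail.example.net
Subject: Webmail Subscriber
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Attn. Webmail User, confirm your account at
<a href="http://login.example.net/simons-rock.edu/">https://webmail.simons-rock.edu/</a>.</p>
<p>Questions? See <a href="https://www.simons-rock.edu/its">the ITS page</a>.</p>
"""

if __name__ == "__main__":
    for clue in phishing_clues(SAMPLE_MESSAGE):
        print(clue)
```

A clean result does not prove a message is genuine: as the slides note, the From: address is easy to spoof, and a link with plain descriptive text is not flagged by this check.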

45 A Phish that Worked at Simon's Rock
The following spam went to some faculty and staff:
This is not a particularly strong effort: ? ?! Undisclosed recipients?!? Helpdesk.4-all.org ??!! But, it did the trick!
Aside: Sophos missed this. Forward it as an attachment to: False positives to:

46 Here's the Web Site linked to in that spam:
Although this page does not seem much like a Simon's Rock website, one employee logged in to this site. The attackers used the stolen credentials to send spam via our webmail server, a few per second. Unhappily, it was the 4th of July weekend…

47 Another successful attack: Williams Webmail site copy
On Monday Sept. 29, 2009, a bogus email was sent with the subject line "Read Security Message" to many hundreds of Williams employees and students. The email had an attachment with a link to a bogus Williams webmail site.
The email itself was not particularly believable, but the fake webmail site was a perfect copy of Williams' real site. The only way to tell it was fake was to look at the domain information, which was: http://www.jctaiwan.com/~jctaiwan/webmail.williams.edu/

48 Preventing Malware, Viruses, Spyware
Malware, short for malicious software, is designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code covering viruses, spyware, trojan horses, worms, rogues, etc.
Spyware is like a virus specifically designed to steal information.
Worst-case malware allows an attacker to remotely control your computer:
–Send spam from hosts with no direct link to actual source
–Use clusters of compromised hosts for mass attacks on other web targets
–Record keystrokes and web traffic to obtain users' financial account logins, etc.
Keep up to date with AV, OS, Browser, Java, and Adobe patches.
Tools for home use:
–Microsoft Security Essentials: Simple, lightweight AV free from Microsoft.
–Malwarebytes.org: Free removal tool, MalwareBytes AntiMalware (MBAM). Run if you have a problem. (Download file is mbam-setup-versionnumber.exe: Be careful of the ads for other stuff on the download page. You want only the mbam-setup… file)

49 Common ways to get Malware:
Beware of online pop-up ads pretending to be a malware scanner.
Beware of online videos that claim you need to install special software to play the video.
Email attachments – Don't open one unless you are sure. Check with the sender. This includes e-cards, Word documents and PDFs.
Web links in email – Don't follow one unless you know for sure where it goes. (Check the actual link address, not the pretty version.)
Don't download hacked versions of expensive software – who knows what else the hacker might have added?
Don't add random software to your system if you can live without it
– E.g. WeatherBug, popup Smiley-face tools, fancy screen savers, etc.
However, some malware can get you if you merely visit an infected website. Sorry.

50 Rogue Security Software
Rogue security software (Fake Anti-Virus) is software that misleads users into paying for the fake removal of malware.
Typically you get a pop-up window while on the web alerting you that you have viruses or spyware on the computer and offering to clean it up. If you accept the offer, the program installs itself, then continuously tries to get you to pay for a "professional" version – which does nothing, except maybe remove itself.
Sometimes these rogue programs will not be picked up by real anti-virus software because you agreed to install the software.
One program that does very well at removing this type of software is Malwarebytes AntiMalware (MBAM) from malwarebytes.org.
A partial list of known rogue security software. Just the A's!! Advanced Cleaner, AlfaCleaner, Alpha AntiVirus, AntiSpyCheck 2.1, AntiSpyStorm, AntiSpyware 2009, AntiSpyware Bot, AntiSpywareExpert, AntiSpywareMaster, AntiSpywareSuite, AntiSpyware Shield, Antivermins, Antivirus 2008, Antivirus 2009, Antivirus 2010, Antivirus 360, Antivirus Pro 2009, AntiVirus Gold, Antivirus Master, Antivirus XP 2008, Antivirus Pro 2010, Antivirus System PRO, Avatod Antispyware 8.0, Awola

51 Security recap
1. Physical security can usually be attained by applying common sense and a little care – treat your computer like a passport or your wallet or purse.
2. Apply important software updates as soon as you are prompted.
3. Your office computer is a business tool – don't use it like a home entertainment system. This may help avoid some malware.
4. Wireless is everywhere and incredibly convenient, but anyone can receive your traffic (traffic generally meaning whatever you are typing in a web browser). If you are doing anything off-campus that requires a username and password, or requires entry of confidential information, make sure the website is https://
5. Your username and password protect a lot more than just YOUR personal info – they may give access to many people's PPI on college systems.

52 Quick Quizzes
You're traveling without a computer and want to see if you were paid on time. You find an internet café, pay for access, and log in to your online banking web site. You note that the username/password page in the web browser on the computer you're using is encrypted (using https://). Should you log in?

53 Quick Quizzes
Which of these web addresses (URLs) are legitimate Simon's Rock addresses?
https://webmail.simons-rock.edu/
https://webmail.simons-rock.collegebound.net/
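The advice on slides 47 and 49 to look at the domain and "check the actual link address, not the pretty version" can be done mechanically. The following is an added example, not part of the original workshop: `TRUSTED_DOMAINS`, the function names and the `login.example.net` sample are assumptions made here, and it goes slightly beyond the slides by also catching a trusted name placed before an "@".

```python
from urllib.parse import urlsplit

# Assumption: domains the two colleges really own, taken from the slides' URLs.
TRUSTED_DOMAINS = ("simons-rock.edu", "williams.edu")


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason), judging a link by its real host only."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
        user = (parts.username or "").lower()
    except ValueError:
        return "suspicious", "link cannot be parsed"
    if not host:
        return "suspicious", "no host name in link"

    # Trusted only if the host IS a trusted domain or ends in ".<domain>".
    owner = next((d for d in trusted if host == d or host.endswith("." + d)), None)
    if owner is None:
        for d in trusted:
            brand = d.split(".")[0]
            # The trusted name placed in the path or before an "@" is bait.
            if d in parts.path.lower() or d in user:
                return "lookalike", f"{d} is not the host; the real host is {host}"
            # The brand used as a label under somebody else's domain.
            if brand in host:
                return "lookalike", f"'{brand}' appears inside foreign host {host}"
        return "untrusted", f"{host} is not a trusted domain"
    if parts.scheme != "https":
        return "insecure", f"{host} is trusted but the link is not https"
    return "trusted", f"{host} is part of {owner}"


def text_hides_target(display_text, href):
    """True when the visible link text names a different host than the href."""
    shown = display_text.strip().lower()
    if " " in shown or "." not in shown:
        return False  # ordinary wording such as "Click here" names no host
    if "://" not in shown:
        shown = "//" + shown  # lets urlsplit treat bare text as a host
    return urlsplit(shown).hostname != urlsplit(href).hostname


if __name__ == "__main__":
    # The last URL is constructed for illustration; the others are on the slides.
    for link in ("https://webmail.simons-rock.edu/",
                 "http://www.jctaiwan.com/~jctaiwan/webmail.williams.edu/",
                 "https://webmail.simons-rock.edu@login.example.net/"):
        print(link, "->", classify_link(link))
```
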

54 If Nothing Else, What should you remember? ?

55 Questions? Many thanks to Williams College OIT for use of their PowerPoint presentation and for sharing their specific exploit examples. WWII Posters from American Merchant Marine at War,

