Texas Christian University Technology Resources (presentation transcript)

1 Texas Christian University Technology Resources
Email Security. Texas Christian University Technology Resources. In this online training video I will talk about email security.

2 Overview: Phishing, Spam, Spoofing, Attachments, Best Practices,
Data Protection. First I will discuss phishing, what it is and how to avoid it. Next I will talk about spam: why we get spam and what we can do about it. Then I will look at why we should be wary of attachments and links in email. Best practices to protect yourself and others when using email will be discussed. Finally we will talk about why we shouldn't email unencrypted sensitive personal information and how we can go about safely transmitting SPI via email. TCU Information Security Services

3 Phishing. Phishing is an illegal activity that uses social engineering techniques to trick people into giving out personal information. Typically you will receive an email that appears to be from a legitimate business or organization asking for verification of personal or financial information. What is social engineering? That is covered on the next slide. Often there will be urgent and alarming statements of consequences if you don't respond immediately.

4 Wikipedia: "Social engineering is the art of manipulating people into performing actions or divulging information." CERT: "...an attacker uses human interaction (social skills) to obtain or compromise information." CERT here is US-CERT, the United States Computer Emergency Readiness Team, part of the Department of Homeland Security; it says that social engineers use human interaction, or social skills, to obtain or compromise information. Some say that the human element is the weakest link in information security.

5 Phishing Email. Information asked for in a phishing email may include:
your username or user ID, your password, your social security number, your bank or credit card account number, your birthdate, even your mother's maiden name. Or there may just be a link to click on that takes you to an official-looking web site where you are asked to enter personal or financial information.

6 Phishing techniques: Link manipulation, Spoofed website, Website forgery, Filter evasion.
Link manipulation: technical deception designed to make a link in an email, and the spoofed website it leads to, appear to belong to the spoofed organization. Spoofed website: looks almost exactly like the real thing. Website forgery: a spoofed website that uses JavaScript to alter the address bar so that it appears legitimate. Filter evasion: misspelled words and images instead of text are used to evade anti-phishing filters. A little more about the techniques used by phishers. Link manipulation uses technical deception to make a link look real; when you click on it, it takes you to a spoofed website. A spoofed website is set up to look exactly like the real web site. If you are used to logging into your bank and feel you know what its web site looks like, and you click on a link in an email supposedly from your bank that takes you to a site that looks identical, you may enter your username and password, and then the phishers have access to your bank account. Your only clue might be that the URL is different, although with techniques such as website forgery even the address bar may be made to look the same. Many organizations have begun using filters to reduce phishing emails and spam; here at TCU we have the End User Quarantine. So phishers use filter evasion techniques such as misspelled words and images instead of text to get past the filters.

7 Spear Phishing. A highly targeted version of a phishing scam is "spear phishing." A spear phishing message may look like it is coming from a trusted source such as your employer or the computer help desk, and the information requested may not seem out of the realm of possibility. The relative success of spear phishing relies on the details used: the apparent source is known and trusted, information within the message supports its validity, and the request seems to have a logical basis.

8 Vishing. Voice over Internet Protocol (VoIP) enables phone calls over the web. For criminals this makes it easy to fake real numbers and create phony automated customer service lines, and such numbers are very hard to trace. Vishing scheme 1: you get a phishing email with a phone number to call; when you call, you are asked for personal or financial information. Vishing scheme 2: you get a phone call, maybe in the middle of the night, indicating that suspicious activity has taken place on an account and directing you to take action to protect it; you are then asked to verify your identity with account information.

9 Smishing. Phishing fraud sent via SMS (Short Message Service) text messaging; emerging as a new threat to cell phone users. Examples: a text message contains a web site hyperlink which, if clicked, downloads a Trojan horse to the phone; a text message informs you that your bank account has been frozen and tells you to call a phone number to unlock it, where an automated (bogus) phone system asks for your account number, SSN and PIN.

10 Recent Phishing Email at TCU
Spoofed email; link manipulation. TCU Technology Resources will NEVER send a link in an email which takes you to a website requesting that you login or enter your username and password.

11 Fake Website. Notice there is no https. Look between the first double // and the first single / in the address: that's NOT TCU.

12 Real Website: https://my.is.tcu.edu/psp/pa9prd/?cmd=login. Secure (https). That is TCU.

13 Another TCU Phishing Email
Link manipulation

14 Fake Website. No https. Look between the first double // and the first single / in the address: that's NOT TCU.

15 Real Website. Secure (https). That is TCU.

16 And Another TCU Email: False urgency
TCU Technology Resources, including the Help Desk, will NEVER ask for your password, in an email, over the phone or in person! Clues: false urgency; misspellings of simple words. Don't give out your username or password! This is a spear phishing email received recently at TCU. It looks like it comes from Technology Resources and it sounds like your account will be closed if you don't respond: once again, a false sense of urgency. Notice the misspelled words; this is frequently seen in phishing emails. This email asks for a username and password. TCU Technology Resources, including the Help Desk and Information Security Services, will NEVER ask for your password, in an email, over the phone or in person.

17 Phishing Example – Financial Institution
Clues: false urgency designed to get you to act without thinking; false credibility; lack of personal greeting; untraceable phone number; more false urgency; spoofed web address. So let's look at some examples of phishing emails and then we'll discuss other ways that you can protect yourself. This first example is supposedly from Wachovia Bank. The first thing to note is that the phishers have established a false sense of urgency in the subject line, "Account Update Alert!!!"; they are trying to get you to act without thinking. Notice that they have used Wachovia Bank's banner, probably copied and pasted from its website; this gives a false sense of credibility. A lack of personal greeting is a good clue (although not a guarantee) that this is a phishing email. Most likely the phone number is untraceable, and if you called it you would be greeted by a phony customer service representative. In the text we again see an alarming message meant to give us a sense of urgency to respond. And finally, the web address is forged and takes us to a spoofed web site.

18 Phishing Example – Lottery Scam
Foreign lottery scams are common. You won, but did you play? If it sounds too good to be true, it usually is. This example is a foreign lottery scam, which is relatively common. If you get an email like this you need to ask yourself: why did I win? I don't remember even playing. And remember, if it sounds too good to be true, it probably is!

19 Phishing Example – IRS Scam
The IRS web site clearly states that it will not initiate taxpayer communications through email. Clues: false credibility; false urgency; links to a spoofed web site. This past spring many people got this IRS phishing email. Notice the official-looking letterhead giving us a false sense of credibility. Also notice the false urgency in the paragraph stating that your refund may be delayed if you don't respond quickly. The link leads to a spoofed web site that looks like an IRS web site and asks for information including your social security number. Please note: the real IRS web site clearly states that it will not initiate taxpayer communications through email.

20 Avoid being Phished! Links in Emails
Approach links in an email with caution. They might look genuine, but they could be forged. Copy and paste the link into your web browser so you can see where it really goes, type in the address yourself, or even Google the company and go to their website from the search results.

21 Avoid being Phished (continued)
Learn to spot non-legitimate web sites. Look at the address between the // and the first /: it should end with the company you expect. Fake: Real: Is it secure? Look for https in the address and the lock icon in the browser. Note that https and the lock only tell you the connection is encrypted, not that the site belongs to who it claims to be, so check the address first. In addition to attachments, you should be very cautious about links in emails. As mentioned previously, they may look real but could easily be forged. Make a habit of NOT clicking on links in emails, whether you think they are legitimate or not. You can copy and paste the link from the email into the address bar of your web browser, which at least lets you read the real address before you go there. You can also type in the address yourself. Or you can even Google the company or organization and go to their website from the search results.
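The address check on this slide and on the fake/real website slides above (look between the first // and the first /, then look for https) is easy to get wrong by eye, because a browser does not find the host the way a person reading left to right does. The Python below is an added example, not part of the TCU training: it extracts the host with the standard library's URL parser, tests whether that host belongs to tcu.edu (the domain and the real login address come from the earlier slide; the other sample addresses are invented, using the reserved example.net domain), and scans a constructed phishing-style HTML body for link manipulation, where the text you see is a TCU address but the link underneath goes elsewhere.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The domain the training tells users to expect. Assumption for the demo:
# any host that is tcu.edu, or ends in ".tcu.edu", counts as TCU.
EXPECTED_DOMAIN = "tcu.edu"


def host_of(url: str) -> str:
    """Return the host part of a URL, lower-cased, without userinfo or port.

    urlsplit handles what a naive "look between // and /" misses: a user@
    prefix (http://tcu.edu@evil.example.net/ goes to evil.example.net),
    a :port suffix, and an address typed without a scheme.
    """
    if "://" not in url:
        url = "http://" + url  # treat a bare host the way a browser does
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def belongs_to(url: str, domain: str = EXPECTED_DOMAIN) -> bool:
    """True only if the host IS the domain or is a subdomain of it.

    The dot boundary matters: my.is.tcu.edu belongs to tcu.edu, but
    tcu.edu.example.net and mytcu.edu do not.
    """
    host = host_of(url)
    return host == domain or host.endswith("." + domain)


def is_https(url: str) -> bool:
    """True if the scheme is https. This only means the transport is
    encrypted; a phishing site can have https too, so check the host first."""
    return urlsplit(url).scheme.lower() == "https"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str, domain: str = EXPECTED_DOMAIN):
    """Return (href, text, reasons) for every link that points off-domain or
    whose visible text names a different host than the link really goes to."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        if not belongs_to(href, domain):
            reasons.append("href host is not %s" % domain)
        # Link manipulation: the text looks like a URL, but its host differs
        # from the host in the href that the browser will actually open.
        looks_like_url = "://" in text or text.startswith("www.")
        if looks_like_url and host_of(text) != host_of(href):
            reasons.append("shown as %s but goes to %s" % (host_of(text), host_of(href)))
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed phishing-style body for the demo; not a real message.
# The visible link text is the genuine TCU login address from the slides.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox quota is full. Click <a href="http://my.is.tcu.edu.example.net/login">
https://my.is.tcu.edu/psp/pa9prd/?cmd=login</a> to validate your account.</p>
<p>Questions? See <a href="https://security.tcu.edu/">security.tcu.edu</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print("SUSPICIOUS:", href, "|", text, "|", "; ".join(reasons))
```

Only the first link is reported: its href host is my.is.tcu.edu.example.net, which does not end in ".tcu.edu", and its visible text names a different host. The second link passes because security.tcu.edu is a real subdomain and the text is not a URL.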

22 Avoid being Phished (continued)
Greet emails or phone calls seeking personal information with skepticism. If you think it may be legitimate, call the customer service number provided when the account was opened. Be leery of alarming statements that urge you to respond immediately. Do NOT reply to phishing emails. So how can we protect ourselves from phishing? First, be skeptical when you are asked for personal information in emails or over the phone. If there is a possibility that it might be legitimate, locate the customer service number provided when you set up the account and call them. Be wary of alarming statements that urge you to respond immediately. If you think you have received a phishing email, do not reply to it. If there is a link in an email that might be legitimate, do not click on the link; copy and paste it into your web browser.

23 Avoid being Phished (continued)
TCU Technology Resources, including the computer help desk and Information Security Services, will NEVER ask you for your password via email, over the phone or in person. When TCU upgrades its computer or email systems we will NEVER send a link inside an email which goes to a website requesting that you login or enter your username and password. If you do respond to a phishing email with TCU account information, you will compromise your network and email account as well as all of TCU's systems. The TCU spear phishing email received recently was responded to by a couple of people. Their accounts were immediately hacked into, and from their accounts the phishers sent thousands of phishing emails out across the country and the world. This caused other organizations to adjust their anti-phishing filters to block our emails (the phishing emails and the legitimate emails alike). Our emails are no longer blocked by those filters, but we want to avoid this in the future. So, it is important to remember: Technology Resources will never, ever ask you for your password, in email, over the phone or in person.

24 Phishing Scams Game Play the Phishing Scam Game
scams.aspx

25 Spam. Spam is anonymous, unsolicited junk email sent indiscriminately to huge numbers of recipients. What for? Advertising goods and services (often of a dubious nature); quasi-charity appeals; financial scams; chain letters; phishing attempts; spreading malware and viruses. Spam is junk email, sent indiscriminately and anonymously to huge numbers of recipients. Why do we get spam? It is economically viable: the costs to the advertisers are low, so the volume of unsolicited mail has become very high. One estimate I heard recently is that 1 in 28 messages sent over the internet is legitimate; that means the other 27 are not! What are we getting in spam? Advertising for goods and services, often of a dubious nature; charity appeals, again of a dubious nature; financial scams and chain letters. Spam may be phishing attempts and may also spread malware and viruses. Research shows that there is an extremely low response rate to spam, but the volume is so high that it is still very profitable for the spammers. However, the overall spam-related corporate costs were estimated at $200 billion in 2007!

26 Origins of the term "Spam"
WWII England: Spam was the only meat not rationed. 1970 Monty Python sketch: every item on the menu includes Spam, and Vikings drown out the dialogue by repeating "SPAM, SPAM, SPAM, SPAM". 1980s: in early internet chat rooms, quotes from the sketch were used repeatedly to drive out newcomers or invade "rival" chat rooms (Star Wars/Star Trek). In 1993 the term spam was used on Usenet to mean excessive multiple postings of the same message. In 1998 the new meaning was included in the New Oxford Dictionary of English. A little about the origins of the term. As you know, Spam is a canned lunch meat. During WWII in England it was the only meat not rationed, so there was lots of Spam on the menu. You may have heard about the famous 1970 Monty Python Spam sketch; if you've never seen it, be sure to check it out (a link to it on YouTube is displayed on the slide). During the sketch every item on the menu includes Spam, and as the waitress recites the Spam-filled menu a chorus of Vikings drowns out the dialogue with a song repeating "Spam" over and over. In early internet chat rooms in the 1980s, quotes from the sketch were used repeatedly to scroll unwanted newcomers' text off the screen and to prevent members of rival groups (such as the Star Wars and Star Trek groups) from chatting. The term "spam" was used in 1993 on Usenet to mean excessive multiple postings of the same message in several, if not all, newsgroups. Finally, in 1998 the term was added to the New Oxford Dictionary of English.

27 What to do with Spam. Do not open email that is obviously spam.
If you do open junk mail, do not click on any links, including a link that claims it will remove you from the list: spammers use this to verify that you have a "live" address. Use a "disposable address": set up a Yahoo or Gmail account to use on the web. Send spam, as an attachment, to the address given on the slide. The End User Quarantine reduces the amount of spam received. So what do we do with all this spam? First, if you get an email that is obviously spam, do not open it. If you do open junk mail, do not click on any of the links. Often you will find a link at the bottom of the email that you are supposed to click to remove yourself from the mailing list; if you click on it, you are simply verifying to the spammers that you have a good, live address, and you will get even more spam. You may want to set up a "disposable" address in Yahoo or Gmail to use on the web; that will cut down on exposure of your TCU address. When you get spam you can send it as an attachment to the address given on the slide. When it is sent as an attachment, Technology Resources can view the original message's header information (the Received trail and the envelope sender, which a plain inline forward strips out) and use it to adjust the filters for the End User Quarantine. This will help us reduce the amount of spam and phishing email received.

28 How to send email as an attachment
In Outlook 2007: from the Inbox, click to select the message, then from the menu choose Actions, Forward as Attachment. In Entourage 2004 for Mac OS X: select the message, then from the menu choose Message, Forward as Attachment. For your reference, here is how you can send an email as an attachment. In Outlook 2007, in the Inbox, click on the spam (do not open it); from the menu choose Actions, then Forward as Attachment. In Entourage for the Mac, click on the email and from the menu select Message and then Forward as Attachment.

29 Spoofing. A spoofed email appears to be from a friend, a colleague or yourself, but the subject and text are obviously not something you or they would send. Spoofing is a way of sending counterfeit email using stolen addresses.

30 Spoofing continued. Favorite technique of spammers and phishers.
How do they steal addresses? They write programs that gather addresses from websites, discussion boards and blogs; worms and viruses also collect addresses from the address books on the machines they infect. What can you do? Nothing can prevent your address from being spoofed, because the "From" field is simply text chosen by whoever sends the message. Just be aware, and never fully trust the "From" field of an email.
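As an added illustration of two points made above, that a plain inline forward loses the header information Technology Resources needs for the spam filters (the Forward as Attachment slide), and that the From field is just text the sender typed (the spoofing slides), here is a Python example using only the standard library's email package. It is not part of the TCU training. The message, addresses and relay hostnames are constructed for the demo (192.0.2.x and 198.51.100.x are reserved documentation address ranges); the two forwarded copies are built the way a mail client's Forward and Forward as Attachment build them, as a quoted body versus a message/rfc822 part.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed raw message for the demo. The From: header claims a TCU help
# desk address, but the Return-Path and the earliest Received: hop show it
# entered from an outside relay. Hosts and addresses are invented.
SPOOFED_RAW = """\
Return-Path: <bounce@bulkmailer.example.net>
Received: from mx.tcu.edu (mx.tcu.edu [192.0.2.10])
\tby mailstore.tcu.edu with ESMTP; Tue, 01 Apr 2008 09:15:02 -0500
Received: from relay7.bulkmailer.example.net (relay7.bulkmailer.example.net [198.51.100.7])
\tby mx.tcu.edu with ESMTP; Tue, 01 Apr 2008 09:15:01 -0500
From: "Help Desk" <helpdesk@tcu.edu>
To: someone@tcu.edu
Subject: Account Update Alert!!!
Message-ID: <20080401.1234@bulkmailer.example.net>
Content-Type: text/plain

Your account will be closed. Reply with your username and password.
"""


def parse(raw: str) -> EmailMessage:
    """Parse raw RFC 5322 text into an EmailMessage (policy.default)."""
    return message_from_string(raw, policy=policy.default)


def spoofing_indicators(msg: EmailMessage) -> dict:
    """Compare the claimed sender with evidence that is harder to forge:
    the envelope sender (Return-Path) and the earliest Received: hop.
    Received: headers are prepended by each relay, so the last one listed
    is the first hop, i.e. where the message really came from."""
    from_addr = parseaddr(str(msg["From"] or ""))[1]
    return_path = parseaddr(str(msg["Return-Path"] or ""))[1]
    hops = msg.get_all("Received") or []
    first_hop = str(hops[-1]) if hops else ""
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    rp_domain = return_path.rsplit("@", 1)[-1].lower()
    return {
        "from": from_addr,
        "return_path": return_path,
        "first_hop": first_hop,
        "envelope_mismatch": rp_domain != from_domain,
    }


def forward_inline(original: EmailMessage) -> EmailMessage:
    """What a plain Forward does: a new message whose body quotes the old
    one. Only the headers the client chooses to quote survive; the
    Received: trail and Return-Path are gone."""
    fwd = EmailMessage(policy=policy.default)
    fwd["From"] = "someone@tcu.edu"
    fwd["Subject"] = "FW: " + original["Subject"]
    quoted = "From: %s\nSubject: %s\n\n%s" % (
        original["From"], original["Subject"], original.get_content())
    fwd.set_content(quoted)
    return fwd


def forward_as_attachment(original: EmailMessage) -> EmailMessage:
    """What Forward as Attachment does: the entire original message,
    headers included, rides along as a message/rfc822 part."""
    fwd = EmailMessage(policy=policy.default)
    fwd["From"] = "someone@tcu.edu"
    fwd["Subject"] = "FW: " + original["Subject"]
    fwd.set_content("Reporting spam; original message attached.")
    fwd.add_attachment(original)  # an EmailMessage payload becomes message/rfc822
    return fwd


def attached_originals(fwd: EmailMessage):
    """Return the embedded original messages of a forward (empty for inline)."""
    return [part.get_content() for part in fwd.iter_attachments()
            if part.get_content_type() == "message/rfc822"]


if __name__ == "__main__":
    original = parse(SPOOFED_RAW)
    print("claimed sender :", spoofing_indicators(original)["from"])
    print("envelope sender:", spoofing_indicators(original)["return_path"])
    print("first hop      :", spoofing_indicators(original)["first_hop"])
    print("inline forward keeps", len(attached_originals(forward_inline(original))), "originals")
    print("attachment forward keeps", len(attached_originals(forward_as_attachment(original))), "originals")
```

The inline forward carries nothing a filter can use: it is a fresh message from the reporter, with the spammer's text pasted in. The attachment forward still contains the original with both Received: hops and the Return-Path, which is exactly the information that identifies the sending relay and lets the quarantine filter be tuned. The same functions show why the From field is worthless as proof of origin: nothing in the message checks it against the envelope or the relay path.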

31 Attachments. Computer viruses and other malicious software are often spread through email attachments. If a file attached to an email contains a virus, it is often launched when you open (or double-click) the attachment. Don't open attachments unless you know whom they are from and you were expecting them. When you receive emails with attachments or links, even if you don't think the email is spam or phishing, they should be approached with a great deal of caution. Computer viruses, malware and spyware can easily be spread through attachments: when you open or double-click the attachment, if the file contains a virus it will be launched and infect your computer. So be very cautious; do not open attachments unless you know who sent them and you were expecting them.

32 Should You Open that Attachment?
If it is suspicious, do not open it! What is suspicious? Not work-related. The email containing the attachment was not addressed to you, specifically, by name. Incorrect or suspicious filename. Unexpected attachments. Attachments with suspicious or unknown file extensions (e.g., .exe, .vbs, .bin, .com, .pif, or .zzx). Unusual subject lines: "Your car?"; "Oh!"; "Nice Pic!"; "Family Update!"; "Very Funny!" If you are at all suspicious, do not open the attachment. What is suspicious? If it is not work-related. If the email does not address you specifically by name. If the file name is misspelled, incorrect or odd. I would be suspicious of unexpected attachments: even if you recognize the sender's address, their email may have been spoofed or their account hijacked. Beware of attachments with suspicious or unknown file extensions. And watch out for unusual subject lines, especially if you were not expecting a file and do not know who sent it.
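The filename rules above can be turned into a check that a mail gateway, or a cautious user, can run over attachment names before opening anything. The following Python is an added example, not from the TCU training. The slide names .exe, .vbs, .bin, .com, .pif and the made-up .zzx; every other extension in the lists below is an assumption for the demo, and the sample filenames are constructed. It also covers two tricks the slide does not mention: a second extension placed in front of the real one ("Nice Pic.jpg.exe" is a program, not a picture), and a Unicode text-direction override that makes a name display backwards so the real extension is hidden.

```python
import os
from typing import List, Tuple

# From the slide (.exe, .vbs, .bin, .com, .pif) plus other types that Windows
# runs directly when double-clicked. Assumption: treat all of these as code.
EXECUTABLE_EXTS = {".exe", ".vbs", ".bin", ".com", ".pif", ".scr", ".bat",
                   ".cmd", ".js", ".jse", ".wsf", ".hta", ".msi", ".lnk"}
# Containers that can hide an executable one level down.
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
# Office formats that can carry macros.
MACRO_EXTS = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm"}
# Types a help desk would normally expect; anything else is "unknown" (like .zzx).
EXPECTED_EXTS = {".pdf", ".txt", ".csv", ".jpg", ".jpeg", ".png", ".gif",
                 ".docx", ".xlsx", ".pptx"}
# Unicode bidirectional overrides: "report\u202efdp.exe" is displayed as
# "reportexe.pdf" by many file managers, but it is still a .exe file.
BIDI_OVERRIDES = ("\u202e", "\u202d", "\u202b", "\u202a")


def attachment_risk(filename: str) -> Tuple[str, List[str]]:
    """Classify an attachment name as 'block', 'warn' or 'ok', with reasons."""
    reasons = []
    name = filename.strip()
    if any(ch in name for ch in BIDI_OVERRIDES):
        reasons.append("text-direction override hides the real extension")
        for ch in BIDI_OVERRIDES:
            name = name.replace(ch, "")
    # Windows decides what runs from the LAST extension, case-insensitively.
    stem, ext = os.path.splitext(name.lower())
    _, inner_ext = os.path.splitext(stem)
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension %s" % ext)
        if inner_ext:  # "Nice Pic.jpg.exe": looks like a picture, runs as a program
            reasons.append("double extension: shows as %s, runs as %s" % (inner_ext, ext))
        return "block", reasons
    if ext in MACRO_EXTS:
        reasons.append("document type that can carry macros (%s)" % ext)
        return "warn", reasons
    if ext in ARCHIVE_EXTS:
        reasons.append("archive; inspect the contents before extracting")
        return "warn", reasons
    if ext not in EXPECTED_EXTS:
        reasons.append("unknown or missing extension %r" % ext)
        return "warn", reasons
    return "ok", reasons


def triage(filenames):
    """Run the check over a list of names and return (name, verdict, reasons),
    worst verdict first."""
    order = {"block": 0, "warn": 1, "ok": 2}
    results = [(fn,) + attachment_risk(fn) for fn in filenames]
    return sorted(results, key=lambda r: order[r[1]])


# Constructed sample names, including the slide's "Nice Pic!" style bait.
SAMPLE_NAMES = ["Nice Pic.jpg.exe", "update.PIF", "family_update.zip",
                "budget.xls", "data.zzx", "agenda.pdf", "report\u202efdp.exe"]

if __name__ == "__main__":
    for name, verdict, reasons in triage(SAMPLE_NAMES):
        print("%-5s %-25r %s" % (verdict, name, "; ".join(reasons)))
```

The check is deliberately conservative: an unknown extension is a warning rather than a pass, because the slide's point is that unfamiliar names are a reason to stop, not a reason to try opening the file and see.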

33 Best Practices. Use the BCC field when sending to large distribution lists: it protects recipients' addresses and prevents Reply to All issues. Avoid use of large distribution lists (e.g., the All Faculty/Staff list) unless there is a legitimate business purpose; use TCU Announce instead. Beware of the Reply to All button. Don't forward chain letters. Some best practices to use to protect yourself and others: Use the BCC field when sending to large distribution lists (see the BCC Field slide for how to view the field in Outlook or Entourage). The BCC field is the blind carbon copy field; the addresses of the recipients are hidden from each other. The advantage of this is that it protects their addresses if the email should fall into the hands of a spammer or phisher. It also prevents accidental "reply to all" issues. Unless you have a legitimate business purpose, avoid using large distribution lists such as the All TCU Faculty/Staff list; use TCU Announce from the portal instead. When you receive an email, beware of responding with the Reply to All button; verify who you are sending the email to before hitting the send button. And finally, please do not forward chain letters.

34 BCC Field
In Outlook 2007: in a new mail message select Options, Show BCC. In Entourage 2004 for OS X: the Bcc field is visible when you start a new message. To view the BCC field in Outlook, in a new mail message select Options, Show BCC. In Entourage on the Mac the BCC field is visible when you start a new message.

35 Data Protection: email the password separately!
Do not email unencrypted Sensitive Personal Information (SPI). On campus, encrypt the email or use a shared drive instead. Digital ID: allows you to digitally sign and encrypt email; required for both sender and recipient; email the address given on the slide to request one. WinZip version 10 and above: create an encrypted archive to send in email. Office 2007 allows AES encryption of documents. It is very important not to email unencrypted sensitive personal information (see the SPI slide for the definition). If you need to transport a file containing SPI to someone else on campus, either encrypt the email or use a shared network drive instead. There are different ways you can encrypt email. One is a Digital ID, which allows you to digitally sign and encrypt an email; however, both you, the sender, and the recipient must have a Digital ID. If you are interested in this method, email the address given on the slide to request one. Both WinZip and Office 2007 offer AES encryption, which is the industry standard. Documentation on how to encrypt files using WinZip and in Office is located on the Digital Self Defense page of the security.tcu.edu website. When you send an encrypted file in an email, be sure to send the password separately: in a separate email at least, and better still by phone, never in the same message as the file.

36 What is SPI? Sensitive Personal Information (SPI) is defined as an individual's name, address, or telephone number combined with any of the following: social security number or taxpayer ID number; credit or debit card number; financial/salary data; driver's license number; date of birth; medical or health information protected under HIPAA; student-related data protected under FERPA.

37 Resources: TCU Computer Help Desk; Information Security Services
Location: Mary Couts Burnett Library, first floor. In this presentation we have reviewed email security threats that you should be aware of and discussed ways in which you can protect yourself and others. For computer problems please contact the TCU Computer Help Desk at ext. 6855 or at the email address given on the slide. For questions about security, send an email to Information Security Services at the address given on the slide, and please refer to the security.tcu.edu web site for further information on current alerts and advisories, Digital Self Defense, policies and procedures, etc. To make sure that you understand email security, please take a few minutes to complete the following quiz. The results will be emailed to the Technology Resources security team and will help us develop further training materials to better meet your needs. Thank you very much!

