SOCIAL ENGINEERING AND INFORMATION PROTECTION BEST PRACTICES.


1 SOCIAL ENGINEERING AND INFORMATION PROTECTION BEST PRACTICES

2 Social engineering / INTRODUCTION: Who Are We?
- Graduate students at UNM Anderson School of Management, both studying toward a graduate degree in Information Assurance
- Full-time employees at Sandia National Laboratories, working in an IT department

3 Social engineering / INTRODUCTION: Why Are We Here?
- We all need to learn to defend our information from unauthorized access and use
- A survey given 3/10/2013 discloses some areas in which you can protect yourselves better
Major topics:
- Online Privacy/Protection
- Social Engineering
- Password Strength/Password Management

4 SURVEY RESULTS
Here are some of the more interesting results from the survey…
- Do you reuse the same password across your online accounts?
- Do you regularly clear your browser cache?
- Do you use strong passwords for your online accounts?
- How familiar are you with social media privacy settings?

5 Social engineering / ONLINE PRIVACY/PROTECTION
- You may have heard recently that many celebrities' accounts were being hacked
- There is so much information about celebrities on the internet
- Countless followers via Twitter, Facebook, and other social media

6 Social engineering / ONLINE PRIVACY/PROTECTION
One of the biggest threats to your personal privacy protection is social media:
- Over-sharing
- “Checking in”
- Embarrassing pictures/posts/likes
- Lack of control over who can see what
- Anonymous information gathering

7 Social engineering / BROWSER SAFETY
Browser safety:
- Cleaning cache
- Tracking and cookies
- Double-checking URLs
Safety:
- Spam filtering
- Attachments

8 Social engineering / SOCIAL ENGINEERING
- Due to social media use today, we are all “celebrities”
- Just as people have been able to hack real celebrity accounts using information from the internet, the same can be done to anyone sharing via social media
- All this public information makes an individual vulnerable to social engineering attacks

9 Social engineering / SOCIAL ENGINEERING
- “the art of manipulating people into performing actions or divulging confidential information”
- Tricking the victim into divulging information
- Only a few of you responded that you had previously given personal information over the internet
- Can involve pretexting, or creating a target-specific scenario, to give the victim a sense of legitimacy

10 PRETEXTING
- “the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.”
- Attackers will research their targets so that they can create a more believable lie
- Example: a phishing message from “your bank” asking you to confirm your username and password
- Use of other information, such as work or school, gained via social networking sites

11 Social engineering / MIDTERM EXAM
1. Clear out your ________ ________ regularly to keep sites from tracking your internet activity. (Answer: Browser Cache)
2. The act of creating a scenario to engage a targeted victim to divulge information is known as what? (Answer: Pretexting)
3. True or False: “Checking In” on Facebook on a regular basis is a safe practice. (Answer: False)
4. The art of manipulating people to divulge confidential information is known as what? (Answer: Social Engineering)
5. One of the greatest threats to our personal online privacy is how we use ________ ________. (Answer: Social Media)

12 Password best practices / PASSWORD STRENGTH
- Most of you say you use strong passwords
- What makes a strong password?
  - At least 8 characters; more is better
  - Avoid any dictionary words
  - Mix of letters (upper and lower), numbers, and other characters (like punctuation)
- Some examples: r3t7A#EM, Tad3cha5$uh#q

13 PASSWORD STRENGTH: WHY A COMPLEX PASSWORD?
There are several methods of acquiring a password:
- Guessing* (use of personal information available)
- Dictionary-based attacks*
- “Brute force” attacks* (programs that can guess every possible combination of characters)
- Phishing**
- Shoulder surfing**
* These attacks are best mitigated through the use of a strong password. The stronger the password, the harder it is to guess by either people or programs.
** These attacks are best mitigated through personal security (preventing social engineering).
Password strength criteria: http://www.microsoft.com/security/online-privacy/passwords-create.aspx
Password strength checker: https://www.microsoft.com/security/pc-security/password-checker.aspx
Password generator: https://secure.pctools.com/guides/password
Importance of a strong password: http://www.utexas.edu/its/secure/articles/importance_strong_passwords.php

14 PASSWORD STRENGTH DEMONSTRATION: How Strong Is My Password?
- 5 volunteers!
- Password Strength Checker: how long would it take a desktop PC to crack a password?
- Do NOT put your REAL password into this site; it is for relative strength checking only!
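To make slide 12's three criteria and slides 13 and 14's guessing, dictionary and brute-force discussion concrete, here is an added Python checker. It is not part of the original presentation and is not the Microsoft checker the slides link to. It assumes a tiny constructed word list standing in for a real dictionary, an assumed rate of one billion guesses per second for a single desktop PC against a fast unsalted hash, and the ASCII character classes from Python's string module; all function names are the example's own.

```python
import string

# Constructed stand-in for a real word list (assumption: a real checker
# would load a full dictionary such as /usr/share/dict/words).
DICTIONARY_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "sunshine"}

# Assumed guess rate for one desktop PC running an offline brute-force
# program against a fast, unsalted hash. Adjust for your own threat model.
GUESSES_PER_SECOND = 1_000_000_000

MIN_LENGTH = 8  # slide 12: at least 8 characters, more is better

# Alphabet size contributed by each character class when present.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}


def character_classes(password: str) -> dict:
    """Report which of the slide's character classes the password uses."""
    return {
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def contains_dictionary_word(password: str, words=DICTIONARY_WORDS, min_len: int = 4) -> bool:
    """True if any dictionary word of min_len or more letters appears inside the password (case-insensitive)."""
    lowered = password.lower()
    return any(w in lowered for w in words if len(w) >= min_len)


def keyspace_size(password: str) -> int:
    """Alphabet size raised to the length: the number of candidates a brute-force program must try
    if it knows only which character classes were used."""
    classes = character_classes(password)
    alphabet = sum(size for name, size in CLASS_SIZES.items() if classes[name])
    return alphabet ** len(password) if alphabet else 0


def brute_force_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace at the assumed guess rate."""
    return keyspace_size(password) / rate


def check_password(password: str) -> dict:
    """Evaluate a password against slide 12's criteria and return findings plus a verdict."""
    classes = character_classes(password)
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    if not all(classes.values()):
        problems.append("needs upper and lower case letters, numbers, and other characters")
    return {
        "length": len(password),
        "classes": classes,
        "keyspace": keyspace_size(password),
        "brute_force_seconds": brute_force_seconds(password),
        "problems": problems,
        "strong": not problems,
    }


if __name__ == "__main__":
    # The slide's own examples beside two deliberately weak constructed ones.
    for candidate in ("r3t7A#EM", "Tad3cha5$uh#q", "password", "Abc123!"):
        result = check_password(candidate)
        days = result["brute_force_seconds"] / 86400
        verdict = "strong" if result["strong"] else "weak: " + "; ".join(result["problems"])
        print(f"{candidate!r}: keyspace 10^{len(str(result['keyspace'])) - 1}, "
              f"brute force about {days:,.1f} days, {verdict}")
```

Note that the time estimate is the relative comparison slide 14 asks for, not a prediction: a slower hash, a salted database, or an attacker with many GPUs changes it by orders of magnitude, and a password that fails the dictionary check falls in seconds regardless of its keyspace.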

15 Password best practices / PASSWORD REUSE
- While most of you said you use strong passwords, most of you also said you reuse passwords
- DON’T USE THE SAME PASSWORD ACROSS ALL ACCOUNTS!
- Sites are hacked regularly and passwords are retrieved
- SERIOUSLY??? Did you see those password examples?????

16 Password best practices / PASSWORD MANAGEMENT
- Various tools to manage passwords
- Allows unique passwords to be used for each account
- Convenient features for ease of use: categorization, auto-type/auto-fill
- Online/cloud-based and client-based
- Each solution has its pros and cons

17 Password best practices / PASSWORD MANAGEMENT: Pros/Cons
- Cloud-based: less secure, passwords are stored somewhere on the internet
- Client-based: more secure, but less convenient as they are only available where the client is installed
- Solution: KeePass with Dropbox, the power of a client-based, encrypted database with the availability provided by online storage

18 Password best practices / PASSWORD MANAGEMENT
Dropbox
- Online storage
- Web browser interface
- Desktop sync
- iPhone/iPad/Android sync
- FREE! (2GB, more than enough for a KeePass database file)
KeePass
- Encrypted password database
- Categorize by folder
- Lightweight install
- Password generator/strength indicator
- Secure notes
- Auto-type
- iPhone/iPad/Android app support
- FREE!
Result: an encrypted database of passwords synced across all devices; you only have to remember one really strong password! For FREE!

19 Password best practices / PASSWORD MANAGEMENT DEMONSTRATION: KeePass & Dropbox Demo

20 Password best practices / REVIEW: Best Practices
- Use spam filters
- Don’t open unusual/unknown attachments
- Double-check URLs before clicking
- Lock down public information on social media sites
- Be absolutely sure you know who you are divulging information to
- Use strong passwords
- Use a password management tool to enable unique passwords across the internet

21 Password best practices / QUESTIONS???

