
Teaching Practical Cyber Security

Presentation on theme: "Teaching Practical Cyber Security"— Presentation transcript:


2 Teaching Practical Cyber Security
Dr. Mark Ciampa Western Kentucky University / Cengage Author

3 Do To Stay Safe
Be suspicious of everything
Change passwords
Check if HTTPS
Delete cookies
Do not share information
Install software updates
Use 2-factor authentication
Use antivirus
Use Linux
Use password manager
Use strong passwords
Use unique passwords
Verify software
Visit only known websites

4 Experts & Non-Experts Do To Stay Safe
Be suspicious of everything
Change passwords [3]
Check if HTTPS
Delete cookies
Do not share information [5]
Install software updates (1)
Use 2-factor authentication (3)
Use antivirus [1]
Use Linux
Use password manager (5)
Use strong passwords (4) [2]
Use unique passwords (2)
Verify software
Visit only known websites [4]

5 Do To Stay Safe
Install software updates
Use unique passwords
Use 2-factor authentication
Use strong passwords
Use password manager

Use antivirus
Use strong passwords
Change passwords
Visit only known websites
Do not share info


8 Teaching Practical Cyber Security
What Doesn't Work: Use Antivirus Software

9 Do To Stay Safe
Install software updates
Use unique passwords
Use 2-factor authentication
Use strong passwords
Use password manager

Use antivirus
Use strong passwords
Change passwords
Visit only known websites
Do not share info


11 Antivirus (AV) Software
At one time installing antimalware software was considered to be the primary defense against attackers
One of the first antimalware security applications was antivirus (AV) software
This software can examine a computer for any infections as well as monitor computer activity and scan new documents that might contain a virus (this scanning is typically performed when files are opened, created, or closed)
If a virus is detected, options generally include cleaning the file of the virus, quarantining the infected file, or deleting the file

12 Antivirus (AV) Software
Many AV products scan files by attempting to match known virus patterns against potentially infected files (static analysis)
AV software contains a virus scanning engine and a database of known virus signatures, which are created by extracting a sequence of characters found in the virus that serves as the virus's unique "signature"
The database is called the signature file
By comparing the virus signatures against a potentially infected file, a match may indicate an infected file


14 Antivirus (AV) Software
Weakness of static analysis: the AV vendor must constantly be searching for new viruses, extracting virus signatures, and distributing those updated databases to all users
Any out-of-date signature file could result in an infection
AV vendors cannot keep up with the sheer number of new attacks


16 Antivirus Misses
Based on the average number of infections being distributed by attackers, this means that these antivirus products would have missed 796 malicious files each day
One antivirus software security institute receives more than 390,000 submissions of potential malware each day
At this rate the antivirus vendors would have to create and distribute updates every few seconds to keep users fully protected

17 Why Antivirus Dependence?
Offers a convenient install-and-forget type of solution
Users consider all attacks to be "viruses", so antivirus must repel all attacks
Heard or read news media security advice

18 Teaching Practical Cyber Security
What Doesn't Work: Visit Only Known Websites

19 Do To Stay Safe
Install software updates
Use unique passwords
Use 2-factor authentication
Use strong passwords
Use password manager

Use antivirus
Use strong passwords
Change passwords
Visit only known websites
Do not share info

20 Online Advertising
When a user goes to a site's page, the web browser silently connects to dozens of advertising network sites from which ad banners, popup ads, video files, and pictures are sent to the user's computer
Online display ads do not come from the main site itself
Most mainstream and high-trafficked websites outsource the ad content to different third-party advertising networks


22 Malvertising
Attackers use these third-party advertising networks to distribute their malware to unsuspecting users who are visiting a well-known website
Malvertising (malicious advertising) or a poisoned ad attack
Attackers may infect the third-party advertising networks so that their malware is distributed through ads sent to users' web browsers
Or the attackers may promote themselves as reputable third-party advertisers while distributing their malware through ads
An ad that contains malware secretly redirects visitors who receive it to the attacker's webpage, which then downloads malware onto the user's computer through vulnerabilities in the web browser


24 Malvertising
Malvertising occurs on "big-name" websites, so unsuspecting users, who otherwise would avoid or be suspicious of less popular sites, are deceived into thinking that because they are on a reputable site they are free from attacks
The New York Times, Reuters, Yahoo!, Bloomberg, and Google, among many others, have all been infected with malvertising
In one year, 12.4 billion "malvertisements" were distributed, an increase of over 300 percent from the previous year

25 Web Site Monthly Visitors
msn.com 1,300,000,000
nytimes.com 313,100,000
bbc.com 290,600,000
aol.com 218,600,000
my.xfinity.com 102,800,000
nfl.com 60,700,000
realtor.com 51,100,000
theweathernetwork.com 40,000,000
thehill.com 31,400,000
newsweek.com 9,900,000

26 Teaching Practical Cyber Security
More Bad News

27 Distributed Denial of Service Attack (DDoS)
A distributed denial of service (DDoS) attack is a deliberate attempt to prevent authorized users from accessing a system by overwhelming it with requests
In Sep 2016 a security researcher published a series of articles calling out a DDoS-for-hire service
Two weeks later his web site was overwhelmed with a DDoS attack of a whopping 620 gigabits per second
In contrast, the massive DDoS attack of 2013 was only half (300 gigabits per second) of this attack

28 Distributed Denial of Service Attack (DDoS)
In Sep 2016 a French web hosting service was the victim of an even more staggering DDoS attack: 1.1 terabits per second
In Oct 2016 a DDoS attack targeted the DNS provider Dyn
It brought down wide parts of the Internet and disabled dozens of websites, including Twitter, Netflix, Spotify, Airbnb, Reddit and The New York Times


30 Source of DDoS Attacks
Mundane devices connected to the Internet make up what is called the Internet of Things (IoT)
An immense number of new types of devices (aka "things"), from refrigerators to car sensors to traffic lights to thermostats, are all dynamically connected to the web for communication and control

31 Source of DDoS Attacks
The source of DDoS attacks is not traditional desktop computers but IoT devices
In the French web host attack, the attacks were delivered through a collection of 145,607 hacked Internet-connected cameras and digital video recorders (DVRs)
An IoT botnet of 1 million devices could send a 4 terabits per second attack, equivalent to streaming 800,000 high-definition movies simultaneously

32 IoT Issues
Many IoT devices have little capacity for being updated to address security vulnerabilities, so they will never receive a security patch
Devices that can receive patches may see long gaps between the discovery of the vulnerability and a patch being applied
The average lifetime of a critical security bug in the Linux kernel, from the time the Linux code is finalized to a vulnerability being uncovered and then a patch issued, is over 3 years

33 Good IoT Idea?
In Feb 2017 Visa said it was partnering with IBM to add payment capabilities to many IoT devices
Objective: create additional "points of sale" where they didn't already exist
A wearable fitness band can tell a runner when it's time to replace athletic shoes and even allow them to be ordered through the band: a simple one click on the device will bring a pair of shoes right to the doorstep


35 Ransomware
One of the fastest-growing types of malware is ransomware
Ransomware prevents a user's device from properly and fully functioning until a fee is paid
Ransomware embeds itself onto the computer in such a way that it cannot be bypassed, and even rebooting still causes the ransomware to launch again

36 Blocker Ransomware
Widespread ransomware first started appearing in 2010
The earliest ransomware displays a screen and prevents the user from accessing the computer's resources (called blocker ransomware)
Instructions pretend to be from a reputable third party giving a "valid" reason for blocking the user's computer
From a law enforcement agency: You accessed a prohibited site and must immediately pay a fine online by entering a credit card number
From a software vendor: Your software license has expired, or there is a hardware problem, or (irony!) a malware infection


40 Blocker Ransomware
Initially the price for individuals was around $500 and for enterprises $8, $17,000
Recently demanded ransoms have been significantly increasing: Hollywood Presbyterian Medical Center ($17,000), Los Angeles Valley College ($28,000), and San Francisco's Municipal Transportation Agency ($73,000)
It is estimated that $1 billion was paid in ransom in one year, yet only 42% of victims who paid the ransom could then retrieve their data
Enterprises are prime targets: almost half of all enterprises have been a victim of a ransomware attack

41 FBI Recommendation
The FBI does not support paying a ransom in response to a ransomware attack
"Paying a ransom doesn't guarantee an organization that it will get its data back—we've seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals"

42 Crypto-malware
Threat actors developed a more malicious form of ransomware
Instead of blocking the user from accessing the computer, it now encrypts all files on the device so none can be opened (crypto-malware)
The victim is told a fee must be paid in order to receive the key to unlock the files
Increased urgency for payment: the cost of the key increases every few hours, or an increasing number of encrypted user files are deleted every few hours, and if the ransom is not paid promptly (often within hours) the key can never be retrieved


45 Crypto-malware Worse
Two recent additional updates
Instead of only encrypting files on the user's local hard drive, it now encrypts all files on any network or attached device that is connected to that computer (secondary hard disk drives, USB hard drives, network attached storage devices, network servers, cloud-based data repositories)
If a user's computer in an enterprise is infected with crypto-malware, potentially all files for the enterprise can be locked
Crypto-malware is also now being used to infect mobile devices such as smartphones and tablets

46 Crypto-malware Defenses
Two tests to determine if other files (not those stored on the local hard drive) are at risk from crypto-malware
If a remote storage device is "mounted" on the local computer and displays a drive letter (like "D:"), then those files are at risk
If a cloud storage repository is configured so that files that are automatically placed in a folder are then synced to the cloud storage, then they too are at risk (crypto-malware can move encrypted files into the folder and they will be replicated onto the cloud)


49 Dumpster Diving 2017
An electronic variation of physical dumpster diving is using Google's search engine to look for documents and data posted online that can be used in an attack
Called Google dorking, it uses advanced Google search techniques to look for information that unsuspecting victims have carelessly posted on the web
For example, to find on the web any Microsoft Excel spreadsheets (.xlsx) that contain the column heading "SSN" (social security numbers), the Google search term is intext:"SSN" filetype:xlsx
To find any Microsoft Word documents (.docx) that contain the word "passwords" as part of the title, the search term is allintitle: "passwords" filetype:docx


51 Teaching Practical Cyber Security
What Can We Do?

52 Why Increase In Attacks
Speed of attacks
More sophisticated attacks
Simplicity of attack tools
Faster detection of weaknesses
Delays in user patching
Distributed attacks
Attacks exploit user ignorance & confusion

53 User Confusion
Confusion over different attacks: Worm or virus? Adware or spyware? Rootkit or Trojan?
Confusion over different defenses: Antivirus? Firewall? Patches?
Users asked to make security decisions and perform technical procedures

54 Think Of a Typical User
Will you grant permission to open this port?
Is it safe to un-quarantine this attachment?
May I install this add-in?

55 User Misconceptions
I don't have anything on my computer they want
I have antivirus software so I'm protected
The IT Department takes care of security here at school or work
My Apple computer is safe


57 Security Is Hard
It's hard for users to protect against attacks
Threats and attacks are constant and widespread
Users generally think about security only when something goes wrong
Users do not have a good understanding of what a security risk looks like in practice

58 Security Education Today
Teach comprehensive enterprise security in the CIS security track
Teach network security to CIS majors
Teach brief coverage of security definitions in Introduction to Computers to the rest of the students
Yet we are leaving out practical security awareness for all students

59 Calls for Awareness Training (Gov't)
Action and Recommendation 3-4 of the NSSC calls upon colleges and universities to model user awareness programs and materials
The Colloquium for Information Systems Security Education (CISSE), the International Federation for Information Processing Working Group on Information Security Education (IFIP WISE), and the Workshop on Education in Computer Security (WECS) are all involved in security training in schools
The bipartisan Cybersecurity Enhancement Act would fund more cybersecurity research, awareness and education

60 Calls for Awareness Training
"We need to invest in cyber education, and there's no such thing as 'too early' when it comes to exposing our young people to [cybersecurity] and training them in this field" – Rep. Jim Langevin, D-RI, congressional cybersecurity caucus co-chair & former member of the Homeland Security Committee
"We want to educate everybody about the need for security and the basic construct of security. We are working to create a course that everybody can take and develop some basic understanding of cybersecurity" – Program director, Southeast Missouri State University

61 Calls for Awareness Training (Researchers)
Researchers state that institutions of higher education should be responsible for providing security awareness instruction, including Crowley (2003), Mangus (2002), Null (2004), Tobin and Ware (2005), Valentine (2005), Werner (2005), and Yang (2001)
Security instruction and training are important not only to meet current demands of securing systems but also to prepare students for employment in their respective fields
The location of security awareness instruction and training in a college curriculum should not be isolated in upper-level courses for IT majors (Tobin and Ware, 2005; Werner, 2005)
Instruction should be taught to all graduates as a "security awareness" course (Valentine, 2005) along with integrating it throughout the curriculum (Yang, 2001)
Long (1999) advocated that security instruction should begin as early as kindergarten

62 Security Education Challenge
Need to educate all students about practical computer security in all of our courses
"Users should be as fluent with practical security as with using Word"
All our courses use technology, so make security a "teaching moment"
Security Across the Curriculum


64 Pushback: 'No Time'
We can take the opportunity to introduce security as we cover specific topics ("teaching moment")
For example, when we ask students to research using the Internet, spend 10 minutes that day talking about Internet security

65 Pushback: 'Not an Expert'
Security experts are not wanted!
Often security experts get too carried away with too many details!
Need to teach basic practical security skills and not advanced security topics

66 Practical Computer Security
What Doesn't Work
Use Antivirus Software
Visit Only Known Websites
What Does Work
Passwords
Resist Phishing
Personal Computer Defenses
Mobile Defenses


68 Teaching Practical Cyber Security
What Does Work: Password Management

69 Practical Computer Security
What Doesn't Work
Use Antivirus Software
Visit Only Known Websites
What Does Work
Passwords
Resist Phishing
Personal Computer Defenses
Mobile Defenses

70 Which Is Better?
thisisverylongpassword
Xp4!e%
Long is strong

71 Length Over Complexity
Suppose a keyboard had only 3 keys: A, B, and C
We had to create a 2-character password
How many different passwords could we create?
What's the relationship between those numbers?


73 Length Over Complexity
How Secure Is My Password
Password Strength Calculator
Haystack Password Meter

74 Password Problems
Effective passwords are long and complex, but these are difficult to memorize and then accurately recall
Users must remember passwords for many different accounts (different computers and mobile devices at work, school, and home; multiple accounts; online banking; Internet site accounts, etc.)
Many security policies make passwords expire after a set period of time, when a new one must be created
Some security policies prevent recycling a previously used password, forcing users to repeatedly memorize new passwords

75 Weak Passwords
Common word (Eagles)
Short passwords (ABCDEF)
Personal information (name of a child or pet)
Writing the password down
Predictable use of characters
Not changing the password
Reusing the same password


77 How Passwords Are Cracked
An attack technique not used is online guessing, in which the attacker attempts to randomly guess the password by typing different variations at the password login prompt
Most accounts are set to disable all logins after a limited number of incorrect attempts (such as five), thus locking out the attacker
Even if the attacker had an unlimited number of attempts, it would still take an unreasonable amount of time to attempt all of the different combinations in order to guess the right password

78 How Passwords Are Cracked
Because of the limitations of online guessing, most password attacks today use offline cracking
When a password is first created by the user, a digital representation of that password is created and stored on the computer or website (the process for creating this digital representation is based on a hash algorithm, which creates a digest)
When the user later reenters her password to log on, the same hash algorithm is applied to what she just typed into the password login prompt and the result is compared with the stored version
If they match, the user is approved


80 How Passwords Are Cracked
With offline cracking, attackers steal the file of password digests and then use their own powerful computers to break the passwords
They create their own passwords and then generate the digests (called candidates) for these passwords
They then compare their digests against the stolen digests: when the digests match, the attackers know the password behind the digest
The advantage of offline cracking is that it allows the attacker to use fast technology to break a password instead of manual random guesses: one security researcher created a computer cluster of five server computers and was able to generate 350 billion password candidates per second

81 How Passwords Are Cracked
Create the hash
Crack the hash
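An added example (not from the slides) of the "create the hash, crack the hash" cycle from slides 78 to 81, written from the defender's side: the bare SHA-256 store the slides describe sits beside a salted PBKDF2 store, and the same offline candidate comparison is run against both so the difference in hash work is visible. The record format, the candidate list, and the user names are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# ---- "Create the hash": two ways a site can store a password ----------------

def store_unsalted(password: str) -> str:
    """Weak storage as described on the slides: one bare SHA-256 digest, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


PBKDF2_ROUNDS = 200_000  # deliberately slow; raise as hardware gets faster


def store_pbkdf2(password: str, salt: Optional[bytes] = None, rounds: int = PBKDF2_ROUNDS) -> str:
    """Hardened storage: random per-user salt plus PBKDF2-HMAC-SHA256 (stdlib).
    Record format 'pbkdf2_sha256$rounds$salt$digest' is constructed for this example."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Log-on check: re-derive with the stored salt and rounds, compare in constant time."""
    _, rounds, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


# ---- "Crack the hash": offline comparison against a stolen digest file --------
# Constructed candidate list; the weak entries are the examples from slide 75.
CANDIDATES = ["password", "Eagles", "ABCDEF", "letmein", "qwerty", "123456"]


def crack_unsalted(stolen: Dict[str, str], candidates=CANDIDATES) -> Tuple[Dict[str, str], int]:
    """Returns (user -> recovered password, number of hash computations).
    Without a salt each candidate is hashed once and checked against every user."""
    table = {store_unsalted(c): c for c in candidates}
    found = {user: table[d] for user, d in stolen.items() if d in table}
    return found, len(candidates)


def crack_pbkdf2(stolen: Dict[str, str], candidates=CANDIDATES) -> Tuple[Dict[str, str], int]:
    """Same comparison against salted PBKDF2 records: every candidate is re-derived
    per user, and each derivation costs `rounds` hash computations instead of one."""
    found: Dict[str, str] = {}
    work = 0
    for user, record in stolen.items():
        rounds = int(record.split("$")[1])
        for c in candidates:
            work += rounds
            if verify_pbkdf2(c, record):
                found[user] = c
                break
    return found, work


if __name__ == "__main__":
    # Constructed "stolen" files: alice picked a slide-75 word, bob a slide-87 style passphrase.
    users = {"alice": "Eagles", "bob": "mainlyinonthethespainrainfalls"}
    weak_file = {u: store_unsalted(p) for u, p in users.items()}
    strong_file = {u: store_pbkdf2(p) for u, p in users.items()}
    print(crack_unsalted(weak_file))   # alice recovered after 6 hash computations
    print(crack_pbkdf2(strong_file))   # same result, but work == rounds x derivations
```

Only the memorable password falls to the candidate list in either store; what the slow, salted store changes is that every guess against every user costs a full derivation, which is the property the slides' "fast technology" depends on not having.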

82 Password Principles
Any password that can be memorized is a weak password
Any password that is repeated is a weak password
We must use technology instead of our brain for managing our passwords

83 Password Managers
The secure solution to credential management is to rely on technology rather than human memory to store and manage passwords
Password managers: technologies for storing and managing passwords
Three basic types of password managers

84 Password Management Applications
Dashlane
LastPass
KeePass
1Password
Blur
PasswordBox
RoboForm
StickyPassword


87 If You Rely On Memory Only
Do not use passwords that consist of dictionary words or phonetic words
Do not use birthdays, family member names, pet names, addresses, or any personal information
Do not repeat characters (xxx) or use sequences (abc, 123, qwerty)
Use a minimum of 16 characters; for accounts that require higher security a minimum of 30 characters is recommended
Consider using a longer passphrase but not in normal English sequence: not theraininspainfallsmainlyontheplain but instead with the words out of order, such as mainlyinonthethespainrainfalls
Use nonkeyboard characters
Length is more important than complexity

88 Use Nonkeyboard Characters
Make passwords stronger with special characters not on the keyboard
They are created by holding down the ALT key while simultaneously typing a number on the numeric keypad (but not the numbers across the top of the keyboard); for example, one ALT code produces £
To see a list of all the available nonkeyboard characters, click Start and Run and enter charmap.exe; click on a character and the code ALT + 0xxx will appear in the lower-right corner if it can be reproduced in Windows


90 Teaching Practical Cyber Security
What Does Work: Resist Phishing

91 Practical Computer Security
What Doesn't Work
Use Antivirus Software
Visit Only Known Websites
What Does Work
Passwords
Resist Phishing
Personal Computer Defenses
Mobile Defenses

92 Phishing
Social engineering: relies on deceiving someone to obtain secure information
Phishing: a common form of social engineering is sending an email or displaying a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information
The user is asked to respond to an email or is directed to a web site where they are instructed to update personal information, such as passwords, credit card numbers, Social Security numbers, bank account numbers, or other information for which the legitimate organization already has a record
However, the web site is actually a fake and is set up to steal the user's information


96 Embedded Hyperlink
. . . you can <a href=" in to Online Account Services (OAS) </a> from this . . .
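An added example (not from the slides) of the check a reader or mail filter can apply to an embedded hyperlink like the one above: parse each anchor, compare where it really points with the domain the message claims to come from, and flag visible text that shows one host while the href goes to another. The sample message, the claimed domain example-bank.test and the attacker hosts under .invalid are all constructed; the slide's own link had its address stripped.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML snippet."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


# Something that looks like a domain or URL inside the link's visible text.
URL_IN_TEXT = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def host_of(url: str) -> str:
    """Lower-cased host of a URL; bare 'www.site.test/x' text gets a scheme added first."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def same_site(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html: str, expected_domain: str) -> List[dict]:
    """Return the links whose real destination does not match what the reader is shown."""
    parser = AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        actual = host_of(href)
        reasons = []
        if not same_site(actual, expected_domain):
            reasons.append(f"destination {actual!r} is not under {expected_domain!r}")
        shown = URL_IN_TEXT.search(text)
        if shown and not same_site(host_of(shown.group(0)), actual):
            reasons.append(f"text shows {host_of(shown.group(0))!r} but destination is {actual!r}")
        if reasons:
            flagged.append({"href": href, "text": text, "reasons": reasons})
    return flagged


# Constructed sample modelled on the slide's embedded hyperlink; the sender claims to be example-bank.test.
SAMPLE_EMAIL = """
<p>. . . you can <a href="http://oas-login.example-attacker.invalid/oas/login">Log in to
Online Account Services (OAS)</a> from this email . . .</p>
<p>Or go to <a href="http://update.example-attacker.invalid/">https://www.example-bank.test/security</a></p>
<p>Questions? See <a href="https://www.example-bank.test/help">our help page</a>.</p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL, "example-bank.test"):
        print(f["text"], "->", f["href"])
        for r in f["reasons"]:
            print("   ", r)
```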

97 Good Advice, But . . .
"It is never advisable to login to a website that you reached from a link in an email. It is far better to type the address into a browser and then login. You can find additional tips for spotting phishing at phishing.php"

98 Teaching Practical Cyber Security
What Does Work: Personal Computer Defenses

99 Practical Computer Security
What Doesn't Work
Use Antivirus Software
Visit Only Known Websites
What Does Work
Passwords
Resist Phishing
Personal Computer Defenses
Mobile Defenses

100 Patches
To address vulnerabilities in software that are uncovered after the software has been released, software vendors usually deploy a software "fix"
A security patch is a publicly released software security update intended to repair a vulnerability
Modern operating systems have the ability to perform automatic patch updates to their software, so that the user's computer interacts with the vendor's online update service to receive the patches
Prior to Windows 10, Microsoft users had several options regarding accepting or even rejecting patches
Computers should be configured to immediately accept all patches when they are made available


105 Teaching Practical Cyber Security
What Does Work: Mobile Security

106 Practical Computer Security
What Doesn't Work
Use Antivirus Software
Visit Only Known Websites
What Does Work
Passwords
Resist Phishing
Personal Computer Defenses
Mobile Defenses

107 Lock Down Wireless Router
Create a strong password to access the wireless router
Disable Remote Management (so the settings cannot be accessed via the Internet)

108 Turn on WPA2 (Wi-Fi Protected Access 2)
This secures the wireless network in two ways: it encrypts all wireless transmissions and it limits who can join the wireless network
First turn on the wireless router for WPA2 Personal
There may be several options: do NOT use "mixed"; DO use "AES"
Then enter the key value (preshared key (PSK), WPA2 shared key, or passphrase)


110 Turn on WPA2
After turning on WPA2 Personal on the wireless router and entering a key value, the same key value must also be entered on each mobile device that you allow to access the Wi-Fi network
A mobile device that attempts to access a wireless network with WPA2 Personal will automatically ask for the key value
Once the key value is entered, the mobile device can retain the value and does not need to ask for it again
Trendnet Online Emulator


112 Using Public Wi-Fi
An exclamation point means the network is not secure
Limit the type of work (no online banking or sending confidential information)
Use sites that have padlocks (encrypts all transmissions)
Do not set the device to automatically connect
Beware of imposters

113 Security Awareness 5e
Security Awareness: Applying Practical Security in Your World, 5e
A basic introduction to practical computer security for all users, from students to home users to business professionals
New 5e published 2016
Now has a MindTap component

114 Updated Cengage Security+ Textbook
Slight changes in chapter sequencing (e.g., cryptography is now Chapter 3)
Updated section units group common security chapters together for a more comprehensive understanding of security topics (e.g., the wireless chapter is grouped in the network unit)
Hands-On Projects are expanded in the companion Lab Manual and in MindTap Virtual Machines, providing a pathway for students to begin with basic projects and then advance through intermediate and advanced level projects
New Bloom's taxonomy icons direct the learner to different levels of coverage
All new figures reflecting modern design

115 Teaching Practical Cyber Security
Dr. Mark Ciampa Western Kentucky University / Cengage Author
