Advanced Security Training for Staff Presented by Matt Langford.
Transcript of Advanced Security Training for Staff Presented by Matt Langford.
Advanced Security Training for Staff
Presented by Matt Langford

About me
• Matt Langford, [email protected]
• University of Northern Colorado CISO
• Specialties: security auditing, malware analysis and infrastructure, forensics, cyber crime investigations, security incident response, penetration testing, chemistry…?

Intro Video
Internet Safety Video

Topics for today’s presentation
• Who wants your information and why
• Common techniques to steal your information
• Defending your information on social media
• Defending yourself from social engineering
• Protecting your personal data
• Securing your environment
The Bear Bones

Who wants your information?
• Organized Crime
• Criminals
• Intelligence Organizations
• Marketers
• People with a grudge
• Local Law Enforcement

WHY!?
• Redirect illegal activity from their assets to yours
• To sell your data
• To bulk collect your data for future purposes
• To steal your identity
• To steal your credit card information
• Because they are curious about you
• Because you are being investigated

How they get you!
• Typically they just ask you
  – A phone survey
  – They pretend to be someone or something they are not
    • Fake authority figures
    • Fake emergencies
    • Fake technical support
  – An email survey
  – A trick email
  – In-person contact
  – They just look it up online

More complex tricks
• Links to malicious sites
• Links to legitimate-appearing websites where you would think you are safe to give secure information
• They listen to your electronic communications
• Malicious code
• Dumpster diving
• Theft
• Hacking
Social Media
• The majority of us use social media of one kind or another.
• Twitter, Facebook, Snapchat, LinkedIn, Pinterest, Google+, Tumblr, Instagram, Vine, etc.
• These applications are fun and keep us connected with our friends and family and help us meet new people.

Social Media Risks
• Posting personal data: address, phone number
• Posting sensitive work data: what software you just had trouble with
• Informing people about your activities and patterns: what you do on a Friday night
• Informing people about your hobbies and interests: they know that you love to swim and listen to Kenny G

Social Media Risks, Cont.
• Posting social relationships: that you are married
• Posting strong views: that you strongly support a political party or ideal
• Posting your responsibilities: that you are in charge of processing financial data
• Posting possible password hints: your pet’s name, your children’s birthdays, etc.

Exercise

Do you want to know more?
https://www.facebook.com/about/basics/

I’m a social engineer
How to defend yourself from social engineering attacks.

Trust… but verify!
• If someone calls you, it is OK to ask for identifying information.
  – Ask them for their name, manager’s name, department.
  – Ask them something specific to the institution they represent.
  – Ask them for a call-back number.

Beware of escalation
• A person calling you to help should never escalate tension with you.
  – Is the caller becoming hostile because you haven’t immediately cooperated?
  – Have they threatened to go to your manager for no reason?
  – Have they told you that you are violating some law?

Protect sensitive information
• You can often uncover a bad actor by the information they ask for or the action they want you to take.
  – If someone calls you, they don’t need to connect to your computer.
  – If someone calls you, they don’t need sensitive computer data, like your IP address or OS.
  – Do they want you to do something you don’t understand, but insist you just follow their instructions?

Don’t fall for tricks
• There are only a tiny handful of times you would be redirected ANYWHERE to enter your credentials.
  – Did you click on a link that is asking for your credentials?
  – Did you get an email asking you to verify sensitive information or log-on information?
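The “did you click on a link asking for your credentials?” check, carried out in code as an added example that is not part of the presentation: it pulls every link out of a constructed HTML email and flags the tricks the “More complex tricks” slide names, links that look legitimate but point elsewhere, plus credential pages served without HTTPS. The trusted domain unco.edu is taken from the Resources slide; the sample email, the credential keywords and the eTLD+1 shortcut are assumptions made for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED_DOMAINS = {"unco.edu"}  # assumption: the institution's real domain
CREDENTIAL_WORDS = ("login", "signin", "verify", "password")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML email."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):  # crude eTLD+1 (last two labels), enough for these samples
    return ".".join(host.lower().split(".")[-2:])

def check_link(href, text):
    """Return the reasons a link looks like a phish; an empty list means clean."""
    url, reasons = urlparse(href), []
    host = url.hostname or ""
    if url.scheme == "http":  # credentials should only travel over encryption
        reasons.append("not HTTPS")
    if " " not in text and "." in text:  # link text that itself reads like a URL
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        if registrable(shown) != registrable(host):
            reasons.append(f"text shows {shown} but link goes to {host}")
    for trusted in TRUSTED_DOMAINS:  # trusted name buried inside another domain
        if trusted in host and registrable(host) != trusted:
            reasons.append(f"lookalike of {trusted}: {host}")
    if registrable(host) not in TRUSTED_DOMAINS and any(w in href.lower() for w in CREDENTIAL_WORDS):
        reasons.append("asks for credentials outside the institution's domain")
    return reasons

def scan_email(html):  # map every link in the email body to its warning reasons
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}

SAMPLE_EMAIL = """<p>Your mailbox is over quota. Log in within 24 hours:</p>
<a href="http://unco.edu.account-verify.example.net/login">https://www.unco.edu/login</a>
<p>Policy: <a href="https://www.unco.edu/cybersecurity/index.asp">UNC Cybersecurity</a></p>
<a href="https://secure-mail-update.example.com/verify">Click here to verify</a>"""  # constructed
```

Running scan_email(SAMPLE_EMAIL) reports four problems with the first link, none with the real policy link, and one with the third.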

Personal data
• Your personal information is often used to protect your sensitive data.
  – Why does this person want to know your mother’s maiden name?
  – Why does this person care about what school you went to in 7th grade?
• These could be your security questions on your banking website.

Think about it
• Does the request meet your expectations?
  – You just got a pop-up asking for your password. Is that normal?
  – You got a pretty official-looking email from IT about resetting your password. Have you ever seen that before?
  – An IT person called you, but you didn’t put in any tickets. He wants to remote into your machine to “check stuff out”.

Phishing Examples
Phishing Example (screenshot slide)
Phishing Example (screenshot slide)
Phishing Example (screenshot slide)

Resources
• SPAM / Phishing
  – http://en.wikipedia.org/wiki/Phishing
• UNC Policies, Best Practices
  – http://www.unco.edu/cybersecurity/index.asp
• Government
  – http://www.dhs.gov/topic/cybersecurity
Protecting your information
• Obfuscation
• Encryption
• File Rights

Passwords
• Your first line of defense.
• No longer think of passwords; think of passphrases.
• #$46rD@! is able to be “cracked” in hours.
• “I like to take long walks in the park.......” would take many times the duration of the existence of the universe to solve.
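The slide’s two examples worked through in code, as an added example rather than the presenter’s figures: the guessing rate of 10^12 per second, the 95-character printable alphabet and the 20,000-word attacker dictionary are assumptions. The second, pessimistic model treats the passphrase as a run of common words rather than arbitrary characters, which is the caveat usually raised against passphrases; even under it the sentence from the slide stays far beyond the age of the universe.

```python
ALPHABET = 95                 # printable ASCII: letters, digits, punctuation, space
GUESSES_PER_SECOND = 1e12     # assumption: a large GPU rig against a fast, unsalted hash
VOCABULARY = 20_000           # assumption: size of the word list a passphrase attacker uses
SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 1.38e10

def years_to_exhaust(keyspace, rate=GUESSES_PER_SECOND):
    """Time to try every candidate; on average an attacker succeeds after half of them."""
    return keyspace / rate / SECONDS_PER_YEAR

def brute_force_years(secret):
    """Attacker knows only the length and tries every printable string of that length."""
    return years_to_exhaust(ALPHABET ** len(secret))

def wordlist_years(secret, vocabulary=VOCABULARY):
    """Pessimistic passphrase model: attacker guesses whole dictionary words, not characters.
    Returns None for a single-word secret, where the model does not apply."""
    words = secret.split()
    return years_to_exhaust(vocabulary ** len(words)) if len(words) > 1 else None

def describe(secret):
    """Summarise the cheaper of the two attacks in the units the slide uses."""
    years = brute_force_years(secret)
    if (w := wordlist_years(secret)) is not None:
        years = min(years, w)          # a real attacker picks the cheaper strategy
    seconds = years * SECONDS_PER_YEAR
    if seconds < 24 * 3600:
        return f"{seconds / 3600:.1f} hours"
    return f"{years / AGE_OF_UNIVERSE_YEARS:.1e} times the age of the universe"

if __name__ == "__main__":
    for secret in ("#$46rD@!", "I like to take long walks in the park......."):
        print(f"{secret!r}: {describe(secret)}")
```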
Passwords
• What’s the big deal with passwords?
A protected, rotated and good password will prevent the majority of people from accessing your physical computer and would prevent the majority of cloud hacks.

Password Management
• SplashID by SplashData
  – Windows, Mac
  – iOS, Android

Password Management
• Comcast Customers
  – Norton Security Suite Free
I did everything I was supposed to
• But they still got into my computer.
The second line of defense is your file permissions. We don’t typically deal with that except at the network level, but…

Obfuscation
• Aka hiding things. Here I just want to emphasize that you shouldn’t name confidential, personal, private, or secure information as such.
• Don’t have a folder on your computer called private, secure, etc.
• Don’t have a file on your computer called passwords.
Encryption
• Encrypting your mail traffic
• Encrypting your files in transit
• Encrypting your connections
Encrypting Mail
• Mail encryption is probably most easily done by using public/private key encryption.
This is not in wide use at this time within the institution. The benefit is that the mail message cannot be read unless the interceptor has the public key.
Protecting your files in transit
• This option allows for an individual to protect files they send with a key or password.
For example if I am sending a file over the internet but it contains something sensitive like my name, address, phone #, and social security # I will encrypt the file before I send it.
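Password-protecting a file before sending it, as the slide describes, written out as an added example that is not the presenter’s tooling. It assumes the third-party `cryptography` package is installed; the key is stretched from the password with PBKDF2 and the file is sealed with Fernet (AES-CBC plus HMAC), so a wrong password or a file altered on the way is rejected rather than decrypted into garbage. The sample contents in the test are constructed.

```python
import base64
import os
from cryptography.fernet import Fernet, InvalidToken   # third-party package, assumed installed
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

SALT_LEN = 16
KDF_ITERATIONS = 600_000   # slows offline password guessing; raise as hardware gets faster

def _key_from_password(password: str, salt: bytes) -> bytes:
    """Stretch a human password into the 32-byte, urlsafe-base64 key Fernet expects."""
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32, salt=salt, iterations=KDF_ITERATIONS)
    return base64.urlsafe_b64encode(kdf.derive(password.encode("utf-8")))

def encrypt_bytes(plaintext: bytes, password: str) -> bytes:
    """Return salt || token. A fresh random salt means the same password never reuses a key."""
    salt = os.urandom(SALT_LEN)
    return salt + Fernet(_key_from_password(password, salt)).encrypt(plaintext)

def decrypt_bytes(blob: bytes, password: str) -> bytes:
    """Inverse of encrypt_bytes. Fernet authenticates the ciphertext, so a wrong password
    or a modified file raises instead of silently returning garbage."""
    salt, token = blob[:SALT_LEN], blob[SALT_LEN:]
    try:
        return Fernet(_key_from_password(password, salt)).decrypt(token)
    except InvalidToken:
        raise ValueError("wrong password or the file was altered in transit") from None

def encrypt_file(src: str, dst: str, password: str) -> None:
    """Encrypt src into dst before attaching it to an email or upload."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(encrypt_bytes(data, password))

def decrypt_file(src: str, dst: str, password: str) -> None:
    """Recover the original file from a blob produced by encrypt_file."""
    with open(src, "rb") as f:
        blob = f.read()
    with open(dst, "wb") as f:
        f.write(decrypt_bytes(blob, password))
```

The password itself still has to reach the recipient by a different channel than the file, for example by phone.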

Encrypting your connection
Another excellent way to make sure you are protecting yourself is to encrypt your connection.
• You can use an encrypting proxy
• Many sites have learned to use HTTPS
• Make sure the site where you are entering passwords or sensitive or financial data uses encryption.

Securing your environment
• Close and lock your door
• Be aware of those around you
• Be aware of the time of year
• Do not leave sensitive data unsecured
• Do not leave your password out unsecured
• Do not leave your portable electronics unsecured

Securing your environment II
• Share security-related information
• Engage your coworkers about security
• Report suspicious activity or incidents
• Report losses
• Do not share your credentials
• Stay current with security concerns specific to your work or work environment.

Q&A
• What questions do you have?
• Are there topics you want to discuss?
• Can I demo something for you?
• Do you want additional training on any of the subjects covered?
• Do you want training on some other security-related topic?

Useful Links
• http://www.7-zip.org/
• https://lastpass.com/
• http://pwsafe.org/
• https://blog.protonmail.ch/
• https://www.youtube.com/watch?v=NeJky05BZaY