IT Security
Most people understand their department and know how to use their tools to get their tasks done, but are isolated and unaware of security issues all around them. The weakest link in most security programs is people. To be part of the process and not part of the problem, you need to be knowledgeable and aware.
- Security awareness is recognizing what types of security issues and incidents may arise
Security is about People, Processes and Technology - Explaining existing policies and best practices
Security is more than just Technology – There is no Sec – ? – rity without U
Network eavesdropping
Data flows across networks every day, including passwords, private personal information, personnel records, email messages, financial documents, and more.
By default, data that flows across the network is not protected.
Hackers, malicious insiders, and others may want to steal that data and use it for their own advantage.
A hacker can tap into a network using a wireless device. This is known as war driving: a hacker can quite literally build a device that lets them park in front of a building or your home and gain access to the network while sitting in their car.
Secure Your Wireless Network
- Your operating system will tell you if a wireless network is secured or not.
- You should not connect to an insecure network because the data that you send out would be available to everyone around you!
Wireless networks are extremely convenient, but that convenience comes at a price: security. With a traditional wired network, data is channelled through cables and cannot be easily intercepted. With a wireless network, data is beamed through the sky and can be more easily intercepted – unless, that is, you have appropriate security measures in place.
Passwords
There are several things you should be aware of concerning password security.
Passwords can be, and often are, written down by users who have trouble remembering them. Passwords are also increasingly stored electronically, on PDAs or mobile phones. Do not leave passwords recorded anywhere for others to find.
Social engineering and Phishing scams
These scams can trick a user into disclosing a password simply by asking for it in some way (e.g. a caller posing as a helpdesk employee).
Key-logging:
Passwords can be intercepted by key-loggers (hardware or software) and then transmitted to other people.
Shoulder surfing:
Shoulder surfing refers to using direct observation techniques, such as looking over someone’s shoulder, to get information. Shoulder surfing is particularly effective in crowded places because it is relatively easy to observe someone as they:
- Fill out a form
- Enter their PIN at a cash machine or a POS terminal
- Use a calling card at a public pay phone
- Enter passwords at a cybercafe, public and university libraries, or airport kiosks.
- Enter a code for a rented locker in a public place such as a swimming pool or airport
Shoulder surfing can also be done at a distance using binoculars or other vision-enhancing devices. Inexpensive, miniature closed-circuit television cameras can be concealed in ceilings, walls or fixtures to observe data entry. To prevent shoulder surfing, it is advised to shield paperwork or the keypad from view by using one’s body or cupping one’s hand.
Cracking:
Passwords can be cracked, especially if they are short (although "short" is a relative concept, taking into account the increased computing power available today).
Guessing:
Passwords can be guessed, e.g. if no strong password policy is enforced.
To counter guessing, quite simply, passwords need to be made as long and as complex as is practicable. They should:
- Be significantly different from your previous passwords.
- Not contain your own name or user name (nor the name of a spouse, children, pets, etc.).
- Have at least one symbol character in the second through sixth positions.
Packet Sniffing:
Passwords can be sniffed, i.e. intercepted while in transit between a PC and a server (e.g. on the Internet).
Packet sniffing is the monitoring of data traffic on a computer network. Computers communicate over the Internet by breaking up messages (emails, images, videos, web pages, files, etc.) into small chunks called “packets”, which are routed through a network of computers until they reach their destination, where they are assembled back into a complete “message” again. Packet sniffers are programs that intercept these packets as they travel through the network so that their contents can be examined using other programs. A packet sniffer is an information gathering tool, not an analysis tool. That is, it gathers “messages” but it does not analyze them and figure out what they mean.
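The following is an added example (not part of the original lesson) showing what a sniffer actually sees when an unprotected login crosses the network. It constructs a single IPv4/TCP packet carrying a plaintext HTTP form submission, parses the headers back out, and then reports which form field names are readable in the clear. The addresses, port and the `intranet.example` host name are constructed sample values; checksums are left at zero because the point is the readability of the payload, not a valid packet.

```python
import socket
import struct
from urllib.parse import parse_qs

# Constructed sample: a login form submitted over plain HTTP (no TLS).
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"username=alice&password=hunter2"
)

IP_FMT = "!BBHHHBBH4s4s"     # version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst
TCP_FMT = "!HHIIBBHHH"       # sport, dport, seq, ack, data offset/reserved, flags, window, csum, urgent


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Assemble a minimal IPv4+TCP packet around `payload` (checksums zeroed, illustration only)."""
    tcp_hdr = struct.pack(TCP_FMT, sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)  # PSH|ACK
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack(IP_FMT, 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(packet):
    """Decode the IPv4 and TCP headers and return the addressing plus the raw payload."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if proto != 6:
        raise ValueError("not a TCP segment")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = packet[ihl:total_len]
    sport, dport, _seq, _ack, off_res, _flags, _win, _tcsum, _urg = struct.unpack(TCP_FMT, tcp[:20])
    data_offset = (off_res >> 4) * 4
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "sport": sport,
        "dport": dport,
        "payload": tcp[data_offset:],
    }


def plaintext_form_fields(payload):
    """Return the form field names visible in the clear if `payload` is an HTTP request with a
    URL-encoded body; an empty list means nothing recognisable (e.g. encrypted TLS records)."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return []
    head, sep, body = text.partition("\r\n\r\n")
    if not sep or not head.startswith(("POST ", "GET ", "PUT ")):
        return []
    return sorted(parse_qs(body).keys())


if __name__ == "__main__":
    pkt = build_ipv4_tcp("192.0.2.10", "192.0.2.80", 51000, 80, SAMPLE_REQUEST)
    parsed = parse_ipv4_tcp(pkt)
    print(f"{parsed['src']}:{parsed['sport']} -> {parsed['dst']}:{parsed['dport']}")
    print("fields sent in clear:", plaintext_form_fields(parsed["payload"]))
```

Run over a real capture, `plaintext_form_fields` is the kind of check an administrator uses to find internal applications that still accept logins over plain HTTP; once the same login goes over HTTPS, the payload is an opaque TLS record and the function returns an empty list.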
Resetting:
Passwords can be reset (which is often easier than cracking a password). If you have created a password reset disk for your computer, always ensure that it is stored safely: anyone can use this disk to reset your password, no matter how many times you have changed your password since the disk was created.
Password Best Practice
You should not include personal information in your password, such as your birthday, the name of your dog, favourite sports team, etc.
- Use as many characters as possible; the longer the password, the harder it is to crack.
- Phrases are better than passwords, e.g. ‘Your company is #No1’
- Do not use dictionary words in any language
- Do not use easily guessed patterns (1234, 1bcd, qwerty, etc.)
- Use a mix of upper and lower case letters, numbers and special characters
- Change your password as often as possible.
Threats and Frauds
Threats
The trends in the use of World Wide Web technology are changing with the aim of enhancing creativity, information sharing and collaboration among users.
But it also comes with new Risks, Threats and Fraud!
Malware
Malware stands for ‘Malicious Software’. It includes any program or file that is designed to do harm. To distribute it, hackers will often hide it inside other programs on websites or send it to you by e-mail. Malware includes:
- Viruses and Worms
- Trojan Horses
- Adware and Spyware
- Phishing / Pharming
- Spam and Hoax letters
Types of Malware
Malware can give a hacker remote access to your system, allowing data to be sent to the hacker, and it can disable anti-virus and firewall software so that it can go on to infect others.
Pharming
Pharming is an attack in which a user can be fooled into entering sensitive data such as a password or credit card number into a malicious web site that impersonates a legitimate web site. The attacker does not have to rely on the user clicking a link in an email: even if the user correctly enters a URL (web address) into the browser’s address bar, the attacker can still redirect the user to a malicious web site.
Adware
Adware stands for ‘Advertising Supported Software’. It refers to any software that automatically plays, displays or downloads advertisements. These adverts are seen after software is installed on a computer or while the application is being used.
Viruses
A virus is a malicious computer program that can copy itself and infect a computer by corrupting or modifying files. It does this without the permission or knowledge of the user. A virus replicates itself by attaching to another object, e.g. via e-mail attachments, internet downloads, diskettes, CDs, etc.
Spyware
Spyware is software that is used to gather information about a person or organization without their knowledge. Spyware displays advertisements related to what it finds from spying on you. This is called ‘Targeted advertising’.
Phishing
An e-mail that masquerades as a legitimate contact from a business or organization in an attempt to steal personal or financial information is called Phishing. Phishing often states that there is a problem or threatens to terminate an account if you do not respond.
Spam
Spam is unsolicited e-mail on the Internet. In almost all cases, the sender’s address is ‘spoofed’, i.e. it pretends to be from a legitimate sender. Spam is a common carrier of malicious code. It is difficult to stop completely without occasionally blocking a valid mail as well.
Trojan Horses
These are delivery vehicles for malicious or destructive computer programs, similar to viruses or worms. Hackers, virus writers, and even advertisers can embed malicious code into any program or file that appears to be harmless or useful, such as an animation or video game.
Worms
A worm is a malicious computer program, like a virus, but a worm can spread itself without any user interaction. Worms are usually more dangerous than viruses as they can cause harm to the network. Worms are also invisible to the user.
Antivirus Software
Regardless of the type of anti-virus software running on your PC, it should have the following characteristics.
- An antivirus detector that continuously monitors your system.
- An email scanner that detects viruses in incoming emails.
- An update manager which ensures your virus database is up to date. You can also update the database now rather than waiting for periodic updates.
Do not permit activities which can distribute viruses such as peer-to-peer file sharing from your computer. Also scan all new files, such as those on CDs, DVDs, USB drives, flash memory sticks, and diskettes.
Malware Examples
Adware / Spyware
Adware / Spyware comes in many different forms. A common approach is to try to get you to click on a button which will install the malware onto your computer.
Do not install ‘Free Anti-Spyware’ software or software claiming to speed up your PC; it is usually spyware itself. Pop-up windows should be closed down immediately.
Never click on links that you receive through Instant Messaging software either. Again this is probably a hidden installation of Spyware or Adware.
Phishing Attacks
A classic phishing attack will often state that there is a problem and threaten to terminate an account if you do not respond by installing software or entering account details on another site. If you look at the properties of the sender, it appears genuine, BUT if you hover over the link you can see that it clearly points to another domain (the example in the lesson uses www.tsb.co.uk).
Never install unauthorized software on your PC or reply to an email with personal or financial information. If you fear you may be a victim of phishing, contact the appropriate financial institution etc.
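The "hover over the link" check can be automated for a whole mailbox. The following is an added example (not part of the original lesson) that parses the HTML of a message, collects every link together with its visible text, and flags links whose visible text names one domain while the `href` really points to another, as well as links that lead outside the claimed sender's domain. The sample message, the `example-bank.co.uk` sender and the `.test` attacker domain are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the visible text claims the bank's site, the href goes elsewhere.
SAMPLE_HTML = """
<p>Dear customer, your account will be terminated unless you verify it within 24 hours.</p>
<p>Visit <a href="http://secure-login.example-phish.test/verify">www.example-bank.co.uk</a> now.</p>
<p>Questions? <a href="https://www.example-bank.co.uk/help">Contact us</a> or
<a href="mailto:help@example-bank.co.uk">email support</a>.</p>
"""

# Assumed list of second-level labels under two-letter country codes (example.co.uk, example.ac.uk).
SECOND_LEVEL = {"co", "ac", "gov", "org", "net", "com"}


def registered_domain(host):
    """Reduce a host name to the part a user would recognise as 'the site' (naive public-suffix logic)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(value):
    """Host name of an http(s) URL or of a bare domain-looking string; None for anything else."""
    value = value.strip()
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https"):
        return parsed.hostname
    if parsed.scheme == "" and "." in value and " " not in value:
        return urlparse("http://" + value).hostname
    return None


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_suspicious_links(html, sender_domain):
    """Return (href, reason) pairs for links that do not go where they appear to go."""
    collector = _LinkCollector()
    collector.feed(html)
    sender_reg = registered_domain(sender_domain)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if target is None:          # mailto:, relative links etc. are not web destinations
            continue
        target_reg = registered_domain(target)
        text_host = host_of(text)
        # Rule 1: the visible text shows a domain that differs from the real destination.
        if text_host and registered_domain(text_host) != target_reg:
            findings.append((href, f"displayed as {text_host} but goes to {target}"))
        # Rule 2: the link leads outside the domain the message claims to come from.
        if target_reg != sender_reg:
            findings.append((href, f"points outside sender domain {sender_domain}"))
    return findings


if __name__ == "__main__":
    for href, reason in find_suspicious_links(SAMPLE_HTML, "example-bank.co.uk"):
        print(f"SUSPICIOUS {href}: {reason}")
```

The public-suffix logic here is deliberately naive; a mail gateway would use the full public suffix list so that, for example, `login.example.co.uk` and `www.example.co.uk` are recognised as the same site while `example.co.uk.attacker.test` is not.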
Pharming Attacks
In a pharming attack, a hacker redirects a legitimate website’s traffic to another web site. At that site they can steal your financial or personal details, typically via a registration form.
Pharming conscious websites typically use the HTTPS web protocol on their login page to allow the user to verify the web site’s identity.
If an attacker attempts to impersonate a site using HTTPS, the user will receive a message from the browser indicating that the web site’s “certificate” does not match the address being visited.
Under these circumstances you should never proceed and press “No”. You will return to the previous page.
Spam Email
Spam email is often (although NOT ALWAYS) redirected to your “Junk” email folder or else quarantined on the company mail server.
- Do not open unsolicited messages, just delete them.
- Be very wary of emails with links on them, especially when they link to other domains.
- Do not reply to emails trying to sell you something if the supplier is unknown to you.
- Do not respond to emails from financial institutions. Reputable organisations will never ask you for account details etc by email.
- Never open mail that has “Re:” in the subject line if you did not originally send a message to that address.
- Do not post your email on any websites and do not use a second disposable email account from providers such as hotmail or yahoo as this will greatly increase the amount of junk mail you get.
- Do not forward chain letters
Email Golden Rules
Remember these golden rules surrounding email:
- Never open unfamiliar “RE:” emails.
- Do not put your email on the web (e.g. Facebook, Twitter etc.)
- Do not use free mailboxes such as Hotmail or Yahoo for work emails.
- Ignore chain letters.
- Be wary of replying to spam messages or clicking ‘unsubscribe’.
- Do not send personal or financial data via email.
Install latest patches
It is very important to keep your Operating System up to date with the very latest updates, service packs and patches. Ensure that updates are downloaded automatically.