									Security Awareness 101a

                 Wayne Donald
       Information Technology Security Officer

               Randy Marchany
    Director – Information Technology Security Lab
 Why Worry About Security?
Viruses and trojans
Adware
Keyloggers
Disgruntled employees
Spyware and spam
Social engineering
Email
Qualified personnel
Browser hijackers
New technologies
Denial of service
Hackers
Phishing and pharming
Unintentional actions or lack of action
Identity theft
Worms
Audits
Hoaxes and scams
Bad passwords
Federal & State laws
Lack of training
    Why Security Awareness?

God put me on earth to
 accomplish a certain
 number of things.
 Right now I’m so far
 behind, I will never
Why Security Awareness?
Threats to Computer Systems
Threats By People
–   Unintentional Employee Action   50-60%
–   Intentional Employee Action     15-20%
–   Outside Actions                 1-3%
Physical & Environmental Threats
–   Fire Damage                     10-15%
–   Water Damage                    5-10%
–   Electrical Fluctuations         1-5%
–   Natural Disaster                1%
Other                               5-10%
  Top 10 Technology Issues
Funding Information Technology
Security and Identity Management
Administrative/ERP/Information Systems
Strategic Planning
Infrastructure Management
Faculty Development, Support, & Training
E-Learning/Distributed Teaching & Learning
Governance, Organization, and Leadership
Enterprise-Level Portals
Web Systems and Services
                                     EDUCAUSE 2005
      Today’s Presentation
Creating an awareness of the technology risks is
a step in helping the Virginia Tech user
community take necessary precautions
There is a need to be more proactive when it
comes to technology security
We need to understand that in many cases,
technology alone cannot solve security problems
Providing users with information that can be
used to help make their technology environment
more secure is a win-win situation
Does It Happen in Higher Education?
 Laptop with 98,000 names stolen at UC-Berkeley
 University of Northern Colorado missing hard drive with
 personal information
 Boston College reveals alumni data breach
 Students use “smart” phones to get answers to test
 Southern University says hundreds altered grades
 Hackers set up shop in State agency’s server
 Auditors find sensitive data on surplus computer
 Student installs device on teacher’s computer to sell tests
 An externally managed server at Tufts University compromised
 by hackers – impacting 106,000 alumni donors
 Carnegie Mellon business school reports data breach
 Hackers plot more phishing, mobile viruses
 University of Colorado computers breached for personal info
      Does It Happen At VT?
Faculty member loses 2 years research material (no backup)
Student accesses instructor’s machine and changes grade
A user falsifies PID to send threatening email
Confidential information found on surplus machine
Illegal copies of copyrighted software sold to users
Employee dismissed for using Tech system to run business
In a two-month period 6 machines stolen from buildings
Unsecured lab machine used as relay for an attack on a web site
Hundreds of users at Tech infected with virus via attachment
Illegal music and movie sites appear on Virginia Tech machines
Probes on Tech machines continue to increase monthly
Student gains access to office machine and manipulates systems
Student laptop stolen from table while he goes to restroom
   Why Higher Education?
Insecure machines
High bandwidth Internet
Sophisticated computing capacity
Unsophisticated user population
An “open” network security environment
Not enough policies regarding systems
Insufficient funding!
A Growing Concern: Malware
A generic term for bad software that ends up on
– Viruses and worms – either standalone or carried by
  a program, document, or image
– Trojan horses – malicious software that looks like
  you’re downloading something good
– Adware – designed to enhance the effectiveness of
  targeted advertising
– Spyware – gathers information about you and sends
  it to someone else – then comes the spam
    As much as 80-90% of today’s email is spam
A Growing Concern: Phishing
A scam technique that seeks to get
personal information (bank account, credit
card, user’s password, etc.)
– Basically a malicious form of “spam”
– Emails that appear to come from legitimate
  sources (online retailers, banks, etc.)
– Many will direct the user to a fake website
– Confirmation of your address may be made
  by you clicking on the “unsubscribe” option
 A New Concern: Pharming
A newer technique to obtain important
personal and financial information
– It can operate directly on users’ computers or
  on domain name servers
– Implants malicious software on a victim’s
  computer that sends the consumer to a bogus
  site even though they type in the correct
    An email contains a virus that installs small
    computer programs on users’ computers
     – Redirects the browser to the pharmer’s fake site
  Additional Security Threats
Gaining access to a printer (or basically any device on a
network) – Remote Control Programs
Which means hackers can access parking gates, sewer
systems, traffic lights, electronic signs – you name it!
Tiny storage devices such as pocketsize hard drives,
USB hard drives, and other memory media present new
Digital cameras as well as new “smart” phones provide
hackers and cheaters with additional tools
Handheld devices (BlackBerrys, for example) that
provide users with even greater access capabilities are
another threat
       What Can YOU Do?
 Recognize technology security is a major
 problem in any organization
 Understand that technology security is a
 process, not a product
 Consider making security an integral part
 of your organization

Take a proactive approach to technology
Some Steps to Ensure You Can
Have a More Secure Computing
        Operating System
An updated operating system helps protect your
computer from viruses, worms, and other threats
as they are discovered
With Windows you can utilize the Automatic
Update feature
– Click Start, and then click Control Panel
– If there is not an Automatic Update icon, click on the
  System icon and then click on Automatic Updates
If your preference is to do the updates manually,
visit the Windows Update site:
        Operating System
You can schedule updates for any time of the
However, your computer must be on for the
updates to be installed
We also recommend that it not be a time when you might
be doing other tasks
If you do select Automatic Updates and forget to
leave your computer on, you will receive a
notification and will have to install manually
          Internet Firewall
An internet firewall can help protect your
computer against hacker attacks
You can purchase firewall software but new
systems (both Windows and Mac) now come
with built-in firewall software
Click Start, and then click Control Panel – you
can then click on the Windows Firewall icon to
see the status
The firewall settings will prevent certain tasks so
each individual user may have to determine an
acceptable risk level
Antivirus software helps protect your computer
from “known” viruses
Antivirus software works by comparing files on
your computer against a file containing known
virus definitions
Click Start, and then click Programs to see if you
have antivirus software installed
– NOTE: Having two different antivirus programs
  installed on one computer can cause problems
Check the Virginia Tech antivirus site to
download free Symantec software –
        Other Precautions
A secure password is the first line of
Don’t assume physical security
A regular backup routine can ensure
recovery from an incident
Remember email is not secure
Be aware of social engineering activities
Accessing the web can bring unwanted
Passwords Help Ensure Privacy
 The purpose of a login process is to establish
 who you are, and establish a level of security
 If someone learns of your password, they can
 log on as you (and even share your password)
 If a person does something malicious while
 logged on as you, it will likely be blamed on you
 If you think someone knows your password –
 Password rules have become essential to help
 ensure privacy
Passwords Are Like Underwear
 Change yours often!
 Don’t leave yours lying around!
 The longer the better!
 Don’t share yours with friends!
 Be Mysterious!

(Compliments of University of Michigan)
           Physical Security
Don’t assume physical security!!!!
Anyplace with access to sensitive information:
– Key control and limited access
     Keep areas locked when necessary (rooms and file cabinets)
     Restrict access (physically and on systems)
– Be aware of how one uses the technology (position of
  keyboard and even monitor)
Report any suspicious activity
Remember – a stolen computer (and the data on
it) can be sold through various channels
   Regular Backup Routine
Hardware can be replaced
– Keep serial numbers in a secure location
Application software can be reloaded
– Know what you have installed
Data could be gone forever
– Ensure adequate backups for your systems
  are done on a regular basis
         Email Is Not Secure
A day-to-day necessity in our educational
environment today
Tech provides inbound/outbound filtering
Consider settings for your individual machine
Be aware of exposure and dangers with email
–   Unwanted email (Spam) or abusive email
–   Mail attachments – computer viruses
–   Request for confidential information
–   Email forgery
–   Ease of misaddressing
            Social Engineering
“The practice of gaining unauthorized access to systems
or information by manipulation of legitimate users”
Social engineers rely on the following:
–   clever manipulation of the natural human tendency to trust
–   the natural helpfulness of people
–   the fact that people are often not aware of the value of the
    information they possess and are careless about protecting it
Common types of social engineering:
–   Impersonation / Important user
–   Face-to-face manipulation to gain physical access
–   Email and attachments – spam, phishing, etc.
–   Even “dumpster diving”
          Social Engineering
Social engineering remains one of the greatest
threats to any system – hardware or software
It will always focus on the weakest link in the
security chain – the individual user
Prevention includes:
–   educating people about the value of information,
–   training them to protect it,
–   knowing who you are dealing with at all times, and
–   increasing people's awareness of how social
    engineers operate
                    Web Usage
If you are maintaining a web site and have confidential
information, be sure it’s a secure web site (https://..) –
you can contact the Web Hosting Service
When providing personal information on the web, know
who you are dealing with and that it’s secure
Downloading music/movies:
– The unauthorized reproduction and distribution of copyrighted
  music or movies is just as illegal as shoplifting a CD
– Programs such as KaZaA turn your computer into a distributor so
  people can download from your machine!
      Much more serious violation than just having an illegal copy
      Poses legal risks for you and the university
      Sometimes you don’t even know you are doing it
If Tech is contacted, YOU will be contacted
 KaZaA License Agreement
Why it can be a big risk for you and
Virginia Tech:
– “You hereby grant Brilliant Digital
  Entertainment the right to access and use the
  unused computing power and storage space
  on your computer/s and/or Internet access or
  bandwidth for the aggregation of content and
  use in distributed computing. The user
  acknowledges and authorizes this use without
  the right of compensation.”
Policy 2015: Acceptable Use (AUP)
 From that policy we have guidelines
 Acceptable Use Guidelines
 – http://www.policies.vt.edu/acceptableuse.html
 – States what you can and cannot do in the
   technology arena at Virginia Tech
 – Basically, you are responsible for anything
   that originates from your computer
 – AUP violations are taken as a serious offense
 Now required to check when issued PID
              Helpful References
Primary Virginia Tech machine vendors
– http://www.microsoft.com/security/it
– http://www.apple.com/security
Spyware tools
–   Ad-aware: http://www.lavasoftusa.com
–   Spybot Search & Destroy: http://security.kolla.de
–   Safe Networking: http://www.safenetworking.org
–   MacScan: http://macscan.securemac.com/
Virginia Tech sites
–   Security site: http://security.vt.edu
–   Computing site: http://computing.vt.edu
–   Engineering and Agriculture & Life Sciences sites
      Other Helpful References
CheckNet – individual system scanning available
from IT Security Lab
VA SCAN – Virginia Alliance for Secure Computing
and Networking
– http://www.vascan.org/
List of 100 best web sites for security
– http://www.uribe100.com/index100.htm
Professional Associations
–   http://www.educause.edu/security/
–   http://www.sans.org/
–   http://www.cisecurity.org/index.html
           IT Security Lab
The laboratory’s mission:
 Design, develop and implement training
 materials and classes for University
 technical and general users
 Test computer hardware and software for
 security vulnerabilities and provide
 guidance for addressing these
      Contact Information
Security web site: http://security.vt.edu
VT Computing site: http://computing.vt.edu

 IT Security Office and IT Security Lab
         1300 Torgersen Hall
   Wayne Donald – wdonald@vt.edu
 Randy Marchany – marchany@vt.edu
