Managing Security Risks

Presented by
Mark Reynolds
DOIT Information Security

Managing Risk

   Top 10 Threats – 2008
   Social Engineering – Are You Gullible?
   Shreducini Alfredo – Information Disposal
   Rogue Software
   Identity Management – Who Are You?
   Staying Out of Bad Neighborhoods
   Questions
Top 10 Threats - 2008

1. Increasingly sophisticated web site attacks that exploit browser vulnerabilities.
2. Increasing sophistication and effectiveness in botnets.
3. Cyber espionage efforts by well-resourced organizations looking to extract large amounts of data – targeted phishing.
4. Mobile Phones, iPhones, VOIP

Top 10 Threats - 2008

5. Insider Attacks
6. Advanced Identity Theft
7. Increasingly Malicious Spyware
8. Web Application Security Exploits
9. Blended Social Engineering
10. Supply Chain Consumer Devices
Social Engineering
Are You Gullible?

Social Engineering
Are You Gullible?
   But They Look So Real!

Social Engineering
Are You Gullible?
   Credit Cards, Banks

Shreducini Alfredo
Information Disposal
   What data elements are in scope?
       SSN, Tax Records
       Financial (bank accounts, routing numbers)
       Credit Card Account Numbers
       Personal Financial or Health Related Info
       Source Code
       Network Diagrams
       Your Pay Stub
Rogue Anti-Software

   Adware/Spyware
   Registry Cleaners
   Disk Wipers/Data Eradicators
   Performance Enhancers
   Anti-Virus
   http://malwaredatabase.net/blog/index.php/tag/rogue-security-software

Rogue Security Software

Rogue Security Software
   Falsely claiming to have scanned users' PCs remotely and detected "spyware"
   Using high-pressure sales tactics through pop-ups and spam to compel users to buy its applications
   Selling an "anti-spyware" product that falsely detects "spyware" on users' PCs
   Selling an "anti-spyware" product that fails to remove a substantial amount of "spyware" from users' PCs
From the DOIT IPS Logs
Who Are You, Anyway?

   Construction Techniques
       Minimum 8 Characters
       Combination of Upper/Lower Case, Numbers, Special Characters (?!@#$_)
       No Dictionary Words in Any Part of Password
       Change it Often
       Do NOT Write it Down, Memorize Instead

Who Are You, Anyway?
   Associative Memory Technique
       Favorite Topic, Area of Interest, State of Mind
       Are You an Automobile Fanatic? Examples
       First Car - 67 Ford Galaxy 500 Convertible = f067G@!xe
       Taste in Music? i!0v3bLuz
       Have Numerous Passwords to Remember? Document and Encrypt with a Single Passphrase, Changed Often.
Stay Out of Bad Neighborhoods
   Don't use your computer logged in with privileges any higher than "User".
   Don't click on links from emails or IMs unless you are 100% sure that they are valid and safe.
   When possible, type the address in yourself.
   Verify links before clicking on them by making sure that they take you where they say they are going to take you. You can do this by putting your mouse over them and checking the browser status bar, or by looking at the page source.

Stay Out of Bad Neighborhoods
   Be very wary of shortened links that are created with things such as TinyURL.
   Use Firefox or another alternative browser instead of Internet Explorer.
   If offered by your browser community, use things such as "NoScript" and "ad blocker".
   Stay off web sites that are known for serving up malware (porn, gambling, hacker, etc.).
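The two link checks above (does the visible text match where the link really goes, and is it a shortener such as TinyURL) can be automated over a page's source. This is an added example, not part of the original slides: the sample HTML, the hostnames in it, the shortener list and the "last two labels" root-domain heuristic are all constructed assumptions for the demo.

```python
"""Flag <a> links whose visible text disagrees with their real destination.
Added example, not from the slides: it automates the deck's hover/page-source
check and its warning about shorteners. Sample HTML and hosts are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENER_HOSTS = {"tinyurl.com", "bit.ly"}  # constructed list; the deck names TinyURL

def _host(url):
    """Lower-cased host of a URL, or '' when the string has no host."""
    return (urlparse(url.strip()).hostname or "").lower()

def _displayed_host(text):
    """Host implied by visible link text; '' for plain words such as 'click here'."""
    if "." not in text or " " in text.strip():
        return ""
    return _host(text if "://" in text else "http://" + text)

class _LinkCollector(HTMLParser):
    # Collect (href, visible text) pairs for every <a> element in the page source.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Return (href, text, reason) triples for links that deserve a second look."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target, shown = _host(href), _displayed_host(text)
        if target in SHORTENER_HOSTS:
            findings.append((href, text, "shortened link hides the destination"))
        elif shown and shown.split(".")[-2:] != target.split(".")[-2:]:  # crude root-domain compare
            findings.append((href, text, "visible text names a different site than href"))
    return findings

# Constructed sample: a spoofed bank link, a shortened link and an honest link.
SAMPLE_HTML = ('<p>Please <a href="http://attacker.example/login">www.mybank.example/login</a> to confirm. '
               'See <a href="https://tinyurl.com/abc123">this notice</a> or <a href="https://www.ct.gov/">www.ct.gov</a>.</p>')
```

Running `check_links(SAMPLE_HTML)` reports the spoofed bank link and the shortened link and leaves the honest ct.gov link alone; the root-domain heuristic is deliberately simple and will misjudge multi-label public suffixes such as co.uk.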
Questions

   Mark.Reynolds@ct.gov
   860-622-2448
   860-622-1719 mobile