cyber rugged 2/2/2011 · 2/2/2011 1 _ ... cybersecurity or computer groups: local chapters...

2/2/2011

1

____ _____

The Basics of Cybersecurity for the Information Age

Prepared as a public service by the IT professionals of:

Greater New Orleans ISACA Chapter

Infragard Southeast Louisiana Membership Alliance

Cybersecurity Workshop Outline

Note: Most images used in this presentation were downloaded, with thanks, from http://www.veezzle.com/ a site for free stock photos. This presentation is in compliance with the conditions of use on their and associated websites. No part of this presentation may be sold. Three images were used from http://www.scroogle.org/th/thumbs.html .

For instructors: This class is:• 120 minutes long, averaging 10 minutes per topic+2 minute review, 2‐10 minutes per slide = 12‐ 50 slides pictures &/or videos. • Inspire people by showing them where they are now (what level, idea, knowledge) and where they will go—what their goal is. • View the 18 minute video on teaching without a teacher. Note how he uses Powerpoint slides. http://www.ted.com/talks/sugata_mitra_the_child_driven_education.html• View the 1 hour video on creating good presentations. http://ted.streamguys.net/tedxresources/TEDxLearningSeries_Presentation.wmv• Mouse Mischief add on for teachers: http://www.microsoft.com/multipoint/mouse‐mischief/•If presenting this show in person you may want to add your name and credentials for a ONE MINUTE (time yourself) introduction of yourself and your experience in cybersecurity.

Introduction: The Internet (World Wide Web or WWW) is somewhat like the rugged Wild West (WW !!) of 150 years ago. There is little guidance, there are few laws, many of the laws that do exist are untested in courts. Do you feel like you are on your own in a lawless land? Are you confused about computers, afraid of the Internet for yourself or your family? Worried about what you should or should not do online? Are you overwhelmed by all the contradictory information, or lack of concrete information? Would you like some framework to corral the wild Internet?

Goal: The goal of this presentation is to give you reasonable confidence about Internet safety and help you prioritize the most critical steps to protecting your family. You will learn a basis to develop a personalized map to self resiliency and responsible use of computers for you and your family. You will become Cyber Rugged ! We will help you learn to find responsible cybersecurity resources to make informed decisions about cyber safety.

Teachers: We are not teachers. Your input on design and approach is welcomed in continually updating this material.

Blog and email: http://cyberrugged.wordpad.com for questions and updates or [email protected].

1

Becoming Cyber Rugged

2/2/2011

2

____ _____

This material was developed in fall 2010 as a public service bycybersecurity professionals from:

•ISACA•Infragard•ISECOM

Today’s presentation for NOPC is being given by:

Lydia Lourbacos CISSP+CAP, CISM, CISA, GCIH, GCFA, President GNO

ISACA

2/2/2011

There are two objectives: To inspire you to learn more and to help you answer 10 basic questions for yourself and your family. All learning is built on pre‐existing knowledge. This material will take existing knowledge and use it to help you become a rugged, resilient homesteader in the information age. There are no “experts”. Nobody knows it all, because there is too much to know, it changes too fast, and cybersecurity is an immature discipline. Just as two hours are not enough to clear the land, plant the crops and build a house on a physical frontier, this class isn’t enough time to learn everything to live safely on the digital frontier. We could easily spend a day on each domain, and would still not cover it all. It will however, lay a strong foundation for finding what you need, when you need it. You CAN be rugged and resilient in the Wild Cyber West.

This slideshow is prepared free of charge as a community service by member of local non‐profit cybersecurity or computer groups: local chapters of ISACA, Infragard, ISECOM, and local Personal Computer Clubs.

We endorse no commercial products. Only free, open source, public domain and creative commons programs or applications are suggested. These are suggestions only and not endorsements or recommendations. If commercial vendors are mentioned it is because they have significant free resources available. We do not suggest anyone reading or attending these presentations buy any products produced by any commercial vendors mentioned.

2


2/2/2011

3

____ _____

I.

II. III.

IV.

V. VI. VII.

VIII

IX.

X.

2/2/2011 3

Prepared by GNO ISACA & ISELAMA: Fall 2010

Cyber Rugged means knowing the answers to these questions for yourself and family:

Theme: These 10 domains of knowledge describe the different aspects of using computers and the Internet. They all overlap and link to one another to various degrees, so they cannot stand alone. However, fundamental to each one and underlying it, is that every single one of these domains deals with data and information about you, in one way or another.

I. Information (Slide 4) What am I protecting?II. Threats (Slide 12) Who am I protecting my information from? III. Risk (Slide 16) How do I determine what is really in danger?IV. Access (Slide 18) How do I minimize the attack surface?V. Internet (Slide 22) Why is the Internet dangerous, why now, not before?VI. Technology (Slide 27) What difference does equipment make?VII. Programs (Slide 31) Why are programs dangerous?VIII. Remote (Slide 35) How is remote use different?IX. Pre‐Plan (Slide 36) How do I prepare for an e‐Crisis?X. Recovery (Slide 39) What do I do when something happens?

Each domain contains:Situational Awareness—evaluate where I am nowRugged is…‐‐ how do I get betterTheme (goal) of this section and new ConceptsMaterial for the domain (section)Actions (Good habits): ‐‐ steps to take that make a differenceQuestions to think about – there are no final answers; nothing works for everyone on every issue; decide

what is best for youResources—where to find more information; where to get programs, utilities, applications

3


Concepts for the Digital Age

Data A$$et Ubiquity No Privacy Identity Convergence

6. Speed7. Sphere8. Anonymity9. Images10. The Cloud

These new technical concepts are scattered throughout this handout, but here they are in summary:

1. Data is an asset. Data has monetary value. YOUR data can be sold for money. Do you know the value of your data? To you? To crooks?

2. Ubiquity: computers in chips or devices are everywhere from Radio Frequency Identification chips in passports or library books, to automotive controls, to video game controllers, to pacemakers to utility meters, to refrigerators. They are in devices that we don’t think of as being “computers”.

3. Data Privacy: once information is on the Internet it is there forever. You cannot get it back, eliminate it, erase it.

4. Digital Identity: You can be stolen. This has never before been possible to such an extent. In the past “impersonation” or forgery were physically limited, but no more.

5. Convergence: now a single smartphone can perform the functions of what 10+ separate devices did only 10 years ago.

6. Speed of Communication is instantaneous. Digital acquaintanceships and friendships are formed in hours or days instead of months and years. Young people are eschewing slow, old fashioned email for immediate gratification of text messaging. Facebook and others allow communication of lots of information, to many people instantaneously.

7. Sphere of communication is global. A child’s new “friend” may be around the world. “On the Internet, nobody knows you’re a dog”.

8. Anonymity in communication: there is no easy way to make sure the person at the other end of a website or email is who they say they are. Anonymity and isolation of computer communication release behavioral inhibitions.

9. Images are searchable: new technology is making images searchable. A photo posted on the Internet can be indexed and correlated with other images that may have personal data associated with it.

10. The Cloud: Huge, centralized, data centers, acres in size, that store email, backups, medical information and more. If you have an email account what you have sent via email is stored in the Cloud.

2/2/2011

5

____ _____

2/2/2011 5


CybersecurityI. Information—What am I protecting?Situational Awareness: List the digital information necessary to your life (Take 1 minute to jot them down in the

margins of the handout).

Being rugged is…1. Understanding that information is now an asset like material things are assets.2. Being aware of the other types of digital information and issues that can affect your life.

Theme: You are represented in the digital world by bits and pieces of data about you. Individually, they may be harmless, however, when put together the collective data becomes INFORMATION that describes you. Personal Information on and off computers can be used to steal your identity, to steal money through online transactions, it can affect your reputation, it can wreak havoc in your life. It can take 2‐3 years to recover from identity theft. In this domain we’re going to cover how information has become an entirely new concept; that of an asset in the information age. We will describe the types of information stored in cyberspace about each of us. At the end, you will have a good overview and be able to identify what is most critical in your circumstances.

Safety from cyber space threats is also about you. It is about what you believe and how those beliefs cause you to act that may create a danger This is a new world with new concepts that our parents did not know and could not teach us about. You can learn, and teach your children and grandchildren.

This information is an attempt to motivate you to take the actions presented here and use them at home and work. Action stems from knowing the current reality (situational awareness), knowing it can be different, wanting a result, and believing that a given action will accomplish that result. We’re on a new frontier and in a new age. Everyone wants to be safe in the digital age and the actions presented here are easy to do and will help everyone be safer. Try these things out at home then pioneer! Go further and help others. Tell your neighbors, help them get some of these programs and install them. Tell your friends, your children’s teachers and have them promise to tell two more people.

5


2/2/2011

6

____ _____

Physical Assets Digital Assets

2/2/2011

6


I. Information –What am I protecting? Digital Assets

Concepts: Computers are everywhere; Data is an ASSET; Digital Privacy; Identity is MoneySituational Awareness: What is an asset?

Theme: This is a new concept for the information age: like Time (time can be turned into money by work), digital information is an asset that can be turned into money. Many of our assets can be digitized and stored in computers, The impact of computers on our lives, is enormous.A. Digital information Impact ‐‐Your Daily Life: almost 1/3 of the entire world population is on the

Internet. 2 billion out of 6.9 billion.1. All humans are affected, even those without computersa. Money – banking, mortgages, titles, stocks: recorded and tracked digitally. Digital

money is replacing cash.b. Phones – telecommunication: all digitalc. Commerce – stores, restaurants, transportation: credit cards etcd. Medical – hospitals, doctors offices: records are stored digitally (scanned) e. Government ‐‐ licenses, taxes, disbursements: records are being digitizedf. TV is now digitalg. Older people – can’t get to bank so bank online digitallyh. Countries are doing away with cash; all monetary transactions are digitali. 17 sectors of the economy: all dependent on computers.

As of 10/21/2010, the amount of money lost by businesses to all kinds of fraud rose over the past 12 months to $1.7 million per billion dollars of sales, with electronic theft surpassing physical theft.*

Actions (Good habits)1. Awareness and acceptance of the new concept that digital assets are worth money like gems or other

things are worth money.2. Inventory your own digital assets; assign them a value, even a relative value. Prioritize your digital

assets.3. Develop a plan to protect the most valuable digital assets

Questions to Think About• Name five daily activities that aren’t affected by computers. • How much data describes you? • How much is needed to uniquely identify you? • Where do cybercriminals, marketers, pollsters, statisticians get their information from?• Is the Internet free?• Is everything you can get on the Internet free? Should it be?• Is there any use to a computer without information?

*http://news.cnet.com/8301‐1009_3‐20019999‐83.html

6


2/2/2011

7

____ _____

Non‐Sensitive Information

2/2/2011 7Prepared by GNO ISACA & ISELAMA: Fall 2010

I. Information –What am I protecting? Non‐sensitive personal assets

Situational Awareness: List digital information about you that is not sensitive. How would you restore or replace it?

Theme: There are digital assets with non‐monetary value.

B. Types of Digital Information–1. Non‐Sensitive ‐‐ Personally meaningful but not economically valuable

a. Photographsb. Scrapbooksc. Family recipesd. Ability to prove your identity in an emergency (utility bills)e. Communication – email, text messages, videos

How do you put a dollar value on non‐sensitive information?a. Cost of personal time to recover information (hourly salary)b. Cost to change accounts, overdraft fees, etcc. Emotional valued. Legal cost to hire a lawyere. Reputation (credit history, employers, background clearances)

Actions (Good habits)• Make and store copies on multiple media types.

Questions to Think About• How much is an individual’s personal information worth? To whom?• How long is this information valuable for? Months? Years? Life? After death?• How long do different types of media last? A tape? CD? Paper? USB? Hard drive?• How will you read digital media in a year? Five years? 30 years?

7


2/2/2011

8

____ _____

Personally Identifiable Information (PII)


I. Information–What am I protecting? Personally Identifiable Information (PII)

Situational Awareness: What is the value of PII?

Theme: Recognize PII as an asset that must be identified and protected. There is no clear legal definition of PII, but various legal bodies are working on it. Massachusetts has the most well defined laws about PII. Several are in Congress.

B. Types of Digital Information (continued)2. Identity ‐‐Personally Identifiable Information (PII) ‐‐ Any combination of items that uniquely identifies a person (name, phone, address, social security number, drivers license number, date of birth, mother’s maiden name, passport number).

a. Financially sensitive, accounts, credit cards, stocksb. Legally sensitive – arrests, reputation, libel, slanderc. Medically sensitive (physical or mental)d. Personally sensitive (name, address, phone)e. Emotionally sensitive (behavior, infidelity, family actions or secrets)f. Online behavior (surfing patterns, email, web access)

Questions to Think AboutHow long is digital information an asset?What else can be used to identify you uniquely?

Resources: (search on recovering from identity theft, data vs. information, data mining, privacy, personally identifiable information, HIPAA, HiTech Act) Please note that the commercial sites listed is not an endorsement of or recommendation for any paid products or services. They simply have free information that may be useful.

US Government: http://www.ftc.gov/bcp/edu/microsites/idtheft/ (one of the best sites on identity theft)

Non‐profit:http://www.idtheftcenter.org/

8


2/2/2011

9

____ _____

I. Information ‐‐ continuedResources (continued):

Free: 3 annual credit reports: https://www.ANNUALcreditreport.com/cra/index.jsp The wizard on this link prints out all three at once. You only have 30 minutes to print your report, so make sure the printer is working, has ink, paper etc first. (Hint: use one every 4 months. To run one every 4 months, go to the website of the individual credit bureau and print out the free copy from that credit bureau. Go to the 2nd credit bureau in 4 months and to the 3rd, 4 months after that one.)

Medical records rights: http://patientprivacyrights.org/

Lifespan of Home Burned CDs & DVDs: 2‐5 years; Store standing on edge in a cool dark place. http://www.computerworld.com/s/article/107607/Storage_expert_warns_of_short_life_span_for_burned_CDs

Non‐technical newsletters with excellent information:Brian Krebs (former reporter for the Washington Post): http://KrebsOnSecurity.comSANS Newsbites: (free account registration required): https://www.sans.org/newsletters/

9


2/2/2011

10

____ _____

1234-4567-7890-1234 (16)

123-45-6789 (9)

12-03-1990 (8)

123-456-7890 (10)2/2/2011 10Prepared by GNO ISACA & ISELAMA: Fall 2010

I. Information ‐‐What am I protecting? Online Privacy

Situational Awareness: There is little privacy on the Internet for anyone.

Theme: Because we interact with the computer alone we have a sense of privacy and intimacy around computers. Everything online is recorded somewhere by someone.

B. Types of Digital Information (continued)4. Privacy – your actions, physically and digitallya. Digital tailing – tracking what you do online.b. The Cloud – Large centrally located computer storage data centers in US/ abroad.c. Data mining: Search for specific patterns of data (see slide)d. Smart Grid Privacy 10/2010—utilities connected to Internet could provide information on customer daily schedules, activities, and to identify specific devices in your homee. Marketing databases , insurance companies, employers, credit card companies– can and do collect a lot. Discount cards cost “loss of privacy”.i. Using cookiesii. Posts on Facebook,You Tube and other social mediaiii. Mailing listsiv. Coupons (free/discounts in exchange for privacy information)iv. Email, including requests to unsubscribe and out of office messages5. Digital reputation (Adults –would you want everything you did when younger, available to the world? Teens – think of the most embarrassing thing you have done in your past. Would you want the world to know about that? Or would you want the grace to start over again?) Privacy means only you know it.

Resources on Privacy:• Electronic Frontier Foundation: http://www.eff.org/ • For Teachers: http://www.teachingcopyright.org/EFF Top 12 Ways to Protect Your Online Privacy: http://www.eff.org/wp/effs‐top‐12‐ways‐protect‐your‐

online‐privacy • http://privacy.org/• Privacy International: http://www.privacyinternational.org/article.shtml?cmd[347]=x‐347‐559062• Ponemon Institute: http://www.ponemon.org/index.php (links from this site lead to others with

excellent information)• Privacy Rights Clearinghouse: http://www.privacyrights.org/ • Smart Grid Privacy Recommendations:

http://www.gc.energy.gov/documents/Broadband_Report_Data_Privacy_10_5.pdf

10


2/2/2011

11

____ _____


I. Information –What am I protecting? Intellectual Property, individual and business

Situational Awareness: What intellectual property is on your computer?

Being rugged is…recognizing legal responsibility around intellectual property.

Theme: Our own information is an asset and digital assets created by others are also assets and covered by law. Because we aren’t familiar with our own data being an asset, we tend to also discount the digital assets of others. These are all digital assets and they are protected from unauthorized copying and use, by law. The more intellectual property moves to the Internet the more entertainment and other companies will press for newer, more restrictive laws. Pay attention to new laws.

B. Types of Digital Information (continued)6. Intellectual Property (patents, trademarks, designs and copyright). To be covered by law, the owner of the intellectual property has to take steps to protect it. End User License Agreements (have you every read one?)a. Ideasb. Booksc. Paintingsd. Photographs (all photographs used here are in accordance with law)e. Music – songs, scoresf. Moviesg. Patents ‐‐ Inventionsh. Recipesi. Programs, softwarej. Articles k. Others?7. Intellectual Property in Business –a. Customer listsb. Recipesc. Processesd. Supplierse. Financial informationf. Corporate‐written programsg. Publicationsh. Others?

11


2/2/2011

12

____ _____

I. Information (continued)Actions (Good habits):• Become aware of use of intellectual property belonging to others• Do the Right Thing: recognize digital assets; respect intellectual property of others• Use search engines that do not track cookies e.g. http://www.scroogle.org/cgi‐bin/scraper.htm• Use an anonymizer e.g. http://www.anonymizer.com/

Questions to Think About• Do you have intellectual property of your own? Of others?• Are you protecting yourself from legal action by using others intellectual property in accordance with

current law?• If it were your idea, song, movie, book, article would you want others profiting from or using it without

paying you? Some people don’t care; what about those that do care?• Does it matter if the owner of the intellectual property is rich and famous or not?• How do you suffer from those that steal intellectual property?• If you use intellectual property illegally, are you aware of and willing to endure the consequences?• Why does privacy matter?• With camera phones, how much privacy does anyone have?• When someone says data is “secure” how have they verified that?• How are medical records stored in systems on the internet protected?

Resources: (search on “stories about identity theft” or “stories about privacy” etc, and PII, intellectual property, ACH fraud, online scams, online fraud, phishing, software piracy, data breach, data loss, data loss prevention (DLP),

http://pewinternet.org/Infographics/2010/Reputation‐Management.aspxUS Law and policy: http://www.copyright.gov/laws/Software Piracy: http://www.spa.org/

Data Breach Report Sites:http://www.digitalforensicsassociation.org/http://attrition.org/dataloss/http://datalossdb.org/http://www.privacyrights.org/data‐breach/printhttp://osvdb.org/

US Computer Emergency Response Team (US‐CERT) for non‐technical usershttp://www.uscert.gov/nav/nt01/

Other Sources:https://www.predict.org/Default.aspx?tabid=40&page=overviewhttp://www.google.com/publicdata/directoryhttps://buildsecurityin.us‐cert.gov/bsi/home.html

NOTE: this link is provided for amusement and because it makes a point. NO commercial anti‐malware product is endorsed for purchase. We neither recommend nor endorse any paid commercial products in this printout or in the class.

Awareness by Hasselhoff: http://everyclickmatters.com/dangers/hoff.html

12


2/2/2011

13

____ _____

Steals out of Greed

Steals out of Envy

Steals because of Narcissistic tendencies.

Steals because is too Proud to beg.

Steals out of Necessity

Steals for Justice

There are only 2 ways to steal something:

• Take it.

• Another takes it and gives it to you.

From ISECOM.orghttp://www.BadPeopleProject.org


The above picture was drawn by a 5 year old to answer “What bad people look like” and apparently this one thought bad people tend to live in high‐water areas.

II. Threats ‐‐Who am I protecting my information from?

Situational Awareness: Is the asset sufficiently isolated from the threat?

Rugged: I recognize that computers will be attacked by unscrupulous but talented people, who threaten our future, our physical economic and national security. Rugged is knowing the most common threats and taking responsibility for separating your assets from the threats.

Theme: Currently organized crime is the greatest criminal threat to the individual American. The most common non‐criminal cyber threat is to our children, because we adults do not have enough knowledge from our own experience to protect our children from something we don't understand well. As our parents did not teach us, school teachers are not teaching our children and technology is changing so rapidly it is difficult for anyone to keep up with.

A.How to steal something1. Take it

a. In order to take something you must have ACCESS to itb. To have ACCESS requires interaction.c. To be secure, means a threat cannot interact with it.

2. Have someone else take it and give it to youa. If someone gives you something THEY need to have access but you don’tb. They need a reason to TRUST that you should have access to itc. If it is secure, then either they cannot access the asset or the asset cannot access THEMd. Securing TRUST is much more complicated than securing access.

B. Why people steal:1. Greed2. Envy3. Narcissistic tendencies4. Too proud to beg5. Necessity6. Justice

13


2/2/2011

14

____ _____

II – Threats (continued)C. Security is separation between an asset and a threat. Security separates these interactions

1. Visibility Interaction– you see an opportunity that you know is worth taking2. Accesses Interaction– Scope is the range of access to assets; Access is interaction from outside the scope3. Trusts Interaction – are interactions between those within the scope of the asset4. Prevention means preventing these three types of interactions

D. Interactive Controls:1. Authentication (who are you?)2. Indemnification (I am now responsible)3. Subjugation (Do it my way)4. Continuity (Don’t worry, I have a spare)5. Resilience (Bend but don’t break)

E. To make a valid boundary:1. Move the asset2. Hide the asset3. Change the threat to a harmless state4. Destroy the threat5. Destroy the asset (rarely recommended)

F. Boundaries are:1. Human –communication is either physical or psychological2. Physical – through physical and non‐electronic interaction3. Wireless – a signal, communication or emanation that does not require physical touch or wires4. Data networks – communication is over electronic cables or channels.5. Telecommunication – communication over established digital or analog telephone or like networks

G. Presence of Threat – once a threat is already within the scope or environment use these controls:1. Non‐repudiation (I really am who I say I am)2. Confidentiality (It is just between us)3. Privacy (For MY eyes only)4. Integrity (It hasn’t changed from what it should be)5. Alarm (OOPS! Now you’ve done it!)

I. Work with children to help them realize who bad people they can't see may be.1. For teachers: ISECOMM http://hackerhighschool.org2. Grades 6‐12 http://www.isecom.org/bpp/ Please send (http://info‐at‐badpeopleproject‐dot‐org) a child's

drawing of bad people either scanned in or taken with a digital photo.a. Child's First Name & last initial (optional)b. Child's Agec. Location / Regiond. Any relevant additional info (class project, community activity, etc)

J. Categories of Threats – who are they?1. Insider threat – those with most access to my data2. Organized Crime – now the number one digital criminal element for credit and identity theft3. Business to business espionage4. Advanced Persistent Threat (APT) – foreign government entities – long term infiltration of systems5. Increasingly, child on child bullying and abuse resulting in suicide6. Child predators

14


2/2/2011

15

____ _____

II Threats ‐‐ ContinuedQuestions to Think About:• How do you separate digital assets from those who would steal them? Through wires? Or through the air? Or by physically being present at the computer?• What are safety controls?• What are the security controls?• What would you move, hide, change or destroy to safeguard an asset?

Resources: ISECOM Child security awareness: http://www.badpeopleproject.orgTeen security awareness: http://www.hackerhighschool.org/Home security: Home Security Methodology Vacation Guide: http://www.isecom.org/hsm/

Norton (Dokken‐fried chicken ) http://www.youtube.com/watch?v=UNanKfY5T9A&feature=relatedNorton (Kimbo‐catepillar) http://www.youtube.com/watch?v=OXFNUBoUjz4&feature=relatedNorton (Hasselhof‐fan) http://www.youtube.com/watch?v=98I_‐wkBTJ4Norton (Lundgren‐ unicorn) http://www.youtube.com/watch?v=G6ryQ8N_Lv0&feature=related

15


2/2/2011

16

____ _____


II. Threats ‐‐Who am I protecting my information from?

Situational Awareness: Who has the most access to important information?

Rugged is…1. Knowing the most common threats (accidents, wireless, email, surfing)2. Taking responsibility for separating your assets from the threats.

Theme:C. ACCESS = THREAT increase. Whomever uses the computer most, is the greatest threat. 1. Those with physical access:

a. You or your Spouseb. Childrenc. Guests

2. Wireless Access:a. Hacker from the Internetb. Curious neighbors c. Drive by snoopingd. Googlee. Illegal use of your wireless access point (YOU are legally responsible)

3. Email – spam, scams, infected links and attachments4. Surfing the Internet – drive by downloads, scams, deals to good to be true

Actions (Good habits)• Don’t let someone put a CD, DVD, USB into your computer• Never use default (the one the new product comes with) Wireless configuration/passwords; default password

lists are available on the Web. Secure ALL wireless router configurations (WPA2 is best).• Shut down wireless or Internet modem when not using it. • Use Sandboxie (more under VII. Programs) which runs programs in an isolated “sandbox”.• Delete email from unknown addressees without reading it.• Have backups of important digital assets; safety from accidental deletions or drive crashes.

Questions to Think About• Can you buy security, or is it a mindset?• How do you determine whom you can trust?• How do you protect your property (physical assets) and are there parallels with digital assets?• Who has deleted the most number of files from your computer?

16


2/2/2011

17

____ _____


III. Risk – How do I determine what is really in danger?Situational Awareness ‐‐What are the major risks to the information you have identified for yourself or your family? What is your attack surface? Where can the threat “touch” your digital assets? Is the risk real or derived from emotion?

Rugged is knowing: 1.Which risks have greatest impact on you and your family2.Which would cost the most to recover from3.Which will occur with greatest frequency4.Which are most likely to occur

Theme: We humans have a hard time evaluating how likely, costly, frequent and how much impact a bad event will have.

Definition: Wikipedia defines “risk” as “A state of Uncertainty where some of the possibilities involve a loss, catastrophe or other undesirable outcome.” Risk is usually measured in gambling terms – odds, probability, chance.

These are the greatest Internet risks:

A. Crimes: http://www.ic3.gov/media/annualreport/2009_IC3Report.pdf

1. Identity theft is #1 crime nationwide, surpassing drug trafficking (in 2010)*

a. targeted email phishing scams

b. corporate database breaches

c. whatever is easiest; crooks go for the unaware and unprotected

d. social engineering

2. Crimes against children on internet

a. Theft of intellectual property (patents, copyright, music, video)

b. Publication and dissemination of malware

c. National and international internet fraud (highest dollar loss)

17


2/2/2011

18

____ _____

III. Risk (Continued)

B. Non‐crime:

1. Harrassment (bullying, abuse, threats, offensive behavior)*

2. Sexting (Self victimization –cell phones with cameras, web cams, digital camera)

3. Exposure to inappropriate material

4. Disclosure of personal information (18‐24 year olds are most at risk for Identity Theft)**

5. Disclosure of account information

6. Texting (12‐13 year olds 52% have cellphones, 14+ 71% ‐‐ teens receive and send 2800 text messages per month)***

C. Elements of risk: —Determining if it is manageable: If the most unlikely risk occurs, is recovery possible or not?

1. Impact ‐‐ will not paying attention to a warning kill someone, or is it a minor inconvenience?

2. Cost – will losing the data cost a lot of money?

3. Likelihood – has it happened before? Will it happen again?

4. Frequency ‐‐ will this happen once a day or once in a lifetime?

D. Awareness – do all in the family know the risks?

E. Insurance ‐‐ “transfer the risk” to someone else (for a price)

F. Psychology – Human beings ignore or discount the risk of extreme events:

1. Wishful thinking

2. True Fear (Gavin de Becker) “True fear is a gift. It is a survival signal that sounds only in the presence of danger. (Wikipedia)

3. On the Internet we have no historical or cultural signs to help us determine what a “true fear” is.

4. We do not evaluate odds well http://www.bookofodds.com/

Actions (Good habits)• Ask the risk questions for the most valuable and hard to replace information• Make a response plan for the worst possible outcome.• Make a list of important documents, credit cards etc.• Photocopy or scan them (both sides) to make paper copies• Keep them in a secure place (safe deposit box, Encrypted disk, Encrypted USB drive etc)• Shred papers with PII on them so threats can’t “dumpster dive”

Questions to Think About• What is my tolerance for risk? What would I do if the worst happened?• List the number of ways can you turn off a light. (even simple things are reliant on many things and

that there's many ways to achieve the same result, one of the reasons why security is so complicated).

Resources•http://rn‐t.com/view/full_story/8898905/article‐Magnolia‐Moms‐‐‐Parents‐face‐new‐challenges‐in‐Facebook‐‐texting‐era?instance=news_special_coverage_right_column

** http://www.pewinternet.org/Media‐Mentions/2010/18‐to‐24yearolds‐most‐at‐risk‐for‐ID‐theft‐survey‐finds.aspx

***http://docs.sandiego.gov/councilcomm_agendas_attach/2010/PSNS_100428_3ppt.pdf http://www.getnetwise.org/http://pewinternet.org/Reports/2010/Social‐Media‐and‐Young‐Adults.aspx

http://www.scambusters.org/identitytheft.html‐Actions

http://isecom.org Security and Trust Powerpoint. Protected by Creative Commons License.


18

2/2/2011

19

____ _____


IV. Access ‐‐ How do I minimize the attack surface?Situational Awareness: Who has the most access to important information?

Rugged is… Restricting who has access to types of information; Being aware of the wide variety of ways threats can get information; Learning what levels of trust are appropriate in different situations and for different types of information

Theme: One of the best ways to protect assets is to remove the asset from the threat.

A. Physical security is always the first line of defense1. Physical access – if you have physical access you can “own the box” Isolate it ‐‐ Lock it up. Physical

theft (thousands of laptops disappear in Airports daily) 2. Set up layers of security the bad guy has to overcome, (build on high ground, surround with a moat,

soldiers in courtyard, valuables in Keep, discourage scaling walls with hot oil)3. Limit the “attack surface” (one drawbridge for access, reduce # windows)4. Disposal – shred paper, break DVDs, overwrite hard disks and cell phones and PDAs before disposal

(eliminates “dumpster diving”)5. All useless if you let someone socially engineer you

B. What are the digital equivalents of the physical security defense lines?1. Isolate the computer from threats2. Set up layers: router between computer & Internet modem; host firewall, anti‐malware, isolate

dangerous programs or sessions3. Encrypt Use extreme caution with encryption—if the password is lost the information is lost!!!!

(Use KeePass to track passwords.)

a. Encyrpt your hard drive (Truecrypt)

b. Encrypt specific folders

c. Encrypt USB drives

d. Understand what you’re doing and practice until you are comfortable. Not something to do before going on a week’s vacation!!!)

4. Identification – Identify and Limit users with access to the attack surface:

a. username identifies an account. That’s all. A username is not verifiable information about a person. Don’t use your real name online. Don’t trust other usernames.

b. How do you know the person is who he or she claims to be?

c. Don’t share usernames; choose different ones for email, computer login, blogs, etc.

19


2/2/2011

20

____ _____

IV – Access (Continued) How do I minimize the attack surface?

• Certificates are supposed to verify that the person, account, website, program, is who it says it is.

• GPG (Gnu Privacy Guard) is a way of proving who you are on the Internet

C. Restrict outsiders & family: IT IS YOUR COMPUTER. Here are some possible “family rules” to discuss and decide on:

1. Explain why you have computer rules, that they’re for protection like “don’t talk to strangers”2. Start now. Studies show children’s surfing habits are set by the time they are 11‐12. 3. Tell children they never, EVER, tell their password to anyone but mom or dad; make a game of it to test

them (would you give your password to …..the mailman? NO!, a Teacher? NO!, A Stranger? NO!, Sibling? NO!)

4. restrict browser permissions (set browser security); surf in an isolation program like Sandboxie.5. Dispose of computers securely, overwrite hard drives (DBAN—see VII. Programs)6. Never give passwords, account numbers etc to anyone by phone, in person or by email. Empower

yourself and children to say “No, I can’t tell you that.” If the entity asking is authorized, they already know it and shouldn’t have to ask. Tell them to read it to you and you will verify it.

D. Password protect but know limitations of a password. (Use KeePass)1. Treat a password like a signature. Agree with your spouse what passwords you will share & not share.2. SIZE MATTERS!!– make it 15 characters if possible (how much longer does it take to type in 15 characters

than 8?)3. Too hard and you won’t remember or use it (use a saying, phrase or song line)4. Keep a list of your account numbers and passwords somewhere safe, locked or encrypted (see KeePass)5. If you have even a suspicion someone knows your password, change it.6. Use separate passwords for meaningless accounts (newsletter subscriptions, blogs) and different ones for

each account with financial access (bank, online stocks, PayPal, Amazon, eBay, etc)There is lots of emotion around passwords. These are the facts: password crackers ONLY work on 14 characters or less passwords. Cracker programs reject passwords 15+ characters. It takes less than a second to “crack” a dictionary word. Once they get the password file, It takes 2‐24 hours to crack a 14 character password. Hackers have all the time in the world. Passwords aren’t protected against keystroke loggers. Passwords aren’t protected against “shoulder surfing”.

E. Time is the enemy of passwords– too easy to forget/confuse with time. • If you keep a written list cross out the old password with one line• If you keep a digital list note the date you change your passwords

F.Social Engineering – (Wikipedia) A fancy way of lying. The act of manipulating people into performing actions or divulging confidential information rather than by breaking in or using technical tools.

G. An Attack Surface**:1. Is how much of something or someone is unprotected. 2. Shows how much can be attacked. 3. Is evaluated for a given environment and for a certain amount of time (e.g. not good forever). 4. Shows you how much is unprotected, uncontrolled and open to certain classes of threats.5. A risk assessment is one way of making an educated guess if something bad could/would happen to that

attack surface.


2/2/2011

21

____ _____


IV. Access and Trust: How do I minimize the attack surface?

E. Security and Safety use “controls” to reduce the attack surface because it cannot be completely separated like you from lightening in a mountain.**

1. Safety from lightening** means you control how it interacts with youa. by putting up lightening rodsb. stay someplace dryc. don’t stand under a treed. don’t be the tallest object in the environmente. be insulated inside a non conducting object (e.g. car on rubber tires—not steel belted tires)2. Security from lightening** means you change your attack surface by: a. Separate yourself from the threat (lightening) by e.g. going inside a mountain where it can’t reach

youb. That is not always practical so be alert to new “safety” measures3. Safety is what you need when you have no clear boundaries.a. Safety is what happens when you need to be around the threat because it is not possible to

identify or contain it. b. The threat can be an asset, which becomes a threat in the wrong situation or by accident.

Actions: (Good Habits)1. Use the non‐administrative account for daily use, for email, for banking, for surfing2. Keep the administrative account for parents only

a. Create a separate account for each user‐ one account per person; b. Separate administrative accounts for the adult used only to install/uninstall program

3. Explain to your children that passwords protect the things you use on the computer: from carelessness at home and bad people on the Internet4. Turn off the Internet connection at night – shut down the computer if not using it to prevent exposing it to the Internet for long periods of time.5. Unplug the wireless router when not using it. Disable it if it automatically starts on laptops.6. Make sure the wireless router has a good password (see the Remote section)7. Talk about trust and who can be trusted on the Internet (nobody – anybody on the Internet can say they are anyone)8. Never give real name, date of birth, address, financial information, social security number via email or over the Internet or by phone or text. See “Internet” section for further cautions on Facebook and social networking.9. Anonymity– “On the Internet nobody knows you’re a dog”.

a. can lead to quicker emotional attachments because there are no visual cues/restraintsb. intense relationships (good and bad) can form with frightening speedc. Impersonalize others because of inability to see their reactionsd. Self centeredness/self absorption of Internet interactions—assume your emotions are

mirrored by others

21


2/2/2011

22

____ _____

IV. Access & Trust (Continued)NOTE: there is a lot of misinformation about passwords available on the Internet. THE MOST SECURE

password is 15 characters. Most password cracking programs will see it as an error and simply stop trying to uncover the password. The other “suggestions” you hear, even from banks and credit card companies, is worthless (e.g. Upper/lower case and numbers don’t really matter but it is so commonly accepted you hear it repeatedly. 15 characters is the most secure password, if the operating system will accept 15 characters. Some Unix, Windows 3.1, Windows 95, and databases won’t.

Questions to Think About**• What's the best place on a door to put a lock to make it the most difficult possible to break open?• To prevent everyone except those approved, from getting into your home what do you need to do?

Would it be harder or easier to instead let in everyone except the approved people?• If a police officer knocks on your door while you're home alone, which should you trust more and open

the door for, one who shows you their badge or the one in a uniform? What would make you trust either one more?

• You're in a crowded room: how many different ways can you tell a friend a secret so that nobody else can learn it? Now what if it was over the Internet?

• A guy you know has a suitcase full of money under his bed. How many different ways can you think of to steal it (feel free to also suggest the silly, the crazy, and the impossible)? What do all these ways have in common?

• How do you know to trust someone? • What information do you not give strangers, family, friends? • Why is it important not to tell some people certain things? • Why do we protect the information on the computer? • Why does protecting it protect us? • What is trust? • What types of things make you decide to trust someone? • Who can you trust on the Internet? (Cartoon: on the Internet, no one knows you’re a dog.)

Reference (permissions, computer access, file permissions, password length, social engineering)Gnu Privacy Guard (identification, encrypted email, documents):

http://www.gnupg.org/download/index.en.htmlTrueCrypt (hard drive encryption): http://www.truecrypt.org/KeePass (protects passwords): http://keepass.info/Size Matters: http://www.avertlabs.com/research/blog/index.php/2007/11/02/password‐policy‐length‐vs‐complexity/ and Passwords: http://www.symantec.com/connect/articles/ten‐windows‐password‐mythsHome Security Guide: http://www.isecom.org/hsm/Child security awareness: http://www.isecom.org/bpp/

**http://isecom.org Security and Trust Powerpoint. Protected by Creative Commons License.**http://www.isecom.org/mirror/Jack_of_All_Trades.v2.pdf

http://drugwarfacts.org/cms/?q=node/30


2/2/2011

23

____ _____

2/2/2011 23

http://www.ted.com/talks/lang/eng/pattie_maes_demos_the_sixth_sense.htmlPrepared by GNO ISACA & ISELAMA: Fall 2010

V. Internet Why is the Internet dangerous, why now, not before?

Situational Awareness: How afraid of the Internet are you? Is it an aware and reasonable fear or fear based on lack of knowledge?

Rugged: I recognize that the Internet is an extraordinary resource and a threat. Rugged is:1.knowing what the threats and risks are of Internet activities you and your family use2.Learning enough to teach your children (siblings), and parents to be safe and recover without significant damage

Theme (goal): The Internet Is HUGE. As of June 2010 there are about 2 billion users out of 6.8 billion people in the world*. Through the Internet, every single one potentially has access to your computer without you knowing it.

Concept of CONVERGENCE –(Wikipedia)The concept of “convergence” is another new concept that we haven’t grown up with. Computers used to only sit in air conditioned raised floor heavily secured rooms. Televisionsused to be black and white and plugged into one place in the house. You used to make telephone calls from a device you leased from the phone company and which plugged into the wall. You used to have a slide rule to calculate equations. You used to get paper letters delivered by the postman. You used to have a separate device, a radio that had to be plugged into an electrical outlet. You had a record player to play music or tapes or DVDs. You used bound books‐ encyclopedias in the library to research information. You used to pay for goods and services with paper money. You used to use a camera to take pictures you could only see if you printed them out. Now a smartphone has more computing capability than all 10 of those devices and processes put together and it fits in your pocket without wires. That’s convergence. And there is more! That 4 ounce device doesn’t just deliver information to you, it SENDS OUT signals that anyone within at least 30 feet can pick up and read. Your credit card number, if you pay for something, they can listen to your telephone conversations, read your emails and intercept them and reply as you. You will never know about it. There are similar analogies to your computer at home, especially if you use wireless at home. (More on that in the Remote section). Physical safety and digital safety are converging– they are not separate concepts.

http://www.ted.com/talks/lang/eng/pattie_maes_demos_the_sixth_sense.html

23


2/2/2011

24

____ _____



Situational Awareness: Computers are installed in many things they have not been in before.

Rugged is…learning what the ever changing threats are. Are they different from non‐digital threats? What are the parallels between digital and non‐digital? Which are the same? How are they different?

A. No longer “just TV”1. “Web 2.0” is INTERACTIVE: As of June 2010 there are about 2 billion Internet users out of 6.8 billion people in the

world. Through the Internet, every single one potentially has access to your computer without you knowing it. What makes it dangerous now is the “interactivity”. You are not just viewing web pages, like a TV; you are exchanging information with real people you will never know and we will never really know where.

B. Scale of access1. Huge amount of information in small container2. Physical theft has limits on what quantities you can steal but you can steal ALL OF IT over the Internet3. From a single file millions of credit cards can be stolen 4. With a single weakness millions of files can be copied

C. Ubiquity ‐‐ EVERYWHERE ‐‐What are some things computers are now in?Computers and chips are in EVERYthing: • cars, • pace makers, • Gas, electric and water meters, • TVs, • phones, • refrigerators,

and they are increasingly connecting to the Internet. If there was a problem with your electrical meter it used to only affect you, but now with Internet access, from a single computer, electricity, or water or gas to an entire city can be interrupted.

• RFID (library book checkout, passports, commercial goods, shipping containers, more)• SCADA systems for nuclear powerplants, electrical grid, water control

D. Speed of communication• Acquaintanceships and friendships form online with incredible speed and intensity• Lack restraints that would be warning signs person to person

24


2/2/2011

25

____ _____



Rugged is… using caution on Web 2.0 sites, deleting cookies when exiting a browser, keeping browsers updated.

E. Interactive:1. Interpreters make the Web interactive. Interpreters are similar to compilers and are imbedded in web pages. They “interpret” simple text instructions as programs and perform actions you don’t know about. Interpreters are in web browsers like IE and Firefox, Chrome, Safari and others. They are in programs like Microsoft Office, OpenOffice, Adobe Reader, and others. They are on web servers out on the Internet and are used by pages that allow you to do any kind of interaction (entering data, searching, purchasing).

F. Cookies1. A serious Privacy issue2. What is a Cookie? A small text file stored on your computer

http://en.wikipedia.org/wiki/HTTP_cookie#Tracking3. Used for tracking credit card numbers, passwords, logins, etc4. Web browsers store cookies that contain information about what sites you visit, what you did on that

site, what web page you came from, information you enter on a website, what your location is, the time you visited and lots more. Bad guys can steal cookies stored on your computer or sent over unencrypted wireless. Example of a cookie named example.txt: Set‐Cookie: RMID=732423sdfs73242; expires=Fri, 31‐Dec‐2010 23:59:59 GMT; path=/; domain=.example.net

G. Protect your privacy: 1. Use Scroogle Scraper: http://www.scroogle.org/cgi‐bin/scraper.htm which saves no cookies, keeps no search term records, and deletes the log of who accessed it ever 48 hours. Lots of good privacy information on that site.2. Most people can be identified with just 3 pieces of information: zip code, sex and date of birth* often stored in cookies. When compared with other databases privacy information can be derived.

H. Web 2.0 (Web 2.0 = Interactive) KNOW THE DANGERS1. Web 2.0 includes Social Networking, Wikis, blogs, You Tube, Vimeo, Internet TV, Ustream, commercial

sites, hundreds more sites and growing daily.2. Social networking sites (hundreds ‐‐Facebook, MySpace, Twitter…)

a. Do not put full name , date of birth, high school, address, year of graduation b. Track what your children do on Facebook. Show an interest, ask them to show you how to set up an account. Talk to children about what they see on the Internet. Know what kind of pictures they are posting and viewing.

*http://blogs.techrepublic.com.com/security/?p=2350 and http://www.theregister.co.uk/2009/11/20/ohm_database_anonymity_worries/

25


2/2/2011

26

____ _____


V. Internet Why is the Internet dangerous, why now, not before? Being rugged means confronting the dangers head on instead of ignoring them.

I. Web 2.02. (continued) Facebook

d. Read and learn about the privacy and safety guidelinese. Discuss them with children.f. Only “friend” people you actually knowg. Don’t install Facebook apps especially those that store yours or friends’ birthdaysh. Check Facebook settings periodically because they “reset” them.i. Facebook is having continual privacy breaches (latest Oct 18, 2010) because of the

Facebook apps that retain privacy information even when Facebook settings are very restrictive. 10 most popular Facebook apps were transmitting user’s IDs to outside companies.*

i. Create a Facebook account with another email addressj. Do not post full names or date of birth of Facebook friends.k. UnFriend people who bully on Facebook.l. Facebook games are not your friends; the real “customer” is the advertiser not youm. Practice online kindness—

http://www.zdnet.com/blog/igeneration/january‐2011‐the‐definitive‐facebook‐lockdown‐guide/7439

26


5. Internet‐‐Cyberbullying

3. Online Bullying –"...Contrary to what many people believe, bullying is an adult problem, not a child's problem. Adults are entirely to blame for bullying in our schools because they do not stop it. Bullies bully because they can, and because they can get away with it and adults decide when, and who will get away with bullying.“ **

“Bullying is a form of abuse. It may include name calling, written abuse, exclusion from activities, exclusion from social situations. It can be emotional, verbal and/or physical. It can involved subtle methods of coercion. (Wikipedia) ”

Often, people who are victims are also bullies and may perceive themselves as ‘righting a wrong’ to themself or another. (Take this test with your child: http://www.stopcyberbullying.org/kids/are_you_a_cyberbully.html )

It may seem like “normal child behavior” but differs from traditional physical bullying in that the bully can remain virtually anonymous. Adults have a responsibility to teach children how cruel it can be and to educate children not to do it. Digital bullying takes on an added dimension of seriousness because of the number of people it can reach, the speed with which it can spread and the ease and impact of frequent repetition. “Embarrassing” pictures can humiliate children to the point of suicide and additionally, can spread to pornographic sites. On cell phones or email, “embarrassing pictures” can be child pornography, possession of which is a felony. Laws don’t distinguish between the age of the possessors.

• 30% of middle school students were victims of at least one form of cyberbullying in a 30 day period.• 22% of middle school students admitted to some form of cyberbullying two or more times in the last 30 days.• 67% of bullying occurs when adults are not present• Bullies are equally divided between male and female; Starts as early as 2nd grade; boys are most likely to start earlier, but by

middle school girls are more likely to engage in it than boys. (Wikipedia).

Types of Cyberbullying: From: http://www.teachernet.gov.uk/wholeschool/behaviour/tacklingbullying/cyberbullying/understandingcyberbullying/formsofcyberbullying/

• Anonymity, Masquerading, Impersonation—the bully’s identity remains hidden, but they send or post embarrassing orhurtful information about someone, or pretend to be someone

• Exclusion/Ostracism/peer exclusion can be difficult to detect; social networking is now an important extension of a young person’s social space and activity. Exclusion from them can be extremely hurtful.

• Flaming—intense, arguments involving digital messages with intent to start verbal fights• Harassment—sending offensive messages targeted to an individual or group, insistent; may enlist friends to send hundreds

of messages• Outing—public display or forwarding of personal text messages, emails or instant messages; printed, reading them out loud

to others. This can inlcude creating web pages or Facebook pages with embarrassing or hurtful rumors, statements, remarks or images.

• Cyberstalking—repeatedly sent, unwelcomed messages, that become threatening through their frequency• Unauthorized access/identity theft– hacking is illegal.• Manipulation (social engineering)—putting pressure on to reveal personal information or take certain actions; the victim

often feels implicated or guilty. Embarrassment about rude images or conversations may make them reluctant to seek help. This can also be used by adults to “groom” children they stalk on line.

Dealing with bullying: http://www.education.com/reference/article/ten‐actions‐to‐eliminate‐bullying/a. Discuss it with your children frequently so they feel comfortable telling you if they start being bullied. Ask open ended

questions about who they spend time with at school, what they do at recess and after school.b. Discuss what bullying is and help them understand how it affects the other child.c. Discuss what to do if they become aware of others who are bullying or being bullied. Bullying is not an appropriate

retaliation for being bullied.d. Don’t let bullying continue; it can be devastating and fatal. Report it to school authorities.e. Teen educators for teen behavior is often more effective than adult preaching. f. Some states have laws against it. http://www.stopbullyingnow.hrsa.gov/hhs_psa/pdfs/sbn_tip_6.pdfg. Teach a child to ignore bullies and focus on developing positive peer and family activities insteadh. Limit the amount of time spent online; the more time they spend the more likely to be bullied.i. Parents/guardians monitor their children’s social network pages, cell phone calls.j. Model kindness, compassion and leadership in front of your children.k. Learn the signs: loss of personal belongings, headaches, avoiding activities.

*http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html**http://www.bullypolice.com/EBookI.html

4. Email & Phishinga. URL, links in email can automatically take you to malicious websites

i. Disable HTML in email. HTML makes it possible for the Email application’s interpreter to automatically read malicious scripts or redirect to a malicious website.b. Delete email from people you don’t know without opening it.c. Delete spam without opening itd. Attachments can include malicious software. Never click on attachmentse. No real government organization, financial or commercial company will ever ask for your account name and password. If they do report it. Do not click on any URL links in the email. Type in links yourself in the browser.f. Phishing is a fraudulent attempt, usually through email, to steal your personal information. PhishTank is a site that allows you to paste in a URL and it will tell you if it is on it’s list of Phishing sites. http://www.phishtank.com/. Can you tell a legititmate site from a phishing site? Test yourself at https://www.phish‐no‐phish.com/default.aspxg. Hoaxes – DO NOT click on links in emails! Do not reply, Do not forward. Use HoaxSlayer or Snopes(links below) to check out deals that seem “too good to be true”.

5. Cell phones ; “Giving a child a cell phone without preparing them for the responsibility of owning the device is like giving them the keys to a Mack Truck”*

a. Texting – sending text messages cell phone to cell phone, can include bullying, sending inappropriate or demeaning photos; existing laws do not address minor‐to minor distribution of inappropriate photos of themselves. http://www.wired.com/threatlevel/2009/01/kids/

b. Parents can get printouts from cell phone companies of time date and phone number of text messages but not the content (which requires a court order).

c. Parents can buy software to monitor children’s texting. The software is downloaded to the phone when in physical possession of the phone.

d. In Louisiana, texting or checking email while driving is a primary offense (police can pull the driver over for that offense).

e. The GPS on cell phones can be used by stalkers; cell companies say they notify the phone user when the tracking functions are activated.

6. Online games ( ‐‐MMORPG, gambling, bridge etc) Massively Multiplayer Online Role Playing Game, gambling often have “peer to peer” programs that allow installation of malicious software. Many gaming sites install cookies AND malicious or tracking software. If people who use the computer go to any of those sites the computer will almost certainly become infected.

a. Use Sandboxie for running MMORPG and other Internet gaming or gambling or adult sitesb. Do not access online financial accounts from any machines that are used for gaming or adult sites.c. In Advertisement driven gaming sites: the real “customer” is the advertiser, not you.

7. Online purchasing (Amazon, iTunes, eBay , thousands of others)a. Type the URL in yourself, do not click on a link that is sent to youb. Check the URL by right clicking it and then looking at properties and comparing whether the URL

showing is the same one listed in the “properties”.c. No legitimate online vendor will ever ask for your account and password. If you get an email from

them do not click on any link in the email and do not respond with account, password or financial information (same applies to phone solicitations).

8. Child stalkers/child exploitation; having inappropriate pictures of minors (under the age of 18) is a felony. Links to laws are below. Existing laws were written thinking of adults as offenders against minors. Teens are now self inflicting some of these activities and the laws have not caught up. Teens can be charged as adults.

9. Intellectual property theft and Internet crime: children need to be educated to what intellectual property is and that it is stealing to copy software, music, movies, books without paying for them and a violation of copyright law to quote text from the Internet without attribution to the source.

2/2/2011

29

____ _____

V. Internet (Continued)Actions• Re‐evaluate relationship with email: delete what looks suspicious without reading it; NEVER respond to unsolicited emails. Run email in program isolation (Sandboxie).•“Free” is not really free; they always want something in return—very likely your information.• Use layers of protection because no one barrier is perfect; no one product or action is perfect (Don’t use IE6 – upgrade to IE9, set Windows Updates to automatic, use ClearCloudDNS, install Secunia PSI, use a non‐Adobe PDF reader with no additional functionality (Foxit, Nitro or others)

Questions and Things to Think About:• What is the difference between the Internet and the World Wide Web?•Is what is on the Internet different from what is in physical life?•Are there criminals in physical life? How do we protect ourselves from them? Is the Web the same?•If a website offers something for free, what do they want in exchange? Nothing is “free” on the Internet.•Do you use layers of protection in other areas of your life?Ask your children: •What types of things do you see on the Internet?•Do you know of any bullying going on?•What do bad people look like?•Play what would you do if….games. ….If someone you don’t know sent you an email? Texted you? Sent you a picture that made you uncomfortable?

Resources (search on internet vs web, "physical security" vs "digital security“, •Inappropriate texting: *http://www.nj.com/news/local/index.ssf/2010/09/westfield_parents_warned_to_mo.htmlhttp://humanrights.einnews.com/247pr/172908

•Bullying: http://www.childline.org.uk/explore/bullying/pages/bullying.aspx andhttp://www.stopbullyingnow.hrsa.gov/kids/ and http://www.nlm.nih.gov/medlineplus/bullying.htmlCheck your state bullying laws: http://www.bullypolice.org/la_law.htmlCyberbullying Research Center: http://www.cyberbullying.us/Good overview: http://stopcyberbullying.org/•Exploiting children: http://www.missingkids.com/missingkids/servlet/PageServlet?LanguageCountry=en_US&PageId=1476•Twitter dictionary: http://www.webopedia.com/quick_ref/Twitter_Dictionary_Guide.asp•Using Facebook securely:•Did You Know? (original website) http://www.michaelhartzell.com/videos‐that‐rock/did‐you‐know‐‐video‐by‐karl‐fisch‐scott‐mcleod‐and‐jeff‐bronman/•Internet Statistics: http://www.internetworldstats.com/stats.htm•2010 Website Security Statistics: http://www.slideshare.net/jeremiahgrossman/w‐pstats‐fall1010th•Research Portal: http://portal.brint.com/cgi‐bin/cgsearch/cgsearch.cgi?query=internet+crime•Phishing: Check a site: http://www.phishtank.com/ Test yourself: https://www.phish‐no‐phish.com/default.aspx•Internet Crime: http://arstechnica.com/web/news/2010/03/losses‐from‐internet‐crime‐more‐than‐doubled‐in‐2009.ars and http://www.fbi.gov/about‐us/investigate/cyber/cyber


2/2/2011

30

____ _____


VI. Technology – What difference does equipment make? Equipment = Hardware = Devices

Situational Awareness: List computing devices you currently use and their capabilities. What makes them dangerous?

Rugged: I am rugged and more importantly my computer is rugged. Rugged is knowing what makes a device dangerous and taking steps to lessen the dangers.

Theme (goal): Technology is providing miracles of speed, usefulness, ease, time savings, capability never before seen by humanity. Our use of it leaps ahead of our understanding of the implications of its use, of its implications to society, ahead of developing social norms to manage it, ahead of our ability to make laws to protect ourselves.

A. Scale When personal computers were first introduced in the late 1980s, 300 megabyte disk drives were the size of washing machines. Note in the photograph that the washing machine is the size of a 300 megabyte harddrive storage from the 1980s. The USB drive next to the boy’s hand, contains 32 Gigabytes in 2010. Now, an 8 GIGAbyte USB drive can hold as much data as 2424 washing machine sized hard drives from the 1980‐90s and a 64 gigabyte iPhone can hold the equivalent of over 19,000 of the old hard drives.1. Storage and Scale: Storage retains files when the computer is shut down. Like a phone book.

1 bit is 1/8 of a byte, There are 8 bits in a byte1 byte is 1 letter (each letter is made up of 8 bits)1 kilobyte (K or Kb) is 1000 letters or about ½ page of text1 Megabyte (M or Mb) is 1 million bytes (letters) or 1000 kilobytes or 500 pages (a thick

book)1 Gigabyte (G or Gb) is 500,000 pages or 100,000 thick books; 1000 Megabytes1 Terabyte (T or Tb) is 500 million pages; 1000 Gigabytes1 Exabyte (E or Eb) is 1000 Terabytes

• A CD holds 680 megabytes, A DVD holds 4.5 gigabytes (2010)• Newest iPhone/iTouch is 64 G or 8 times an 8G USB drive.• The largest USB drive commonly available (as of late 2010) is 32 GB for about $50• Largest hard drives commonly sold as of late 2010 are 2 Terabytes for less than $150• Rate of change & obsolescence—your CDs & DVDs. What about the drive needed to read them?

DISPOSAL OF STORAGE DEVICES: Remember when giving away an old computer, or selling it online, not to leave information on it. Simply “deleting” files does not erase them from the hard drive. It is very important to thoroughly erase or OVERWRITE information from storage (hard drives, C: drives), cell phones, USB drives, printers (if at work). A simple way for computers, is to copy an erasing program to a CD then turn on the computer (boot it up to the CD) and overwrite the disk(s) with 1s. DBAN is a free program that can be downloaded and used for that purpose. It is a myth that hard drives have to be overwritten multiple times. A one pass over write with 1’s and 0’s is sufficient to safeguard personal information.

30


2/2/2011

31

____ _____


VI. Technology ‐‐What difference does equipment make?

Rugged is knowing the danger of the hardware you use. B. Types of hardware (8 terms basic to computers)

1.Clients are the personal computer, pc , also called desktop computer, also called workstations, used by (usually) one individual at a time. 2.Servers are larger computers with more memory more storage, several network connections that store files and “serve” them out to clients. Some malicious software (malware) runs on CLIENTS some runs on the SERVERS. You can’t do anything about the malware that runs on the SERVERS. But you can protect your own CLIENT(s).3. Network – computers connected together (Internet is short for Inter Network)4. Keystroke loggers – can be a small USB type hardware device or a software program5. Routers – connect 2 or more networks –like a home (or wireless) network to the Internet.a. A single computer can connect to the Internet through a modem, cable modem or DSL modemb. Adding a router between your computer and Internet is a good added precaution

6. Wireless Access Point: a small device or a software program that allows wireless devices to connect to a wired networka. Always change the default Wireless Network name and password when setting it up.b. Use the strongest encryption that will workc. Shut off or unplug the wireless router when not using it or when leaving the housed. Remember to write down the address, login and passwords to the router and encryption keys

7. Firewalls – a device or software to block unauthorized access (see references for differences)8. Processor – the brain of a computer; processors for pcs are either Intel or AMD. Macs use Intel processors. Many smart phones use ARM processors.

C. MEMORY vs STORAGE (as in humans) memory is transitory. When the computer loses electricity memory is lost. Memory is referred to as Random Access Memory or RAM. Like storage, RAM is also measured in bytes, in gigabytes in 2010. Most new computers in 2010 come with 2 or 4G of RAM. When memory is erased or if it overflows, it has to be completely reloaded from storage the next time the computer is turned on.

D. Speed and Moore’s Law1. Transistor capacity will double about every 2 years (first proposed by Gordon E Moore in 1965). He estimated

it would continue doubling for about 10 years. It is still true 45 years later.2. Speed of a computer’s processor is measured in “Cycles per second” which is how fast circuits can read

programming instructions (code). It is measured in megahertz (Mhz). First PC was 2 Mhz and had 1024 bytes (1 K) of RAM, today laptops are up to 266 Mhz and 4Gb of RAM. An iPhone 3G has a 600Mhz processor and 32 G RAM.

31


2/2/2011

32

____ _____

VI. Technology ‐‐What difference does equipment make?

Being rugged is… knowing the danger of the hardware you use.

E. Data transfer or bandwidth is measured in bits (storage and memory are measured in bytes)1 kilobit per second = 1,000 bits per second1 megabit per second = 1,000,000 bits per second1 gigabit per second is 1 billion bits per second

1.How fast is your Internet connection?a. Phone with a 56k modem is 56 kilobits per secondb. DSL (usually what you get if you have Internet through your telephone line (AT&T) and

are from 128kbps to 3Mbps.c. Cable modem (e.g. in New Orleans ‐ Cox) slows if many people in your neighborhood are

using the Internet simultaneously.

F. Ubiquity ‐‐ Computers in EVERYthing:a. Cars, Busses, Trucksb. Pace makers, c. Gas and water meters and they are increasingly connecting to the Internet. If there was a problem with your electrical meter it used to only affect you, but now with internet access, from a single computer electricity to an entire city can be halted.d. Nuclear power plants, electrical stations, dams, pump stations, oil and gas wellse. Medical equipmentf. Transportation (rail, shipping, traffic lights)g. Microwaves, stoves, refrigerators, washers, dryersh. Toysi. Increasing capacity in smaller and smaller devices


2/2/2011

33

____ _____


VI. Technology

Actions to take:• Turn off devices when not using them (reduce attack surface). If they’re not connected to the Internet,

hackers can’t probe them.• Completely overwrite devices with DBAN when disposing of them• Never leave default configurations or passwords on devices.

Questions to Think About:What social conventions are changing because of technology?Do we need more laws to protect us?How is such widespread computer availability going to change us?How would I prove someone else used my wireless access point to download illegal software?

Resources (Search on technology, hardware, convergence )

Data Loss from Printers:

http://www.cbsnews.com/video/watch/?id=6412572n

Wireless Networks: http://www.us‐cert.gov/cas/tips/ST05‐003.html

http://www.wikihow.com/Secure‐Your‐Wireless‐Home‐Network

Information on “burning” emergency recovery disks:

1. Burning a disk means to copy it to disk.

2. To make a CD or DVD in a format that the computer will start up or boot from (start it up by its “boot straps”) requires a special program – “image burning software”. This copies a special type of program or disk image in an “ . ISO format”. These are free image burning programs that will allow you to create a bootable CD or DVD: http://www.techmixer.com/free‐windows‐cd‐dvd‐burner‐software‐list‐download/

3. Follow their instructions

33


2/2/2011

34

____ _____


VII. Software (Programs) Why are programs dangerous?

Situational Awareness: Be aware of what types of programs and what software problems open your computer to theft of sensitive information.

Rugged is recognizing that software has become the foundation of our modern world. It is knowing how to protect the most vulnerable software by keeping up with patches, anti‐malware and common sense.

Theme (goal): Software is the Achilles heel of the computer that allows criminals to steal personal data.A. Programs, also called software, programming code, code, are files with instructions that tell devices or hardware what to do. Some general types of programs are:

1. Operating systems ‐‐Windows, Mac OS X, Unix and it’s variants including types of Linux (Ubuntu, RedHat, etc) Operating systems are programs that translate human input into action on the computer.

2. Firmware – small read‐only programs embedded into computer chips3. Drivers – small programs that translate operating system instructions to devices like printers,

scanners, monitors, generally called “periferals”)4. Compilers – take human written programming statements in a specific programming language and

turn it into a format readable by an operating system.5. Applications usually run on clients; almost all

a. Office Automation – used in business‐‐ word processing, spreadsheets, presentationsb. Email – has both a client and a server piece—the client reads emails delivered by the servers

that store and manipulate the messagesc. Databases – Access (client), or MySQL (client or server), Oracle (server), MS SQL (Server)d. Graphics – create pictures, diagrams etce. Games – many on clients (Solitaire etc), but some run on servers MMORPGs.f. Utilities‐programs that do specific functions (PDF readers, zip programs, encryption

programs, anti‐malware, firewalls)g. Malware – Malicious software including viruses, trojans, worms, ad‐ware popups, spyware,

rootkits, botnets, designed to access a computer system without the owner’s consent. Malware can be distructive or merely intrusive and annoying. Malware gets on computers primarily through email and the Web.

h. Patches ‐‐ Patches are additions or corrections to errors in programs. They can also be scripts to apply configuration changes to correct a misconfigured operating system or application. Patches are distributed through updates sent out by the software vendor.

34


2/2/2011

35

____ _____

a. Browsers run on clients (Internet Explorer or IE, Firefox, Chrome, Safari. Opera) i. Plugins‐are user added additions to make a browser provide ability to display

graphics or otherii. Add‐ons – like Active‐X controls provide ease of use or • Many computer weaknesses are exploited in browsers through plugins and

addons.b. Search Engines (servers) – Google, Scroogle, Bing, Yahoo, Ask.com and search engine

aggregators like Dogpile, Ixquick, others, and Question answering engines like Wolfram Alpha)

B. Legal Awareness: Check and know what rights you have when you obtain the various types of software. New laws cracking down on illegal use of software could at very least embarrass if not cost a family or business fines. Software is considered intellectual property. There are various types of licenses for software:

1. Commercial or retail software – available only by purchasing a license and not shared with others (read the End User Licensing Agreement sometime)..

2. Shareware or Trial software – (Wikipedia) proprietary software that is provided to users on atrial basis and is often limited by time, functions available, or convenience. If at the end of the trial the user opts not to buy the software it is to be removed from the computer.

3. Freeware – (Wikipedia) computer software available at no cost or for an optional fee.4. Public domain‐ (Wikipedia) works in the public domain are not covered by intellectual property

rights at all or the intellectual property rights have expired.5. Open Source Software – (Wikipedia) computer software available in source code for users to

study, change and improve the software and is often developed in a collaborative manner.6. Creative Commons licensing – (Wikipedia) Creative Commons is a non profit organization that

issues licenses that allow creators to communicate which rights they reserve and which rights they waive for the benefits of recipients or other creators.

C. Bugs – programs can be a few lines long or, in complicated products like Microsoft Office, tens or hundreds of millions of lines of code. There is a general correlation between how long a program is and how many “bugs” there are in it. 1. A bug is a command that does something it wasn’t intended to do. Sometimes a bug is just an

ambiguous command – like words that have two definitions but the meaning changes with context. A command can sometimes have multiple outcomes, depending on the circumstances.

a. Generally, it is estimated there is one “bug” per 10,000 lines of code regardless of operating system or company. The number is the same whether Apple, Unix or Windows.2. Vulnerabilities are either programming bugs or flaws in program code

b. There are very smart people looking for code vulnerabilities to exploit the weakness to the vulnerability. Vulnerabilities can lead to unintended access to the operating system, a driver, an application, or a browser that can result in ways to steal information or plant malware.

c. Patches ‐‐ It is a race between the good guys and the bad guys to find the vulnerabilities and write small programs to “patch” the flaws in the existing code before the bad guys can write exploits for them.

D. Malware (malicious software) –1. Viruses, Trojans, Worms, Spyware, Adware, keystroke loggers, etc are all types of malware that

the bad guys infect computers with and that perform various functions in slightly different ways.2. A botnet is a collection of computers controlled by one bad guy’s computer. Much email spam is

sent by botnets. The bad guys buy prepackaged commercial botnet software for thousands of dollars. Bots (also called “zombies”) are small malicious programs installed on our computers by surfing to sites loaded with malware or by clicking on malicious links, adware or spam. The ‘bot’ (short for robot) automatically installs and periodically “phones home” to its command and control server without the computer owner knowing or agreeing to it. Some anti‐malware will find and eradicate some botsoftware, but not always. One way to protect against known botnets is to use ClearCloudDNS to prevent the bot from accessing the “home” website.

35


2/2/2011

36

____ _____


D. Protection ‐‐ Software is the weakness that lets crooks have access to a personal computer. Our objective is to make the computer just difficult enough that the snoop or criminal goes elsewhere. Most gain access to computers either in homes or in businesses because the users have easily exploitable and long standing holes that have not been patched. The bad guys are motivated by money to make it “one click easy” to become a victim. Vendors are motivated by money to get software out fast without thoroughly testing it for bugs. Until the public demands secure software from vendors and writes Congress to pass laws if vendors won’t voluntarily comply, it will be much harder for us to secure computers than it is for the bad guys to compromise them. Until cybersecurity is also one‐click‐easy, we must each be cyber‐rugged!

The top 10 free protections for your computer:

1. Be suspicious of all eMail: For emails that seem too good to be true check Snopes or Hoax‐Slayer (See below for URL). Do not believe “free offers in email or in applications. NOTHING on the Internet is free. NOTHING. “Free” programs virtually ALWAYS result in payment of EITHER your private information or money or expectation of purchase (limited trial).

2. Patch all operating systems regularly. Microsoft sets the second Tuesday of each month to issue patches. Other vendors are beginning to follow suit with scheduled updates (Sun Javascripts, Apple). Almost all malware exploits vulnerabilities in software to gain access to an unprotected computer. Patching regularly is the single strongest protection against having a computer compromised. Better yet, set it to automatically check for updates at a certain time each day (e.g. over lunch or dinner when the computer is on but not used).

3. Patch Applications Regularly: Use an application notification program for when vendors release updates (like Adobe, Apple, other browsers). Secunia PSI is free, installs quickly and makes it easy to keep track of updates to thousands of applications. They recently (12/2010) released version 2.0 which has options for auto updating. http://secunia.com

4. Filter Websites: Use website and DNS filters to prevent your computer from going to known malicious sites. This is not a guarantee since so many new ones come up each day, but it’s one useful layer. a. ClearCloudDNS is free and has a one click install script. b. NetCraft provides lists of compromised websites. It is the “Neighborhood Watch for the Internet” which is what most of the paid security packages license and use to warn of malicious websites. There is a free toolbar for individuals. http://netcraft.com. c. Proxy ‐ For those more advanced, use a free proxy to filter websites. d. PhisTank‐ another resource for phishing sites ‐‐ http://www.phishtank.com/ (free but register for a login)

5. Use anti‐malware – Windows comes with a free security suite (Microsoft Security Essentials v 2.0 free to businesses with < 10 computers) that includes anti‐malware and an incoming firewall; many Internet Service Providers (ISP) give their customers free anti‐malware (McAfee, Symantec, Trend etc) so before buying anything check ISP home page. All Anti‐malware packages together catch only about 20‐30% (at best) of all the malware written today. It is phenomenally easy to write malware now. a. Outbound firewall: If you are willing to spend time to “train” it install a outgoing firewall like Zone Alarm which has a free version. b. Anti‐spyware/adware: c. Malwarebytes: searches for malware if you think you are infected.

36


2/2/2011

37

____ _____

Top 10 FREE Actions For Protecting Computers (continued):6. Take Passwords Seriously: Until there is a better way to authenticate by using biometrics, two‐factor authentication (something you know and something you physically have) or other more sophisticated techniques, take your financial and personal passwords very seriously and teach your children and parents/grandparents/friends to.a. Use KeePass to record and secure your passwords or some other program that uses AES 256 bit encryption. As of this writing that is the most secure “military grade” encryption method. Anything less can be broken quickly. Do not keep a text file, spreadsheet, or other document with passwords.b. Use long passwords or pass phrases—15 characters or longer if permitted, but make them easy to remember and type. E.g. Threeblindmice0) is easy to remember and extremely difficult to crack. Use keyboard punctuation you can reach with your right pinky in passwords (if those characters are permitted).c. Have different passwords for each financial account, for your personal email, for medical accounts and for other sensitive information—use a naming scheme that makes sense to you so they are easy to change. Remember to record changes in KeePass or in AES 256 encrypted programs on your smartphone.d. Compromise: If you think a password has been revealed change it immediately.

7. Lie for Privacy : You don’t owe strangers on the Internet anything – they’re trying to get something from you. For general websites do not use your real name, email, date of birth, zip code or gender. Create “throw‐a‐way” emails to sign up for lists, get coupons, and other gimmicks. Use Scroogle.org for Internet surfing which limits the use of cookies. Use an anonymizer to surf. Do not post your personally identifiable information on Facebook or social media. Recognize that there is a “Deep Web” that has databases full of public information on you, your past addresses, cost of your house, and other information in public databases that is available but does not show up in “normal”search engines.

8. Use a Sandbox: If the computer is used for playing online games or used for adult sites, browse with software isolation programs. Sandboxie is free but requires some learning (tutorial provided on website).

9. Learn about Smartphone Vulnerabilities: Smartphones continue to become more prevalent.a. cell transmission are broadcast like radios ‐‐ nothing is encrypted – do not perform financial transactions on phones.b. Cloud data storage is not protected – often the Cloud provider has full access to anything stored with them.c. Applications on smartphones may access the other info on your phone without your knowledge (contacts, messages, eamail, passwords)d. Applications are almost never free. They either cost information or money.

10. Emergency Actions: a. Have a bootable CD to check a computer that might be compromised with malware (See URL below) and practice using it so you know what to do if something does happen. b. Have a checklist of what to do in an emergency.c. In a secure place have a written list of your hardware and serial numbers (computer, monitor, printer, smartphone, cell phone, scanner, USB drives, digital camera, digital camcorder, wireless router, router, d. In a secure place have a written list of what programs are on your computer and their license codes that you would re‐install if you had to wipe your computer to get rid of a virus. (get the list from Windows Control Panel—Programs) and where the original install disks are. (get quart size clear plastic bags and put CD/DVDs for each computer in them).e. Keep your important data in one folder that you can easily copy to a USB, DVD, or backup to a Cloud backup service. (Know what the privacy policies of the Cloud provider are—Evernote “owns” anything you put on their servers and others may sell the content of your documents to marketers.

Questions to Think About:Why does it only take one click to infect a computer but countless steps and days to either reformat it or try to disinfect it?

References: (search on search engines, metasearch engines, visual search enginesWikipedia article on types of search engines: http://en.wikipedia.org/wiki/List_of_search_engines#Metasearch_enginesAnti‐malware – MALicious softWARE(anti‐spam, anti‐virus, anti‐spyware)

• Windows comes with Windows Security Suite• ISPs provide free anti‐malware

Creative Commons: http://en.wikipedia.org/wiki/Creative_commonsChecksum verifier: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=b3c93558‐31b7‐47e2‐a663‐7365c1686c08&displaylang=enProgram Isolation: Sandboxie: http://www.sandboxie.com/Phishing: check a suspicious website: http://www.phishtank.com/ (free but register for a login)Hoaxes: http://snopes.com/ and http://hoax‐slayer.com/ (WITH THE HYPHEN) Malware types: http://en.wikipedia.org/wiki/MalwareClearCloudDNS: http://clearclouddns.com/Checks patch updates for applications‐‐Secunia PSI http://secunia.com/vulnerability_scanning/personal

Reference Websites: (search on Moore’s Law, drive wiping, wireless configuration,

Hard Drive Overwriting: http://www.dban.org/download

Moores Law (additional interesting statistics): http://en.wikipedia.org/wiki/Moore's_law

Basic PC information: http://www.mysuperpc.com/

Internet Speed Test: http://www.auditmypc.com/internet‐speed‐test.asp OR http://reviews.cnet.com/internet‐speed‐test/

How the Internet works (routers, firewalls etc): animated ~15 minutes: http://warriorsofthe.net/

Hardware/software firewalls: http://www.webopedia.com/search/firewall

Hardware Information: http://www.tomshardware.com/us/

37


2/2/2011

38

____ _____

2/2/2011 38


VIII. Remote (travel) Computing How is remote access different?

Situational Awareness: When away from home base, be aware of circumstances and surroundings.

Rugged is… understanding the extra threats travel away from the security of normal computing circumstances.

A. No computers in hotels, kiosks at Internet cafes, or conferences are safe. Assume there are keystroke loggers installed by a malicious person and do not enter passwords, do financial transactions or send sensitive information from strange computers.

B. If you have no choice but to use strange computers, consider bringing a bootable CD or USB drive that you can boot the alien computer from. Ubuntu, a free Linux operating system has an “image” a self contained operating system that fits on a CD (or USB drive) and you can use to reboot the CD and check email from.

C. If you have a home router, many come with VPN (virtual private networks) that create an encrypted tunnel between your home network and you when travelling.

D. Be extremely careful when at airports. Tens of thousands of computers are stolen daily from airports in the US. Hold the laptop up letting it leave your hand only just before walking through the scanning portal and be there waiting for it to emerge on the other side of the xray machine. Do not leave a laptop even for a minute in airport waiting areas.

E. Many smartphones (iPhone, Droid among others) do not use encrypted transmissions. Ask if the phone is encrypted. Purchasing items with credit card information is sending it across the airwaves to be read by anyone who has a “radio” tuned to the correct bandwidth.

F. Cloud Computing is the future of the Internet. Many services offer free online storage, email, address books and businesses are opting to move their services onto servers in centrally managed data centers often located overseas. Many doctors are storing their patient records “in the cloud”. They give patients a login and password to see the results of tests or other medical documentation. “Client”computers are becoming smaller and more portable and there will be a time in the next few years where a handheld computer will access everything you can from a desktop computer.

Questions to Think About• How long does it take to steal a laptop?• How do I know that information being sent wirelessly is protected?

Resources (search on “computer security while travelling, remote access security, VPN)http://ist.mit.edu/security/traveling Study on lost laptops: http://www.dell.com/downloads/global/services/dell_lost_laptop_study.pdfTravel tips: http://www.devhardware.com/c/a/Hardware‐Guides/Keeping‐Your‐Data‐Safe‐While‐Traveling/Facebook updates for travellers: http://dns.tmcnet.com/topics/internet‐security/articles/111215‐facebook‐

beefs‐up‐security‐after‐privacy‐concerns‐surface.htm

38


2/2/2011

39

____ _____

check

plan

think

9. Plan

2/2/2011 39


XI. Plan How do I prepare for an e‐Crisis?

Situational Awareness: Are you doing the absolute minimum to protect yourself? Do you know exactly what digital assets you might need to restore?

Rugged: I recognize that nobody is protecting me and I am responsible to learn enough to protect myself and my family. Rugged is… having a plan.

Theme (goal): In this section we are going to cover the most likely e‐crisis scenarios and give you the resources to make a plan specific to you.

A. What types of events could be considered an “e‐Crisis”?1. Computer is stolen2. Computer is infected with a worm or virus 3. You fall for a phishing scam and give up key information4. Hard drive crashes5. Office/home is destroyed in a fire6. Lightning/flood/other natural disaster7. Extended power/network outage8. Divorce – does your partner have access to your email, passwords, computer data? Taking such information can legally be considered identity theft (groundbreaking case in Michigan trial Feb 2011)9. Death – what happens to your/spouses online identity?

B. Impacts of an e‐Crisis1.Identity theft‐list of whom to report it to

a. Report identity theft to all 3 credit bureausb. Report identity theft to the IRSc. Report Identity theft to the FTC http://www.ic3.govd. Report identity theft to local police and get a police reporte. You are entitled to 3 free credit reports annually. The ONLY OFFICIAL FREE SITE IS

https://www.annualcreditreport.com/cra/index.jspHINTS: you ONLY have 30 minutes to print your 3 reports; make sure printer has paper & ink. If you check 1 bureau

every 4 months you have a whole year’s worth of coverage.2. Loss of:

a. Irreplaceable files (family pictures, videos, email)b. Ability to pay online accountsc. Contact informationd. Passwords/encryption keyse. Key account information, f. Keep a notebook with pockets for Software license keys, receiptsg. Digital files: encrypt/password protect lists of accounts and financial informationh. Scan in receipts, License key numbers for software (scan CD or box)

39


2/2/2011

40

____ _____

C. Steps to lessen the likelihood or impact of an “e‐Crisis”1. Keep files with highly private information encrypted (TrueCrypt for full volume encryption, or use an encrypted file “zipper”, or use GPG)2. Use strong passwords and change them regularly (passwords of 15 characters are best if possible).3. Do not visit “grey” internet sites (music/file sharing, porn, gambling, online MMORPG)

a. Use SANDBOXIE if you go to these sites b. Use ClearCloudDNS web filter which checks for known bad websites.c. Have a bootable anti‐malware CD to scan your hard drived. Do e‐commerce (banking, stocks, from a bootable Ubuntu CD.e. Install Secunia PSI (free) to notify you of updates to applications (Adobe etc)f. Set Windows Update to update and install updates automatically. Periodically check to be sure you

have Microsoft updates which come out on the 2nd Tuesday of every month.4. Limit access to your PC, establish separate accounts for each user (family member). Do not give all admin rights!5. When selling or giving away a PC, use DBAN to overwrite the disk OR replace the hard drive(s) with a new one to ensure your private information is not transferred to the new owner. 6. Keep key financial account and contact phone numbers readily available7. Establish way to regularly backup important files to external drive or another computer

a. Spreadsheets with family budgetb. Quicken/MS Money data filesc. Photosd. Email archivese. Address book/contact lists (outlook PST, OST, archives)

8. Consider online backup optionsa. Pros/Cons (cost, company going out of business, security/privacy vs. benefit of regular automated backups going offsite)

9. Periodically make copies irreplaceable photos/movies to DVD and store in bank safe deposit box or fireproof safe (burn data to a CD or DVD).10. Keep application CDs/license keys stored in safe location11. Have 3 copies: paper copies; store in bank safe deposit box and/or fireproof safe and USB or CD

a. credit cards and 800 number to call to report lost/stolen cardb. account numbers, addresses and contact information for accounts normally paid onlinec. Address book/email addresses

12. Have a way to boot/recover your computer in case of a operating system or hard drive failurea. Ubuntu Live CD or USB (updated every 6 months)b. Windows recovery disk

13. Buy an external hard drive to back up to.14. Make sure to periodically check to ensure backups are occurring, and that files are actually there and restorable. 15. Plaxo ‐ option to ensure access to contacts16. Locate a reputable and reliable computer technician BEFORE a crisis strikes17. Know what your homeowners insurance covers with respect to identity theft (many now include help for identity theft).

Actions to take: • Do the TOP THINGS TO DO IF YOU DO NOTHING ELSE list• Establish a backup/recovery plan/process for important files• Buy a fireproof safe or use a safe deposit box• Have a plan (preferably written – not stored on your computer) for various scenarios (keep one in a locked drawer at work). Store your plan on multiple types of protected/encrypted media (paper, USB drive, CD/DVD, portable hard disk).• Organize a Cyber Rugged Pre‐Planning emergency Party with family or friends and share what you’ve learned here with them.

Paid “protection services” don’t work: http://www.consumeraffairs.com/news04/2010/11/nearly‐one‐million‐consumers‐getting‐refunds‐from‐lifelock.html


2/2/2011

41

____ _____

Think about what you would do before it happens. Like a hurricane, have a plan and follow it. In Advance:•Find out what local businesses can and cannot do. •Find out what web services are available.•Find out local attorneys who can help with identity theft•Find local forensic experts•Use a safety deposit box for

Reference Websites: These websites will save you hundreds of dollars.(Search on Windows backup, External hard drives, Online backup; online address book; Home office security; identity theft, identity protection, online backup) There is NO Express or Implied ENDORSEMENT OF ANY PAID, COMMERCIAL PRODUCT OR SERVICES LISTED. Where paid service links are listed it is because they also offer good free advice or free products. We do not recommend any paid products at all. We do not provide endorsement of ANY commercial products both to maintain the speaker’s personal integrity and because there are free products that can do the same or better job. We are not suggesting or advocating that you buy anything. No product free or paid, is absolute foolproof protection. Digital threats (computer or smartphone) are constantly changing so this information may be obsolete in a few months. There is enough information provided here that you can do an internet search to get the most current information in the future. Small businesses may want to consider computer insurance (talk to your insurance agent).

•Free bootable anti‐malware disk checkers: http://www.techmixer.com/free‐bootable‐antivirus‐rescue‐cds‐download‐list/•SuperAntiSpyware FREE edition: http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

• Free online tools for malicious websites: http://zeltser.com/combating‐malicious‐software/lookup‐malicious‐websites.html

• Check to see if a file is good or bad: •http://www.virustotal.com/file‐scan/report.html?id=f1a88d717d5f442ce1c79bc839a4434e6fbe603f34e84618f90871abdfe9cdfd‐1278404408

•Plaxo FREE online address book: http://www.plaxo.com/•FREE online money management tips: http://quicken.intuit.com/personal‐finance‐software/free‐online‐money‐management.jsp•Disaster recovery/contingency planning information: http://www.brighthub.com/office/home/articles/2176.aspx •Home computer backup: http://www.geekstogo.com/2008/06/19/options‐for‐home‐computer‐data‐backup‐part‐1/

•Mozy limited free online backup service of 2 gigabytes for home users http://mozy.com

•DBAN (disk erasing utility): http://www.dban.org/download (open source)

Encryption: •TrueCrypt (encryption): http://www.truecrypt.org/ (open source)•GPG (encrypt email or individual files) http://www.gnupg.org/

Safeboot disk:•Ubuntu (operating system bootable image disk): http://www.ubuntu.com/desktop/get‐ubuntu/download (open source)

Password Protection: KeePass http://keepass.info/ (open source)

Bandwidth checkers:http://bandwidthplace.comhttp://pcpitstop.com

List of where to report problems:•Report Identity theft: http://www.ftc.gov/bcp/edu/microsites/idtheft/ •Report Identity theft: http://www.ic3.gov/default.aspx •Report Identity theft: http://www.irs.gov/newsroom/article/0,,id=211493,00.html •Report Identity theft: your local parish police, state attorney general•Free Annual Credit reports (one from each of 3 credit bureaus): https://www.annualcreditreport.com/cra/index.jsp•Report Child cybercrime: http://www.missingkids.com/missingkids/servlet/PublicHomeServlet?LanguageCountry=en_US

Responding to a Data breach compromise:http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=224200365

LEARN MORE at a local Personal Computer Club: In New Orleans area: http://www.nopc.org/ Meets first Wednesday evening of every month at the Harahan Senior Center.

Good Sources for non‐Technical cyber Information: http://krebsonsecurity.com/SANS Newsbytes: http://sans.org/newslettersThe Register: http://www.theregister.com.co.uk


2/2/2011

42

____ _____


X. Recovery What do I do to recover when something happens?

Situational Awareness: After a crisis, situational awareness is most important. The best confidence builder is knowing what you have to do.

Rugged is… having a plan and following it responsibly.

Theme (goal): With time and effort people recover from identity theft and loss of computer data. The hope is that this presentation has provided enough preparation, has provided inspiration to have learned enough and done the steps to make recovery is much quicker and less costly than it would have been.

A. What do I do to recover when something happens? (Recovery) Rugged means1. Evaluate the situation

a. What exactly happened?i. Physical loss – need my data back•System just “died”•System did weird things, now everything is gone•Check for virus/malware infections•If malware or root kit found, may need to take steps to protect identity•Obvious stuff (spilled beer on it, stolen, fell off car roof while driving off, 3 year old “washed it”for you)

ii. Electronic loss/Identity theft – need to limit impact of someone else having my data•I entered account info/password into a fraudulent website•System hacked •Malware (key logger, root kit etc.)

b. What have you lost?c. Are you certain it is really gone (you may want to consult a professional)d. This is beyond me! (In all examples/steps listed, if you feel unsure about what you are doing consider purchasing professional services before more damage is done)

2. Recover from Physical / System‐related Loss a. If not obvious, establish reason for crash (system not functioning, drive read error, virus infection)

i. Data could very well still be intact

42


2/2/2011

43

____ _____

b. Attempt to repair OS (be careful not to overwrite data) or to recover data (if OS is not repairable and current backups not available)

i. Windows repairii. Windows Recovery CDiii. Ubuntu Live CDiv. You may want to consider professional services if the information is very important.

c. Replace hard drive other hardware as necessaryd. Once system/OS is restored or repaired so operating system will boot

i. If unsure that virus is eradicated, and data is backed up safely, often best to format drive and re‐load operating systemii. Be careful not to restore virus from backups!

e. Restore program files from original CDs (as necessary)f. Install ALL updates and service packs for OS and programs

3. Restore data files (as necessary from one of your 3 backups)4. Recover from external Electronic theft / Identity theft

a. Try to determine what was lostb. File fraud alert with any of three primary credit agencies (Experian, etc.)c. Obtain copies of credit reports d. Close any accounts that have been tampered with or opened fraudulentlye. File complaint with FTCf. File police reportg. Change all online passwordsh. Contact Social Security Administrationi. File FTC complaint (at $100,000 they will open an investigation)j. You may want to consider further assistance/guidance from attorney and/or primary financial institution

5. Learn from your mistakes (or better still, learn from others’ mistakes before you make them!)6. Help others. Spread the word of what worked for you.

Actions to take: Make sure you are prepared ahead of time! (See prior domain)

Reference Websites: Identity Theft: FTC http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html

Equifax: 1‐800‐685‐1111; www.equifax.comExperian: 1‐888‐EXPERIAN (888‐397‐3742); www.experian.comTransUnion: 1‐800‐916‐8800; www.transunion.com

Internet Crime Complaint Center: http://www.ic3.gov/default.aspx (aggregate complaints until they reach over $100,000 then investigate). System Loss/Crash/InfectionUbuntu Live Tutorial: http://www.howtogeek.com/howto/windows‐vista/use‐ubuntu‐live‐cd‐to‐backup‐files‐from‐your‐dead‐windows‐computer/PC First Aid Kit: http://lifehacker.com/5645303/be‐prepared‐for‐everyday‐tech‐problems‐with‐an‐essentials‐backup‐kit?skyline=true&s=iSystem Troubleshooting (slightly technical): http://www.daileyint.com/hmdpc/manual.htmSystem Restore: http://lifehacker.com/5466794/the‐complete‐guide‐to‐windows‐system‐restore‐its‐better‐than‐you‐remember System Repair Disk: http://windows.microsoft.com/en‐US/windows7/Create‐a‐system‐repair‐discBootable Anti‐virus rescue CD: http://www.askvg.com/download‐free‐bootable‐rescue‐cds‐from‐kaspersky‐bitdefender‐avira‐f‐secure‐and‐others/Root Kit Detectors: http://www.windowsreference.com/security/list‐of‐free‐anti‐rootkitrootkit‐detection‐software‐for‐windows/

Report Child Cybercrime.http://www.missingkids.com/missingkids/servlet/PublicHomeServlet?LanguageCountry=en_US

Report Phishing sites:http://www.phishtank.com/Look up phishing sites: http://zeltser.com/combating‐malicious‐software/lookup‐malicious‐websites.htmlMalware—upload a file to check for malware: http://www.virustotal.com/index.html


2/2/2011

44

____ _____

I am rugged, and more importantly, my computer is rugged.

I recognize that software has become the foundation of our modern world.

I recognize that the Internet is an extraordinary resource and a threat.

I recognize that nobody is protecting me and I am responsible to learn enough to protect myself and my family.

I recognize that computers will be attacked by unscrupulous but talented people who threaten our future, our physical, economic and national security.

I recognize these things and I choose to be rugged.

I am rugged because I learn to protect myself, my information and privacy.

I am rugged because I take responsibility for my cybersecurity and for helping others in my community learn to protect themselves.

I am rugged because our future is intertwined with freedom of the Internet.

I am rugged not because it is easy, but because it is necessary…and I am up for the challenge.

Name:_______________

Date:_______________

Location:_______________

I Am Cyber Rugged

• I am rugged, and more importantly, my computer is rugged.• I recognize that software has become the foundation of our modern world.• I recognize that the Internet is an extraordinary resource and a threat.• I recognize that nobody is protecting me and I am responsible to learn enough

to protect myself and my family.• I recognize that computers will be attacked by unscrupulous but talented people

who threaten our future, our physical, economic and national security.• I recognize these things and I choose to be rugged.• I am rugged because I learn to protect myself, my information and privacy.• I am rugged because I take responsibility for my cybersecurity and for helping

others in my community learn to protect themselves.• I am rugged because our future is intertwined with freedom of the Internet.• I am rugged not because it is easy, but because it is necessary…and I am up for

the challenge.

Slide Show topics researched and prepared by:

Lydia Lourbacos, (Topics 1‐10) cyberrugged at gmail.com

Pete Herzog, ISECOM, (Topics 2 and 4) http://isecom.org, http://hackerhighschool.org, http://badpeopleproject.org

Russ Wolfe, ISACA International (Topics 8‐10) http://isaca.org

Additional References on Security Awareness:

• SANS Institute Awareness Demos: http://www.securingthehuman.org/#/services

• New Orleans Personal Computer Club http://nopc.org

The NOPC is there to help those in the community interested in learning more about personal computers. They meet the first Wednesday of each month at the Harahan Senior Center, 100 Elodie Ave, Harahan, 70123 504‐737‐3810

44


cyber rugged 2/2/2011 · 2/2/2011 1 ____ _____ ... cybersecurity or computer groups: local chapters...

Documents

cyber rugged 2/2/2011 · 2/2/2011 1 _ ... cybersecurity or computer groups: local chapters...