TRANSCRIPT
SOCIAL ENGINEERING AND INFORMATION PROTECTION BEST PRACTICES
Social engineering
Who Are We?
• Graduate students at UNM Anderson School of Management, both studying toward a graduate degree in Information Assurance
• Full-time employees at Sandia National Laboratories, working in an IT department
INTRODUCTION
Why Are We Here?
• We all need to learn to defend our information from unauthorized access and use
• A survey given 3/10/2013 discloses some areas in which you can protect yourselves better
• Major Topics
  • Online Privacy/Protection
  • Social Engineering
  • Password Strength/Password Management
INTRODUCTION
Here are some of the more interesting results from the survey…
SURVEY RESULTS
[Survey chart] Do you reuse the same password across your online accounts? (responses: Yes / No / Not Sure)
[Survey chart] Do you regularly clear your browser cache? (responses: Yes / No / Not Sure)
[Survey chart] Do you use strong passwords for your online accounts? (responses: Yes / No / Not Sure)
[Survey chart] How familiar are you with social media privacy settings? (responses: Familiar / S Familiar / S Unfamiliar / Unfamiliar / N/A)
You may have heard recently that many celebrities' email accounts were being hacked
• So much information about celebrities is on the internet
• Countless followers via Twitter, Facebook, and other social media
ONLINE PRIVACY/PROTECTION
One of the biggest threats to your personal privacy protection is social media
• Over-sharing
• "Checking in"
• Embarrassing pictures/posts/likes
• Lack of control over who can see what
• Anonymous information gathering
ONLINE PRIVACY/PROTECTION
Browser Safety
• Cleaning cache
• Tracking and Cookies
• Double-checking URLs
Email Safety
• Spam filtering
• Attachments
EMAIL / BROWSER SAFETY
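"Double-checking URLs" is easy to say and easy to get wrong, so here is what the check actually looks like in code. This is an added example, not code from the presentation; the domain mybank.example and the sample links are constructed. It takes the link text an email shows and the href it really points to, extracts the host a browser would connect to (which drops any "user@" prefix attackers put in front of the real host), and only accepts the expected domain or a subdomain of it, so "mybank.example.evil.example" and "secure-mybank.example" are both rejected.

```python
"""Check that a link really leads to the site it claims to.

Added example (not from the original slides). The domain "mybank.example"
and the sample links below are constructed for illustration.
"""
from typing import List, Optional
from urllib.parse import urlsplit


def hostname_of(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to, lowercased.

    urlsplit().hostname strips userinfo ("user:pass@"), the port and the path,
    so "http://www.mybank.example@evil.example/" yields "evil.example".
    """
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def hostname_matches(url: str, expected_domain: str) -> bool:
    """True only if the URL's host is expected_domain or a subdomain of it.

    A plain substring test would accept "www.mybank.example.evil.example" and
    "secure-mybank.example"; the suffix-with-a-leading-dot rule rejects both.
    """
    host = hostname_of(url)
    if host is None:
        return False
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def is_https(url: str) -> bool:
    """A login link over plain http:// is a second warning sign."""
    return urlsplit(url).scheme == "https"


def check_link(link_text: str, href: str, expected_domain: str) -> List[str]:
    """Return the warnings a reader should notice before clicking.

    link_text is what the email displays; href is where the link really goes.
    """
    warnings = []
    if not hostname_matches(href, expected_domain):
        warnings.append(f"host is {hostname_of(href)!r}, not {expected_domain!r}")
    if not is_https(href):
        warnings.append("not https")
    shown_host = hostname_of(link_text) if "://" in link_text else None
    if shown_host and shown_host != hostname_of(href):
        warnings.append(f"link text shows {shown_host!r} but points at {hostname_of(href)!r}")
    return warnings


# Constructed sample links, as they might appear in a "confirm your account" email.
SAMPLE_LINKS = [
    ("https://www.mybank.example/login", "https://www.mybank.example/login"),
    ("https://www.mybank.example/login", "https://www.mybank.example.evil.example/login"),
    ("https://www.mybank.example/login", "http://www.mybank.example@evil.example/"),
    ("https://www.mybank.example/login", "https://secure-mybank.example/login"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        problems = check_link(text, href, "mybank.example")
        verdict = "OK" if not problems else "SUSPICIOUS: " + "; ".join(problems)
        print(f"{href}\n    {verdict}")
```

Only the first sample passes. The practical lesson is the one the slide gives: hover over (or long-press) the link and read the real host from right to left, because the part just before the first "/" is the site you will actually reach, whatever the link text says.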
Due to social media use today, we are all "celebrities"
• Just as people have been able to hack real celebrity accounts using information from the internet, the same can be done to anyone sharing via social media
• All this public information makes an individual vulnerable to social engineering attacks
SOCIAL ENGINEERING
"the art of manipulating people into performing actions or divulging confidential information"
• Tricking the victim into divulging information
• Only a few of you responded that you had previously given personal information over the internet
• Can involve pretexting, or creating a target-specific scenario, to give the victim a sense of legitimacy
SOCIAL ENGINEERING
Pretexting
"the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances."
• Attackers will research their targets so that they can create a more believable lie
• A phishing email from "your bank" asking you to confirm your username and password
• Use of other information, such as your work or school, gained via social networking sites
PRETEXTING
1. Clear out your ________ ________ regularly to keep sites from tracking your internet activity.
MIDTERM EXAM
Browser Cache
2. The act of creating a scenario to engage a targeted victim to divulge information is known as what?
Pretexting
3. True or False. “Checking In” on Facebook on a regular basis is a safe practice.
False
4. The art of manipulating people to divulge confidential information is known as what?
Social Engineering
5. One of the greatest threats to our personal online privacy is how we use ________ ________.
Social Media
Password best practices
Password Strength
• Most of you say you use strong passwords
• What makes a strong password?
  • At least 8 characters – more is better (every added character multiplies the attacker's work)
  • Avoid any dictionary words
  • Mix of letters (upper and lower), numbers, and other characters (like punctuation)
  • Some examples
    • r3t7A#EM
    • Tad3cha5$uh#q
PASSWORD STRENGTH
WHY A COMPLEX PASSWORD?
There are several methods of acquiring a password
– Guessing* – use of personal information that is publicly available
– Dictionary-based attacks*
– "Brute Force" attacks* – programs that try every possible combination of characters
– Phishing**
– Shoulder surfing**
* These attacks are best mitigated through the use of a strong password. The stronger the password, the harder it is to guess by either people or programs.
** These attacks are best mitigated through personal security (preventing social engineering); no password, however strong, helps once you have typed it into an attacker's form or let someone watch you type it.
• Password strength criteria: http://www.microsoft.com/security/online-privacy/passwords-create.aspx
• Password strength checker: https://www.microsoft.com/security/pc-security/password-checker.aspx
• Password generator: https://secure.pctools.com/guides/password
• Importance of a strong password: http://www.utexas.edu/its/secure/articles/importance_strong_passwords.php
PASSWORD STRENGTH
HOW STRONG IS MY PASSWORD?
5 volunteers!
Password Strength Checker
• How long would it take a desktop PC to crack a password?
• http://howsecureismypassword.net/
• Do NOT put your REAL password into this site – it is for relative strength checking only!
PASSWORD STRENGTH DEMONSTRATION
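The "how long to crack" figure such sites report is a simple calculation, and doing it yourself shows why length beats cleverness. This is an added example, not code from the presentation or from howsecureismypassword.net. It counts which character classes a password uses (the four from the slide), raises that alphabet size to the password's length to get the brute-force keyspace, and divides by an assumed guess rate; the rate of one billion guesses per second is an illustrative assumption for a single desktop against a fast, unsalted hash, not a measured figure. The two slide examples are included alongside two deliberately weak constructed ones.

```python
"""Estimate how long exhaustive guessing takes for a password.

Added example, not code from the original slides or from howsecureismypassword.net.
The guess rate below is an assumption chosen for illustration; real rates depend on
the hash algorithm the site uses and on the attacker's hardware.
"""
import math
import string

# Character classes matching the slide's criteria (upper, lower, digits, punctuation).
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

# ASSUMPTION: one desktop PC, offline attack on a fast unsalted hash (illustrative only).
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search: the sum of the classes the password uses."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates of this length over the classes the password uses."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: how many bits an attacker effectively has to guess."""
    return len(password) * math.log2(charset_size(password))


def seconds_to_exhaust(password: str, guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole keyspace at the given rate."""
    return keyspace(password) / guesses_per_second


def describe(seconds: float) -> str:
    """Human-readable duration for the demonstration output."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


if __name__ == "__main__":
    # "password" and "Password1" are weak constructed examples; the last two are from the slide.
    for pw in ["password", "Password1", "r3t7A#EM", "Tad3cha5$uh#q"]:
        print(f"{pw:15} charset={charset_size(pw):3} bits={entropy_bits(pw):5.1f} "
              f"worst case {describe(seconds_to_exhaust(pw))}")
```

Two things to read off the output. First, going from the 8-character slide example to the 13-character one multiplies the keyspace by 94^5, roughly seven billion times, which is why "more is better" is the most important line on the slide. Second, the estimate is an upper bound that only holds for a password with no structure: "password" falls to a dictionary attack in a fraction of a second regardless of what the brute-force arithmetic says, which is the reason the slide tells you to avoid dictionary words in the first place.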
Password Reuse
• While most of you said you use strong passwords, most of you also said you reuse passwords
• DON'T USE THE SAME PASSWORD ACROSS ALL ACCOUNTS!
• Sites are hacked regularly and passwords are retrieved; a password stolen from one site is then tried against your other accounts
• SERIOUSLY??? Did you see those password examples?????
PASSWORD REUSE
Password Management
• Various tools to manage passwords
• Allows unique passwords to be used for each account
• Convenient features for ease of use
  • Categorization
  • Auto-type/Auto-fill
• Online/Cloud based and client based
• Each solution has its Pros and Cons
PASSWORD MANAGEMENT
Pros/Cons
• Cloud-based – less secure: your passwords are stored on someone else's servers on the internet, so you depend on that provider's security
• Client-based – more secure, but less convenient, as the passwords are only available where the client is installed
Solution: KeePass with Dropbox
• Power of a client-based, encrypted database with availability provided by online storage
• Dropbox only ever holds the encrypted database file; its protection rests on the strength of the one master password you choose
PASSWORD MANAGEMENT
Dropbox
• Online storage
• Web browser interface
• Desktop sync
• iPhone/iPad/Android sync
• FREE! (2GB – more than enough for a KeePass database file)
PASSWORD MANAGEMENT
KeePass
• Encrypted password database
• Categorize by folder
• Lightweight install
• Password generator/strength indicator
• Secure notes
• Auto-type
• iPhone/iPad/Android app support
• FREE!
Result: an encrypted database of passwords synced across all devices – you only have to remember one really strong password! For FREE!
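The generator built into a password manager is what makes "a unique password for every account" practical, so here is the essential part of one. This is an added example, not KeePass's own generator code; the account names are constructed. It draws from the operating system's cryptographic random source (Python's secrets module, not the random module, whose output is predictable), guarantees at least one character from each of the four classes on the strength slide, shuffles so the positions of those guaranteed characters are not predictable, and then builds a small vault with a different password per account.

```python
"""Generate a unique random password per account, the way a password manager does.

Added example (not KeePass's own code). Account names are constructed.
"""
import secrets
import string

LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length: int = 16) -> str:
    """Return `length` characters drawn with the OS CSPRNG (secrets, never random).

    Guarantees at least one character from each of the four classes on the slide,
    then shuffles so the class positions are not predictable. length must be >= 4.
    """
    if length < 4:
        raise ValueError("need at least 4 characters to cover all four classes")
    chars = [secrets.choice(LOWER), secrets.choice(UPPER),
             secrets.choice(DIGITS), secrets.choice(SYMBOLS)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
    # Fisher-Yates shuffle driven by secrets; random.shuffle is not cryptographically secure.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_slide_criteria(password: str) -> bool:
    """At least 8 characters and every class present (the strength rule from the slide)."""
    return (len(password) >= 8
            and any(c in LOWER for c in password)
            and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SYMBOLS for c in password))


def build_vault(accounts, length: int = 16) -> dict:
    """Map each account to its own freshly generated password (what the manager stores)."""
    return {account: generate_password(length) for account in accounts}


def all_unique(vault: dict) -> bool:
    """The whole point of a manager: no password shared between two accounts."""
    return len(set(vault.values())) == len(vault)


if __name__ == "__main__":
    # Constructed account list.
    vault = build_vault(["bank", "webmail", "social", "shopping"])
    for account, pw in vault.items():
        print(f"{account:10} {pw}")
    print("all unique:", all_unique(vault))
```

Since nobody is expected to remember these, there is no reason to keep them short: the only password you memorise is the master password that unlocks the database. Some sites reject particular symbols, which is why real managers let you restrict the symbol set per entry; trimming SYMBOLS for such an account is the only change needed here.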
PASSWORD MANAGEMENT DEMONSTRATION
KeePass & Dropbox Demo
Best Practices
• Use spam filters
• Don't open unusual/unknown attachments
• Double-check URLs before clicking
• Lock down public information on social media sites
• Be absolutely sure you know who you are divulging information to
• Use strong passwords
• Use a password management tool to enable unique passwords across the internet
REVIEW
QUESTIONS???
QUESTIONS