wharton computing techfast: security

05/30/2022 4/1/11 Techfast: Security – Not just for banks Barry Wilson/Scott McNulty – Wharton Computing

Upload: scott-mcnulty

Post on 26-May-2015


DESCRIPTION

This presentation was given on April 1st, 2011 as part of Wharton Computing's Techfast series. More information about Techfast can be found at: http://technology.wharton.upenn.edu/techfast

TRANSCRIPT


Techfast: Security - Not just for banks
Barry Wilson / Scott McNulty, Wharton Computing

Who Are We? And what do we do?

Two quotes from experts
"As head of security it is my duty to be... concerned." - Worf, USS Enterprise
"By failing to prepare, you are preparing to fail." - B. Franklin, local celebrity

The Internet is out to get you (only a little)

Password Rules of Thumb
No sharing passwords between accounts (one password to spoil them all)
No short passwords
No dictionary words
No personal information

Passphrases: exception to the rules
Very long
Easy to remember
Hard to crack

Example passphrase: "My, aren't members of Wharton Computing good looking?"

How secure is your password?
http://howsecureismypassword.net

How long will it take to crack these passwords:
password - Instantly

Other common passwords: 123456, 12345678, 1234, 12345, dragon, qwerty, mustang, letmein, baseball, master, michael, football, shadow, monkey, abc123, pass, jordan, harley, ranger, jennifer, hunter, 2000, test, batman

Password Cracking 101
Dictionary attacks
http://mtyourmind.10001mb.com/2009/0127/
Rainbow tables
http://www.elsingadesign.com/
Brute force attacks
http://ryan.skow.org/siege/Fields2002/SaturdayBattleReport.html
Social engineering
http://news.bbc.co.uk/2/hi/technology/3639679.stm

Password Tip 1: o = 0
Password Tip 2: cAmelCaSe
passW0rd - 10 days

Password Tip 3: $pec!@l Ch@r@cter$
p055W0rD! - 9 years

"My, aren't members of Wharton Computing good looking?" - 560 tresvigintillion years

Managing your passwords the old way

Your Wharton password must:
Be between 9 and 15 characters long.
Include at least one numeric character (the digits 0 - 9).
Your Wharton password may include the following special characters: - _ +
Your password cannot include the following special characters: $ * | @ # % & { [ ( , " ` ' ~ or a blank space.
Your Wharton password must not:
Be composed of all numbers or numbers and decimal points, plus signs, or minus signs. For example, 1-215-555-1212 is not a valid password.
Be derived directly from words or phrases. For example, time2go, big$deal, ivyLeague, 2morrow, money$, and Ivyleague are not valid passwords.
Contain your PennNet ID, username, or your first, middle, or last name.
Consist of all uppercase or all lowercase characters.

169 days

Managing your passwords the secure way
Password Safe: http://passwordsafe.sourceforge.net/
1Password: http://agilewebsolutions.com/onepassword/
1Password costs $39.95 and is available for Mac, PC, iPhone and iPad
Check with your reps if you want a password manager for your work computer
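As an added illustration (not code from the slides or from Wharton Computing), here is a Python checker for the Wharton password rules listed above. The word list, the digit-for-letter mapping and the sample passwords are constructed assumptions, and the "derived directly from words" rule is approximated by undoing common substitutions and testing whether what remains segments entirely into dictionary words:

```python
import re

ALLOWED_SPECIAL = set("-_+")          # the only special characters the policy allows
# Tiny constructed word list; a real deployment would load a full dictionary.
WORDS = {"time", "to", "go", "big", "deal", "ivy", "league", "tomorrow", "money"}
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"}   # assumed mapping


def normalize(pw):
    """Lowercase, undo digit-for-letter swaps ('2' -> 'to', '0' -> 'o'), keep letters only."""
    out = []
    for ch in pw.lower():
        out.append("to" if ch == "2" else LEET.get(ch, ch))
    return "".join(c for c in "".join(out) if c.isalpha())


def all_words(text):
    """Word-segmentation DP: True if text splits entirely into entries of WORDS."""
    ok = [True] + [False] * len(text)
    for i in range(1, len(text) + 1):
        ok[i] = any(ok[j] and text[j:i] in WORDS for j in range(i))
    return bool(text) and ok[len(text)]


def check_password(pw, personal=()):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if not 9 <= len(pw) <= 15:
        problems.append("must be 9-15 characters long")
    if not any(c.isdigit() for c in pw):
        problems.append("must include a digit")
    bad = sorted({c for c in pw if not c.isalnum() and c not in ALLOWED_SPECIAL})
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    if re.fullmatch(r"[0-9.+-]+", pw):
        problems.append("all numbers/punctuation (e.g. a phone number)")
    norm = normalize(pw)
    if all_words(norm):
        problems.append("derived directly from words or phrases")
    low = pw.lower()
    if any(p and (p.lower() in low or p.lower() in norm) for p in personal):
        problems.append("contains your PennNet ID, username or name")
    letters = [c for c in pw if c.isalpha()]
    if letters and (all(c.isupper() for c in letters) or all(c.islower() for c in letters)):
        problems.append("all uppercase or all lowercase")
    return problems
```

The examples the policy itself lists (1-215-555-1212, time2go, 2morrow, money$, Ivyleague) all come back with at least one violation.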

Phishing

phishing (noun): the activity of defrauding an online account holder of financial information by posing as a legitimate company. (As defined by the OED)

Tips for identifying a phishing email

Phishing - browser address bar
Not 100% accurate, because some places use wacky URLs. Remember

Phishing - browser address bar - SSL
Define SSL:

Phishing - poor wording

Phishing - check the sender
From: Usman Bagudu

Phishing - asks for your password

Phishing email or not?
PHISHING!
Not a Penn Web site.
Not a real group @ Penn
Undisclosed recipients
When in doubt: ask
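The address-bar check the slides describe, as an added Python example that is not part of the original deck: it assumes upenn.edu is the only trusted domain, treats anything else (look-alike host names, bare IP addresses, a user@ prefix in front of the real host) as "Not a Penn Web site", and also applies the SSL test from the next slide:

```python
from urllib.parse import urlsplit
import ipaddress

TRUSTED_DOMAINS = ("upenn.edu",)   # assumed: the institution's own registrable domain


def check_address_bar(url, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason): ok only if the host is a trusted domain (or a subdomain) over https."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".").lower()   # .hostname drops user:pass@ and :port
    if not host:
        return False, "no host name in the URL"
    if parts.username is not None:
        # Anything before '@' is login info, not the site; the real host follows it.
        return False, "user@ prefix in URL; the real host is " + host
    try:
        ipaddress.ip_address(host)
        return False, "bare IP address instead of a named site"
    except ValueError:
        pass
    # "upenn.edu.example.com" ends with "example.com", not ".upenn.edu", so it fails here.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        return False, "host " + host + " is not under " + " / ".join(trusted)
    if parts.scheme != "https":
        return False, "not over SSL (https)"
    return True, "host " + host + " over SSL"
```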

Defending against Phishing

What to do if you respond to a phishing email
http://mantia.me/wallpaper/dont-panic/
Tell someone
Change your passwords
Review statements
Contact the authorities
Wharton: [email protected]
FTC: 1-877-ID-THEFT or https://www.ftccomplaintassistant.gov/
Police
Credit card issuers: set up a fraud alert

Home Computers

Avoid: no-name anti-virus
Image credit: Complete Computer Repair of CT (http://tinyurl.com/272uvla)
Avoid: downloading material
Forewarned is forearmed.

Automatic software updates
Software updates: 3rd party software
Install antivirus software
http://www.upenn.edu/computing/virus/
Mac and PC, required if you're on PennNet (your work computer has it if it was set up by Wharton Computing)

Firewall
Credit: Stuck in Customs (http://www.flickr.com/photos/stuckincustoms/1194563275/in/photostream/)
Firewall - Windows 7
Firewall - OS X

Home computers: Ideal vs. Reality
Home computers: Ideal
Dedicated computer: only you use your computer.
Password protected.
Home computers: Practical
Multiple accounts: each user has their own individual account.
VPN.
Don't store work files on your home computer.
VPN: Sentinal.wharton.upenn.edu

Mobile devices
Mobile devices: set a password
Mobile devices: remote wipe
Mobile devices: encryption
BitLocker: Windows Vista and 7
FileVault: OS X
iPad demo

Confidential Data
Nobody wants this

Or this
Or this!

Confidential Data: What is it?

Legally Protected (as defined by the government)
SSNs
Credit card data
Bank account information
Medical data
Student enrollment data (anything defined in FERPA)

University Protected (as defined by the University)
All the legally protected info, plus:
Salary information
Tax and payroll information
Data we have agreed to keep confidential: business plans at the Small Business Center

University Policy
This policy establishes expectations around the use of SSNs - sensitive data whose misuse poses privacy risks to individuals, and compliance and reputational risks to the University. It calls on staff, faculty, contractors, and agents of the above to inventory their online and offline SSNs and reduce the above risks by, in priority order: (1) eliminating this data altogether, (2) converting it to PennID, (3) truncating the data to capture and display only the last four digits, (4) when the complete SSN is clearly necessary, ensuring strict security controls to protect the full data.

University Policy - Summary
Four easy things to do: Eliminate, Convert (to PennID), Truncate, Secure
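An added Python illustration (not Identity Finder's code and not a University tool) of two ideas from this part of the talk: find SSNs and card numbers in a file but report only the type and location of each finding, never the value, and apply the policy's "truncate" option so only the last four digits of an SSN remain. The patterns, the Luhn check and the sample text are constructed assumptions:

```python
import re

# SSN shape with the never-issued ranges (000, 666, 9xx area; 00 group; 0000 serial) excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits with optional separators


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:            # double every second digit from the right
            n = n * 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_confidential(text):
    """Return [(kind, line_number)] so a finding can be reported without the data itself."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SSN_RE.search(line):
            hits.append(("SSN", lineno))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 16 and luhn_ok(digits):
                hits.append(("card", lineno))
    return hits


def truncate(text):
    """Policy option (3): keep only the last four digits of each SSN."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group()[-4:], text)


# Constructed sample; the card number is the well-known 4111... test value, not a real account.
SAMPLE = ("Student record (constructed sample):\n"
          "SSN: 123-45-6789\n"
          "Card: 4111 1111 1111 1111\n"
          "Phone: 1-215-555-1212\n")
```

The phone number in the sample is deliberately there: it has the right digit count for neither pattern, so it is not reported.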

Identity Finder
Why Identity Finder?
Cross platform
Centrally managed
Best in class software

Shredding files

Identity Finder Management Console
IMPORTANT
None of your data is transmitted to or stored on the Identity Finder Management server
Only the location and general type of found data is transmitted (securely)
No data will be deleted from your computer by Wharton Computing without your consent

How dangerous is your confidential data?
3 questions to help gauge your risk:
How much do you have?
Who does it include?
What else is stored with it?

How do you manage it?
Know what you have
Keep it separated
Make sure it is secure

Securing your confidential data
Store it on a central server
Back it up
Encrypt it
Never let anyone log in as you.
Don't allow work-studies to use a computer that contains confidential data

Hacking happens
The Process

Questions?
http://beacon.wharton.upenn.edu/security/techfast

Contact us
Barry Wilson, Chief Security Officer: [email protected]
Scott McNulty, Sr. IT Project Leader: [email protected]@wharton.upenn.edu
http://beacon.wharton.upenn.edu/security

Tell us what you [email protected]