Category Archives: Information Security

  • 1

Having Fun with Security Awareness–Phishing

Category:Higher Education,Information Security,Infosec Communicator,Social Networking,Uncategorized Tags : 

Phishy

Phishy and Ritchie at RIT

The task of creating a culture of information security awareness in higher education can be a daunting one. You may feel as though your efforts are unnoticed and unrewarded. However, one of the really cool things about working in higher ed is that universities and colleges are often willing to share their best practices and even the materials they’ve created. This can ease the burden of coming up with new ideas to to help increase user awareness of information security threats.

Over the last couple of years, higher education has seen an increase in phishing attempts known in the industry as “spear phishing.” Spear phishing targets a specific group of individuals by crafting emails or other “bait” that appear to come from a known and trusted source, such as a school’s Information Technology department. In 2009, RIT saw a string of phishing attempts that had, from our view, a success rate that was unacceptable. (Much as we’d like to block all phishing attempts and train our community to recognize and not respond to password requests, someone will always fall for a well-crafted phish.)

Unsure of how to best combat the threat, we formed a team of our best information technology and information thinkers to address the issue. We chose a multi-pronged approach with both technology and people initiatives. We increased our email alerts and advisories to inform the community of the problem. Our Information Technology Services organization began prepending a warning message to all incoming emails that contained the word “password” in the text. However, we knew that this wouldn’t be enough to solve the problem.

One of our coop students had worked the previous summer at Yale University and showed us phishing awareness posters that they had created. We received permission from Yale to modify the posters for our own use and began a poster campaign on campus. We decided to go a step beyond.

What better way to draw attention to phishing than having a giant “phish” walk around campus! Phishy was an instant hit. Phishy visited offices around campus and greeted students with cards that reminded them to NEVER respond to requests for their passwords. Phishy hung around RIT for a week twice during 2009.

Gil Phish

Gil Phish at Yale

This fall, Yale leveraged our Phishy idea. They bought a fish costume and greeted new students at orientation. (They also created a Gil Phish Facebook page with pictures of Gil engaged in behavior that could only be described as sub-crustacean…

Building off of each others successes has enabled both universities to create innovative security awareness programs.

Enhanced by Zemanta

  • 1

Best Security Awareness Videos for College Students

Category:Facebook,Information Security,Infosec Communicator,Internet Safety,Social Networking,Uncategorized Tags : 

Each fall, the RIT Information Security Office provides a Digital Self Defense orientation to first year students. The session helps the students understand the information security threats they will face. We also communicate their responsibility for keeping themselves and others safe online. As you might imagine, keeping the attention of these students midway through their orientation week can be challenging. To help hold their interest, we use a number of security awareness videos in our presentation.

The list of videos below includes an amateur and professional videos and student-created entries in the EDUCAUSE Annual Security Video contest.

Video resources

Facebook Stalker
http://www.youtube.com/watch?v=wCh9bmg0zGg

The Onion: Facebook, Twitter Revolutionizing How Parents Stalk their College-Aged Kids http://www.theonion.com/video/facebook-twitter-revolutionizing-how-parents-stalk,14364/

Weird “Al” Yankovic Virus Alert
http://www.youtube.com/watch?v=zvfD5rnkTws

Identity Theft for Criminals student video
http://www.youtube.com/watch?v=agmHVBJL_fk

Check out the EDUCAUSE Video Contest Page on Facebook for more videos.

If you know of other good security awareness videos, please add a comment!

src=”http://media.theonion.com/flash/video/embedded_player.swf” type=”application/x-shockwave-flash” allowScriptAccess=”always” allowFullScreen=”true” wmode=”transparent” width=”480″ height=”430″ flashvars=”videoid=14364″>
Facebook, Twitter Revolutionizing How Parents Stalk Their College-Aged Kids

  • 3

Is “Secure Mobile” an Oxymoron?

Category:Information Security,Infosec Communicator,mobile device,Risk Tags : 

If you haven’t noticed, mobile device use is pretty much ubiquitous. Apple iPhone/iPod/iPad, Windows Mobile, Palm, Google Android, Blackberry–all of these device families have their own Operating Systems that could be exploited by an attacker.  Yet, we’re seeing more and more mobile device use in business settings.

SMobile published a white paper yesterday (6/22), Threat Analysis of the Android Market,  about the ~20% of apps available from the Google Android Market that are granted permissions to potentially exploitable features/information when they’re installed. As they point out, it’s pretty easy for an attacker to encourage a potential target to install a seemingly innocent application when that application is available from the Google Market and was never vetted for security issues.

Another big issue is how easy it is to lose a mobile device. If the device is not encrypted, any confidential or private information you’ve placed on the device is at risk. If you’ve cached login credentials to your institution’s network, an attacker has easy access.

We’re working on developing mobile device security guidelines for use in accessing our university data. Because almost all devices are individually-owned and pose their own unique security risks, it’s hard to develop a one-size-fits-all policy. We’re looking at both general and device-specific guidelines.

I’ve included a preliminary draft below, parts of it based on materials developed by EDUCAUSE member institutions.  What would you add or subtract? Is it a good approach?

General Guidelines for Mobile Device Use

  • Configure mobile devices securely. Depending on the specific device, you may be able to:
    • Enable auto-lock. (This may correspond to your screen timeout setting.)
    • Enable password protection.
      • Use a reasonably complex password where possible.
      • Avoid using auto-complete features that remember user names or passwords.
      • You may want to use a password safe application where available.
    • Ensure that browser security settings are configured appropriately.
    • Enable remote wipe options.
      • If you’re connecting to the university email with ActiveSync for email and calendaring, you may be able to wipe the email and calendaring information from your device remotely.
      • Third party applications may also provide the ability to remotely wipe the device.
    • Ensure that SSL protection is enabled.
  • For improved performance and security, register your device and connect to the university WPA2 network where available.
  • Disable Bluetooth (if not needed). This will help prolong battery life and provide better security.
  • Keep your mobile device and applications on the device up to date. Use automatic update options if available.
  • Install an antivirus/security program and configure automatic updates if possible. Like computers, mobile devices have operating systems with weaknesses that attackers may exploit.
  • Use an encryption solution to keep portable data secure in transit and at rest. WPA2 is encrypted. 3G encryption has been cracked. Use an SSL (https) connection where available.
  • Take appropriate physical security measures to prevent theft of mobile devices.
    • Never leave your mobile device unattended.
    • Report lost or stolen devices and change any passwords immediately.
    • Include contact information with the device.
      • On the lock screen (if possible). For example, “If found, please call 585-475-HELP.”
      • Engraved on the device.
      • Inserted into the case.
  • Know your mobile vendor’s policies on lost or stolen devices. Know the steps you need to take if you lose your device. Report the loss to your carrier ASAP so they can deactivate the device.
  • Use appropriate sanitization and disposal procedures for mobile devices.
Enhanced by Zemanta

Categories