Information Security Archives - Page 13 of 13

03
Sep 10
1

Having Fun with Security Awareness–Phishing

Category:Higher Education,Information Security,Infosec Communicator,Social Networking,Uncategorized Tags : Best practice Facebook Higher education Information security Information Technology Phishing RIT Rochester Institute of Technology social networking Yale University

Phishy and Ritchie at RIT

The task of creating a culture of information security awareness in higher education can be a daunting one. You may feel as though your efforts are unnoticed and unrewarded. However, one of the really cool things about working in higher ed is that universities and colleges are often willing to share their best practices and even the materials they’ve created. This can ease the burden of coming up with new ideas to to help increase user awareness of information security threats.

Over the last couple of years, higher education has seen an increase in phishing attempts known in the industry as “spear phishing.” Spear phishing targets a specific group of individuals by crafting emails or other “bait” that appear to come from a known and trusted source, such as a school’s Information Technology department. In 2009, RIT saw a string of phishing attempts that had, from our view, a success rate that was unacceptable. (Much as we’d like to block all phishing attempts and train our community to recognize and not respond to password requests, someone will always fall for a well-crafted phish.)

Unsure of how to best combat the threat, we formed a team of our best information technology and information thinkers to address the issue. We chose a multi-pronged approach with both technology and people initiatives. We increased our email alerts and advisories to inform the community of the problem. Our Information Technology Services organization began prepending a warning message to all incoming emails that contained the word “password” in the text. However, we knew that this wouldn’t be enough to solve the problem.

One of our coop students had worked the previous summer at Yale University and showed us phishing awareness posters that they had created. We received permission from Yale to modify the posters for our own use and began a poster campaign on campus. We decided to go a step beyond.

What better way to draw attention to phishing than having a giant “phish” walk around campus! Phishy was an instant hit. Phishy visited offices around campus and greeted students with cards that reminded them to NEVER respond to requests for their passwords. Phishy hung around RIT for a week twice during 2009.

Gil Phish at Yale

This fall, Yale leveraged our Phishy idea. They bought a fish costume and greeted new students at orientation. (They also created a Gil Phish Facebook page with pictures of Gil engaged in behavior that could only be described as sub-crustacean…

Building off of each others successes has enabled both universities to create innovative security awareness programs.

Facebook is an increasingly used hook in phishing attacks, report says (sfgate.com)
Phishing scam targets fast food customers (v3.co.uk)
U.S. Labor Day: phishers won’t be on holiday (sunbeltblog.blogspot.com)

11
Jul 10
1

Best Security Awareness Videos for College Students

Category:Facebook,Information Security,Infosec Communicator,Internet Safety,Social Networking,Uncategorized Tags : EDUCAUSE Internet Safety RIT security awareness video social networking

Each fall, the RIT Information Security Office provides a Digital Self Defense orientation to first year students. The session helps the students understand the information security threats they will face. We also communicate their responsibility for keeping themselves and others safe online. As you might imagine, keeping the attention of these students midway through their orientation week can be challenging. To help hold their interest, we use a number of security awareness videos in our presentation.

The list of videos below includes an amateur and professional videos and student-created entries in the EDUCAUSE Annual Security Video contest.

Video resources

Facebook Stalker
https://www.youtube.com/watch?v=wCh9bmg0zGg

The Onion: Facebook, Twitter Revolutionizing How Parents Stalk their College-Aged Kids https://www.theonion.com/video/facebook-twitter-revolutionizing-how-parents-stalk,14364/

Weird “Al” Yankovic Virus Alert
https://www.youtube.com/watch?v=zvfD5rnkTws

Identity Theft for Criminals student video
https://www.youtube.com/watch?v=agmHVBJL_fk

Check out the EDUCAUSE Video Contest Page on Facebook for more videos.

If you know of other good security awareness videos, please add a comment!

src=”https://media.theonion.com/flash/video/embedded_player.swf” type=”application/x-shockwave-flash” allowScriptAccess=”always” allowFullScreen=”true” wmode=”transparent” width=”480″ height=”430″ flashvars=”videoid=14364″>
Facebook, Twitter Revolutionizing How Parents Stalk Their College-Aged Kids

23
Jun 10
3

Is “Secure Mobile” an Oxymoron?

Category:Information Security,Infosec Communicator,mobile device,Risk Tags : Android Blackberry iPad iPhone iPod SMobile

If you haven’t noticed, mobile device use is pretty much ubiquitous. Apple iPhone/iPod/iPad, Windows Mobile, Palm, Google Android, Blackberry–all of these device families have their own Operating Systems that could be exploited by an attacker. Yet, we’re seeing more and more mobile device use in business settings.

SMobile published a white paper yesterday (6/22), Threat Analysis of the Android Market, about the ~20% of apps available from the Google Android Market that are granted permissions to potentially exploitable features/information when they’re installed. As they point out, it’s pretty easy for an attacker to encourage a potential target to install a seemingly innocent application when that application is available from the Google Market and was never vetted for security issues.

Another big issue is how easy it is to lose a mobile device. If the device is not encrypted, any confidential or private information you’ve placed on the device is at risk. If you’ve cached login credentials to your institution’s network, an attacker has easy access.

We’re working on developing mobile device security guidelines for use in accessing our university data. Because almost all devices are individually-owned and pose their own unique security risks, it’s hard to develop a one-size-fits-all policy. We’re looking at both general and device-specific guidelines.

I’ve included a preliminary draft below, parts of it based on materials developed by EDUCAUSE member institutions. What would you add or subtract? Is it a good approach?

General Guidelines for Mobile Device Use

Configure mobile devices securely. Depending on the specific device, you may be able to:
- Enable auto-lock. (This may correspond to your screen timeout setting.)
- Enable password protection.
  - Use a reasonably complex password where possible.
  - Avoid using auto-complete features that remember user names or passwords.
  - You may want to use a password safe application where available.
- Ensure that browser security settings are configured appropriately.
- Enable remote wipe options.
  - If you’re connecting to the university email with ActiveSync for email and calendaring, you may be able to wipe the email and calendaring information from your device remotely.
  - Third party applications may also provide the ability to remotely wipe the device.
- Ensure that SSL protection is enabled.
For improved performance and security, register your device and connect to the university WPA2 network where available.
Disable Bluetooth (if not needed). This will help prolong battery life and provide better security.
Keep your mobile device and applications on the device up to date. Use automatic update options if available.
Install an antivirus/security program and configure automatic updates if possible. Like computers, mobile devices have operating systems with weaknesses that attackers may exploit.
Use an encryption solution to keep portable data secure in transit and at rest. WPA2 is encrypted. 3G encryption has been cracked. Use an SSL (https) connection where available.
Take appropriate physical security measures to prevent theft of mobile devices.
- Never leave your mobile device unattended.
- Report lost or stolen devices and change any passwords immediately.
- Include contact information with the device.
  - On the lock screen (if possible). For example, “If found, please call 585-475-HELP.”
  - Engraved on the device.
  - Inserted into the case.

Know your mobile vendor’s policies on lost or stolen devices. Know the steps you need to take if you lose your device. Report the loss to your carrier ASAP so they can deactivate the device.
Use appropriate sanitization and disposal procedures for mobile devices.

Secure Mobile-an Oxymoron? (Redux) (benwoelk.wordpress.com)
How to Secure Mobile Devices (brianpennington.co.uk)

02
Jun 10
1

Choosing the Safest Browser

Category:Information Security,Infosec Communicator,Internet Safety,Uncategorized Tags : Browser Firefox Internet Explorer Internet Safety Safari

There’s always discussion among techies about which internet browser is better. Most of them end up bashing Internet Explorer. Does it really matter which browser you use?

Maybe, but not for the reasons you might think. Here’s a list of the five most common browsers, in no particular order:

Opera
Firefox
Safari
Internet Explorer
Google Chrome

Which of these browsers is the safest? The one with the fewest number of reported vulnerabilities? I asked my Cyber Self Defense class last quarter to guess which browser had the most vulnerabilities.

Here’s the order they came up with:

Internet Explorer
Safari
Opera
Firefox
Chrome

According to the Symantec 2008 Internet Threat Report, here’s the list of browsers ranked from most reported vulnerabilities to the least:

Firefox
Internet Explorer
Safari
Opera
Chrome

Is this the order you expected? Did you think that Internet Explorer would have the highest number? If we go strictly by number of vulnerabilities reported, Google Chrome would be the safest browser to use and Firefox the worst.

Another way to look at browser safety is how long it takes for a reported vulnerability to be fixed. How would you rank these same five browsers from shortest to longest patch time?

Again, the class assumed the worst browser would be Internet Explorer. However, Safari had an average “exposure” time of nine days, compared to the “best,” Firefox, which normally took only one day to patch.

Internet Explorer is attacked the most. Why? Because it’s used by the most people and provides a higher ROI for cyber criminals. Because it’s attacked the most, it MAY be safer to use a different browser. However, safer Internet browsing has as much to do with safe practice as it does browser choice. If you browse unsafe sites, you’re more likely to be attacked.

Here’s what we’re telling students, faculty, and staff at the Rochester Institute of Technology about safer internet browsing.

Browser Security

How can you tell how secure your web browser may be? Scanit’s Browser Security Test checks your browser security settings and provides a report explaining the vulnerabilities, the potential impacts, and how to correct them.

Update Regularly

It is important to keep your browser up-to-date on security patches. This can typically be done from within the browser, or directly from the vendor’s website. Check for updates at least monthly.

Anti-Phishing Tools

Internet Explorer 7.x and higher, Safari 3.2 and higher, and Mozilla Firefox 3.x and higher all provide some protection against phishing.

The Netcraft Toolbar is a browser plug-in available for Internet Explorer and Firefox. The toolbar helps stop phishing attempts by blocking known phishing sites and providing hosting information about the sites you visit.

The McAfee Site Advisor is a browser plug-in available for Internet Explorer and Firefox. The Site Advisor warns you of websites known to have malicious downloads or links by checking them against a database at McAfee.

Limited Account Privileges

Limiting account privileges provides simple but effective protection when working online. Limited accounts allow you to do most daily activities but do not allow you to install software (only accounts with administrative privileges can install software on the computer).

Many attacks take advantage of administrative privileges to install malware on your computer. If you’re using a limited account, attackers and malicious websites will not be able to install malware. (This is less of an issue with Windows 7 and Mac OS X because they ask you to confirm software changes.)

Ben

Postscript: I’ve included links below to my 6/30/11 posts updating this article.

Updated: Choosing the Safest Browser, Part One (benwoelk.wordpress.com)
Choosing the Safest Browser, Part 2 (benwoelk.wordpress.com)
Avoiding Phishing (benwoelk.wordpress.com)

25
May 10
6

On the Eve of the Latest Facebook Privacy Fix

Category:Facebook,Information Security,Infosec Communicator,Internet Safety,Privacy,Risk,Social Networking Tags : Facebook Facebook privacy Privacy Risk social networking

Facebook is releasing its latest privacy fix on Wednesday, May 26. I don’t have high expectations for the new controls as Facebook has not shown any ability to make the controls user friendly, or really understand what their users want for privacy.

A much bigger issue is that we seem to have abrogated OUR responsibility to protect our private information.

Fundamentally, information security is about managing risk. ANY involvement in social networking increases the risk of something negative happening–whether it’s loss of privacy, cyberstalking, identity theft, embarrassment, etc. It’s up to us to manage the risk. We should not expect the same amount of privacy protection from a free service that we would get from a credit card company, hospital, etc.

Although Facebook, Google, LinkedIn are all provided “free” to us, that freedom comes with a price–reduced privacy and some tracking of our web habits.

It’s up to us what we choose to share on social networking sites. We agree to EULAs (end user license agreements) that we click through to get to the “good stuff.” We blithely provide requested personal details and install apps that ask for even more and that tell us up front that they may share our information. Do you have to publish your date of birth? Hometown? 20 favorite things? (I’m just waiting for the next Facebook posting asking us, “What’s your mother’s maiden name?” and urging us to send the posting to all of our friends!)

Yes, Facebook, Google, and the other social networking applications have a responsibility to protect our information. However, WE have the responsibility to share ONLY the information we choose.

Category Archives: Information Security

Jun 10

3