Monday, December 2, 2013

Chapter 6 Workplace Security

My workplace physical security includes an alarm which needs to be disarmed by the first person entering the building who has a pass-code and re-set by the last person leaving for the night who also has a pass-code. There is also a second door which is permanently locked which does not require a pass-code but if you don't have your key, you will have to wait for someone to let you in. Both doors use a deadbolt lock. I learned that there are 9 steps to achieve best security which include: inspect all locks on a regular basis, issue keys only to authorized persons, keep records of who uses and turns in keys, and keep track of keys issued with their number and identification for both master keys and duplicates. I am one of the people who has a pass-code to disarm the alarm and am almost always the one who disarms the alarm every morning. I know my office follows most of the steps to achieve best security.

In addition to deadbolt locks, there is something called a cipher lock which I have never heard of. These are locks using buttons that must be pushed in the proper sequence to open the door. A cipher lock can be programmed to allow a certain person's code to be valid on specific dates and times. I found that to be very interesting and a smart way to control access. The downside is somebody could be looking over your shoulder so a person would need to be careful to conceal which buttons are being pushed. 

In past jobs I have used an ID badge with a bar-code to swipe my way through a secured entrance. I learned that the ID badge is a type of physical token. At another company I worked for, I used an ID badge that could be detected by a proximity reader which meant I only needed the badge to be in my purse and as soon as it was detected by the reader I was allowed entrance into the building. In my current job, I must use a personal identification number and a password to clock in when I arrive to work, and clock out when I leave for the night. This is called multifactor authentication. I also use multifactor authentication when logging onto the network and the mainframe.

I learned about the various aspects of security policies. My company's security policy seems to be basic but effective. It's somewhat restrictive as it blocks certain websites and content such as YouTube and Facebook. We do not have authorization to install or update software. We have access to areas of the network that enable us to do our jobs and nothing more. Emails are supposed to be business only but everybody uses them to send personal messages outside of the company. There is at least one person I work with that spends too much time surfing the internet that is not business related which is frowned upon by the security/internet policies. We are expected to use the company's computers strictly for business purposes and that all information is confidential and to be handled as such. We are required (actually we are forced) to change our passwords to the network and to the mainframe every 60 days. Our textbook describes several other policies such as acceptable encryption policy, automatically forwarded email policy, server security policy, and wireless communication policy to name a few. The wireless communication policy defines standards for wireless systems used to connect to the organization's networks.

I learned that there are best practices for access control which are procedures rather than part of a technology. These procedures can be used to limit access control. They include separation of duties, job rotation, mandatory vacations, and the principle of least privilege. Following these procedures can prevent workplace fraud.

The most interesting part of the chapter was the section on computer forensics. Computer forensics uses digital technology to search for evidence of a crime, and can attempt to retrieve information from digital devices even if it's been altered or erased that can be used in the pursuit of the attacker or criminal. It is very interesting that according to the FBI, 85% of crimes committed today leave behind digital evidence that can be retrieved through computer forensics!



 

Sunday, November 24, 2013

Chapter 5 Mobile Security

I found chapter 5 to be the most interesting so far. I have a couple of mobile devices, and a wireless network but I had no idea what I can do to make them more secure. This chapter gave me the tools to make them more secure.

I learned that attacks against home Wi-Fi networks are relatively easy. There are three primary reasons: the signal can be picked up outside the building, users are unaware of how to configure the router's security, and some users consider Wi-Fi security an inconvenience. WOW, I really do not understand why some users would consider security an inconvenience, especially if you use your computer to do business. What bothers me most is an attacker could possibly be reading my wireless transmissions which include usernames, passwords, credit card numbers, and other information I send over the network. All routers come with a default password which is usually the word 'password'. I had replaced that with a strong password when the router was first set up. I also have remote management turned off which adds a stronger degree of security. I learned that WPA2-PSK (AES) should be selected and I discovered that my router was set to 'none'. So, I turned on the WPA2-PSK (AES) with a passphrase (key value). I learned that key values should be at least 20 characters in length because of the damage that can result from a key value being cracked by an attacker.

I am always taking advantage of free Wi-Fi in restaurants and other places but I never use those services for sensitive transactions. It's always to play a game or check my email or text messages. One needs to use the public Wi-Fi with caution because the signals are rarely if ever encrypted. I never use my devices to make purchases unless I am on my home network and I rarely use them to do that. I prefer to use my desktop computer for online purchases.

I learned that tablets and smartphones have increasingly been the target of attackers. This can be done through an infected app, downloading from an unofficial app store, connection to another computer, email attachments, and attacks through networks. To make my smartphone more secure, I installed an anti-virus software which includes settings for remotely wiping the contents of the device if it is lost or stolen. I have not installed anti-virus on my tablet but I will be looking into this very soon. I don't use my tablet to check my email like I do with my smartphone. I also learned that disabling Bluetooth on my smartphone and tablet will prevent bluesnarfing. Bluesnarfing is an attack that accesses unauthorized information from a wireless device through a Bluetooth connection.
 

Monday, November 18, 2013

Chapter 4 Internet Security

Chapter 4 discusses the various security risks that users face from using the internet. While there are a plethora of risks, I will discuss what stood out for me from reading the chapter. 

One of the security risks is what is called 'drive-by downloads'. I know enough not to download suspicious software but I had no idea that just by viewing a website that I could become infected with malware. I learned that CNET.com, ABC News' homepage, and Walmart.com have all at one time or another been infected with drive-by download malware. So, just by visiting a well-known and trusted website I could become infected with malware which will (if all works according to the attacker's plan) automatically download, install and execute on my computer without my knowledge. One way to defend yourself against this attack is to set up browser security zones which can be found in the Internet Explorer's web browser. I use Firefox which doesn't use security zones, however I also use Norton's Security Suite which does have other security settings for browsing safely. One of the assignments this week was to use IE to create security zones for web surfing and to place the sites that I visit into the zones. It was easy enough to do but I didn't see much difference whether I used them or not. Perhaps I don't fully understand how it works, or perhaps it's just not 'all that'? While I love all the security settings found in IE, I just don't care for the browser so I rarely use it.


Another type of attack comes from what is called mobile code. I have heard of JavaScript, Java and ActiveX but I did not know these types of programming instructions are called mobile code. I learned that you can disable these codes from running by disabling them in the browser settings but if you do that, some pages may not look right or function the way they were designed. The text says you can restrict mobile code so that it must prompt the user before the code runs...I like that idea.

One of the more common ways to become a victim of an internet attack is through email which includes spam, malicious attachments, and embedded hyperlinks. Embedded hyperlinks are used to "trick" users to the attacker's website. Easily done since all that is needed is a hyperlink that displays words instead of the URL which is embedded within the text. I personally use a spam filter in my email and I know my ISP also stops spam from reaching my computer. Most of the so-called spam that makes it through isn't actually spam...they're legitimate emails that I signed up to receive from websites that I trust! The true spam gets deleted immediately or added to the block list. I wasn't aware that using the reading pane is a way to safely view messages because malicious scripts and attachments are not activated or opened automatically in the reading pane. I have always disabled the reading pane simply because I never liked the way it took up extra space or the way it looks, however, after learning how it's a way to defend against attacks, I will begin using that feature.
 


Monday, November 11, 2013

Chapter 3 Computer Security

Chapter three was very interesting and informative. One can never read or learn enough when it comes to computer security, preventing viruses and a host of other types of attacks against personal computers. Of course I knew about viruses, worms, malware, spyware, etc. I learned there are two types of malware: viruses and worms. I also learned that there are several ways a virus can infect one's computer: appender infection, swiss cheese infection, program virus, macro virus. I am more familiar with the program virus which is a virus that infects a program's executable file. Likewise, I've heard much about the macro virus. About 18 months ago I started having problems with my computer after I opened an email from a trusted friend sharing files that were of interest to me that were originally downloaded using a torrent website. When I tried to run the executable for the first file, I got a warning that proceeding could seriously harm my computer. I didn't 'listen' and proceeded with the install. I immediately started having hard disk errors and random reboots which quickly became worse to the point where I ended up backing up my data and replacing the drive. This was after I tried all the various ways to repair the disk by running disk defrag, check disk, disk clean up etc. Check disk found errors that it could not repair. I also ran a Seagate utility that could not read my disk, so that wasn't a good sign (the hard drive was a Seagate model). My class instructor at the time this happened suspected malware caused this and there wasn't much I could do to save the drive as I did everything I could. Meanwhile, I learned a valuable lesson and will never again ignore any pop up warnings in the future.

One of the types of malware that concerns me more than others is the rootkit. The textbook describes this as a set of software tools that an attacker uses to hide the actions or the presence of other types of malware. The textbook says that the user and the operating system do not know that it is being compromised and is carrying out what it thinks are valid commands. In other words, it gains administrative access to the computer. What the heck? How do you detect such a thing? One of the projects assigned this week was to scan for rootkits. I downloaded, installed, and ran a program called Kaspersky's TDSSKiller. The program did not detect any rootkit threats which is good, but what if it did? I shudder to think about that. I guess if it ever does happen, I'll cross that bridge if I need to. The internet is full of advice on how to remove a rootkit from a Windows system.

Another project assigned to our class was to create a disk image backup. This is one of the best defenses against attacks. I have been meaning to purchase an external hard drive for the longest time but kept putting it off. I backed up data files to DVDs, CDs, and flash drives, but never have I created a disk image to restore Windows should some moron manage to infect and wreak havoc on my system. Soooo, I went out and bought an external drive and am so glad I did! After I created the disk image backup, I felt as if a brick had been lifted from my shoulders. I can now run regular backups and have plenty of space on the device to do this for years (providing the device does not stop working or become damaged of course). I have a point of restoration that I can trust should something bad happen...but hope I never have to use it. In addition to this type of defense I also stay current with Windows security patches, run a program called Malwarebytes on my computer in addition to Norton's Security Suite which includes a firewall, antivirus, etc. Windows, Malwarebytes, and Norton's are each set up to automatically download and install all updates. Next week's chapter is Internet Security. Looking forward to learning about this.

Monday, November 4, 2013

Chapter 2 Personal Security



This week’s chapter was about personal security. The chapter started out with a discussion about passwords. Passwords are subject to a variety of attacks. Most of us have multiple passwords for a variety of online accounts ranging from email, social networking sites, financial sites, work, etc. It is difficult to remember and keep up with the growing list let alone trying to make them strong and safe to use. I know what makes a strong password but I am guilty of not following all of the recommendations to make them stronger and more secure. One of the projects assigned this week to our class was to test three different passwords using three different online password testing services. Generally my passwords are strong but they could and should be made stronger by adding a variety of symbols. Another assigned project involved speaking with three of my friends about their passwords and to try and convince them to make them stronger. All three agreed with me but were reluctant to mess with what works for them. At least one of my friends regularly changes her password to her email every month. This is a result of her account being hacked into and used maliciously by the attacker. However, changing her password so frequently is in fact one of the ways to keep her email account safe. None of my friends were interested in using a password management tool for the reason that they do not trust them. I have to agree with this since it seems risky to keep your passwords online … if an attacker can hack into the United States Government’s website, then how on earth can I trust a password management tool to keep my passwords guarded and safe?



I learned about Social Engineering attacks which don’t rely on technology but instead rely on gathering information for an attack by manipulation and psychological approaches. Examples would be asking for small bits of information from several people about one person…not too much to draw attention or suspicion. Using flattery to ‘soften’ up the person to gain their confidence in order to gain the information sought. Playing dumb can also be a way to gather information and to gain the trust of the person. Usually when someone asks me about someone else, I turn the tables and play dumb claiming I do not know. I’m instantly suspicious anytime someone asks me something out of the clear blue sky OR asks a family member something ‘odd’ in my presence. I cannot tell you how many times the family member freely gives away information without thinking! After it’s said and done, I confront this family member with what they did and they’re always surprised. I’ve asked them to be less trusting and to give away nothing to people whom they are not close with.

 

I’ve heard of impersonation, phishing, and hoaxes. I wasn’t aware of the variety of phishing attacks, but I never open any email I wasn’t expecting and have turned in what appeared to be phishing emails to eBay in the past. I just talked to my husband regarding the shoulder surfing method of someone trying to get your ATM PIN number. I’ve asked him to immediately stop what he’s doing at these machines if there is anyone behind him. Let them go first and move in to do his transaction later. Likewise, there is no way shoulder surfing is going to happen with me!! I’ll turn around and ask the person if they would like to go first and then move out of their way. Identity theft is a big concern of mine. It has happened to one of my friends but it was caught very quickly and nipped in the bud before too much damage happened. Avoiding identity theft requires some common sense such as shredding financial documents, don’t carry your social security number in a wallet or write it anywhere (like on a check), don’t give personal info over the phone or by email, keep personal info in a secure location, be alert to any unusual activity with any of your financial accounts. All of these steps I do practice, but one must not become complacent! It requires constant monitoring and acting right away when something doesn’t appear as it should.



 

Thursday, October 24, 2013

Chapter 1 Introduction to Security



I've read chapter 1 "Introduction to Security" and found myself both fascinated and horrified by the challenges of securing information. I've never been one to shy away from ordering products and goods over the internet and am careful to check that the purchases are done on secure web sites. However, as a result of reading this chapter I found myself a lot more leery of making online purchases. Why would anyone care to break into my personal computer? I don't store valuable information on it and I don't store my payment information on my favorite web sites where I make frequent purchases. However, having said this I make most of my purchases using my bank issued debit card which can also be run as a credit card. I rarely use cash and I don't use any other form of payment. One of my concerns is someone stealing my info at the point of purchase. How does this get prevented? Makes me want to go back to cash only which is how I used to pay for my purchases. No matter what you do to keep your data secured you’re never truly safe from the morons wanting to steal your money and personal information. I’ve learned that there is no single simple solution to security. We can block attacks, update defenses, minimize losses in the event of an attack, and send secure information by scrambling the data so the unauthorized cannot view it.

 

One of the projects our class was assigned was to examine data breaches at the Privacy Clearinghouse (PRC) web site. I have never heard of this site, but am very glad to have learned about it from this project. It is mind boggling and overwhelming the number of breaches made public for all types of organizations. I plan to make use of this site frequently to monitor breaches. Another project involved using an analyzer to analyze EULAs for various software such as Windows Professional and Excel. Who actually reads the EULA before installing the software? I know I am guilty of NOT doing this. I need this software so I can work, so why bother to read it? I was a little surprised by the results of the analysis pertaining to tracking & monitoring. In one instance Microsoft wants to determine whether my computer is connected to a network by either passive monitoring of network traffic or active DNS or HTTP queries. Um....what does that mean exactly? I found that confusing. On the other hand, I don't mind that Microsoft wants to monitor by using information it collects through the software features to upgrade or fix the software & otherwise improve the products & services. Like I said, I need the software, so I agree to the EULA without reading so whatever it says for good or bad is a risk in itself.


I've never heard of hacktivists and script kiddies, but now I know what that means. Hacktivists remind me of little children who don’t get their way so they throw a fit by attacking the entity (a web site) that upsets them. How mature! Script kiddies are those who break into computers but lack the knowledge of how to do this so they purchase the software from devious individuals who have this knowledge all in the name of making your life a living hell. Again, how mature. Don’t these people have better use of their time than to mess with your life? The very idea of attacking medical devices almost made my heart stop (sorry no pun intended). Recently I read a story where the former vice-president of the United States, Dick Cheney, was fearful that terrorists could hack into the heart defibrillator implanted into his heart thus shocking him into a cardiac arrest. I remember thinking he may be overreacting. So right there in chapter 1 it talks about medical devices possibly becoming the next target of terrorists. From what I understand, Cheney's doctors had the wireless device deactivated to prevent anyone from sending a signal to the device to cause a cardiac arrest. He wasn't overreacting at all and I've been 'schooled'. If it's electronic, you bet it can be attacked to cause more trouble than you and I will ever need.

 

I have three main electronic devices that I use: a personal computer, a tablet (iPad), and an Android smart phone. I know more about how to keep my personal computer secured (and obviously there is always more to learn) but I really have no idea what I can do to protect my phone and tablet other than turn off or enable certain features that pertain to security. Hopefully through this class I will learn how to make those devices more secure, and to share my knowledge with others. Super glad I signed up for this course.