Sunday, 29 April 2012

Information Security Awareness


A virus or worm is a program which will perform an unauthorized activity on your computer.
• Virus - Needs a carrier and a user interaction.
• Worm - Does not need a carrier and requires no user interaction.
A zombie is a computer infected by a virus or worm under the control of the attacker.

Virus, Worms and Zombie Propagation

Worm Propagation "Witty Worm"

Zombie Networks

Zombies for Sale

Anti-virus
An anti-virus is a program that will ensure protection against viruses and worms.
Anti-virus requires an updated database of definitions to provide maximum protection.

Antivirus Update
In the corporate or SMB arena, these updates are managed and centralized by IT Systems. Individuals who use AV (anti-virus) and AS (anti-spyware) personally should make sure that the auto-update schedule is enabled so that the latest virus definitions are installed on their machines. It's always a best practice to check the date on which the virus definitions were last updated.

Patching
Patching is the process of updating the operating system and software to provide additional protection over and above an anti-virus.
Do not forget to patch your other applications, e.g., Yahoo Messenger, Skype, Adobe Acrobat Reader, Adobe Flash Player, etc.

Email Spam & Phishing
Email spam is unwanted email. It generally advertises medical products like Viagra or illegal sites and services.
Main concerns:
  • Consumes bandwidth
  • Clogs the email system
  • Users need to process more emails
  • Causes embarrassment to the user
Never reply to such emails. If you read the contents carefully, the message itself is the answer: it looks weird. These emails normally ask for your password and other personal details, so never disclose your password (for official or bank accounts) to anyone. Take it for granted that such emails are spam or phishing scams. Just ignore them and delete them from your inbox and from your deleted items.

Phishing
Phishing, also referred to as brand spoofing or carding, is a variation on "fishing," the idea being that bait is thrown out with the hopes that while most will ignore the bait, some will be tempted into biting.
Phishing is the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user's information.
Example of a phishing email message

Protection against Spam
*Subscribe to secure and trusted mailing lists
*Do not use your office email address to subscribe to mailing lists
*If unsure, use "disposable accounts"
*Do not participate in chain emails. Chain emails are a method for spammers to harvest email addresses.
*Never reply to a spam email. Replying to a spam email confirms the existence of the target.

Good Email Housekeeping Practice
*Try not to keep big attachments in your email. They fill up your mailbox and slow down the system
*Instead, try keeping the document on the Intranet and sending the link in the email
*Organize your emails in a structured way for easier reference
*You can create folders and subfolders in your email box and store the related emails therein

Spyware and Adware
Spyware/adware is a program which gets installed on a user's computer without the user's knowledge. Such installations occur when a user simply visits a website.
Such programs:
*Gather information about the user's behaviors/ patterns/ personal data
*Are used to send targeted advertisements
*Consume the user's bandwidth and resources

Spyware/ Adware Protection
*Make use of an anti-spyware program
*Do not visit untrusted websites
*Do not install freeware or shareware software you cannot trust
*Spyware also gets installed from online gaming websites

Identity Theft
Identity theft is a type of attack where someone's identity is impersonated. For example, an email from a.xyz@xyz.com
Protection against identity theft includes:
*Implementation of digital certificates
*Wise use of credit cards online (use Internet Credit Cards, or cards with a limit and/or subscribe with your bank for sms alerting)
*Be careful when subscribing to online services

Dangers of Messengers
*Messenger accounts (e.g., Yahoo, MSN, etc.) get hijacked.
*Users lose control of their account
*Users get infected while using messengers
*Two main types of attacks:
    *Brute force attack on account password – The attacker will try combinations of passwords until he succeeds
    *Cross-site scripting – The attacker will send a link or a file and get the user to click on the link or open the picture
*Seeing a person's camera on messengers does not mean it's him/her.

Social Engineering
Social engineering is a special type of attack where the attacker uses his social skills to extract information from the target.  There is generally no technology involved in such attacks.
How to protect against social engineering?
*Never give away your personal information to someone whose identity you cannot verify.
*Never give away your password to anyone (including IT)

Social Networks
Social networks like "Facebook", "Twitter" and "Orkut" play a big role in social engineering attacks and are a great help to them.
*Be careful of what information you share online
*Verify your privacy settings carefully as you may be sharing all your contacts and personal pictures with the whole world
*Never discuss any work related issues with colleagues over social networks
*Applications (like the Facebook applications) serve as a launch pad for infecting computers or hijacking accounts
"Please rob me", a Dutch website, identified empty houses based on what people post on "Twitter".
"Social networking sites are meant to get as many users in one place as possible on one platform, and for attackers there's a lot of return-on-investment in going after them," Moyer (a security expert) said, describing the climate as a perfect storm of social engineering and bad programming.

Recent Internet threats

Man in the Browser Attack (MitB)

How bad can it get?

Feb 10, 2010
Identity theft and fraud have ruined Dave Crouse's life.
In fewer than six months, some $900,000 in merchandise, gambling and telephone-services charges were siphoned out of his debit card. His attempts to salvage his finances have cost him nearly $100,000 and have bled dry his savings and retirement accounts. His credit score, once a strong 780, has been decimated. And his identity -- Social Security number, address, phone numbers, even historical information -- is still being used in attempts to open credit cards and bank accounts.
March 20, 2012
Eight online banking scammers arrested in Russia
The Russian Federal Security Service (FSB) arrested eight hackers who allegedly stole $4.5 million in the last quarter alone using an online banking Trojan, security analyst firm Group-IB said.
The Carberp Trojan would nestle itself in computers using various browser vulnerabilities, including Java and Flash browser plug-in flaws. Once inside, the Trojan would launch a so-called man-in-the-browser attack. Carberp placed itself in the browser, and was used to run a protocol sniffer, detecting passwords and log-in credentials.

Wireless Insecurity
Wireless connectivity is a predominant method of network communication in the current age. However:
*Be wary of free insecure wireless hotspots, especially in hotels, airports and cafés. There are "Rogue Hotspots" out there.
*Traffic on unsecured wireless networks can be "sniffed". Passwords and personal details might be captured.
*Ensure that your home wireless network is secured (by using encryption – WEP, WPA, etc). Why?
  **[Imagine someone parked in front of your house and used YOUR Internet connection to attack a bank.]


