View
223
Download
1
Category
Preview:
Citation preview
Fermilab Computer Security Awareness DayNovember 2012
Basic Computer Security
Why Computer Security?
Why Computer Security?
Fermilab is an attractive targetIt is constantly being scanned for weak or vulnerable
systems; new unpatched systems will be exploited within minutes.
High network bandwidth is useful for attackers who take over lab computers
Publicity value of compromising a .gov siteAttackers may not realize we have no information
useful to them
Why Computer Security?
To establish good computing habits Attacks on users (rather than systems) becoming
more frequent It is easier to trick a user than to break into a system
Why Computer Security?
Security depends on everyone, from management, to system administrators, to developers, to users, etc.As mentioned, phishing attacks are more prevalentThree DOE labs taken offline in 2011 due to phishing attacksA chain is only as strongest as its weakest link
Integrated Security ManagementPart and parcel of everything you do with computers○ Like safety, security is part of everyone’s responsibility
Not “one-size-fits-all” but appropriate for the needs and vulnerabilities of each system - in most cases, it is simply common sense + a little information and care
Spam Spam Spam
Everyone gets spam all the time In 2007, it was estimated that 85% of incoming
email was “abusive email” A 2010 survey of US and European email users
showed that 46% of recipients opened spam messages and 11% clicked on a link
From Spam to Scams
Nothing new – attempts by criminals to defraud you Direct monetary gain is primary motive Never reply to them!
Classic examples: Winning the lottery (which you never entered) Dignitary wanting to give you millions of dollars from his/her
country. Parcel mule scams
The Hitman Bribe Scam
From Scams to Phishing
One of the most common email attacks Fools user into giving up information Eventual monetary gain is a large motive but there are
others
Primary types of phishing: Harvesting information Controlling your computer via malicious links Controlling your computer via malicious attachments
Let’s take a look at some examples
Email: Phishing
Do any red flags jump out?
How about sender’s email address or what they are requesting?
Sometimes things are trickier than they seem – let’s look at another example.
Link goes to:
Email: Phishing
Phishing may be sophisticated and appear genuine: It may be addressed to specific individuals only It may be on topic with what the individuals work with The sender may be forged to appear from a coworker of those
individuals“Spear phishing”
What to do?
The purpose of sending spam or phishing generally comes down to money (now or eventually):Obtaining bank account informationObtaining login credentialsYour machine becomes compromised and becomes a
member of a botnetYour email account compromised to send more spam.
Be careful on what you click on and what you reply to!
What to do?
If after reading an e-mail you think it is a phishing attack or scam, simply delete the message. Here are some indications if an e-mail is an attack.
Be suspicious of any e-mail that requires immediate action or creates a sense of urgency.
Be suspicious of e-mails addressed to “Dear Customer” or some other generic salutation.
Be suspicious of grammar or spelling mistakes, most businesses proofread their messages very carefully.
What to do?
If a link in an e-mail seems suspicious, hover your mouse over the link. This (usually) will show you the true destination where you would go if you actually clicked it. The link that is written in the e-mail may be very different than where it will actually send you.
Do not click on links. Instead copy the URL from the email and paste it into your browser. Even better is to simply type the destination name into your browser. For example, if you get an email from UPS telling you your package is ready for delivery, do not click on the link. Instead, go to the UPS website and then copy and paste the tracking number.
What to do?
Be suspicious of attachments; only open attachments that you were expecting.
Just because you got an e-mail from your friend or coworker does not mean they sent it. Her/his computer may have been infected or their account may have been compromised, and malware is sending the e-mail to all of your friend’s contacts. If you get a suspicious email from a trusted friend or colleague, call them to confirm that they sent it.
What to do?
Ultimately, using e-mail safely is all about common sense. If something seems suspicious or too good to be true, it is
most likely an attack. Simply delete the e-mail.
What to do?
Fermilab personnel will NEVER ask you for your password.
Most outside companies/services should NOT as well.
Social Engineering
Not every method to give up electronic data is electronic.
Phone calls
In personOr physical media
One more thing about personal info
Protecting Personal Information at Fermilab course
If you handle Personally Identifiable Information, you may need to take Advanced PII course
Be cognizant of how personal, sensitive, or financial information is being transmitted (e.g., general email, etc.)
Browsing the web
We know that clicking a link in an email can be bad – this applies to general web browsing as well.
The primary difference is how an attacker might target you.
Browsing the web
Use a modern browser on a current operating system
Since many use a web browser to read email, the same rules apply (e.g., be suspicious of attachments, etc.)!
Don’t click on pop-up advertisements Be careful of web sessions involving personal
or financial data.
Browsing the web
Use common sense … Watch where you browse (note the “web
environment”). Be extra careful if you have administrative
privileges.
Browsing the web
What happens if you see the following screen when browsing the web at Fermi?
Browsing the web
Please do not click on Accept! Contact the Service Desk if you feel this is in
error.
If you see a similar message pop up on your machine by itself without having clicked on anything, please contact the Service Desk.
Incidental Computer Usage
Fermilab permits some non-business use of lab computers
Guidelines are at http://security.fnal.gov/ProperUse.htm
This is pretty much common sense
The top 10 worst Internet passwords:
Source: Splashdata
Passwords When you are typing a password for some reason (e.g.,
logging in to a service) – ask yourself what does this have access to?
2012 was a year for major password breaches: LinkedIn eHarmony LastFM Formspring
What if you used the same passwords everywhere?
Passwords
Always choose a complex passwordThe lab has a password policy that’s enforced, so it’s
difficult to choose a weak Fermi password, however:
Differentiate your passwords – don’t use the same passwords for Fermi services as personal services.
Fermi’s Kerberos, Windows, and Services passwords should all be different as well.
Change them periodically (yes, even passwords to personal accounts).
Fermilab and Central Authentication
All use of lab computing services requires central authentication
Avoid disclosure of passwords on the network No network services (logon or read/write ftp) visible on
the general internet can be offered with out requiring strongest authentication, currently Kerberos (unless a formal exemption is applied for and granted)
Kerberos provides a single sign in, minimizing use of multiple passwords for different systems
Lab systems are constantly scanned for violations of this policy
Remember:
Fermilab personnel will NEVER ask you for your password.
Most outside companies/services should NOT as well.
What happens if you notice a Computer Security incident?
Mandatory incident reportingReport all suspicious activity:○ If urgent to the Service Desk, x2345, 24x7○ Or to system manager (if immediately available)○ Non-urgent to computer_security@fnal.gov
Incidents investigated by Fermi Incident ResponseNot to be discussed!
Fermi Incident Response
Investigate (“triage”) initial reports Coordinate investigation overall Work with local system managers Call in technical experts May take control of affected systems - for an
undetermined amount of time Maintain confidentiality
Perimeter Controls
Certain protocols are blocked at the site border (email to anything other than lab mail servers; web to any but registered web servers; other frequently exploited services)
Temporary (automatic) blocks are imposed on incoming or outgoing traffic that appears similar to hacking activity; these blocks are released when the activity ceases (things like MySpace and Skype will trigger autoblocker unless properly configured)
Patching and Configuration Management
Baseline configurations exist for each major operating system (Windows, Linux, Mac)
All systems must meet the baseline requirements and be regularly patched (in particular running an up-to-date supported version of the operating system) UNLESS:A documented case is made as to why the older OS version
cannot be upgradedDocumentation exists to demonstrate that the system is
patched and managed a securely as baseline systemsAll non essential services (such as web servers) are turned
off All systems with Windows file systems must run anti virus Your system administrator should take care of this for your
desktop
Critical Vulnerabilities and Vulnerability Scanning
Certain security vulnerabilities are declared critical when they are (or are about to) being actively exploited and represent a clear and present danger
Upon notification of a critical vulnerability, systems must be patched by a given date or they will be blocked from network access
This network block remains until remediation of the vulnerability is reported to the TISSUE security issue tracking system (as are blocks imposed for other security policy violations)
Prohibited Activities
“Blatant disregard” of computer security Unauthorized or malicious actions
Damage of data, unauthorized use of accounts, denial of service, etc., are forbidden
Unethical behaviorSame standards as for non-computer activities
Restricted central servicesMay only be provided by approved service owners
Security & cracker toolsPossession (& use) must be authorized
See http://security.fnal.gov/policies/cpolicy.html
Activities to Avoid
Large grey area, but certain activities are “over the line” –IllegalProhibited by Lab or DOE policyEmbarrassment to the LaboratoryInterfere w/ performance of jobConsume excessive resources
Example: P2P (peer to peer) software like Skype and BitTorrent: not explicitly forbidden but very easy to misuse!
Questions?
nightwatch@fnal.gov for questions about security policy
Computer_security@fnal.gov for reporting security incident
http://security.fnal.gov/
Recommended