Security & Privacy

=Security and Privacy=

* Data and information are everywhere
* Attacks are becoming more widespread
* Both “hacking” and social engineering
** “Fill out this credit card application and we’ll give you a free t-shirt!”
** Take this Facebook quiz to find out which HIMYM character you’re most like; just click “accept”!
** Clickjacking, like-farming

=IT Security=

* Goal: to prevent and detect unauthorized actions by users and non-users of systems
* How is it achieved?
** Security principles / concepts, which guide information system design and development
** Security mechanisms, which secure existing information systems
** Physical and organizational security; policies help ensure security

=IT Security: Three Main Components=

Three main components of computer and information security (the “CIA triad”):
* Confidentiality: prevent unauthorized disclosure
** Privacy, secrecy
** Mechanisms: Secure HTTP (HTTPS), PGP, SSH, IPsec
* Integrity: prevent unauthorized modification
** Access control to stop modification up front; cryptographic hashes, MACs and digital signatures to detect it after the fact
* Availability: prevent unauthorized withholding of service
** Uptime, 24/7, DDoS prevention

Note that confidentiality does not give you integrity for free: an attacker who cannot read an encrypted message can often still alter it undetected, so integrity needs its own check.
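To make the confidentiality-versus-integrity distinction concrete, here is an added example (not part of the original notes) in Python. The cipher is a deliberately toy XOR stream cipher keyed with SHA-256 in counter mode, used only to show that encryption alone is malleable; the integrity check is standard HMAC-SHA256 from the stdlib. The keys, nonce and the “PAY amount=…” message are constructed for the demo.

```python
"""Confidentiality is not integrity: an encrypted message still needs a MAC.

Added example, not from the original notes. The "cipher" is a deliberately toy
XOR stream cipher whose keystream is SHA-256 in counter mode; it exists only to
show that encryption alone is malleable and must not be used for real data.
The integrity check is standard HMAC-SHA256 from the Python stdlib.
"""
import hashlib
import hmac
from typing import Optional, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: concatenated SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream. Decryption is the same operation."""
    return bytes(d ^ k for d, k in zip(data, _keystream(key, nonce, len(data))))


toy_decrypt = toy_encrypt


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker side: with a stream cipher, knowing the plaintext at `offset`
    lets you rewrite it without the key, since C XOR old XOR new decrypts to new."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = toy_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> Optional[bytes]:
    """Verify the tag in constant time before decrypting; None means 'reject'."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return toy_decrypt(enc_key, nonce, ct)


def demo() -> dict:
    # Constructed fixed keys and nonce so the run is reproducible; real code
    # would draw keys from os.urandom and never reuse a nonce under one key.
    enc_key, mac_key, nonce = b"K" * 32, b"M" * 32, b"\x00" * 12
    msg = b"PAY amount=0100 to=alice"
    ct, tag = seal(enc_key, mac_key, nonce, msg)

    # The attacker cannot read the ciphertext but knows the message layout.
    forged = tamper(ct, msg.index(b"0100"), b"0100", b"9999")
    return {
        "decrypt_only": toy_decrypt(enc_key, nonce, forged),              # b"PAY amount=9999 to=alice"
        "mac_checked": open_sealed(enc_key, mac_key, nonce, forged, tag),  # None: tampering detected
        "genuine": open_sealed(enc_key, mac_key, nonce, ct, tag),          # the original message
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The same bit-flipping works against any unauthenticated stream cipher, including real ones such as RC4 or AES-CTR; the point is that the HMAC (or an AEAD mode such as AES-GCM) is what makes the receiver notice.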

=IT Security: Other Factors=

Other factors:
* Accountability: audits, access control, logging
* Reliability: how reliable is the system?
* Dependability
* Survivability and disaster recovery: unexpected shutdowns, power outages, etc.

Security is a balance:
* Policies can interfere with work practices
* Security requires additional IT and financial resources
* Security should be at the forefront, but in practice it is a trade-off against cost and usability

=Asking the Right Questions=

* Should protection focus on data, operations, or users?
* At what level(s) or layer(s) should we place security?
* Should security control tasks be given to a central entity (e.g. the IT dept.), or left to individual people or departments?
* Who controls security policy?

=Hardware Security=

* Hardware is more visible to criminals
* Easy to add, remove, change or control hardware
* Can intercept or flood network traffic
* Physical security is the primary control

=Software Security=

Interruption or deletion: surprisingly easy!

Modification:
* Logic bomb: code that triggers a failure or malicious action when certain conditions are met
* Buffer overflow: writing more data into a buffer than it can hold, so that attacker-supplied input overwrites adjacent memory (such as a return address) and the attacker’s data ends up being executed as code
* Viruses: malicious code that spreads itself by attaching to other programs
* Worm: self-reproducing code that spreads on its own, not attached to programs
* Spyware: unwanted code installed without informed consent that covertly collects information about you; the related adware bombards you with ads and can slow down or disrupt your computer
* Trapdoor / backdoor / security hole: an undocumented entry point that bypasses normal authentication

Interception or theft: unauthorized copying of software or data (a question of authorization, distinct from the file-sharing mechanism such as torrents that may carry the copy)

=Information Security=

Social engineering:
* Manipulation of people through social factors to perform actions or divulge confidential information, compromising IT security
* Examples: phishing, impersonation
* War-driving (scanning for open or weakly protected wireless networks) is often listed alongside these, but it is technical reconnaissance rather than social engineering

Encryption:
* Encoding information such that only those with a given “key” can decode it
* PGP, PKI (the certificate and key-management infrastructure that encryption relies on), VPNs

=Internet Security: VPNs=

Virtual Private Network:
* Allows for private communications over public networks (such as the Internet)
* Secured through authentication, encryption, and tunneling protocols
** Tunneling protects traffic from being read by others on the path
** The tunnel is what gives VPNs their “virtuality”
** IPsec (IP Security), SSL/TLS, and other protocols
* Caveat: a VPN protects traffic only between its two endpoints; once traffic leaves the VPN gateway it is as exposed as any other traffic, and the gateway operator can see it

=Protecting Security=

Basics: firewall, anti-virus, anti-spyware, patches, strong passwords, backups
* Password guidelines vary, but commonly include:
** At least 12-14 characters
** Randomly generated, if feasible (which in practice means using a password manager)
** Avoid dictionary words, names, ID numbers, etc.
** Use mixed case, symbols, numbers
** Don’t use the same password for everything!
** Change it often (caveat: current NIST guidance in SP 800-63B advises changing a password when there is evidence of compromise rather than on a fixed schedule, since forced rotation tends to produce weaker, predictable passwords)

=Protecting Security: Risk Assessment=

Risk Assessment:
* Identify business assets of relevance
* Identify risks to security and privacy
* Identify impacts to the business
* Associate risks, assets, and impacts
* Recommend actions that can be taken

FSU Information Technology Services on [|IT Security at FSU]

=Security: More Information=

Security news sources:
* Sophos’s [|Naked Security] blog
* SANS [|Internet Storm Center]

CERT: Computer Emergency Response / Readiness Team
* [|http://www.us-cert.gov]

Certified Information Systems Security Professional (CISSP)
* [|https://www.isc2.org/cissp/default.aspx]

LIS 4774 Information Security
* Offered fall semesters with Dr. Shuyuan Mary Ho

=Types of WiFi Security=

WEP - Wired Equivalent Privacy: 40- or 104-bit RC4 keys (marketed as 64/128-bit including the 24-bit IV), outdated, __easy to hack__: the key can be recovered from a few minutes of captured traffic, so WEP should be treated as no protection at all. WPA - Wi-Fi Protected Access: an interim fix using TKIP (still RC4, 128-bit per-packet keys) with a 256-bit pre-shared key derived from the passphrase; more secure than WEP but also deprecated. __Best option among these: WPA2 with AES-CCMP.__ The “256-bit” figure refers to the pairwise master key derived from the passphrase and SSID; the AES cipher key itself is 128 bits. Caveats: WPA2-Personal is only as strong as its passphrase, because anyone who captures a handshake can test guesses offline, and WPA3 (whose SAE handshake is designed to resist exactly that offline guessing) is the current recommendation where the hardware supports it.
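The following added example (not from the original notes; Python, stdlib only) shows where the 256-bit WPA/WPA2-Personal key actually comes from and why the password guidelines above (length, randomness, no dictionary words) matter for Wi-Fi: the pairwise master key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes, exactly as IEEE 802.11i specifies, so an attacker can redo that computation for every guess. One simplification is assumed: a real attacker checks guesses against the MIC of a captured 4-way handshake, whereas here the guess is compared straight to the PMK to keep the demo self-contained. The wordlist and the “strong” passphrase are constructed.

```python
"""WPA/WPA2-Personal: deriving the 256-bit PMK from a passphrase, and why a weak
passphrase is crackable offline.

Added example, not from the original notes. The derivation is the real 802.11i
one (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output). The
attack is simplified: guesses are compared directly to a PMK, where a real
attacker would verify each guess against the MIC of a captured 4-way handshake.
"""
import hashlib
from typing import Iterable, Optional


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK as IEEE 802.11i specifies.

    Known test vector from 802.11i Annex H: passphrase "password", SSID "IEEE"
    -> f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def dictionary_attack(target_pmk: bytes, ssid: str,
                      candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing: redo the derivation for each candidate.

    Each guess costs 4096 HMAC-SHA1 rounds, which slows a single guess but does
    nothing against a passphrase that appears in a wordlist.
    """
    for guess in candidates:
        if not 8 <= len(guess) <= 63:
            continue  # cannot be a valid WPA passphrase, skip it
        if wpa_psk(guess, ssid) == target_pmk:
            return guess
    return None


# Constructed wordlist standing in for a real one (e.g. a breached-password dump).
SAMPLE_WORDLIST = [
    "letmein1", "password", "iloveyou", "sunshine",
    "Tr0ub4dor&3", "correcthorsebatterystaple",
]


def demo() -> dict:
    ssid = "IEEE"
    weak_pmk = wpa_psk("password", ssid)
    strong_pmk = wpa_psk("9vQ#m2Lp!xR7$kWe", ssid)  # constructed random 16-char passphrase
    return {
        "weak_cracked": dictionary_attack(weak_pmk, ssid, SAMPLE_WORDLIST),      # "password"
        "strong_cracked": dictionary_attack(strong_pmk, ssid, SAMPLE_WORDLIST),  # None
    }


if __name__ == "__main__":
    print(wpa_psk("password", "IEEE").hex())
    print(demo())
```

Because the SSID is the salt, a network with a common default SSID is exposed to precomputed tables as well; a unique SSID forces the attacker to start from scratch, and a long random passphrase makes that start pointless.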

=VPNs=

VPNs - Virtual Private Networks: allow for private communication over public networks or the Internet. Secured by authentication, encryption and tunneling. __Tunneling__ is what allows VPNs to exist: it wraps the private traffic inside packets that cross the public network, and the encryption applied to the tunnel protects that traffic from being read by other users.

Benefits of a VPN include extending an organization’s network across multiple geographic areas without needing a dedicated physical line, along with improved security and flexibility for the organization.


=Passwords=

Strong Passwords - A password that is difficult to guess for both humans and computer programs. The traditional minimum is six characters combining letters, numbers and symbols (case-sensitive), but six characters is far too short against modern offline guessing; the guidelines earlier on this page (12-14 characters or more, randomly generated where feasible) are the ones to follow. Passwords should be different! Do not use the same password for everything.
