Staff e-mail addresses Availability tradeoffs December 13, 2012.


Facts on the ground
Starting October 24, we have had 19 user accounts successfully phished. Our normal rate is 1-2 security incidents per month. Successful phishes have resulted in our mail servers being used to send ~4 million spam mails. The amount of spam originating from UCAR has led several service providers to blacklist mail coming from us, including 2 educational institutions (udel.edu, ucsd.edu).

Why the increase in successful phishing?
Phishers are getting better at writing believable e-mails that look authentic. Attacks are less scripted and involve more individualized human attention; for example, using Staff Notes subject lines and formatting to try to fool our users. They use tinyurl and Google Docs links, which people generally trust. New employees and “pre-coffee” users are the ones who have fallen for these attacks. Domino effect: every time a user falls for phishing, the attackers gain more information about our patterns and the systems we use, and have new ways to try to fool our people.

What’s the end game?
Most likely identity theft, access to bank accounts and credit card numbers, and the like. People leave personal information trails all over the place. E-mails tend to be full of it, and people also reuse passwords on multiple sites. One stolen password can put a lot of information about that person in the attacker’s hands. An account also contains many trails leading to other people’s accounts. Phishing is a numbers game – the more people you touch, the more likely you are to succeed.

Here’s the rub…
We consider ourselves an open academic institution, with a high value placed on sharing information externally. We have many relationships with other educational and research institutions and organizations, and want to remain accessible. How do we balance these needs with the fact that our information is being misused maliciously?

Consider the source
We have log information showing the attackers are obtaining information about employees and their accounts using people.ucar.edu. We have other sources of people information on websites; some draw directly from people.ucar.edu, others are standalone. We have not seen direct evidence that other sources have been used in this recent wave, but there’s no reason they couldn’t be targeted at some point in the future.

The phishing begins…
If they obtain someone’s webmail password, they can send e-mail from that user’s account, making it appear legitimate. They are also changing people’s webmail settings, such as vacation messages, signatures, and reply-to addresses. People tend to use the same password in multiple locations, so gaining access to one location often leads to access to others. Escalating effect: more information obtained gives more leads to conduct more phishing.

What can we do?
We need to stop the current bleeding. We need to protect ourselves so that this kind of successful, widespread attack does not happen again. We need to anticipate the attackers’ next move, so that we don’t immediately end up back in the same cycle. We need to do all of this without turning into a “bubble boy”.

People vs. Staff
people.ucar.edu is a known current source of information for the attackers. In addition to general information about people, it interfaces with critical business databases (HR information, etc.) and is a potential pathway into those underlying databases. Based on behavior we have seen in our logs, we strongly suspect attackers have attempted to change data in it when they have obtained employees’ passwords. We are therefore moving people.ucar.edu so that it is accessible from internal networks only.

People vs. Staff
staff.ucar.edu will be our new external source of people information. It pulls information from people.ucar.edu and does not have write access to any of the critical underlying databases. All of the people information we wish to share with the world will still be there, but we have some ways to thwart the attackers.

Staff protections
Attackers love being able to gain access to tons of information quickly and in an automated way. The following will slow down their access to our information:
– E-mail addresses will be somewhat obfuscated with entity encoding. Humans will be able to read the addresses fine; scripts will have a harder time.
– Searches will be limited to returning a small number of results.
– The user must type at least 3 characters of a name to be able to search.
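The three protections on this slide, worked through as an added example (not UCAR’s staff.ucar.edu code): a constructed 25-entry directory, decimal entity encoding of addresses, a 3-character minimum and a 10-result cap. The last lines show the slide’s own caveat, that entity encoding only stops a naive harvester and is undone by a single decode call.

```python
import html
import re

MIN_QUERY_CHARS = 3   # the search form rejects shorter queries
MAX_RESULTS = 10      # hard cap on results returned per search

# Constructed sample directory: placeholder names and addresses, not real staff.
DIRECTORY = [{"name": f"Person {i:02d}", "email": f"person{i:02d}@example.org"}
             for i in range(25)]

# The kind of pattern a harvesting script greps page source for.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def entity_encode(text):
    """Encode every character as a decimal HTML character reference.
    A browser renders the original text, so a person reads the address as
    usual; a script matching raw 'user@host' patterns in the HTML sees no '@'."""
    return "".join(f"&#{ord(c)};" for c in text)

def harvestable(html_fragment):
    """True if a naive address-harvesting regex finds an address in the fragment."""
    return EMAIL_RE.search(html_fragment) is not None

def search_directory(query, directory=DIRECTORY):
    """One directory search with all three protections applied."""
    q = query.strip().lower()
    if len(q) < MIN_QUERY_CHARS:
        raise ValueError(f"enter at least {MIN_QUERY_CHARS} characters of a name")
    hits = [e for e in directory if q in e["name"].lower()]
    page = [{"name": html.escape(e["name"]), "email": entity_encode(e["email"])}
            for e in hits[:MAX_RESULTS]]
    return {"results": page, "truncated": len(hits) > MAX_RESULTS}

if __name__ == "__main__":
    out = search_directory("person")
    print(len(out["results"]), "of 25 returned; truncated =", out["truncated"])
    encoded = out["results"][0]["email"]
    print("harvesting regex finds address in encoded HTML:", harvestable(encoded))
    # The slide's own caveat: this only slows attackers down. A script that
    # decodes entities before matching gets the address back unchanged.
    print("after html.unescape:", html.unescape(encoded))
```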

More staff protections
Operational logging will be included with staff.ucar.edu. We will be able to see the IP addresses of connecting machines and what searches those machines performed, which will help us respond more intelligently in the event of an incident. There will be some basic flood detection and alerting, watching for search patterns that may indicate malicious activity. Further protections are under discussion; this will be an evolutionary process going forward.
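A minimal version of the flood detection this slide describes, as an added example rather than UCAR’s own tooling: it assumes a constructed log format of “timestamp client-IP q=query”, keeps a 60-second sliding window per client IP, and raises one alert when an IP exceeds 20 searches in that window. The constructed log mixes two human-paced searches with a scripted client walking three-letter prefixes, the minimum the search form accepts.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)      # sliding window per client IP
MAX_QUERIES_PER_WINDOW = 20         # more than this inside one window -> alert

def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> <client IP> q=<query>'."""
    ts, ip, query = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip, query[len("q="):]

def detect_floods(lines, window=WINDOW, limit=MAX_QUERIES_PER_WINDOW):
    """Return one alert per IP that exceeds `limit` searches inside `window`.
    Each alert is (ip, time_first_exceeded, count_in_window, first_queries)."""
    recent = defaultdict(deque)     # ip -> deque of (timestamp, query) in window
    alerts, alerted = [], set()
    for line in lines:
        if not line.strip():
            continue
        ts, ip, query = parse_line(line.strip())
        dq = recent[ip]
        dq.append((ts, query))
        while dq and ts - dq[0][0] > window:   # drop events older than the window
            dq.popleft()
        if len(dq) > limit and ip not in alerted:
            alerted.add(ip)                     # alert once per offending IP
            alerts.append((ip, ts, len(dq), [q for _, q in list(dq)[:5]]))
    return alerts

def build_sample_log():
    """Constructed log: two human-paced searches plus a scripted enumeration
    that issues a three-letter prefix every two seconds (aaa, aab, aac, ...)."""
    start = datetime(2012, 12, 13, 9, 0, 0)
    lines = ["2012-12-13T08:59:50 198.51.100.5 q=smith",
             "2012-12-13T09:00:30 198.51.100.5 q=jones"]
    for i in range(30):
        t = start + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} 203.0.113.9 q=aa{chr(ord('a') + i % 26)}")
    return lines

if __name__ == "__main__":
    for ip, ts, n, sample in detect_floods(build_sample_log()):
        print(f"ALERT {ts.isoformat()} {ip}: {n} searches in {WINDOW.seconds}s, e.g. {sample}")
```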

Important to understand…
The people vs. staff change will NOT completely stop phishing attempts; it will only slow them down. We will no longer be the low-hanging fruit that everyone is going after, but there will always be someone willing to climb the tree to get the good stuff. There is no way to completely shut down phishing attempts other than to isolate ourselves from the rest of the world, which is unacceptable. We hope that this solution strikes a reasonable balance.

The human element
No amount of technical solutions will fix the problem completely, as long as we have humans working in our organization. Attackers have numerous ways to trick and manipulate people into giving up information. Education is the only way to thwart this. New employees need to be brought up to speed on phishing and know whom to contact if they see something suspicious. Even the most well-educated people can have a pre-coffee moment.

Future technologies
The WAG reviews new web technologies and how we can leverage them at UCAR. New technology can be highly useful, but may also carry new risks. SEG encourages the WAG to consult with us when reviewing new technology. We can help identify the risks and recommend ways to protect the system without losing utility. It is far less costly to build security in from the start than to tack it on in an ad hoc fashion later.