1. Fermilab Computer Security Awareness Day November 2012 Basic Computer Security

2. Why Computer Security?

3.  Fermilab is an attractive target It is constantly being scanned for weak or vulnerable systems; new unpatched systems will be exploited within minutes. High network bandwidth is useful for attackers who take over lab computers Publicity value of compromising a.gov site Attackers may not realize we have no information useful to them

4. Why Computer Security?  To establish good computing habits  Attacks on users (rather than systems) becoming more frequent  It is easier to trick a user than to break into a system

5. Why Computer Security?  Security depends on everyone, from management, to system administrators, to developers, to users, etc. As mentioned, phishing attacks are more prevalent Three DOE labs taken offline in 2011 due to phishing attacks A chain is only as strongest as its weakest link  Integrated Security Management Part and parcel of everything you do with computers ○ Like safety, security is part of everyone’s responsibility Not “one-size-fits-all” but appropriate for the needs and vulnerabilities of each system - in most cases, it is simply common sense + a little information and care

6. Spam Spam Spam  Everyone gets spam all the time  In 2007, it was estimated that 85% of incoming email was “abusive email”  A 2010 survey of US and European email users showed that 46% of recipients opened spam messages and 11% clicked on a link

7. From Spam to Scams  Nothing new – attempts by criminals to defraud you  Direct monetary gain is primary motive  Never reply to them!  Classic examples: Winning the lottery (which you never entered) Dignitary wanting to give you millions of dollars from his/her country. Parcel mule scams

8. The Hitman Bribe Scam

9. From Scams to Phishing  One of the most common email attacks  Fools user into giving up information  Eventual monetary gain is a large motive but there are others  Primary types of phishing: Harvesting information Controlling your computer via malicious links Controlling your computer via malicious attachments  Let’s take a look at some examples

11. Email: Phishing  Do any red flags jump out?  How about sender’s email address or what they are requesting?  Sometimes things are trickier than they seem – let’s look at another example.

13. Link goes to:

14. Email: Phishing  Phishing may be sophisticated and appear genuine: It may be addressed to specific individuals only It may be on topic with what the individuals work with The sender may be forged to appear from a coworker of those individuals “Spear phishing”

15. What to do?  The purpose of sending spam or phishing generally comes down to money (now or eventually): Obtaining bank account information Obtaining login credentials Your machine becomes compromised and becomes a member of a botnet Your email account compromised to send more spam.  Be careful on what you click on and what you reply to!

16. What to do?  If after reading an e-mail you think it is a phishing attack or scam, simply delete the message. Here are some indications if an e-mail is an attack.  Be suspicious of any e-mail that requires immediate action or creates a sense of urgency.  Be suspicious of e-mails addressed to “Dear Customer” or some other generic salutation.  Be suspicious of grammar or spelling mistakes, most businesses proofread their messages very carefully.

17. What to do?  If a link in an e-mail seems suspicious, hover your mouse over the link. This (usually) will show you the true destination where you would go if you actually clicked it. The link that is written in the e-mail may be very different than where it will actually send you.  Do not click on links. Instead copy the URL from the email and paste it into your browser. Even better is to simply type the destination name into your browser. For example, if you get an email from UPS telling you your package is ready for delivery, do not click on the link. Instead, go to the UPS website and then copy and paste the tracking number.

18. What to do?  Be suspicious of attachments; only open attachments that you were expecting.  Just because you got an e-mail from your friend or coworker does not mean they sent it. Her/his computer may have been infected or their account may have been compromised, and malware is sending the e-mail to all of your friend’s contacts. If you get a suspicious email from a trusted friend or colleague, call them to confirm that they sent it.

19. What to do?  Ultimately, using e-mail safely is all about common sense.  If something seems suspicious or too good to be true, it is most likely an attack. Simply delete the e-mail.

20. What to do?  Fermilab personnel will NEVER ask you for your password.  Most outside companies/services should NOT as well.

21. Social Engineering  Not every method to give up electronic data is electronic.  Phone calls  In person Or physical media

22. One more thing about personal info  Protecting Personal Information at Fermilab course  If you handle Personally Identifiable Information, you may need to take Advanced PII course  Be cognizant of how personal, sensitive, or financial information is being transmitted (e.g., general email, etc.)

23. Browsing the web  We know that clicking a link in an email can be bad – this applies to general web browsing as well.  The primary difference is how an attacker might target you.

24. Browsing the web  Use a modern browser on a current operating system  Since many use a web browser to read email, the same rules apply (e.g., be suspicious of attachments, etc.)!  Don’t click on pop-up advertisements  Be careful of web sessions involving personal or financial data.

25. Browsing the web  Use common sense …  Watch where you browse (note the “web environment”).  Be extra careful if you have administrative privileges.

26. Browsing the web  What happens if you see the following screen when browsing the web at Fermi?

28. Browsing the web  Please do not click on Accept!  Contact the Service Desk if you feel this is in error.  If you see a similar message pop up on your machine by itself without having clicked on anything, please contact the Service Desk.

29. Incidental Computer Usage  Fermilab permits some non-business use of lab computers  Guidelines are at http://security.fnal.gov/ProperUse.htm http://security.fnal.gov/ProperUse.htm  This is pretty much common sense

30. The top 10 worst Internet passwords: Source: Splashdata

31. Passwords  When you are typing a password for some reason (e.g., logging in to a service) – ask yourself what does this have access to?  2012 was a year for major password breaches: LinkedIn eHarmony LastFM Formspring  What if you used the same passwords everywhere?

32. Passwords  Always choose a complex password The lab has a password policy that’s enforced, so it’s difficult to choose a weak Fermi password, however:  Differentiate your passwords – don’t use the same passwords for Fermi services as personal services.  Fermi’s Kerberos, Windows, and Services passwords should all be different as well.  Change them periodically (yes, even passwords to personal accounts).

33. Fermilab and Central Authentication  All use of lab computing services requires central authentication  Avoid disclosure of passwords on the network  No network services (logon or read/write ftp) visible on the general internet can be offered with out requiring strongest authentication, currently Kerberos (unless a formal exemption is applied for and granted)  Kerberos provides a single sign in, minimizing use of multiple passwords for different systems  Lab systems are constantly scanned for violations of this policy

34. Remember:  Fermilab personnel will NEVER ask you for your password.  Most outside companies/services should NOT as well.

35. What happens if you notice a Computer Security incident?  Mandatory incident reporting Report all suspicious activity: ○ If urgent to the Service Desk, x2345, 24x7 ○ Or to system manager (if immediately available) ○ Non-urgent to computer_security@fnal.gov Incidents investigated by Fermi Incident Response Not to be discussed!

36. Fermi Incident Response  Investigate (“triage”) initial reports  Coordinate investigation overall  Work with local system managers  Call in technical experts  May take control of affected systems - for an undetermined amount of time  Maintain confidentiality

37. Perimeter Controls  Certain protocols are blocked at the site border (email to anything other than lab mail servers; web to any but registered web servers; other frequently exploited services)  Temporary (automatic) blocks are imposed on incoming or outgoing traffic that appears similar to hacking activity; these blocks are released when the activity ceases (things like MySpace and Skype will trigger autoblocker unless properly configured)

38. Patching and Configuration Management  Baseline configurations exist for each major operating system (Windows, Linux, Mac)  All systems must meet the baseline requirements and be regularly patched (in particular running an up-to-date supported version of the operating system) UNLESS: A documented case is made as to why the older OS version cannot be upgraded Documentation exists to demonstrate that the system is patched and managed a securely as baseline systems All non essential services (such as web servers) are turned off  All systems with Windows file systems must run anti virus  Your system administrator should take care of this for your desktop

39. Critical Vulnerabilities and Vulnerability Scanning  Certain security vulnerabilities are declared critical when they are (or are about to) being actively exploited and represent a clear and present danger  Upon notification of a critical vulnerability, systems must be patched by a given date or they will be blocked from network access  This network block remains until remediation of the vulnerability is reported to the TISSUE security issue tracking system (as are blocks imposed for other security policy violations)

40. Prohibited Activities  “Blatant disregard” of computer security  Unauthorized or malicious actions Damage of data, unauthorized use of accounts, denial of service, etc., are forbidden  Unethical behavior Same standards as for non-computer activities  Restricted central services May only be provided by approved service owners  Security & cracker tools Possession (& use) must be authorized  See http://security.fnal.gov/policies/cpolicy.htmlhttp://security.fnal.gov/policies/cpolicy.html

41. Activities to Avoid  Large grey area, but certain activities are “over the line” – Illegal Prohibited by Lab or DOE policy Embarrassment to the Laboratory Interfere w/ performance of job Consume excessive resources  Example: P2P (peer to peer) software like Skype and BitTorrent: not explicitly forbidden but very easy to misuse!

42. Questions?  nightwatch@fnal.gov for questions about security policy nightwatch@fnal.gov  Computer_security@fnal.gov for reporting security incident Computer_security@fnal.gov  http://security.fnal.gov/ http://security.fnal.gov/