Adding Practical Security to Your Intro Computer Course

Presenter: Mark Ciampa, Western Kentucky University. It is no surprise that most users are confused or apathetic about securing their computers against attackers, and this includes our students. Yet the need for schools to provide practical security instruction to every student is real, and enterprises and the government are now calling for schools to take action. It does not take advanced knowledge of computer security to teach it; the basics of practical security can be taught by any instructor in any course. In this presentation we will look at how to teach applied, practical computer security in the computer courses you teach.

Slide Content
  1. Adding Practical Security to Your Introduction to Computers Course

    Slide 1 - Adding Practical Security to Your Introduction to Computers Course

    • Mark Ciampa
    • Western Kentucky University
  2. Cut Right To The Chase

    Slide 2 - Cut Right To The Chase

    • Things are really bad in security
    • Users are still confused about security
    • Our students want to learn practical security
    • But schools are not teaching practical security
    • We can teach practical security in our Intro courses
    • Here’s how we can teach practical security
  4. Real Time Attack Trackers

    Slide 4 - Real Time Attack Trackers

    • FireEye Cyber Threat Map
    • Norse IPViking
    • Arbor Networks Digital Attack Map
    • Kaspersky Cyberthreat Real-time Map
    • Anubis Network Cyberfeed
    • F-Secure World Map
    • Trend Micro Global Botnet Threat Activity Map
    • Team Cymru Graphs
    • OpenDNS Global Network
    • Mandiant IPew Attack Map
    • Alien Vault Global Dashboard
  5. Worst Data Breaches Last 12 Months

    Slide 5 - Worst Data Breaches Last 12 Months

    2015 Cengage Learning Computing Conference

    Organization                Number of Customers
    Yahoo Mail                  298 million
    Staples                     1.6 million
    Community Health Systems    4.5 million
    South Korea                 40 million
    Home Depot                  109 million
    JP Morgan Chase             83 million
    eBay                        152 million
    Anthem                      105 million
  8. Targets

    Slide 8 - Targets

  9. Source

    Slide 9 - Source

  10. Anthem Data Breach

    Slide 10 - Anthem Data Breach

    • Personal data stolen from health insurer Anthem is very lucrative
    • Typical stolen payment cards sell on the black market for $1
    • Health insurance credentials sell for $20
    • Complete identity-theft kits containing comprehensive health insurance credentials sell for $1,000 each
    • Attackers use identity information (birth dates, Social Security numbers, addresses, employment information, income, etc.) to open new credit accounts on an ongoing basis, rather than exploiting one account until it is canceled
    • Key pieces of the stolen data can also be used to access financial records
    • In 2014 healthcare providers and payers reported a 60% increase in detected incidents, and the resulting financial losses increased 282% over 2013
  11. Anthem Data Breach

    Slide 11 - Anthem Data Breach

    • Attackers may have first gained a foothold in April 2014, almost 9 months before the breach was discovered
    • A flood of phishing scams was unleashed just hours after Anthem announced the breach publicly
    • Fraudsters are also perpetrating similar scams by cold-calling people by telephone
  12. TurboTax

    Slide 12 - TurboTax

    • TurboTax temporarily suspended transmission of state e-filed tax returns in response to complaints from consumers who found that criminals had already claimed a refund in their name
    • Criminals use stolen identity information to file fraudulent returns
    • Compromised TurboTax accounts sell for 0.0002 bitcoins (about 4 cents)
  14. Carbanak

    Slide 14 - Carbanak

    • Most cybercrime targets consumers and businesses, stealing account information such as passwords and other data that lets thieves cash out hijacked bank accounts or create fake credit/debit cards
    • The Carbanak group instead specializes in breaking into banks directly and then funneling cash out of the financial institution itself
    • Carbanak deployed malware via phishing to get inside computers at 100+ banks and stole between $300 million and $1 billion
  16. Sony Data Breach

    Slide 16 - Sony Data Breach

    • Email and records of 6,500 employees stolen in 100 TB of data
    • Thousands of passwords in clear-text documents (Password Lists.xls and YouTube Login Passwords.xlsx)
    • Accounts for Facebook, MySpace, YouTube, Twitter, Lexis/Nexis, Bloomberg, Sony servers, and collaboration services
    • Prevented the theatrical release of the movie The Interview
    • Expected to cost Sony $100 million
  17. Antivirus Misses

    Slide 17 - Antivirus Misses

    Time        Malware Missed
    1 hour      70%
    24 hours    34%
    7 days      28%
    1 month     7%
    6 months    100% (as given on the slide; this last row does not agree with the column heading)
  18. SMiShing

    Slide 18 - SMiShing

    • Phishing lures sent via SMS text message; the telephone equivalent is vishing (voice phishing)
    • "Thank you for calling Bank of America. A text message has been sent to inform you that your debit card has been limited due to a security issue. To reactivate, please press 1 now."
    • The caller is then prompted to enter the last four digits of their Social Security number, and then the full card number and expiration date
  19. Worldwide Smartphone Usage

    Slide 19 - Worldwide Smartphone Usage

  20. Internet of Things (IoT)

    Slide 20 - Internet of Things (IoT)

    • IoT - Network of networks of uniquely identifiable endpoints ("things") that communicate without human interaction
    • IoT forecast to grow to 26 billion units and $7.1 trillion in sales by 2020
    • Enterprise: smart buildings with web-enabled technologies for managing heat, lighting, ventilation, elevators, security cameras
    • Home: smart TVs, webcams, smart thermostats, remote power outlets, sprinkler controllers, door locks, home alarms, bathroom scales, garage door openers, hubs for controlling multiple devices
  21. Internet of Things (IoT)

    Slide 21 - Internet of Things (IoT)

    • 7 of the 10 most popular types of IoT devices are vulnerable to attackers
    • Each device had an average of 25 vulnerabilities (lack of authentication, insecure web interface, lack of transport encryption)
    • Communications protocols for building automation and control networks, such as BACnet and LonTalk, are open and transparent, so anyone on the network can read and inject traffic
    • As embedded systems, many devices have no means of being updated
  24. Your Privacy

    Slide 24 - Your Privacy

    • Google Location History
    • Immersion
  25. Crimes Americans Worry About Most

    Slide 25 - Crimes Americans Worry About Most

  26. Why Me?

    Slide 26 - Why Me?

    City/Region      Increase in Infections Last Month
    New York City    93%
    Pennsylvania     91%
    New Jersey       71%
    Rhode Island     55%
    Maine            53%
    Massachusetts    46%
    Connecticut      37%
  27. Why Me?

    Slide 27 - Why Me?

    • Top 6 cities with computer infections above national average (per capita)
    • Tampa
    • Orlando
    • St. Louis
    • Salt Lake City
    • Little Rock
    • Washington, DC
  28. Cut Right To The Chase

    Slide 28 - Cut Right To The Chase

    • Things are really bad in security
    • Users are still confused about security
    • Our students want to learn practical security
    • But schools are not teaching practical security
    • We can teach practical security in our Intro courses
    • Here’s how we can teach practical security
  29. Attacks Have In Common?

    Slide 29 - Attacks Have In Common?

    • Target: 110 million customers
    • Federal Government: 87 million records in 228,700 incidents
    • South Carolina Department of Revenue: 3.8 million customers
    • "There is no security patch for a stupid user"
  30. Attacks Have In Common?

    Slide 30 - Attacks Have In Common?

    • 2013
    • 21% of all federal breaches were traced to government workers who violated policies
    • 16% due to lost or stolen devices
    • 12% improperly handled sensitive information printed from computers
    • 8% ran or installed malicious software
    • Despite a "Think Before You Click!" campaign, multiple federal workers who received an email before Christmas with the subject line "Your Amazon.com order of 'Omron XEZ-740V Fat Loss' has shipped!" clicked on the link
  31. Users Are Still Confused

    Slide 31 - Users Are Still Confused

    • Survey of American, British and German adult computer users
    • 40% do not always update software on their computers when first prompted
    • 25% said they do not clearly understand what software updates do
    • 25% said they do not understand the benefits of updating regularly
    • 75% said they saw update notifications, but over half said they needed to see a notification 2-5 times before deciding to act
    • 25% said they do not know how to check whether their software needs updating
  32. Users Are Still Confused

    Slide 32 - Users Are Still Confused

    • 88% use their home computer for online banking, stock trading, reviewing personal medical information, and storing financial information, health records, and resumes
    • 98% agree it is important to know the risk level of a web site before visiting it (but 64% admit they don't know how to)
    • 92% think their anti-virus software is up to date (but only 51% have anti-virus software that has been updated within the last 7 days)
  33. Users Are Still Confused

    Slide 33 - Users Are Still Confused

    • 44% don't understand firewalls
    • 25% have not even heard of the term "phishing," and only 13% can accurately define it
    • Only 22% have anti-spyware software installed, an enabled firewall, and anti-virus protection that has been updated within the last 7 days
  34. Why Increase In Attacks

    Slide 34 - Why Increase In Attacks

    • Speed of attacks
    • More sophisticated attacks
    • Simplicity of attack tools
    • Faster detection of weaknesses
    • Delays in user patching
    • Distributed attacks
    • Attacks exploit user ignorance and confusion
  35. User Confusion

    Slide 35 - User Confusion

    • Confusion over different attacks: Worm or virus? Adware or spyware? Rootkit or Trojan?
    • Confusion over different defenses: Antivirus? Firewall? Patches?
    • Users are asked to make security decisions and perform technical procedures
  36. Think Of a Typical User

    Slide 36 - Think Of a Typical User

    • Will you grant permission to open this port?
    • Is it safe to un-quarantine this attachment?
    • May I install this add-in?
  37. User Misconceptions

    Slide 37 - User Misconceptions

    • I don’t have anything on my computer they want
    • I have antivirus software so I’m protected
    • The IT Department takes care of security here at school or work
    • My Apple computer is safe.
  38. Cut Right To The Chase

    Slide 38 - Cut Right To The Chase

    • Things are really bad in security
    • Users are still confused about security
    • Our students want to learn practical security
    • But schools are not teaching practical security
    • We can teach practical security in our Intro courses
    • Here’s how we can teach practical security
  39. Students Want to Learn Security

    Slide 39 - Students Want to Learn Security

    • Survey #1: 679 students at both a Kentucky university and a North Carolina community college
    • First day of Introduction to Computers class
    • Students had received no instruction about security in class
    • Students had no previous computer courses at the school
    • Asked if specific security items were important to them
  40. Students Want To Learn Security

    Slide 40 - Students Want To Learn Security

  41. Anti-virus Software

    Slide 41 - Anti-virus Software

  42. Using Firewall

    Slide 42 - Using Firewall

  43. Securing Wireless

    Slide 43 - Securing Wireless

  44. Protecting From Phishing

    Slide 44 - Protecting From Phishing

  45. Using Spam Filters

    Slide 45 - Using Spam Filters

  46. Students Want To Learn Security

    Slide 46 - Students Want To Learn Security

    Who Said It                        What They Want
    Those who use and know technology  Create backups, configure web browser, create strong passwords
    Computer owners                    Scan for malware
    Females                            Scan for malware, create backups, use anti-virus, secure wireless networks
  47. Cut Right To The Chase

    Slide 47 - Cut Right To The Chase

    • Things are really bad in security
    • Users are still confused about security
    • Our students want to learn practical security
    • But schools are not teaching practical security
    • We can teach practical security in our Intro courses
    • Here’s how we can teach practical security
  48. Security Education Today

    Slide 48 - Security Education Today

    • Teach comprehensive enterprise security in CIS security track
    • Teach network security to CIS majors
    • Teach brief coverage of security definitions in Introduction to Computers to business majors
    • Yet we are leaving out practical security awareness for all students
  49. Calls for Vigilance

    Slide 49 - Calls for Vigilance

    • "Securing your home computer helps you and your family, and it also helps your nation . . . by reducing the risk to our financial system from theft, and to our nation from having your computer infected and then used as a tool to attack other computers"
    • Department of Homeland Security
  50. Calls for Training

    Slide 50 - Calls for Training

    • The National Strategy to Secure Cyberspace (NSSC), created by the U.S. President's National Infrastructure Advisory Council, calls for a comprehensive national security awareness program to empower all Americans, including the general population, "to secure their own parts of cyberspace"
    • The Department of Homeland Security, through the NSSC, calls upon home users to help the nation secure cyberspace "by securing their own connections to it"
  51. Calls for Training

    Slide 51 - Calls for Training

    • Action and Recommendation 3-4 of the NSSC calls upon colleges and universities to model user awareness programs and materials
    • The Colloquium for Information Systems Security Education (CISSE), the International Federation for Information Processing Working Group 11.8 on Information Security Education (IFIP WISE), and the Workshop on Education in Computer Security (WECS) are all involved in security training in schools
    • The bipartisan Cybersecurity Enhancement Act would fund more cybersecurity research, awareness and education
  52. Calls for Training

    Slide 52 - Calls for Training

    • Researchers state that institutions of higher education (IHEs) should be responsible for providing security awareness instruction, including Crowley (2003), Mangus (2002), Null (2004), Tobin and Ware (2005), Valentine (2005), Werner (2005), and Yang (2001)
    • Security instruction and training is important not only to meet current demands for securing systems but also to prepare students for employment in their respective fields
    • Security awareness instruction and training in a college curriculum should not be isolated in upper-level courses for IT majors, according to Tobin and Ware (2005), Werner (2005), and others
    • Instruction should be taught to all graduates as a "security awareness" course (Valentine, 2005) and integrated across the curriculum (Yang, 2001)
    • Long (1999) advocated that security instruction should begin as early as kindergarten
  53. Cut Right To The Chase

    Slide 53 - Cut Right To The Chase

    • Things are really bad in security
    • Users are still confused about security
    • Our students want to learn practical security
    • But schools are not teaching practical security
    • We can teach practical security in our Intro courses
    • Here’s how we can teach practical security
  54. Security Education Challenge

    Slide 54 - Security Education Challenge

    • We need to educate all students about practical computer security in all of our courses
    • "Users should be as fluent with practical security as with using Word"
    • All our courses use technology, so make security a "teaching moment"
    • Security Across the Curriculum
  56. Teacher Pushback

    Slide 56 - Teacher Pushback

    • Students don’t care about security
    • I don’t have time to teach it
    • I’m not a security expert so I can’t teach it
  57. ‘I Don’t Have Time to Teach It’

    Slide 57 - ‘I Don’t Have Time to Teach It’

    • Is there a skill that is more important and more useful today than practical security?
    • We can also take the opportunity as topics arise
    • For example, when we ask students to research using the Internet, spend 10 minutes that day talking about Internet security
  58. Experts Not Needed

    Slide 58 - Experts Not Needed

    • Security experts are not wanted!
    • Security experts often get carried away with too many details!
    • We need to teach basic practical security skills, not advanced security topics
  59. Cut Right To The Chase

    Slide 59 - Cut Right To The Chase

    • Things are really bad in security
    • Users are still confused about security
    • Our students want to learn practical security
    • But schools are not teaching practical security
    • We can teach practical security in our Intro courses
    • Here’s how we can teach practical security
  60. How To Teach Security

    Slide 60 - How To Teach Security

                Practical Security                     Intro to Computers textbook security
    Topics      Personal, computer, Internet, mobile   Security devices
    Focus       End user                               Enterprise
    Emphasis    Defense                                How it works
    Devices     Desktop, laptop, smartphone            Mainframe, servers
    Approach    How to protect yourself                Teach definitions
  61. Practical Security Topics

    Slide 61 - Practical Security Topics

    • Personal: Passwords, Phishing, Social networks
    • Computer: Malware types, Patches, Anti-virus, Firewalls, UAC, Backups
    • Internet: Browser settings, Digital certificates, Hyperlinks
    • Mobile: Wi-Fi risks, Bluetooth risks, Wireless defenses, Public Wi-Fi
  62. How To Teach Security

    Slide 62 - How To Teach Security

  63. Which Is Better?

    Slide 63 - Which Is Better?

    • thisisaverylongpassword
    • Xp4!e%
    • Length always trumps complexity
    • The arithmetic, using the 80-key keyboard from the next slides: 23 lowercase letters give 26^23 (about 3.5 x 10^32) possibilities, while 6 characters drawn from all 80 keys give 80^6 (about 2.6 x 10^11); even an attacker who treats the long one as six dictionary words joined together still faces far more candidates than the short one offers
  64. Length Over Complexity

    Slide 64 - Length Over Complexity

    • Keyboard has only 3 keys: A, B, and C
    • Had to create a 2-character password
    • How many different passwords could we create? (3^2 = 9: AA, AB, AC, BA, BB, BC, CA, CB, CC)
    • What's the relationship between those numbers?
  65. Length Over Complexity

    Slide 65 - Length Over Complexity

    • Number-of-Keyboard-Keys ^ Password-Length = Total-Number-of-Possible-Passwords

    Keyboard Keys   Password Length   Possible Passwords
    80              2                 6,400
    80              3                 512,000
    80              4                 40,960,000
    80              5                 3,276,800,000
    80              8                 1,677,721,600,000,000
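
    The keyspace arithmetic of the table above, applied to the two passwords from the "Which Is Better?" slide, as an added example (this is not code from the presentation). It assumes the deck's 80-key keyboard for the table rows, Python's standard character classes as the pool a brute-force attacker must cover for a real password, and the 300 billion guesses per second the deck cites for one cracking rig as the attacker's speed. It also goes one step beyond the slide by costing a combinator attack, where the attacker already knows the long password is several dictionary words run together.

```python
# Added example (not part of the slides): keyspace behind slide 65, applied
# to the two passwords on slide 63. Assumptions: the deck's 80-key keyboard
# for the table, Python's standard character classes for real passwords, and
# the 300 billion guesses/second rate the deck cites as the attacker's speed.
import math
import string

GUESSES_PER_SECOND = 300_000_000_000   # assumed rate, from the deck's own figure
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number-of-Keys ^ Password-Length, the formula on slide 65."""
    return alphabet_size ** length


def alphabet_size_of(password: str) -> int:
    """Size of the pool a brute-force attacker must cover to reach this
    password: the union of the standard character classes it actually uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def brute_force_keyspace(password: str) -> int:
    return keyspace(alphabet_size_of(password), len(password))


def combinator_keyspace(num_words: int, dictionary_size: int) -> int:
    """Candidates for an attacker who knows the password is num_words words
    from a dictionary of dictionary_size joined together (combinator attack)."""
    return dictionary_size ** num_words


def seconds_to_exhaust(candidates: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: every candidate tried once at the given rate."""
    return candidates / rate


def entropy_bits(candidates: int) -> float:
    return math.log2(candidates)


if __name__ == "__main__":
    print("Keys  Length  Possible passwords")
    for length in (2, 3, 4, 5, 8):
        print(f"{80:>4}  {length:>6}  {keyspace(80, length):,}")
    for pw in ("thisisaverylongpassword", "Xp4!e%"):
        n = brute_force_keyspace(pw)
        print(f"{pw!r}: pool {alphabet_size_of(pw)}, {entropy_bits(n):.1f} bits, "
              f"{seconds_to_exhaust(n) / SECONDS_PER_YEAR:.3g} years to exhaust")
    # Worst case for the long one: the attacker guesses it is six words
    # (this, is, a, very, long, password) from a 10,000-word list.
    n = combinator_keyspace(6, 10_000)
    print(f"combinator attack on the passphrase: {entropy_bits(n):.1f} bits, "
          f"{seconds_to_exhaust(n) / SECONDS_PER_YEAR:.3g} years")
```

    Run as a script it prints the slide's table and the two comparisons: the six-character password falls in a few seconds at the assumed rate, the 23-letter one takes on the order of 10^13 years by brute force, and even the combinator attack still needs about 10^5 years. The point for students is that every extra character multiplies the work, whereas mixing in symbols only changes the base.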
  66. Length Over Complexity

    Slide 66 - Length Over Complexity

    • How Secure Is My Password
  67. Password Problems

    Slide 67 - Password Problems

    • Effective passwords are long and complex, but these are difficult to memorize and then accurately recall
    • Users must remember passwords for many different accounts (different computers and mobile devices at work, school, and home; multiple email accounts; online banking; Internet site accounts, etc.)
    • Many security policies require that passwords expire after a set period of time, when a new one must be created
    • Some security policies even prevent a previously used password from being recycled, forcing users to repeatedly memorize new passwords
  68. Weak Passwords

    Slide 68 - Weak Passwords

    • Common word (Eagles)
    • Short passwords (ABCDEF)
    • Personal information (name of a child or pet)
    • Writing the password down
    • Predictable use of characters
    • Never changing the password
    • Reusing the same password across accounts
  69. Top 10 Passwords

    Slide 69 - Top 10 Passwords

  70. Top Password Lists

    Slide 70 - Top Password Lists

    • 14% of users have a password from the Top 10 passwords
    • 40% of users have a password from the Top 100 passwords
    • 79% of users have a password from the Top 500 passwords
    • 91% of users have a password from the Top 1000 passwords
  71. Top 10 Passwords

    Slide 71 - Top 10 Passwords

  72. Useless User Tricks

    Slide 72 - Useless User Tricks

    • Even when users attempt to create stronger passwords, they generally follow predictable patterns
    • Appending - Typically only a number is added after the letters (caitlin1 or cheer99); if more is added, it follows the sequence letters+punctuation+number (amanda.7 or chris#6)
    • Replacing - A zero is used instead of the letter o (passw0rd), the digit 1 for the letter i (denn1s), or a dollar sign for an s (be$tfriend)
    • Attackers are aware of these patterns and search for them directly, which dramatically weakens such passwords and makes them easier to crack
  73. What Attackers Do

    Slide 73 - What Attackers Do

    • Attackers do not guess passwords by hand
    • They use technology: brute force, dictionary, hybrid, rainbow tables
    • A recent attack used a computer that tried more than 300 billion plaintext guesses every second
    • Today attackers use stolen password files to learn how users think when creating passwords, and use common passwords as candidates
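
    The hybrid attack named above, run against the appending and replacing habits from the "Useless User Tricks" slide, as an added example (not code from the presentation). The word list, the leet substitutions and the suffix rule set are constructed here for illustration; a real attack starts from millions of leaked passwords and hundreds of mangling rules, and this version only handles lowercase words.

```python
# Added example (not part of the slides): a hybrid dictionary attack that
# applies the same "tricks" users apply, so caitlin1, passw0rd and be$tfriend
# are generated from their base words. WORDLIST, LEET and SUFFIXES are
# constructed for illustration; lowercase input only.
import itertools
import string

# Constructed stand-in for a cracking dictionary (real ones hold millions).
WORDLIST = ["password", "caitlin", "cheer", "amanda", "chris",
            "dennis", "bestfriend", "eagles", "monkey", "letmein"]

# Character swaps users believe make a word unguessable (slide 72's list plus e/3).
LEET = {"o": "0", "i": "1", "e": "3", "a": "4", "s": "$"}

# Suffix rule: nothing, one digit, two digits, or punctuation+digit
# (the letters+punctuation+number pattern from the slide).
SUFFIXES = ([""] + list(string.digits)
            + [a + b for a in string.digits for b in string.digits]
            + [p + d for p in ".#!_" for d in string.digits])


def leet_variants(word):
    """Every way of applying zero or more of the LEET swaps to word."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for r in range(len(positions) + 1):
        for chosen in itertools.combinations(positions, r):
            chars = list(word)
            for i in chosen:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def hybrid_candidates(word):
    """Dictionary word x leet rule x suffix rule: the attacker's guess list."""
    for variant in leet_variants(word):
        for suffix in SUFFIXES:
            yield variant + suffix


def cracks(password, wordlist=WORDLIST):
    """Return the base word whose rule expansion contains password, else None."""
    for word in wordlist:
        if password in set(hybrid_candidates(word)):
            return word
    return None


def guesses_needed(wordlist=WORDLIST):
    """Total candidates the attacker tries for the whole list: tiny next to a
    brute-force keyspace, which is why the patterns buy almost nothing."""
    return sum(len(set(hybrid_candidates(w))) for w in wordlist)


if __name__ == "__main__":
    for pw in ("caitlin1", "cheer99", "amanda.7", "chris#6",
               "passw0rd", "denn1s", "be$tfriend", "mainlyinonthethespainrainfalls"):
        print(f"{pw:32} -> {cracks(pw)}")
    print("total guesses for the whole word list:", guesses_needed())
```

    Every example password from the slide is found, while the scrambled passphrase is not, and the whole attack over this word list is well under 20,000 guesses, which at the 300 billion guesses per second cited above is a fraction of a microsecond. Note the asymmetry the slide is making: a user pays the memory cost of "be$tfriend" every day; the attacker pays for the `$` rule once and reuses it across every word.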
  74. Password Principles

    Slide 74 - Password Principles

    • Any password that can be memorized is a weak password
    • Any password that is repeated is a weak password
    • Use technology instead of brain
  75. Password Management Application

    Slide 75 - Password Management Application

    • Password management application - Allows the user to store usernames and passwords, along with other account details
    • The application is itself protected by a single strong password, and can even require the presence of a file on a USB flash drive before the program will open
    • Allows the user to retrieve usernames and passwords without the need to remember or even type them
    • Allows for very strong passwords:
  76. My Password

    Slide 76 - My Password

    • ÞtqâƒGøÑÆ»¬ŠñB±.Û©¸ùώ\"$@mgÉ\
  77. Password Management Application

    Slide 77 - Password Management Application

    • In-memory protection - Passwords are encrypted while the application is running to conceal passwords
    • Key files - In order to open the password database key file must also be present
    • Lock to user account - The database can be locked so that it can only be opened by the same person who created it
    • Password groupings - User passwords can be arranged as a tree, so that a group can have subgroups
    • Random password generator - A built-in random password generator can create strong random passwords based on different settings
  78. Password Management Application

    Slide 78 - Password Management Application

    • Dashlane
    • LastPass
    • KeePass
    • 1Password
    • Blur
    • PasswordBox
    • RoboForm
    • Sticky Password
  79. KeePass

    Slide 79 - KeePass

  80. KeePass

    Slide 80 - KeePass

  81. If You Rely On Memory Only

    Slide 81 - If You Rely On Memory Only

    • Do not use passwords that consist of dictionary words or phonetic words
    • Do not use birthdays, family member names, pet names, addresses, or any personal information
    • Do not repeat characters (xxx) or use sequences (abc, 123, qwerty)
    • Use a minimum of 12 characters, or a minimum of 18 characters for accounts that require higher security
    • Consider using a longer passphrase, but not in normal English word order: not theraininspainfallsmainlyontheplain but instead mainlyinonthethespainrainfalls
    • Use nonkeyboard characters
    • Length is more important than complexity
  82. Use Nonkeyboard Characters

    Slide 82 - Use Nonkeyboard Characters

    • Make passwords stronger with special characters that are not on the keyboard
    • Created by holding down the ALT key while typing a number on the numeric keypad (not the number row across the top of the keyboard); ALT + 0163 produces £
    • To see a list of all available non-keyboard characters, click Start, then Run, and enter charmap.exe; click a character and, if it can be reproduced this way in Windows, the keystroke ALT + 0xxx appears in the lower-right corner
    • Caveat: such a password can only be typed where ALT codes (or an equivalent input method) are available; on a phone, at a boot or BIOS prompt, or on a non-Windows system it may be impossible to enter, so keep it in a password manager rather than relying on typing it
  84. Phishing

    Slide 84 - Phishing

    • Social engineering - Relies on deceiving someone in order to obtain secure information
    • Phishing - A common form of social engineering: sending an e-mail or displaying a Web announcement that falsely claims to be from a legitimate enterprise, in an attempt to trick the user into surrendering private information
    • The user is asked to respond to an e-mail or is directed to a Web site where they are instructed to update personal information, such as passwords, credit card numbers, Social Security numbers, bank account numbers, or other information for which the legitimate organization already has a record
    • However, the Web site is actually a fake set up to steal the user's information
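
    The "hover over the link before you click" habit this slide teaches, done in code, as an added example (not code from the presentation). It parses the anchors of an HTML message and flags the usual tells of a phishing link: visible text that names one site while the href goes to another, a bare IP address as the target, and a brand name buried inside an unrelated domain. The sample message, its domains and the trusted_domain argument are all constructed for the example, and the registrable-domain helper is a deliberate simplification (last two labels instead of the public suffix list).

```python
# Added example (not part of the slides): flag phishing tells in the links of
# an HTML e-mail. SAMPLE_EMAIL and every domain in it are constructed;
# registrable() is a simplification that stands in for a public-suffix lookup.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """
<p>Your account has been limited. Please visit
<a href="http://examplebank.com.secure-update.example.net/login">https://www.examplebank.com/login</a>
to reactivate it.</p>
<p>Questions? See <a href="https://www.examplebank.com/help">our help center</a>.</p>
<p><a href="http://192.0.2.10/verify">Verify now</a></p>
"""


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, tolerating a missing scheme ("examplebank.com/x")."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Crude registrable domain: the last two labels (assumption; a real
    check consults the public suffix list)."""
    return ".".join(host.split(".")[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html, trusted_domain):
    """Return [(href, [reasons])] for anchors that show a phishing tell."""
    parser = _Anchors()
    parser.feed(html)
    brand = trusted_domain.split(".")[0]
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        reasons = []
        # Visible text that looks like a URL must agree with the real target.
        looks_like_url = "." in text and " " not in text
        text_host = host_of(text) if looks_like_url else ""
        if text_host and registrable(text_host) != registrable(href_host):
            reasons.append(f"text shows {text_host} but link goes to {href_host}")
        if is_ip(href_host):
            reasons.append("target is a bare IP address, not a domain")
        if brand in href_host and registrable(href_host) != trusted_domain:
            reasons.append(f"brand '{brand}' appears inside unrelated domain {href_host}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, "examplebank.com"):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

    The first link is flagged twice (the displayed URL and the real target disagree, and the bank's name is only a subdomain of someone else's domain), the help-center link passes, and the bare-IP link is flagged once. The same three checks are what a student should do by eye: read the status bar, not the link text; distrust raw IP addresses; and read a hostname from the right-hand end, since that is where the owning domain is.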
  87. Phishing Tests

    Slide 87 - Phishing Tests

    • MailFrontier
    • Antiphishing.org (Anti-Phishing Working Group)
    • Anti-Phishing Phil
    • PayPal
  88. Social Networking Attacks

    Slide 88 - Social Networking Attacks

    • Grouping individuals and organizations into clusters or groups based on affiliation is called social networking
    • Web sites that facilitate linking individuals with common interests such as hobbies, religion, politics, or school contacts are called social networking sites and function as an online community of users
    • A user who is granted access to a social networking site can read the profile pages of other members and interact with them
    • Social networking sites are increasingly becoming prime targets of attacks
  89. Social Network Defenses

    Slide 89 - Social Network Defenses

    • Consider carefully who is accepted as a friend - Once a person has been accepted as a friend, that person will be able to access any personal information or photographs
    • Show "limited friends" a reduced version of your profile - Individuals can be designated "limited friends" who only have access to a smaller version of the user's profile
    • Disable options and then reopen them only as necessary - Disable options until it becomes apparent that an option is needed, instead of making everything accessible and restricting access later, after it is too late
  90. Social Network Defenses

    Slide 90 - Social Network Defenses

  91. Backups

    Slide 91 - Backups

  92. Personal Firewall

    Slide 92 - Personal Firewall

    • Two-way personal software firewall - Inspects network traffic passing through it and denies/permits passage based on rules
    • Firewall restricts what can come in and go out of your computer across the network
    • Stops bad stuff from coming in
    • Stops a compromised computer from infecting other computers on network
    • Application-aware firewall allows user to specify which desktop applications can connect to the network
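To make the two-way, application-aware behavior concrete, here is an added example (not from the presentation) of a toy personal firewall rule engine. Rule names, application names and ports are all constructed for illustration; the point is that a connection is allowed only when an explicit rule permits it, in either direction.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example, not from the presentation: a toy two-way, application-aware
# personal firewall.  Rules are checked in order and the first match decides.
# Anything without a matching rule falls to the default: deny inbound, and
# deny outbound for applications the user has not approved.

@dataclass
class Rule:
    direction: str              # "in" or "out"
    action: str                 # "allow" or "deny"
    app: Optional[str] = None   # executable name, or None for any application
    port: Optional[int] = None  # TCP/UDP port, or None for any port

@dataclass
class Connection:
    direction: str
    app: str
    port: int

def decide(rules: List[Rule], conn: Connection) -> str:
    """Return "allow" or "deny" for a connection attempt."""
    for r in rules:
        if r.direction != conn.direction:
            continue
        if r.app is not None and r.app != conn.app:
            continue
        if r.port is not None and r.port != conn.port:
            continue
        return r.action
    return "deny"  # default: nothing gets in or out unless a rule permits it

# Constructed sample policy: the user approved only the browser and mail client.
SAMPLE_RULES = [
    Rule("out", "allow", app="browser.exe", port=443),
    Rule("out", "allow", app="browser.exe", port=80),
    Rule("out", "allow", app="mail.exe", port=993),
    Rule("out", "deny", port=445),  # never let file-sharing traffic leave the machine
]

if __name__ == "__main__":
    # Constructed traffic: the last three show an unapproved program on this
    # machine being stopped from reaching out, and an unsolicited inbound
    # connection being dropped.
    for c in (Connection("out", "browser.exe", 443),
              Connection("out", "unknown.exe", 443),
              Connection("out", "unknown.exe", 445),
              Connection("in", "any", 3389)):
        print(c, "->", decide(SAMPLE_RULES, c))
```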
  93. Check Firewall Settings

    Slide 93 - Check Firewall Settings

  94. Test Firewall

    Slide 94 - Test Firewall

  95. Test Firewall

    Slide 95 - Test Firewall

  96. Test Firewall

    Slide 96 - Test Firewall

  97. Patch Management

    Slide 97 - Patch Management

  98. Antivirus

    Slide 98 - Antivirus

  99. Antivirus

    Slide 99 - Antivirus

    • Test antivirus settings
    • Disinfect
    • Malware scanner
    • Secunia Software Inspector
  100. Windows Action Center

    Slide 100 - Windows Action Center

  101. User Account Control (UAC)

    Slide 101 - User Account Control (UAC)

    • When a user attempts to perform a task that requires administrative access, the user is prompted for approval (or, if a standard user, for an administrator password)
    • Displays an authentication dialog box that must be answered before continuing
    • Administrators – Click Continue or Cancel
    • Standard users – Enter an administrator password
  102. User Account Control (UAC)

    Slide 102 - User Account Control (UAC)

  103. User Account Control (UAC)

    Slide 103 - User Account Control (UAC)

  104. Does Wireless Security Matter?

    Slide 104 - Does Wireless Security Matter?

    • Get into any folder that has file sharing enabled
    • See wireless transmissions
    • Access the network behind the firewall and inject malware
    • Download harmful content that is then linked to the unsuspecting network owner
  105. 105

    Slide 105 - 105

    • 1. Lock Down Device
    • Create strong Password (over 15 characters)
    • Disable Remote Management (cannot access settings via Internet)
  106. 106

    Slide 106 - 106

    • 2. Turn on WPA2
    • On wireless router set WPA2 Personal
    • WPA2 Personal security option, which may be labeled as WPA2-PSK [AES], is turned on by clicking the appropriate option button
    • A key value, sometimes called a preshared key (PSK), WPA2 shared key, or passphrase, must be entered; this key value can be from 8 to 63 characters in length
  107. 107

    Slide 107 - 107

    • 2. Turn on WPA2
  108. 108

    Slide 108 - 108

    • 2. Turn on WPA2
    • After turning on WPA2 Personal on the wireless router and entering a key value, the same key value must also be entered on each mobile device that has permission to access the Wi-Fi network
    • A mobile device that attempts to access a wireless network with WPA2 Personal will automatically ask for the key value
    • Once the key value is entered, the mobile device can retain the value and does not need to ask for it again
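The 8-to-63-character rule from the previous slides comes from how WPA2 Personal turns the passphrase into the actual key: both the router and every device run PBKDF2-HMAC-SHA1 over the passphrase, salted with the network name (SSID), for 4096 iterations to get a 256-bit pre-shared key. This added example (not from the presentation) checks a candidate passphrase against that rule and performs the same derivation; the SSIDs and passphrases in the `__main__` block are constructed.

```python
import hashlib
from typing import Optional

# Added example, not from the presentation: WPA2 Personal passphrase check
# and pre-shared key (PSK) derivation as specified in IEEE 802.11i.

PSK_MIN_LEN = 8
PSK_MAX_LEN = 63

def validate_passphrase(passphrase: str) -> Optional[str]:
    """Return an error message, or None if the passphrase is acceptable.
    WPA2 Personal passphrases are 8 to 63 printable ASCII characters
    (code points 32 through 126)."""
    if not PSK_MIN_LEN <= len(passphrase) <= PSK_MAX_LEN:
        return (f"passphrase must be {PSK_MIN_LEN}-{PSK_MAX_LEN} characters, "
                f"got {len(passphrase)}")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        return "passphrase must contain only printable ASCII characters"
    return None

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK (the pairwise master key) for WPA2 Personal:
    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID,
    4096 iterations, 32 bytes of output.  The router and every device
    that knows the passphrase compute exactly this value, which is why
    the same key value must be entered on each of them."""
    err = validate_passphrase(passphrase)
    if err:
        raise ValueError(err)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

if __name__ == "__main__":
    # Constructed sample: the same passphrase on two differently named
    # networks yields two different keys, because the SSID is the salt.
    for ssid in ("HomeNet", "CoffeeShop"):
        print(ssid, derive_psk("correct horse battery", ssid).hex())
    print(validate_passphrase("short"))   # too short, rejected
```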
  109. 109

    Slide 109 - 109

    • Disable Bluetooth
    • When using a smartphone or tablet that supports Bluetooth, it is advisable to disable Bluetooth and turn on this service only as necessary
    • Bluetooth devices should be turned off when not being used or when in a room with unknown people
    • Another option is to set Bluetooth on the device as undiscoverable, which keeps Bluetooth turned on in a state where it cannot be detected by another device
  110. 110

    Slide 110 - 110

    • Beware of Imposters
  111. Using Public Wi-Fi

    Slide 111 - Using Public Wi-Fi

    • Limit type of work (not online banking or sending confidential information)
    • Do not set to automatically connect
    • Use sites that have digital certificates (encrypts all transmissions)
  112. Understand Certificates

    Slide 112 - Understand Certificates

  113. Understand Certificates

    Slide 113 - Understand Certificates

  114. Understand Indicators

    Slide 114 - Understand Indicators

    • No secure connection, so don’t enter sensitive information such as usernames and passwords
    • Successfully established a secure connection with the site
    • Detected insecure content on the page; be careful entering sensitive information
    • Detected either high-risk insecure content on the page or problems with the site’s certificate; don’t enter sensitive information
  115. Configure Mobile Device

    Slide 115 - Configure Mobile Device

    • Users should apply any security updates to their mobile devices promptly (if available, the automatic update option should be selected)
    • Enable auto-lock (password-protects the device when it has not been used for a set period of time)
    • Devices should be configured so they are locked by a strong password
    • When using the device’s Web browser, auto-complete features that remember usernames or passwords should be disabled
    • The Web browser on the mobile device should be configured properly for security
  116. Using Apps

    Slide 116 - Using Apps

    • Download apps only from reputable sources
    • Do not download third-party apps; instead use apps from reputable developers
    • Download and install an antivirus app
    • Download and install a remote wipe app that can erase the contents of the device if it is lost or stolen
    • Install and use tracing and tracking software to identify the location of the device
  117. New Approaches

    Slide 117 - New Approaches

    • “Security Across the Curriculum”
    • Adding practical security to Introduction to Computers course
    • Content added to freshman orientation course
    • Substitute practical security course for advanced Office applications course
    • Adding 1 hour ethics & practical security course
  118. Student Comments

    Slide 118 - Student Comments

    • As for the material presented in this class, it is great. I have found all the hands-on projects to be very useful. I would recommend this class to all students. Very useful!
    • I have to say that I was dreading this course because I am definitely not a "techie", but I have been surprised by how much I have enjoyed it so far. I love the hands-on projects!
    • Your class is interesting, informative, and would help anyone learn about what threats are out there, and what needs to be done to secure their system.
    • I'm actually having an awesome time with this class. It's kind of making me question switching my major to something more involved in the field of computer technology.
  119. Security Awareness 4e

    Slide 119 - Security Awareness 4e

    • Security Awareness: Applying Practical Security in Your World, 4e
    • Basic introduction to practical computer security for all users, from students to home users to business professionals
  120. Mark Ciampa

    Slide 120 - Mark Ciampa

    • Western Kentucky University
    • mark.ciampa@wku.edu
    • Adding Practical Security to Your Introduction to Computers Course