
Basics class references

These notes accompany the Security Awareness Basics class, currently in development.  Class availability will be announced.

You are the Target

Brian Krebs' diagram showing the different uses for a compromised computer

Social Engineering

For those interested in a deep dive, we offer a 40-minute anti-phishing seminar with a focus on social engineering.  The "In The News" tab (a summary of which is displayed on the "Welcome" tab) is an ongoing list of current warnings, many of which are about the types of social engineering we see happening.

The "County Password Inspector" comic came from the Saturday Morning Breakfast Cereal comic.

Email & Messaging

What happens when you click the link?  Two entries pasted from the Phishing presentation references page:

A quick blog entry from Sophos' "Naked Security" page* explores the possibilities.  They're talking about "unsubscribe" links in particular, but the same traps can be set under advertising links as well.
(*quite safe for work, not sure why they picked that name)

A tech blogger lets downloaded software have its way with a test virtual machine.  Don't try this at home, folks!  His point is that we should have better visibility into what's happening behind the scenes.  That's good for tech folks, but Microsoft and Apple have spent more than a decade sweeping the moving parts under the rug so we can focus on the experience. I think the better takeaway is, "hey, look at all the stuff that can happen if you click the link and keep on following directions!"

Web Browsing

The links for Email & Messaging apply here as well -- compromised web sites and malicious advertising are just more ways to lure you into clicking a bad link.

To stop using Flash, you can either set your browser to ask before launching Flash content, or remove its Flash plug-in.  The first option gives you an out if there's some content you really need that won't show any other way, but also puts you at risk if that content turns out to be malicious.  The second option, of course, absolutely protects you from Flash compromises, but locks you out of content provided by websites still using Flash.

Managing plug-ins:

in Firefox:  Navigate to the Add-ons menu and select the Plug Ins on the left margin.  You may have to scroll down to find Shockwave Flash.  Set the option to Ask to Activate.

in MS Internet Explorer:  From the gear icon, navigate to Manage Add-ons; make sure Show is set to All add-ons; select Toolbars and Extensions; highlight Shockwave Flash Object and then click Disable in the lower right corner.

in Chrome:

in Safari:

Note that Apple mobile devices no longer support Flash at all because of security issues, among other things.

Removing Flash:  In Windows systems, Flash is found in the Control Panel under Programs and Features.  Windows web browsers do not uninstall this directly.

Social Networks

The FaceCrooks website is filled with examples of how personal information is leveraged by Facebook, and sometimes outright stolen by advertisers.  Although they focus on Facebook itself, the kinds of attacks they analyze can be found on any social site.

The Cloud

Here are the Dropbox terms of service.  Have a glance over the "Termination", "Service AS IS" and "Limitation of Liability" paragraphs.

Data Security


Passwords

There's another 40-minute seminar on building strong passwords and on using password manager software.  The references have their own page.

The math slide used absurdly short password lengths so that you could reproduce the numbers on the Windows calculator app.  The general formula is:

[the size of the character set used (e.g., 26 for an all-lower-case-letter password)] raised to the power of [the length of the password] equals [the total number of guesses needed to check every possible combination].

If the password sought isn't the very last one checked, it could take many fewer guesses (and much less time) to work out a password.
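The keyspace arithmetic above, carried a little further as an added example (this is not code from the class or its slides): it computes the character-set-to-the-power-of-length total for several common character sets, the average number of guesses when the password sits at a random position in the search order, and how long an exhaustive search would take at an assumed guessing rate.  The character-set sizes, the password lengths and the guesses-per-second figure in the table are all assumptions chosen for illustration, not numbers from the slide.

```python
"""Password keyspace math: charset_size ** length, and what it means in time.

Added illustration for the Basics class notes.  All guess rates and the
example lengths below are assumed values for demonstration only.
"""

# Assumed character-set sizes (number of distinct characters a password
# may draw from).  26 lower-case letters is the example used in the notes.
CHARSETS = {
    "lower-case letters": 26,
    "lower-case + digits": 36,
    "upper + lower-case letters": 52,
    "upper + lower + digits": 62,
    "all printable ASCII": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Total number of candidate passwords: charset_size raised to length.

    This is the worst case: the number of guesses needed to try every
    possible combination.
    """
    if charset_size < 1 or length < 1:
        raise ValueError("character set size and length must be positive")
    return charset_size ** length


def expected_guesses(charset_size: int, length: int) -> float:
    """Average guesses when the password is at a random position in the
    guessing order: (N + 1) / 2 for a keyspace of N candidates."""
    return (keyspace(charset_size, length) + 1) / 2


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Wall-clock seconds to try the entire keyspace at the given rate."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return keyspace(charset_size, length) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds as the largest sensible unit with one decimal place."""
    units = [
        ("years", 365 * 86400),
        ("days", 86400),
        ("hours", 3600),
        ("minutes", 60),
        ("seconds", 1),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return "under a second"


def keyspace_table(lengths=(4, 8, 12), guesses_per_second=1_000_000):
    """Build rows of (character set, length, keyspace, time to exhaust).

    The 1,000,000 guesses/second default is an assumed rate for illustration.
    """
    rows = []
    for name, size in CHARSETS.items():
        for length in lengths:
            rows.append((
                name,
                length,
                keyspace(size, length),
                human_duration(seconds_to_exhaust(size, length, guesses_per_second)),
            ))
    return rows


if __name__ == "__main__":
    # Reproduce the calculator-sized numbers first, then the bigger picture.
    print("26 lower-case letters, length 4:", keyspace(26, 4))
    for name, length, total, when in keyspace_table():
        print(f"{name:28s} length {length:2d}: {total:>28,d} guesses, {when}")
```

Each added character multiplies the keyspace by the character-set size, which is why length beats complexity in the table: twelve lower-case letters take far longer to exhaust than eight characters drawn from all printable ASCII.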

Encryption


WiFi Security


Data Destruction


Physical Security


Mobile Devices


Working Remotely


Senior Leadership

Omaha Scoular $17m wire fraud article
The New York Times on the "Carbanak" bank robberies

International Travel


Hacked!

Please see the Identity and Finance Management page for full details on recovering from identity or credit card theft.

There are pretty good tools available from AVG and others for disinfecting a compromised computer, but often the best course of action is to reformat the computer, reload the software, and get your documents, photos, music etc. back from backup.  Please get expert help in making those decisions!