Presented by: Ahmad Salah

eng.ahmad.salah84@gmail.com
https://twitter.com/AhmadSalahE
eg.linkedin.com/pub/ahmad-salah/32/b11/4a3
http://ahmadsalahe.blogspot.com/
•   Why Should We Protect Our Data?
•   Who Is The Hacker?
•   Why Is the Hacker Interested In Hacking Us?
•   Misconceptions
•   How Not To Be An Easy Target?
Data

•   Banking Information
•   Usernames and Passwords
•   Intellectual Property and Trade Secrets
•   Personal Files and Photos
Data

Person Uses Computer

•   Money
•   Entry Point
•   Identity Theft
•   Cover Tracks
•   Antivirus doesn’t protect against zero day attacks
•   Antivirus doesn’t protect against malware
•   Antivirus doesn’t protect against network attacks

•   Doesn’t protect when you click on a malicious link
•   Doesn’t protect when you open an infected file
Phishing Attacks are very easy and effective

•   I Sent This Mail
•   Fake Email Address
•   Infected Attachment
•   Malicious URL
•   No one will ask you to reset your password via email
•   You will not win a prize or trip from an email
•   Verify that the email comes from a trusted source
•   Avoid following shortened links or links that contain an IP address
•   Move the mouse cursor over the hyperlink before clicking
•   Don’t open attachments unless you verify them with the source
•   Copy the link to your address bar instead of clicking on it
Brute-force Attack

1) Use long passwords
2) Use complex passwords
3) Change your password frequently

Password length         Estimated time to crack    Estimated time to crack
                        password 4 years ago       password nowadays
8-character password    22875 years                3 days
Dictionary Attack

1) Use an unpredictable password
2) Don’t use predictable combinations e.g. (name-birth year)
3) Avoid keyboard character sequences e.g. 1234
•   Use a passphrase instead e.g. “I G0 2 School Daily”
•   Don’t let the browser remember your password
•   Make your email password very complex
•   Don’t share the same password across multiple websites
•   Ensure that the traffic is encrypted (https:// before the URL)
•   Check that there is a padlock located on the address bar
•   Check that the personal firewall is enabled
•   Avoid online banking
•   Avoid connecting to your company via VPN


•   Change the encryption to WPA2 or at least WPA
•   Use a very complex password
•   Hide the SSID


•   Don’t give untrusted people physical access to your PC
•   Avoid using USB memory as much as you can
•   Cover the webcam unless it is in use
1) Switch over to HTTPS.
2) Don’t click on suspicious links

1) Don’t follow shortened URLs

1) Don’t post too much information
2) Switch over to HTTPS.
•   Use a dedicated computer
•   Use an updated browser, operating system and antivirus
•   Ensure that the personal firewall is enabled
•   Don’t open other tabs while online banking
•   Don’t share banking information via email
•   Don’t store any banking information on your PC
•   Enter the URL of the online banking website manually
•   Log out once you are finished
•   Install antimalware
•   Update the operating system, web browsers, PDF readers, office, flash player and any other application
•   Disable USB auto run
trendmicrofamilysecurity.com
How not to be an easy target


Editor's notes

  1. I chose this topic to make clear that there is no such thing as 100% secure, but we can put in some effort so that we are not easy targets for hackers. For example, you would not leave your car doors open and say, “Who will steal my car?”
  2. Banking Information: recently there has been a lot of malware targeting banking information: Zeus, SpyEye and, most recently, Gauss, a new malware that infects computers and captures banking login information. What if you find from your bank statement that you have been robbed?
     Usernames and Passwords: personal social network accounts, VPN access to company assets, banking login information, personal email (hackers love getting usernames and passwords).
     Intellectual Property: this may be the most valuable thing the organization has. What if you are a KFC employee, your computer is hacked because you downloaded infected attachments to your PC, and as a result the KFC trade secret is exposed to the public?
     Personal Files and Photos: what if you find that your personal photos have been published on the internet?
  3. A hacker can be a person or a cybercrime organization.
  4. Zero Day Attacks: the developers don’t know anything about the attack, so they have not created a patch for it. Hackers nowadays are very well educated and trained to discover new vulnerabilities.
     Network Attack: for example MITM, which means that the attacker intercepts every single packet originating from you and every single packet coming to you, and can modify the data too.
  5. Malicious Link: in this case your PC calls back to the hacker, so the traffic originates from your PC and appears to the firewall as legitimate traffic.
     Infected File: same as the malicious link.
  6. Phishing is attempting to acquire information such as usernames, passwords and credit card details by pretending to be a trustworthy entity or person.
     Easy: if I want to hack a company I have two options: either bypass all the security measures, or just send a malicious mail to one of the employees and access the company network.
     Password: security administrators, mail administrators, bank staff.
     Prize: ignore mails that say you have won a prize and that to get it you have to click a link or reply with your banking information.
     Trusted source: for example GOOGLE, not G00gle.
     Shortened links: mail puts no restriction on the number of characters, so there is no need to use shortened links. An IP address means that the destination hasn’t registered a domain name, so it is very suspicious.
     Mouse: to see whether the URL is suspicious or not.
     Attachments: if you are not expecting an attachment, there is no need to open it. Even if it is an Excel sheet, it might be malware. If you receive a mail from one of your contacts, it is good practice to call him and verify that he sent you the attachment, because his mail account may have been hacked.
     Copy: sometimes there is something hidden in the URL.
  7. I thought it would be good practice to tell you about the common password attacks, so that you know why you should make your passwords complex.
     Brute Force Attack: trying all possible combinations until the correct password is reached. This attack will get the password for sure, but it is sometimes impractical because of the long time it requires. That time has been significantly reduced, though: because of rapid advances in processing power, it is now possible to try 33 billion passwords per second, while it was less than 10 000 passwords per second four years ago. For example, if the password is 8 characters of lowercase and uppercase, that is 26 power 8 + 26 power 8, instead of 26 power 8 for lowercase only.
     Complex: upper case, lower case, digits, special characters.
     Dictionary Attack: trying every single word in a dictionary in order to find a possible match.
     Passphrase: long and easy to remember.
     Browser remembering your password: because it is stored in clear text and is easy to get when your computer is hacked.
     Email password: very important, because most other passwords can be reset by sending you an email.
     Don’t share the same password across multiple websites: don’t put all your eggs in one basket, e.g. the LinkedIn incident, when six million accounts were leaked.
     Padlock: means that you are visiting the website you are expecting and that the traffic is encrypted, so no one is looking at your traffic while the transaction (online banking, typing a password) is processed.
  8. Wireless: your traffic moves through the air, so it is very easy for a hacker to see what you are doing, capture passwords, modify the traffic and gain access to your computer, because he is on the same network.
     Personal firewall: to protect your PC from being hacked.
     VPN: to protect your company from being hacked through you.
     Encryption: the most protective thing you can do. It is very hard to crack a WPA2 wireless network, while a WEP network can be cracked in less than 5 minutes.
     Password: to make it difficult for the attacker to gain access to your home network.
     Hide the SSID: this will just help.
  9. Untrusted people: even if you are using a very complex password, it is easy to crack if I have physical access to your PC.
     USB: it is an excellent medium for spreading malware.
     Webcam: if you are hacked, the attacker may have access to your webcam and record without your knowledge.
  10. https: to ensure that your traffic is encrypted, so that no one can understand it even if he can see it.
     Suspicious links: Facebook hackers often use your friends to send you messages or wall posts with harmful links. Usually these can be detected if they seem uncharacteristic of your friends, but beware of generic messages such as "I just found the coolest video!" or "Do you remember when we did this?" If ever in doubt, ask them before you open something that could be harmful.
     Shortened URLs: Twitter is limited to 140 characters, so people use shortened URLs. These can infect your PC easily because you can’t see what the actual URL is. You can limit this to trusted Twitter handles, avoid tweets that are too good to be true, and unshorten the links at http://www.unshorten.com
     Much information: your phone number and detailed work experience, because this information can be used in social engineering against you. For example, an attacker can call you, tell you that your manager has delegated to him the responsibility of auditing something related to your work, and then convince you to give more information via email, saying that you have to respond fast because the manager is expecting the result of the audit from him soon.
  11. Dedicated computer: it is good practice to use a dedicated computer.
     Updated: to mitigate the common attacks.
     Tabs: to protect against the case where you click a malicious link and the attacker initiates a request from your browser to transfer money to his account. This attack is called CSRF.
     Share: the bank will never ask you for your banking information (PIN, account number, user password) via email.
     Store: because if your PC is hacked, hackers search for any banking information.
     Manually: to protect against being directed to a malicious website that may steal your banking information.
     Logout: logging out protects your cookies from being stolen and used to gain access to your account.
  12. Anti malware: to protect you from malware, which can badly affect your privacy.
     Update: so that you are not attacked by common threats, and to protect yourself from threats that are introduced when a new update is released.
     USB auto run: a feature that shows you a menu to execute programs or view files. It also introduces a lot of malware to your computer.
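
The link checks from note 6 (IP-address hosts, shortened links, "GOOGLE, not G00gle", the hover check and text hidden in the URL) written as a small triage function. This is an added example, not part of the original slides; the trusted-domain list, shortener list, flag names and sample links are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed lists for this example; maintain your own in practice.
TRUSTED = {"google.com", "mybank.example"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}
# Digit-for-letter swaps of the "G00gle" kind: 0->o, 1->l, 3->e, 4->a, 5->s.
DELEET = str.maketrans("01345", "oleas")
# A host name at the start of the text the reader sees for the link.
HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


def _under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def link_flags(href, shown_text=""):
    """Return the reasons a link deserves a second look (empty list = none)."""
    try:
        parts = urlsplit(href.strip())
    except ValueError:
        return ["unparseable-url"]
    host = (parts.hostname or "").rstrip(".")
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    if not host:
        return flags + ["no-host"]
    if _is_ip(host):
        # No registered domain name behind the link.
        flags.append("ip-address-host")
    elif any(_under(host, s) for s in SHORTENERS):
        # The real destination cannot be read from the link.
        flags.append("shortened-link")
    elif not any(_under(host, d) for d in TRUSTED):
        plain = host.translate(DELEET)
        for domain in sorted(TRUSTED):
            if plain != host and _under(plain, domain):
                flags.append("lookalike-of:" + domain)
    if parts.username is not None:
        # "https://trusted-name@other-host/": the part before @ is not the host.
        flags.append("userinfo-before-host")
    shown = HOST_IN_TEXT.match(shown_text.strip().lower())
    if shown and not (_under(host, shown.group(1)) or _under(shown.group(1), host)):
        # What hovering reveals: the text names one host, the link goes to another.
        flags.append("text-href-mismatch")
    return flags


# Constructed sample: (href, text shown to the reader).
SAMPLE_LINKS = [
    ("https://www.google.com/accounts", "Google account"),
    ("http://g00gle.com/login", "Sign in"),
    ("http://203.0.113.7/reset", "Reset your password"),
    ("https://bit.ly/3xAmPle", "Claim your prize"),
    ("https://www.google.com@198.51.100.9/a", "www.google.com"),
]


def triage(links):
    """Map each flagged href to its list of flags; clean links are omitted."""
    report = {}
    for href, text in links:
        flags = link_flags(href, text)
        if flags:
            report[href] = flags
    return report


if __name__ == "__main__":
    for href, flags in triage(SAMPLE_LINKS).items():
        print(href, "->", ", ".join(flags))
```

An empty result only means none of these heuristics fired; the attachment and sender checks from the notes still apply.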
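
The brute-force figures from the slide table, recomputed from the two guess rates given in note 7, and then turned around to ask how long a password must be at today's rate to get the old margin back. This is an added example, not part of the original slides; the 96-symbol alphabet and the 365-day year are assumptions, chosen because they reproduce the slide's 22875 years and 3 days.

```python
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY      # assumption: 365-day year

# Guess rates quoted in note 7 (guesses per second).
RATE_FOUR_YEARS_AGO = 10_000
RATE_NOWADAYS = 33_000_000_000

# Assumption: 96 symbols per position. The slide does not state its alphabet;
# 96 is the size that reproduces both of its figures.
PRINTABLE = 96
LOWERCASE = 26


def keyspace(alphabet, length):
    """Number of candidate passwords an exhaustive search must cover."""
    return alphabet ** length


def worst_case_seconds(alphabet, length, rate):
    """Time to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet, length) / rate


def slide_row(length=8, alphabet=PRINTABLE):
    """Rebuild the slide's row: (whole years at the old rate, days rounded up now)."""
    then = worst_case_seconds(alphabet, length, RATE_FOUR_YEARS_AGO)
    now = worst_case_seconds(alphabet, length, RATE_NOWADAYS)
    return int(then // SECONDS_PER_YEAR), math.ceil(now / SECONDS_PER_DAY)


def min_length(alphabet, rate, years):
    """Shortest length whose exhaustive search lasts at least `years`.

    Integer arithmetic throughout, so large keyspaces do not lose precision.
    """
    needed = years * SECONDS_PER_YEAR * rate
    length = 1
    while keyspace(alphabet, length) < needed:
        length += 1
    return length


def report():
    """Lines comparing the slide's 8-character case with the lengths needed today."""
    years_then, days_now = slide_row()
    lines = [
        f"8 characters, {PRINTABLE} symbols: {years_then} years then, "
        f"about {days_now} days now"
    ]
    for name, alphabet in (("lowercase only", LOWERCASE), ("96 symbols", PRINTABLE)):
        n = min_length(alphabet, RATE_NOWADAYS, years_then)
        lines.append(f"{name}: {n} characters to last {years_then} years at today's rate")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

These are exhaustive-search bounds for randomly chosen passwords; a dictionary attack, as described in note 7, does not need to cover the whole keyspace.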