COMPUTER SECURITY
PRINCIPLES AND PRACTICES

INTRODUCTION
• My Background
• Some questions for you
• Why computer security? – Principle of Incarnation
• What this presentation covers (and does not cover)
  * Computers – end user, not corporate office
  * Smartphones (tomorrow?)
• Not communication principles
• Not Social Media security – assume there is NONE! (e.g. facial recognition)
• Not Physical security of electronic devices. (Airports; Don’t set down

SERVICE ANNOUNCEMENT – DON’T USE OUT-OF-DATE SOFTWARE
• Win XP is dead
• So is MS Office 2003

SECURITY PRINCIPLES – 1) GET RIL
Get RIL (Risk = Impact * Likelihood), i.e. Assess your Risk of incursion
• Nothing 100% Secure
• Understand the threat source
  Random target (opportunistic)
  Targeted: e.g. from APT – Advanced Persistent Threat

SECURITY PRINCIPLES – 2) LAYERED DEFENSE
Layered Defense
• If a hacker breaks through one layer, they will still not have full access to information
• E.g. Use a strong password and have VPN enabled, and 2-factor authentication for bank account

SECURITY PRINCIPLES – 3) BE PRACTICAL
Be Practical
• Security measures are inversely correlated with ease-of-use
• "Know Thyself" - If too difficult, you will bypass
• Good security applied consistently is BETTER than strong security used sporadically

DATA AT REST - #1
1) Backup your important data!! No excuses!
2) Keep Computer free from malware
   a) Keep OS Updated
      Don’t use illegal, pirated software - otherwise it will not be updated
   b) Update 3rd party applications (Java, Adobe, etc.)
   c) Run up-to-date Antivirus
3) Software-level firewall turned on

DATA AT REST - #2
5) Data Encryption
   (A) Full Disk: Why? Why not?
       Win7 (TrueCrypt); Win8 (BitLocker), Mac (FileVault)
   (B) Encrypted Volume (Hidden?)
   (C) Encrypted in the Cloud (eg Wuala)
   (D) Encrypt flash drives (TrueCrypt)
   (E) Make sure backups are encrypted

DATA IN TRANSIT - #1 VPN
1) Virtual Private Network (VPN)
   a) Creates encrypted "tunnel" for all network traffic
How a Personal VPN Works (non-corporate VPN):
   1. Encrypted from computer to Tunnel Endpoint (Provider);
   2. Then unencrypted to final destination

DATA IN TRANSIT - #1 VPN - CONTINUED
2) When to use a VPN?
   a) On public network (wired or wifi)
   b) When concerned about unsecured traffic being read (by gov’t)
   c) Part of your Layered Defense
3) Different levels of VPN security (based on protocol and provider)
   a) Protocols: Best: IPSec, OpenVPN. Good: L2TP. Worst: PPTP.
   b) Providers: GSEA, StormWind, ConnectMyWorld, DarkWireVPN OR

DATA IN TRANSIT - #2 SECURE EMAIL
2) Secure Email - A misnomer/oxymoron?
   a) Typically Defined: “Encrypted from you to provider and between mail servers”.
   b) You may use Secure Provider – but is other end secured?
   First Picture: only your email is encrypted

DATA IN TRANSIT - #2 SECURE EMAIL - CONTINUED
   a) Some Email Considerations and Providers
      i. *Not* Yahoo!, Hotmail, - question about Google (index messages, gov’t access) – free product means YOU are the product!
      ii. Some Providers: GSEA, fastmail.fm, generalmail.com, hetzner.de, neomailbox.com, xc.org, etc. (many allow your own domain name)
      iii. Also use VPN? (Layered Defense)
   b) Think about “Email At Rest” - What if computer is accessed? If sensitive email, read in web browser or install email client on encrypted disk
   c) PGP (GPG) is best, but too difficult for most to understand or implement (encrypted from mail client to mail client)

DATA IN TRANSIT - #3
3) Personal WiFi
   a) Turn on encryption (WPA2)
   b) Administrative password on hardware device (router or Access Point)
4) Public WiFi
   a) Traffic can be read; turn on VPN
   b) Especially be wary at airports and highly trafficked locations
      a) Only connect to legitimate airport-provided wifi
         i. E.g. Don’t connect to wifi named: “Free WiFi” - except in Helsinki?

PRINCIPLES FOR PASSWORD USE
1) Don’t use the same password for all accounts ! ! !
2) Use Strong Passwords for accounts that matter - PASSPHRASE
   1) E.g. 1) first letters of words in sentence/verse, w/changes; 2) primary passphrase w/changes
   2) No personal info within password/passphrase
3) Keep passwords in encrypted "password vault" program
   a) E.g. Roboform, LastPass, Dashlane (synced across devices for pay) - KeePass (free - local only) - 1Password (Mac)
   b) Do *not* let web-browser remember your passwords! (Not a “vault”, but “advertisement”)

PRINCIPLES FOR PASSWORD USE - CONTINUED
4) Use two-factor authentication where possible, e.g. Bank, Gmail, Facebook, Dropbox, Evernote, etc.
5) Beware of the "password recovery" questions. -- Lie! :-)
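
The password principles above (no reuse, passphrase built from the first letters of a verse with changes, no personal info) can be checked mechanically. The following Python script is an added example, not from the presentation; the function names, the entropy rule of thumb (length times log2 of the character-class pool), the tiny COMMON_PASSWORDS list and the sample accounts are all constructed for illustration. It derives a passphrase the way the slide suggests and then audits an account-to-password map for reuse, weakness and personal information, grouping by SHA-256 digest so the reuse report never holds plaintext.

```python
"""Password-principle checks (added example, not part of the original slides)."""
import hashlib
import math
import re
from collections import defaultdict

# Constructed sample list; a real check would use a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def passphrase_from_sentence(sentence, substitutions=None):
    """Slide method: first letters of the words in a sentence or verse, with the
    user's own changes given as a substitution map (e.g. 'o' -> '0')."""
    subs = substitutions or {}
    words = re.findall(r"[A-Za-z0-9']+", sentence)
    return "".join(subs.get(w[0], w[0]) for w in words)


def estimate_bits(password):
    """Rough strength estimate: length * log2(size of the character classes used).
    It ignores dictionary words, so it is paired with the COMMON_PASSWORDS check."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def rate_password(password):
    """'weak' for common or low-entropy passwords, 'ok' for moderate, 'strong' above 64 bits."""
    if password.lower() in COMMON_PASSWORDS:
        return "weak"
    bits = estimate_bits(password)
    if bits < 40:
        return "weak"
    if bits < 64:
        return "ok"
    return "strong"


def contains_personal_info(password, facts):
    """Slide principle: no personal info within the password. `facts` are strings such
    as a pet's name or a birth date; every alphanumeric token of 3+ characters is checked."""
    haystack = password.lower()
    for fact in facts:
        for token in re.findall(r"[A-Za-z0-9]{3,}", fact.lower()):
            if token in haystack:
                return True
    return False


def find_reused_passwords(accounts):
    """Slide principle 1: don't use the same password for all accounts. Accounts are
    grouped by a SHA-256 digest of the password, so the report holds no plaintext."""
    groups = defaultdict(list)
    for account, password in accounts.items():
        digest = hashlib.sha256(password.encode()).hexdigest()
        groups[digest].append(account)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


def audit(accounts, facts):
    """Run every check over an account -> password map; returns issues per account."""
    reused = {name for group in find_reused_passwords(accounts) for name in group}
    findings = {}
    for account, password in accounts.items():
        issues = []
        if account in reused:
            issues.append("reused")
        if rate_password(password) == "weak":
            issues.append("weak")
        if contains_personal_info(password, facts):
            issues.append("personal-info")
        findings[account] = issues
    return findings


if __name__ == "__main__":
    # Constructed sample data for illustration only.
    verse = "The quick brown fox jumps over the lazy dog, 1999!"
    pw = passphrase_from_sentence(verse, {"o": "0", "t": "+"})  # -> "Tqbfj0+ld1"
    sample_accounts = {"bank": pw, "email": pw, "forum": "password", "shop": "Fluffy2014!"}
    for account, issues in audit(sample_accounts, ["Fluffy", "1985-03-14"]).items():
        print(f"{account}: {', '.join(issues) or 'no findings'}")
```

Running the script reports the bank and email accounts as sharing one password, the forum password as weak, and the shop password as containing the pet's name, even though its length and character mix would otherwise rate as strong; that last case is why the personal-info check is kept separate from the entropy estimate.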

CONFIGURATION EXAMPLES
Consider the following examples: What fits for you?
1) Encrypt Entire Hard Drive – why or why not? Even email program (e.g. Outlook) would be encrypted.
2) Minimalist/Travel Machine: “Take no data”. Carry clean device; access all data from *encrypted* cloud provider (like Wuala) - or on local hidden, encrypted volume.
3) Secure email application: on hidden, encrypted volume. Portable application. Secure provider. Requires VPN to be accessed.

OTHER RESOURCES – TOOLS AND PROVIDERS
1) Educate yourself; YOU are your worst enemy.
   A. Online Training Class on “Computer Security Essentials & You” www.EquipHisPeople.com - Cost: 5 Euro via PayPal