Introduction to Computer Science
Security and Privacy
Lecture d
This material (Comp 4 Unit 7) was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number 90WT0001.
This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/.
Security and Privacy
Learning Objectives - 1
• Define cybercrime and cybersecurity (Lecture a)
• List common information technology (IT) security and privacy concerns (Lecture a)
• List hardware components that are usually attacked by hackers (Lecture a)
• Explain some of the common methods of attack (Lecture b)
Security and Privacy
Learning Objectives - 2
• Describe common types of malware (Lecture b)
• Explain social engineering methods used by cybercriminals (Lecture b)
• Describe methods and tools available for protection against cyberattacks (Lecture c)
• Describe practices designed to minimize the risk of successful cyberattack (Lecture d)
Security and Privacy
Learning Objectives - 3
• Address specifics of wireless device security (Lecture d)
• Explain security and privacy concerns associated with EHRs (Lecture e)
• Describe security safeguards used for health care applications (Lecture e)
• Provide the basics of ethical behavior online (Lecture e)
Safe Practices
• Follow password guidelines
• Secure your operating system and files
• Install anti-malware software
• Promptly install security updates
• Engage in safe browsing
• Manage cookies
• Use a firewall
• Know who uses your computer
Password Guidelines - 1
• Don’t use something that can be easily guessed (search for “most common passwords” to see what NOT to use)
– Family or pet names
– Place or date of birth
• Complexity is good
– Minimum of 8 characters
– Combine uppercase and lowercase letters, digits, and special characters
Password Guidelines - 2
• Protect it
– Never share it with anyone
– Never include it in an email or text
– Don’t write it down
– Don’t store it in an online document
• Use different passwords in different places
• Change passwords regularly; don’t re-use old passwords
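The checks from both Password Guidelines slides, as an added example in Python that is not part of the original lecture. The common-password sample, the personal-terms input and the PBKDF2 work factor are assumptions made for the illustration; old passwords are kept only as salted hashes so the re-use rule can be enforced without storing them.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8  # minimum length given on the slide
# Constructed sample; a real deployment would load a published
# "most common passwords" list instead.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "password1"}
PBKDF2_ROUNDS = 200_000  # assumption: work factor chosen for this example


def hash_password(password, salt=None):
    """Return (salt, digest) so an old password can be compared without storing it."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_reused(password, history):
    """history is a list of (salt, digest) pairs for previously used passwords."""
    for salt, old_digest in history:
        _, digest = hash_password(password, salt)
        # Constant-time comparison of the two digests.
        if hmac.compare_digest(digest, old_digest):
            return True
    return False


def check_password(password, personal_terms=(), history=()):
    """Return a list of guideline violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    # personal_terms: family or pet names, place or date of birth (hypothetical input).
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append("contains personal detail: " + term)
    if is_reused(password, history):
        problems.append("re-uses an old password")
    return problems


if __name__ == "__main__":
    old = [hash_password("Old-Passw0rd!")]  # constructed password history
    for candidate in ("rex2015", "password", "Old-Passw0rd!", "Tr1cky&Unrelated"):
        print(candidate, check_password(candidate, ["Rex", "2015"], old))
```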
Secure Your Operating System
• Install critical operating system updates
– For Windows operating systems, critical updates fix security flaws and should be installed immediately
– Optional updates - install only if needed
• Install application software security patches
Install Anti-Malware (AM) Software
• Commercial AM software is more robust than free AM software
• AM software works by recognizing malware signatures held in a signature database
– Signature database should be updated daily
• If installing more than one AM, verify that they are compatible
Engage in Safe Browsing
• Do not click a link within an email unless absolutely sure it is coming from a trusted source
• When surfing, never click on a pop-up unless absolutely sure of its owner
• Do not click anywhere on or in the pop-up window
• Press ALT+F4 to terminate pop-ups
Manage Cookies
• Cookie: A text file that a website puts on your computer
• Cookies cannot harm a computer
• Websites and advertisers use cookies to gather information about your online activities
Types of Cookies
• First-Party Cookie
– Comes from site you are visiting
– Enables multi-item purchases in a single transaction
• Third-Party Cookie
– Comes from companies authorized by the website’s owners
– Interested in where you go and what you do, not who you are
– Visiting a single website can result in multiple third-party cookies being placed on your computer
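How the first-party / third-party distinction can be decided from the Set-Cookie headers a browser receives, as an added example in Python that is not part of the original lecture. It applies the recommendation from the speaker notes for this slide (accept first-party, reject third-party, allow session cookies), read here as "a session cookie is allowed from either party"; the hosts and headers are constructed samples, and the last-two-labels site rule is a simplifying assumption.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def site_of(host):
    """Approximate the registrable domain as the last two labels.

    Assumption for this example: real browsers use the Public Suffix List,
    so names under suffixes such as co.uk need that list to be handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(page_host, response_host, header):
    """Describe one cookie relative to the page the user is visiting."""
    name, _, attrs = parse_set_cookie(header)
    # First-party: set by the site being visited. Third-party: set by another site.
    party = "first" if site_of(response_host) == site_of(page_host) else "third"
    # A cookie with neither Expires nor Max-Age is erased when the browser closes.
    persistent = "expires" in attrs or "max-age" in attrs
    return {"name": name, "party": party,
            "lifetime": "persistent" if persistent else "session"}


def decide(cookie):
    """Accept first-party cookies and session cookies; reject the rest."""
    if cookie["party"] == "first" or cookie["lifetime"] == "session":
        return "accept"
    return "reject"


def apply_policy(page_host, responses):
    """responses: list of (host that answered, Set-Cookie header value)."""
    results = []
    for response_host, header in responses:
        cookie = classify(page_host, response_host, header)
        results.append((cookie["name"], cookie["party"],
                        cookie["lifetime"], decide(cookie)))
    return results


# Constructed sample: one page visit that pulls content from four hosts.
PAGE_HOST = "shop.example.com"
SAMPLE_RESPONSES = [
    ("shop.example.com", "cart=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.com", "prefs=dark; Max-Age=31536000; Path=/"),
    ("ads.tracker.example.net",
     "uid=778899; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=tracker.example.net"),
    ("cdn.widgets.example.org", "tmp=1; Path=/"),
]

if __name__ == "__main__":
    for row in apply_policy(PAGE_HOST, SAMPLE_RESPONSES):
        print(row)
```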
Use a Firewall
• Permit or deny the ability to connect to another computer
• Disables ports that should not be open and restricts use of ports to certain programs
Know Who Uses Your Computer
• Require that all users have their own account
– Track who has logged in and some of the things they do while logged in
• Don’t log in using the administrator account unless necessary
– As soon as you finish the task needing administrator permission, log out of that account
• Don’t set up users as administrators
Additional Internet Security Considerations
• Never use a public computer to conduct personal business
• Always log out of any session before leaving the computer
• Do not click on an email from an unknown sender
• Do not open or save an email attachment unless the sender is known and trusted
Security and Wireless Networking
• Wireless networks are unsecure by their very nature
– Home networks
– Hot spots
– Campus environments
• Wireless networks are everywhere in medical environments
– Doctors and nurses move from room to room constantly
Wireless Device Security
• Wireless Access Points (WAPs) must be configured for security:
– Change default password
– Select unique SSID
– Do not broadcast SSID
– Require WPA2 authentication
– Restrict access to known devices
o Can program MAC addresses into WAP memory
Security and Privacy
Summary – Lecture d
• Described practices designed to minimize the risk of successful cyberattack
• Addressed specifics of wireless device security


Editor's Notes

  • #2: Welcome to the Introduction to Computer Science: Security and Privacy. This is Lecture d. The component, Introduction to Computer Science, provides a basic overview of computer architecture; data organization, representation and structure; the structure of programming languages; and networking and data communication. It also includes the basic terminology of computing.
  • #3: The objectives for this unit, Security and Privacy, are to: define cybercrime and cybersecurity; list common information technology, or IT, security and privacy concerns; list the hardware components that are usually attacked by hackers; and explain some of the common methods of attack.
  • #4: Describe common types of malware; explain social engineering methods used by cybercriminals; describe methods and tools available for protection against cyberattacks; and describe practices designed to minimize the risk of successful cyberattack.
  • #5: Address specifics of wireless device security; explain security and privacy concerns associated with Electronic Health Records, or EHRs; describe security safeguards used for health care applications; and provide the basics of ethical behavior online.
  • #6: In this lecture, we will describe practices designed to minimize the risk of a successful cyberattack, and address the specifics of wireless device security. Everyone should follow these commonsense safe practices. Although these safe practices cannot eliminate the risk of a hacker penetrating your system or getting access to confidential data, following these practices will significantly reduce the risk. Each of these will be discussed in more detail in this presentation: following password guidelines, which are designed to make guessing or breaking your password more difficult; securing your operating system and files; installing anti-malware software; installing security updates promptly for the operating system and application software, which is essential for eliminating newly discovered security holes; engaging in safe browsing; managing cookies, which is important for your privacy; using a firewall to minimize the risk of intrusion; and, if you are not the only user of the computer system, knowing who else uses it and what administrative rights they have.
  • #7: One safe practice is using passwords. A good rule of thumb is not to use as a password any words or numbers that could be easily guessed. Search the Internet for the most commonly used passwords, then don’t use those passwords. Avoid using your own name and names of family members or pets. Avoid using your place and date of birth. Use complex passwords. A complex password is usually at least eight characters in length, and includes at least one uppercase character, one lowercase character, one number, and one special character.
  • #8: Keep your password a secret. Never send it in an email or a text message. Don’t write it down or store it in an online document. Use different passwords for your different accounts. Hackers know that many people tend to use the same password for all of their online accounts. In addition, it is a good practice to change your password regularly. Many companies require employees to change their password every 30, 60, or 90 days and don’t allow password re-use.
  • #9: Another safe practice to help prevent becoming a victim of a cyberattack is to secure your computer’s operating system. This includes installing critical updates promptly. Critical updates fix security flaws and should be installed as soon as they are released. Optional updates should not be automatically installed. Install an optional update only if it provides some new functionality that you want or fixes a problem. For example, an optional update that relates to a printer that is not working properly should probably be installed. Sometimes there are releases of application software updates that are critical to computer security. An example is critical security patches from Oracle for its Java product. Always install software security patches right away.
  • #10: After securing the operating system, another safe practice is to secure your files by installing anti-malware, or AM, protection software. Commercially available AM software is more robust than free AM software. Commercial software will catch and quarantine almost all Trojan, virus, and worm attacks before they do any harm to a computer. AM software works by recognizing patterns and stopping what it considers to be bad behavior. These patterns are known as signatures and should be updated daily to protect computers against new attacks. Before installing more than one anti-malware protection program, verify that they will work together. Some AM software programs do not work well when installed on the same system. Most home systems do not require more than one AM protection software program.
  • #11: Another safe practice, and a way to protect your computer system, is to engage in safe browsing, which means: Do not click a link within an email unless you are absolutely sure the email is coming from a trusted source. When surfing the web, never click on pop-up windows unless you are absolutely sure of the owner. Some pop-ups may indicate that the computer is infected with a virus or a number of viruses and urge the user to click the pop-up to clean the system. This is a typical scare tactic and clicking such a pop-up will most likely install some form of malware on your computer. To close a pop-up safely, press the key combination ALT and F4. This closes the pop-up without clicking on it, which ensures that the pop-up cannot install any malware.
  • #12: Cookie management is an important safe practice, too. A cookie is simply a text file that a website stores on your computer. The cookie itself cannot harm your computer. Website owners and advertisers use cookies to track your online activities and preferences, document which web pages you visit, and, among other things, record purchases you make. That information is then used for various purposes, such as welcoming you back to a webpage on your next visit. This is known as personalizing your web experience. The information that cookies track can also be sold to advertisers who use the data to send you targeted ads based on your buying patterns. Have you ever done an Internet search for something and then noticed ads for that item start showing up everywhere you go online? You can thank a cookie for that behavior.
  • #13: Some people don’t mind having their online activities tracked. Others view it as an invasion of privacy. Users who do not want their actions tracked should not allow first-party cookies to be placed on their computers by website owners. A first-party cookie is a cookie created on your computer by the website you are visiting. These can be very handy, as they allow you to, for example, purchase multiple items from a website in one transaction. Without this ability, you could purchase only one item at a time. Another type of cookie is a third-party cookie. Third-party cookies are placed on your computer by companies authorized by the website owner. These cookies are often used to spy on your online activity—they track your clicks and then gather marketing data to sell to website owners. Note that the originators of third party cookies are usually interested in which sites you visit, not your personal identity. Visiting a single website can result in multiple third-party cookies being placed on your computer. Some experts recommend accepting first-party cookies, rejecting third-party cookies, and allowing session cookies. Session cookies are erased when you close your web browser and are not used to track your online activities.
  • #14: Using a firewall is another form of protection that secures a system. Firewalls permit or deny a computer’s ability to connect to another computer or network. The firewall may disable what are referred to as “ports” that should not be opened, and restrict the use of ports to certain programs.
  • #15: Another safe practice to thwart would-be attacks is to require that all computer users have their own user account and password. When each user has their own username and password, you can tell who is logged in to a computer and may be able to track some of the things they do while they are logged in. Do not log in to a computer using an administrator account except to perform some type of administrator task, such as installing software. And, as soon as you are finished with that task, log out of the administrator account. Don’t set up users as computer administrators unless absolutely needed.
  • #16: Additional Internet security considerations include the following: Never use a public computer to conduct personal business. For example, don’t use a kiosk to check your bank account. Instead, do your personal business from your personal computer that has commercial, up-to-date, AV software installed. ALWAYS log out of any session before leaving a computer. NEVER open an email from an unknown sender. Don’t even click on it. And, NEVER open or save email attachments unless the sender is known and trusted.
  • #17: Let’s move on to our next topic, security and wireless networking. Wireless networks are unsecure by their very nature; they are open, allowing anybody to connect. Wireless networks include homes, airports, coffee shops, hotels, city-wide wireless access points or WAPs, college campus environments, and hospitals. Wireless networks are ubiquitous in medical environments; doctors and nurses tend to move from room to room, constantly using wireless handheld devices.
  • #18: Wireless security starts with the configuration of a WAP. An example of a WAP is the wireless router that many computer users have in their homes. In terms of security, WAPs in a corporate environment are much more robust than those used at home. To configure a WAP for security requires changing the router’s default password and configuring the router’s Service Set Identifier, or SSID. Wireless routers are shipped with default passwords, meaning that anyone on the Internet can look up the default password for a router. Routers need to be configured so that they do not broadcast the device’s SSID, which will make it harder for others to find and connect to that wireless network. Good security requires Wi-Fi Protected Access version 2, or WPA2 authentication. Users may be familiar with the Wireless Equivalency Protocol, or WEP, an older technology that should no longer be used. WPA2 protection is a much better choice for restricting access to known devices. Administrators should program Media Access Control, or MAC, addresses into the access point’s configuration. All network interface cards, or NICs, have their own MAC address. Modern WAPs allow administrators to let only recorded MAC addresses authenticate themselves on the web and then communicate wirelessly.
  • #19: This concludes lecture d of Security and Privacy. In summary, this lecture described practices designed to minimize the risk of successful cyberattack and addressed specifics of wireless device security.