IT Security Engineer Discusses How to Predict Problems to Be a Cyber Survivor - 10/21/10

For Week No. 3 of National Cyber Security Awareness Month 2010, IT security engineer for Purdue’s IT Networks and Security Nathan Heck expands upon the second aspect of the University’s theme, “Be a Cyber Survivor: Predict, Prevent and Prevail.” In the Q&A that follows, Heck discusses “Prevent” as the term relates to effective ways individuals can deter malicious individuals’ breaches in cyber security.

Q: What are some of the most damaging threats that plague our cyber security, and what protection is available against them?
A: I’d like to answer this from the perspective of an average user and not an organization. In my opinion, the largest threats that plague everyday computer users are a lack of education about cyber security, apathy or indifference toward the subject, and being too willing to trust. Yes, there are many specific threats such as viruses, trojans, denial of service attacks and social engineering, but these are all attacks that typically take advantage of a user’s trust, lack of knowledge or apathy.

In association with the 2010 National Cyber Security Awareness Month campaign, ITaP will host a presentation by Malcolm Harkins, chief information security officer and general manager for enterprise capabilities, controls and compliance for Intel; and Scott Ksander, Purdue’s chief information security officer. They will discuss the latest computing threats in a University setting and how to correctly calculate IT risk. The event will be 9-11 a.m., Wednesday, Oct. 27 in Stewart Center’s Fowler Hall. The free presentation is open to the public and will be live-streamed and archived for viewing anytime online.

Think of the specific threats like symptoms of an illness. A doctor can prescribe medicine to temporarily treat the symptoms or the doctor can do a more thorough job and eliminate the illness and alleviate the symptoms permanently. In keeping with this analogy, viruses, worms, phishing, and other cyber attacks are symptoms of an illness. The illness is threefold.

For example, if software developers were to make security a top priority during development of their products, we would be much less likely to have software that was vulnerable and there would be fewer attack avenues for malicious individuals. Similarly, if users were more educated about security and a bit more suspicious, they would be less likely to open unexpected attachments they received or click on links that end up infecting their machine. Of course, these ideas don’t eliminate all cyber security threats, but they could drastically reduce many of them.

Q: How can we users keep our computers from becoming infected by viruses, trojans, bots, keystroke loggers, and other invasive predators?
A: Some of the non-technical solutions are:

• Educate yourself on how computers become infected and how to avoid these issues. The SecurePurdue website is a great clearinghouse of information.
• As I mentioned in our last interview, adopt the “trust but verify” mantra and apply it to your computer use.
• Keep the principle of least privilege in mind. Start with the most restrictive security settings. Ease them as necessary.
• Be security conscious. It needs to be part of your lifestyle and not considered a chore or task.
• Always use strong passwords and change them regularly.
• Never provide your password or any other authentication credentials (such as a PIN, token, passphrase) to others. Don’t allow others to view an unobscured/unmasked password. For example, use a privacy filter or hide them by using your hand or body to shield a computer monitor or screen.
• Never click links in an email, even if it is from someone you know. Type the address in your browser window instead.
• Be cautious of flashy new software or software features you really don’t need, as they might harbor vulnerabilities or be malware themselves.

Some of the technical solutions include:

• Install and use anti-virus and anti-spyware software on your computing device, keep the software and definitions files up to date, and run regular scans.
• Turn on and configure an operating system firewall or a hardware firewall.
• Check for and install operating system, security software, and application patches and updates regularly. This helps eliminate vulnerabilities in software, which could be exploited by malicious individuals.
• Install a browser plug-in, such as McAfee SiteAdvisor, which rates sites you visit based on their potential to have malicious content.
• Regularly verify that system security measures are enabled on your computing device.

Q: How effective are firewalls, anti-virus software and anti-spyware in warding off cyber criminals? How can computer users maximize those tools?
A: No one technology can totally protect you or your computer. It’s always best to take a layered approach when it comes to security. Yes, it’s more work to maintain different products, but the more layers you add to your security the more difficult you make it for a malicious person to compromise your computer. The more difficult it is for them, the more likely they will give up and move on to an easier target.

When properly configured, firewalls are very effective at stopping intruders and keeping unauthorized outbound traffic from exiting. However, they are only one layer of security, and even when properly configured can allow harmful traffic through.

Unfortunately, anti-spyware and anti-virus programs are not as effective. These protection mechanisms rely on a signature file which helps them to identify malicious code or files known as malware. Malware is the general term for malicious software such as viruses, spyware, trojans, worms and so on. The problem with any protective technology is that there is a lag time from when the malware is released in the wild on the Internet to when it is identified and added to the signature file so it can be detected by your anti-virus software. Even though it’s not instantaneous, anti-virus and anti-spyware software do help protect your computer. With up-to-date anti-virus, you may be vulnerable to a new form of malware for up to a half a day or so until the updated signature file is released; but without anti-virus, you are vulnerable 100 percent of the time. To maximize these tools, users should make sure they are properly configured and kept updated at all times.

Q: When shopping, paying bills or banking online, how can users protect their credit card and bank numbers and other sensitive personal information?
A: Some sources estimate that some 10 million Americans per year are victims of identity theft and that a victim averages 330 hours repairing the damage caused by this crime. While you cannot guard against every possible identity theft attack, such as a corrupt employee in a store, you can protect yourself. That said, you are much less likely to fall victim to identity theft or fraud if you educate yourself on the topic and follow some of these suggestions.

I highly suggest freezing your credit. Indiana state law provides consumers the right to freeze their credit to prevent identity thieves from opening accounts or lines of credit in their victims’ name. It basically keeps new creditors from accessing your credit report without your permission. This does not negatively affect your credit score or your ability to use credit cards or other lines of credit you already have and it’s free. It is important to note that if you perform this freeze, you should expect additional steps when you apply for new lines of credit. However, it’s a small price to pay for security. More information is available at the Indiana Attorney General’s website.

Never perform online banking or shopping on a public or shared computer or on a public/open network. There could be software on the computer or a malicious person lurking on the network ready to capture your credentials or credit card number. Consider dedicating a single machine (possibly a separate machine or a virtual machine) to use only for online banking. By doing nothing more than banking on this machine, you can avoid malware from Internet surfing or infected email attachments. If your bank or credit card company offers automated account monitoring, you should configure and enable it. This feature will alert you of specific changes to your account like adding a new payee, changes made to your security settings or password, and can alert you to a low balance. Many of these alerts can be configured so that a text message is sent to your mobile phone. This offers some additional protection in terms of being timely alerted to a possible issue. Finally, if your bank offers advanced authentication methods, such as the use of a password token, take advantage of them because they drastically improve the security of your account.

Users also need to get into the habit of checking the bank balances and credit card statements once or twice a week for unauthorized charges and transactions. Along these same lines, users should check their credit reports yearly at minimum. Everyone is eligible for one free credit report from each of the three major credit reporting agencies yearly by going to I suggest checking it more frequently.

Using different credentials for different sites is another easy way to protect yourself. At the very least, use different passwords for different sites. This does create a level of complexity that you have to manage. There are programs available that act as a safe for your credentials so you can set different logins and passwords for all of the sites that you visit. All you have to do is remember the master password for your password safe. These products allow you to easily use long, strong passwords for various Internet sites without having to worry about remembering them all. Many of these password-safe programs even have portable versions that can be run from a thumb drive or your mobile phone. The vault itself is encrypted so that you don’t have to worry about compromising your passwords if you lose it. Of course, be sure you have a backup! Some examples of these programs are KeePass and PasswordSafe. For more information, see the article on password manager software on the SecurePurdue website.

Q: What tools and resources are available from ITaP to Purdue employees for use on their personal laptops and home computers?
A: ITaP primarily provides Purdue employees with information security awareness and training. The SecurePurdue website has information on IT security as well as checklists, recorded training sessions, and news articles. In addition to the training and information from ITaP, we also provide McAfee Security Center free of charge for use by employees and students on their personally owned computers.

Q: Can you provide a list of tips for keeping users’ personal information and computer files safe?
A: There is a lot users can do to help keep their personal information and data safe, some of which we have already discussed, but much more information is available. My three main points are:

1. Educate yourself. Among the sites to assist you with this are: OnGuard Online, Get Net Wise, and Stay Safe Online.

2. Remember to “trust but verify.” You don’t need to be suspicious all the time. However, you should adopt a healthy level of suspicion when it comes to your personal data and your identity information.

3. Don’t be indifferent when it comes to information security. Make it part of your daily life, and it will become second nature.

*   *   * 

More information about cyber security is available on the SecurePurdue website. The site also offers a three-video training series about prudent Internet practices for social networking, password security, and proper handling of spam.

Nathan Heck is an IT Security Engineer with Purdue University working for IT Networks and Security. His duties include developing new security solutions, performing incident response and computer forensic investigations and advising other departments on security-related matters. He graduated from Purdue University in 2000 with a bachelor of science degree in computer technology and psychology. He is currently working on a master of science degree in computer technology.