IT Security Engineer Discusses Predicting Problems to Be a Cyber Survivor - 10/12/10

Nathan Heck, IT security engineer for IT Networks and Security, expands upon the first aspect of Purdue’s “Be a Cyber Survivor: Predict, Prevent and Prevail” theme in conjunction with the 2010 National Cyber Security Awareness Month. In the Q&A that follows, Heck discusses “Predict” as the term relates to cyber security vigilance: its importance, various types, signs of an imminent breach, and ways computer users can enhance their cyber security awareness.

SecurePurdue’s outreach and awareness coordinator Cherry Delaney is one of five speakers participating in a national webcast, “Cyber Security—Our Shared Responsibility,” slated for 2-3:30 p.m. Thursday, Oct. 14.


The webcast is sponsored by the Department of Homeland Security’s National Cyber Security Division and the Multi-State Information Sharing and Analysis Center.


The event will feature an interactive PowerPoint presentation accompanied by audio.


Please see the National Webcast Initiative website to obtain instructions for accessing the webcast.

Q. How can ITaP and the average computer user work together to better predict increasingly sophisticated and sneakier cyber attacks?
There are many things that a user can do. First and most important in my mind is to take a ‘trust but verify’ approach to your daily life. By that, I mean trust when you think you can or feel comfortable doing so, but always verify the details. An example might be, you receive an unexpected email from a friend or coworker you trust. Even though you trust them, that doesn’t mean you should open the attachment before contacting them and verifying that it was really them that sent the email and attachment. Trust but verify.

Other things users can do with regard to working with ITaP are: visit the SecurePurdue web page regularly, report IT-related things they find suspicious, and follow the RSS feeds from the SecurePurdue site. We have a computer incident response team made up of highly trained security analysts and engineers who monitor many sources and meet daily to discuss new security issues and their possible impact to the Purdue community. Relevant issues of concern are either posted on the incident response handler’s log or turned into a STEAM advisory. Either way, they can be found on the STEAM Advisory Alerts and RSS Feeds pages of the SecurePurdue website.

Q. What sorts of data are at risk once the security is breached?
This really depends on the system that had been compromised. A good rule of thumb is that whatever is on your system could fall into the hands of a malicious individual if your machine has been compromised. This is why it is a good idea to always keep security in mind when choosing what data you keep and don’t keep on your computer. And make sure to follow the data-handling guidelines located at SecurePurdue.

Q. Give examples of some of the signs of attack that average users can look for.
These can vary vastly depending on the computer environment the user is using. Some general signs that a user can look for include programs opening on their own or the appearance that someone else is controlling your machine, unusual error messages, new accounts or software on your machine that you didn't create or install, or even something as minor as an unusual number of pop-up windows when browsing the Internet. It really depends on the computing environment the user is using, however. The important thing is to pay attention to details day-to-day when you use your computer, and to be observant enough to notice differences, and curious/suspicious enough to question or investigate and report them.

Q. Which is more dangerous to our computers — apathetic and/or uneducated computer users or more determined hackers?
I would have to say apathetic and/or uneducated users. A malicious individual (the phrase hacker is often incorrectly used) is usually no different than a car thief or burglar. They want to take the path of least resistance in committing their crime. So if you do things to make it more difficult for them to commit their crime, they might decide your car, the items inside your house, or your data/computer resources aren’t worth the effort and move on to an easier target. Apathetic or uneducated users provide them the easy targets or the quick wins.

Q. Once the security of individual computers is breached, what’s the danger to an entire network?
This depends on several factors: the permissions assigned to the users who have logged on to the compromised machine, the level of trust assigned to the machine or the user(s) of the machine, as well as the attack vector used. If a user with higher permissions, such as a support desk person or an administrator, has logged on to the compromised machine, it is possible that their credentials could be stolen, putting all the other machines on the network that they have permissions on at risk. If the compromised machine is one that is “trusted” on the network and allowed through firewalls, for example, in order to be able to perform its duties, it poses more of a risk to the network than an instructional lab machine, for example. Lastly, it depends on the attack vector used to compromise the first machine. If the vulnerability that was exploited exists on all or many of the other machines on the network, it drastically increases the chance of other machines becoming compromised if all machines are allowed to communicate freely.

Q. What is some of the more effective technology recently or soon-to-be developed?
The information security market is a large one indeed. There are many useful and interesting products that help defend a user, such as anti-virus, application whitelisting, network and host-based intrusion detection systems or two-factor authentication systems (biometrics, smart cards, or secure tokens). However, none of them can take the place of a well-thought-out security strategy and architecture, policies and standards, and engaged, well-educated users.

Q. Computer protection is sometimes compared to a cat-and-mouse game. Which is gaining the upper hand, the cat or the mouse? Why?
I’d like to be positive and say we (IT Security) are winning the war, but the facts and statistics don’t support that. The fact is, computer crimes have become a very lucrative business. Whether it is identity theft, corporate espionage, scamming users out of their hard-earned money or just plain old spam, computer crimes equal big bucks. To combat this, people need to understand the importance of the battle and what is at risk. They also need management’s support and commitment to provide the resources required to fight the battle and assist IT Security in creating and administrating policy and procedures for a secure environment.

However, the last few years have given me hope that we might one day win this war. It seems to me like users are becoming more informed, and the media is doing a better job covering information security stories.

*   *   * 

More information about cyber security is available on the SecurePurdue website. The site also offers a three-video training series about prudent Internet practices for social networking, password security, and proper handling of spam.

As this year’s National Cyber Security Awareness Month campaign winds down, ITaP will host a presentation by Malcolm Harkins, chief information security officer and general manager for enterprise capabilities, controls and compliance for Intel; and Scott Ksander, Purdue’s chief information security officer. They will discuss the latest computing threats in a University setting and how to correctly calculate IT risk. The event is planned for 9-11 a.m., Wednesday, Oct. 27 in Stewart Center’s Fowler Hall. The free presentation is open to the public and will be live-streamed and archived for viewing anytime online.

Nathan Heck is an IT Security Engineer with Purdue University working for IT Networks and Security. His duties include developing new security solutions, performing incident response and computer forensic investigations and advising other departments on security-related matters. He graduated from Purdue University in 2000 with a bachelor of science degree in computer technology and psychology. He is currently working on a master of science degree in computer technology.