COMPUTER SECURITY PRINCIPLES AND PRACTICES BY COREY@MARK5MINISTRIES.ORG
INTRODUCTION
My Background
Some questions for you
Why computer security?
Principle of Incarnation
What this presentation covers (and does not cover):
* Computers: end user, not corporate office
* Smartphones (tomorrow?)
* Not communication principles
* Not social media security: assume there is NONE! (e.g. facial recognition)
* Not physical security of electronic devices (airports; don't set down smartphone when traveling; keep devices locked to desk; hotel rooms)
SERVICE ANNOUNCEMENT: DON'T USE OUT-OF-DATE SOFTWARE
Win XP is dead. So is MS Office 2003 (and IE 6).
SECURITY PRINCIPLES 1) GET RIL
Get RIL (Risk = Impact * Likelihood), i.e. assess your risk of incursion
Nothing is 100% secure
Understand the threat source:
* Random target (opportunistic)
* Targeted: e.g. from an APT (Advanced Persistent Threat)
The key is to prioritize your efforts
SECURITY PRINCIPLES 2) LAYERED DEFENSE
Layered Defense: if a hacker breaks through one layer, they will still not have full access to information
E.g. use a strong password, have VPN enabled, and 2-factor authentication for bank account
SECURITY PRINCIPLES 3) BE PRACTICAL
Be Practical: security measures are in direct inverse correlation to ease-of-use
"Know Thyself": if too difficult, you will bypass
Good security applied consistently is BETTER than strong security used sporadically
Weakest Link
DATA AT REST - #1
1) Backup your important data!! No excuses!
2) Keep computer free from malware
   a) Keep OS updated
   b) Don't use illegal, pirated software - otherwise it will not be updated
   c) Update 3rd party applications (Java, Adobe, etc.)
   d) Run up-to-date antivirus
3) Software-level firewall turned on
4) Home office: use "home router" in addition to modem
DATA AT REST - #2
5) Data Encryption
   (A) Full disk: why? Why not? Win7 (TrueCrypt); Win8 (BitLocker); Mac (FileVault)
   (B) Encrypted volume (hidden?)
   (C) Encrypted in the cloud (e.g. Wuala)
   (D) Encrypt flash drives (TrueCrypt)
   (E) Make sure backups are encrypted
DATA IN TRANSIT - #1 VPN
1) Virtual Private Network (VPN)
   a) Creates encrypted "tunnel" for all network traffic
How a Personal VPN Works (non-corporate VPN):
   1. Encrypted from computer to tunnel endpoint (provider)
   2. Then unencrypted to final destination
   3. IP address shows your location as your provider's place
DATA IN TRANSIT - #1 VPN - CONTINUED
2) When to use a VPN?
   a) On public network (wired or wifi)
   b) When concerned about unsecured traffic being read (by gov't)
   c) Part of your layered defense
3) Different levels of VPN security (based on protocol and provider)
   a) Protocols: Best: IPSec, OpenVPN. Good: L2TP. Worst: PPTP.
   b) Providers: GSEA, StormWind, ConnectMyWorld, DarkWireVPN - OR - Private Internet Access, Witopia, ExpressVPN (China)
DATA IN TRANSIT - #2 SECURE EMAIL
2) Secure Email - a misnomer/oxymoron?
   a) Typically defined: encrypted from you to provider and between mail servers
   b) You may use a secure provider, but is the other end secured?
   First picture: only your email is encrypted
   Second picture: both sender and receiver encrypted
DATA IN TRANSIT - #2 SECURE EMAIL - CONTINUED
a) Some email considerations and providers
   i. *Not* Yahoo!, Hotmail; question about Google (index messages, gov't access): free product means YOU are the product!
   ii. Some providers: GSEA, fastmail.fm, generalmail.com, hetzner.de, neomailbox.com, xc.org, etc. (many allow your own domain name)
   iii. Also use VPN? (Layered Defense)
b) Think about email at rest: what if computer is accessed? If sensitive email, read in web browser or install email client on encrypted disk
c) PGP (GPG) is best, but too difficult for most to understand or implement (encrypted from mail client to mail client)
DATA IN TRANSIT - #3
3) Personal WiFi
   a) Turn on encryption (WPA2)
   b) Administrative password on hardware device (router or access point)
4) Public WiFi
   a) Traffic can be read; turn on VPN
   b) Especially be wary at airports and highly trafficked locations
      i. Only connect to legitimate airport-provided wifi, e.g. don't connect to wifi named "Free WiFi" - except in Helsinki?
      ii. At airport, assume all info being sent/received can be read
PRINCIPLES FOR PASSWORD USE
1) Don't use the same password for all accounts!!!
2) Use strong passwords for accounts that matter - PASSPHRASE
   a) E.g. 1) first letters of words in sentence/verse, with changes; 2) primary passphrase with changes
   b) No personal info within password/passphrase
3) Keep passwords in encrypted "password vault" program
   a) E.g. Roboform, LastPass, Dashlane (synced across devices for pay); KeePass (free, local only); 1Password (Mac)
   b) Do *not* let web browser remember your passwords! (Not a vault, but an advertisement)
PRINCIPLES FOR PASSWORD USE - CONTINUED
4) Use two-factor authentication where possible, e.g. bank, Gmail, Facebook, Dropbox, Evernote, etc.
5) Beware of the "password recovery" questions. Lie! :-) But make sure you record your answers in your password vault program
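An added example (not from the presentation) that turns the three password rules above into a check you can run over a vault export: flag passwords reused across accounts, passwords that are too short to be a passphrase, and passwords containing personal info. The vault entries and the personal details are constructed sample data, and the "first letters of words, with changes" helper is an illustration of the passphrase method the slide names.

```python
from collections import defaultdict

# Constructed sample of what a password-vault export might look like (not real accounts).
VAULT = [
    {"site": "bank.example", "password": "Tqbfjotld!2024"},
    {"site": "mail.example", "password": "Tqbfjotld!2024"},        # reused from the bank entry
    {"site": "forum.example", "password": "corey1975"},            # short and contains personal info
    {"site": "shop.example", "password": "wrong-horse-battery-staple-41"},
]

# Constructed personal details that, per the slide, must not appear inside a password.
PERSONAL = ["corey", "1975", "mark5"]


def audit_vault(entries, personal_info, min_len=12):
    """Return {site: [problem codes]} for entries that break the password principles."""
    sites_by_password = defaultdict(list)
    for entry in entries:
        sites_by_password[entry["password"]].append(entry["site"])

    findings = defaultdict(list)
    for entry in entries:
        site, pw = entry["site"], entry["password"]
        if len(sites_by_password[pw]) > 1:          # rule 1: same password on several accounts
            findings[site].append("reused")
        if len(pw) < min_len:                        # rule 2: too short to be a passphrase
            findings[site].append("short")
        lowered = pw.lower()
        if any(p.lower() in lowered for p in personal_info):   # rule 2b: personal info inside
            findings[site].append("personal-info")
    return dict(findings)


def first_letters_passphrase(sentence, changes=None):
    """Build a password from the first letter of each word, then apply the 'changes'
    (character substitutions) the slide recommends so it is not the bare acrostic."""
    base = "".join(word[0] for word in sentence.split())
    for old, new in (changes or {}).items():
        base = base.replace(old, new)
    return base


if __name__ == "__main__":
    for site, problems in audit_vault(VAULT, PERSONAL).items():
        print(f"{site}: {', '.join(problems)}")
    print(first_letters_passphrase("The quick brown fox jumps over the lazy dog", {"o": "0"}))
```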
CONFIGURATION EXAMPLES
Consider the following examples: what fits for you?
1) Encrypt entire hard drive: why or why not? Even email program (e.g. Outlook) would be encrypted.
2) Minimalist/travel machine: take no data. Carry clean device; access all data from *encrypted* cloud provider (like Wuala) or on local hidden, encrypted volume.
3) Secure email application: on hidden, encrypted volume. Portable application. Secure provider. Requires VPN to be accessed.
4) Email not stored locally: read email via web browser.
OTHER RESOURCES, TOOLS AND PROVIDERS
1) Educate yourself; YOU are your worst enemy.
   A. Online training class "Computer Security Essentials & You" at www.equiphispeople.com - cost: 5 Euro via PayPal
   B. "Essential Security Measures for Home Computers" at www.computersecuritynw.com
QUESTIONS?
TOMORROW WE WILL TALK ABOUT SMARTPHONE SECURITY