Cybersecurity Initiative

Suggested Topics-Expanded List

The following security-related topics and examples are provided for reference. Contest entrants are not limited to these topics. If you still have additional questions regarding appropriate content for your poster and/or video, please contact us via e-mail.

Botnets

A botnet can refer to any group of bots; however, the word is generally used to refer to a collection of compromised machines running programs, usually referred to as worms. The originator of the botnet can control thousands of computers remotely through a back door to each of them using Internet Relay Chat (IRC).

A botnet can expand to unpatched computers by using commonly available tools to exploit them and can also expand via malicious code (a Trojan horse) hidden in legitimate software. Botnets serve various purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam, click fraud, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers. To prevent botnets:

  • Disable Windows file sharing if using Microsoft Windows.
  • Apply the latest patches, as soon as they are available. Configure operating systems to automatically check for new patches.
  • Add other layers of protection (firewall, antivirus, antispyware, and host-based intrusion prevention).

Computer maintenance

Computer maintenance entails performing the regular tasks required to keep a computer system running stably. A computer that is maintained properly will be less prone to compromise.

  • Maintenance includes, at a minimum, frequent updates to software, antivirus updates, firewall/antispyware updates, security scans, and, of course, regular backups. Remove temporary Internet files routinely.
  • Apply software updates often, including the operating system, firewall, antispyware, and other vulnerable software such as Microsoft Office.
  • Perform regular backups of your data. It is preferable to run backup software that will allow you to restore to a point in time.
  • Computer safety while traveling: don’t leave your computer out of your sight; use a password when using wireless in public spaces; remove and overwrite sensitive data if you have it on your computer.

Cybersafety tips: how to protect yourself online, including on social networking sites

The sharing of personal information, knowingly or unknowingly, poses the greatest risk of identity theft and other malicious acts by perpetrators. There are many opportunities to share personal information, so it is very important to adhere to the following guidelines when going online:

  • Don’t reveal information about yourself to strangers, and don’t believe everything you see on the Internet. Be very careful about meeting in person someone you met online: do so with other friends and in a public place.
  • Only conduct online business when you are confident the service you are using (a bank, for example) has adequate security measures in place. Contact the business and ask about how they will safeguard your personal data. Determine whether the business has had a compromise in the past.
  • Turn off your computer when you will be away from it for long periods of time. Do not leave it connected while you are away. Consider a screen guard when traveling or in a public place.
  • Familiarize yourself with basic safe web-surfing tips.

Social networking software includes services such as MySpace, Facebook, Friendster, and instant messaging (IM) services like AIM and Yahoo Messenger. These kinds of online services can be havens for stalkers and sexual predators. They pose an inherent privacy risk—it is all too easy for private information to become public. These sites make it very easy to share personal information, including passing of malicious data. A user bent on malicious intent may instant message a link that appears innocuous to the unsuspecting user, who then clicks on it and immediately infects his or her computer.

  • Limit the personal information you provide to these services. Do not provide any information that would enable anyone to find out your true identity.
  • Avoid instant messaging with strangers. Never open an untrusted link provided in an instant message and never open an attachment sent to you via instant message unless you fully trust the identity and integrity of the sender. It is far better to avoid using IM for this purpose.

Encrypting files/e-mails

In cryptography, encryption is the process of scrambling information to make it unreadable without special knowledge that usually involves possessing a private key. Encryption or software code obfuscation is also used in software copy protection to guard against reverse engineering, unauthorized application analysis, cracks, and software piracy. E-mail is often signed and encrypted to ensure privacy and authenticity. Pretty Good Privacy (PGP) is an example of a widely distributed system used to encrypt files and e-mail. A virtual private network (VPN) is another technology that provides the means for tunneling and encrypting network traffic.

  • Store sensitive data in an encrypted folder, using a commercial product or native built-in tools. Never forget the key needed to access the encrypted data. Keep the key and key password separate.
  • For sensitive e-mail, use encryption and sign the e-mail.
  • Connect to a remote business site using a VPN when possible.

Global cybercrime: includes identity theft, extortion, denial of service, and web defacement

Cybercrime, or criminal activity involving computers and networking, is on the rise worldwide. Cybercrime can involve abusing e-mail, compromising computers and networks, stealing intellectual property, and pirating digital information, just to name a few. Hackers are partnering, monitoring, and collaborating, but the public and private sectors are not engaged as they should be and are not well prepared. Hackers are often members of organized crime groups.

  • The enemy within: employees are now regarded as a greater danger to workplace cybersecurity than the gangs of hackers and virus writers launching targeted attacks from outside the firewall.
  • Blogging gone wrong: stalking, defamation of character, and harassment.
  • Website defacement: malicious destruction of business or personal websites.
  • Identity theft: using another’s identity to steal from their bank accounts, gain access to their credit rating, and so forth.
  • DDoS ransom: criminals are launching distributed denial-of-service (DDoS) attacks, demanding ransom money to stop the attacks.

Guidelines or suggestions for effective passwords

Passwords are used to authorize access to a particular computer or service. The average user may have multiple passwords and therefore may not take great care in safeguarding them and may not be using complex passwords.

  • Passwords must be safeguarded using memorization or using a commonly available application to keep them in an encrypted database. The key used to access that database must never be written down.
  • Passwords should be complex and lengthy and should never be written down. Ideally, one should use pass phrases.
  • Never give another individual your password; a user account should never be shared.
  • Passwords should be changed frequently.

Physical security

Physical security means physically securing computers, equipment, printouts, and locations where data are housed. It is vitally important, especially for those in open work environments such as cubicle farms.

  • When leaving the work area, some form of screen lock must be used, requiring a password for unlocking.
  • All external devices containing any private or sensitive data must be locked in a desk. Any printouts that might contain sensitive information should also be locked away.
  • Hard disks and other storage media must be properly wiped or destroyed by an approved method after they are no longer needed.
  • Hard-copy documents should be kept locked away when not in use and must be properly disposed of when no longer retained (shredding).

Safeguarding data: confidentiality, privacy, and identity theft

Safeguarding data involves adding the necessary layers of security and controls (who needs access to what) to adequately ensure that sensitive data is not at risk of being compromised.

  • Backing up one’s desktop and/or laptop computer data is critical. In the event that the computer has to be rebuilt, a backup will ensure that recent data can be restored intact.
  • Do not keep unnecessary sensitive data on the local machine or laptop. Laptops can be stolen, so if some sensitive data does need to be stored, it should be encrypted. It is best to keep the information on a trusted, managed server (for on-the-job users).
  • Backups should be encrypted and should be kept off site in a secure and locked location.
  • Sensitive data that is stored on a file server should only be stored there if there are adequate controls in place, including a firewall, access controls, a regular patching and update schedule, and frequent vulnerability assessments.

To protect consumer privacy and confidentiality, new laws have been passed at the federal and state level. The federal Sarbanes-Oxley Act of 2002 is in place to address accounting scandals but also includes a provision for the safeguarding of data. The federal Gramm-Leach-Bliley Act requires that financial institutions develop an information security plan. The plan must outline how the institution plans to protect private customer data. The federal Health Insurance Portability and Accountability Act (HIPAA) requires that health care providers implement specific safeguards to protect personal records. Other state laws are in place for protection of personal information (California’s SB-1386, for example).

  • For those handling sensitive data, be aware of the scope of recently passed laws and understand liability.
  • Keep sensitive customer information only on secure servers; encrypt the information when possible.
  • Scan for web application vulnerabilities on a regular basis.
  • Keep hard-copy data secure; it should never be left unattended.

Identity theft is much more common in today’s online world. It involves the stealing of someone’s identity through common methods such as the compromise of a server, stealing unshredded postal mail, keyloggers (logging all keystrokes remotely), and the compromise of desktop computers. Social Security and driver’s license numbers are sought, stolen, and used or sold, enabling the theft of one’s identity.

  • Shred and destroy personal documents, including discarded bills. Identity thieves look for this type of information.
  • Do not carry your Social Security number with you. Keep it locked away in a safe place. When possible, avoid providing your Social Security number to any business. Instead, provide alternative information when possible. Never give your Social Security number to anyone else.
  • Check your credit statements often and get a free credit report at least yearly. Look for anomalies on your statements and take action if you suspect your identity has been stolen by visiting http://ftc.gov/idtheft.
  • Do not click on links purportedly sent to you by a bank or other agency you do business with, especially if the message asks you to verify your information.

Security of wireless/mobile devices

An unsecured wireless access point provides Internet access to any computer within range, allowing someone to conduct illegal activities, access local files, and/or cause other harm. Data transmitted by the legitimate user may not be encrypted.

Handheld devices are also prone to attacks and can access the Internet. The same standard of security should be applied to them. Mobile devices are increasingly at risk for theft, exposure of critical information, viruses, and spam. Newer devices have attachment-accepting e-mail clients and document management software, making it more likely that they will store sensitive e-mail and documents.

  • The wireless access point should be configured for the highest level of security supported, including enabling encryption (WPA, for example) and disabling the SSID announcement. The default name of the SSID should also be changed.
  • Enable media access control and use a firewall. If possible, use a wireless router with a built-in firewall.
  • Do not store sensitive data on any mobile devices, unless it is strongly encrypted and necessary.

Security risks of P2P file-sharing applications

Peer-to-peer (P2P) file sharing enables users to share files housed on their computers with other users. Commonly available P2P applications (Kazaa, for example) are used to share music. Attackers often use these services to infect the computers of unsuspecting users with spyware and other malware. The user transmitting and receiving files may also be at risk for prosecution due to the transmitting of copyrighted material.

  • Avoid using P2P file sharing applications. Using such services could open you up to compromise of your computer and make you legally at risk for copyright violation.
  • Use legal non-P2P services such as iTunes and Cdigix.

Security updates, antivirus software, and firewalls

Computer operating systems require patches (updates) frequently to help guard against exposing security holes and ultimately computer compromise, leading to exposure of critical data. Computers can also run firewalls to limit network connections and antivirus software to guard against computer viruses and other malware.

  • All computers should have the latest security updates installed and should use autoupdate features (Microsoft Update, for example). The latest security updates will generally protect from known attack vectors.
  • Antivirus (AV) software is also critical and will protect from known viruses. The antivirus software should be updated very often (enable via the Control Panel).
  • Use a personal firewall to add one more layer of protection. The firewall could protect you from other types of exploits and will also guard against inadvertent actions of the end user.

Spyware and phishing

Spyware comprises malicious software that is commonly installed by visiting malicious and untrusted websites. A benign type of spyware simply tries to track what a user is doing while the more malicious type will attempt to record sensitive data the user may have access to. Both types send information to a third party.

Phishing involves tricking an unsuspecting user into providing personal information to someone else, usually by clicking on an enclosed link to an online form asking for the information. Phishing attacks are commonly launched via e-mail. The e-mail headers are forged, making the e-mail seem legitimate. The site that is visited may seem legitimate but is a forgery of a legitimate site, such as eBay.

  • To guard against spyware, it is critical to install at least one antispyware application to provide live detection and at least one other antispyware application to do weekly scans.
  • Never visit untrusted websites.
  • Avoid opening and accessing links sent in unsolicited e-mail.
  • Never open links sent in e-mail purportedly from a bank or other agency asking you to verify your account or enter personal information. When banking, always visit the bank URL directly (from the browser).

 
© Copyright 1999-2009 EDUCAUSE