January 9: HEISC (Higher Education Information Security Council), Town Hall. Recording available.

January 30:  Bullet Proofing Your Career Online (with Hannah Morgan, @careersherpa), ABCPNG (Always Be Connecting Power Networking Group), First Unitarian Church, Rochester, New York

Description: What are the 10 key steps to building and securing your online reputation? A security professional and a career sherpa provide their perspectives on how to create an online presence that enhances and promotes your career safely and effectively.

April 24: Leadership Day, STC Rochester Spectrum Conference, Rochester Institute of Technology, Rochester, New York

Topic TBD

May 15-17: Engage! Creating a Meaningful Security Awareness Program (with Cherry Delaney, Purdue University), EDUCAUSE Security Professionals Conference 2012, Indianapolis, IN

 Abstract: This session will help attendees identify available resources and tools and determine the steps needed to create an engaging security awareness program. We’ll share how to integrate social media, video and other resources in an effort to reach a variety of audiences. We’ll also discuss how to leverage security incidents to create opportunities for engagement with your community. We’ll conclude the session by helping you plan a series of targeted activities for a high profile event such as the National Cyber Security Awareness Month.

May 20-23: Bullet Proofing Your Career Online (with Hannah Morgan), STC Summit, Rosemont, IL

May 20-23: Shockproofing Your Use of Social Media 2012, STC Summit, Rosemont, IL

To see more about how we’re using blogging to raise awareness in a specific academic course, visit the RIT Cyber Self Defense blog.

Image via Wikipedia

I teach a section of Cyber Self Defense, a security awareness course at the Rochester Institute of Technology. We always have a number of interesting discussions about current infosec issues. I believe these discussions would be of interest to a wider audience, and especially to readers of the Infosec Communicator blog.

This fall, we’ve created a blog for the students to share their thoughts on various information security topics. We’re requiring the students to blog weekly, so we’re hoping to generate a good amount of traffic to and discussion on the site. (The students will be blogging in lieu of a term paper.)

I’m expecting this activity to be quite a challenge for many of the students. Most of them are first-year Information Technology, Information Security/Forensics, and Networking, Security, and Systems Administration majors. They are very much techies who can easily grasp the nuances of a highly technical field. However, most of them aren’t used to communicating technical concepts to general audiences and many of them do not appreciate the value of blogs written by professionals. So we’re providing an opportunity that addresses both issues.

The blog launches the week of September 5th and should run through the end of November. I invite you to visit and comment on the posts.(Your comments will be held for moderation.)

I think it will be an interesting exercise.

What do you think?

RIT Cyber Self Defense Blog

Tip #1: Use strong passwords/passphrases.

It’s important to use strong passwords because automated “cracking” programs can break weak passwords in minutes. At a minimum, you should use 8 characters (preferably 15 or more), mixing upper and lower case letters and numbers. Many websites also allow the use of longer passwords and special characters. Incorporating special characters into your password will make them more difficult to crack. You’ll also want to use different passwords on different accounts. Using a password safe such as LastPass will help you manage these passwords by generating strong passwords and then supplying them when needed.

Tip #2: Keep up to date.

Attackers take advantage of vulnerabilities in software to place malware on your computers. Keeping up to date with patches/updates helps thwart attackers from using “exploits” to attack known vulnerabilities. It’s important to keep both your Operating System (Windows, Mac OS, linux, etc.) and your applications (Microsoft Office, Adobe, QuickTime) patched.

Tip #3: Use security software.

It’s a good practice to follow the requirements of the RIT Desktop and Portable Computer Security Standard on personally-owned computers. Among other elements, the standard requires use of a firewall, antivirus, and anti-spyware programs. Many security suites contain all of the elements needed to protect your computer. (Your Internet Service Provider may also provide security software.)

Tip #4: Learn to recognize phishing attacks.

You’ve all seen phishing attacks. They’re typically emails that appear to come from a financial institution that ask you to verify information by providing your username and password. Never respond to these requests. Your financial institution should not need your password.

Tip #5: Think before you post.

Don’t post personal information (contact info, class schedule, residence, etc.) A talented hacker can see this, even if you’ve restricted your privacy settings! Don’t post potentially embarrassing or compromising photos. Be aware of what photos you’re being “tagged” in—don’t hesitate to ask others to remove photographs of you from their pages.

Tip #6: Remember who else is online.

Did you know that most employers “Google” prospective employees? Have you seen the stories of people’s homes being burglarized because they’ve posted their vacation plans online? Many people other than your friends use these sites.

Tip #7: Be wary of others.

You can’t really tell who’s using a social network account. If you use Facebook, you’ve certainly seen posts by your “friends” whose accounts have been compromised. Don’t feel like you have to accept every friend request, especially if you don’t know the person.

Tip #8: Search for your name.

Have you ever done a “vanity search?” Put your name in a search engine and see what it finds. Did you know that Google allows you to set up an Alert that will monitor when your name appears online? Setting this up with daily notifications will help you see where your name appears.

Tip #9: Guard your personal information.

Identity thieves can put together information you share to develop a profile to help them impersonate you. Be especially careful of Facebook applications. They may collect information that they sell to marketing companies or their databases could be compromised. Do they really need the information they’re requesting?

Tip #10: Use privacy settings.

Default settings in most social networks are set to sharing all information. Adjust the social network’s privacy settings to help protect your identity. Show “limited friends” a cut-down version of your profile. Choose the strongest privacy settings and then “open” them only if needed.

Related articles

• Parenting in the Cyber Age: A Parents’ Guide to Safer Social Networking (benwoelk.wordpress.com)
• 7 Tips for Creating a Secure Online Password (money.usnews.com)
• Tips To Defend Your Personal Privacy Online (mylookout.com)

Add me to your circle on Google+

This post provides an update to last year’s Choosing the Safest Browser post. Let’s take a look at what’s changed since June 2010.

Browsers

Last year, we looked at the following browsers to discuss which would be the safest:

• Opera
• Firefox
• Safari
• Internet Explorer
• Google Chrome

Number of Vulnerabilities

How do you decide which browser is the safest? One way is to look at the vulnerabilities that were disclosed for each one. Attackers may exploit these vulnerabilities to place malicious code onto your computer.

In Spring 2010, my Cyber Self Defense class ranked the browsers in the order below according to which ones they thought had the most vulnerabilities:

1. Internet Explorer
2. Safari
3. Opera
4. Firefox
5. Chrome

According to the  Symantec 2008 Internet Threat Report, here’s the list of browsers ranked from most reported vulnerabilities to the least:

1. Firefox
2. Internet Explorer
3. Safari
4. Opera
5. Chrome

The class was really surprised by this ranking.

June 2011

Let’s see how the rankings look from the Symantec 2010 Internet Threat Report. Here’s the 2010 list of browsers and number of vulnerabilities:

1. Google Chrome–191 vulnerabilities
2. Apple Safari–119
3. Mozilla Firefox–100
4. Microsoft Internet Explorer–59
5. Opera–31

I was surprised by this order. Ranking browsers by vulnerabilities reported, Chrome appears to be the worst and Opera the best. (In the 2008 report, Chrome had the fewest vulnerabilities!)

Average Time to Fix a Vulnerability

Another way to look at browser safety is how long it takes for a reported vulnerability to be fixed. How would you rank these same five browsers from shortest to longest patch time?

In the 2010 report, Internet Explorer had an average patch time of 4 days. Opera, Safari, and Chrome were each one day or less. (In the 2008 report, Safari had an average “exposure” time of nine days, compared to the “best,” Firefox, which normally took only one day to patch.)

Patch time alone doesn’t appear to be a factor when choosing the worst browser.

Safe browsing is important because the majority of attacks are web-based, peaking at  almost 40 million per day in September 2010.

Does Your Browser Choice Really Matter?

In my opinion, not so much. Internet Explorer vulnerabilities are targeted more because it’s the biggest target. However, all of the browsers mentioned have vulnerabilities and all are patched relatively quickly. Many attacks actually target applications such as Adobe Flash, QuickTime, and the like. Malicious PDFs have also become a huge problem in the last year. What matters are safe practices!

Related articles

• Gadgetwise: A Tool to Help Secure Your Browser (gadgetwise.blogs.nytimes.com)
• Avoiding Phishing (benwoelk.wordpress.com)